L2TP
VyOS utilizes accel-ppp to provide L2TP server functionality. It can be used with local authentication or a connected RADIUS server.
Configuring L2TP Server
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username test password 'test'
set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254
set vpn l2tp remote-access default-pool 'L2TP-POOL'
set vpn l2tp remote-access outside-address 192.0.2.2
set vpn l2tp remote-access gateway-address 192.168.255.1
Set authentication backend. The configured authentication backend is used for all queries.
radius: All authentication queries are handled by a configured RADIUS server.
local: All authentication queries are handled locally.
Create <user> for local authentication on this system. The users password will be set to <pass>.
Use this command to define the first IP address of a pool of
addresses to be given to l2tp clients. If notation x.x.x.x-x.x.x.x
,
it must be within a /24 subnet. If notation x.x.x.x/x
is
used there is possibility to set host/netmask.
Use this command to define default address pool name.
Configuring IPsec
set vpn ipsec interface eth0
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret secret
If a local firewall policy is in place on your external interface you will need to allow the ports below:
UDP port 500 (IKE)
IP protocol number 50 (ESP)
UDP port 1701 for IPsec
As well as the below to allow NAT-traversal (when NAT is detected by the VPN client, ESP is encapsulated in UDP for NAT-traversal):
UDP port 4500 (NAT-T)
Example:
set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp'
set firewall name OUTSIDE-LOCAL rule 41 action 'accept'
set firewall name OUTSIDE-LOCAL rule 41 destination port '500'
set firewall name OUTSIDE-LOCAL rule 41 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 42 action 'accept'
set firewall name OUTSIDE-LOCAL rule 42 destination port '4500'
set firewall name OUTSIDE-LOCAL rule 42 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 43 action 'accept'
set firewall name OUTSIDE-LOCAL rule 43 destination port '1701'
set firewall name OUTSIDE-LOCAL rule 43 ipsec 'match-ipsec'
set firewall name OUTSIDE-LOCAL rule 43 protocol 'udp'
To allow VPN-clients access via your external address, a NAT rule is required:
set nat source rule 110 outbound-interface 'eth0'
set nat source rule 110 source address '192.168.255.0/24'
set nat source rule 110 translation address masquerade
Configuring RADIUS authentication
To enable RADIUS based authentication, the authentication mode needs to be changed within the configuration. Previous settings like the local users, still exists within the configuration, however they are not used if the mode has been changed from local to radius. Once changed back to local, it will use all local accounts again.
set vpn l2tp remote-access authentication mode radius
Configure RADIUS <server> and its required shared <secret> for communicating with the RADIUS server.
Since the RADIUS server would be a single point of failure, multiple RADIUS servers can be setup and will be used subsequentially. For example:
set vpn l2tp remote-access authentication radius server 10.0.0.1 key 'foo'
set vpn l2tp remote-access authentication radius server 10.0.0.2 key 'foo'
Note
Some RADIUS severs use an access control list which allows or denies queries, make sure to add your VyOS router to the allowed client list.
RADIUS source address
If you are using OSPF as your IGP, use the interface connected closest to the RADIUS server. You can bind all outgoing RADIUS requests to a single source IP e.g. the loopback interface.
Source IPv4 address used in all RADIUS server queires.
Note
The source-address
must be configured to that of an interface.
Best practice would be a loopback or dummy interface.
RADIUS advanced options
Configure RADIUS <server> and its required port for authentication requests.
Mark RADIUS server as offline for this given <time> in seconds.
Temporary disable this RADIUS server.
Timeout to wait reply for Interim-Update packets. (default 3 seconds)
Specifies IP address for Dynamic Authorization Extension server (DM/CoA)
Port for Dynamic Authorization Extension server (DM/CoA)
Secret for Dynamic Authorization Extension server (DM/CoA)
Maximum number of tries to send Access-Request/Accounting-Request queries
Timeout to wait response from server (seconds)
Value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests.
Value to send to RADIUS server in NAS-IP-Address attribute and to be matched in DM/CoA requests. Also DM/CoA server will bind to that address.
Source IPv4 address used in all RADIUS server queires.
Specifies which RADIUS server attribute contains the rate limit information. The default attribute is Filter-Id.
Note
If you set a custom RADIUS attribute you must define it on both dictionaries on the RADIUS server and client.
Enables bandwidth shaping via RADIUS.
Specifies the vendor dictionary. This dictionary needs to be present in /usr/share/accel-ppp/radius.
Received RADIUS attributes have a higher priority than parameters defined within the CLI configuration, refer to the explanation below.
Allocation clients ip addresses by RADIUS
If the RADIUS server sends the attribute Framed-IP-Address
then this IP
address will be allocated to the client and the option default-pool
within
the CLI config will be ignored.
If the RADIUS server sends the attribute Framed-Pool
, then the IP address
will be allocated from a predefined IP pool whose name equals the attribute
value.
If the RADIUS server sends the attribute Stateful-IPv6-Address-Pool
, the
IPv6 address will be allocated from a predefined IPv6 pool prefix
whose
name equals the attribute value.
If the RADIUS server sends the attribute Delegated-IPv6-Prefix-Pool
, an
IPv6 delegation prefix will be allocated from a predefined IPv6 pool
delegate
whose name equals the attribute value.
Note
Stateful-IPv6-Address-Pool
and Delegated-IPv6-Prefix-Pool
are defined in
RFC6911. If they are not defined in your RADIUS server, add new dictionary.
The client’s interface can be put into a VRF context via a RADIUS Access-Accept
packet, or changed via RADIUS CoA. Accel-VRF-Name
is used for these
purposes. This is a custom ACCEL-PPP attribute. Define it in your RADIUS
server.
Renaming clients interfaces by RADIUS
If the RADIUS server uses the attribute NAS-Port-Id
, ppp tunnels will be
renamed.
Note
The value of the attribute NAS-Port-Id
must be less than 16
characters, otherwise the interface won’t be renamed.
Configuring LNS (L2TP Network Server)
LNS are often used to connect to a LAC (L2TP Access Concentrator).
Sent to the client (LAC) in the Host-Name attribute
To explain the usage of LNS follow our blueprint PPPoE over L2TP.
IPv6
Specifies IPv6 negotiation preference.
require - Require IPv6 negotiation
prefer - Ask client for IPv6 negotiation, do not fail if it rejects
allow - Negotiate IPv6 only if client requests
deny - Do not negotiate IPv6 (default value)
Use this comand to set the IPv6 address pool from which an l2tp client will get an IPv6 prefix of your defined length (mask) to terminate the l2tp endpoint at their side. The mask length can be set between 48 and 128 bits long, the default value is 64.
Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on l2tp. You will have to set your IPv6 pool and the length of the delegation prefix. From the defined IPv6 pool you will be handing out networks of the defined length (delegation-prefix). The length of the delegation prefix can be between 32 and 64 bits long.
Use this command to define default IPv6 address pool name.
set vpn l2tp remote-access ppp-options ipv6 allow
set vpn l2tp remote-access client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56'
set vpn l2tp remote-access client-ipv6-pool IPv6-POOL prefix '2001:db8:8002::/48' mask '64'
set vpn l2tp remote-access default-ipv6-pool IPv6-POOL
IPv6 Advanced Options
Accept peer interface identifier. By default this is not defined.
Specifies if a fixed or random interface identifier is used for IPv6. The default is fixed.
random - Random interface identifier for IPv6
x:x:x:x - Specify interface identifier for IPv6
Specifies the peer interface identifier for IPv6. The default is fixed.
random - Random interface identifier for IPv6
x:x:x:x - Specify interface identifier for IPv6
ipv4-addr - Calculate interface identifier from IPv4 address.
calling-sid - Calculate interface identifier from calling-station-id.
Scripting
Script to run when the session interface is changed by RADIUS CoA handling
Script to run when the session interface is about to terminate
Script to run before the session interface comes up
Advanced Options
Authentication Advanced Options
Disable <user> account.
Assign a static IP address to <user> account.
Rate limit the download bandwidth for <user> to <bandwidth> kbit/s.
Rate limit the upload bandwidth for <user> to <bandwidth> kbit/s
Client IP Pool Advanced Options
PPP Advanced Options
Disable Compression Control Protocol (CCP). CCP is enabled by default.
Specifies number of interfaces to cache. This prevents interfaces from being removed once the corresponding session is destroyed. Instead, interfaces are cached for later use in new sessions. This should reduce the kernel-level interface creation/deletion rate. Default value is 0.
Specifies IPv4 negotiation preference.
require - Require IPv4 negotiation
prefer - Ask client for IPv4 negotiation, do not fail if it rejects
allow - Negotiate IPv4 only if client requests (Default value)
deny - Do not negotiate IPv4
Defines the maximum <number> of unanswered echo requests. Upon reaching the value <number>, the session will be reset. Default value is 3.
If this option is specified and is greater than 0, then the PPP module will send LCP echo requests every <interval> seconds. Default value is 30.
Specifies timeout in seconds to wait for any peer activity. If this option is specified it turns on adaptive lcp echo functionality and “lcp-echo-failure” is not used. Default value is 0.
Defines the minimum acceptable MTU. If a client tries to negotiate an MTU lower than this it will be NAKed, and disconnected if it rejects a greater MTU. Default value is 100.
Specifies MPPE negotiation preference.
require - ask client for mppe, if it rejects drop connection
prefer - ask client for mppe, if it rejects don’t fail. (Default value)
deny - deny mppe
Default behavior - don’t ask the client for mppe, but allow it if the client wants. Please note that RADIUS may override this option with the MS-MPPE-Encryption-Policy attribute.
Global Advanced options
Maximum accepted connection rate (e.g. 1/min, 60/sec)
Maximum number of concurrent session start attempts
Connected clients should use <address> as their DNS server. This command accepts both IPv4 and IPv6 addresses. Up to two nameservers can be configured for IPv4, up to three for IPv6.
Monitoring
vyos@vyos:~$ show l2tp-server sessions
ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes
--------+----------+---------------+-----+--------+-------------+------------+--------+----------+----------+----------
l2tp0 | test | 192.168.255.3 | | | 192.168.0.36 | | active | 02:01:47 | 7.7 KiB | 1.2 KiB
vyos@vyos:~$ show l2tp-server statistics
uptime: 0.02:49:49
cpu: 0%
mem(rss/virt): 5920/100892 kB
core:
mempool_allocated: 133202
mempool_available: 131770
thread_count: 1
thread_active: 1
context_count: 5
context_sleeping: 0
context_pending: 0
md_handler_count: 3
md_handler_pending: 0
timer_count: 0
timer_pending: 0
sessions:
starting: 0
active: 0
finishing: 0
l2tp:
tunnels:
starting: 0
active: 0
finishing: 0
sessions (control channels):
starting: 0
active: 0
finishing: 0
sessions (data channels):
starting: 0
active: 0
finishing: 0