LT2P over IPsec

LT2P over IPsec

This recipe provides an example configuration of LT2P over IPsec. A locally defined user is used for authentication, a Windows PC or Android tablet is acting as the client, and net-device is set to enable in the phase1-interface settings. If net-device is set to disable, only one device can establish an L2TP over IPsec tunnel behind the same NAT device.

The following shows the network topology for this example:

To configure LT2P over an IPsec tunnel using the CLI:

  1. Configure the WAN interface and static route on HQ:

config system interface edit “port9” set alias “WAN” set ip 22.1.1.1 255.255.255.0

next edit “port10” set alias “Internal” set ip 172.16.101.1 255.255.255.0

next

end

config router static edit 1 set gateway 22.1.1.2 set device “port9”

next end

  1. Configure IPsec phase1-interface and phase2-interface on HQ:

config vpn ipsec phase1-interface edit “L2tpoIPsec” set type dynamic set interface “port9” set peertype any

set proposal aes256-md5 3des-sha1 aes192-sha1 set dpd on-idle set dhgrp 2 set net-device enable set psksecret sample set dpd-retryinterval 60

next

end

config vpn ipsec phase2-interface edit “L2tpoIPsec” set phase1name “L2tpoIPsec”

set proposal aes256-md5 3des-sha1 aes192-sha1 set pfs disable

set encapsulation transport-mode

set l2tp enable

next

end

  1. Configure a user and user group on HQ:

config user local edit “usera” set type password set passwd usera

next

end config user group edit “L2tpusergroup” set member “usera”

next

end

  1. Configure L2TP on HQ:

config vpn l2tp set status enable set eip 10.10.10.100 set sip 10.10.10.1 set usrgrp “L2tpusergroup”

end

  1. Configure a firewall address, that is applied in L2TP settings to assign IP addresses to clients once the L2TP tunnel is established:

config firewall address edit “L2TPclients” set type iprange set start-ip 10.10.10.1 set end-ip 10.10.10.100

next end

  1. Configure a firewall policy:

config firewall policy edit 1 set name “Bridge_IPsec_port9_for_l2tp negotiation” set srcintf “L2tpoIPsec” set dstintf “port9” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “L2TP”

next edit 2 set srcintf “L2tpoIPsec” set dstintf “port10” set srcaddr “L2TPclients” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL” set nat enable

next

end

  1. Optionally, view the VPN tunnel list on HQ with the diagnose vpn tunnel list command:

list all ipsec tunnel in vd 0

—-

name=L2tpoIPsec_0 ver=1 serial=8 22.1.1.1:0->10.1.100.15:0

bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/216 options[00d8]=npu create_dev no-sysctl rgwy-chg

parent=L2tpoIPsec index=0

proxyid_num=1 child_num=0 refcnt=13 ilast=0 olast=0 ad=/0 stat: rxp=470 txp=267 rxb=57192 txb=12679

dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=L2tpoIPsec proto=17 sa=1 ref=3 serial=1 transport-mode add-route

src: 17:22.1.1.1-22.1.1.1:1701 dst: 17:10.1.100.15-10.1.100.15:0

SA: ref=3 options=1a6 type=00 soft=0 mtu=1470 expire=2339/0B replaywin=2048 seqno=10c esn=0 replaywin_lastseq=000001d6 itn=0

life: type=01 bytes=0/0 timeout=3585/3600

dec: spi=ca646443 esp=3des key=24 af62a0fffe85d3d534b5bfba29307aafc8bfda5c3f4650dc ah=sha1 key=20 89b4b67688bed9be49fb86449bb83f8c8d8d7432

enc: spi=700d28a0 esp=3des key=24 5f68906eca8d37d853814188b9e29ac4913420a9c87362c9 ah=sha1 key=20 d37f901ffd0e6ee1e4fdccebc7fdcc7ad44f0a0a

dec:pkts/bytes=470/31698, enc:pkts/bytes=267/21744

npu_flag=00 npu_rgwy=10.1.100.15 npu_lgwy=22.1.1.1 npu_selid=6 dec_npuid=0 enc_npuid=0

—-

name=L2tpoIPsec_1 ver=1 serial=a 22.1.1.1:4500->22.1.1.2:64916

bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/472 options[01d8]=npu create_dev no-sysctl rgwy-chg rport-chg

parent=L2tpoIPsec index=1

proxyid_num=1 child_num=0 refcnt=17 ilast=2 olast=2 ad=/0 stat: rxp=5 txp=4 rxb=592 txb=249

dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0

natt: mode=keepalive draft=32 interval=10 remote_port=64916 proxyid=L2tpoIPsec proto=17 sa=1 ref=3 serial=1 transport-mode add-route

src: 17:22.1.1.1-22.1.1.1:1701 dst: 17:22.1.1.2-22.1.1.2:0

SA: ref=3 options=1a6 type=00 soft=0 mtu=1454 expire=28786/0B replaywin=2048 seqno=5 esn=0 replaywin_lastseq=00000005 itn=0

life: type=01 bytes=0/0 timeout=28790/28800 dec: spi=ca646446 esp=aes key=32

ea60dfbad709b3c63917c3b7299520ff7606756ca15d2eb7cbff349b6562172e ah=md5 key=16 2f2acfff0b556935d0aab8fc5725c8ec

enc: spi=0b514df2 esp=aes key=32

a8a92c2ed0e1fd7b6e405d8a6b9eb3be5eff573d80be3f830ce694917d634196 ah=md5 key=16 e426c33a7fe9041bdc5ce802760e8a3d

dec:pkts/bytes=5/245, enc:pkts/bytes=4/464

npu_flag=00 npu_rgwy=22.1.1.2 npu_lgwy=22.1.1.1 npu_selid=8 dec_npuid=0 enc_npuid=0

  1. Optionally, view the L2TP VPN status, by enabling debug (diagnose debug enable), then using the diagnose vpn l2tp status command:

—-

—-

HQ # Num of tunnels: 2

—-

Tunnel ID = 1 (local id), 42 (remote id) to 10.1.100.15:1701 control_seq_num = 2, control_rec_seq_num = 4,

last recv pkt = 2

Call ID = 1 (local id), 1 (remote id), serno = 0, dev=ppp1, assigned ip = 10.10.10.2 data_seq_num = 0,

tx = 152 bytes (2), rx= 21179 bytes (205)

Tunnel ID = 3 (local id), 34183 (remote id) to 22.1.1.2:58825 control_seq_num = 2, control_rec_seq_num = 4,

last recv pkt = 2

Call ID = 3 (local id), 18820 (remote id), serno = 2032472593, dev=ppp2, assigned ip = 10.10.10.3 data_seq_num = 0,

tx = 152 bytes (2), rx= 0 bytes (0)

—-

–VD 0: Startip = 10.10.10.1, Endip = 10.10.10.100 enforece-ipsec = false

—-

To configure LT2P over an IPsec tunnel using the GUI:

  1. Go to VPN > IPsec Wizard.
  2. Enter a name for the VPN in the Name In this example L2tpoIPsec is used.
  3. Set the following, then click Next: l Template Type to Remote Access l Remote Device Type to Native and Windows Native
  4. Set the following, then click Next:
    • Incoming Interface to port9 l Authentication Method to Pre-shared Key l Pre-shared Key to your-psk l UserGroup to L2tpusergroup
  5. Set the following, then click Create: l Local Interface as port10 l Local Address as 16.101.0
    • Client Address Range as 10.10.1-10.10.10.100 l Subnet Mask is left as its default value.

VxLAN over IPsec tunnel

This recipe provides an example configuration of VxLAN over IPsec tunnel. VxLAN encapsulation is used in the phase1-interface setting and virtual-switch is used to bridge the internal with VxLAN over IPsec tunnel.

The following shows the network topology for this example:

To configure GRE over an IPsec tunnel:

  1. Configure the WAN interface and default route:
  2. HQ1:

config system interface edit “port1” set ip 172.16.200.1 255.255.255.0

next

end config router static edit 1 set gateway 172.16.200.3 set device “port1”

next

end

  1. HQ2:

config system interface edit “port25” set ip 172.16.202.1 255.255.255.0

next

end config router static edit 1 set gateway 172.16.202.2 set device “port25”

next

end

  1. Configure IPsec phase1-interface:
  2. HQ1:

config vpn ipsec phase1-interface edit “to_HQ2” set interface “port1” set peertype any

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set encapsulation vxlan

set encapsulation-address ipv4 set encap-local-gw4 172.16.200.1 set encap-remote-gw4 172.16.202.1 set remote-gw 172.16.202.1 set psksecret sample

next

end

config vpn ipsec phase2-interface edit “to_HQ2” set phase1name “to_HQ2”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 next

end

  1. HQ2:

config vpn ipsec phase1-interface edit “to_HQ1” set interface “port25” set peertype any

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set encapsulation vxlan set encapsulation-address ipv4 set encap-local-gw4 172.16.202.1 set encap-remote-gw4 172.16.200.1 set remote-gw 172.16.200.1 set psksecret sample

next

end

config vpn ipsec phase2-interface edit “to_HQ1” set phase1name “to_HQ1”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 next

end

  1. Configure the firewall policy:
  2. HQ1:

config firewall policy edit 1 set srcintf “dmz” set dstintf “to_HQ2” set srcaddr “10.1.100.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next edit 2 set srcintf “to_HQ2” set dstintf “dmz” set srcaddr “10.1.100.0” set dstaddr “10.1.100.0” set action accept

set schedule “always” set service “ALL”

next

end

  1. HQ2:

config firewall policy edit 1 set srcintf “port9” set dstintf “to_HQ1” set srcaddr “10.1.100.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next edit 2 set srcintf “to_HQ1” set dstintf “port9” set srcaddr “10.1.100.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next

end

  1. Configure the virtual switch:
    1. HQ1:

config system switch-interface edit “vxlan-HQ2” set member “dmz” “to_HQ2” set intra-switch-policy explicit

next

end

  1. HQ2:

config system switch-interface edit “vxlan-HQ1” set member “port9” “to_HQ1” set intra-switch-policy explicit

next

end

  1. Optionally, view the VPN tunnel list on HQ1 with the diagnose vpn tunnel list command:

list all ipsec tunnel in vd 0

—-

name=to_HQ2 ver=1 serial=2 172.16.200.1:0->172.16.202.1:0

bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=VXLAN/2 options[0002]= encap-addr: 172.16.200.1->172.16.202.1

proxyid_num=1 child_num=0 refcnt=11 ilast=8 olast=0 ad=/0 stat: rxp=13 txp=3693 rxb=5512 txb=224900

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=45 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=to_HQ2 proto=0 sa=1 ref=2 serial=1

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=10226 type=00 soft=0 mtu=1390 expire=41944/0B replaywin=2048 seqno=e6e esn=0 replaywin_lastseq=0000000e itn=0

life: type=01 bytes=0/0 timeout=42901/43200

dec: spi=635e9bb1 esp=aes key=16 c8a374905ef9156e66504195f46a650c ah=sha1 key=20 a09265de7d3b0620b45441fb5af44dab125f2afe

enc: spi=a4d0cd1e esp=aes key=16 e9d0f3f0bb7e15a833f80c42615a3b91 ah=sha1 key=20 609a315c385471b8909b771c76e4fa7214996e50

dec:pkts/bytes=13/4640, enc:pkts/bytes=3693/623240

  1. Optionally, view the bridge control interface on HQ1 with the diagnose netlink brctl name host vxlan-HQ1 command:

show bridge control interface vxlan-HQ1 host.

fdb: size=2048, used=17, num=17, depth=1 Bridge vxlan-a host table

port no device devname mac addr                ttl     attributes

1      1.       dmz     00:0c:29:4e:33:c9        1.        Hit(1)

1      1.       dmz     00:0c:29:a8:c3:ea       105      Hit(105)

1      1.       dmz     90:6c:ac:53:76:29       18       Hit(18)

1      1.       dmz     08:5b:0e:dd:69:cb        1.       Local Static

1      1.       dmz     90:6c:ac:84:3e:5d        1.        Hit(5)

  • dmz    00:0b:fd:eb:21:d6   1.     Hit(0)
  • 38 to_HQ2 56:45:c3:3f:57:b4        Local Static
  • dmz    00:0c:29:d2:66:40   78     Hit(78)
  • 38 to_HQ2 90:6c:ac:5b:a6:eb   124    Hit(124)

1      1.       dmz     00:0c:29:a6:bc:e6       19       Hit(19)

1      1.       dmz     00:0c:29:f0:a2:e7        1.        Hit(0)

1      1.       dmz     00:0c:29:d6:c4:66       164      Hit(164)

1      1.       dmz     00:0c:29:e7:68:19        1.        Hit(0)

1      1.       dmz     00:0c:29:bf:79:30       19       Hit(19)

1      1.       dmz     00:0c:29:e0:64:7d        1.        Hit(0)

1      1.       dmz     36:ea:c7:30:c0:f1       25       Hit(25)

1      1.       dmz     36:ea:c7:30:cc:71        1.        Hit(0)

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.