Setting up a L2TP/IPsec VPN and firewall on a Ruggedcom RX1500

NOTE: This post has a number of mistakes in it - please refer to the new post on this subject.

This quick howto explains the setup required to get a basic L2TP/IPsec VPN up and running between the native Windows 7/8 client and a Ruggedcom RX1500 Backbone Router (and hopefully explains it better than the manual does).

First, make sure all the connected systems have the same time! Some authentication methods (certificates in particular) check validity times, and even with the pre-shared key used here it is best to get the clocks right up front so that clock skew can be ruled out when troubleshooting.

Network setup:

To keep things easy, we will stick with some of the defaults that come out of the box on the RX1500: our 'outside' network is the 192.168.0.0/24 subnet (vlan 1, with the RX1500 itself on 192.168.0.2), and we will create a 'local' (inside, for Cisco people) subnet 192.168.10.0/24 on vlan 100, with the vlan 100 interface addressed as 192.168.10.2 (to keep it consistent). We will need two hosts attached to the switch, one in each vlan. I have used 192.168.0.1 (the Windows client, vlan 1) and 192.168.10.10 (an internal host, vlan 100) for my test hosts.

Once we have assigned interface(s) to vlans 1 (done by default) and 100, and assigned the appropriate IP addresses to the vlan interfaces, we are ready to set up IPsec.

Create the tunnel configuration, which should look similar to the following:

tunnel
 ipsec
  enabled
  no nat-traversal				#not needed here: no NAT between the client and the RX1500
  no keep-alive
  preshared-key any 192.168.0.2			#one PSK for any remote peer connecting to 192.168.0.2
   key $4$1YY/e9pJkScV5vRtpbVtdoezEr8LauNhae3wEYv7mhg=
  !
  connection ipsec1
   startup         add				#add seems to be important!
   authenticate    secret
   connection-type transport			#when using L2TP, we use transport mode
   pfs             no				#the Windows client does not do PFS by default
   l2tp
   ike algorithm aes128 sha1 modp1024		#the Windows client proposes this particular combination
   !
   esp modpgroup modp1024
   esp algorithm aes128 sha1
   !
   left
    public-ip type address
    public-ip value 192.168.0.2			#our public-facing IP
    subnet 192.168.0.2/32			#we seem to need to have this...
    !
    subnet 192.168.10.0/24			#the IP range of our internal network
    !
   !
   right
    public-ip type any				#allow access from any IP address
    subnet 192.168.0.1/32			#unfortunately, Windows seems to want the client address specified here,
						#which could be very inconvenient for roaming clients. I would like to know how to avoid this.
    !
   !
  !
 !
!

At this stage we should be able to create an IPsec tunnel to the switch. If we run tunnel ipsec status in config mode at the command line, we should see something like this at the bottom:

000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "ipsec1/1x0": 192.168.0.2/32===192.168.0.2[+S=C]:17/1701...%any[+S=C]:17/1701===192.168.0.1/32; unrouted; eroute owner: #0
000 "ipsec1/1x0": myip=unset; hisip=unset;
000 "ipsec1/1x0": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "ipsec1/1x0": policy: PSK+ENCRYPT+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: switch.0001;
000 "ipsec1/1x0": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "ipsec1/1x0": aliases: ipsec1
000 "ipsec1/1x0": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1024(2); flags=-strict
000 "ipsec1/1x0": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "ipsec1/1x0": ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
000 "ipsec1/1x0": ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000 "ipsec1/2x0": 192.168.10.0/24===192.168.0.2[+S=C]:17/1701...%any[+S=C]:17/1701===192.168.0.1/32; unrouted; eroute owner: #0
000 "ipsec1/2x0": myip=unset; hisip=unset;
000 "ipsec1/2x0": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "ipsec1/2x0": policy: PSK+ENCRYPT+IKEv2ALLOW+lKOD+rKOD; prio: 24,32; interface: switch.0001;
000 "ipsec1/2x0": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "ipsec1/2x0": aliases: ipsec1
000 "ipsec1/2x0": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1024(2); flags=-strict
000 "ipsec1/2x0": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "ipsec1/2x0": ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
000 "ipsec1/2x0": ESP algorithms loaded: AES(12)_128-SHA1(2)_160

If you only see

000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}

something isn't right (check that all the interfaces are up and that your IPsec config is committed and valid). Seeing unrouted and newest IPsec SA: #0 in the full listing is expected at this point: with startup add the connection is only loaded, and an SA appears once the Windows client initiates.
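As an added check (example code, not from the original post or from Ruggedcom), the following Python parses the status listing above, copied here as a constructed sample, and flags a missing connection, a loaded proposal that differs from the one the Windows client needs, and the dated algorithms (modp1024, SHA1) that this client/firmware combination forces on us. The field names it extracts and the WEAK table are my own choices.

```python
import re

# Constructed sample: a trimmed copy of the `tunnel ipsec status` output shown above.
SAMPLE_STATUS = """\
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "ipsec1/1x0": 192.168.0.2/32===192.168.0.2[+S=C]:17/1701...%any[+S=C]:17/1701===192.168.0.1/32; unrouted; eroute owner: #0
000 "ipsec1/1x0": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "ipsec1/1x0": policy: PSK+ENCRYPT+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: switch.0001;
000 "ipsec1/1x0": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "ipsec1/1x0": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1024(2); flags=-strict
000 "ipsec1/1x0": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "ipsec1/1x0": ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
000 "ipsec1/1x0": ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000 "ipsec1/2x0": 192.168.10.0/24===192.168.0.2[+S=C]:17/1701...%any[+S=C]:17/1701===192.168.0.1/32; unrouted; eroute owner: #0
000 "ipsec1/2x0": policy: PSK+ENCRYPT+IKEv2ALLOW+lKOD+rKOD; prio: 24,32; interface: switch.0001;
000 "ipsec1/2x0": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "ipsec1/2x0": ESP algorithms loaded: AES(12)_128-SHA1(2)_160
"""

# Only the per-connection lines carry a quoted connection name.
CONN_LINE = re.compile(r'^000 "(?P<name>[^"]+)": (?P<rest>.*)$')

# Algorithms that still work with the Windows client but are below current guidance (my table).
WEAK = {
    "MODP1024": "1024-bit DH group; prefer modp2048 or better where the client allows",
    "SHA1": "SHA1 integrity; prefer SHA2 where the client allows",
    "3DES": "3DES; replace with AES",
}

def parse_ipsec_status(text):
    """Return {connection name: {field: value}} from `tunnel ipsec status` output."""
    conns = {}
    for line in text.splitlines():
        m = CONN_LINE.match(line)
        if not m:
            continue                      # stats line, bare '000', or anything else
        conn = conns.setdefault(m.group("name"), {})
        rest = m.group("rest")
        if "===" in rest:                 # selector line: left===...===right; state; eroute owner
            parts = [p.strip() for p in rest.split(";")]
            conn["selector"] = parts[0]
            conn["state"] = parts[1] if len(parts) > 1 else ""
            continue
        for field in rest.split(";"):     # 'key: value' or 'key=value' pairs
            field = field.strip()
            sep = ":" if ":" in field else "="
            if sep not in field:
                continue
            key, _, val = field.partition(sep)
            conn[key.strip().lower()] = val.strip()
    return conns

def algorithms(spec):
    """'AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)' -> [('AES_CBC', 128), ('SHA1', 160), ('MODP1024', 0)]."""
    out = []
    for token in spec.split("-"):
        size = re.search(r"\)_(\d+)", token)
        out.append((token.split("(")[0], int(size.group(1)) if size else 0))
    return out

def check_ipsec_status(text, expected_ike=("AES_CBC", "SHA1", "MODP1024"), expected_esp=("AES", "SHA1")):
    """Findings (ERROR/WARN/INFO strings) for the status output; ERRORs mean the tunnel will not come up as intended."""
    conns = parse_ipsec_status(text)
    findings = []
    if not conns:
        findings.append("ERROR: no connections loaded (only the db_ops stats line): "
                        "check the interfaces are up and the IPsec config is committed")
        return findings
    for name, conn in sorted(conns.items()):
        for label, field, expected in (("IKE", "ike algorithms found", expected_ike),
                                       ("ESP", "esp algorithms loaded", expected_esp)):
            spec = conn.get(field)
            if spec is None:
                findings.append(f"ERROR: {name}: {label} proposal was not loaded")
                continue
            names = tuple(n for n, _ in algorithms(spec))
            if names != tuple(expected):
                findings.append(f"ERROR: {name}: {label} proposal {names} differs from expected {tuple(expected)}")
            for alg in names:
                if alg in WEAK:
                    findings.append(f"WARN: {name}: {label} uses {alg}: {WEAK[alg]}")
        if "PSK" not in conn.get("policy", ""):
            findings.append(f"ERROR: {name}: policy is not PSK-authenticated: {conn.get('policy')}")
        if conn.get("state") == "unrouted" and conn.get("newest ipsec sa", "#0") == "#0":
            findings.append(f"INFO: {name}: loaded but no SA yet ({conn.get('selector')}); "
                            "expected with 'startup add' until the client connects")
    return findings

if __name__ == "__main__":
    for finding in check_ipsec_status(SAMPLE_STATUS):
        print(finding)
```

Paste the real output of tunnel ipsec status into SAMPLE_STATUS (or read it from a file) and the ERROR lines tell you whether the connection is loaded with the proposal the Windows client will offer; the WARN lines are the trade-off you are accepting to interoperate with that client.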

Next, we need to enable L2TP and configure IPs for the tunnel endpoints. Because our internal net is 192.168.10.0/24, we will hand out addresses from this range to our clients, so we must be sure these IPs aren't in use on the internal network! Alternatively, we could assign a different range, but then the devices on the internal network would need a route back to that range (e.g. a default route via 192.168.10.2) so they can answer our pings. For this example, we will use 192.168.10.100 for the First IP Address, leave the Local IP Address blank, and set the max number of connections to 3. This means 192.168.10.100-192.168.10.104 can't be used internally!

After making these changes, the l2tp configuration should look like:

tunnel
 l2tp
  enabled
  first-ip 192.168.10.100
  max-connection 3
  ppp auth-local
 !
!

The final step is to add some users for authentication (this bit doesn't seem to be mentioned in the manual). In the global settings, add some PPP dial-in profiles; each profile is a username/password pair for the PPP authentication, and the password lives in the device configuration, so use a strong one rather than the placeholder below. For example:

global
 ppp profiles
  dial-in profile1
   password password1
  !
 !
!

Now we need to configure our Windows 7 client on 192.168.0.1:

Set up a new L2TP/IPsec VPN connection to 192.168.0.2, enter the pre-shared key created above in the connection's security settings, and allow only the MS-CHAPv2 authentication protocol. You may also want to enable split tunnelling (untick 'Use default gateway on remote network' in the IPv4 advanced settings) so that only traffic for the inside network goes over the tunnel. You should now be able to connect the VPN and ping the device on 192.168.10.10! Note that the route to 192.168.10.0/24 via 192.168.10.100 was added automagically because we defined it in the left-side subnet earlier (it also matches the class-based route Windows adds for the address it was assigned). Two caveats: MS-CHAPv2 on its own is weak (its handshake can be cracked offline), so the security of this setup rests on the IPsec layer, which in turn is only as strong as the pre-shared key, so use a long random PSK; and if either end sits behind NAT you will need nat-traversal turned on (and udp/4500 allowed through the firewall below).

Now that we have a successful VPN, we can go about turning on the firewall...

The following is based on the advice from http://www.shorewall.net/IPSEC-2.6.html

Create a firewall configuration and add the following zones:

zone	type
net	ipv4		#traffic to/from the outside network, i.e. 192.168.0.0/24 in our case
vpn	ipsec		#traffic to/from ipsec hosts (decrypted traffic that arrived inside an SA)
l2tp	ipv4		#traffic to/from the l2tp tunnels
loc	ipv4		#traffic to/from the local/inside subnet, i.e. 192.168.10.0/24 in our case
fw	firewall	#traffic to/from the RX1500 itself

Next, add the interfaces to the zones:

interface	zone
switch.0001	net	#vlan 1
switch.0100	loc	#vlan 100
ppp+		l2tp	#the l2tp interfaces (the + is a wildcard, so this covers ppp-l2tp-0, ppp-l2tp-1, ppp-l2tp-2, etc.)

And we also need to add a host which defines the vpn:

name	ipsec	zone	interface	ip address list
vpn	yes	vpn	switch.0001	0.0.0.0/0

This means that IPv4 traffic on interface switch.0001 belongs to the net zone by default, unless it arrived encrypted inside IPsec, in which case it is put into the vpn zone after decryption. Once the L2TP tunnel is up, traffic inside it arrives on a ppp interface and so belongs to the l2tp zone.

Next, create the policies - these define the default action for new connections between zones (first match wins, so the order matters):

name		src-zone	dest-zone	policy
fw2all		fw		all		accept	#allow traffic originated by the RX1500 itself
loc2net		loc		net		reject	#set to accept if you want to allow loc to net traffic
loc2l2tp	loc		l2tp		accept	#allow local traffic to the l2tp tunnel
l2tp2loc	l2tp		loc		accept	#allow l2tp traffic to the local/inside subnet
l2tp2net	l2tp		net		reject	#could be set to accept, but we don't need it for this case
net2all		net		all		drop	#default case for net traffic
all2all		all		all		reject	#default for all other traffic (note: this also rejects loc to fw, i.e. admin access from the inside subnet, unless you add a policy or rule for it)

Next we need to create some rules - exceptions to the policies, which are checked before the policies. The important pair is netl2tp/vpnl2tp: the L2TP port on the RX1500 is only reachable from the vpn zone, so an outside host cannot reach the L2TP/PPP layer (and its MS-CHAPv2 logins) without first completing IKE with the pre-shared key:

name		policy		src-zone	dest-zone	protocol/port (d = dest, s = src)
netl2tp		reject		net		fw		l2tp		#reject plaintext l2tp connections from net (must be over ipsec)
fwl2tp		reject		fw		net		udp/1701s	#same as above in the opposite direction
vpnl2tp		accept		vpn		fw		udp/1701d	#accept only l2tp traffic that arrived over ipsec
netfwping	accept		net		fw		icmp		#accept pings
netfwhttpssh	accept		net		fw		tcp/443d,22d	#accept web traffic, ssh for admin
netfwipsec1	accept		net		fw		udp/500		#IKE (udp/4500 would also be needed if nat-traversal were enabled)
netfwipsec2	accept		net		fw		ah,esp		#the IPsec protocols themselves
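To check that these tables do what we intend before committing them, here is an added Python model (my own code, not part of the original post or of the RX1500 firmware) of the zone, policy and rule tables above with Shorewall-style first-match semantics, run over a handful of constructed flows. It assumes that the device's l2tp protocol keyword means UDP port 1701 and that the + wildcard is a prefix match, as it is in Shorewall.

```python
"""Model of the zone/policy/rule tables above (Shorewall-style: rules first, then policies, first match wins)."""
from dataclasses import dataclass
from typing import Optional

# Interface -> zone map and the ipsec host entry, copied from the tables above.
INTERFACES = [("switch.0001", "net"), ("switch.0100", "loc"), ("ppp+", "l2tp")]
IPSEC_HOSTS = [("vpn", "switch.0001")]          # (zone, interface): decrypted traffic on this interface

# Policies in table order: first match wins.
POLICIES = [
    ("fw", "all", "accept"), ("loc", "net", "reject"), ("loc", "l2tp", "accept"),
    ("l2tp", "loc", "accept"), ("l2tp", "net", "reject"), ("net", "all", "drop"),
    ("all", "all", "reject"),
]

# Rules are checked before policies. The device's "l2tp" protocol keyword is modelled
# as UDP destination port 1701 (an assumption about that keyword).
RULES = [
    # name, action, src zone, dst zone, proto, dst ports, src ports
    ("netl2tp",      "reject", "net", "fw",  "udp",  {1701},    None),
    ("fwl2tp",       "reject", "fw",  "net", "udp",  None,      {1701}),
    ("vpnl2tp",      "accept", "vpn", "fw",  "udp",  {1701},    None),
    ("netfwping",    "accept", "net", "fw",  "icmp", None,      None),
    ("netfwhttpssh", "accept", "net", "fw",  "tcp",  {22, 443}, None),
    ("netfwipsec1",  "accept", "net", "fw",  "udp",  {500},     None),
    ("netfwipsec2",  "accept", "net", "fw",  "ah",   None,      None),
    ("netfwipsec2",  "accept", "net", "fw",  "esp",  None,      None),
]

@dataclass
class Flow:
    in_iface: Optional[str]      # None: generated by the RX1500 itself
    out_iface: Optional[str]     # None: delivered to the RX1500 itself
    proto: str
    dport: Optional[int] = None
    sport: Optional[int] = None
    ipsec: bool = False          # True: arrived inside an ESP/AH SA and was decapsulated

def iface_matches(pattern, iface):
    """Shorewall-style wildcard: a trailing '+' matches any interface with that prefix."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface

def zone_of(iface, ipsec=False):
    if iface is None:
        return "fw"
    if ipsec:                    # decrypted packets leave the plain 'net' zone for 'vpn'
        for zone, host_iface in IPSEC_HOSTS:
            if iface_matches(host_iface, iface):
                return zone
    for pattern, zone in INTERFACES:
        if iface_matches(pattern, iface):
            return zone
    raise ValueError(f"{iface} is in no zone")

def zone_matches(pattern, zone):
    return pattern == "all" or pattern == zone

def evaluate(flow):
    """Return (action, reason) for a new connection: rules first, then policies."""
    src, dst = zone_of(flow.in_iface, flow.ipsec), zone_of(flow.out_iface)
    for name, action, s, d, proto, dports, sports in RULES:
        if (zone_matches(s, src) and zone_matches(d, dst) and proto == flow.proto
                and (dports is None or flow.dport in dports)
                and (sports is None or flow.sport in sports)):
            return action, f"rule {name}"
    for s, d, action in POLICIES:
        if zone_matches(s, src) and zone_matches(d, dst):
            return action, f"policy {s}2{d}"
    return "reject", "implicit"

# Constructed test flows for the scenario in the post.
SAMPLE_FLOWS = {
    "IKE from the Windows client":          Flow("switch.0001", None, "udp", dport=500),
    "ESP from the Windows client":          Flow("switch.0001", None, "esp"),
    "L2TP in the clear (no IPsec)":         Flow("switch.0001", None, "udp", dport=1701),
    "L2TP inside IPsec":                    Flow("switch.0001", None, "udp", dport=1701, ipsec=True),
    "NAT-T (udp/4500), not enabled here":   Flow("switch.0001", None, "udp", dport=4500),
    "VPN user pinging 192.168.10.10":       Flow("ppp-l2tp-0", "switch.0100", "icmp"),
    "inside host browsing out":             Flow("switch.0100", "switch.0001", "tcp", dport=443),
    "inside host ssh to the RX1500":        Flow("switch.0100", None, "tcp", dport=22),
}

if __name__ == "__main__":
    for label, flow in SAMPLE_FLOWS.items():
        action, why = evaluate(flow)
        print(f"{label:38} {action:7} ({why})")
```

Run it and the two L2TP rows show the intended property: udp/1701 straight from the net zone is rejected, while the same packet arriving inside IPsec is accepted. It also shows two things worth knowing before you deploy: udp/4500 is dropped (fine while nat-traversal is off, but add a rule if you turn it on), and an inside host's SSH to the RX1500 falls through to all2all and is rejected, so add a loc-to-fw policy or rule if you manage the device from the inside subnet.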

Our final firewall configuration should look like this (names might be slightly different):

security
 firewall
  fwconfig default
   fwzone net
    no description
   !
   fwzone vpn
    type ipsec
    no description
   !
   fwzone l2tp
    no description
   !
   fwzone loc
    no description
   !
   fwzone fw
    type firewall
    no description
   !
   fwhost vpn
    zone      vpn
    interface switch.0001
    ipaddress 0.0.0.0/0
    options
     ipsec
    !
    no description
   !
   fwinterface switch.0001
    zone net
    broadcast-addr detect
    options
     routefilter
    !
    no description
   !
   fwinterface switch.0100
    zone loc
    broadcast-addr detect
    no description
   !
   fwinterface ppp+
    zone l2tp
    no description
   !
   fwpolicy fw2all
    source-zone fw
    destination-zone all
    policy accept
    no description
   !
   fwpolicy loc2net
    source-zone loc
    destination-zone net
    no description
   !
   fwpolicy loc2l2tp
    source-zone loc
    destination-zone l2tp
    policy accept
    no description
   !
   fwpolicy l2tp2loc
    source-zone l2tp
    destination-zone loc
    policy accept
    no description
   !
   fwpolicy l2tp2net
    source-zone l2tp
    destination-zone net
    no description
   !
   fwpolicy net2all
    source-zone net
    destination-zone all
    policy    drop
    log-level info
    no description
   !
   fwpolicy all2all
    source-zone all
    destination-zone all
    log-level info
    no description
   !
   fwrule netl2tpreject
    source-zone net
    destination-zone fw
    protocol l2tp
    no description
   !
   fwrule fwl2tpreject
    source-zone fw
    destination-zone net
    protocol     udp
    source-ports 1701
    no description
   !
   fwrule vpnl2tpaccept
    action            accept
    source-zone vpn
    destination-zone fw
    protocol          udp
    destination-ports 1701
    no description
   !
   fwrule netfwping
    action   accept
    source-zone net
    destination-zone fw
    protocol icmp
    no description
   !
   fwrule netfwhttpssh
    action            accept
    source-zone net
    destination-zone fw
    protocol          tcp
    destination-ports 22,443
    no description
   !
   fwrule netfwipsec1
    action            accept
    source-zone net
    destination-zone fw
    protocol          udp
    destination-ports 500
    no description
   !
   fwrule netfwipsec2
    action            accept
    source-zone net
    destination-zone fw
    destination-ports esp,ah
    no description
   !
  !
 !
!

Don't forget to enable the firewall and set the default configuration to active, and we finally have a complete L2TP/IPsec VPN with firewall implementation.

| May 17th, 2013 | Posted in Networking |

6 Responses to “Setting up a L2TP/IPsec VPN and firewall on a Ruggedcom RX1500”

  1. Josh Says:

    Excellent post. I'm trying to follow the directions, but am getting an error when I try to commit saying that ipsec requires a Default Gateway. I will happily admit to being a Juniper guy, and this is my first time trying to get a Ruggedcom configured. I can't for the life of me figure out where to define a Default Gateway.

  2. Raggles Says:

    I don't recall ever getting that error... are you using an RX1500? I'll see if I can take a look on Monday

  3. Josh Says:

    Sorry, I didn't get any notification that you had responded! Yea, using an RX1500.

  4. Josh Says:

    Thanks for being so willing to help. I forgot to let you know that I figured out what was going on. Apparently the device doesn't like being configured in a vacuum. When it cannot reach out and talk to a gateway, it gives you that warning, even if you have one configured. What had to be done to resolve the issue was:

    1 - Place the device on an actual network with an actual gateway running
    2 - Configure a port with a VLAN to talk to that network (Switch > VLANs, then IP > switch.xxxx > ipv4 > Add Address)
    3 - Setup a static route for the Gateway (Routing > static > ipv4 > Add a route for 0.0.0.0/0 > via > enter the real Gateway IP)

    Once I did that, everything started working without issue. Thanks again for the guide, it got me 99% of the way there!

  5. Raggles Says:

    Awesome, glad you got it sorted.

  6. Evgeny Belkin Says:

    It's a very helpful manual. Thank you!
