I need to set up an L2TP/IPsec connection to a remote server. For authentication I should use certificates plus a login and password for the L2TP client.
All works fine if I run my connection on a Windows PC. I imported two certificates into the local store, then created a basic L2TP connection with the login and password and ran it.
Here is the configuration of the L2TP client:
-Encryption – not necessary
-Authentication protocol – PAP
IPsec configuration of the remote server:
For IKE SA (phase 1)
-Encryption algorithm – AES-256
-Data integrity – SHA1
-DH group – Group 2 (1024 bit)
For IPsec SA (phase 2)
-Encryption algorithm – 3DES
-Data integrity – SHA1
But when I configure the L2TP/IPsec VPN on my router, it is not working.
The config of my router is listed below.
Imported certificates
[R] > certificate print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority,
I - issued, R - revoked, E - expired, T - trusted
# NAME COMMON-NAME SUBJECT-ALT-NAME FINGERPRINT
0 K L T c_1 USER srf334fd34f34f3…
1 A T ca_2 323rf34f43rf4f….
L2TP client with security profile for connection
[R] > interface l2tp-client print
Flags: X - disabled, R - running
0 name="l2tp-out1" max-mtu=1400 max-mru=1400 mrru=disabled connect-to=Y.Y.Y.Y
user="USER" password="password" profile=default-encryption
keepalive-timeout=disabled add-default-route=no dial-on-demand=no allow=pap
[R] > ppp profile print
Flags: * - default
3 * name="default-encryption" use-mpls=default use-compression=default use-vj-compression=default use-encryption=yes only-one=default change-tcp-mss=yes address-list=""
Where Y.Y.Y.Y – address of the remote server.
IPsec peer configuration
[R] > ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=Y.Y.Y.Y/32 local-address=X.X.X.X passive=no port=500
auth-method=rsa-signature certificate=cert_1 remote-certificate=ca_2
generate-policy=no policy-template-group=group1 exchange-mode=main-l2tp
send-initial-contact=yes nat-traversal=no hash-algorithm=sha1
enc-algorithm=des,3des,aes-128,aes-256 dh-group=modp1024 lifetime=1d dpd-interval=2m
dpd-maximum-failures=5
Where X.X.X.X – address of the router interface with a public IP.
Configuration of IPsec policy and proposal
[R] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T group=group1 src-address=X.X.X.X/32 dst-address=Y.Y.Y.Y/32 protocol=all
proposal=test template=yes
[R] > ip ipsec proposal print
Flags: X - disabled, * - default
0 name="test" auth-algorithms=md5,sha1 enc-algorithms=3des lifetime=30m pfs-group=none
I get these messages when I enable the connection:
may/11 15:34:56 ipsec,error phase1 negotiation failed due to time up X.X.X.X [500]<=> Y.Y.Y.Y [500] 0122bb7d6c8274fb:8086b42dee24db7b
may/11 15:35:16 l2tp,ppp,info l2tp-out1: terminating... - session closed
may/11 15:35:16 l2tp,ppp,info l2tp-out1: disconnected
may/11 15:35:26 l2tp,ppp,info l2tp-out1: initializing...
may/11 15:35:26 l2tp,ppp,info l2tp-out1: connecting...
may/11 15:35:50 l2tp,ppp,info l2tp-out1: terminating... - session closed
may/11 15:35:50 l2tp,ppp,info l2tp-out1: disconnected
may/11 15:36:00 l2tp,ppp,info l2tp-out1: initializing...
may/11 15:36:00 l2tp,ppp,info l2tp-out1: connecting...
Can anybody help?
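As an added example (not part of the post, and not MikroTik code), here is a small Python checker that parses the RouterOS "print" output and log lines shown above and compares the client's IPsec settings with the phase 1 and phase 2 parameters the post says the server requires. The sample inputs are constructed from the post's own output (with its X.X.X.X / Y.Y.Y.Y placeholders kept); the mapping of "DH group 2 (1024 bit)" to modp1024 is the standard IKE group 2 definition. It flags certificate names the peer references that are not present in the certificate store, algorithm mismatches, and the phase 1 timeout message; which of these is the actual cause here is not something the post settles.

```python
import re
from typing import Dict, List, Set, Tuple

# Key=value tokens as printed by RouterOS, e.g. name="l2tp-out1" or dh-group=modp1024.
KV_RE = re.compile(r'([A-Za-z0-9_-]+)=("[^"]*"|\S*)')
# RouterOS log line: "<date> <time> <topic,topic> <message>".
LOG_RE = re.compile(r'^(\S+ \d\d:\d\d:\d\d) ([\w,]+) (.*)$')


def parse_print(text: str) -> Dict[str, str]:
    """Turn the key=value tokens of one 'print' item into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def csv_set(value: str) -> Set[str]:
    """Algorithm lists are comma separated, e.g. enc-algorithm=3des,aes-256."""
    return {x for x in value.split(",") if x}


def parse_cert_names(table: str) -> Set[str]:
    """Names from '/certificate print': numbered rows, single-letter flags, then NAME."""
    names = set()
    for line in table.splitlines():
        tok = line.split()
        if not tok or not tok[0].isdigit():
            continue  # header / flag legend lines
        for t in tok[1:]:
            if not (len(t) == 1 and t.isupper()):  # first non-flag token is the name
                names.add(t)
                break
    return names


def parse_log(lines: List[str]) -> List[dict]:
    out = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            out.append({"time": m.group(1), "topics": set(m.group(2).split(",")), "msg": m.group(3)})
    return out


def check_config(peer, proposal, cert_names, server_p1, server_p2, log) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings; an empty list means nothing obviously inconsistent."""
    findings = []
    # Certificates referenced by the peer must exist under that exact name in the store.
    for key in ("certificate", "remote-certificate"):
        name = peer.get(key, "")
        if name and name not in cert_names:
            findings.append(("CERT-MISSING", f"peer {key}={name} is not in the certificate store"))
    # Phase 1 (IKE SA): the server's choice must be among what the client offers.
    p1 = {"enc": "enc-algorithm", "hash": "hash-algorithm", "dh": "dh-group"}
    for want, key in p1.items():
        if server_p1[want] not in csv_set(peer.get(key, "")):
            findings.append(("P1-ALG", f"server wants {server_p1[want]}, peer {key}={peer.get(key)}"))
    # Phase 2 (IPsec SA): same check against the proposal used by the policy template.
    p2 = {"enc": "enc-algorithms", "auth": "auth-algorithms"}
    for want, key in p2.items():
        if server_p2[want] not in csv_set(proposal.get(key, "")):
            findings.append(("P2-ALG", f"server wants {server_p2[want]}, proposal {key}={proposal.get(key)}"))
    # Log evidence: "time up" means no usable phase 1 reply arrived before the timer expired.
    for e in log:
        if "ipsec" in e["topics"] and e["msg"].startswith("phase1 negotiation failed due to time up"):
            findings.append(("P1-TIMEOUT", f"{e['time']}: phase 1 timed out; verify UDP/500 reachability "
                                           "from local-address and that the server accepts this certificate"))
            break
    return findings


# --- constructed sample input, copied from the post with spacing cleaned up ---
CERT_PRINT = """Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority,
     I - issued, R - revoked, E - expired, T - trusted
 #   NAME   COMMON-NAME   SUBJECT-ALT-NAME   FINGERPRINT
 0 K L T   c_1    USER    srf334fd34f34f3...
 1   A T   ca_2   323rf34f43rf4f...
"""
PEER_PRINT = ("address=Y.Y.Y.Y/32 local-address=X.X.X.X passive=no port=500 auth-method=rsa-signature "
              "certificate=cert_1 remote-certificate=ca_2 generate-policy=no policy-template-group=group1 "
              "exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=no hash-algorithm=sha1 "
              "enc-algorithm=des,3des,aes-128,aes-256 dh-group=modp1024 lifetime=1d dpd-interval=2m")
PROPOSAL_PRINT = 'name="test" auth-algorithms=md5,sha1 enc-algorithms=3des lifetime=30m pfs-group=none'
LOG_LINES = [
    "may/11 15:34:56 ipsec,error phase1 negotiation failed due to time up X.X.X.X [500]<=> Y.Y.Y.Y [500] 0122bb7d6c8274fb:8086b42dee24db7b",
    "may/11 15:35:16 l2tp,ppp,info l2tp-out1: terminating... - session closed",
]
# Server requirements as stated in the post (IKE group 2 = modp1024).
SERVER_PHASE1 = {"enc": "aes-256", "hash": "sha1", "dh": "modp1024"}
SERVER_PHASE2 = {"enc": "3des", "auth": "sha1"}


def run_example() -> List[Tuple[str, str]]:
    return check_config(parse_print(PEER_PRINT), parse_print(PROPOSAL_PRINT),
                        parse_cert_names(CERT_PRINT), SERVER_PHASE1, SERVER_PHASE2, parse_log(LOG_LINES))


if __name__ == "__main__":
    for code, msg in run_example():
        print(f"{code}: {msg}")
```

On the post's values the algorithm checks pass for both phases, while the checker reports that the peer refers to a certificate name that does not appear in the certificate store and that phase 1 timed out; the same parsers can be pointed at a full "export" of a router to repeat the comparison after any change.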