I am trying to set up an L2TP server with IPsec encryption for multiple clients with dynamic IPs.
The first client was easy, but now there is one thing I do not understand:
/interface l2tp-server server
set default-profile=default enabled=yes ipsec-secret=XXXXX use-ipsec=required
I can only set the IPsec secret for the whole server. How is it possible to use different IPsec keys for every L2TP peer?
It is only possible if each L2TP client connects from an IP address or subnet different from all the other L2TP clients’ addresses/subnets. In such a case, you can define an individual IPsec peer for each such client manually and let a common l2tp-server use all of them instead of the one it creates dynamically if you configure it with use-ipsec=yes or required.
If it is not the case, all the clients share the same IPsec pre-shared key, and only differ by individual username and password.
But how can I define the IPsec peer manually, as the IPs are dynamic? The “automatically created” IPsec policy from L2TP is created with the current IP of the peer…
If the clients’ IP addresses are dynamic, the second case applies - you cannot have an individual IPsec pre-shared key per client. Only the L2TP passwords can be individual.
This one should work, but I have never tested that myself. And not every OS seems to have a native client supporting IKEv2. You can invalidate the certificates individually by placing them on a Certificate Revocation List, so if one of the clients gets compromised, you invalidate its certificate and the server won’t accept the connection.
Security-wise I have not enough information to build an opinion.
Network-wise, use of TCP to transport TCP is always a bad idea; imagine what happens if a transport (encrypted) packet gets lost. Without packet loss, and if you don’t need to transport e.g. VoIP, it should be fine.
Changing IPs at one end is the same issue or non-issue regardless of whether you use L2TP over IPsec or plain IPsec. You configure the peer with 0.0.0.0 as remote address on the machine which has fixed addresses and it works.
As you talk about multi-WAN environment, I assume you are going to have routers as both the clients and the server. In such case, I would build one IPsec connection in transport mode via each pair of WANs (or, if you are afraid of more than one WAN to be down, a full mesh), and use GRE or IPIP tunnels on top of these two or four IPsec connections. The tunnels create virtual interfaces so you can use normal routing and normal failover methods as IPsec policies don’t interfere if done this way.
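The layout described in the last two replies (transport-mode IPsec between a pair of WAN addresses, a GRE tunnel on top, and 0.0.0.0/0 as the remote address on the side whose peer has a dynamic IP), written out as an added RouterOS v6.43+ configuration example. This is not config from the thread or from MikroTik documentation; the addresses (198.51.100.1 for router A, 203.0.113.2 for router B) are constructed TEST-NET values, and the names gre-A-B, peer-B and ipsec-gre are arbitrary. It shows one WAN pair on router A; router B mirrors it with the addresses swapped, and each additional WAN pair repeats the same four sections with its own addresses and interface name.

```routeros
# Router A, one IPsec transport-mode connection for one WAN pair.
# Constructed addresses: A's WAN1 = 198.51.100.1, B's WAN1 = 203.0.113.2.

# 1. IPsec peer (IKE endpoint) and its pre-shared key.
#    If B had a dynamic address, A (the fixed side) would instead use
#    address=0.0.0.0/0 passive=yes so that only B can initiate.
/ip ipsec peer
add name=peer-B address=203.0.113.2/32 exchange-mode=ike2 comment="to router B via WAN1"
/ip ipsec identity
add peer=peer-B auth-method=pre-shared-key secret="ReplaceWithLongRandomSecret"

# 2. Phase-2 proposal: AES-256-GCM only, with PFS.
/ip ipsec proposal
add name=ipsec-gre auth-algorithms=null enc-algorithms=aes-256-gcm pfs-group=ecp256

# 3. Transport-mode policy that encrypts only GRE (protocol 47) between the
#    two WAN addresses. Because it is transport mode and matches only the
#    tunnel packets, it does not interfere with any other routing decision.
/ip ipsec policy
add peer=peer-B tunnel=no src-address=198.51.100.1/32 dst-address=203.0.113.2/32 \
    protocol=gre action=encrypt level=require ipsec-protocols=esp proposal=ipsec-gre

# 4. GRE tunnel riding on that IPsec connection; keepalive lets the interface
#    go down when the path fails, so normal routing failover can react.
/interface gre
add name=gre-A-B local-address=198.51.100.1 remote-address=203.0.113.2 keepalive=10s,10
/ip address
add address=10.255.0.1/30 interface=gre-A-B comment="tunnel transit net, constructed"

# Router B: same blocks with src/dst, local/remote swapped, the same secret,
# and address=10.255.0.2/30 on its gre interface. Routes (static or OSPF)
# then point at the gre interfaces, with a second tunnel over the other WAN
# pair as the backup path.
```

The point of matching only protocol=gre in the policy is that the IPsec layer never has to know which prefixes are reachable on the far side; that stays a routing question, decided per GRE interface, which is what makes failover between the two or four tunnels behave like ordinary interface failover.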