
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

Category:Incoming L2TP: Difference between revisions

= Some notes from customers setting up L2TP in to AAISP =
 
== FireBrick FB2500/2700 Fully Loaded ==
 
The FireBrick can connect as an L2TP client for fallback and for its main connection. One thing to watch out for is making sure that the FB doesn't set its own gateway to be the tunnel (which would logically send tunnel packets up the tunnel, which is horrid). You can get around this by using separate routing tables.
 
This example is for L2TP being the main connection:
 
<pre>
<interface name="WAN"
           port="WAN1"
           table="1"
           comment="DHCP client">

<l2tp>
  <outgoing name="AAISP"
            ip="90.155.53.19"
            graph="AAISP"
            table="1"
            payload-table="0"
            username="example@a"
            password="secret"
            tcp-mss-fix="true"
            comment="L2TP tunnel to AAISP"/>
</l2tp>
</pre>
 
You can configure a fallback to NAT if the tunnel is down. Traffic on routing table 0 won't have a default gateway while the L2TP is down, so it will match this rule set, whose target interface is "nowhere":
 
<pre>
<rule-set name="Fallback"
          target-interface="nowhere"
          no-match-action="continue"
          comment="NAT fallback if can't establish L2TP">
  <rule name="NAT"
        set-nat="true"
        set-table="1"
        action="accept"/>
</rule-set>
</pre>
 
If the L2TP is being used for fallback, you are probably better off setting the routing table for the L2TP to something other than 0. Remember that firewall rules only apply within a single routing table.
 
== RouterBoard ==
 
Connecting to L2TP with a RouterBoard was pretty seamless - put in the L2TP server IP, username and password and it just connects. Have to mess about with IP / Route and NAT / masquerading a bit to get devices behind the RouterBoard online but that all depends on whether you have an additional IP block and what you want to do with it anyway.
 
==Apple OSX==
An Apple computer can be used to create an L2TP connection in to AAISP, here's how:
 
*Apple Menu - Settings - Network
*Click the + Icon
*Create a new VPN Interface with Type L2TP over IPSec
[[File:l2tp-osx-newconnection.png]]
*In the Authentication settings set the Password
*For ease of use, tick 'Show VPN status in menu bar'
*Optionally, in the Advanced settings, tick 'Send all traffic over VPN connection'
*Then Connect
[[File:l2tp-osx-connected.png]]
*To Disconnect, click Disconnect
 
You can use the new icon in the status bar (up by the clock) to connect and disconnect the connection.
 
[[File:l2tp-osx-ipsecmenu.png]]
 
===VPN Connection - IPsec Error===
Use this at your own risk. The notes below involve editing/creating system files, and whilst they 'worked for us' they may not work for you.
 
By default, OSX requires the L2TP connection to use IPSec encryption. At the moment the AAISP service is just plain L2TP and does not offer encryption.
 
[[File:L2tp-osx-ipsecerror.png]]
 
To enable OSX to connect without IPSec, the /etc/ppp/options file needs to be edited. A simple way of doing this is as follows:
 
#Use the Search icon to search for Terminal
[[File:osx-finding-terminal.png]]
 
and then enter:

<pre>
echo "plugin L2TP.ppp" > options
echo "l2tpnoipsec" >> options
sudo mv options /etc/ppp
</pre>
 
If the mv (move) fails, then you may already have a /etc/ppp/options file, in this case it would need to be edited manually.
 
To undo this change delete the /etc/ppp/options file.
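The page's three-line recipe fails when /etc/ppp/options already exists and then needs manual editing. The following POSIX shell functions are an added example (not part of the wiki notes) that covers both cases: they add the two options only if they are not already present, so the script can be re-run safely, and can remove just those two lines again for the case where the file also carries other options you want to keep. The file path is a parameter so the functions can be tried on a scratch copy first; for the real file run them with sudo against /etc/ppp/options.

```shell
#!/bin/sh
# Added example, not from the wiki page. Adds the two pppd options the page
# names ("plugin L2TP.ppp" and "l2tpnoipsec") to an options file, creating the
# file if it is missing and leaving any existing lines untouched.
ensure_l2tp_noipsec_options() {
    file="$1"
    [ -n "$file" ] || { echo "usage: ensure_l2tp_noipsec_options <path>" >&2; return 1; }
    [ -f "$file" ] || : > "$file"          # create an empty file if missing
    for opt in "plugin L2TP.ppp" "l2tpnoipsec"; do
        # grep -qxF: whole-line, fixed-string match, so a line such as
        # "# l2tpnoipsec" (commented out) does not count as present
        if ! grep -qxF "$opt" "$file"; then
            printf '%s\n' "$opt" >> "$file"
        fi
    done
}

# Reverse of the above: remove exactly those two lines. The page's undo step
# (delete the whole file) is fine when the file held nothing else; this keeps
# any other options that were already there.
remove_l2tp_noipsec_options() {
    file="$1"
    [ -f "$file" ] || return 0
    tmp="$file.tmp.$$"
    # grep -v exits 1 when no lines are left, which is not an error here
    grep -vxF -e "plugin L2TP.ppp" -e "l2tpnoipsec" "$file" > "$tmp" || true
    mv "$tmp" "$file"
}
```

Usage: `ensure_l2tp_noipsec_options /tmp/options-test` to try it on a scratch file, then `sudo sh -c '. ./l2tp-options.sh; ensure_l2tp_noipsec_options /etc/ppp/options'` for the real file (the script name is an assumption). Note that the change removes the IPsec layer from the VPN connection, exactly as the page's manual recipe does; it only makes the edit idempotent.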
 
== Windows 7 ==
 
Connecting with Windoze 7 was almost as easy except that the default connection settings don't work. You have to edit the connection properties and on the Security tab change 'Type of VPN:' to 'Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)' otherwise it only tries PPTP, and change 'Data encryption:' to 'Optional encryption (connect even if no encryption)' as it doesn't like A+A's certificate (because RevK declines to use a root certification authority recognised by Microsoft, or is it that Microsoft declines to recognise the root certification authority chosen by RevK). I guess the alternative would probably be to add the root certificate to the machine in question. Anyway, with those two changes it works fine.
 
Watch out if you are using [[IPv6]]. It seems that Win7 negotiates a non-routable [[IPv6]] address with the LNS. You have to discard this address and manually configure one of your routed [[IPv6]] addresses. <code>ipconfig /release6</code> is your friend here.
 
== Cisco Routers ==
If you get stuck, pop into the IRC channel and see if I'm around (basil_uk) and I'll help if possible.
 
== OpenWRT ==
 
I'll give details about doing things without LuCI - if you want to do it through the web UI, it should be obvious from the text config what you need to twiddle.
 
Tested with the following package versions -
 
<pre>
kmod-l2tp          - 3.18.10-1
kmod-l2tp-eth      - 3.18.10-1
kmod-l2tp-ip       - 3.18.10-1
kmod-pppol2tp      - 3.18.10-1
ppp-mod-pppol2tp   - 2.4.7-5
xl2tpd             - 1.3.6-5619e1771048e74b729804e8602f409af0f3faea
luci-proto-ipv6    - git-15.090.50849-576e235-1
luci-proto-ppp     - git-15.090.50849-576e235-1
</pre>
 
You'll first need to create a static route for <code>l2tp.aa.net.uk</code> via your bulk interface (usually <code>wan</code>) in <code>/etc/config/network</code> -
 
<pre>
config route
	option interface 'wan'
	option target '90.155.53.19'
</pre>
 
Then add the tunnel to <code>/etc/config/network</code> - note that even though we enable IPv6 here, the interface won't get an IPv6 address. Fear not, we can fix that in a minute.
 
<pre>
config interface 'aaisp'
	option proto 'l2tp'
	option server 'l2tp.aa.net.uk'
	option username 'yourusername@a'
	option password 'YOURPASSWORD'
	option ipv6 '1'
	option peerdns '0'
	option metric '50'
</pre>
 
Next let's configure DHCPv6 over the tunnel interface since PPP IPV6CP doesn't seem to work properly. Again in <code>/etc/config/network</code> - edit to taste if you don't want to gobble up your entire /48. Though this shows as a separate interface in OpenWRT-land, they'll both assign addresses to the same underlying interface, 'l2tp-aaisp'.
 
<pre>
config interface 'aaisp6'
	option proto 'dhcpv6'
	option reqprefix '48'
	option peerdns '0'
	option _orig_ifname 'aaisp'
	option _orig_bridge 'false'
	option ifname 'l2tp-aaisp'
	option reqaddress 'force'
</pre>
 
Now we have -
 
* All IPv4 traffic going out of our bulk WAN interface (metric 0)
* The L2TP tunnel has its default gateway set, but unused (metric 50)
* All IPv6 traffic going out of the tunnel (haven't tested what would happen if your bulk interface was also IPv6 capable)
* DNS unchanged from original setup (I use dnscrypt-proxy and some REDIRECT iptables plumbing to secure DNS query traffic)
 
Next steps
 
* iptables PREROUTING rules to mark traffic that should egress via the tunnel
* iproute2 magic to route the marked traffic properly
* a painful sense of irony that we're dodging nasty shaping and filtering on our bulk interface only to do it ourselves
* a really sweet hat
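The first two "next steps" (mark selected traffic in PREROUTING, then policy-route the marked traffic out of the tunnel) are left open above. The script below is an added example, not daveio's configuration: it marks packets from one LAN source with a firewall mark, adds an <code>ip rule</code> that sends marked packets to a dedicated routing table, and puts a single default route via the page's <code>l2tp-aaisp</code> interface in that table. The mark value (0x1), table number (100), the example LAN host and the function names are assumptions; the interface name is the page's. It defaults to a dry run that prints the commands so they can be reviewed before being run as root on the router.

```shell
#!/bin/sh
# Added example (not from the wiki page): policy-route marked LAN traffic via
# the L2TP tunnel. Interface name is from the page; mark, table and the LAN
# source used in the test are assumptions.
TUN_IF="${TUN_IF:-l2tp-aaisp}"
FWMARK="${FWMARK:-0x1}"
RT_TABLE="${RT_TABLE:-100}"
DRY_RUN="${DRY_RUN:-1}"      # 1 = print the commands, 0 = execute them (root)

# run: execute a command, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Mark packets from one source address/CIDR and route anything marked via the
# tunnel. The tunnel endpoint (90.155.53.19) is deliberately NOT added to the
# tunnel table: it must stay reachable via the bulk WAN, which the static
# route in the page's /etc/config/network already arranges.
setup_tunnel_policy_routing() {
    src="$1"
    [ -n "$src" ] || { echo "usage: setup_tunnel_policy_routing <src-ip-or-cidr>" >&2; return 1; }
    # 1. mangle/PREROUTING: tag packets from $src with the firewall mark
    run iptables -t mangle -A PREROUTING -s "$src" -j MARK --set-mark "$FWMARK"
    # 2. policy rule: marked packets consult the dedicated routing table
    run ip rule add fwmark "$FWMARK" lookup "$RT_TABLE"
    # 3. that table holds one route only: default via the PPP interface
    run ip route add default dev "$TUN_IF" table "$RT_TABLE"
}

# Undo in reverse order so a partial teardown leaves no dangling rule.
teardown_tunnel_policy_routing() {
    src="$1"
    [ -n "$src" ] || return 1
    run ip route del default dev "$TUN_IF" table "$RT_TABLE"
    run ip rule del fwmark "$FWMARK" lookup "$RT_TABLE"
    run iptables -t mangle -D PREROUTING -s "$src" -j MARK --set-mark "$FWMARK"
}
```

Usage: `DRY_RUN=1 sh -c '. ./tunnel-policy.sh; setup_tunnel_policy_routing 192.168.1.50'` prints the three commands; run with `DRY_RUN=0` as root to apply them (script name and host address are assumptions). Two things to check afterwards: replies for marked flows come back over the tunnel, so strict reverse-path filtering (<code>rp_filter=1</code>) on the WAN interface can drop them, and the tunnel table only exists once <code>l2tp-aaisp</code> is up, so the route step belongs in a hotplug/ifup hook rather than in a boot script.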
 
Prod me (<code>daveio</code>) on IRC if you have trouble, I'll try to assist if I'm around.
 
== Linux / xl2tpd ==
 
<ol>
<li>Ensure the following kernel options are set or the corresponding modules are available:
<ol>
<li><code>CONFIG_PPPOL2TP</code></li>
<li><code>CONFIG_L2TP</code></li>
</ol></li>
<li>Install xl2tpd and pppd on your Linux router.</li>
<li>Edit <code>/etc/xl2tpd/xl2tpd.conf</code> to contain the following:<br />
<code>[lac aaisp]<br />
lns = l2tp.aa.net.uk<br />
require authentication = no<br />
pppoptfile = /etc/ppp/options.aaisp</code></li>
<li>Create <code>/etc/ppp/options.aaisp</code> containing the following (obviously change the name and password to match your L2TP login details):<br />
<code>+ipv6<br />
ipv6cp-use-ipaddr<br />
name xyz@a.X<br />
password Your_xyz@A.X_password<br />
noauth</code></li>
<li>Create the xl2tpd control file:<br />
<code>mkdir -p /var/run/xl2tpd<br />
touch /var/run/xl2tpd/l2tp-control</code></li>
<li>Start the xl2tpd service (on systemd; use the <code>service</code> command on older init systems):<br />
<code>systemctl start xl2tpd</code></li>
<li>Tell the daemon to connect to aaisp:<br />
<code>echo "c aaisp" > /var/run/xl2tpd/l2tp-control</code></li>
</ol>
This should give you a new PPP device which encapsulates the L2TP connection.
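Steps 3 to 7 above can be scripted. The POSIX shell functions below are an added example (not from the wiki notes) that write the two files the procedure describes and then signal xl2tpd to connect. The one thing they add beyond the steps is that <code>options.aaisp</code>, which holds the L2TP password in clear, is created with mode 0600 before anything is written into it, so it is never world-readable even briefly. The base directory is a parameter so the functions can be exercised in a scratch directory; pass <code>/</code> (as root) for a real install. The section name <code>aaisp</code>, the option names and the <code>l2tp.aa.net.uk</code> endpoint are the page's; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the wiki page: generate the xl2tpd LAC section and
# the pppd options file described in the steps above, with the secrets file
# kept 0600, and a helper to ask a running xl2tpd to connect.
write_aaisp_l2tp_config() {
    [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] || {
        echo "usage: write_aaisp_l2tp_config <basedir> <user@realm> <password>" >&2
        return 1
    }
    base="${1%/}"          # "/" becomes "", so paths below start with /etc
    user="$2"; pass="$3"
    opts="$base/etc/ppp/options.aaisp"
    mkdir -p "$base/etc/xl2tpd" "$base/etc/ppp"

    cat > "$base/etc/xl2tpd/xl2tpd.conf" <<EOF
[lac aaisp]
lns = l2tp.aa.net.uk
require authentication = no
pppoptfile = $opts
EOF

    # umask 077 in a subshell: the file is created owner-only from the start
    # without changing the umask of the calling shell
    ( umask 077; cat > "$opts" <<EOF
+ipv6
ipv6cp-use-ipaddr
name $user
password $pass
noauth
EOF
    )
    chmod 600 "$opts"      # belt and braces if the file already existed
}

# Send "c aaisp" to xl2tpd's control file (steps 5 and 7 above). Fails
# clearly if the control file is absent, i.e. xl2tpd is not running or the
# mkdir/touch step was skipped.
xl2tpd_connect() {
    ctl="${1%/}/var/run/xl2tpd/l2tp-control"
    if [ ! -p "$ctl" ] && [ ! -f "$ctl" ]; then
        echo "control file $ctl missing: is xl2tpd running?" >&2
        return 1
    fi
    echo "c aaisp" > "$ctl"
}
```

Usage: `write_aaisp_l2tp_config / 'xyz@a.X' 'Your_xyz@A.X_password'` followed by `systemctl start xl2tpd` and `xl2tpd_connect /`. Passing the password on the command line puts it in shell history and, briefly, in the process list; on a multi-user router read it with <code>read -r pass</code> instead.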
 
== Other Hardware ==