1st, here's the design;
Okay, here's the configuration;
1st
Set up the L2TP daemon settings
-->
config vpn l2tp
    set eip 10.100.101.4
    set sip 10.100.101.1
    set status enable
    set usrgrp "Roadwarriors"
end
The user group Roadwarriors restricts L2TP access to its members; only the accounts listed in it can log in over L2TP.
show user group Roadwarriors
config user group
    edit "Roadwarriors"
        set member "kfelix" "Jill" "Mike" "Louis" "Rey" "Alan"
    next
end
2nd
Now we go for the fun part: we craft our IPsec phase1 and phase2 settings;
-->
config vpn ipsec phase1
    edit "l2tp_dialupRA01"
        set type dynamic
        set interface "EXT_NET01"
        set dhgrp 2
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set psksecret mysecuredpsk_make_a_strong_key
    next
end
and
config vpn ipsec phase2
    edit "l2tp_dialupRA01p2p2"
        set encapsulation transport-mode
        set pfs disable
        set phase1name "l2tp_dialupRA01"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set keylifeseconds 3600
    next
end
Key points to take away up to this point;
- L2TP uses transport-mode rather than tunnel-mode for IPsec
- For Windows/Mac/iPhone/Android clients, the crypto proposals aes256-md5 and 3des-sha1 are supported
- disable PFS
- create an address pool big enough to cover your needs, growth and the users
- place the users that you want to have access in a group ( user group )
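As an added example (not code from the original post), here is a small lint of the L2TP-over-IPsec settings against the key points above. It parses the FortiOS config/edit/set/next/end syntax into a dict and then checks transport-mode, PFS disabled, client-compatible proposals on both phases, that the L2TP daemon is bound to a user group that actually exists, and that the address pool is large enough for that group. The sample configuration is constructed from the post (with a placeholder PSK); the assumption that every address from sip to eip inclusive is handed out to clients, and the check names, are mine. With the post's own values (sip .1, eip .4, six group members) the pool check fails, which is exactly what the fourth key point warns about.

```python
# Added example (not from the original post): lint FortiOS L2TP/IPsec settings
# against the checklist: transport-mode, PFS off, client proposals, user group
# bound and existing, and an address pool that covers the group.
import ipaddress
import shlex

# Constructed sample: the post's configuration with a placeholder PSK.
SAMPLE_CONFIG = """
config vpn l2tp
    set eip 10.100.101.4
    set sip 10.100.101.1
    set status enable
    set usrgrp "Roadwarriors"
end
config user group
    edit "Roadwarriors"
        set member "kfelix" "Jill" "Mike" "Louis" "Rey" "Alan"
    next
end
config vpn ipsec phase1
    edit "l2tp_dialupRA01"
        set type dynamic
        set interface "EXT_NET01"
        set dhgrp 2
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set psksecret PLACEHOLDER_PSK
    next
end
config vpn ipsec phase2
    edit "l2tp_dialupRA01p2p2"
        set encapsulation transport-mode
        set pfs disable
        set phase1name "l2tp_dialupRA01"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set keylifeseconds 3600
    next
end
"""

# Proposals the post reports as working with the built-in
# Windows/macOS/iPhone/Android clients.
CLIENT_PROPOSALS = {"aes256-md5", "3des-sha1"}


def parse_fortios(text):
    """Return {section: {entry: {key: [values]}}}; sections with no
    'edit' (such as 'vpn l2tp') keep their settings under entry None."""
    tree, section, entry = {}, None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            section, entry = " ".join(args), None
            tree.setdefault(section, {})
        elif cmd == "edit":
            entry = args[0]
            tree[section].setdefault(entry, {})
        elif cmd == "set":
            tree[section].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            section, entry = None, None
    return tree


def lint(tree):
    """Return {check_name: (ok, detail)} for the key points."""
    out = {}
    p1s = tree.get("vpn ipsec phase1", {})
    for name, p2 in tree.get("vpn ipsec phase2", {}).items():
        enc = p2.get("encapsulation", ["tunnel-mode"])[0]  # FortiOS default is tunnel-mode
        out["transport-mode:" + name] = (enc == "transport-mode", enc)
        pfs = p2.get("pfs", ["enable"])[0]  # FortiOS default is PFS on
        out["pfs-disabled:" + name] = (pfs == "disable", pfs)
        p1name = p2.get("phase1name", [""])[0]
        out["phase1-exists:" + name] = (p1name in p1s, p1name)
        for label, obj in (("p2:" + name, p2), ("p1:" + p1name, p1s.get(p1name, {}))):
            props = set(obj.get("proposal", []))
            out["client-proposal:" + label] = (bool(props & CLIENT_PROPOSALS), " ".join(sorted(props)))
    l2tp = tree.get("vpn l2tp", {}).get(None, {})
    groups = tree.get("user group", {})
    grp = l2tp.get("usrgrp", [None])[0]
    out["usrgrp-exists"] = (grp in groups, grp)
    members = groups.get(grp, {}).get("member", [])
    # Assumption: every address from sip to eip inclusive is handed to a client.
    first = ipaddress.ip_address(l2tp["sip"][0])
    last = ipaddress.ip_address(l2tp["eip"][0])
    pool = int(last) - int(first) + 1
    out["pool-covers-group"] = (pool >= len(members), f"pool={pool} members={len(members)}")
    return out


def lint_text(text):
    """Convenience wrapper: parse and lint in one call."""
    return lint(parse_fortios(text))


if __name__ == "__main__":
    for check, (ok, detail) in lint_text(SAMPLE_CONFIG).items():
        print("PASS" if ok else "FAIL", check, detail)
```

Paste the output of `show vpn l2tp`, `show user group`, `show vpn ipsec phase1` and `show vpn ipsec phase2` into SAMPLE_CONFIG (or feed a file to lint_text) to run the same checks against a live box.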
3rd
We now must craft a firewall policy.
NOTE: I crafted a firewall address for my L2TP range
Okay, now that you have the basic configuration in place, we can give it a try. In this example I'm using my Mac OS X client. The user kfelix@blahblah was crafted as a local user on the FortiGate.
To troubleshoot;
- make sure your username and password are correct
- make sure the server specified in the client configuration is correct ( correct ip_addr/hostname/etc )
- ensure you typed the PSK correctly
- use the following diag debug cmds on the FortiGate
-->
fw01 # diag debug application l2tp 255
fw01 # diag debug en
fw01 # diag debug console
When an end user authenticates and is assigned an address, the debug output will show you the following;
-->
L2TPD 97: 179:Connection established to 172.98.122.155, 51942. Local: 1, Remote: 8.
L2TPD 29: 166:Starting call (launching pppd, opening GRE)
L2TPD 25: 334:Client 172.98.122.155 control connection started (id 1), assigned ip 10.100.101.2
NOTE: your diag vpn tunnel list will have an entry that correlates to the client's address
diag vpn tunnel list name l2tp_dialupRA01_0
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=l2tp_dialupRA01_0 ver=1 serial=c X.X.X.2:4500->X.X.X.155:1205 lgwy=static tun=tunnel mode=dial_inst bound_if=27
parent=l2tp_dialupRA01 index=0
proxyid_num=1 child_num=0 refcnt=8 ilast=0 olast=0
stat: rxp=252 txp=126 rxb=42992 txb=12309
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=7
natt: mode=silent draft=32 interval=10 remote_port=1205
proxyid=l2tp_dialupRA01p2p2 proto=17 sa=1 ref=2 auto_negotiate=0 serial=1 transport-mode
  src: 17:X.X.X.2-X.X.X.2:1701
  dst: 17:X.X.X.155-X.X.X.155:51942
  SA: ref=4 options=00000006 type=00 soft=0 mtu=1424 expire=3415 replaywin=2048 seqno=7f
  life: type=01 bytes=0/0 timeout=3590/3600
  dec: spi=e17a8329 esp=aes key=32 cfed5ed6d2f7c3934b172c2ca6572a16a1db68d5d135220ed73a032a43fb39c9
       ah=md5 key=16 dce803b15318bd87822d05c7edd87db0
  enc: spi=05604708 esp=aes key=32 ad8c14dee466147f9fa1f8ba313693a2f0c342eb46f911016f4d7cf03dca556a
       ah=md5 key=16 8793434295200d87885aab46505d38be
  npu_flag=00 npu_rgwy=X.X.X.155 npu_lgwy=X.X.X.2 npu_selid=b
  dec:pkts/bytes=252/24811, enc:pkts/bytes=126/18976
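The correlation described in the NOTE above, as an added example that is not part of the original post: it pulls the client address and assigned pool address out of the L2TPD debug lines, parses the key=value layout of the `diag vpn tunnel list` entry, and confirms the session has the shape the post describes (a dial-up child of the L2TP phase1, proxyid equal to the phase2 name, transport-mode, UDP/1701 selectors, DPD active, and a tunnel peer that is the same client the daemon reported). The sample output is constructed from the post with the real and masked addresses replaced by documentation addresses and the key material left out; the check names and the IPv4-only selector parsing are my assumptions.

```python
# Added example (not from the original post): correlate L2TPD debug lines with
# the matching 'diag vpn tunnel list' entry and check the session's shape.
import re

# Constructed sample: the post's output with documentation addresses
# substituted and the dec/enc key lines omitted.
L2TPD_LOG = """\
L2TPD 97: 179:Connection established to 203.0.113.155, 51942. Local: 1, Remote: 8.
L2TPD 29: 166:Starting call (launching pppd, opening GRE)
L2TPD 25: 334:Client 203.0.113.155 control connection started (id 1), assigned ip 10.100.101.2
"""

TUNNEL_LIST = """\
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=l2tp_dialupRA01_0 ver=1 serial=c 198.51.100.2:4500->203.0.113.155:1205 lgwy=static tun=tunnel mode=dial_inst bound_if=27
parent=l2tp_dialupRA01 index=0
proxyid_num=1 child_num=0 refcnt=8 ilast=0 olast=0
stat: rxp=252 txp=126 rxb=42992 txb=12309
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=7
natt: mode=silent draft=32 interval=10 remote_port=1205
proxyid=l2tp_dialupRA01p2p2 proto=17 sa=1 ref=2 auto_negotiate=0 serial=1 transport-mode
  src: 17:198.51.100.2-198.51.100.2:1701
  dst: 17:203.0.113.155-203.0.113.155:51942
  SA: ref=4 options=00000006 type=00 soft=0 mtu=1424 expire=3415 replaywin=2048 seqno=7f
  life: type=01 bytes=0/0 timeout=3590/3600
"""

CLIENT_RE = re.compile(
    r"Client (\S+) control connection started \(id (\d+)\), assigned ip (\S+)")
PEER_RE = re.compile(r"(\S+):(\d+)->(\S+):(\d+)")


def parse_l2tpd(log):
    """Pull client address, call id and assigned pool address from the
    L2TPD 'Client ... assigned ip' line; None if no client got that far."""
    m = CLIENT_RE.search(log)
    if not m:
        return None
    return {"client": m.group(1), "id": int(m.group(2)), "assigned_ip": m.group(3)}


def parse_tunnel_list(text):
    """Parse one 'diag vpn tunnel list' entry. key=value tokens are stored
    under their line label ('tunnel' when unlabelled, else 'stat', 'dpd',
    ...); bare words such as transport-mode go into 'flags'; src/dst
    selectors ('proto:lo-hi:port', IPv4 assumed) are decoded separately."""
    info = {"flags": set(), "selectors": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line or ("=" not in line and not line.startswith(("src:", "dst:"))):
            continue
        head, _, rest = line.partition(" ")
        group = "tunnel"
        if head.endswith(":"):
            group, line = head[:-1], rest
        if group in ("src", "dst"):
            proto, addrs, port = line.split(":")
            lo, hi = addrs.split("-")
            info["selectors"][group] = {"proto": int(proto), "lo": lo, "hi": hi, "port": int(port)}
            continue
        bucket = info.setdefault(group, {})
        for tok in line.split():
            key, eq, val = tok.partition("=")
            if eq:
                bucket.setdefault(key, val)  # first wins: 'serial=' appears twice
            else:
                info["flags"].add(tok)
    peer = PEER_RE.search(text)  # 'local:port->peer:port' on the name= line
    if peer:
        info["local"], info["peer"] = peer.group(1), peer.group(3)
    return info


def check_session(log, listing, phase1="l2tp_dialupRA01", phase2="l2tp_dialupRA01p2p2"):
    """Return the correlated client, the tunnel name and named pass/fail checks."""
    client = parse_l2tpd(log)
    tun = parse_tunnel_list(listing)
    t, sel = tun.get("tunnel", {}), tun["selectors"]
    checks = {
        "dialup-child-of-phase1": t.get("parent") == phase1 and t.get("mode") == "dial_inst",
        "proxyid-is-phase2": t.get("proxyid") == phase2,
        "transport-mode": "transport-mode" in tun["flags"],
        "selector-is-udp-1701": sel.get("src", {}).get("proto") == 17 and sel["src"]["port"] == 1701,
        "peer-is-l2tp-client": client is not None
        and tun.get("peer") == client["client"] == sel.get("dst", {}).get("lo"),
        "dpd-active": tun.get("dpd", {}).get("mode") == "active",
    }
    return {"client": client, "tunnel": t.get("name"), "checks": checks}


if __name__ == "__main__":
    result = check_session(L2TPD_LOG, TUNNEL_LIST)
    print(result["client"], result["tunnel"])
    for name, ok in result["checks"].items():
        print("PASS" if ok else "FAIL", name)
```

Paste your own `diag debug application l2tp 255` output and the matching `diag vpn tunnel list name <phase1>_<n>` entry into the two strings; a mismatch between the client address the daemon reports and the tunnel's dst selector is the first thing to look at when a user authenticates but gets no traffic.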
I hope this post helps you with your L2TP configurations and with FortiGate firewalls.
Ken Felix
Freelance Network & Security Engineer
kfelix at hyperfeed . com
Hello Ken, what I found out is that creating only the L2TP configuration allows the L2TP client to connect without even adding the IPsec portion and any policy. I'm able to ping the L2TP client from one of the internal servers and honestly, that makes no sense to me. Any help would be really appreciated.