- cOS Core 11.x
- Microsoft Windows 10
Topics covered in this document
- Clavister - Preparing objects used by the gateway
- Clavister - Setting up the IPsec Tunnel
- Clavister - Setting up the L2TP Tunnel
- Clavister - Setting up the User Authentication Rule
- Clavister - Setting up the Policies
- Windows 10
First of all, we need to create all the objects the gateway will use.
Preparing the Host & Networks
The first thing to do is to add all objects needed by the L2TP tunnel: the network, the IP range and an IP within that network that the L2TP clients will use. In this guide we use a range of the internal network (192.168.99.0/24).
When this is done, you should have three new objects in the Address Book; it should look something like this:
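As an added example that is not part of the Clavister guide, the following PowerShell checks that the three address-book objects are consistent with each other before they are entered in cOS Core: the inner IP and the client range must both lie inside the network, and the inner IP must not fall inside the pool handed out to clients. The network and the inner IP are the guide's values; the range bounds and the network object's name are assumptions.

```powershell
# Added example, not from the Clavister guide.
# Network and inner IP come from the guide; the range bounds are assumed for illustration.
$IPsecNet   = '192.168.99.0/24'                    # network object (name assumed)
$IPsecIp    = '192.168.99.1'                       # IPsec_ip, later used as Inner IP Address
$IPsecRange = '192.168.99.100', '192.168.99.199'   # IPsec_range, client pool (assumed bounds)

function ConvertTo-IPv4Long ([string]$Ip) {
    # Dotted quad -> 64-bit integer so the comparisons below are unsigned-safe.
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}

function Test-IPv4InNetwork ([string]$Ip, [string]$Cidr) {
    # True when $Ip shares the network prefix given by $Cidr (e.g. 192.168.99.0/24).
    $net, $prefix = $Cidr -split '/'
    $allOnes = [long][uint32]::MaxValue
    $mask = ($allOnes -shl (32 - [int]$prefix)) -band $allOnes
    return ((ConvertTo-IPv4Long $Ip) -band $mask) -eq ((ConvertTo-IPv4Long $net) -band $mask)
}

$first, $last = $IPsecRange | ForEach-Object { ConvertTo-IPv4Long $_ }
$inner = ConvertTo-IPv4Long $IPsecIp

$checks = [ordered]@{
    'inner IP lies inside the network'     = Test-IPv4InNetwork $IPsecIp $IPsecNet
    'range start lies inside the network'  = Test-IPv4InNetwork $IPsecRange[0] $IPsecNet
    'range end lies inside the network'    = Test-IPv4InNetwork $IPsecRange[1] $IPsecNet
    'range start is not after range end'   = $first -le $last
    'inner IP is outside the client pool'  = ($inner -lt $first) -or ($inner -gt $last)
}

# Print one line per check so a mismatch is caught before the L2TP server is configured.
$checks.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f $(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Key
}
```

A failing "inner IP is outside the client pool" line means a connecting client could be handed the server's own address; shrink the range or move the inner IP before continuing.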
Preparing an IKE and IPsec Proposal List
Create two new Algorithms, one for IKE and one for IPsec; this is done under Object -> VPN Objects -> IKE/IPsec Algorithms. Make sure to use AES and SHA1 to match the proposals sent by Windows. Note: The proposals sent to the Clavister vary depending on which operating system connects. For example, Android and iOS use more secure algorithms, such as SHA256. We recommend using the most secure algorithms available when connecting to the IPsec tunnel.
Preparing a new Local User Database
To authenticate the users of the L2TP tunnel, a local user database will be used; this could of course also be a RADIUS server. Create a new database under System -> Users -> Local User Databases. In this How-to a user database named L2TP will be used.
Add a few users to this database. There is no need to define groups to get L2TP up and running, but groups can later be used in the rules to set up different policies based on group membership.
Clavister - Setting up the IPsec Tunnel
Now it's time to set up the IPsec tunnel; this is done under Network -> VPN and Tunnels -> IPsec of the Security Gateway.
Name
First of all, a name is needed for the VPN connection. This virtual interface will later be used in the L2TP section.
In this example, the name IPsec_L2TP is being used.
For the encapsulation mode we use Transport, since L2TP carries the traffic and IPsec only protects the L2TP packets between the two endpoints.
This is the local address which the tunnel should accept incoming IKE/IPsec packets on. In this scenario we will use our Lan_ip.
Note: When the SGW is behind a NAT device, Local Endpoint should be all-nets, because the local ID the SGW sends will be incorrect (its private address) when it sits behind NAT.
This specifies the interface which connections are allowed on. In this scenario we only want to be able to connect from our Lan interface, so we select Lan.
The remote endpoint none is used in roaming client scenarios. The Security Gateway will send its reply to the IP address that initiated the IKE/IPsec connection instead of to a fixed gateway address. That makes it the obvious choice for roaming clients.
Here we choose our earlier created algorithms for both IKE and IPsec.
Under IKE DH Group we make sure Diffie-Hellman group 14 is selected to match the proposals from Windows.
Note: Other operating systems require different DH groups.
Authentication
As authentication method, choose X.509 Certificate. Then, in the Gateway Certificate drop-down list, select the gateway certificate you got from the CA, and select the correct Root certificate from the CA server.
Note: If you don't have a CA, you can create one using the guide we linked earlier in this How-To.
Automatic Route Creation
The Add route statically option is enabled by default. It should be disabled; this is done under the Advanced tab of the IPsec tunnel dialog.
Clavister - Setting up the L2TP Tunnel
Now it's time to set up the L2TP server; this is done under Network -> VPN and Tunnels -> PPTP/L2TP Servers of the Security Gateway.
Name
First of all, a name is needed for the L2TP interface. This virtual interface will be used later in the rules and user authentication rules sections.
In this example, the name L2TP is being used.
Inner IP Address
This IP should be part of the network from which the clients are assigned IP addresses; in this case it should be IPsec_ip (192.168.99.1).
As we are setting up an L2TP server, L2TP is selected as Tunnel Protocol.
Outer Interface Filter
This is the interface that the L2TP server will accept connections on. As IPsec is used when running L2TP from Windows 10, this is the IPsec tunnel created earlier, IPsec_L2TP.
Outer Server IP
This is the IP that the L2TP server is accepting connections on. It should be the same as the IPsec tunnel endpoint, i.e. Lan_ip.
Note! We strongly recommend that you disable all MPPE encryption when you are already using IPsec, for performance reasons.
Specify the addresses that are to be assigned to the clients. In this case use the pool created earlier, IPsec_range. You also have the option to specify up to two DNS and WINS servers.
Add Route Proxy ARP
A Proxy ARP needs to be configured for the IPs used by the L2TP clients. What we do is publish the IPs from IPsec_range on Lan, and the L2TP server will automatically route them over the L2TP interface.
Clavister - Setting up the User Authentication Rule
A user authentication rule needs to be configured as below:
Here we set the name of the rule, in this scenario we use L2TP_Auth.
We should set this to L2TP/PPTP/SSL VPN since we are using L2TP.
This needs to be the interface we want this Authentication rule to trigger on, in this case L2TP.
Here all-nets needs to be selected as the clients are roaming.
This should be the same as the Local Endpoint, in this case Lan_ip.
Since we are using a local user database, the Authentication Source should be Local; then select L2TP under the Authentication Options tab.
Clavister - Setting up the Policy
When the other parts are done, all that is left is the Policy. To let traffic through from the tunnel, a rule should be added with the following characteristics:
- Action: Allow
- Source Interface: L2TP
- Source Network: IPsec_range
- Destination Interface: any
- Destination Network: all-nets
- Service: all_services
- Source Translation: NAT
The reason for using any as destination interface is to be able to both access the internal network and the internal IP on <core>.
Windows 10 - Setting up the new network connection
First of all, the certificates (user certificate, private key and CA root certificate) need to be imported into Windows.
The earlier mentioned How-To explains how this is done.
To set up the new L2TP network connection in Windows 10, press the Windows key + I, or manually open Windows Settings, then go to Network & Internet -> VPN -> Add a VPN connection.
Add a VPN connection
Choose the pre-defined Windows (built-in) provider.
Give your connection a name.
Server Name or address
Type in the hostname or the IP of the Clavister Security Gateway you're connected to.
Since we want to set up an L2TP/IPsec connection with certificates, choose L2TP/IPsec with Certificates.
Here we enter one of the users we created in our Local User Database. In this case we created a user named testuser, which we will use.
Password (optional)
This password must match the user you want to connect as.
Note: If you don't enter the username or password, you will get a pop-up asking for your username and password.
You should now be able to connect to your Clavister Security Gateway using L2TP with Certificates.
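The same Windows 10 connection can be created from an elevated PowerShell instead of the Settings app. The block below is an added example and not part of the Clavister guide or Microsoft's documentation; the gateway address is a placeholder, the connection name is an assumption, and the PPP authentication method (MS-CHAPv2) is assumed because the guide does not state which PPP method the local user database is checked with.

```powershell
# Added example, not from the Clavister guide. Run in an elevated PowerShell on the Windows 10 client.
$GatewayAddress = '<clavister-gateway-ip-or-hostname>'   # placeholder: the SGW address the client reaches
$ConnectionName = 'Clavister L2TP'                        # assumed name for the VPN entry
$User           = 'testuser'                              # user created in the L2TP local user database

# Omitting -L2tpPsk is what selects "L2TP/IPsec with certificate": the IKE/IPsec side then
# authenticates with the machine certificate imported earlier instead of a pre-shared key.
# EncryptionLevel Optional lets the connection come up although MPPE is disabled on the
# gateway, as the guide recommends. MSChapv2 for the PPP user login is an assumption.
Add-VpnConnection -Name $ConnectionName -ServerAddress $GatewayAddress `
    -TunnelType L2tp -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Optional -RememberCredential -Force

# Certificate authentication needs a machine certificate with its private key in the
# local computer store; warn if none is there before trying to dial.
$machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }
if (-not $machineCerts) {
    Write-Warning 'No certificate with a private key found in Cert:\LocalMachine\My; import the client certificate first.'
}

# Show what was configured so it can be compared with the Settings app dialog.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel

# Dial the connection; the trailing '*' makes rasdial prompt for the password
# instead of putting it on the command line (and in the shell history).
rasdial $ConnectionName $User *
```

After connecting, `Get-VpnConnection -Name $ConnectionName` reports ConnectionStatus as Connected, and `rasdial $ConnectionName /disconnect` tears the tunnel down again.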