Setting up cOS Core as an L2TP/IPsec client

Description

L2TP over IPsec requires an IPsec tunnel that encapsulates the L2TP data when it is transported over an insecure network. This means that the IPsec tunnel will be established first, then the L2TP tunnel will be established inside the IPsec tunnel. This article provides an explanation of how to set up cOS Core to act as a client for an L2TP/IPsec tunnel connection. However, the following points should be noted:

• L2TP/IPsec is no longer recommended for use (since Jan 2023) as many of the default ciphers are now not recommended (such as MD5 and SHA1) and could pose a security risk. Unless the option exists to select and use stronger ciphers, it is recommended to instead use a normal IKEv2 IPsec tunnel. The use of double-encapsulation (L2TP inside an IPsec tunnel) also causes more overhead and only a maximum MTU of 1376 can be used which results in lower performance and potential fragmentation.
• When the L2TP client receives an IP address from the server IP pool, it will cause the cOS Core to initiate a reconfigure (similar to DHCP client).
• If no specific/option setting is mentioned, the default value should be used.

Setting up the IPsec interface

Name: IPsec_For_L2TP
IKE Version: IKEv1 (Important)
Encapsulation Mode: Transport (important)
Remote Endpoint: Server_IP (L2TP/IPsec server IP)
Authentication: PSK or Certificate
IKE and IPsec Algorithms: If possible, we recommend choosing safe proposals such as SHA256 and AES256. (you will need to match the algorithms used by the L2TP Server).
Add Route Dynamically: Disabled
Add Route Statically: Disabled

* *

Note: Local Network and Remote Network is not applicable when Transport mode is used. The IPv4 address all-nets (0.0.0.0/0) is not used even though it looks that way visually when examining the IPsec tunnel summary (above).

Setting up the L2TP client interface

Name: L2TP _Client
Tunnel Protocol: L2TP
Remote Endpoint: Server_IP (same IP/object as used on the IPsec tunnels Remote Endpoint).
Remote Network: RemoteNetWork (this is the network we want to access beyond the L2TP client tunnel).
Authentication: Here we enter the username and password for a user on the L2TP Server.
Under the Security tab: Select the IPsec interface created earlier.
Note: Keep the “Statically Add Route” option enabled
MTU: 1376

IP Policies to allow traffic to and from the network(s) behind the L2TP server

This IP policy allows traffic to be sent to the network(s) behind the L2TP server. If traffic is allowed to be initiated in the other direction, another IP policy for that would be needed.
Name: To_L2TP_RemoteNetWork
Action: Allow
Source Interface: If2
Source Network: If2_net
Destination Interface: L2TP_Client
Destination Network: RemoteNetWork
Service: all_services

Note the following:

• Make sure that the destination interface is the L2TP_Client interface and NOT the IPsec tunnel (this is a common setup mistake).
• NAT will most likely be needed (depending on how the server is configured) since the server would most likely not accept incoming traffic from the client's local network range.

Related articles