Line 299: |
| Calling tinc with -k or --kill option will cause it to automatically unregister itself. | | Calling tinc with -k or --kill option will cause it to automatically unregister itself. |
| | | |
− | == Softether == | + | == SoftEther == |
| SoftEther VPN is an Open-Source Free Cross-platform Multi-protocol VPN Program, that is an academic project from the University of Tsukuba in Japan. | | SoftEther VPN is an Open-Source Free Cross-platform Multi-protocol VPN Program, that is an academic project from the University of Tsukuba in Japan. |
| | | |
Line 310: |
| *Embedded dynamic-DNS and NAT-traversal | | *Embedded dynamic-DNS and NAT-traversal |
| *SSL-VPN (HTTPS) and support for 6 major VPN protocols: [http://www.softether.org/1-features/1._Ultimate_Powerful_VPN_Connectivity#Support_OpenVPN_Protocol OpenVPN], [http://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server IPSEC], [http://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server L2TP], [http://www.softether.org/1-features/1._Ultimate_Powerful_VPN_Connectivity#Support_Microsoft_SSTP_VPN_Protocol MS-SSTP], [http://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server/6.Cisco_IOS_L2TPv3%2F%2F%2F%2FIPsec_Edge-VPN_Router_Setup L2TPv3], and [http://www.softether.org/3-spec EtherIP]) | | *SSL-VPN (HTTPS) and support for 6 major VPN protocols: [http://www.softether.org/1-features/1._Ultimate_Powerful_VPN_Connectivity#Support_OpenVPN_Protocol OpenVPN], [http://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server IPSEC], [http://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server L2TP], [http://www.softether.org/1-features/1._Ultimate_Powerful_VPN_Connectivity#Support_Microsoft_SSTP_VPN_Protocol MS-SSTP], [http://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server/6.Cisco_IOS_L2TPv3%2F%2F%2F%2FIPsec_Edge-VPN_Router_Setup L2TPv3], and [http://www.softether.org/3-spec EtherIP]) |
| + | |
| + | ====Cisco L2TPv3==== |
| + | Use the setup of SoftEther [https://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server/6.Cisco_IOS_L2TPv3%2F%2F%2F%2FIPsec_Edge-VPN_Router_Setup here] as a guide for an L2TPv3 connection to a Cisco device. |
| + | |
| + | =====SoftEther settings===== |
| + | Now make the following adjustments to the IPSEC/L2TPv3 settings shown there: |
| + | |
| + | * Under IPSEC/L2TP setting select the checkbox for Enable EtherIP/L2TPv3 over IPsec Server Function |
| + | * Select EtherIP / L2TP Detail Settings |
| + | * ISAKMP Phase 1 ID: Specify local IP address of Cisco device here |
| + | * Fill in username/password settings |
| + | |
| + | * Under Virtual Hub management |
| + | * Select Virtual NAT and virtual DHCP server function |
| + | * Secure NAT settings wtill be used to set Virtual DHCP server settings |
| + | |
| + | {| class="wikitable" style="text-align: center; width: 85%" |
| + | |+ Ports used by Softether for this configuration |
| + | ! Type |
| + | ! Port # |
| + | |- |
| + | | UDP |
| + | | 500 |
| + | |- |
| + | | UDP |
| + | | 4500 |
| + | |- |
| + | | UDP |
| + | | 1701 |
| + | |} |
| + | |
| + | * Encryption: If you have an issue with using AES during your initial testing, try using DES or 3DES. Once you have the connection established try switching to a more secure algorithm. |
| + | |
| + | =====Cisco config===== |
| + | And then use the following config below on your Cisco device instead of what is listed on the SoftEther site to get L2TPv3 working: |
| + | |
| + | {| class="wikitable" style="text-align: center; width: 85%" |
| + | |+ Information used in this example |
| + | ! Local IP addess |
| + | ! Peer IP (SoftEhter Public IP) |
| + | ! Pre-shared key |
| + | |- |
| + | | 192.168.100.100 (ISAKMP Phase 1 ID) |
| + | | 1.1.1.100 |
| + | | CHANGEME |
| + | |} |
| + | |
| + | * Note: By default Cisco may have NAT-Traversal enabled. This settings is not required. |
| + | |
| + | * Specify the L2TPv3 settings and interface (change FastEterhnet0/0 to match your device's interface). |
| + | |
| + | <pre> |
| + | pseudowire-class L2TPv3 |
| + | encapsulation l2tpv3 |
| + | ip local interface FastEthernet0/0 |
| + | </pre> |
| + | |
| + | * Note: You can chance the pseudowire-class interface's name from L2TPv3 to something more descriptive if you want. |
| + | |
| + | * ISAKMP settings: |
| + | |
| + | <pre> |
| + | crypto isakmp policy 1 |
| + | encr aes 256 |
| + | authentication pre-share |
| + | group 2 |
| + | crypto isakmp key CHANGEME address 1.1.1.100 |
| + | crypto isakmp keepalive 10 periodic |
| + | </pre> |
| + | |
| + | Note: You can use AES 256 encryption here. DH group uses type 2 1024 bit encryption. |
| + | |
| + | * IPSEC settings: |
| + | |
| + | <pre> |
| + | crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac |
| + | mode transport |
| + | crypto ipsec fragmentation after-encryption |
| + | </pre> |
| + | |
| + | Note: 3des is being used here in this example. If you put this tunnel into production make sure you change the cipher used to AES!!! |
| + | |
| + | * Cryptographic map: |
| + | |
| + | <pre> |
| + | crypto map MAP 1 ipsec-isakmp |
| + | set peer 1.1.1.100 |
| + | set transform-set IPSEC |
| + | match address IPSEC_MATCH_RULE |
| + | </pre> |
| + | |
| + | * Interface configuration |
| + | |
| + | <pre> |
| + | interface FastEthernet0/0 |
| + | ip address 192.168.100.100 255.255.255.0 |
| + | no ip proxy-arp |
| + | duplex auto |
| + | speed auto |
| + | crypto map MAP |
| + | </pre> |
| + | |
| + | Note: FastEthernet0/0 uses the local IP address specified above and has the crypto map applied. |
| + | |
| + | * Use FastEthernet0/1 as the interface for the tunnel |
| + | |
| + | <pre> |
| + | interface FastEthernet0/1 |
| + | no ip address |
| + | duplex auto |
| + | speed auto |
| + | no cdp enable |
| + | xconnect 1.1.1.100 1 encapsulation l2tpv3 pw-class L2TPv3 |
| + | bridge-group 1 |
| + | </pre> |
| + | |
| + | * Access list: |
| + | |
| + | <pre> |
| + | ip access-list extended IPSEC_MATCH_RULE |
| + | permit 115 any any |
| + | </pre> |
| + | |
| + | * Now connect a device to FastEthernet0/1. It should get a DHCP lease from SoftEther and be on the network. |
| + | |
| + | =====Troubelshooting===== |
| + | To troubleshoot the tunnel use the following commands: |
| + | |
| + | <pre> |
| + | debug crypt isakmp |
| + | debug crypt ipsec |
| + | debug l2tp all |
| + | </pre> |
| + | |
| + | * Show ISAKMP SA status: |
| + | |
| + | <pre> |
| + | #show crypto isakmp sa |
| + | IPv4 Crypto ISAKMP SA |
| + | dst src state conn-id status |
| + | 1.1.1.100 192.168.100.100 QM_IDLE 1011 ACTIVE |
| + | |
| + | IPv6 Crypto ISAKMP SA |
| + | |
| + | ・IPSec |
| + | #show crypto ipsec sa |
| + | |
| + | interface: FastEthernet0/0 |
| + | Crypto map tag: MAP, local addr 192.168.100.100 |
| + | |
| + | protected vrf: (none) |
| + | local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/115/0) |
| + | remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/115/0) |
| + | current_peer 1.1.1.100 port 4500 |
| + | PERMIT, flags={origin_is_acl,} |
| + | #pkts encaps: 54342, #pkts encrypt: 54342, #pkts digest: 54342 |
| + | #pkts decaps: 179917, #pkts decrypt: 179917, #pkts verify: 179917 |
| + | #pkts compressed: 0, #pkts decompressed: 0 |
| + | #pkts not compressed: 0, #pkts compr. failed: 0 |
| + | #pkts not decompressed: 0, #pkts decompress failed: 0 |
| + | #send errors 23, #recv errors 0 |
| + | |
| + | local crypto endpt.: 192.168.100.100, remote crypto endpt.: 1.1.1.100 |
| + | path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0 |
| + | current outbound spi: 0x48E82D7A(1223175546) |
| + | PFS (Y/N): N, DH group: none |
| + | |
| + | inbound esp sas: |
| + | spi: 0x1B68FD22(459865378) |
| + | transform: esp-3des esp-sha-hmac , |
| + | in use settings ={Tunnel UDP-Encaps, } |
| + | conn id: 2107, flow_id: NETGX:107, sibling_flags 80000046, crypto map: MAP |
| + | sa timing: remaining key lifetime (k/sec): (4386973/1557) |
| + | IV size: 8 bytes |
| + | replay detection support: Y |
| + | Status: ACTIVE |
| + | |
| + | inbound ah sas: |
| + | |
| + | inbound pcp sas: |
| + | |
| + | outbound esp sas: |
| + | spi: 0x48E82D7A(1223175546) |
| + | transform: esp-3des esp-sha-hmac , |
| + | in use settings ={Tunnel UDP-Encaps, } |
| + | conn id: 2108, flow_id: NETGX:108, sibling_flags 80000046, crypto map: MAP |
| + | sa timing: remaining key lifetime (k/sec): (4386975/1557) |
| + | IV size: 8 bytes |
| + | replay detection support: Y |
| + | Status: ACTIVE |
| + | |
| + | outbound ah sas: |
| + | |
| + | outbound pcp sas: |
| + | </pre> |
| + | |
| + | * Check L2TP session: |
| + | |
| + | <pre> |
| + | #show l2tp session |
| + | L2TP Session Information Total tunnels 1 sessions 1 |
| + | |
| + | LocID RemID TunID Username, Intf/ State Last Chg Uniq ID |
| + | Vcid, Circuit |
| + | 23239**** 1900**** 2306***** 1, Fa0/1 est 01:32:52 1 |
| + | </pre> |
| + | |
| + | * Check L2TP tunnel: |
| + | |
| + | <pre> |
| + | L2TP Tunnel Information Total tunnels 1 sessions 1 |
| + | LocTunID RemTunID Remote Name State Remote Address Sessn L2TP Class/ |
| + | Count VPDN Group |
| + | 230**** 1 ******* est 1.1.1.100 1 l2tp_default_cl |
| + | </pre> |
| + | |
| + | Note: If you use AES for IPSEC it will become TunID 0. |
| | | |
| == WireGuard == | | == WireGuard == |
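Review bot: the cipher guidance in this hunk is inconsistent with the configuration it ships: the SoftEther settings bullet tells the reader to fall back to DES or 3DES, the IPsec transform set is `crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac`, and the note after it says to change to AES for production, yet no AES transform set is shown anywhere and the closing note ("If you use AES for IPSEC it will become TunID 0") leaves the reader unsure whether AES works at all. Suggest making the AES variant (for example `esp-aes 256 esp-sha-hmac`, paired with a stronger Diffie-Hellman group than `group 2` in the ISAKMP policy, such as `group 14`, where the SoftEther side supports it) the primary example and keeping 3DES only as the documented fallback, and rewording "DH group uses type 2 1024 bit encryption", since group 2 is a 1024-bit MODP key-exchange group, not an encryption setting. Separately, the captured `show crypto ipsec sa` output does not match the config above it: it shows `in use settings ={Tunnel UDP-Encaps, }` and `current_peer 1.1.1.100 port 4500` (tunnel mode with NAT-T on UDP 4500) although the transform set specifies `mode transport` and the page states NAT-Traversal is not required, so either the output came from a different setup or the NAT-T note needs qualifying. Smaller points: the troubleshooting block should spell out `debug crypto isakmp` and `debug crypto ipsec` (the rest of the page uses the full keyword); the stray `・IPSec` line inside the ISAKMP output block should become its own "* Show IPsec SA status:" bullet with a separate `<pre>` block, and the "Check L2TP tunnel" block is missing its `#show l2tp tunnel` command line that the other blocks have; and the heading rename to "SoftEther" in the previous hunk is not carried through here ("Ports used by Softether", "SoftEhter Public IP"), alongside the typos "wtill", "addess", "FastEterhnet0/0", "chance", "This settings is not required" and the "=====Troubelshooting=====" heading.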