ASL-Corp members, Bureaucrats, Check users, Structured Discussions bots, oversight, Suppressors, Administrators, Upload Wizard campaign editors
1,714
edits
Changes
Jump to navigation
Jump to search
Line 299:
Line 299: − + Line 310:
Line 310: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
→Softether
Calling tinc with -k or --kill option will cause it to automatically unregister itself.
Calling tinc with -k or --kill option will cause it to automatically unregister itself.
== Softether ==
== SoftEther ==
SoftEther VPN is an Open-Source Free Cross-platform Multi-protocol VPN Program, that is an academic project from the University of Tsukuba in Japan.
SoftEther VPN is an Open-Source Free Cross-platform Multi-protocol VPN Program, that is an academic project from the University of Tsukuba in Japan.
*Embedded dynamic-DNS and NAT-traversal
*Embedded dynamic-DNS and NAT-traversal
*SSL-VPN (HTTPS) and support for 6 major VPN protocols: [http://www.softether.org/1-features/1._Ultimate_Powerful_VPN_Connectivity#Support_OpenVPN_Protocol OpenVPN], [http://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server IPSEC], [http://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server L2TP], [http://www.softether.org/1-features/1._Ultimate_Powerful_VPN_Connectivity#Support_Microsoft_SSTP_VPN_Protocol MS-SSTP], [http://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server/6.Cisco_IOS_L2TPv3%2F%2F%2F%2FIPsec_Edge-VPN_Router_Setup L2TPv3], and [http://www.softether.org/3-spec EtherIP])
*SSL-VPN (HTTPS) and support for 6 major VPN protocols: [http://www.softether.org/1-features/1._Ultimate_Powerful_VPN_Connectivity#Support_OpenVPN_Protocol OpenVPN], [http://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server IPSEC], [http://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server L2TP], [http://www.softether.org/1-features/1._Ultimate_Powerful_VPN_Connectivity#Support_Microsoft_SSTP_VPN_Protocol MS-SSTP], [http://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server/6.Cisco_IOS_L2TPv3%2F%2F%2F%2FIPsec_Edge-VPN_Router_Setup L2TPv3], and [http://www.softether.org/3-spec EtherIP])
====Cisco L2TPv3====
Use the setup of SoftEther [https://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server/6.Cisco_IOS_L2TPv3%2F%2F%2F%2FIPsec_Edge-VPN_Router_Setup here] as a guide for an L2TPv3 connection to a Cisco device.
=====SoftEther settings=====
Now make the following adjustments to the IPSEC/L2TPv3 settings shown there:
* Under IPSEC/L2TP setting select the checkbox for Enable EtherIP/L2TPv3 over IPsec Server Function
* Select EtherIP / L2TP Detail Settings
* ISAKMP Phase 1 ID: Specify local IP address of Cisco device here
* Fill in username/password settings
* Under Virtual Hub management
* Select Virtual NAT and virtual DHCP server function
* Secure NAT settings wtill be used to set Virtual DHCP server settings
{| class="wikitable" style="text-align: center; width: 85%"
|+ Ports used by Softether for this configuration
! Type
! Port #
|-
| UDP
| 500
|-
| UDP
| 4500
|-
| UDP
| 1701
|}
* Encryption: If you have an issue with using AES during your initial testing, try using DES or 3DES. Once you have the connection established try switching to a more secure algorithm.
=====Cisco config=====
And then use the following config below on your Cisco device instead of what is listed on the SoftEther site to get L2TPv3 working:
{| class="wikitable" style="text-align: center; width: 85%"
|+ Information used in this example
! Local IP addess
! Peer IP (SoftEhter Public IP)
! Pre-shared key
|-
| 192.168.100.100 (ISAKMP Phase 1 ID)
| 1.1.1.100
| CHANGEME
|}
* Note: By default Cisco may have NAT-Traversal enabled. This settings is not required.
* Specify the L2TPv3 settings and interface (change FastEterhnet0/0 to match your device's interface).
<pre>
pseudowire-class L2TPv3
encapsulation l2tpv3
ip local interface FastEthernet0/0
</pre>
* Note: You can chance the pseudowire-class interface's name from L2TPv3 to something more descriptive if you want.
* ISAKMP settings:
<pre>
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key CHANGEME address 1.1.1.100
crypto isakmp keepalive 10 periodic
</pre>
Note: You can use AES 256 encryption here. DH group uses type 2 1024 bit encryption.
* IPSEC settings:
<pre>
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
mode transport
crypto ipsec fragmentation after-encryption
</pre>
Note: 3des is being used here in this example. If you put this tunnel into production make sure you change the cipher used to AES!!!
* Cryptographic map:
<pre>
crypto map MAP 1 ipsec-isakmp
set peer 1.1.1.100
set transform-set IPSEC
match address IPSEC_MATCH_RULE
</pre>
* Interface configuration
<pre>
interface FastEthernet0/0
ip address 192.168.100.100 255.255.255.0
no ip proxy-arp
duplex auto
speed auto
crypto map MAP
</pre>
Note: FastEthernet0/0 uses the local IP address specified above and has the crypto map applied.
* Use FastEthernet0/1 as the interface for the tunnel
<pre>
interface FastEthernet0/1
no ip address
duplex auto
speed auto
no cdp enable
xconnect 1.1.1.100 1 encapsulation l2tpv3 pw-class L2TPv3
bridge-group 1
</pre>
* Access list:
<pre>
ip access-list extended IPSEC_MATCH_RULE
permit 115 any any
</pre>
* Now connect a device to FastEthernet0/1. It should get a DHCP lease from SoftEther and be on the network.
=====Troubelshooting=====
To troubleshoot the tunnel use the following commands:
<pre>
debug crypt isakmp
debug crypt ipsec
debug l2tp all
</pre>
* Show ISAKMP SA status:
<pre>
#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.100 192.168.100.100 QM_IDLE 1011 ACTIVE
IPv6 Crypto ISAKMP SA
・IPSec
#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: MAP, local addr 192.168.100.100
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/115/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/115/0)
current_peer 1.1.1.100 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 54342, #pkts encrypt: 54342, #pkts digest: 54342
#pkts decaps: 179917, #pkts decrypt: 179917, #pkts verify: 179917
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 23, #recv errors 0
local crypto endpt.: 192.168.100.100, remote crypto endpt.: 1.1.1.100
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x48E82D7A(1223175546)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x1B68FD22(459865378)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2107, flow_id: NETGX:107, sibling_flags 80000046, crypto map: MAP
sa timing: remaining key lifetime (k/sec): (4386973/1557)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x48E82D7A(1223175546)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2108, flow_id: NETGX:108, sibling_flags 80000046, crypto map: MAP
sa timing: remaining key lifetime (k/sec): (4386975/1557)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
</pre>
* Check L2TP session:
<pre>
#show l2tp session
L2TP Session Information Total tunnels 1 sessions 1
LocID RemID TunID Username, Intf/ State Last Chg Uniq ID
Vcid, Circuit
23239**** 1900**** 2306***** 1, Fa0/1 est 01:32:52 1
</pre>
* Check L2TP tunnel:
<pre>
L2TP Tunnel Information Total tunnels 1 sessions 1
LocTunID RemTunID Remote Name State Remote Address Sessn L2TP Class/
Count VPDN Group
230**** 1 ******* est 1.1.1.100 1 l2tp_default_cl
</pre>
Note: If you use AES for IPSEC it will become TunID 0.
== WireGuard ==
== WireGuard ==