Hi! Just found an issue: a user behind NAT can't connect to the l2tp+ipsec server with the right config (posted above) without fixing (adding some options to) /etc/ipsec.d/tunnels/remote-access (posted above; the lines that were added are marked with ->>> <<<-).
Client running macOS Sierra.
- macOS uses 3des-sha1-modp1024, which is not added to the config by default.
- Without specifying rightsubnet=0.0.0.0/0, ipsec could not find a child SA. But the allowed networks were added to the VyOS config...
Please, test and confirm.
CONFIG:
vpn {
    ipsec {
        ipsec-interfaces {
            interface eth0.900
        }
        nat-networks {
            allowed-network 10.0.0.0/24 {
            }
            allowed-network 172.16.0.0/20 {
            }
            allowed-network 192.168.0.0/16 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username mihon {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.255.1
                stop 192.168.255.254
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
            }
            outside-address A.B.C.D
        }
    }
}
/etc/ipsec.d/tunnels/remote-access:
conn remote-access
        authby=secret
->>>    installpolicy=yes    <<<-
->>>    type=transport       <<<-
        pfs=no
        left=A.B.C.D
        leftprotoport=17/1701
        right=%any
        rightsubnet=vhost:%no,%priv
->>>    rightsubnet=0.0.0.0/0    <<<-
        auto=add
->>>    ike=aes256-sha1,3des-sha1-modp1024!    <<<-
        dpddelay=15
        dpdtimeout=45
        dpdaction=clear
        esp=aes256-sha1,3des-sha1!
        rekey=no
        ikelifetime=3600
        keylife=3600
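As an added check (my own script, not code from the post or from VyOS/strongSwan), here is a small Python tool that parses a conn block like the one above, reports keys assigned more than once (rightsubnet is set twice here, so it is worth knowing which value strongSwan actually applied), tests whether the ike= and esp= lists would accept the proposal the post says macOS Sierra sends, and lists the legacy primitives (3des, sha1, modp1024) the fix enables. The sample conn block is the post's, with the ->>> <<<- markers stripped; the set-wise proposal comparison and the assumption that the client's ESP proposal is 3des-sha1 are simplifications of mine.

```python
"""Static sanity checks for a strongSwan ipsec.conf 'conn' block.

Added example, not code from the post or from VyOS: parses a conn block,
flags keys set more than once, checks whether ike=/esp= would accept a given
client proposal, and lists legacy primitives present in the proposal lists.
"""
from collections import defaultdict

# Primitives a practitioner wants flagged before enabling them for remote access.
LEGACY = {"3des", "md5", "sha1", "modp768", "modp1024"}

# Constructed sample: the post's conn block with the ->>> <<<- markers removed.
SAMPLE_CONN = """\
conn remote-access
    authby=secret
    installpolicy=yes
    type=transport
    pfs=no
    left=A.B.C.D
    leftprotoport=17/1701
    right=%any
    rightsubnet=vhost:%no,%priv
    rightsubnet=0.0.0.0/0
    auto=add
    ike=aes256-sha1,3des-sha1-modp1024!
    dpddelay=15
    dpdtimeout=45
    dpdaction=clear
    esp=aes256-sha1,3des-sha1!
    rekey=no
    ikelifetime=3600
    keylife=3600
"""


def parse_conn(text):
    """Return (conn name, list of (key, value) pairs in file order)."""
    name, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1].strip()
        elif "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip(), value.strip()))
    return name, entries


def duplicate_keys(entries):
    """Keys assigned more than once, with every value seen (rightsubnet in the post)."""
    seen = defaultdict(list)
    for key, value in entries:
        seen[key].append(value)
    return {k: v for k, v in seen.items() if len(v) > 1}


def parse_proposals(value):
    """'aes256-sha1,3des-sha1-modp1024!' -> (['aes256-sha1', '3des-sha1-modp1024'], True).
    The trailing '!' is strongSwan's strict flag: only the listed proposals are accepted."""
    strict = value.endswith("!")
    props = [p.strip() for p in value.rstrip("!").split(",") if p.strip()]
    return props, strict


def accepts(server_value, client_proposal):
    """True if one server proposal has exactly the client's set of algorithm names.
    Assumption/simplification: components are compared as sets; strongSwan's
    implicit defaults for an omitted DH group are not modelled."""
    props, _strict = parse_proposals(server_value)
    want = set(client_proposal.split("-"))
    return any(set(p.split("-")) == want for p in props)


def legacy_components(value):
    """Legacy primitives present anywhere in a proposal list, sorted."""
    props, _ = parse_proposals(value)
    return sorted({c for p in props for c in p.split("-") if c in LEGACY})


def check_conn(text, client_ike, client_esp):
    """Run every check; returns a dict a CI job or a human can read."""
    name, entries = parse_conn(text)
    values = dict(entries)  # last assignment wins here; duplicates are reported separately
    return {
        "conn": name,
        "duplicates": duplicate_keys(entries),
        "ike_accepts_client": accepts(values.get("ike", ""), client_ike),
        "esp_accepts_client": accepts(values.get("esp", ""), client_esp),
        "legacy_ike": legacy_components(values.get("ike", "")),
        "legacy_esp": legacy_components(values.get("esp", "")),
    }


if __name__ == "__main__":
    # IKE proposal per the post; the ESP counterpart 3des-sha1 is an assumption.
    for key, val in check_conn(SAMPLE_CONN, "3des-sha1-modp1024", "3des-sha1").items():
        print(f"{key}: {val}")
```

Run it against the real /etc/ipsec.d/tunnels/remote-access by reading the file into check_conn(); a non-empty "duplicates" entry or a False in "ike_accepts_client" is the thing to look at before touching the VyOS config again, and the legacy lists show exactly what the macOS workaround costs.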