So, first time on this forum; I hope I don't break some kind of rule by asking the question directly.
This is my scenario: in the main offices we have, as gateway/firewall, a Ubiquiti USG-4PRO device configured with 2 VPN interfaces.
The first one is an OpenVPN site-to-site interface with another Ubiquiti USG-3P device in a remote office.
The second is an L2TP interface for users outside to connect to the internal network.
Because of this configuration, I do not want to enter custom configurations on the USG beyond what is made through its UI, because I don't want to break any of the services and provoke a commit error on the USG that ends in a complete config wipe and restart of the device.
I investigated over SSH all the types of configuration regarding the OpenVPN or L2TP interfaces within the USG to get their configuration methods.
For OpenVPN I couldn't find any config file; besides, I think the service could be started without one, because it could be started with all the parameters on the command that starts the service itself (it is difficult, but it can be done).
So next I proceeded with the config files for the L2TP PSK VPN, and I was able to find them. Because Ubiquiti uses strongSwan for the L2TP service, it makes OpenWrt the number one candidate, because it is also able to do so.
So far, this is what has been obtained from those files; these are the lines they use:
ipsec.conf:
# strongSwan's defaults section is spelled %default (it was transcribed as $default)
conn %default
    keyexchange=ikev1

conn remote-access
    authby=secret
    type=transport
    keyexchange=ikev1
    left=<VPN SERVER IP>
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    auto=add
    # note: this list still offers 3des and modp1024, which are weak; it also offers aes256-sha1-modp2048
    ike=aes128-sha1-modp2048,aes256-sha1-modp4096,aes128-sha1-modp1536,aes256-sha1-modp2048,aes128-sha1-modp1024,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1,3des-sha1-modp1024,3des-sha1!
    dpddelay=15
    dpdtimeout=45
    dpdaction=clear
    esp=aes128-sha1-modp2048,aes256-sha1-modp4096,aes128-sha1-modp1536,aes256-sha1-modp2048,aes128-sha1-modp1024,aes256-sha1-modp1536,aes256-sha1-modp1024,aes128-sha1,aes256-sha1,3des-sha1!
    rekey=no
    ikelifetime=3600
    keylife=3600
ipsec.secrets:
<VPN SERVER IP> %any : PSK "<PreShared Key>"
xl2tpd.conf:
[global]
; the xl2tpd keyword is "listen-addr" (it was transcribed as "listen-add")
listen-addr = <VPN SERVER IP>
[lns default]
ip range = <VPN IP POOL SET>
local ip = <LOCAL LAN BROADCAST IP>
refuse pap = yes
require authentication = yes
name = (for security reasons I hide this)
ppp debug = yes
pppoptfile = ../options.xl2tpd
length bit = yes
options.xl2tpd:
name (for security reasons I hide this)
linkname (for security reasons I hide this)
ipcp-accept-local
ipcp-accept-remote
ms-dns <VPN SET DNS IP 1 SERVER>
ms-dns <VPN SET DNS IP 2 SERVER>
ms-wins <VPN SET WINS IP SERVER>
auth
nodefaultroute
debug
proxyarp
connect-delay 5000
require-mschap-v2
idle 1800
plugin radius.so
radius-config-file .../radiusclient-l2tp.conf
plugin radar.so
After this, I've created this config on the OpenWrt device:
opkg update
opkg install strongswan-default xl2tpd
ipsec.conf:
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    charondebug=all

conn %default
    ikelifetime=3600
    keylife=3600
    keyexchange=ikev1

conn <NAME OF VPN>
    authby=secret
    # modp1024 is the weakest group the USG accepts; its list also allows aes256-sha1-modp2048
    ike=aes256-sha1-modp1024
    esp=aes256-sha1-modp1024
    dpddelay=15
    dpdtimeout=45
    dpdaction=clear
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=<VPN SERVER IP>
    rightprotoport=17/1701
    # a duplicate auto=add was dropped; the later auto=start is the one that applies
    auto=start
ipsec.secrets:
: PSK "<PreShared Key>"
xl2tpd.conf:
[global]
port = 1701
auth file = /etc/xl2tpd/xl2tpd-secrets
; the keyword is "access control"; xl2tpd refuses to load a file with an unknown keyword
access control = no
[lac <NAME OF VPN>]
lns = <VPN SERVER IP>
;ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
options.l2tpd.client:
# this file carries the VPN password, keep it mode 0600
ipcp-accept-local
# was misspelled "ipcp-accpet-remote"; pppd exits on an unknown option
ipcp-accept-remote
require-mschap-v2
noauth
defaultroute
replacedefaultroute
usepeerdns
#debug
connect-delay 5000
idle 1800
name <VPN USER>
password <VPN USER PASS>
/etc/init.d/ipsec enable
/etc/init.d/xl2tpd enable
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart
ipsec restart
ipsec up <NAME OF VPN>
So far the connection is established, OK, let's continue. The first time I did this I thought that a ppp0 interface would show up, but it was missing from ifconfig; then it hit me:
echo "c <NAME OF VPN>" > /var/run/xl2tpd/l2tp-control
After that the ppp0 interface showed up with a VPN IP, but the connection only lasts for some minutes and then it's gone and ppp0 is no longer in ifconfig.
While ppp0 is up I've tried to ping an IP on the local network that is behind the USG, but there isn't a response. Also, I know that there are more steps to be done, but ppp0 doesn't last long enough to establish that config, and even if I proceed with them, then there is no more internet connection (not even for bringing the VPN up again).
The next commands should be something like this:
route add <VPN SERVER IP> gw <OPENWRT LOCAL IP>
route add default dev ppp0
What am I doing wrong? What's missing?
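The following is an added example of mine and is not code from the original post, from Ubiquiti or from the OpenWrt project. It is an up/down helper for the strongSwan + xl2tpd client described above that does the routing steps in the order that keeps the tunnel alive: a /32 host route for the VPN server via the WAN gateway (read from the existing default route) is installed before ppp0 exists, and only then is the tunnel brought up and the default route moved onto ppp0. If the default route moves first, the UDP/500, UDP/4500 and L2TP packets that carry the tunnel are themselves routed into the tunnel; with the dpdtimeout=45 / dpdaction=clear settings in the posted config strongSwan then clears the SA, which fits the "ppp0 lasts a few minutes, then no internet" symptom. Assumed names that do not appear in the post: the conn is called usg, the server is 203.0.113.10, the state file path, and the busybox ip and awk applets as shipped with OpenWrt.

```shell
#!/bin/sh
# Added example, not from the original post: up/down helper for the L2TP/IPsec
# client on OpenWrt that pins the VPN server to the WAN path before ppp0 takes
# over the default route.
#
# Assumptions (not in the post): conn name "usg", server 203.0.113.10,
# the state file path, and busybox ip/awk as found on OpenWrt.
VPN_NAME="${VPN_NAME:-usg}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
STATE_FILE="${STATE_FILE:-/var/run/l2tp-client.route}"

# Default gateway taken from `ip route` output. The table is passed as text so
# the function can be checked against a constructed table without a live box.
wan_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Device of the default route (the host route needs it as well).
wan_device() {
    printf '%s\n' "$1" | awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# The host route that keeps the VPN server reachable through the WAN gateway
# once ppp0 becomes the default route. Without it the IKE/ESP/L2TP traffic is
# sent into the tunnel it belongs to, DPD times out and dpdaction=clear tears
# the tunnel down.
host_route_cmd() {
    printf 'ip route replace %s/32 via %s dev %s\n' "$VPN_SERVER" "$1" "$2"
}

bring_up() {
    table=$(ip route)
    gw=$(wan_gateway "$table")
    dev=$(wan_device "$table")
    [ -n "$gw" ] && [ -n "$dev" ] || { echo "no WAN default route found" >&2; return 1; }
    printf '%s %s\n' "$gw" "$dev" > "$STATE_FILE"        # remembered for bring_down
    eval "$(host_route_cmd "$gw" "$dev")" || return 1     # pin the server to WAN first
    ipsec up "$VPN_NAME" || return 1                      # IKEv1 + ESP transport SA
    echo "c $VPN_NAME" > /var/run/xl2tpd/l2tp-control     # start the L2TP session
    i=0
    until ip link show ppp0 >/dev/null 2>&1; do           # wait for pppd to bring ppp0 up
        i=$((i + 1))
        [ "$i" -lt 30 ] || { echo "ppp0 did not appear" >&2; return 1; }
        sleep 1
    done
    # With defaultroute/replacedefaultroute in the pppd options this is already
    # done by pppd; it is harmless to repeat and needed when those are absent.
    ip route replace default dev ppp0
}

bring_down() {
    echo "d $VPN_NAME" > /var/run/xl2tpd/l2tp-control 2>/dev/null
    ipsec down "$VPN_NAME" 2>/dev/null
    if [ -r "$STATE_FILE" ]; then
        read -r gw dev < "$STATE_FILE"
        ip route replace default via "$gw" dev "$dev"     # restore the WAN default route
        ip route del "$VPN_SERVER/32" 2>/dev/null         # drop the pinning host route
        rm -f "$STATE_FILE"
    fi
}

case "${1:-}" in
    up)   bring_up ;;
    down) bring_down ;;
esac
```

Run it as `sh l2tp-client.sh up` after `/etc/init.d/ipsec` and `/etc/init.d/xl2tpd` have started, and `sh l2tp-client.sh down` to undo the routes. The script only looks at the default route, so it needs no OpenWrt-specific configuration; the one thing that matters is the ordering, host route first and ppp0 default route last.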