[SOLVED] Question about L2TP configuration

gtsolid

Distinguished
Jan 14, 2016
155
0
18,680
Hi everyone!
I'm configuring my TL-R600VPN for an L2TP VPN connection and I have a doubt: in the manual there's a server, a client and a user (optional) configuration.
  • Why is "user configuration" optional? How could I connect using simply the "client" configuration?
  • Under "client" configuration, what should I use as "Server IP" and "Remote Subnet"? I think the IP of the device itself, and as remote subnet I chose 192.168.1.0/28; I think 16 nodes are enough (in my idea I only need 4 users accessing the VPN).
 

kanewolf

Titan
Moderator
I'm into the company LAN with a device trying to create an inbound VPN so that I can access from home
Let me re-phrase so I can be sure I understand -- You are trying to set up your home router so that ALL devices on your network can get to the corporate network?
Normally for remote access to corporate network the VPN client would be on the device rather than the router.
Or am I misinterpreting and the TL-R600VPN is the router on the business ?
 

gtsolid

Distinguished
Jan 14, 2016
155
0
18,680
Currently TL-R600VPN is simply the VPN manager (it's linked via ethernet to the main corporate switch). I'm on it, trying to configure L2TP VPN in order to access to corporate network from outside. No reference to home for now.
 

kanewolf
Currently TL-R600VPN is simply the VPN manager (it's linked via ethernet to the main corporate switch). I'm on it, trying to configure L2TP VPN in order to access to corporate network from outside. No reference to home for now.
So you are trying to set it up as the server, rather than the client.

I will also say that you should verify you are allowed to do this with management and/or company IT.
 

gtsolid
I'm the company IT manager. No problem about security.
I have those questions because it's the first time I set up a VPN.

You mean I don't need to configure the client but only the server? And why are users optional?
 
I assume you are going to use IPSEC also? L2TP is not a secure protocol; it is purely a method of tunnelling data.

There are ways to set up ipsec without l2tp also. L2TP is kinda old; it was used back in the days where there was a need to transfer protocols like netbios over IP.

If you really need layer 2 tunnels you should use the newer L2TPv2; this will actually tunnel even vlan tags.

Most vpn uses openvpn which is a form of vpn over HTTPS. It tends to be simpler to set up and has fewer issues being blocked by things like public hotspots and other networks. IPSEC does have much less overhead so it is faster.
 

gtsolid
IPSec is also a possibility. If I try to configure it, Remote Subnet is necessary and quite tricky: if I connect from my home or from another branch, the subnet will change.
Is there any way to avoid this? Something open and universal. I could use Dropbox, but I'd lose the mail server connection.
 
There are a couple of ways to do this. Many times the gateway box runs a form of NAT if you don't use L2TP but use ipsec. You could also use simple routing between the subnets...as long as they are not the same subnet. IPSEC has so many options.

You really don't want to use just L2TP; you need IPSEC over the internet. The session is completely open and if someone really wanted they could inject data into the stream in addition to just reading it.

The reason they run L2TP over IPSEC is to solve the issue where you actually have to be on the same subnet. Something like microsoft device discovery that sends layer 2 broadcasts.
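The reply above points out that routing between the corporate subnet and the remote user's network only works when the two do not overlap, and the original poster picked 192.168.1.0/28 for 4 users. The following is an added example, not code from the thread or from TP-Link: a small address-plan check using Python's standard ipaddress module. The corporate LAN, the VPN pool and the client-side networks in it are constructed values for illustration, not taken from the thread.

```python
"""Added example: sanity-check a routed (layer 3) VPN address plan.

Constructed assumptions for illustration (not from the thread):
  - CORPORATE_LAN is the office network behind the TL-R600VPN.
  - VPN_POOL is the block of addresses handed out to remote users.
  - CLIENT_LANS are networks a user might be sitting on (home router,
    phone hotspot); their values are typical defaults, chosen by hand.
"""
from ipaddress import ip_network

CORPORATE_LAN = "192.168.1.0/24"          # constructed
VPN_POOL = "192.168.1.0/28"               # the /28 the poster proposed
CLIENT_LANS = ["192.168.1.0/24", "172.20.10.0/28"]  # constructed: home LAN, hotspot


def check_plan(corporate_lan, vpn_pool, client_lans):
    """Return a list of (problem, detail) tuples; an empty list means the
    plan is routable. Each problem is an overlap the routing table cannot
    resolve: the same destination prefix would match two different places."""
    corp = ip_network(corporate_lan)
    pool = ip_network(vpn_pool)
    problems = []
    # Addresses given to tunnel users must not be carved out of the LAN
    # itself, or the server cannot tell a tunnel host from a local host.
    if pool.overlaps(corp):
        problems.append(("pool_overlaps_lan", f"{pool} overlaps {corp}"))
    for lan in client_lans:
        net = ip_network(lan)
        # The "Remote Subnet" route installed on the client is useless if the
        # user's own network already claims that prefix.
        if net.overlaps(corp):
            problems.append(("client_overlaps_lan", f"{net} overlaps {corp}"))
        if net.overlaps(pool):
            problems.append(("client_overlaps_pool", f"{net} overlaps {pool}"))
    return problems


def usable_clients(vpn_pool):
    """Number of remote users a pool can serve. A /28 has 16 addresses but only
    14 host addresses, and one of those is assumed here to be taken by the VPN
    server's own tunnel endpoint (assumption, not a TL-R600VPN figure)."""
    return sum(1 for _ in ip_network(vpn_pool).hosts()) - 1


if __name__ == "__main__":
    for problem, detail in check_plan(CORPORATE_LAN, VPN_POOL, CLIENT_LANS):
        print(f"{problem}: {detail}")
    print(f"{VPN_POOL} serves at most {usable_clients(VPN_POOL)} remote users")
```

Running it with the constructed values reports that the proposed /28 sits inside the office LAN and that a home network using the same 192.168.1.0/24 would collide with it, which is exactly the case where "simple routing between the subnets" breaks down.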
 

gtsolid
Often I use my mobile hotspot, so it's quite difficult to play with NAT, etc... from the client side. Maybe PPTP is the solution?
But also in that case I'm asked for "Remote subnet", so no solution. Or Dropbox.
 
PPTP in many ways has more trouble with NAT than other protocols. First, pptp is not considered secure. It also uses the GRE protocol. NAT only works on UDP and TCP. To set up vpn you need to have a pretty good understanding of what "protocol" really means when it comes to internet communications.

All this messy stuff both with PPTP and IPSEC/L2TP is why openvpn is so popular. It is based on the same encryption used by HTTPS. It is designed to get past the NAT issues and it tends to also not be blocked by firewalls that attempt to block vpn like ipsec and pptp. Even China's great firewall for a very long time could not tell this was not normal web surfing.

You really need to determine if you absolutely must be on the same layer 2 subnet. This too requires a good understanding of what the term "layer 2" means. It is not something that is very common to actually need a layer 2 tunnel.
 

gtsolid
I don't need layer 2, I only need to access files and a mail server from home, so I need an IP given by the corporate server to my home computer.
Or if it's too complicated, something only to access files on corporate server.
 
If it supports openvpn that tends to be the easiest for a new person to implement. I would try it and see if it works. The whole purpose of vpn servers is to give you access to the local resources. This is a huge difference between that and the pc being on the same layer 2 network.

Otherwise I would try IPSEC next. Depending on the implementation you might be able to skip the l2tp.

IPSEC though is complex for a new person. Try to find an example configuration for your router/vpn server that uses ip nat traversal. This is the feature that allows IPSEC and NAT to function together.
 
Solution