VPN Service with IPsec and L2TP/IPSEC

Zentyal integrates Libreswan [3] as its IPsec and L2TP/IPsec solution. This service uses UDP ports 500, 1701 and 4500 together with the ESP protocol.

[3]Libreswan: http://libreswan.org/

Configuring an IPsec tunnel in Zentyal

Before starting with the configuration, note that this module is only available in the Commercial Editions.

To configure IPsec in Zentyal, go to VPN ‣ IPsec. Here you can define all the tunnels and IPsec connections you need. You can enable or disable each one of them and add an explanatory note.

VPN type IPsec

In Configuration, under the General tab, you define the Zentyal IP address used for each connection to reach the external subnet, the local subnet behind Zentyal that will be reachable through the VPN tunnel, the remote IP address of the other end of the tunnel, and the subnet accessible at that other end. If you want to configure a tunnel between two subnets using IPsec, both ends must have a static IP address.

Currently Zentyal supports only PSK (preshared key) authentication, which you configure under PSK preshared key.

General IPsec configuration

In the Authentication tab you configure the specific parameters of the tunnel authentication. These parameters determine the behaviour of the IPsec protocol and have to be identical at both ends of the tunnel. To learn more about the meaning of each option, check IPsec-specific documentation.

Authentication configuration phase 1

Authentication configuration phase 2

Configuring an L2TP/IPsec tunnel in Zentyal

To configure an L2TP tunnel the steps are similar, but under VPN ‣ IPsec you choose the type L2TP/IPSEC.

VPN type L2TP/IPSEC

In the general configuration, you can see some differences:

General L2TP/IPsec Configuration

Instead of connecting subnets, as in the default configuration of IPsec, L2TP configures a LAC (L2TP Access Concentrator) with the IP specified in Tunnel IP. The users connected to this LAC will acquire a valid IP in the local network segment where the LAC is registered, thus being able to communicate with any other LAN client.

You can configure a range of dynamic IP addresses, in similar fashion to DHCP ranges, for the incoming L2TP/IPsec VPN clients.

Range of available IPs

L2TP/IPsec has two possible sources of users: a custom Users list or a Group of domain users.

Source of users for L2TP/IPsec

The two possible sources are mutually exclusive. Also, to be able to use the Users group option, you need to have the Domain Controller and Directory Services module installed and configured. If you choose the Manual list of users option, you can optionally assign a static IP to each configured user, while the Samba users group will make use of the IP ranges described above.
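Two of the requirements above are easy to get wrong when filling in the forms by hand: the Authentication parameters must be identical at both ends of a site-to-site tunnel, and the L2TP dynamic range and any static per-user IPs must fit inside the LAC's LAN segment without colliding. The following added example (not Zentyal's own code; the field names and the sample values are assumptions) checks both conditions before the tunnels are brought up:

```python
import ipaddress

# Constructed sample: the two ends of one site-to-site IPsec tunnel as Zentyal's
# General and Authentication tabs would hold them (field names are assumptions).
SITE_A = {
    "local_ip": "203.0.113.10", "local_subnet": "10.1.0.0/24",
    "remote_ip": "198.51.100.20", "remote_subnet": "10.2.0.0/24", "psk": "example-psk",
    "phase1": {"encryption": "aes256", "hash": "sha256", "dh_group": "modp2048", "lifetime": 3600},
    "phase2": {"encryption": "aes256", "hash": "sha256", "pfs_group": "modp2048", "lifetime": 1800},
}
SITE_B = {
    "local_ip": "198.51.100.20", "local_subnet": "10.2.0.0/24",
    "remote_ip": "203.0.113.10", "remote_subnet": "10.1.0.0/24", "psk": "example-psk",
    "phase1": {"encryption": "aes256", "hash": "sha256", "dh_group": "modp2048", "lifetime": 3600},
    "phase2": {"encryption": "aes128", "hash": "sha256", "pfs_group": "modp2048", "lifetime": 1800},
}

def check_tunnel_pair(a, b):
    """Return the mismatches that would keep a site-to-site tunnel from coming up."""
    problems = []
    # Addresses and subnets must mirror each other: A's remote is B's local.
    for local, remote in (("local_ip", "remote_ip"), ("local_subnet", "remote_subnet")):
        if a[local] != b[remote] or a[remote] != b[local]:
            problems.append(f"{local}/{remote} do not mirror each other")
    if a["psk"] != b["psk"]:
        problems.append("preshared keys differ")
    # Phase 1 and phase 2 parameters have to be identical on both ends.
    for phase in ("phase1", "phase2"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            if a[phase].get(key) != b[phase].get(key):
                problems.append(f"{phase} {key}: {a[phase].get(key)!r} vs {b[phase].get(key)!r}")
    return problems

def check_l2tp_range(tunnel_ip, lan, first, last, static_ips=()):
    """The dynamic client range must lie inside the LAC's LAN segment, and static
    per-user IPs must not collide with that range or with the tunnel IP."""
    net = ipaddress.ip_network(lan)
    lo, hi, lac = (ipaddress.ip_address(x) for x in (first, last, tunnel_ip))
    problems = []
    if lac not in net or lo not in net or hi not in net or lo > hi:
        problems.append("tunnel IP or dynamic range outside the LAN segment")
    elif lo <= lac <= hi:
        problems.append("dynamic range contains the tunnel IP")
    for ip in static_ips:
        addr = ipaddress.ip_address(ip)
        if lo <= addr <= hi or addr == lac:
            problems.append(f"static IP {ip} collides with the range or tunnel IP")
    return problems
```

Running `check_tunnel_pair(SITE_A, SITE_B)` on the sample reports the phase 2 encryption mismatch, which is exactly the kind of difference that leaves phase 1 succeeding while the tunnel never carries traffic.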