VPN Service with IPsec and L2TP/IPsec
Zentyal integrates Libreswan [3] as its IPsec and L2TP/IPsec solution. This service uses UDP ports 500, 1701 and 4500 together with the ESP protocol, so all four must be allowed by any firewall between the two tunnel ends.
[3] Libreswan: http://libreswan.org/
Configuring an IPsec tunnel in Zentyal
Before starting with the configuration, note that this module is only available in the Commercial Editions.
To configure IPsec in Zentyal, go to the IPsec section of the administration interface. Here you can define all the tunnels and IPsec connections you need. You can enable or disable each one of them and add an explanatory note.
In Configuration, under the General tab, you define the Zentyal IP address that will be used in each connection to reach the external subnet, the local subnet behind Zentyal that will be reachable through the VPN tunnel, the remote IP address you will connect to at the other end of the tunnel, and the subnet accessible at that other end. If you want to configure a tunnel between two subnets using IPsec, both ends must have a static IP address.
Currently Zentyal supports only PSK (pre-shared key) authentication, which you configure under PSK preshared key.
In the Authentication tab you configure the specific parameters of the tunnel authentication. These parameters determine the behaviour of the IPsec protocol and have to be identical at both ends of the tunnel. To learn more about the meaning of each option, check IPsec-specific documentation.
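The following block is an added example, not the configuration Zentyal generates: it shows how the fields of the General and Authentication tabs map onto a hand-written Libreswan site-to-site connection with PSK authentication. All addresses, subnets, the connection name and the key are constructed sample values; the proposal strings are one reasonable choice, not values taken from the page.

```ini
# Added example (not Zentyal's generated files): Libreswan definition of a
# subnet-to-subnet IPsec tunnel authenticated with a pre-shared key.
# Every address, subnet and secret below is a constructed sample value.

# --- /etc/ipsec.conf (or a file included from it) -------------------------
conn site-to-site
    # General tab: "Zentyal IP address" used for this connection
    left=203.0.113.10
    # General tab: local subnet behind Zentyal reachable through the tunnel
    leftsubnet=192.168.10.0/24
    # General tab: remote IP address at the other end (must be static)
    right=198.51.100.20
    # General tab: subnet accessible at the other end of the tunnel
    rightsubnet=192.168.20.0/24
    # Subnet-to-subnet traffic is encapsulated whole (tunnel mode)
    type=tunnel
    # Authentication tab: PSK is the only method Zentyal offers
    authby=secret
    # Authentication tab: IKE (phase 1) and ESP (phase 2) proposals.
    # These must be identical on both gateways or negotiation fails.
    ike=aes256-sha2_256;modp2048
    esp=aes256-sha2_256
    pfs=yes
    ikelifetime=8h
    salifetime=1h
    # Dead peer detection so a rebooted remote gateway is re-established
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    # Bring the tunnel up when the service starts
    auto=start

# --- /etc/ipsec.secrets -----------------------------------------------------
# "<local IP> <remote IP> : PSK <secret>"; the same secret is configured
# under "PSK preshared key" on the other gateway. Use a long random string.
203.0.113.10 198.51.100.20 : PSK "constructed-sample-key-replace-me"
```

The two lines to get right first are `ike=` and `esp=`: a mismatch in cipher, hash or DH group on either end is the most common reason a tunnel defined in the General tab never comes up. On the remote gateway the same `conn` is used with `left`/`right` (and their subnets) swapped.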
Configuring an L2TP/IPsec tunnel in Zentyal
To configure an L2TP-type tunnel the steps are similar, but you will choose the type L2TP/IPSEC. In the general configuration, you can see some differences:
Instead of connecting subnets, as in the default configuration of IPsec, L2TP configures a LAC (L2TP Access Concentrator) with the IP specified in Tunnel IP. The users connected to this LAC will acquire a valid IP in the local network segment where the LAC is registered, thus being able to communicate with any other LAN client.
You can configure a range of dynamic IP addresses, in similar fashion to DHCP ranges, for the incoming L2TP/IPsec VPN clients.
L2TP/IPsec has two possible sources of users, a custom Users list or a Group of domain users.
The two possible sources are mutually exclusive. Also, to be able to use the Users group option, you need to have the Domain Controller and Directory Services module installed and configured. If you choose the Manual list of users option, you can optionally assign a static IP to each configured user, while the Samba users group will make use of the IP ranges described above.
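As an added example of the L2TP/IPsec layout described above (not Zentyal's own generated configuration), the block below pairs a Libreswan transport-mode connection that protects UDP 1701 with an L2TP daemon configuration. It assumes xl2tpd as the L2TP daemon and PPP's chap-secrets for the manual user list; the page only names Libreswan, so that pairing is an assumption. The Tunnel IP, dynamic range, user names, passwords and static address are constructed sample values.

```ini
# Added example (assumes Libreswan + xl2tpd; not Zentyal's generated files).
# All addresses, names and secrets below are constructed sample values.

# --- /etc/ipsec.conf ---------------------------------------------------------
conn l2tp-psk
    # L2TP rides inside IPsec in transport mode: only UDP/1701 is protected
    type=transport
    # PSK authentication, as in the IPsec case
    authby=secret
    # Zentyal's public address on which clients connect
    left=203.0.113.10
    leftprotoport=17/1701
    # Road-warrior clients: any source address, any source port
    right=%any
    rightprotoport=17/%any
    # Clients behind NAT switch to UDP/4500 automatically (NAT-T)
    auto=add
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

# --- /etc/ipsec.secrets -------------------------------------------------------
# One shared secret for all clients; distribute it out of band
203.0.113.10 %any : PSK "constructed-sample-key-replace-me"

# --- /etc/xl2tpd/xl2tpd.conf --------------------------------------------------
[global]
port = 1701

[lns default]
# "Tunnel IP" of the LAC: an address in the local LAN segment
local ip = 192.168.10.1
# Dynamic range handed to connecting clients, like a DHCP range
ip range = 192.168.10.200-192.168.10.220
# Accept CHAP only; never let a client fall back to clear-text PAP
require chap = yes
refuse pap = yes
require authentication = yes
name = zentyal-l2tp
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

# --- /etc/ppp/chap-secrets ----------------------------------------------------
# client   server   secret                   IP address
# Manual user list: a fixed address in the last column gives that user a
# static IP; "*" means take one from the "ip range" above.
alice      *        "alice-sample-password"   192.168.10.150
bob        *        "bob-sample-password"     *
```

Because the addresses come from the LAN segment itself, adding `proxyarp` to `/etc/ppp/options.xl2tpd` lets the other LAN clients reach the connected users, which is the behaviour the LAC description above expects. Keep the static addresses in chap-secrets outside the dynamic `ip range` so a user's fixed IP can never collide with one handed out dynamically.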