Using an ER-X as a VPN server for remote access. I've got L2TP/IPsec set up and working, but I'm trying to figure out how to change the encryption/hash defaults. I see how to do it for site-to-site configurations, but I see no way to use the esp and ike groups I've created with remote access.
/* EdgeOS config dump as posted; "<removed>" and "PASS" are the poster's redaction placeholders, not literal values. */
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        /* Only these two sources are allowed through the port-443 DNAT in service nat rule 1. */
        address-group DNAT-TCP-vpn-server {
            address 10.0.0.22
            address 10.0.0.23
            description "DNAT-TCP-vpn-server (OpenVPN)"
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 10.0.0.9/24
        duplex auto
        speed auto
    }
    ethernet eth1 {
        duplex auto
        speed auto
    }
    ethernet eth2 {
        duplex auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    /* UDP OpenVPN instance. Client authentication is PAM username/password only: --client-cert-not-required means no client certificate is checked; --tls-auth still gates the handshake with the shared ta.key. */
    openvpn vtun0 {
        encryption aes256
        hash sha256
        local-host 10.0.0.9
        local-port 1194
        mode server
        openvpn-option "--push redirect-gateway def1"
        openvpn-option "--push dhcp-option DNS 10.0.0.254"
        /* Tunnel compression is enabled; compression over an encrypted channel carries a compression-oracle risk, so consider dropping it unless it is needed. */
        openvpn-option --comp-lzo
        openvpn-option "--dev tun"
        openvpn-option "--max-clients 5"
        openvpn-option --persist-tun
        openvpn-option --persist-key
        openvpn-option "--verb 3"
        openvpn-option "--keepalive 10 60"
        /* --reneg-sec 0 turns off periodic TLS key renegotiation for the life of the session. */
        openvpn-option "--reneg-sec 0"
        openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so login"
        openvpn-option --client-cert-not-required
        openvpn-option "--user nobody"
        openvpn-option "--group nogroup"
        openvpn-option "--tls-auth /config/auth/keys/ta.key 0"
        protocol udp
        server {
            subnet 10.71.87.0/24
        }
        tls {
            ca-cert-file /config/auth/keys/ca.crt
            cert-file /config/auth/keys/server.crt
            dh-file /config/auth/keys/dh3072.pem
            key-file /config/auth/keys/server.key
        }
    }
    /* TCP OpenVPN instance on 8443; reached via the port-443 DNAT below. Same options and authentication model as vtun0. */
    openvpn vtun1 {
        encryption aes256
        hash sha256
        local-host 10.0.0.9
        local-port 8443
        mode server
        openvpn-option "--push redirect-gateway def1"
        openvpn-option "--push dhcp-option DNS 10.0.0.254"
        openvpn-option --comp-lzo
        openvpn-option "--dev tun"
        openvpn-option "--max-clients 5"
        openvpn-option --persist-tun
        openvpn-option --persist-key
        openvpn-option "--verb 3"
        openvpn-option "--keepalive 10 60"
        openvpn-option "--reneg-sec 0"
        openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so login"
        openvpn-option --client-cert-not-required
        openvpn-option "--user nobody"
        openvpn-option "--group nogroup"
        openvpn-option "--tls-auth /config/auth/keys/ta.key 0"
        protocol tcp-passive
        server {
            subnet 10.87.77.0/24
        }
        tls {
            ca-cert-file /config/auth/keys/ca.crt
            cert-file /config/auth/keys/server.crt
            dh-file /config/auth/keys/dh3072.pem
            key-file /config/auth/keys/server.key
        }
    }
    switch switch0 {
        mtu 1500
    }
}
service {
    /* The web GUI also listens on 443; only traffic from the address-group is redirected to OpenVPN by nat rule 1, other sources on 443 presumably still reach the GUI. */
    gui {
        https-port 443
    }
    nat {
        /* DNAT 443 -> 8443 on eth0, restricted to the DNAT-TCP-vpn-server sources. */
        rule 1 {
            description "DNAT TCP vpn-server (OpenVPN)"
            destination {
                port 443
            }
            inbound-interface eth0
            inside-address {
                address 10.0.0.9
                port 8443
            }
            log disable
            protocol tcp
            source {
                group {
                    address-group DNAT-TCP-vpn-server
                }
            }
            type destination
        }
        rule 5000 {
            description "UDP OpenVPN subnet to every where"
            log disable
            outbound-interface eth0
            protocol ip
            source {
                address 10.71.87.0/24
            }
            type masquerade
        }
        rule 5001 {
            description "TCP OpenVPN subnet to every where"
            log disable
            outbound-interface eth0
            protocol ip
            source {
                address 10.87.77.0/24
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    gateway-address 10.0.0.254
    host-name vpn-server
    login {
        user MYNAME {
            authentication {
                encrypted-password <removed>
                plaintext-password ""
            }
            level admin
        }
    }
    name-server 10.0.0.254
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Los_Angeles
}
vpn {
    ipsec {
        auto-firewall-nat-exclude disable
        /* NOTE(review): esp-group and ike-group "remote_access" are defined but nothing in this config references them; the l2tp remote-access ipsec-settings block below carries only authentication and ike-lifetime, so the L2TP/IPsec peer appears to run on platform defaults rather than these proposals. Both proposals here also use hash sha1 (and the ike-group is pinned to key-exchange ikev1); prefer sha256 where the remote clients support it. */
        esp-group remote_access {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ike-group remote_access {
            ikev2-reauth no
            key-exchange ikev1
            /* 28800 here vs. ike-lifetime 3600 in the l2tp ipsec-settings block: a further sign the two are not linked. */
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes256
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 10.0.0.0/24 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            /* Local user database; the same placeholder "PASS" is used for the user password and the IPsec pre-shared secret below. */
            authentication {
                local-users {
                    username MYNAME {
                        password PASS
                    }
                }
                mode local
            }
            client-ip-pool {
                start 10.0.0.61
                stop 10.0.0.65
            }
            dns-servers {
                server-1 10.0.0.254
            }
            /* No esp-group/ike-group selector appears here; only the PSK and the IKE lifetime are set. */
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret PASS
                }
                ike-lifetime 3600
            }
            outside-address 10.0.0.9
            outside-nexthop 10.0.0.254
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.8.0.4853089.160219.1607 */
Thanks,
->g.