L2TP/IPsec VPN server

Keenetic routers allow you to connect to a VPN server over the L2TP over IPsec protocol (L2TP/IPsec) to access home network resources.
In such a tunnel you do not need to worry about the confidentiality of IP telephony or video surveillance streams. L2TP/IPsec provides completely secure access to your home network from a smartphone, tablet or computer with minimal configuration: Android, iOS and Windows have a convenient built-in client for this type of VPN. In addition, many Keenetic models offer hardware acceleration of data transfer over L2TP/IPsec.

NOTE: Important! The Keenetic router, where the IPsec VPN server will run, must be connected to the Internet with a global IP address, and when using the KeenDNS domain name, it must be configured in Direct Access mode. If any of these conditions are not met, it will not be possible to connect to such a server from the Internet.

To configure the server, first install the 'L2TP/IPsec VPN server' system component. You can do this on the 'General system settings' page, in the 'Updates and component options' section, by clicking 'Component options'.

Then go to the 'Applications' page. Here you will see the 'L2TP/IPsec VPN server' panel. Click the 'L2TP/IPsec VPN server' link.

In the 'L2TP/IPsec VPN server' window that appears, specify the security key in the 'Shared IPsec key' field. This security key will need to be specified on the client when configuring the VPN connection.

NOTE: Important! This key is also used by the IPsec VPN server (Virtual IP).

The 'Multiple sign-in' parameter controls whether several simultaneous connections to the server can be established using the same credentials. This is not a recommended scenario because it lowers the security level and makes monitoring harder. However, during the initial configuration, or in cases where you want to allow a tunnel to be established from multiple devices of the same user, you can leave the option enabled.

NOTE: Important! If the 'Multiple sign-in' option is disabled, you can assign a static IP address to the L2TP/IPsec client. This can be done on the L2TP/IPsec VPN server configuration page in the 'Users' section.

By default, the 'NAT for clients' option is enabled in the server configuration. This setting allows VPN server clients to access the Internet. The built-in Windows client has the corresponding feature enabled by default, so when a tunnel is established, requests to the Internet are sent through it.

NOTE: Important! If you disable the 'NAT for clients' function on the server but do not reconfigure the default routing policy in the Windows client, Internet access may not work on the computer after the tunnel is established.

In the server settings, in the 'Network access' field, you can also specify a segment other than the Home segment, if necessary. In this case, the network of the specified segment will be available through the tunnel.

The total number of possible simultaneous connections depends on the IP address pool size setting. As with the starting IP address, it is not recommended to change this setting unnecessarily.

NOTE: Important! The specified IP subnet must not match or intersect with the IP addresses of other interfaces of the router, as this may result in an address conflict.
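
One way to check this condition before changing the pool, as an added example that is not part of the original article or of Keenetic's software. The interface names and addresses are constructed sample values, and the pool is assumed to be the contiguous IPv4 range that begins at the starting IP address and contains as many addresses as the pool size.

```python
import ipaddress

MAX_IPV4 = int(ipaddress.IPv4Address("255.255.255.255"))

def pool_range(start, size):
    """Return (first, last) addresses of a pool given its start and size."""
    if size < 1:
        raise ValueError("pool size must be at least 1")
    first = ipaddress.IPv4Address(start)
    last_int = int(first) + size - 1
    if last_int > MAX_IPV4:
        raise ValueError("pool runs past the end of the IPv4 address space")
    return first, ipaddress.IPv4Address(last_int)

def pool_conflicts(start, size, interfaces):
    """Return the names of interfaces whose subnet intersects the client pool.

    interfaces maps a name to the interface address in CIDR form,
    for example {"Home": "192.168.1.1/24"}.
    """
    first, last = pool_range(start, size)
    # A pool is an arbitrary range, so express it as the minimal set of
    # CIDR blocks and compare each block with every interface subnet.
    pool_blocks = list(ipaddress.summarize_address_range(first, last))
    conflicts = []
    for name, cidr in interfaces.items():
        subnet = ipaddress.ip_interface(cidr).network
        if any(block.overlaps(subnet) for block in pool_blocks):
            conflicts.append(name)
    return conflicts

# Constructed sample interfaces (assumed names and addresses).
INTERFACES = {
    "Home": "192.168.1.1/24",
    "Guest": "10.1.30.1/24",
    "ISP": "203.0.113.10/29",
}

if __name__ == "__main__":
    # Constructed candidate pools: (starting IP address, pool size).
    for start, size in [("172.16.2.33", 10), ("192.168.1.200", 20),
                        ("10.1.29.250", 10)]:
        first, last = pool_range(start, size)
        hits = pool_conflicts(start, size, INTERFACES)
        print(f"{first}-{last}: {'conflict with ' + ', '.join(hits) if hits else 'ok'}")
```

The third candidate starts outside the Guest subnet but its last addresses fall inside it, which is why the check compares the whole range rather than only the starting address.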

In the 'Users' section, select the users you want to allow access to the L2TP/IPsec server and the local network. Here you can also add a new user by specifying a username and password.

After configuring the server, set the switch to the 'Enabled' state.

By clicking on the 'Connection statistics' link you can see the connection status and additional information about active sessions.

If you want to give clients access to the local network of the VPN server and also allow access in the opposite direction, i.e. from the network of the VPN server to the remote network of the VPN client, so that data can be exchanged between the two sides of the VPN tunnel, refer to the instruction 'Routing networks through VPN'.

TIP: Note

To connect to the server as a client, you can use:

Keenetic router - 'L2TP/IPsec (L2TP over IPsec) client';

Windows 10 computer and mobile device with iOS - 'Connecting to the built-in L2TP/IPSec VPN server from a device on iOS and Windows';

Windows 7 computer - 'Example of L2TP/IPsec connection in Windows 7'.

 
