Preface
This article will describe how to use OneView to configure an L2TP/IPsec VPN on a OneView-managed router. Using the method described, OneView will restore the settings if the router ever needs to be replaced or factory reset.
To follow this article, you should have OneView, a OneView-managed router, and have WAN access set up properly for the Connect network (see Router Management with OneView™ for more details).
The VPN type is L2TP/IPsec with a pre-shared key.
IMPORTANT:
Text in red represents example values; replace them with your own. All other text should be entered exactly as shown.
Navigate to the menu
Follow the menu sequence:
Config > Advanced Settings > Router > Manual Management
Go to the "Custom Saved Commands" section of the page.
Apply custom commands
1. Add an address pool for the VPN using the "Create new add/other" menu.
/ip/pool/add name=vpn-pool ranges=192.168.200.2-192.168.200.254
2. Add a firewall rule to allow L2TP and IPsec traffic using the "Create new add/other" menu.
/ip/firewall/filter/add action=accept chain=input port=500,1701,4500 protocol=udp
3. Increase the priority of the firewall rule using the "Create new modify" menu.
For Command, use the text below:
/ip/firewall/filter/move destination=5
For Filter, use the text below:
/ip/firewall/filter/print comment=OV_HASH:272b6f23426c9e21252ba9eea93ec66938d793b6b454766a6b3a77d93d6bc5e4
You should not need to modify anything in the above text. However, if for some reason the text after OV_HASH (i.e. 272b6f...) does not match the hash of the added command, you should replace it with the correct hash.
4. Add a firewall rule to allow IPsec ESP traffic using the "Create new add/other" menu.
/ip/firewall/filter/add action=accept chain=input protocol=ipsec-esp
5. Increase the priority of the firewall rule above using the "Create new modify" menu.
For Command, use the text below:
/ip/firewall/filter/move destination=5
You do not need to modify anything in the above text.
For Filter, use the text below:
/ip/firewall/filter/print comment=OV_HASH:828a5e865250bb2b0137f4bad181707ecc8c0ac51a7bbf001e72a3d4d5ed9860
You should not need to modify anything in the above text. However, if for some reason the text after OV_HASH (i.e. 828a5e...) does not match the hash of the added command, you should replace it with the correct hash.
6. Modify the default-encryption ppp profile using the "Create new modify" menu.
For Command, use the text below:
/ppp/profile/set local-address=192.168.200.1 remote-address=vpn-pool
The local-address value (the gateway IP address for the VPN subnet) should be an address in the same subnet as the ranges value from step 1 but outside that range, and the remote-address value should be exactly the same as the name value from step 1.
For Filter, use the text below:
/ppp/profile/print name=default-encryption
7. Enable the L2TP server using the "Create new add/other" menu.
/interface/l2tp-server/server/set default-profile=default-encryption enabled=yes ipsec-secret=useGoodPasswordHere use-ipsec=required
Please note that the ipsec-secret value may also be called the "pre-shared key" when configuring your VPN client; every client must be given this same value.
8. Add a user using the "Create new add/other" menu.
/ppp/secret/add name=usernameGoesHere password=uniqueUserPassGoesHere
The name and password values are the credentials that you will use when configuring your VPN client. You can repeat this command to create additional users as needed.
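Steps 3 and 5 exist because a RouterOS accept rule only helps if it sits above the drop rule on the input chain. The following script, added here as an example rather than something from the OneView article or product, parses a constructed approximation of the router's terse firewall print output and reports whether both VPN accept rules (UDP 500/1701/4500 and ipsec-esp) precede the first input-chain drop:

```python
import re

# Constructed sample approximating `/ip/firewall/filter/print terse` after steps 2-5.
SAMPLE_FILTER_PRINT = """\
 0   chain=input action=accept connection-state=established,related
 1   chain=input action=accept protocol=icmp
 2   chain=input action=accept protocol=udp port=500,1701,4500
 3   chain=input action=accept protocol=ipsec-esp
 4   chain=input action=drop in-interface-list=WAN
 5   chain=forward action=accept connection-state=established,related
"""

KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')
VPN_UDP_PORTS = {"500", "1701", "4500"}


def parse_terse(text):
    """One dict per rule, in print order; the leading number is the rule index."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        idx, _, rest = line.partition(" ")
        rule = {"index": int(idx)}
        for key, value in KV_RE.findall(rest):
            rule[key] = value.strip('"')
        rules.append(rule)
    return rules


def check_vpn_rule_order(text):
    """Find the two VPN accept rules and the first input-chain drop; ok when both accepts come first."""
    rules = [r for r in parse_terse(text) if r.get("chain") == "input"]
    udp = esp = first_drop = None
    for r in rules:
        if r.get("action") == "drop" and first_drop is None:
            first_drop = r["index"]
        if r.get("action") != "accept":
            continue
        if r.get("protocol") == "udp" and VPN_UDP_PORTS <= set(r.get("port", "").split(",")):
            udp = r["index"] if udp is None else udp
        if r.get("protocol") == "ipsec-esp":
            esp = r["index"] if esp is None else esp
    present = udp is not None and esp is not None
    # With no drop rule the order cannot block the VPN; otherwise both accepts must sit above it.
    ok = present and (first_drop is None or (udp < first_drop and esp < first_drop))
    return {"udp": udp, "esp": esp, "first_drop": first_drop, "ok": ok}


if __name__ == "__main__":
    print(check_vpn_rule_order(SAMPLE_FILTER_PRINT))
```

Paste the real print output from the router in place of the constructed sample to check your own ordering; the field names match what the commands in this article set.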
Done
You should now be able to connect to the OneView managed router using a VPN client.