I need a secure (encrypted) connection from my mobile device. How do I configure a TransPort router as a L2TP/IPsec VPN responder for Apple devices such as the iPhone; iPad or Android devices such as smart phones; or tablets?
TransPort routers can be configured as a VPN server for mobile devices (Apple iOS & Android), using IPsec to create a secure connection to your router. This article will detail the steps needed to configure a L2TP/IPsec VPN using Pre-Shared keys.
TransPort firmware version 5157 or newer is recommended. A change has been made in this firmware version to ensure L2TP sockets are closed and immediately returned to the 'Listening' state as soon as the VPN is disconnected, previous firmware versions have to wait until the L2TP socket inactivity timer expires.
This solution assumes that the TransPort router has a static and public IP address configured on its WAN interface, for the purposes of this article, we'll assume PPP 1 is the WAN interface and has already been configured for internet access.
The commands listed should be entered via the CLI (telnet, serial connection, or 'Execute a command' in the web GUI)
Step 1:
Enable IPsec on the PPP1 interface
ppp 1 ipsec 1
Step 2:
Phase 1 of the VPN set up, IKE, is set by default to allow all combinations of authentication and encryption algorithm proposals. Only a couple of extra settings need to be configured.
Configure the VPN Phase 1, IKE, so that all relevant SAs are removed when a VPN is disconnected.
ike 0 delmode 1
ike 0 invspidel ON
Step 3:
Phase 2 of the VPN setup is specific to either Apple iOS or Android devices.
If you are configuring a VPN for Apple devices only, then just complete Step 3a and move on to Step 4.
If you are configuring a VPN for Android devices only, then just complete Step 3b and move on to Step 4.
If you are configuring VPNs for both Apple and Android devices, complete both Step 3a & Step 3b then continue with Step 4.
Step 3a:
Configure the VPN Phase 2, IPsec
eroute 0 descr "iPad L2TP IPsec VPN"
eroute 0 peerid "*"
eroute 0 locipifent "PPP"
eroute 0 locipifadd 1
eroute 0 mode "Transport"
eroute 0 ESPauth "SHA1"
eroute 0 ESPenc "AES"
eroute 0 proto "UDP"
eroute 0 locport 1701
eroute 0 ltime 3600
eroute 0 authmeth "PRESHARED"
eroute 0 enckeybits 256
Step 3b:
Configure the VPN Phase 2, IPsec
eroute 1 descr "Android L2TP IPsec VPN"
eroute 1 peerid "*"
eroute 1 locipifent "PPP"
eroute 1 locipifadd 1
eroute 1 mode "Transport"
eroute 1 ESPauth "SHA1"
eroute 1 ESPenc "3DES"
eroute 1 proto "UDP"
eroute 1 locport 1701
eroute 1 ltime 28800
eroute 1 authmeth "PRESHARED"
eroute 1 enckeybits 256
Step 4:
Configure the VPN users:
user 2 name "vpn-user1"
user 2 password "password1"
user 2 access 4
user 3 name "vpn-user2"
user 3 password "password2"
user 3 access 4
user 4 name "vpn-user3"
user 4 password "password3"
user 4 access 4
user 5 name "vpn-user4"
user 5 password "password4"
user 5 access 4
Step 5:
Configure the IPsec Pre-Shared Key, this is common for ALL VPN users.
user 10 name "*"
user 10 password "my-secure-psk"
user 10 access 4
user 10 dun_en off
Step 6:
Configure enough L2TP instances for the total number of required VPNs, we'll use 4 for the number of VPN users configured in Step 4.
l2tp 0 listen ON
l2tp 0 swap_io ON
l2tp 0 rnd_srcport ON
l2tp 1 listen ON
l2tp 1 swap_io ON
l2tp 1 rnd_srcport ON
l2tp 2 listen ON
l2tp 2 swap_io ON
l2tp 2 rnd_srcport ON
l2tp 3 listen ON
l2tp 3 swap_io ON
l2tp 3 rnd_srcport ON
Step 7:
Configure enough PPP instances that will be linked with the L2TP instances configured in step 6.
This is quickest and easiest via the routers web GUI.
In the router web GUI, browse to
Configuration - Network > Interfaces > Advanced > PPP 0 - 9 > PPP 5
Click the button labelled 'Load answering defaults'. DO NOT CLICK 'APPLY'.
Repeat Step 7 for PPP 6, PPP 7 & PPP 8.
Step 8:
Create a link between the PPP interfaces configured in step 7 with the L2TP instances configured in Step 6.
This is quickest and easiest via the routers CLI.
PPP 5 will be linked to L2TP 0, PPP 6 to L2TP 1, PPP 7 to L2TP 2, PPP 8 to L2TP 3
ppp 5 l1iface "L2TP"
ppp 5 l1nb 0
ppp 6 l1iface "L2TP"
ppp 6 l1nb 1
ppp 7 l1iface "L2TP"
ppp 7 l1nb 2
ppp 8 l1iface "L2TP"
ppp 8 l1nb 3
Step 9:
Save the configuration.
config 0 save
The TransPort router configuration is now complete.
The next step is to configure the iPad or Android device to connect to the TransPort using an L2TP / IPsec VPN.
iPad & iPhone settings
Step 10:
On the iPad, browse to Settings > VPN
Press 'Add VPN Configuration'
Step 11:
Choose L2TP, which is actually L2TP/IPsec but just named L2TP. The option for IPsec is a Cisco VPN client and is not required.
Step 12:
Enter the following information:
Description = TransPort L2TP IPsec VPN
Server = <WAN IP ADDRESS OF ROUTER>
Account = vpn-user1
RSA SecurID = OFF
Password = password1
Secret = my-secure-psk
Send All Traffic = ON
Proxy = OFF
Note:
The 'Server' is the TransPort routers IP public IP address.
The 'Account' is a user name configured in Step 4.
The 'Password' is the corresponding password for the user configured in Step 4.
The 'Secret' is the Pre-Shared Key (password) configured in Step 5.
Step 13:
Press 'Save' in the top right corner.
Step 14:
You will now see the newly created VPN connection listed. If there is more than 1 VPN connection shown on this screen, press on the new VPN named 'TransPort L2TP IPsec VPN' so a tick appears to the left of the name.
Move the 'VPN' slider over to the right from 'OFF' to 'ON' and the iPad will now try and connect.
When connected, the iPad will show 'Connected' with a timer showing the amount of time the VPN has been connected for.
Android device settings
Step 15:
On the Android device, browse to Settings > Wireless and network > VPN settings
Press 'Add VPN'
Step 16:
Choose 'Add L2TP/IPSec PSK VPN'.
Step 17:
Enter the following information:
VPN name = TransPort L2TP IPsec VPN
Set VPN server = <WAN IP ADDRESS OF ROUTER>
Set IPsec pre-shared key = my-secure-psk
Enable L2TP secret = disabled
DNS search domains = not set
Note:
The 'VPN server' is the TransPort routers IP public IP address.
The 'IPsec pre-shared key' is the Pre-Shared Key (password) configured in Step 5.
The VPN username & password will be requested when initiating the VPN.
Step 18:
Save the configuration, method used is specific to device.
Step 19:
You will now see the newly created VPN connection listed. If there is more than 1 VPN connection shown on this screen, press on the new VPN named 'TransPort L2TP IPsec VPN'.
A username and password will be requested.
Username = vpn-user2
Password = password2
Press 'Connect' and the Android device will now try and connect.
When connected, the Android device will show 'Connected' with a key symbol in the top status bar.
This is a brief configuration guide, an Application Note will be available soon.
--------
iPad VPN proposal information:
Phase 1 proposal = AES256, SHA1, DH group 2, Lifetime 3600 seconds
Authentication method = Pre-Shared Keys
ID Type used = IPv4 address
Phase 2 proposal = ESP, AES256, SHA1, Lifetime 3600 seconds, Mode: UDP transport, Local UDP port: Variable, Remote UDP port: 1701
Android (Froyo) VPN proposal information:
Phase 1 proposal = 3DES, SHA1, DH group 2, Lifetime 28800 seconds
Authentication method = Pre-Shared Keys
ID Type used = IPv4 address
Phase 2 proposal = ESP, AES256, SHA1, Lifetime 28800 seconds, Mode: UDP transport, Local UDP port: Variable, Remote UDP port: 1701
BG 3/10/14
Last updated:
Sep 20, 2024