VPN for routers and monitoring of different networks.

aroldobossoni
Posts: 4
Joined: Wed Oct 09, 2024 9:24 pm

VPN for routers and monitoring of different networks.

Post by aroldobossoni » Wed Oct 09, 2024 10:40 pm

We need a server with a VPN to monitor several devices on several different networks. I intend to make the routers of these networks connect to the VPN via PPTP, SSTP, L2TP protocols.
We cannot use the VPN as a gateway for client networks.
A client network cannot have access to another client network.
We cannot connect to the VPN via L2TP without IPsec Pre-Shared Key; most routers do not have this option.
We also did not find a diagram in the documentation that would illustrate our scenario.

This image illustrates only one client network as an example. Instead of Laptop, it should be Printers.

1. How can I allow L2TP connections without IPsec Pre-Shared Key?
2. How can I configure the VPN so that the Server can access all client networks without allowing access between them?

solo
Posts: 1505
Joined: Sun Feb 14, 2021 10:31 am

Re: VPN for routers and monitoring of different networks.

Post by solo » Thu Oct 10, 2024 1:52 am

aroldobossoni wrote:
Wed Oct 09, 2024 10:40 pm
How can I allow L2TP connections without IPsec Pre-Shared Key?
How can I configure the VPN so that the Server can access all client networks without allowing access between them?
1. select option: "L2TP Server Function (Raw L2TP with No Encryption)"
2. the server's setup:
- vHUBs corresponding to the client networks (do not enable SecureNAT)
- install SE client (for connecting to "localhost")
- with the SE client connect to the networks on vNICs with static IPs.
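The server-side layout solo describes, written out as a script that prints the vpncmd, sysctl and ip commands for N client networks so they can be reviewed before anything runs. This is an added example, not code from the thread or from the SoftEther project; the hub and user names, the 172.16.N.1/24 vNIC addresses, the SE_ADMIN_PW variable and the CHANGE-ME passwords are assumptions, and the "router@client1" login form is how an L2TP client picks its Virtual Hub.

```shell
#!/bin/sh
# gen_setup N prints the commands for solo's layout: one Virtual Hub per
# client network, raw L2TP (no IPsec) enabled, SecureNAT left disabled, and
# the SoftEther client on the same host attaching one vNIC per hub.
# Assumptions (not from the thread): admin password in SE_ADMIN_PW, hub and
# user names, 172.16.N.1/24 vNIC addresses and the CHANGE-ME passwords.
SE_ADMIN_PW="${SE_ADMIN_PW:-CHANGE-ME-admin}"
VPNCMD="vpncmd localhost /SERVER /PASSWORD:$SE_ADMIN_PW"
VPNCLI="vpncmd localhost /CLIENT"

gen_setup() {
  n="$1"
  # Raw L2TP only; the PSK is a placeholder because /L2TP (over IPsec) is off.
  echo "$VPNCMD /CMD IPsecEnable /L2TP:no /L2TPRAW:yes /ETHERIP:no /PSK:unused /DEFAULTHUB:client1"
  # The server host must never route between the per-hub vNICs.
  echo "sysctl -w net.ipv4.ip_forward=0"
  i=1
  while [ "$i" -le "$n" ]; do
    hub="client$i"
    echo "$VPNCMD /CMD HubCreate $hub /PASSWORD:$SE_ADMIN_PW"
    echo "$VPNCMD /ADMINHUB:$hub /CMD SecureNatDisable"
    # The router logs in as router@client$i so its L2TP session lands in this hub only.
    echo "$VPNCMD /ADMINHUB:$hub /CMD UserCreate router /GROUP:none /REALNAME:none /NOTE:none"
    echo "$VPNCMD /ADMINHUB:$hub /CMD UserPasswordSet router /PASSWORD:CHANGE-ME-router$i"
    echo "$VPNCMD /ADMINHUB:$hub /CMD UserCreate monitor /GROUP:none /REALNAME:none /NOTE:none"
    echo "$VPNCMD /ADMINHUB:$hub /CMD UserPasswordSet monitor /PASSWORD:CHANGE-ME-monitor$i"
    # Local SE client: one vNIC per hub with a static address, no DHCP involved.
    echo "$VPNCLI /CMD NicCreate $hub"
    echo "$VPNCLI /CMD AccountCreate $hub /SERVER:localhost:443 /HUB:$hub /USERNAME:monitor /NICNAME:$hub"
    echo "$VPNCLI /CMD AccountPasswordSet $hub /PASSWORD:CHANGE-ME-monitor$i /TYPE:standard"
    echo "$VPNCLI /CMD AccountStartupSet $hub"
    echo "$VPNCLI /CMD AccountConnect $hub"
    echo "ip addr add 172.16.$i.1/24 dev vpn_$hub"
    i=$((i + 1))
  done
}

# count_hubs N: quick self-check that the plan creates exactly N hubs.
count_hubs() { gen_setup "$1" | grep -c 'HubCreate'; }

gen_setup 2
```

Run the printed commands as root on the server host only after replacing every CHANGE-ME value; each Virtual Hub stays isolated as long as ip_forward stays off and no bridge joins two vNICs.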

aroldobossoni
Posts: 4
Joined: Wed Oct 09, 2024 9:24 pm

Re: VPN for routers and monitoring of different networks.

Post by aroldobossoni » Thu Oct 10, 2024 4:35 pm

Thank you very much for your help solo!

1. "L2TP Server Function (Raw L2TP with No Encryption)" has always been enabled.

When trying to connect, the following log lines appear in the server_log/vpn_20241010.log file:
IPsec Client 9 (168.xxx.217.xxx:500 -> 192.168.3.2:500): A new IPsec client is created.
IPsec Client 9 (168.xxx.217.xxx:500 -> 192.168.3.2:500): There are no acceptable transform proposals from the client for establishing an IKE SA.

In Windows the following error message appears:
"A network connection between the computer and the VPN server was started, but it was not possible to complete it. This is usually caused by the use of an incorrect or expired certificate for customer and server authentication. Contact the administrator to verify that the certificate used in authentication is valid."

I am using a valid Let's Encrypt certificate that works for accessing Admin over HTTPS in the browser, and SSTP also works correctly with this certificate.

aroldobossoni
Posts: 4
Joined: Wed Oct 09, 2024 9:24 pm

Re: VPN for routers and monitoring of different networks.

Post by aroldobossoni » Thu Oct 10, 2024 5:31 pm

solo wrote:
Thu Oct 10, 2024 1:52 am
aroldobossoni wrote:
Wed Oct 09, 2024 10:40 pm
How can I allow L2TP connections without IPsec Pre-Shared Key?
How can I configure the VPN so that the Server can access all client networks without allowing access between them?
1. select option: "L2TP Server Function (Raw L2TP with No Encryption)"
2. the server's setup:
- vHUBs corresponding to the client networks (do not enable SecureNAT)
- install SE client (for connecting to "localhost")
- with the SE client connect to the networks on vNICs with static IPs.

2. Can I use the Virtual DHCP function (as illustrated in the image) or in this case is it recommended to install a DHCP server directly on the server?


solo
Posts: 1505
Joined: Sun Feb 14, 2021 10:31 am

Re: VPN for routers and monitoring of different networks.

Post by solo » Fri Oct 11, 2024 5:49 am

aroldobossoni wrote:
Wed Oct 09, 2024 10:40 pm
How can I allow L2TP connections without IPsec Pre-Shared Key?
...
IPsec Client 9 (168.xxx.217.xxx:500 -> 192.168.3.2:500): There are no acceptable transform proposals from the client for establishing an IKE SA.
So you insist on "without IPsec", but why is your client initiating IPsec?

Look, here is a SE log of my DD-WRT router connecting via L2TP and without IPsec...


2024-10-11 16:10:54.479 The connection "CID-3-657B09DAD9" (IP address: 192.168.11.1, Host name: 192.168.11.1, Port number: 1701, Client name: "L2TP VPN Client - xelerance.com", Version: 4.42, Build: 9798) is attempting to connect to the Virtual Hub. The auth type provided is "External server authentication" and the user name is "vpn".
2024-10-11 16:10:54.479 Connection "CID-3-657B09DAD9": Successfully authenticated as user "vpn".
2024-10-11 16:10:54.479 Connection "CID-3-657B09DAD9": The new session "SID-VPN-[L2TP]-1" has been created. (IP address: 192.168.11.1, Port number: 1701, Physical underlying protocol: "Legacy VPN - L2TP")
2024-10-11 16:10:54.479 Session "SID-VPN-[L2TP]-1": The parameter has been set. Max number of TCP connections: 1, Use of encryption: No, Use of compression: No, Use of Half duplex communication: No, Timeout: 20 seconds.
2024-10-11 16:10:54.479 Session "SID-VPN-[L2TP]-1": VPN Client details: (Client product name: "L2TP VPN Client - xelerance.com", Client version: 442, Client build number: 9798, Server product name: "SoftEther VPN Server (64 bit)", Server version: 442, Server build number: 9798, Client OS name: "L2TP VPN Client - xelerance.com", Client OS version: "-", Client product ID: "-", Client host name: "DD-WRT", Client IP address: "192.168.11.1", Client port number: 1701, Server host name: "192.168.11.2", Server IP address: "192.168.11.2", Server port number: 1701, Proxy host name: "", Proxy IP address: "0.0.0.0", Proxy port number: 0, Virtual Hub name: "VPN", Client unique ID: "7B545CEF358C02E0409DC3FAE7B6DC80")
It works for me.

"Can I use the Virtual DHCP function (as illustrated in the image) or in this case is it recommended to install a DHCP server directly on the server?"

No and no.
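A small triage helper for the two kinds of server_log lines quoted in this thread: the IKE failure from aroldobossoni's post, which means the router is still talking L2TP/IPsec rather than raw L2TP, and the raw-L2TP session from solo's DD-WRT log. This is an added example, not from the thread or the SoftEther project; the sample log is constructed with placeholder (TEST-NET) addresses and made-up session ids.

```shell
#!/bin/sh
# Triage of SoftEther server_log lines for the raw-L2TP (no IPsec) setup.
# Constructed sample log: line shapes follow the posts above, addresses are
# documentation placeholders and the connection/session ids are invented.
SAMPLE_LOG='2024-10-10 17:02:11.100 IPsec Client 9 (203.0.113.7:500 -> 192.168.3.2:500): A new IPsec client is created.
2024-10-10 17:02:11.101 IPsec Client 9 (203.0.113.7:500 -> 192.168.3.2:500): There are no acceptable transform proposals from the client for establishing an IKE SA.
2024-10-11 16:10:54.479 Connection "CID-1-EXAMPLE": The new session "SID-VPN-[L2TP]-1" has been created. (IP address: 192.168.11.1, Port number: 1701, Physical underlying protocol: "Legacy VPN - L2TP")
2024-10-11 16:10:54.479 Session "SID-VPN-[L2TP]-1": The parameter has been set. Max number of TCP connections: 1, Use of encryption: No, Use of compression: No, Use of Half duplex communication: No, Timeout: 20 seconds.'

# triage_summary: read a log on stdin and print one summary line.
#   ike_failures = peers that started IKE (an L2TP/IPsec client profile) against
#                  a server offering raw L2TP; the fix is on the router side
#   raw_l2tp     = sessions that arrived over plain L2TP (port 1701)
#   unencrypted  = sessions whose parameters show "Use of encryption: No";
#                  with raw L2TP the monitoring traffic crosses the path in clear
triage_summary() {
  awk '
    /no acceptable transform proposals/ { ike++; next }
    /Physical underlying protocol: "Legacy VPN - L2TP"/ { l2tp++; next }
    /Use of encryption: No/ { plain++ }
    END { printf "ike_failures=%d raw_l2tp=%d unencrypted=%d\n", ike, l2tp, plain }'
}

# ike_peers: read a log on stdin and print each peer address that failed IKE,
# once per address, so the misconfigured routers can be identified.
ike_peers() {
  awk '
    /no acceptable transform proposals/ && match($0, /\([0-9.]+:/) {
      ip = substr($0, RSTART + 1, RLENGTH - 2)
      if (!(ip in seen)) { seen[ip] = 1; print ip }
    }'
}

printf '%s\n' "$SAMPLE_LOG" | triage_summary
printf '%s\n' "$SAMPLE_LOG" | ike_peers
```

On a live server feed the real file instead of the sample, e.g. `triage_summary < server_log/vpn_20241010.log`.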

aroldobossoni
Posts: 4
Joined: Wed Oct 09, 2024 9:24 pm

Re: VPN for routers and monitoring of different networks.

Post by aroldobossoni » Fri Oct 18, 2024 10:41 pm

I was able to solve the VPN connectivity issue, thank you very much.

I made a more detailed diagram to better explain the logical topology of the network: https://i.imgur.com/deLRwch.png

Where the network 172.16.0.0/16 is the internal subnet of VPN and 192.168.0.0/24 are the internal subnets of the devices to be accessed.

OpenWrt routers will connect to the VPN server.
The VPN server needs to scan all devices on the 192.168.0.0/24 networks and connect to those that have the SNMP port open.

Limitations:
Not to change addresses 192.168.0.x.
Not to change the configuration or exchange generic routers.
There can be no communication between the 192.168.0.0/24 subnets.


I thought of doing 1:1 NAT within the OpenWrt routers.
I wonder if 1:1 NAT is the best option, or if anyone can suggest a better alternative?

solo
Posts: 1505
Joined: Sun Feb 14, 2021 10:31 am

Re: VPN for routers and monitoring of different networks.

Post by solo » Fri Oct 18, 2024 11:51 pm

aroldobossoni wrote:
Fri Oct 18, 2024 10:41 pm
I thought of doing 1:1 NAT within the OpenWrt routers.
Are you moving the goalpost maybe? If your initial objectives still stand, then implement "the server's setup" exactly as advised.
