+----------+         +----------+                           +----------+           +----------+
|          |         |          |                           |          |           |          |
|          |eth0 eth1|          |eth0                   eth0|          |eth1   eth0|          |
+localPC-A +---------+ vyatta-A +--------  INTERNET --------+ vyatta-B +-----------+localPC-B +
|          |         |          |                           |          |           |          |
|          |         |          |                           |          |           |          |
+----+-----+         +----+-----+                           +----+-----+           +----+-----+

# set interfaces ethernet eth0 address 10.10.10.246/24
# set interfaces ethernet eth1 address 192.168.10.246/24
# set system gateway-address '10.10.10.1'
# set system host-name 'vyatta-A'

# set interfaces ethernet eth0 address 10.10.20.75/24
# set interfaces ethernet eth1 address 192.168.20.75/24
# set system gateway-address '10.10.20.1'
# set system host-name 'vyatta-A'

# set vpn ipsec esp-group ns-esp mode 'tunnel'
# set vpn ipsec esp-group ns-esp pfs 'enable'
# set vpn ipsec esp-group ns-esp proposal 1 encryption 'aes128'
# set vpn ipsec ike-group ns-ike lifetime '28800'
# set vpn ipsec ike-group ns-ike proposal 1 dh-group '2'
# set vpn ipsec ike-group ns-ike proposal 1 encryption 'aes128'
# set vpn ipsec ike-group ns-ike proposal 1 hash 'sha1'
# set vpn ipsec ipsec-interfaces interface 'eth0'
# set vpn ipsec nat-networks allowed-network '192.168.10.0/24'
# set vpn ipsec nat-traversal 'enable'
# set vpn ipsec site-to-site peer 10.10.20.75 authentication mode 'pre-shared-secret'
# set vpn ipsec site-to-site peer 10.10.20.75 authentication pre-shared-secret 'pre-shared-secret'
# set vpn ipsec site-to-site peer 10.10.20.75 connection-type 'initiate'
# set vpn ipsec site-to-site peer 10.10.20.75 ike-group 'ns-ike'
# set vpn ipsec site-to-site peer 10.10.20.75 local-ip '10.10.10.246'
# set vpn ipsec site-to-site peer 10.10.20.75 tunnel 1 esp-group 'ns-esp'
# set vpn ipsec site-to-site peer 10.10.20.75 tunnel 1 local subnet '192.168.10.0/24'
# set vpn ipsec site-to-site peer 10.10.20.75 tunnel 1 remote subnet '192.168.20.0/24'

※pre-shared-secretは任意のものを設定

vyatta-B側は、インターネットからL2TPで接続できるようにするので

allow-networkは0.0.0.0/0にしておく

# set vpn ipsec esp-group ns-esp mode 'tunnel'
# set vpn ipsec esp-group ns-esp pfs 'enable'
# set vpn ipsec esp-group ns-esp proposal 1 encryption 'aes128'
# set vpn ipsec ike-group ns-ike lifetime '28800'
# set vpn ipsec ike-group ns-ike proposal 1 dh-group '2'
# set vpn ipsec ike-group ns-ike proposal 1 encryption 'aes128'
# set vpn ipsec ike-group ns-ike proposal 1 hash 'sha1'
# set vpn ipsec ipsec-interfaces interface 'eth0'
# set vpn ipsec nat-networks allowed-network '0.0.0.0/0'
# set vpn ipsec nat-traversal 'enable'
# set vpn ipsec site-to-site peer 10.10.20.75 authentication mode 'pre-shared-secret'
# set vpn ipsec site-to-site peer 10.10.20.75 authentication pre-shared-secret 'pre-shared-secret'
# set vpn ipsec site-to-site peer 10.10.20.75 connection-type 'initiate'
# set vpn ipsec site-to-site peer 10.10.20.75 ike-group 'ns-ike'
# set vpn ipsec site-to-site peer 10.10.20.75 local-ip '10.10.20.75'
# set vpn ipsec site-to-site peer 10.10.20.75 tunnel 1 esp-group 'ns-esp'
# set vpn ipsec site-to-site peer 10.10.20.75 tunnel 1 local subnet '192.168.20.0/24'
# set vpn ipsec site-to-site peer 10.10.20.75 tunnel 1 remote subnet '192.168.10.0/24'

※pre-shared-secretは任意のものを設定

下記のNat設定を追加して、LocalPC-A - LocalPC-B 間でPing疎通が取れて

LocalPC-A - LocalPC-B共に外部へ接続する事ができれば完成。

この際に、Natを通っては行けない相手側のネットワークを
Not条件でしてしておくのがポイント。

# set nat source rule 10 destination address '!192.168.20.0/24'
# set nat source rule 10 outbound-interface 'eth0'
# set nat source rule 10 translation address 'masquerade'

# set nat source rule 10 destination address '!192.168.10.0/24'
# set nat source rule 10 outbound-interface 'eth0'
# set nat source rule 10 translation address 'masquerade'

最後に、vyatta-Bへ外部からL2TPで接続する用の設定

基本的にVyatta - L2TP(IPSec)と同じ

設定後、L2TPで接続したPCからLocalPC-A,LocalPC-BにPing疎通が取れていれば完成

# set vpn l2tp remote-access authentication local-users username vpn-user password 'vpn-user-passwod'
# set vpn l2tp remote-access authentication mode 'local'
# set vpn l2tp remote-access client-ip-pool start '192.168.20.200'
# set vpn l2tp remote-access client-ip-pool stop '192.168.20.220'
# set vpn l2tp remote-access dns-servers server-1 '10.10.20.1'
# set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
# set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'pre-shared-secret'
# set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'
# set vpn l2tp remote-access outside-address '10.10.20.75'

※vpn-user-passwodは任意のものを設定

※pre-shared-secretは任意のものを設定

KVMで同じethから出てる、3台目のサーバを追加してみたら下記のようなエラーでブツブツとVPNが切れて

パケロスが50%くらい出ました。

同じethが出てるのが問題なのかな・・・たぶん

Dec 14 00:45:12 vyatta01 pluto[20335]: packet from 10.10.20.76:500: Informational Exchange is for an unknown (expired?) SA