One Bad Pixel

L2TP/IPSec on a Ubiquiti EdgeMax

As requested by FlakeB on Part 7: IPv6 enabling your Vyatta router (using a TunnelBroker), I wanted to take a few minutes and explain how to configure L2TP/IPSec Remote Access on an EdgeMax router. The process is simple, but there are definitely a few little gotchas here and there.

Using this step-by-step process, you should have a functional Remote Access VPN in a couple minutes. For this example, I will assume the LAN interface is eth0 (with, and the WAN interface is eth1 (with DHCP and/or static).

While the GUI is still constantly evolving, it does not currently support configuring L2TP/IPSec Remote Access VPNs, so this setup has to be done via the CLI.

First, we must set the IPSec interface, enable NAT traversal (nat-t), and allow all remote networks.

#this is the WAN interface
set vpn ipsec ipsec-interfaces interface eth1
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network

Whether your WAN interface gets its address via DHCP or is statically configured decides which of these commands to use:

#DHCP WAN: name the interface that holds the DHCP lease
set vpn l2tp remote-access dhcp-interface eth1
#static WAN: give the public address and its next-hop gateway instead
set vpn l2tp remote-access outside-address
set vpn l2tp remote-access outside-nexthop

Next, let's define a client address pool for your L2TP server. Make sure it doesn't overlap with the range your existing DHCP service hands out.

set vpn l2tp remote-access client-ip-pool start
set vpn l2tp remote-access client-ip-pool stop

Then, let's define our pre-shared secret.

set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret "vpn_secret_psk"

Now we are going to need some users.

set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username jim password "aGreatPassword"
#to change a user's password, issue the same set command with the same username and a different password
#passwords are stored in plaintext in the configuration; they can be viewed with the following command
show vpn l2tp remote-access authentication local-users
#you can also delete users with the following command
delete vpn l2tp remote-access authentication local-users username jim

We also need to adjust the MTU of the VPN and add some DNS servers for the remote users.

set vpn l2tp remote-access mtu 1492
set vpn l2tp remote-access dns-servers server-1
set vpn l2tp remote-access dns-servers server-2

Almost done! Go ahead and commit and save that configuration.

If you have a LOCAL firewall on your WAN interface (a ruleset applied to the WAN interface in the local direction, i.e. traffic addressed to the router itself), you will need to add a rule to that ruleset so the VPN ports reach the router. In the GUI this is done under Firewall/NAT by editing that ruleset and adding a rule as follows:
Basic Tab:

  • Description: Allow L2TP
  • Enable: checked
  • Action: Accept
  • Protocol: udp

Destination tab:

  • Port: 500,1701,4500

Click Save. Note that UDP 4500 only carries the IPSec traffic when the client is behind NAT; a client on a public address sends native ESP (IP protocol 50), so add a second accept rule for protocol esp in the same ruleset if you need to support those clients.
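The whole procedure above, as an added example that is not code from the original post: a small Python script that assembles the EdgeOS configure-mode commands from a handful of parameters and checks the gotchas the guide warns about (the client pool overlapping the LAN DHCP range, the DHCP-versus-static WAN choice, quotes inside secrets) before anything is pasted into the router. The ruleset name WAN_LOCAL, the rule numbers, and the all-networks value 0.0.0.0/0 for nat-networks allowed-network (which the post leaves blank) are assumptions; the sample addresses are constructed.

```python
# Added example, not code from the original post: generate the EdgeOS
# configure-mode commands for L2TP/IPSec remote access and check the gotchas
# the guide warns about before pasting them into the router.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class L2tpParams:
    wan_if: str                          # WAN interface, e.g. "eth1"
    psk: str                             # IPSec pre-shared secret
    users: Dict[str, str]                # username -> password (stored in plaintext on the router)
    pool_start: str                      # L2TP client-ip-pool start
    pool_stop: str                       # L2TP client-ip-pool stop
    lan_dhcp_start: str                  # existing LAN DHCP range the pool must not overlap
    lan_dhcp_stop: str
    dns_servers: List[str]               # one or two entries (server-1, server-2)
    outside_address: Optional[str] = None    # set both of these for a static WAN
    outside_nexthop: Optional[str] = None
    mtu: int = 1492
    nat_networks: str = "0.0.0.0/0"      # assumed value for nat-networks allowed-network
    wan_local_ruleset: str = "WAN_LOCAL"  # assumed name of the ruleset applied to WAN in the local direction
    rule_number: int = 30                # assumed free rule number in that ruleset


def _ranges_overlap(a_start: str, a_stop: str, b_start: str, b_stop: str) -> bool:
    """True if the two inclusive IPv4 ranges share at least one address."""
    a0, a1 = int(ipaddress.IPv4Address(a_start)), int(ipaddress.IPv4Address(a_stop))
    b0, b1 = int(ipaddress.IPv4Address(b_start)), int(ipaddress.IPv4Address(b_stop))
    return a0 <= b1 and b0 <= a1


def validate(p: L2tpParams) -> List[str]:
    """Return a list of problems; an empty list means the parameters are consistent."""
    problems = []
    if int(ipaddress.IPv4Address(p.pool_start)) > int(ipaddress.IPv4Address(p.pool_stop)):
        problems.append("client-ip-pool start is after stop")
    elif _ranges_overlap(p.pool_start, p.pool_stop, p.lan_dhcp_start, p.lan_dhcp_stop):
        problems.append("client-ip-pool overlaps the LAN DHCP range")
    if (p.outside_address is None) != (p.outside_nexthop is None):
        problems.append("static WAN needs both outside-address and outside-nexthop")
    if not 1 <= len(p.dns_servers) <= 2:
        problems.append("give one or two DNS servers")
    if not 1280 <= p.mtu <= 1500:
        problems.append("mtu outside the sane 1280-1500 range")
    if '"' in p.psk or any('"' in pw for pw in p.users.values()):
        problems.append("secrets must not contain double quotes (they are quoted in set commands)")
    return problems


def build_commands(p: L2tpParams) -> List[str]:
    """Emit the set commands in the guide's order; raises ValueError on validation problems."""
    problems = validate(p)
    if problems:
        raise ValueError("; ".join(problems))
    ra = "set vpn l2tp remote-access"
    cmds = [
        f"set vpn ipsec ipsec-interfaces interface {p.wan_if}",
        "set vpn ipsec nat-traversal enable",
        f"set vpn ipsec nat-networks allowed-network {p.nat_networks}",
    ]
    if p.outside_address is None:
        cmds.append(f"{ra} dhcp-interface {p.wan_if}")                # WAN address comes from DHCP
    else:
        cmds.append(f"{ra} outside-address {p.outside_address}")      # static WAN address
        cmds.append(f"{ra} outside-nexthop {p.outside_nexthop}")      # and its gateway
    cmds += [
        f"{ra} client-ip-pool start {p.pool_start}",
        f"{ra} client-ip-pool stop {p.pool_stop}",
        f"{ra} ipsec-settings authentication mode pre-shared-secret",
        f'{ra} ipsec-settings authentication pre-shared-secret "{p.psk}"',
        f"{ra} authentication mode local",
    ]
    for user, pw in p.users.items():
        cmds.append(f'{ra} authentication local-users username {user} password "{pw}"')
    cmds.append(f"{ra} mtu {p.mtu}")
    for i, dns in enumerate(p.dns_servers, start=1):
        cmds.append(f"{ra} dns-servers server-{i} {dns}")
    # Firewall: UDP 500/1701/4500 for IKE, L2TP and NAT-T, plus native ESP for clients not behind NAT.
    fw = f"set firewall name {p.wan_local_ruleset} rule"
    cmds += [
        f'{fw} {p.rule_number} description "Allow L2TP"',
        f"{fw} {p.rule_number} action accept",
        f"{fw} {p.rule_number} protocol udp",
        f"{fw} {p.rule_number} destination port 500,1701,4500",
        f'{fw} {p.rule_number + 1} description "Allow ESP"',
        f"{fw} {p.rule_number + 1} action accept",
        f"{fw} {p.rule_number + 1} protocol esp",
    ]
    return cmds


if __name__ == "__main__":
    # Constructed sample: the LAN DHCP server hands out .100-.199, so the VPN pool takes .80-.99.
    params = L2tpParams(
        wan_if="eth1", psk="vpn_secret_psk", users={"jim": "aGreatPassword"},
        pool_start="192.168.1.80", pool_stop="192.168.1.99",
        lan_dhcp_start="192.168.1.100", lan_dhcp_stop="192.168.1.199",
        dns_servers=["192.168.1.1"],
    )
    print("configure")
    print("\n".join(build_commands(params)))
    print("commit ; save ; exit")
```

Run it and paste the printed lines into the EdgeMax CLI; passing outside_address and outside_nexthop instead of leaving them unset switches the output to the static-WAN variant, and any overlap with the LAN DHCP range is reported before a single command is emitted.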

That's it! Go ahead and set up your VPN on your client machine and test it. Note that L2TP is not quite as flexible about controlling which routes are pushed to the client: it will route your local LAN, and split-tunneling is controlled on the client side. If you need more flexible control over routing, domain, and other options, I recommend looking into OpenVPN instead, which can also be done with a little tinkering on the EdgeMax, but that will be another article.

Happy routing!


10 Responses for “L2TP/IPSec on a Ubiquiti EdgeMax”

  1. Tony Says:

    This was exactly what I was looking for. Worked on the first try! Thank you very much, you saved me hours of digging around and pulling my hair out.

    The only thing I would change is slightly clearing up the firewall changes. As someone who is brand new to EdgeMAX, it took some head scratching to figure out where that rule was applied.

    Thanks again!

  2. Jesper Says:

Hi, thanks for the great guide, but as a brand new EdgeMax user I did not get this to work. I followed everything step by step. Is there anything (simple) I have missed? Assume I'm doing the VPN set up right after the first start of the router. Can't get a response from the VPN server when trying to connect. Seems dead! What am I missing here?

  3. Making Windows Network Policy Server work with VyOS/EdgeOS L2TP over IPSec VPN using Radius Auth | thomas. Says:

    […] L2TP/IPSec on a Ubiquiti EdgeMax | One Bad Pixel […]

  4. Ian Egland Says:

    Thank you for posting such a great guide! The UBNT wiki didn’t have the command for DHCP WAN connections on it. (set vpn l2tp remote-access dhcp-interface eth1)

    I’m trying to use this on a pppoe0 interface running off of eth1. I get a new public IP address dynamically every time the pppoe0 connection becomes active. I assumed that meant it used dhcp, but when I try to commit the following line, I get an error:

    set vpn l2tp remote-access dhcp-interface pppoe0

    L2TP VPN configuration error: The specified interface is not configured for DHCP.

    Is it possible to configure L2TP remote access on a PPPoE interface?

  5. Govind Says:

Although the authentication is PPPoE, the WAN interface is still getting a dynamically allocated IP. Did you try using

    set vpn l2tp remote-access dhcp-interface eth1

  6. Govinda Raja Says:

    Try this

    set vpn l2tp remote-access interface pppoe0

  7. Ian Egland Says:

    Thank you for your responses.

    I just tried both commands. The first one was accepted when entered, but failed to commit with the following error:
    [ vpn ]
    L2TP VPN configuration error: The specified interface is not configured for DHCP.

    Commit failed

    The second command wasn’t accepted when entered. Tab-completion shows there is no “interface” option under “set vpn l2tp remote-access”. The error produced was:

    The specified configuration node is not valid
    Set failed

    I noticed that I used “set vpn ipsec ipsec-interfaces interface pppoe0” instead of “set vpn ipsec ipsec-interfaces interface eth1”. I tried switching to eth1, but that wouldn’t work either.

  8. Govinda Raja Says:

  9. Dale.E Says:

    This is pretty much my first experience with EdgeMax on this new ER8. 1.6fw

    I setup site-to-site vpn via IPsec with the gui quite easily, and it is connected to the Cisco RV220W at our remote office nicely.

Now trying to get L2TP vpn to work for our outside workers with no luck 🙁 all I get is Error 789.
The config tree does seem to appear to allow for a near GUI setup of this, but I used the CLI and your list of instructions as they appear quite clear. Everything appears in order: the fixed outside IP, remote gateways, everything. I adjusted slightly as I made eth0 a dedicated config port, eth1 wan and eth2 lan.
Our DHCP is handled by w2k8 as is our DNS. I slotted in 19 addresses at x.x.x.80-99 that is outside the DHCP pool. Anyhow, I don't know where to look from here. I checked the firewall rules, and set them as well. Is the site2site vpn interfering with my endpoint vpn?

  10. Chris N. Says:


Great work, but as I know L2TP does not encrypt the traffic? Is there also a setup for CLIENT IPSEC instead of L2TP?
