As requested by FlakeB on Part 7: IPv6 enabling your Vyatta router (using a TunnelBroker), I wanted to take a few minutes and explain how to configure L2TP/IPSec Remote Access on an EdgeMax router. The process is simple, but there are definitely a few little gotchas here and there.
Using this step-by-step process, you should have a functional Remote Access VPN in a couple of minutes. For this example, I will assume the LAN interface is eth0 (with 192.168.1.0/24), and the WAN interface is eth1 (either on DHCP or with the static address 1.1.1.2/30).
While the GUI is constantly evolving, it currently does not support configuring L2TP/IPSec Remote Access VPNs, so this setup has to be done from the CLI.
First, we must tell IPsec which interface to listen on, enable NAT traversal (nearly every remote client sits behind some NAT), and allow NAT'd clients from any remote network.
configure
# this is the WAN interface
set vpn ipsec ipsec-interfaces interface eth1
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
Whether your WAN interface gets its address from DHCP or is statically configured decides which of these commands to use. Use one form or the other, not both.
# dhcp
set vpn l2tp remote-access dhcp-interface eth1
# static
set vpn l2tp remote-access outside-address 1.1.1.2
set vpn l2tp remote-access outside-nexthop 1.1.1.1
Next, let's define the pool of addresses the L2TP server hands out to connecting clients. Make sure it doesn't overlap with the range your DHCP server uses on the LAN.
set vpn l2tp remote-access client-ip-pool start 192.168.1.240
set vpn l2tp remote-access client-ip-pool stop 192.168.1.254
Then, let's define our pre-shared secret. Every client shares this one value and it is all that authenticates the IPsec layer, so pick something long and random rather than the placeholder below.
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret "vpn_secret_psk"
Now, we are going to need some users.
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username jim password "aGreatPassword"
# to change a user's password, just issue the same set command with the same username but a different password
# these passwords are stored in plaintext in the configuration; they can be viewed with the following command
show vpn l2tp remote-access authentication local-users
# you can also delete users with the following command
delete vpn l2tp remote-access authentication local-users username jim
We need to adjust the MTU of the VPN and add some DNS servers for the remote users.
set vpn l2tp remote-access mtu 1492
set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4
Almost done! Go ahead and commit and save that configuration.
commit
save
If you have a firewall ruleset attached to your WAN interface in the LOCAL direction (the one that filters traffic addressed to the router itself; in the GUI it is the ruleset listed for eth1 under Firewall/NAT, Firewall Policies, with direction "local"), you will need to add a rule to it as follows:
Basic Tab:
- Description: Allow L2TP
- Enable: checked
- Action: Accept
- Protocol: udp
Destination tab:
- Port: 500,1701,4500
Click Save. Without this rule the router silently drops the incoming IKE (500), NAT-T (4500) and L2TP (1701) packets and the client just sees a dead server. Clients that are not behind NAT carry their ESP natively (IP protocol 50) rather than inside UDP 4500, so if you have any of those, add a second rule with the same settings and Protocol: esp.
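Because the gotchas above are easy to miss, here is an added example that is not part of the original post: a small Python 3 script you run on your workstation against the output of `show configuration commands` pasted from the router. It checks for the mistakes this walkthrough warns about: both or neither of the DHCP/static outside-address forms set, the WAN interface missing from the IPsec interfaces, NAT traversal off, a short pre-shared secret, a client pool that overlaps the DHCP server's range or falls outside the LAN subnet, and a WAN "local" ruleset with no accept rule for UDP 500/1701/4500 (or no esp rule). The embedded configuration is constructed for the example and deliberately contains two of those mistakes; the 20-character minimum for the secret is my own threshold, and the esp check assumes you have clients that are not behind NAT.

```python
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample in `show configuration commands` form (not from the post),
# using the post's layout: eth0 = LAN 192.168.1.0/24, eth1 = WAN on DHCP.
# Two gotchas are deliberately present: the DHCP server range runs into the
# L2TP client pool, and the pre-shared secret is the short placeholder.
SAMPLE_CONFIG = """
set interfaces ethernet eth0 address 192.168.1.1/24
set interfaces ethernet eth1 address dhcp
set interfaces ethernet eth1 firewall local name WAN_LOCAL
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description 'Allow L2TP'
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 destination port 500,1701,4500
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.250
set vpn ipsec ipsec-interfaces interface eth1
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn l2tp remote-access dhcp-interface eth1
set vpn l2tp remote-access client-ip-pool start 192.168.1.240
set vpn l2tp remote-access client-ip-pool stop 192.168.1.254
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret vpn_secret_psk
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username jim password aGreatPassword
"""


def parse_set_commands(text):
    """Return one token list per `set ...` line (shlex handles quoted values)."""
    return [shlex.split(line.strip())[1:]
            for line in text.splitlines() if line.strip().startswith("set ")]


def find(cmds, *prefix):
    """Yield the tokens that follow `prefix` for every command starting with it."""
    n = len(prefix)
    for c in cmds:
        if tuple(c[:n]) == prefix:
            yield c[n:]


def value(cmds, *prefix):
    """The single trailing value of a leaf node, or None if the node is absent."""
    for rest in find(cmds, *prefix):
        return rest[0] if rest else None
    return None


def audit_l2tp(text, min_psk_len=20):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    cmds = parse_set_commands(text)
    findings = []
    ra = ("vpn", "l2tp", "remote-access")

    # 1. Outside address: exactly one of dhcp-interface or outside-address (+ nexthop).
    dhcp_if = value(cmds, *ra, "dhcp-interface")
    out_addr = value(cmds, *ra, "outside-address")
    if bool(dhcp_if) == bool(out_addr):
        findings.append("set exactly one of dhcp-interface or outside-address")
    if out_addr and not value(cmds, *ra, "outside-nexthop"):
        findings.append("outside-address needs outside-nexthop")

    # 2. Work out the WAN interface and make sure IPsec listens there with NAT-T on.
    ifaces = [r for r in find(cmds, "interfaces", "ethernet") if len(r) >= 3 and r[1] == "address"]
    wan = dhcp_if or next((r[0] for r in ifaces if r[2].split("/")[0] == out_addr), None)
    ipsec_ifs = [r[0] for r in find(cmds, "vpn", "ipsec", "ipsec-interfaces", "interface")]
    if wan and wan not in ipsec_ifs:
        findings.append(f"{wan} is not listed under vpn ipsec ipsec-interfaces")
    if value(cmds, "vpn", "ipsec", "nat-traversal") != "enable":
        findings.append("nat-traversal is not enabled (clients behind NAT will fail)")

    # 3. Pre-shared secret present and not trivially short (threshold is an assumption).
    psk = value(cmds, *ra, "ipsec-settings", "authentication", "pre-shared-secret")
    if not psk:
        findings.append("no pre-shared-secret configured")
    elif len(psk) < min_psk_len:
        findings.append(f"pre-shared-secret is only {len(psk)} characters")

    # 4. Client pool inside a local subnet and disjoint from every DHCP server range.
    start, stop = value(cmds, *ra, "client-ip-pool", "start"), value(cmds, *ra, "client-ip-pool", "stop")
    if not (start and stop):
        findings.append("client-ip-pool start/stop missing")
    else:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(stop)
        nets = [ipaddress.ip_interface(r[2]).network for r in ifaces if r[2] != "dhcp"]
        if not any(lo in n and hi in n for n in nets):
            findings.append(f"client pool {start}-{stop} is not inside any local interface subnet")
        for r in find(cmds, "service", "dhcp-server", "shared-network-name"):
            # tokens: NAME subnet CIDR start A stop B
            if len(r) >= 7 and r[1] == "subnet" and r[3] == "start" and r[5] == "stop":
                d_lo, d_hi = ipaddress.ip_address(r[4]), ipaddress.ip_address(r[6])
                if lo <= d_hi and d_lo <= hi:
                    findings.append(f"client pool {start}-{stop} overlaps DHCP range {r[4]}-{r[6]} ({r[0]})")

    # 5. If a LOCAL ruleset is attached to the WAN interface, it must let the VPN in.
    local_rs = wan and value(cmds, "interfaces", "ethernet", wan, "firewall", "local", "name")
    if local_rs:
        rules = defaultdict(dict)
        for r in find(cmds, "firewall", "name", local_rs, "rule"):
            rules[r[0]][" ".join(r[1:-1])] = r[-1]   # r = [NUM, key..., value]
        udp_ok = any(rl.get("action") == "accept" and rl.get("protocol") == "udp"
                     and {"500", "1701", "4500"} <= set(rl.get("destination port", "").split(","))
                     for rl in rules.values())
        if not udp_ok:
            findings.append(f"{local_rs} has no accept rule for udp 500,1701,4500")
        if not any(rl.get("action") == "accept" and rl.get("protocol") == "esp" for rl in rules.values()):
            findings.append(f"{local_rs} does not accept esp (needed for clients not behind NAT)")
    return findings


if __name__ == "__main__":
    for f in audit_l2tp(SAMPLE_CONFIG) or ["no findings"]:
        print("-", f)
```

Run it as-is and it reports the short secret, the pool/DHCP overlap and the missing esp rule on the constructed sample; paste your own `show configuration commands` output into `SAMPLE_CONFIG` (or read it from a file) to check a real router. The overlap test is the usual interval check, so it also catches a DHCP range that merely touches the pool at one end.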
That's it! Go ahead and set up the VPN on your client machine and test it. Note that L2TP gives you much less control over routing from the server side than other VPN types: the server offers the remote LAN, and whether the client sends only that or all of its traffic through the tunnel (split-tunneling) is decided in the client's own settings. If you need finer control over routes, DNS domain and other options pushed to the client, I recommend looking into OpenVPN instead, which can also be done with a little tinkering on the EdgeMax, but that will be another article.
Happy routing!
October 18th, 2014 at 2:10 am
This was exactly what I was looking for. Worked on the first try! Thank you very much, you saved me hours of digging around and pulling my hair out.
The only thing I would change is slightly clearing up the firewall changes. As someone who is brand new to EdgeMAX, it took some head scratching to figure out where that rule was applied.
Thanks again!
November 6th, 2014 at 5:55 pm
Hi, thanks for the great guide, but as a brand-new EdgeMax user I did not get this to work. I followed everything step by step. Is there anything (simple) I have missed? Assume I am doing the VPN setup right after the first start of the router. I can't get a response from the VPN server when trying to connect. Seems dead! What am I missing here?
March 16th, 2015 at 2:34 pm
Thank you for posting such a great guide! The UBNT wiki didn’t have the command for DHCP WAN connections on it. (set vpn l2tp remote-access dhcp-interface eth1)
I’m trying to use this on a pppoe0 interface running off of eth1. I get a new public IP address dynamically every time the pppoe0 connection becomes active. I assumed that meant it used dhcp, but when I try to commit the following line, I get an error:
set vpn l2tp remote-access dhcp-interface pppoe0
L2TP VPN configuration error: The specified interface is not configured for DHCP.
Is it possible to configure L2TP remote access on a PPPoE interface?
March 25th, 2015 at 3:06 pm
Although the authentication is pppoe the WAN interface is still getting a dynamically allocated IP. Did you try using
set vpn l2tp remote-access dhcp-interface eth1
March 26th, 2015 at 3:07 pm
Try this
set vpn l2tp remote-access interface pppoe0
March 26th, 2015 at 3:50 pm
Thank you for your responses.
I just tried both commands. The first one was accepted when entered, but failed to commit with the following error:
[ vpn ]
L2TP VPN configuration error: The specified interface is not configured for DHCP.
Commit failed
The second command wasn’t accepted when entered. Tab-completion shows there is no “interface” option under “set vpn l2tp remote-access”. The error produced was:
The specified configuration node is not valid
Set failed
I noticed that I used “set vpn ipsec ipsec-interfaces interface pppoe0” instead of “set vpn ipsec ipsec-interfaces interface eth1”. I tried switching to eth1, but that wouldn’t work either.
March 29th, 2015 at 11:23 am
http://community.ubnt.com/t5/EdgeMAX/Help-configuring-L2PT-VPN-for-pppoe-dynamic-ip/td-p/654911
June 8th, 2015 at 5:22 pm
This is pretty much my first experience with EdgeMax, on this new ER-8 with 1.6 firmware.
I set up a site-to-site VPN via IPsec with the GUI quite easily, and it is connected to the Cisco RV220W at our remote office nicely.
Now I'm trying to get the L2TP VPN to work for our outside workers with no luck 🙁 All I get is Error 789.
The config tree does seem to allow for a near-GUI setup of this, but I used the CLI and your list of instructions as they appear quite clear. Everything appears in order: the fixed outside IP, remote gateways, everything. I adjusted slightly as I made eth0 a dedicated config port, eth1 WAN and eth2 LAN.
Our DHCP is handled by W2K8, as is our DNS. I slotted in 19 addresses at x.x.x.80-99, which is outside the DHCP pool. Anyhow, I don't know where to look from here. I checked the firewall rules and set them as well. Is the site-to-site VPN interfering with my endpoint VPN?
December 15th, 2016 at 7:52 pm
Hello!
Great work, but as far as I know L2TP does not encrypt the traffic? Is there also a setup for client IPsec instead of L2TP?
BR