Member
Posts: 263
Registered: ‎11-29-2013
Kudos: 250
Solutions: 7

Edgemax- L2TP Server Setup For Client Use

The reason I am reposting these directions is that I am adding a few other things that I have collected from hours of going through this forum looking for directions, and nothing is consolidated into one area, so that is my goal here. I ran across a few threads by chance that explained a few things and it wasn't even what I was looking for at the time.

If I missed anything feel free to let me know I will add it in.

Note: These instructions assume that eth0 is your WAN (Internet) connection. Early in the configuration, a specific command should be used in case you receive a DHCP-assigned IP address from your Internet service provider, while a separate command should be used if you receive a static IP address from your Internet service provider.

These steps also assume you are NOT using a radius server for client authentication.


Access the router's command line interface. You can do this using the CLI button while inside the Web UI or by using an SSH program such as PuTTY. PuTTY is generally quicker, as it allows easy copying and pasting (copy in Windows, paste using the right mouse button). 

The steps follow below:

#Enter configuration mode.

configure

 

Interface Configuration

Define the interface IPSec will use for internet connections (eth0 in this example).

set vpn ipsec ipsec-interfaces interface eth0

DHCP IP ONLY:  If you obtain your IP address from your ISP via DHCP, use this command:

set vpn l2tp remote-access dhcp-interface eth0

STATIC IP ONLY:  If you have a static IP address from your ISP and do NOT obtain your IP address from your internet service provider via DHCP, then use this command instead of the one above:

set vpn l2tp remote-access outside-address x.x.x.x

Replace x.x.x.x in the command above with your actual static IP address.

 

NAT Configuration

Enable NAT traversal (this is mandatory).

set vpn ipsec nat-traversal enable

Set the allowed subnet(s).

The 0.0.0.0/0 allows all subnets. (I use this one because well... it worked)

set vpn ipsec nat-networks allowed-network 0.0.0.0/0

or the L2TP Wiki says to:

set vpn ipsec nat-networks allowed-network 10.0.0.0/8
set vpn ipsec nat-networks allowed-network 172.16.0.0/12
set vpn ipsec nat-networks allowed-network 192.168.0.0/16

 

Setting Up DHCP Address Pool

Set up the pool of IP addresses that remote VPN connections will assume. In this case we make 10 addresses available. You can also issue IP addresses used in your subnet, but make sure that they do not overlap with IP addresses issued by your DHCP Server or used by other devices on your network.

set vpn l2tp remote-access client-ip-pool start 10.0.2.10
set vpn l2tp remote-access client-ip-pool stop 10.0.2.20

 

Setting The DNS Servers

Set DNS Servers:

If I wanted to use Google's DNS for the VPN clients I would:

set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4

 OR

If I wanted to have the VPN clients use the router's DNS, I would :

set service dns forwarding options "listen-address=x.x.x.x"

The x.x.x.x is the IP address that L2TP is returning to the clients for DNS server (i.e., should be the router's own IP address). The above command assumes you have DNS Forwarding configured.

 

Setting Access Authentication Mode

Set the L2TP remote access authentication mode to local.

set vpn l2tp remote-access authentication mode local

 

 

Adding & Removing Users

Set the L2TP remote access username and password.

Replace bademployee with your desired username and testpassword with your desired password.

Repeat this line changing the username and password for each user as needed.

set vpn l2tp remote-access authentication local-users username bademployee password testpassword

To delete a user use the following command:

Replace the username bademployee with the user you wish to delete.

delete vpn l2tp remote-access authentication local-users username bademployee


To see a list of the users programmed enter the following command:

show vpn l2tp remote-access authentication local-users

 

 

Setting IPSec Authentication

Set the IPsec authentication mode to pre-shared secret.

set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret

 

Set the pre-shared secret (replace secret phrase with your desired passphrase)

set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret "secret phrase"


Set the IKE Lifetime

set vpn l2tp remote-access ipsec-settings ike-lifetime 3600

 

Setting The MTU

Set the MTU

set vpn l2tp remote-access mtu 1492

 

Commit the changes.

commit

 

Showing the L2TP Configuration

Show the L2TP remote access configuration. This lets you see all your pretty work you just did.

show vpn l2tp remote-access

Save the settings. You must save your settings or everything you just did will be gone on the next reboot.

save

 

 

Opening The Required Ports

In the Web GUI.

Click on the "Firewall/NAT" tab.  Find the "WAN_Local" rule (or whatever you called the rule that controls access to the router), and click "Actions" to the right of it.  Select "Edit Ruleset" from the pull-down.  Click "Add New Rule", and enter the following information:

In the Basic Tab:  

  • Description:  Allow L2TP
  • Check Enable.
  • Action:  Accept.
  • Protocol:  UDP

In The Destination Tab:  

  • Ports: 500, 1701, 4500

Click "Save", and close that window. In the same WAN_Local ruleset click "Add New Rule" and add the following information:

In the Basic Tab:

  • Description: ESP Protocol
  • Check Enable.
  • Action:  Accept
  • Protocol: Choose a protocol by name - esp

Click "Save" and close that window. You can also close the ruleset window as well.

Congratulations!!! Your Client VPN service should now be functional. (Mine was.)

 

Definition of Ports & Protocols Opened:

  • ESP - Protocol 50
  • IKE -  UDP port 500
  • L2TP - UDP port 1701
  • NAT-T - UDP port 4500 (If Using NAT-T)

These directions are written for v1.5.0.
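The whole procedure above as one paste-able EdgeOS configure session, with the two WAN_LOCAL firewall rules entered from the CLI instead of the Web GUI. This is an added example, not part of the original post: it assumes eth0 is the WAN interface with a DHCP-assigned address, a LAN of 10.0.2.0/24 whose DHCP scope does not cover 10.0.2.10-20, a ruleset named WAN_LOCAL with rule numbers 30, 40 and 50 unused, and placeholder user names and secrets that must be replaced before committing. One thing it adds beyond the post is the `ipsec match-ipsec` condition on the UDP 1701 rule, so that L2TP is accepted only after IPsec decapsulation and clear-text L2TP from the Internet is dropped.

```vyatta
configure

# --- IPsec / L2TP server (EdgeOS v1.5.0-era commands) ---
# These three lines are deprecated from EdgeOS 1.8.0 (nat-traversal, nat-networks)
# and 1.8.5 (ipsec-interfaces) onward, where strongSwan detects NAT by itself,
# and can be omitted on those releases.
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0

# WAN address is assigned by the ISP via DHCP. For a static WAN address use instead:
#   set vpn l2tp remote-access outside-address <your static IP>
set vpn l2tp remote-access dhcp-interface eth0

# Client pool (assumed LAN 10.0.2.0/24; keep the pool outside the LAN DHCP scope)
set vpn l2tp remote-access client-ip-pool start 10.0.2.10
set vpn l2tp remote-access client-ip-pool stop 10.0.2.20
set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4
set vpn l2tp remote-access mtu 1492

# Authentication: local users, no RADIUS. Placeholder name and secrets: replace them.
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username alice password "ReplaceMe-UserPassword"
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret "ReplaceMe-LongRandomPSK"
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600

# --- WAN_LOCAL firewall rules (CLI equivalent of the GUI steps above) ---
# IKE (500) and NAT-T (4500) have to be reachable in the clear
set firewall name WAN_LOCAL rule 30 description "Allow IKE and NAT-T"
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 destination port 500,4500

# ESP, IP protocol 50
set firewall name WAN_LOCAL rule 40 description "Allow ESP"
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 protocol esp

# L2TP only when it arrived inside the IPsec transport SA (hardening step added here)
set firewall name WAN_LOCAL rule 50 description "Allow L2TP inside IPsec"
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 protocol udp
set firewall name WAN_LOCAL rule 50 destination port 1701
set firewall name WAN_LOCAL rule 50 ipsec match-ipsec

commit
save
exit

# Checks from operational mode after a client has connected
show vpn l2tp remote-access
show vpn ipsec sa
show firewall name WAN_LOCAL statistics
```

If the rule 50 counters stay at zero while rule 30 and rule 40 count packets, the IPsec SA is coming up but L2TP is not being decapsulated into it, which is the symptom to chase before touching the client.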

Member
Posts: 263
Registered: ‎11-29-2013
Kudos: 250
Solutions: 7

Re: Client VPN Setup Directions

@deeeirl Not sure if you got yours set up but this got mine working.

Member
Posts: 263
Registered: ‎11-29-2013
Kudos: 250
Solutions: 7

Re: Edgemax- L2TP Server Setup For Client Use

OS X and iOS function great with this.

Android functions great as well.

Windows well....

Just a heads up, there is a Windows Registry fix that I had to use on my Windows machines; it can be found here. In the value data area I use option 2; the default value is 0.

I also had to use this on a Windows 8 PC to get it to work.

Here are those directions:

By default, Windows Vista and the Windows Server 2008 operating system do not support Internet Protocol security (IPsec) network address translation (NAT) Traversal (NAT-T) security associations to servers that are located behind a NAT device. Therefore, if the virtual private network (VPN) server is behind a NAT device, a Windows Vista-based VPN client computer or a Windows Server 2008-based VPN client computer cannot make a Layer Two Tunneling Protocol (L2TP)/IPsec connection to the VPN server. This scenario includes VPN servers that are running Windows Server 2008 and Microsoft Windows Server 2003. 

Because of the way in which NAT devices translate network traffic, you may experience unexpected results when you put a server behind a NAT device and then use an IPsec NAT-T environment. Therefore, if you must have IPsec for communication, we recommend that you use public IP addresses for all servers that you can connect to from the Internet. However, if you have to put a server behind a NAT device and then use an IPsec NAT-T environment, you can enable communication by changing a registry value on the VPN client computer and the VPN server. 

To create and configure the AssumeUDPEncapsulationContextOnSendRule registry value, follow these steps:

  1. Log on to the Windows Vista, 7, or 8 client computer as a user who is a member of the Administrators group.
  2. Click Start, point to All Programs, click Accessories, click Run, type regedit, and then click OK. If the User Account Control dialog box is displayed on the screen and prompts you to elevate your administrator token, click Continue.
  3. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
  4. On the Edit menu, point to New, and then click DWORD (32-bit) Value.
  5. Type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
  6. Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
  7. In the Value Data box, type one of the following values:
    • 0
      A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value.
    • 1
      A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices.
    • 2
      A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.
  8. Click OK, and then exit Registry Editor.
  9. Restart the computer.
New Member
Posts: 20
Registered: ‎10-06-2014
Kudos: 1

Re: Edgemax- L2TP Server Setup For Client Use

How can I statically set a client IP address?

Regular Member
Posts: 735
Registered: ‎12-14-2013
Kudos: 228
Solutions: 11

Re: Edgemax- L2TP Server Setup For Client Use

Sorry for the noobie vpn question, but once I set the configuration for the Edgerouter for L2TP server for client use, what needs to be done on my client device?  i.e. does anything need to be installed on my iphone? or do I simply hit the ip of my Edgerouter from my iphone and I'll be prompted for a username/passwd that I created using your steps?

 

Thanks in advance!

Derek

Regular Member
Posts: 735
Registered: ‎12-14-2013
Kudos: 228
Solutions: 11

Re: Edgemax- L2TP Server Setup For Client Use

Also -- I'm trying this with the latest version of software for the Edgerouter POE (v1.7.0) and I'm running into some issues.  For example set vpn 12tp remote-access is not a valid command.  Has anyone followed these directions to setup L2TP VPN with the Edgerouter running the latest software?

 

Thanks much!

Derek

Member
Posts: 263
Registered: ‎11-29-2013
Kudos: 250
Solutions: 7

Re: Edgemax- L2TP Server Setup For Client Use

For iOS simply plug your info into the VPN setup and it works.

 

set vpn 12tp remote-access -- Is not a valid command

 

set vpn l2tp remote -- give that a shot see what you get.

Regular Member
Posts: 735
Registered: ‎12-14-2013
Kudos: 228
Solutions: 11

Re: Edgemax- L2TP Server Setup For Client Use

Sorry for the questions -- and for the typo. :-)  Much appreciated for your help! - Derek

New Member
Posts: 14
Registered: ‎03-22-2016

Re: Edgemax- L2TP Server Setup For Client Use

Thanks for the command roundup this was very helpful to me. 

 

One quick question. In the Interface Configuration section there's no mention of PPPOE. According to this page you would use "set vpn l2tp remote-access outside-address 0.0.0.0" to point it to the PPPOE interface. Has anyone actually got this to work?

 

Thanks

New Member
Posts: 14
Registered: ‎03-22-2016

Re: Edgemax- L2TP Server Setup For Client Use

I found that when I went through the commands above for a DHCP internet connection I could not access a host located behind the router. Here's what I have. An EdgeRouter X that is serving up a 192.168.2.0 subnet. There is a test fileserver on that network at 192.168.2.5. I use my computer to act as the remote. If I plug my computer into one of the spare Ethernet LAN ports on the EdgeRouter and am therefore on the same subnet I can connect to the fileserver without any issues. However, when I tether my phone to my computer to simulate a remote connection that points to the VPN I can't ping or connect to the fileserver at 192.168.2.5.

 

Here's the configuration steps I used on the Edgerouter.

 

I started with a factory reset of the EdgeRouter. Then I used a wizard to set up WAN+2LAN2 with only 1 LAN.
Router IP 192.168.2.1

 

I then connected via terminal and issued these commands

 

configure

set vpn ipsec ipsec-interfaces interface eth0
set vpn l2tp remote-access dhcp-interface eth0
set vpn ipsec nat-traversal enable

set vpn ipsec nat-networks allowed-network 0.0.0.0/0

set vpn l2tp remote-access client-ip-pool start 192.168.100.101
set vpn l2tp remote-access client-ip-pool stop 192.168.100.110
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret presharedsecret
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access authentication local-users username user password password
set vpn l2tp remote-access mtu 1492

set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4

 

I thought that the nat-traversal command enabled the capability for you to ping hosts behind the firewall? I also have another similar question posted here.

 

Emerging Member
Posts: 71
Registered: ‎08-03-2016
Solutions: 2

Re: Edgemax- L2TP Server Setup For Client Use

Thanks very much. For noobs like me it's great to see the "what if my configuration is different" options.
Ubiquiti Employee
Posts: 2,270
Registered: ‎05-08-2017
Kudos: 414
Solutions: 340

Re: Edgemax- L2TP Server Setup For Client Use

Hi everyone,

 

Just informing you that the EdgeRouter - L2TP IPsec VPN Server article has been updated and should provide all of the information you need to set up an L2TP Server.

 

Best wishes.


Ben Pin - EdgeMAX Support

New Member
Posts: 36
Registered: ‎11-25-2016
Kudos: 1

Re: Edgemax- L2TP Server Setup For Client Use

@UBNT-benpin thanks for the heads up that the configuration article was updated. But I have a couple of questions... In all of the other forum posts I have seen the set vpn ipsec nat-traversal enable command is seen but in the updated guide it's not present.

And I have to ask the big question? Is there any way to access what I need on my home network without having access to the computers which I need to give access to?

I have the shares on my home network setup and anyone here can connect to them without issue. But I can't expect friends and family to setup a VPN on their laptops and fiddle with the settings for the adapter that is created and so on... there has GOT to be a solution that allows connections to these shares without all the client side programming, isn't there?
Ubiquiti Employee
Posts: 2,270
Registered: ‎05-08-2017
Kudos: 414
Solutions: 340

Re: Edgemax- L2TP Server Setup For Client Use


Those messages were probably posted when an older firmware was used for EdgeMAX.

 

I am going to state this in detail here, so other people that stumble on this topic will know as well. The NAT traversal and NAT networks commands are deprecated in EdgeOS since version 1.8.0. The IPsec interface command has been deprecated in EdgeOS since version 1.8.5.

 

set vpn ipsec ?
Possible completions:
  ipsec-interfaces Interface to use for VPN (DEPRECATED)
  nat-networks  Network Address Translation (NAT) networks (DEPRECATED)
  nat-traversal Network Address Translation (NAT) traversal (DEPRECATED)

The reason these commands are deprecated is that they are no longer needed in the newer versions of strongSwan (which has been implemented in EdgeOS since v1.8.0). In other words, IPsec/L2TP automatically detects if devices are behind NAT, so you no longer have to specifically enable this.

 

Please see this topic as well.

 

Normally you would use Active Directory Group-Policy to update all of the client computers at once. There has to be some form of manual configuration on the clients if you are not running an AD infrastructure. 

 

Edit: I am going to repeat this line here. The ipsec-interfaces command is NOT needed to set up an L2TP server on an EdgeMAX device that is running the latest firmware. If adding this command 'magically' made L2TP work for you, then you either:

 

1. Added another command in the same commit statement that made L2TP work.

2. Involuntarily restarted the IPsec process by adding the ipsec-interfaces statement. In which case the sudo ipsec restart command will achieve exactly the same.

 

Proof:

set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <password>
set vpn l2tp remote-access client-ip-pool start 192.168.100.240
set vpn l2tp remote-access client-ip-pool stop 192.168.100.249
set vpn l2tp remote-access outside-address 203.0.113.1
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username ubnt password <password>

cat /etc/ipsec.d/tunnels/remote-access
### Vyatta L2TP VPN Begin ###
conn remote-access
  authby=secret
  type=transport
  keyexchange=ikev1
  left=203.0.113.1


  leftprotoport=17/1701
  right=%any
  rightprotoport=17/%any
  auto=add
  dpddelay=15
  dpdtimeout=45
  dpdaction=clear
  rekey=no
  ikelifetime=3600
  
sudo cat /etc/ipsec.conf
# No VPN configuration exists.
### Vyatta L2TP VPN Begin ###
include /etc/ipsec.d/tunnels/remote-access
### Vyatta L2TP VPN End ###

Add:
set vpn ipsec ipsec-interfaces interface eth0

sudo cat /etc/ipsec.conf
# generated by /opt/vyatta/sbin/vpn-config.pl

config setup

conn %default
        keyexchange=ikev1

### Vyatta L2TP VPN Begin ###
include /etc/ipsec.d/tunnels/remote-access
### Vyatta L2TP VPN End ###

sudo cat /etc/ipsec.d/tunnels/remote-access
### Vyatta L2TP VPN Begin ###
conn remote-access
  authby=secret
  type=transport
  keyexchange=ikev1
  left=203.0.113.1


  leftprotoport=17/1701
  right=%any
  rightprotoport=17/%any
  auto=add
  dpddelay=15
  dpdtimeout=45
  dpdaction=clear
  rekey=no
  ikelifetime=3600

 

Ben

 


Ben Pin - EdgeMAX Support

New Member
Posts: 36
Registered: ‎11-25-2016
Kudos: 1

Re: Edgemax- L2TP Server Setup For Client Use

EDIT: During setup I was connected to my network via WiFi. So I then tried to connect to my router's GUI via a tether with my cell phone and although I was successful in "Connecting" to the VPN I am unable to access the GUI via my web browser nor can I SSH in to the CLI over that same tethered connection. I guess I should mention that I do have my DDNS host name punched in to the DDNS section and that's what I used to configure the VPN as well, if that makes a difference. I'd also like to mention that before setting up the VPN, I was remotely accessing the GUI with a firewall rule that allowed traffic on ports 80 and 443, and even connected to my wifi, if I delete that rule and try to SSH in to the router using the DDNS host name, it does not allow me. So, the only thing that I can tell is working as it should is the connection to the VPN from the Windows client, but am I supposed to lose internet connectivity while connected to the ERL's VPN?

 

Ubiquiti Employee
Posts: 2,270
Registered: ‎05-08-2017
Kudos: 414
Solutions: 340

Re: Edgemax- L2TP Server Setup For Client Use


When you connect via L2TP (at least in Windows) you will use the tunnel adapter for DNS and default gateway. In other words the ER will be used for all routing and DNS lookups. If you lose internet connectivity, that means that either your routing or more likely your DNS is not working through the ER.

 

 

Before L2TP
C:\Users\bpin>tracert -d 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1     2 ms     1 ms     2 ms  192.168.0.1 (normal gateway)
  2    11 ms    16 ms    11 ms  203.0.113.1

^C
After L2TP
C:\Users\bpin>tracert -d 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1   109 ms   109 ms   104 ms  10.255.255.0 (tunnel adapter)
  2   108 ms   113 ms   104 ms  198.51.100.1

C:\Users\bpin>nslookup
Default Server:  UnKnown
Address:  10.0.30.1 (internal address of the ER)

> google.com
Server:  UnKnown
Address:  10.0.30.1

Non-authoritative answer:
Name:    google.com
Addresses:  2607:f8b0:4002:805::200e
          216.58.217.238

 

You can override both of these behaviors in Windows under the IPv4 settings of the tunnel adapter.

[Screenshot: Untitled.png, IPv4 settings of the Windows tunnel adapter]

 

If you do this, you will need to manually add routes to your Windows tunnel adapter.

 

cmd
1. route print -4
2. determine tunnel adapter interface ID (32 in my case)
3. route add 10.0.0.0 mask 255.255.255.0 0.0.0.0 IF 32

 

You can create a batch file (.bat) to do this:

 

rasdial <tunnel adapter name> <l2tp username> <l2tp user password>
route add 10.0.0.0 mask 255.255.255.0 0.0.0.0 IF 32

 

Or configure the L2TP client-address range on your ER to be in the same subnet as your local LAN.

 

If you are using an ER-X/ER-X-SFP, you also want to disable IPsec offloading. Reason here.

 

It is better to connect to the router using the internal IP address when connecting over the VPN.

 

Ben 

 

 


Ben Pin - EdgeMAX Support

New Member
Posts: 36
Registered: ‎11-25-2016
Kudos: 1

Re: Edgemax- L2TP Server Setup For Client Use


UBNT-benpin wrote:

When you connect via L2TP (at least in Windows) you will use the tunnel adapter for DNS and default gateway. In other words the ER will be used for all routing and DNS lookups. If you lose internet connectivity, that means that either your routing or more likely your DNS is not working through the ER.

 

Or configure the L2TP client-address range on your ER to be in the same subnet as your local LAN.

 

It is better to connect to the router using the internal IP address when connecting over the VPN.

 

Ben 

 

 


Well I don't have any special setup on my router except for using a service called SmartDNSProxy which I have to use to view Amazon Video, Hulu and Netflix here in Costa Rica, so in my DHCP server, their values are what's programmed into the DNS server settings but it's only supposed to pickup requests made to Netflix, Hulu, Amazon as well as the providers for the Smart devices whose menu choices vary depending on region... without it, my Smart TVs and BluRay players don't even offer those apps as an option, they disappear from the menu. Not sure if that has an effect...

 

But I went into the Config tree and changed vpn-l2tp-remote access-client ip pool to fall within my DHCP addresses 192.168.1.100 and 192.168.1.150 and also went into vpn-l2tp-remote access-dns servers and set that at 192.168.1.1 (local address for my Edge Router) in both spaces.

 

After doing that, I can still connect TO the VPN from Windows, it even says Connected, secured below the WiFi connection, but there is no connectivity

New Member
Posts: 2
Registered: ‎06-22-2017
Kudos: 1

Re: Edgemax- L2TP Server Setup For Client Use

I have this working properly, but I have another challenge:

I set up port forwarding to our internal L2TP VPN server on eth0 with our main WAN IP so that we can authenticate users to our directory server.

I'd also like to assign eth1 a separate static IP and configure the built in L2TP server to use this as an emergency backup VPN in order to avoid turning on PPTP. I had trouble getting this configured. Has anyone done something like this?

New Member
Posts: 36
Registered: ‎11-25-2016
Kudos: 1

Re: Edgemax- L2TP Server Setup For Client Use

[Attached image: Topology.jpg, network topology diagram]

 

This is my topology and what I'm trying to accomplish.

New Member
Posts: 5
Registered: ‎06-21-2017

Re: Edgemax- L2TP Server Setup For Client Use


Hello - Can someone please let me know which ports need to be opened on my cable modem?

 

I am configured like so:

 

Internet---------CableModem--------EdgeRouter Lite 3--------Internal Home wired/wireless Network
