New Member
Posts: 3
Registered: 11-20-2016

Re: L2TP VPN - Multiple connections from same NAT'd location

Hi, I'm facing this issue as well. Is there any solution for this except site-to-site L2TP?

New Member
Posts: 38
Registered: 08-03-2014
Kudos: 3
Solutions: 3

Re: L2TP VPN - Multiple connections from same NAT'd location

I think I have the same problem. Any progress on a fix?

thanks

New Member
Posts: 3
Registered: 11-20-2016

Re: L2TP VPN - Multiple connections from same NAT'd location

I'm using OpenVPN now; so far so good for multiple connections from the same NAT subnet. But it needs a lot more steps to set up compared to L2TP.

New Member
Posts: 38
Registered: 08-03-2014
Kudos: 3
Solutions: 3

Re: L2TP VPN - Multiple connections from same NAT'd location

Bummer.... Did you follow any write-ups on OpenVPN from here or another site?

Thanks

New Member
Posts: 3
Registered: 11-20-2016

Re: L2TP VPN - Multiple connections from same NAT'd location

I followed this page: https://loganmarchione.com/2016/05/edgerouter-lite-openvpn-setup/

Things need to be clear: the common name when creating each certificate must be unique, e.g. CA cert = SERVER, server cert = ERX, client 1 cert = client1, client 2 cert = client2 and so on.

I use PuTTY for the terminal and WinSCP for the SFTP. I tried a few times but failed; I had to reset the router if I did something wrong, or the certificate would not work. So always back up your configuration. Now I have successfully made 2 different customer sites use OpenVPN.

New Member
Posts: 38
Registered: 08-03-2014
Kudos: 3
Solutions: 3

Re: L2TP VPN - Multiple connections from same NAT'd location

Thanks, I'll check that out and test!!

Member
Posts: 129
Registered: 10-08-2014
Kudos: 6
Solutions: 1

Re: L2TP VPN - Multiple connections from same NAT'd location

New firmware 1.9.1: the problem with L2TP over IPsec is still not resolved. OpenVPN is not acceptable. It is a third-party program that could not be installed.

New Member
Posts: 33
Registered: 08-15-2015
Kudos: 224

Re: L2TP VPN - Multiple connections from same NAT'd location

As I cannot have more than 1 active L2TP VPN client in 1.9.1, I'm guessing this STILL hasn't been fixed?

This is getting a bit ridiculous. The underlying software was fixed over 2 years ago. This was known about a year ago and was mentioned as being put into a release.

Maybe Ubiquiti are going downhill, fast. They seem to use a lot of old packages, maybe to save time/money on having to update other parts of their software (for example, the 20-year-old PHP implementation in AirOS), and give obscure reasons for refusing to plug other security issues.

Regular Member
Posts: 711
Registered: 01-06-2017
Kudos: 166
Solutions: 59

Re: L2TP VPN - Multiple connections from same NAT'd location

@DC3011 wrote:

As I cannot have more than 1 active L2TP VPN client in 1.9.1, I'm guessing this STILL hasn't been fixed?

This is getting a bit ridiculous. The underlying software was fixed over 2 years ago. This was known about a year ago and was mentioned as being put into a release.

Maybe Ubiquiti are going downhill, fast. They seem to use a lot of old packages, maybe to save time/money on having to update other parts of their software (for example, the 20-year-old PHP implementation in AirOS), and give obscure reasons for refusing to plug other security issues.


I suggest you start a new thread and explain your specific problem and show your router configuration.

This thread was about "having multiple clients connect from a single NAT'd external location."

This works for me on 1.9.1 (for iOS clients anyway), so you might have something misconfigured in your setup.

New Member
Posts: 38
Registered: 08-03-2014
Kudos: 3
Solutions: 3

Re: L2TP VPN - Multiple connections from same NAT'd location


@stshaw wrote:

@DC3011 wrote:

As I cannot have more than 1 active L2TP VPN client in 1.9.1, I'm guessing this STILL hasn't been fixed?

This is getting a bit ridiculous. The underlying software was fixed over 2 years ago. This was known about a year ago and was mentioned as being put into a release.

Maybe Ubiquiti are going downhill, fast. They seem to use a lot of old packages, maybe to save time/money on having to update other parts of their software (for example, the 20-year-old PHP implementation in AirOS), and give obscure reasons for refusing to plug other security issues.


I suggest you start a new thread and explain your specific problem and show your router configuration.

This thread was about "having multiple clients connect from a single NAT'd external location."

This works for me on 1.9.1 (for iOS clients anyway), so you might have something misconfigured in your setup.


FWIW, I still cannot have multiple L2TP VPN connections from a single NAT'd location.
Regular Member
Posts: 711
Registered: 01-06-2017
Kudos: 166
Solutions: 59

Re: L2TP VPN - Multiple connections from same NAT'd location

Multiple L2TP clients definitely work. Clients can ping each other and other sites connected to the server.

I tested two clients behind the same NAT this a.m. and it worked, but the NAT'd LAN also had an IPsec tunnel to the server. I will test again later today with the IPsec tunnel down just to make sure both clients were coming through the NAT.

New Member
Posts: 38
Registered: 08-03-2014
Kudos: 3
Solutions: 3

Re: L2TP VPN - Multiple connections from same NAT'd location


@stshaw wrote:

Multiple L2TP clients definitely work. Clients can ping each other and other sites connected to the server.

I tested two clients behind the same NAT this a.m. and it worked, but the NAT'd LAN also had an IPsec tunnel to the server. I will test again later today with the IPsec tunnel down just to make sure both clients were coming through the NAT.


Did this change in 1.9.1 by chance?

Just tried with one of my clients. My L2TP VPN connection connects fine. A second connection fails.

They are on 1.9.0.

I have 1.9.1 here on my network.

Regular Member
Posts: 711
Registered: 01-06-2017
Kudos: 166
Solutions: 59

Re: L2TP VPN - Multiple connections from same NAT'd location

 

I confirmed that v1.9.1 works fine with two L2TP remote-access connections to a single ERL-3 server, with both remotes connecting from behind the same NAT.

ubnt@ubnt:~$ show vpn remote-access
Active remote access VPN sessions:

User       Time      Proto Iface  Remote IP       TX pkt/byte   RX pkt/byte
---------- --------- ----- -----  --------------- ------ ------ ------ ------
user1      00h01m37s L2TP  l2tp1  192.168.200.201  7.3K   7.6M   5.6K 562.5K
user1      00h02m35s L2TP  l2tp0  192.168.200.200  1.5K 879.8K   1.9K 342.0K

This is using one PSK/user combination for multiple connections.

New Member
Posts: 8
Registered: 11-01-2016
Kudos: 1
Solutions: 1

Re: L2TP VPN - Multiple connections from same NAT'd location


@stshaw wrote:

I confirmed that v1.9.1 works fine with two L2TP remote-access connections to a single ERL-3 server, with both remotes connecting from behind the same NAT.

ubnt@ubnt:~$ show vpn remote-access
Active remote access VPN sessions:

User       Time      Proto Iface  Remote IP       TX pkt/byte   RX pkt/byte
---------- --------- ----- -----  --------------- ------ ------ ------ ------
user1      00h01m37s L2TP  l2tp1  192.168.200.201  7.3K   7.6M   5.6K 562.5K
user1      00h02m35s L2TP  l2tp0  192.168.200.200  1.5K 879.8K   1.9K 342.0K

This is using one PSK/user combination for multiple connections.


I just tried again and NOPE, can't connect more than once from the same NAT'd location.

Regular Member
Posts: 711
Registered: 01-06-2017
Kudos: 166
Solutions: 59

Re: L2TP VPN - Multiple connections from same NAT'd location

 

Strange. I have no idea why it doesn't work for you guys.

New Member
Posts: 8
Registered: 11-01-2016
Kudos: 1
Solutions: 1

Re: L2TP VPN - Multiple connections from same NAT'd location

Would you share your config?

I'm on an ERL POE-5.

Regular Member
Posts: 711
Registered: 01-06-2017
Kudos: 166
Solutions: 59

Re: L2TP VPN - Multiple connections from same NAT'd location


@FECivil wrote:

Would you share your config?

I'm on an ERL POE-5.


Here it is. Some bits have been removed. This is on an ER-X. It works on an ERL-3 too.

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow GUI"
            destination {
                port 80,443
            }
            ipsec {
                match-ipsec
            }
            log disable
            protocol tcp
            source {
                address 10.0.0.0/24
            }
        }
        rule 40 {
            action accept
            description "Allow L2TP"
            destination {
                port 500,1701,4500
            }
            log disable
            protocol udp
        }
        rule 60 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}

vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            dead-peer-detection {
                action restart
                interval 30
                timeout 60
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-traversal enable
        site-to-site {
            peer MYDOMAIN.COM {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret SECRET
                }
                connection-type respond
                description DESCRIPTION
                ike-group FOO0
                ikev2-reauth inherit
                local-address FIRST.STATIC.IP
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.168.1.0/24
                    }
                    remote {
                        prefix 10.0.0.0/24
                    }
                }
                tunnel 2 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.168.200.0/24
                    }
                    remote {
                        prefix 10.0.0.0/24
                    }
                }
            }
        }
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username USER {
                        password PASSWORD
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.200.200
                stop 192.168.200.210
            }
            dns-servers {
                server-1 192.168.1.1
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret SECRET
                }
                ike-lifetime 3600
            }
            mtu 1492
            outside-address SECOND.STATIC.IP
            outside-nexthop WAN.GATEWAY.IP
        }
    }
}

New Member
Posts: 8
Registered: 11-01-2016
Kudos: 1
Solutions: 1

Re: L2TP VPN - Multiple connections from same NAT'd location

Thanks, I'll test!!!

I DON'T have these:

dead-peer-detection {
    action restart
    interval 30
    timeout 60
}

ipsec-interfaces {
    interface eth0
}

nat-traversal enable

Everything else is there.
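
A quick way to compare a configuration against the one posted above is to parse it and check for the settings the two posts differ on. The script below is an added example written for this thread, not EdgeOS or Ubiquiti code: it parses the brace-delimited `show configuration` format into nested dicts and reports whether `nat-traversal`, an `ipsec-interfaces` entry, L2TP `ipsec-settings` authentication and a `WAN_LOCAL` accept rule for UDP 500/1701/4500 are present. The sample configuration inside it is constructed in the shape of the posted one, the ruleset name `WAN_LOCAL` and the function names are assumptions, and a clean result only means these settings match the posted config, not that two clients behind one NAT will both connect.

```python
"""Check an EdgeOS (Vyatta-style) configuration for the settings L2TP/IPsec remote
access needs when clients sit behind NAT. Added example for this thread, not Ubiquiti code."""
import re
import shlex
from typing import List


def parse_edgeos(text: str) -> dict:
    """Parse `show configuration` text into nested dicts: `name WAN_LOCAL {` becomes the key
    "name WAN_LOCAL", `port 500,1701,4500` becomes {"port": "500,1701,4500"} and a bare keyword
    such as `match-ipsec` becomes {"match-ipsec": True}; a leaf repeated in one node keeps its last value."""
    root: dict = {}
    stack: List[dict] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.endswith("{"):
            child: dict = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            parts = shlex.split(line)  # keeps quoted values such as "WAN to router" whole
            stack[-1][parts[0]] = " ".join(parts[1:]) if len(parts) > 1 else True
    if len(stack) != 1:
        raise ValueError("unbalanced '{'")
    return root


def get(node, *path: str):
    """Walk a key path through the parsed tree; None if any step is missing."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def accepted_udp_ports(ruleset: dict) -> set:
    """Destination ports opened by accept rules carrying UDP (ranges expanded, rule order ignored)."""
    ports: set = set()
    for key, rule in ruleset.items():
        if not (key.startswith("rule ") and isinstance(rule, dict)):
            continue
        if rule.get("action") != "accept" or rule.get("protocol") not in ("udp", "tcp_udp", "all"):
            continue
        spec = get(rule, "destination", "port")
        for item in spec.split(",") if isinstance(spec, str) else []:
            lo, _, hi = item.partition("-")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def lint_l2tp_nat(cfg: dict, wan_local: str = "WAN_LOCAL") -> List[str]:
    """Problems found; an empty list means every checked setting is present."""
    findings: List[str] = []
    if get(cfg, "vpn", "ipsec", "nat-traversal") != "enable":
        findings.append("vpn ipsec nat-traversal is not enabled (clients behind NAT need NAT-T on UDP 4500)")
    if not isinstance(get(cfg, "vpn", "ipsec", "ipsec-interfaces", "interface"), str):
        findings.append("vpn ipsec ipsec-interfaces lists no interface (IPsec is not bound to the WAN)")
    if get(cfg, "vpn", "l2tp", "remote-access", "ipsec-settings", "authentication", "mode") is None:
        findings.append("vpn l2tp remote-access has no ipsec-settings authentication (L2TP without IPsec)")
    fw = get(cfg, "firewall", f"name {wan_local}")
    missing = {500, 1701, 4500} - (accepted_udp_ports(fw) if isinstance(fw, dict) else set())
    if missing:
        findings.append(f"firewall {wan_local} has no accept rule for UDP {sorted(missing)}")
    return findings


# Constructed sample in the shape of the configuration posted above, trimmed to what the checks read.
GOOD_CFG = """
firewall {
    name WAN_LOCAL {
        description "WAN to router"
        rule 40 {
            action accept
            destination {
                port 500,1701,4500
            }
            protocol udp
        }
    }
}
vpn {
    ipsec {
        ipsec-interfaces {
            interface eth0
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                }
            }
        }
    }
}
"""
# The same text minus the two settings a later post reports as absent (constructed failing case).
BAD_CFG = re.sub(r"\n\s*(nat-traversal enable|ipsec-interfaces \{[^}]*\})", "", GOOD_CFG)
```

Feed the output of `show configuration` (or a saved config.boot) to parse_edgeos() and print lint_l2tp_nat() on the result; on the failing sample it reports the missing nat-traversal and ipsec-interfaces settings, on the posted one it reports nothing. The checker does not evaluate rule order, so an accept rule placed after a drop that already matches would still count as present.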

Regular Member
Posts: 437
Registered: 10-21-2016
Kudos: 96
Solutions: 7

Re: L2TP VPN - Multiple connections from same NAT'd location

Just out of curiosity, since it was stated earlier that the VPN implementation is strongSwan, couldn't one just use IPsec + IKEv2 to get around all of this [if any issues remain], or is the implementation within the ERs not the full strongSwan? I know the GUI only advertises L2TP, PPTP and OpenVPN, but the easiest way I have seen to configure strongSwan is always over the CLI.

New Member
Posts: 1
Registered: 10-27-2016

Re: L2TP VPN - Multiple connections from same NAT'd location

I just updated my ERL-3 to EdgeOS v1.9.7 and multiple L2TP connections from the same NAT'd location still do not work.

Is there any estimate for adding this feature in the next EdgeOS version?