Emerging Member
l2tp vpn simple setup

Yesterday I was setting up a simple L2TP VPN on my EdgeRouter Lite (older model with the rounded top). I followed the video to the letter and I still could not get it working, and I ran across some directions on the Spiceworks forum that I thought I'd add here to help others that are having issues (as far as I see it's often ... I wish UBNT would add a wizard for it, but I digress).

Change the placeholder values to match your network setup.

Show Running VPN Configurations

configure
show vpn l2tp
show vpn pptp
show vpn ipsec

Delete VPN Configurations

configure
delete vpn pptp
delete vpn l2tp
delete vpn ipsec
commit
save

L2TP Server Configuration

# Run from configure mode. Change eth1 to whatever is the external (WAN) interface of the EdgeRouter
set vpn ipsec ipsec-interfaces interface eth1
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
set vpn l2tp remote-access authentication mode local

# Add local users for L2TP
set vpn l2tp remote-access authentication local-users username WhateverUserName password WhatEverUserPassword

# Set a range of IP addresses that are not being used by your LAN DHCP
set vpn l2tp remote-access client-ip-pool start 192.168.x.x
set vpn l2tp remote-access client-ip-pool stop 192.168.x.x

# Set the DNS servers handed to VPN clients for name resolution
set vpn l2tp remote-access dns-servers server-1 192.168.x.x
set vpn l2tp remote-access dns-servers server-2 192.168.x.x

# Set the IPsec authentication for the L2TP tunnel to a pre-shared secret
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret ThisIsYourLongPassword
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600

# Set the L2TP listening address to the WAN IP and its next hop (the WAN gateway)
set vpn l2tp remote-access outside-address ThisIsYourWANIP
set vpn l2tp remote-access outside-nexthop ThisIsYourWAN-GW-IP

# Optional: set the MTU, but I do this just in case they end up on DSL or T1
set vpn l2tp remote-access mtu 1492

commit
save
exit

Add The Firewall Rules For L2TP Traffic

Open the web browser of your choice and enter the LAN IP of the EdgeRouter to log in to the portal.
Go to the Security tab and find WAN_Local in the Firewall Rules.
Click Actions on the right and choose Edit Ruleset from the drop-down.
Add a new rule with the following settings:
Basic Tab:
Description = L2TP
Enable = Checked (true)
Action = Accept
Protocol = UDP
Choose the Destination Tab
Ports = 500,1701,4500 (no spaces)
Save
Add another rule in the ruleset:
Description = ESP
Enable = Checked (true)
Action = Accept
Protocol = Choose by name, then select ESP
Save
Save again to exit the firewall settings.

All Replies
Previous Employee
Re: l2tp vpn simple setup

Just to confirm, you mean the posted config is working for your setup, right? Thanks for sharing your experience.

Emerging Member

Re: l2tp vpn simple setup

Correct, those exact commands are what I used to get an L2TP VPN to work. The video from Ubiquiti was close.

The easiest way I found to do it was to SSH into the device and copy and paste it.

Member

Re: l2tp vpn simple setup

Greetings all. New to the forum and the product.

I have tried the above setup with mixed success and could use some guidance. When I have my laptop on the eth1 side of my ERPro-8 (using a hub) and assign my laptop an IP in the WAN pool, I can access the ERPro-8 without issue. When putting the ERPro-8 into service, and not on my bench, I can no longer connect to the ERPro-8 in this manner.

Both ends utilize cable internet with sufficient bandwidth; the ERPro-8 has a static IP assigned. The ERPro-8 connects directly to a cable modem, my end connects to a cable modem through a new USG with dynamic DHCP. All products (ERPro-8 and USG) are running the latest beta releases without any service issues. I am not sure how to view the logs on the ERPro-8...

Again, worked fine when there was no middle-man in the picture...

Thanks in advance!

Here is my log from my laptop when I am *not able* to connect:

Mon Jan 18 10:28:07 2016 : publish_entry SCDSet() failed: Success!
Mon Jan 18 10:28:07 2016 : publish_entry SCDSet() failed: Success!
Mon Jan 18 10:28:07 2016 : l2tp_get_router_address
Mon Jan 18 10:28:07 2016 : l2tp_get_router_address 10.0.1.1 from dict 1
Mon Jan 18 10:28:07 2016 : L2TP connecting to server ‘xxx.xxxxx.org’ (xx.xx.xx.81)...
Mon Jan 18 10:28:07 2016 : IPSec connection started
Mon Jan 18 10:28:07 2016 : IPSec phase 1 client started
Mon Jan 18 10:28:17 2016 : IPSec connection failed

Here is my log from my laptop when I *can* connect:
Fri Jan  8 19:21:30 2016 : publish_entry SCDSet() failed: Success!
Fri Jan  8 19:21:30 2016 : publish_entry SCDSet() failed: Success!
Fri Jan  8 19:21:30 2016 : l2tp_get_router_address
Fri Jan  8 19:21:30 2016 : l2tp_get_router_address xx.xxx.xxx.xxx from dict 1
Fri Jan  8 19:21:30 2016 : L2TP connecting to server ‘xx.xxxxx.org' xx.xxx.xx.81)...
Fri Jan  8 19:21:30 2016 : IPSec connection started
Fri Jan  8 19:21:31 2016 : IPSec connection established
Fri Jan  8 19:21:34 2016 : L2TP connection established.
Fri Jan  8 19:21:34 2016 : L2TP set port-mapping for en4, interface: 11, protocol: 0, privatePort: 0
Fri Jan  8 19:21:34 2016 : Using interface ppp0
Fri Jan  8 19:21:34 2016 : Connect: ppp0 <--> socket[34:18]
Fri Jan  8 19:21:34 2016 : L2TP port-mapping for en4, interfaceIndex: 0, Protocol: None, Private Port: 0, Public Address: 18f96144, Public Port: 0, TTL: 0.
Fri Jan  8 19:21:34 2016 : L2TP port-mapping update for en4 indicates no NAT. Public Address: 18f96144, Protocol: None, Private Port: 0, Public Port: 0
Fri Jan  8 19:21:34 2016 : L2TP port-mapping for en4 inconsistent. is Connected: 1, Previous interface: 11, Current interface 0
Fri Jan  8 19:21:34 2016 : L2TP port-mapping for en4 initialized. is Connected: 1, Previous publicAddress: (0), Current publicAddress 18f96144
Fri Jan  8 19:21:34 2016 : L2TP port-mapping for en4 fully initialized. Flagging up
Fri Jan  8 19:21:37 2016 : local  IP address 10.0.0.45
Fri Jan  8 19:21:37 2016 : remote IP address 10.255.255.0
Fri Jan  8 19:21:37 2016 : primary   DNS address 68.105.28.16
Fri Jan  8 19:21:37 2016 : secondary DNS address 68.105.29.16
Fri Jan  8 19:21:37 2016 : l2tp_wait_input: Address added. previous interface setting (name: en4, address: xx.xxx.xx.68), current interface setting (name: ppp0, family: PPP, address: 10.0.0.45, subnet: 255.0.0.0, destination: 10.255.255.0).
Fri Jan  8 19:21:37 2016 : Committed PPP store on install command
Fri Jan  8 19:21:37 2016 : Committed PPP store on install command
Fri Jan  8 19:21:43 2016 : Committed PPP store on install command
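As an added example (not from the thread, and not a Ubiquiti or Apple tool), a small Python script that reads the macOS L2TP client log format quoted above, reports the stage at which the session stopped and how long it waited there, and maps a stall at IKE phase 1 back to the WAN_Local rule (UDP 500/4500, ESP) and IPsec settings from the original post. The sample logs are excerpts of the two posted above; the HINTS mapping is my own troubleshooting guidance, not something the client or router emits.

```python
import re
from datetime import datetime
# Line format of the macOS L2TP client log quoted in the thread: "<timestamp> : <message>".
LINE_RE = re.compile(r"^(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : (.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"
# Milestones in the order a working L2TP/IPsec session passes through them.
MILESTONES = ["IPSec connection started", "IPSec phase 1 client started",
              "IPSec connection established", "L2TP connection established", "local IP address"]
FAILURES = ("IPSec connection failed", "L2TP connection failed")
# Router-side checks for a session that stalls at a given stage (my hints, not authoritative).
HINTS = {"IPSec phase 1 client started": "IKE never completed: confirm WAN_Local accepts UDP "
         "500/4500 and ESP, nat-traversal is enabled and the pre-shared-secret matches",
         "IPSec connection established": "IPsec is up: check UDP 1701 and the L2TP settings"}

def parse_line(line):
    """Return (datetime, whitespace-normalised message) or None for non-log lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), TS_FMT), " ".join(m.group(2).split())

def diagnose(log_text):
    """Report the last milestone reached, the outcome and seconds spent before failing."""
    last_stage = last_ts = elapsed = None
    outcome = "incomplete"
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg = parsed
        for stage in MILESTONES:
            if msg.startswith(stage):
                last_stage, last_ts = stage, ts
        if msg.startswith(FAILURES):
            outcome, elapsed = "failed", (ts - last_ts).total_seconds() if last_ts else None
            break
    if last_stage == "local IP address":
        outcome = "connected"
    return {"last_stage": last_stage, "outcome": outcome, "seconds": elapsed,
            "hint": HINTS.get(last_stage) if outcome == "failed" else None}

# Excerpts of the two client logs posted in the thread (constructed test input).
FAILED_LOG = """Mon Jan 18 10:28:07 2016 : IPSec connection started
Mon Jan 18 10:28:07 2016 : IPSec phase 1 client started
Mon Jan 18 10:28:17 2016 : IPSec connection failed"""
WORKING_LOG = """Fri Jan  8 19:21:30 2016 : IPSec connection started
Fri Jan  8 19:21:31 2016 : IPSec connection established
Fri Jan  8 19:21:34 2016 : L2TP connection established.
Fri Jan  8 19:21:37 2016 : local  IP address 10.0.0.45"""
```

Run `diagnose()` over the failing log and it reports a 10 second wait at "IPSec phase 1 client started" with no IKE reply, which is the symptom to take to the router's WAN_Local ruleset rather than to the L2TP user settings.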