New Member
Posts: 8
Registered: ‎03-24-2014

USG L2TP VPN Setup Help

Been using EdgeRouter Lites with VPNs for a little bit and love them. Simple stupid. Since I see you guys using USGs I thought I would give them a try. Have a few problems. In order to do an L2TP VPN I have to SSH in like the ERL. No problem, got that far. I then have to set firewall rules for it to work. This is where I hit a road block. There is no way in the GUI like the ERL to make the changes. So I am assuming I have to make these changes with SSH. Can anyone point me in the right direction for the SSH commands I need to make these changes? Second problem is as soon as I provision it, it deletes my VPN settings. I am using AWS to manage. I know I have to import a JSON file into my AWS.. A little lost on that one. Any suggestions?

Senior Member
Posts: 3,645
Registered: ‎09-26-2013
Kudos: 898
Solutions: 258

Re: USG L2TP VPN Setup Help

There are some examples on how to set up VPNs for the USG here.  To persist changes you need to dump the config from the USG and store it on the controller so that during provisioning your CLI custom changes are re-applied, which is described in the articles.

 

Cheers,
Andrew
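The persistence step Andrew describes (dump the running config from the USG, keep only the parts you changed, store them on the controller as config.gateway.json) as an added example. This is not code from the thread or from Ubiquiti: the dump is a constructed, cut-down imitation of what mca-ctrl -t dump-cfg prints, and the data directory and site id passed to gateway_json_path are whatever your controller actually uses.

```python
import copy
import json
from pathlib import Path

# Constructed sample of `mca-ctrl -t dump-cfg` output from a USG, cut down to the
# subtrees this example touches; a real dump has many more top-level keys.
SAMPLE_DUMP = json.dumps({
    "firewall": {"name": {"WAN_LOCAL": {"default-action": "drop"}}},
    "interfaces": {"ethernet": {"eth0": {"address": "dhcp"}}},
    "system": {"host-name": "usg"},
    "vpn": {"l2tp": {"remote-access": {
        "client-ip-pool": {"start": "10.5.5.10", "stop": "10.5.5.50"},
        "outside-address": "xx.xx.xx.xx",
    }}},
})


def extract_overrides(dump_text, keep):
    """Return only the top-level subtrees listed in `keep` (e.g. "vpn", "firewall").

    Everything else in the dump is controller-managed; copying it into
    config.gateway.json makes the file fight the provisioner instead of
    extending it.
    """
    full = json.loads(dump_text)
    return {key: copy.deepcopy(full[key]) for key in keep if key in full}


def merge_overrides(existing, new):
    """Deep-merge `new` into a copy of `existing`; on conflicting leaves `new` wins."""
    merged = copy.deepcopy(existing)
    for key, value in new.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge_overrides(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def gateway_json_path(data_dir, site_id="default"):
    """<data dir>/sites/<site id>/config.gateway.json.

    `site_id` is the directory name under sites/: the site's internal id
    ("default", or a random string such as ceb1m27d for a site you created),
    not the descriptive name shown in the controller UI.
    """
    return Path(data_dir) / "sites" / site_id / "config.gateway.json"


def render_overrides(overrides):
    """Serialise and immediately re-parse, so a malformed file fails here rather
    than as a failed provision on the USG."""
    text = json.dumps(overrides, indent=4, sort_keys=True) + "\n"
    if json.loads(text) != overrides:
        raise ValueError("override did not round-trip through JSON")
    return text


def write_overrides(path, overrides):
    """Write config.gateway.json, keeping anything already in the file."""
    path = Path(path)
    current = json.loads(path.read_text()) if path.exists() else {}
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(render_overrides(merge_overrides(current, overrides)))


if __name__ == "__main__":
    # Typical flow: ssh to the USG, `mca-ctrl -t dump-cfg > dump.json`, then
    # run this on the controller against that file instead of SAMPLE_DUMP.
    print(render_overrides(extract_overrides(SAMPLE_DUMP, ["vpn", "firewall"])))
```

Keep the list passed to extract_overrides short: the VPN subtree and the firewall rules you added are what need to survive provisioning, not the interface or system blocks the controller writes itself.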

New Member
Posts: 10
Registered: ‎06-18-2015
Kudos: 1

Re: USG L2TP VPN Setup Help

New Member
Posts: 3
Registered: ‎01-27-2014
Kudos: 8

Re: USG L2TP VPN Setup Help

I got this up and running on my USG and I thought I'd make everyone's life easier by just giving the config.gateway.json. Take the attachment. Replace the CHANGEME comments. Place it in <UniFi Install Dir>/data/sites/default/config.gateway.json and re-provision/reboot. Voilà!

This is a minimal set of settings in the config.gateway.json file to get the L2TP VPN up and running.
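The attachment itself is not reproduced on the page. As an added example, and not ryttingm's file, the generator below produces the same kind of minimal config.gateway.json for an L2TP/IPsec remote-access VPN, adds the explicit WAN_LOCAL firewall rules the original question asked about (IKE, NAT-T, L2TP and ESP to the gateway itself), and checks that no CHANGEME value is still in the file before you drop it on the controller. The firewall rule numbers, the eth0 WAN interface name and the sample values in the test are assumptions for the example; the "''" spelling for a valueless node follows the dump-cfg output quoted later in this thread.

```python
# Placeholder value, in the spirit of the CHANGEME comments in the attached file.
CHANGEME = "CHANGEME"


def _wan_local_rule(number, description, protocol, port=None):
    """One accept rule for the WAN_LOCAL chain (traffic addressed to the USG itself)."""
    rule = {"action": "accept", "description": description, "protocol": protocol}
    if port is not None:
        rule["destination"] = {"port": port}
    return number, rule


def l2tp_overrides(outside_address, psk, users, pool_start, pool_stop,
                   dns=("8.8.8.8", "8.8.4.4"), wan_if="eth0"):
    """Minimal config.gateway.json content for an L2TP/IPsec remote-access VPN.

    `users` maps username -> password. Rule numbers 10-40 are an assumption,
    chosen low so they sort ahead of controller-generated WAN_LOCAL rules.
    """
    rules = dict([
        _wan_local_rule("10", "allow IKE", "udp", "500"),
        _wan_local_rule("20", "allow IPsec NAT-T", "udp", "4500"),
        _wan_local_rule("30", "allow L2TP", "udp", "1701"),
        _wan_local_rule("40", "allow ESP", "esp"),
    ])
    return {
        "firewall": {"name": {"WAN_LOCAL": {"rule": rules}}},
        "vpn": {
            "ipsec": {
                "auto-firewall-nat-exclude": "enable",
                "ipsec-interfaces": {"interface": [wan_if]},
                "nat-networks": {"allowed-network": {"0.0.0.0/0": "''"}},
                "nat-traversal": "enable",
            },
            "l2tp": {"remote-access": {
                "authentication": {
                    "local-users": {"username": {u: {"password": p} for u, p in users.items()}},
                    "mode": "local",
                },
                "client-ip-pool": {"start": pool_start, "stop": pool_stop},
                "dns-servers": {"server-1": dns[0], "server-2": dns[1]},
                "ipsec-settings": {
                    "authentication": {"mode": "pre-shared-secret", "pre-shared-secret": psk},
                    "ike-lifetime": "3600",
                },
                "mtu": "1492",
                "outside-address": outside_address,
            }},
        },
    }


def find_placeholders(node, path=""):
    """Dotted paths of every key or leaf still containing CHANGEME; empty when ready."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if CHANGEME in key:
                hits.append(child)
            hits.extend(find_placeholders(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_placeholders(value, f"{path}[{i}]"))
    elif isinstance(node, str) and CHANGEME in node:
        hits.append(path)
    return hits


def template():
    """The file as you would ship it: every site-specific value is a CHANGEME."""
    return l2tp_overrides(CHANGEME, CHANGEME, {CHANGEME: CHANGEME}, "10.5.5.10", "10.5.5.50")


if __name__ == "__main__":
    import json
    print(json.dumps(template(), indent=4, sort_keys=True))
    print("still to replace:", find_placeholders(template()))
```

Run find_placeholders on the finished dictionary before writing it out; a leftover CHANGEME in the PSK or in a username is otherwise only discovered when a client fails to connect.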


New Member
Posts: 1
Registered: ‎05-01-2015

Re: USG L2TP VPN Setup Help

ryttingm, very nice, thank you!

Emerging Member
Posts: 61
Registered: ‎04-09-2015
Kudos: 16
Solutions: 4

Re: USG L2TP VPN Setup Help

I also applied this L2TP remote-access config from the CLI; basically it's working fine until you deploy a site-to-site connection (2 USGs) from the UI. Then the connection just hangs (not possible to connect).

Wonder if someone knows the hack for that? The messages I've got from the USG while the VPN client tries to connect:

  • NAT-Traversal: Result using RFC 3947: no NAT detected
  • ignoring informational payload, type IPSEC_INITIAL_CONTACT
  • cannot respond to IPsec SA request because no connection is known

Here is my VPN code block from mca-ctrl -t dump-cfg:

{
    "vpn": {
        "ipsec": {
            "auto-firewall-nat-exclude": "enable",
            "esp-group": {
                "ESP0": {
                    "compression": "disable",
                    "lifetime": "3600",
                    "mode": "tunnel",
                    "pfs": "enable",
                    "proposal": {
                        "1": {
                            "encryption": "aes256",
                            "hash": "sha1"
                        }
                    }
                }
            },
            "ike-group": {
                "IKE0": {
                    "key-exchange": "ikev1",
                    "lifetime": "28800",
                    "proposal": {
                        "1": {
                            "dh-group": "14",
                            "encryption": "aes256",
                            "hash": "sha1"
                        }
                    }
                }
            },
            "ipsec-interfaces": {
                "interface": [
                    "eth0"
                ]
            },
            "nat-networks": {
                "allowed-network": {
                    "0.0.0.0/0": "''"
                }
            },
            "nat-traversal": "enable",
            "site-to-site": {
                "peer": {
                    "xx.xx.xx.xx": {
                        "authentication": {
                            "mode": "pre-shared-secret",
                            "pre-shared-secret": "xxxxxxxx"
                        },
                        "connection-type": "initiate",
                        "ike-group": "IKE0",
                        "local-address": "xx.xx.xx.xx",
                        "vti": {
                            "bind": "vti0",
                            "esp-group": "ESP0"
                        }
                    }
                }
            }
        },
        "l2tp": {
            "remote-access": {
                "authentication": {
                    "local-users": {
                        "username": {
                            "test": {
                                "password": "testpass"
                            }
                        }
                    },
                    "mode": "local"
                },
                "client-ip-pool": {
                    "start": "10.5.5.10",
                    "stop": "10.5.5.50"
                },
                "dns-servers": {
                    "server-1": "8.8.8.8",
                    "server-2": "8.8.4.4"
                },
                "ipsec-settings": {
                    "authentication": {
                        "mode": "pre-shared-secret",
                        "pre-shared-secret": "secretpskkey"
                    },
                    "ike-lifetime": "3600"
                },
                "mtu": "1492",
                "outside-address": "xx.xx.xx.xx"
            }
        }
    }
}
New Member
Posts: 6
Registered: ‎02-25-2016

Re: USG L2TP VPN Setup Help

Thanks for this thread.

 

I used the text file that was posted and it worked perfectly for client L2TP with Windows 10.

 

But I ran into a snag. When you assign a static IP to the external interface, the device goes into a provisioning loop. It also removes the default gateway, so for the few moments the USG is up, you can't get to the internet.

 

Any thoughts on how to solve this?

New Member
Posts: 15
Registered: ‎06-17-2016
Kudos: 1

Re: USG L2TP VPN Setup Help

Hi all,

 

I've used the json file of @ryttingm

 

New Member
Posts: 6
Registered: ‎02-25-2016

Re: USG L2TP VPN Setup Help

Is your site name Default?  If you've changed the site name, you need to put this file into the directory for the site name you're using.

 

When you SSH into the USG, do you see the config from the json file in the USG's config?

New Member
Posts: 15
Registered: ‎06-17-2016
Kudos: 1

Re: USG L2TP VPN Setup Help

Yes, my site name is default.

 

Where do I find the USG's config file on the USG?

New Member
Posts: 6
Registered: ‎02-25-2016

Re: USG L2TP VPN Setup Help

You have to SSH into the USG and run the command (which I don't recall what it is now) to get the output of the running config on the USG.  Then compare that to what's in the JSON file.

New Member
Posts: 15
Registered: ‎06-17-2016
Kudos: 1

Re: USG L2TP VPN Setup Help

The file is /config/config.boot

 

Only the firewall rules I've added myself through the interface are in it

 

Can't I edit this file instead of the json file on the controller?

New Member
Posts: 15
Registered: ‎06-17-2016
Kudos: 1

Re: USG L2TP VPN Setup Help

Anyone?

New Member
Posts: 12
Registered: ‎11-27-2015

Re: USG L2TP VPN Setup Help

I used this configuration on my USG and it works to connect remotely and I can contact devices on my internal network, but I don't have Internet access while connected to the VPN. I used the same configuration on my EdgeRouter Lite and it all works properly.

 

Any ideas? Let me know if I need to provide further information. 

Emerging Member
Posts: 56
Registered: ‎12-15-2015
Kudos: 18
Solutions: 1

Re: USG L2TP VPN Setup Help

@Nerds2You Are you sure it's no Internet or is it no DNS?

 

What DNS servers are you using for your remote clients in your config.gateway.json file?

 

Do you have any firewall rules on the WAN interface dropping DNS? (Such as if you want to only allow OpenDNS or the like)

What is your remote client OS?

 

Are you also trying to split tunnel?

 

Is your remote client IP address space different from your local IP address space?

New Member
Posts: 12
Registered: ‎11-27-2015

Re: USG L2TP VPN Setup Help

I am using the same config that worked in my EdgeRouter Lite. I did notice that the VPN connection does not get a default gateway address.

 

DNS isn't the issue, I tried to ping Google via its IP address and tried to ping 8.8.8.8 and got no response.

 

I am using multiple devices, 1 Windows 10 laptop, 1 Android phone and 1 Android Tablet (both on Marshmallow)

 

The DNS servers I am using are the address of my DNS server, 192.168.11.20, on my Win 2008 Server, and 8.8.8.8 as the secondary.

 

The remote address space is in 192.168.13.x and the LAN is on 192.168.11.x

 

I am not trying a split tunnel.

 

Exact same settings worked on the Edgerouter Lite

 

I have no DNS firewall rules in place.

New Member
Posts: 4
Registered: ‎10-16-2014

Re: USG L2TP VPN Setup Help

Hey guys

 

I've got the configuration and placed the JSON file in   /usr/lib/unifi/data/sites/mymap/default  on my cloud key

 

But nothing happens

 

Did I place it in the wrong folder ?

 

I have several files in ~/sites ; some of them are folders and some of them are files  but the map is only one 

New Member
Posts: 12
Registered: ‎11-27-2015

Re: USG L2TP VPN Setup Help

I believe it should be in /data/sites/ 

 

in the sites folder you will either see a folder called default or more likely will see a folder generated from a random string ex. ceb1m27d

 

I don't have a cloudkey just going from what I found on a ubiquiti help page.

New Member
Posts: 12
Registered: ‎11-27-2015

Re: USG L2TP VPN Setup Help

I figured out a way to make it work.  I changed the pool of assigned addresses to be in the same subnet as my regular network and I have access to the local network as well as the remote network.

 

I still would like to know if there is a setting that needs to be added to make it work if I set the VPN address pool to a different subnet; it works perfectly on my EdgeRouter Lite using the same config. The only difference is that I have a WINS server set on the ERL to point to my DC/DNS/DHCP (Win 2008) server.
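LAN reachable but no Internet from a pool in a separate subnet is the symptom you get when the gateway's masquerade NAT only covers the LAN subnets: the USG's controller-generated masquerade rules normally carry a source address per network, so VPN clients in 192.168.13.x are routed but never NATed out of the WAN. This added check (not from the thread; the dump below is a constructed cut-down sample, and the rule number 5999 and WAN interface eth0 are assumptions) reads a dump for that condition and builds the missing config.gateway.json fragment, which is the alternative to moving the pool into the LAN subnet.

```python
import copy
import ipaddress

# Constructed: the pieces of a USG dump that matter for egress from L2TP clients.
# The controller normally emits one masquerade rule per LAN network, with a
# source.address limiting which subnets are NATed out of the WAN interface.
SAMPLE_CFG = {
    "interfaces": {"ethernet": {
        "eth0": {"address": "dhcp"},
        "eth1": {"address": ["192.168.11.1/24"]},
    }},
    "service": {"nat": {"rule": {"6001": {
        "description": "MASQ corporate_network to WAN",
        "outbound-interface": "eth0",
        "source": {"address": "192.168.11.0/24"},
        "type": "masquerade",
    }}}},
    "vpn": {"l2tp": {"remote-access": {
        "client-ip-pool": {"start": "192.168.13.10", "stop": "192.168.13.50"},
    }}},
}


def pool_bounds(cfg):
    pool = cfg["vpn"]["l2tp"]["remote-access"]["client-ip-pool"]
    return ipaddress.ip_address(pool["start"]), ipaddress.ip_address(pool["stop"])


def _addresses(node):
    addr = node.get("address", [])
    return addr if isinstance(addr, list) else [addr]


def lan_networks(cfg):
    """Networks configured on ethernet interfaces and their VLAN sub-interfaces."""
    nets = []
    for iface in cfg.get("interfaces", {}).get("ethernet", {}).values():
        for node in [iface, *iface.get("vif", {}).values()]:
            for addr in _addresses(node):
                if addr != "dhcp":
                    nets.append(ipaddress.ip_interface(addr).network)
    return nets


def masquerade_sources(cfg):
    """Source networks covered by masquerade rules; a rule without a source covers all."""
    nets = []
    for rule in cfg.get("service", {}).get("nat", {}).get("rule", {}).values():
        if rule.get("type") != "masquerade":
            continue
        src = rule.get("source", {}).get("address")
        nets.append(ipaddress.ip_network(src) if src else ipaddress.ip_network("0.0.0.0/0"))
    return nets


def _covered(start, stop, nets):
    return any(start in net and stop in net for net in nets)


def check_pool(cfg):
    """Is the client pool inside a LAN subnet, and is it covered by a masquerade rule?"""
    start, stop = pool_bounds(cfg)
    return {
        "in_lan": _covered(start, stop, lan_networks(cfg)),
        "natted": _covered(start, stop, masquerade_sources(cfg)),
    }


def pool_network(cfg):
    """Smallest CIDR block containing the whole pool."""
    start, stop = pool_bounds(cfg)
    net = ipaddress.ip_network(f"{start}/32")
    while stop not in net:
        net = net.supernet()
    return net


def masquerade_rule_for_pool(cfg, number="5999", wan_if="eth0"):
    """config.gateway.json fragment adding a masquerade rule for the pool.
    Rule number and WAN interface name are assumptions for this example."""
    return {"service": {"nat": {"rule": {number: {
        "description": "MASQ L2TP pool to WAN",
        "outbound-interface": wan_if,
        "source": {"address": str(pool_network(cfg))},
        "type": "masquerade",
    }}}}}


def with_pool(cfg, start, stop):
    """Copy of cfg with a different client pool, to compare the two layouts."""
    out = copy.deepcopy(cfg)
    out["vpn"]["l2tp"]["remote-access"]["client-ip-pool"] = {"start": start, "stop": stop}
    return out


if __name__ == "__main__":
    print(check_pool(SAMPLE_CFG))                # separate subnet: routed, not NATed
    print(masquerade_rule_for_pool(SAMPLE_CFG))  # fragment to merge into config.gateway.json
    print(check_pool(with_pool(SAMPLE_CFG, "192.168.11.200", "192.168.11.220")))
```

Pick a rule number below the controller's own masquerade rules so it is evaluated first, and keep the pool subnet distinct from every LAN the remote client might sit on; the same-subnet workaround above works only because the existing masquerade rule happens to cover the pool.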

New Member
Posts: 4
Registered: ‎10-16-2014

Re: USG L2TP VPN Setup Help

Mine is already in the same subnet of the main network but doesn't work.

 

Not even in /data/sites

 

What else did you do to make it work ?
