info_i_25x25.png Our ticketing platform provider has scheduled a maintenance window on May 20th, 2018. It will start at 1:00 am UTC on Sunday, May 20th and end at 1:00 pm UTC on Sunday, May 20th. During this time there might be an interruption in the chat service, but all our users will still be able to submit support tickets via the ticket submission form.

EdgeRouter - L2TP IPsec VPN Server


Overview


Readers will learn how to configure the EdgeRouter as a L2TP (Layer 2 Tunneling Protocol) server.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information.
 
Devices used in this article:

Table of Contents


  1. Network Diagram
  2. L2TP Server
  3. L2TP Client
  4. Related Articles

Network Diagram


Back to Top

The network topology is shown below.

  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24

topology_pptp_server_new.png


L2TP Server


Back to Top

For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.

The ports and protocol that are relevant to L2TP are:

  • UDP 1701 (L2TP)
  • UDP 500 (IKE)
  • Protocol 50 (ESP)
  • UDP 4500 (NAT-T) 
CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Add firewall rules for the L2TP traffic to the local firewall policy.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description ike
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp

set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description esp
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp

set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description nat-t
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp

set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description l2tp
set firewall name WAN_LOCAL rule 60 destination port 1701
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol udp

3. Configure the server authentication settings (replace <secret> with your desired passphrases).

set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>

set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username <username> password <secret>
NOTE: To use RADIUS authentication instead of local authentication, use the following two commands:
 
set vpn l2tp remote-access authentication mode radius
set vpn l2tp remote-access authentication radius-server <ip-address> key <secret>

4. Define the IP address pool that will be used by the VPN clients.

set vpn l2tp remote-access client-ip-pool start 192.168.100.240
set vpn l2tp remote-access client-ip-pool stop 192.168.100.249
NOTE: You can also issue IP addresses the local subnet (192.168.1.0/24 in this case), but make sure that they do not overlap with IP addresses issued by your DHCP Server or used by other devices on your network.

5. Define the DNS server(s) that will be used by the VPN clients.

set vpn l2tp remote-access dns-servers server-1 <ip-address>
set vpn l2tp remote-access dns-servers server-2 <ip-address>

6. Define the WAN interface which will receive L2TP requests from clients.

Configure only one of the following statements. Decide on which command is best for your situation using these options:

(A) Your WAN interface receives an address through DHCP

set vpn l2tp remote-access dhcp-interface eth0

(B) Your WAN interface is configured with a static address

set vpn l2tp remote-access outside-address 203.0.113.1

(C) Your WAN interface receives an address through PPPoE

set vpn l2tp remote-access outside-address 0.0.0.0

7. Define the IPsec interface which will receive L2TP requests from clients.

set vpn ipsec ipsec-interfaces interface eth0

8. (Optional) Lower the MTU for L2TP traffic.

set vpn l2tp remote-access mtu <mtu-value>

9. Commit the changes and save the configuration.

commit ; save

 

You can verify the VPN settings using the following commands from operational mode:

show firewall name WAN_LOCAL statistics
show vpn remote-access
show vpn ipsec sa
show interfaces
show log | match 'xl2tpd|pppd'

L2TP Client


Back to Top

In this article, we are using a Windows 10 machine as the L2TP client.

Windows_logo_-_2012.svg.png

1. Add a new VPN connection.

Settings > Network & Internet > VPN > Add a VPN connection

VPN Provider: Windows (built-in)
Connection name: L2TP
Server name: 203.0.113.1
VPN Type: L2TP/IPsec with pre-shared key
Pre-shared key: <secret>
Type of sign-in info: User name and password
User name: <username>
Password: <secret>

2. Navigate to the Windows 10 Network connections.

Settings > Network & Internet > Status > Change Adapter Options > L2TP Adapter properties

Security > Allow these protocols > Microsoft CHAP Version 2 (MS-CHAP v2)

Related Articles


Back to Top