EdgeRouter - L2TP Server

Overview


Readers will learn how to configure the EdgeRouter to act as an L2TP (Layer-2 Tunnel Protocol) server for remote access.

Note: These instructions assume that eth0 is your WAN (Internet) connection. In step 3 you will use one command if your Internet service provider assigns your IP address via DHCP, and a different command if your Internet service provider gives you a static IP address.

Steps


Access the router's command line interface. You can do this using the CLI button while inside the Web UI or by using an SSH program such as PuTTY. PuTTY is generally quicker, as it allows easy copying and pasting (copy in Windows, paste using the right mouse button). 

Note: Commands that start with a pound (#) are explanatory comments that you do not need to enter.

The steps follow below:

1. Enter configuration mode.

configure

2. Show the ipsec configuration.

show vpn ipsec

3. (A) DHCP ONLY:  If you obtain your IP address from your internet service provider via DHCP, use this command:

set vpn l2tp remote-access dhcp-interface eth0

(B) STATIC IP ONLY:  If you have a static IP address and do NOT obtain your IP address from your internet service provider via DHCP, then use this command instead of the one above:

set vpn l2tp remote-access outside-address STATICIP

(B) Replace "STATICIP" in the command above with your actual static IP address!

(C) PPPoE: When using a PPPoE connection, set the outside-address to 0.0.0.0.

4. Set up the pool of IP addresses that remote VPN connections will assume. In this case we make 10 addresses available (from .101 to .110) on subnet 192.168.100.0/24. You can also issue IP addresses used in your subnet, but make sure that they do not overlap with IP addresses issued by your DHCP Server or used by other devices on your network.

set vpn l2tp remote-access client-ip-pool start 192.168.100.101
set vpn l2tp remote-access client-ip-pool stop 192.168.100.110

5. Set the IPsec authentication mode to pre-shared secret.

set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret

6. Set the pre-shared secret (replace "secret phrase" with your desired passphrase).

set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret "secret phrase"

7. Set the L2TP remote access authentication mode to local.

set vpn l2tp remote-access authentication mode local

8. Set the L2TP remote access username and password.

9. Replace testuser with your desired username and testpassword with your desired password. Repeat this line as needed.

set vpn l2tp remote-access authentication local-users username testuser password testpassword

10. Set the MTU.

set vpn l2tp remote-access mtu 1492

Note: this MTU command is optional.

11. Set DNS Servers:

set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4

12. Commit the change.

commit

13. Show the l2tp remote access configuration.

show vpn l2tp remote-access

14. Save the settings

save
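Step 4 warns that the L2TP client-ip-pool must not overlap the addresses your DHCP server hands out. The following Python script is an added example (not part of the original article or EdgeOS itself) that checks a proposed pool against the LAN subnet and DHCP range before you commit, and prints the two set commands from step 4 when the pool is clean. The DHCP range .38 to .100 is a constructed sample value.

```python
import ipaddress


def check_l2tp_pool(lan_subnet, dhcp_start, dhcp_stop, pool_start, pool_stop):
    """Return a list of problems with the proposed L2TP client-ip-pool.

    An empty list means the pool lies inside the LAN subnet, is ordered,
    avoids the network and broadcast addresses, and does not overlap the
    range issued by the DHCP server.
    """
    net = ipaddress.ip_network(lan_subnet, strict=True)
    d_lo, d_hi = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_stop)
    p_lo, p_hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_stop)
    problems = []
    if p_lo > p_hi:
        problems.append("pool start is after pool stop")
    for label, addr in (("start", p_lo), ("stop", p_hi)):
        if addr not in net:
            problems.append(f"pool {label} {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"pool {label} {addr} is the network or broadcast address")
    # Two ranges overlap unless one lies entirely before the other.
    if not (p_hi < d_lo or p_lo > d_hi):
        problems.append(f"pool {p_lo}-{p_hi} overlaps DHCP range {d_lo}-{d_hi}")
    return problems


def l2tp_pool_commands(pool_start, pool_stop):
    """The two EdgeOS set commands from step 4 for the given pool."""
    return [
        f"set vpn l2tp remote-access client-ip-pool start {pool_start}",
        f"set vpn l2tp remote-access client-ip-pool stop {pool_stop}",
    ]


if __name__ == "__main__":
    # Constructed sample: the article's pool .101-.110 on 192.168.100.0/24,
    # with a DHCP server scope of .38-.100 (assumed value, not from the article).
    problems = check_l2tp_pool("192.168.100.0/24", "192.168.100.38", "192.168.100.100",
                               "192.168.100.101", "192.168.100.110")
    if problems:
        print("Do not commit this pool:", *problems, sep="\n  ")
    else:
        print("\n".join(l2tp_pool_commands("192.168.100.101", "192.168.100.110")))
```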

15. Open the required ports and protocol using the Web UI.

16. Access the Web UI.  


Click on the "Security Tab" (in earlier versions of the firmware) or the "Firewall/NAT" tab and then "Firewall Policies" (in firmware version 1.5).


Find the "WAN_LOCAL" rule (or whatever you called the rule that controls access to the router), and click "Actions" to the right of it.  

Select "Edit Ruleset" from the pull-down.  

Add a new rule somewhere before you drop invalid packets as follows:

Basic Tab:  

  • Description:  Allow L2TP

  • Check Enable.  

  • Action:  Accept.  

  • Protocol:  Either UDP (1.5) or Choose a protocol by name:  udp (earlier versions) 

Destination Tab:  

  • Port:  500,1701,4500

# Click Save.

Add a new rule somewhere after the previous rule as follows:

Basic Tab:  

  • Description:  Allow ESP

  • Check Enable.  

  • Action:  Accept.  

  • Protocol:  Either enter a protocol number 50 or Choose a protocol by name:  esp

# Click Save.
