Readers will learn how to set up an L2TP-based VPN on the EdgeRouter via the CLI.
Note: the command "set vpn ipsec nat-networks allowed-network" that appears in this video is deprecated and not needed (this is currently handled by auto firewall or firewall rulesets).
Choose Authentication Mode
You can use only one authentication mode, either local or radius:
set vpn l2tp remote-access authentication mode (local or radius)
To authenticate against local user(s) defined on the EdgeRouter, use the following command:
set vpn l2tp remote-access authentication local-users username wizard password toto
To authenticate using an external RADIUS server, use the following command:
set vpn l2tp remote-access authentication radius-server 10.1.0.121 key testing123
To define an address pool to hand out to clients, use the following commands:
set vpn l2tp remote-access client-ip-pool start 172.16.44.111
set vpn l2tp remote-access client-ip-pool stop 172.16.44.120
To configure the IPSec authentication settings, use the following commands:
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret testing123
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
To automatically add the firewall rules and exclude IPsec traffic from NAT, use this command:
set vpn ipsec auto-firewall-nat-exclude enable
You have the option to change the MTU:
set vpn l2tp remote-access mtu 1024
Note: this MTU command is completely optional.
Outside Address and Next Hop
To configure the outside address and next hop, use the following commands:
set vpn l2tp remote-access outside-address 10.1.0.124
set vpn l2tp remote-access outside-nexthop 10.1.0.1
If a dynamic IP is received from the ISP, the two previous commands are not needed. Instead, use the following command:
set vpn l2tp remote-access dhcp-interface eth0
Note: When using a PPPoE connection, set the outside-address to 0.0.0.0.
Once connected, use the show vpn remote-access command to view the session:
ubnt@ubnt:~$ show vpn remote-access
Active remote access VPN sessions:

User       Time      Proto Iface Remote IP       TX pkt/byte  RX pkt/byte
---------- --------- ----- ----- --------------- ------ ------ ------ ------
wizard     00h56m38s L2TP  l2tp0 172.16.44.112    301   29.2K    240   19.3K
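As an added example (not part of the original guide), the following Python parses the session table printed by show vpn remote-access into records and flags any session whose Remote IP falls outside the client-ip-pool configured above (172.16.44.111 to 172.16.44.120), which is a cheap sanity check to run from a monitoring host. The sample output is constructed from the page's format; the "guest" line is made up to exercise the check.

```python
import ipaddress
import re

# Constructed sample in the format of `show vpn remote-access` on the EdgeRouter.
# The "wizard" line mirrors the page; the "guest" line is invented for the check.
SAMPLE_OUTPUT = """\
Active remote access VPN sessions:

User       Time      Proto Iface Remote IP       TX pkt/byte  RX pkt/byte
---------- --------- ----- ----- --------------- ------ ------ ------ ------
wizard     00h56m38s L2TP  l2tp0 172.16.44.112    301   29.2K    240   19.3K
guest      00h01m02s L2TP  l2tp1 10.9.9.9          12    1.1K      9    800
"""

# Client address pool as set with client-ip-pool start/stop on this page.
POOL_START = ipaddress.IPv4Address("172.16.44.111")
POOL_STOP = ipaddress.IPv4Address("172.16.44.120")

# One session row: user, uptime, protocol, interface, assigned IP, TX/RX counters.
SESSION_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<time>\d+h\d+m\d+s)\s+(?P<proto>\S+)\s+(?P<iface>\S+)\s+"
    r"(?P<remote_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<tx_pkt>\d+)\s+(?P<tx_bytes>\S+)\s+"
    r"(?P<rx_pkt>\d+)\s+(?P<rx_bytes>\S+)\s*$"
)


def parse_sessions(text):
    """Return one dict per session row; the header and separator lines do not match."""
    return [m.groupdict() for m in map(SESSION_RE.match, text.splitlines()) if m]


def uptime_seconds(uptime):
    """Convert the Time column (e.g. 00h56m38s) to seconds."""
    h, m, s = re.fullmatch(r"(\d+)h(\d+)m(\d+)s", uptime).groups()
    return int(h) * 3600 + int(m) * 60 + int(s)


def sessions_outside_pool(text, start=POOL_START, stop=POOL_STOP):
    """Usernames whose assigned address is not inside the configured client pool."""
    return [s["user"] for s in parse_sessions(text)
            if not start <= ipaddress.IPv4Address(s["remote_ip"]) <= stop]


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_OUTPUT):
        print(s["user"], s["remote_ip"], uptime_seconds(s["time"]), "s")
    print("outside pool:", sessions_outside_pool(SAMPLE_OUTPUT))
```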
The remote users will be establishing an L2TP session with the server running on the router, so the local firewall rule set must allow the following:
- IKE - UDP port 500
- L2TP - UDP port 1701
- ESP - protocol 50
- NAT-T - UDP port 4500 (if using NAT-T)