EdgeRouter - Set up L2TP over IPsec VPN server

Overview


Readers will learn how to set up an L2TP over IPsec VPN server on the EdgeRouter via the CLI.

Video Tutorial


Note: the command "set vpn ipsec nat-networks allowed-network" that appears in this video is deprecated and not needed. NAT exclusion for IPsec is now handled by the auto-firewall option (set vpn ipsec auto-firewall-nat-exclude enable) or by your own firewall and NAT rulesets.

Steps


Choose Authentication Mode

Only one authentication mode can be active at a time: local (user accounts defined on the router) or radius (an external RADIUS server).

set vpn l2tp remote-access authentication mode <local | radius>

Local Authentication

To authenticate against user accounts defined locally on the EdgeRouter, add one entry per user (the username wizard and the password toto below are placeholders):

set vpn l2tp remote-access authentication local-users username wizard password toto

The password is stored in clear text in the router configuration, so choose a strong one and treat configuration backups as sensitive.

RADIUS Authentication

To authenticate against an external RADIUS server, give its address and the shared secret (10.1.0.121 and testing123 below are placeholders; use a long random secret, since it protects the RADIUS exchange between the router and the server):

set vpn l2tp remote-access authentication radius-server 10.1.0.121 key testing123

Pool Address

To define an address pool to hand out to clients, use the following commands:

set vpn l2tp remote-access client-ip-pool start 172.16.44.111
set vpn l2tp remote-access client-ip-pool stop 172.16.44.120

IPSec Authentication

To configure the IPsec authentication settings, use the following commands. The pre-shared secret is shared by every client and only authenticates the IPsec tunnel; individual users are authenticated afterwards by L2TP/PPP (local or RADIUS, as configured above). Replace testing123 with a long random value. The IKE lifetime is in seconds.

set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret testing123
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600

Auto Firewall

To have the router automatically add the firewall rules for the VPN traffic and exclude IPsec traffic from NAT, use this command:

set vpn ipsec auto-firewall-nat-exclude enable

MTU

Optionally, lower the MTU of the L2TP interface, for example when clients see fragmentation or stalled connections through the tunnel:

set vpn l2tp remote-access mtu 1024

Note: this MTU command is completely optional.

Outside Address and Next Hop

If the WAN interface has a static address, configure the outside address (the address clients connect to) and the next hop with the following commands:

set vpn l2tp remote-access outside-address 10.1.0.124
set vpn l2tp remote-access outside-nexthop 10.1.0.1

If the WAN interface receives a dynamic address from the ISP, the two previous commands are not needed. Bind the server to the DHCP interface instead:

set vpn l2tp remote-access dhcp-interface eth0

Note: When using a PPPoE connection, set the outside-address to 0.0.0.0.

Show Command

Once a client has connected, use the show vpn remote-access command to view the session:

ubnt@ubnt:~$ show vpn remote-access
Active remote access VPN sessions:

User       Time      Proto Iface Remote IP       TX pkt/byte   RX pkt/byte
---------- --------- ----- ----- --------------- ------ ------ ------ ------
wizard     00h56m38s L2TP  l2tp0 172.16.44.112      301  29.2K    240  19.3K

Firewall Guidelines

Remote users first establish an IPsec tunnel and then an L2TP session with the server running on the router itself, so the local firewall ruleset (the rules applied to traffic addressed to the router, for example WAN_LOCAL if you used the wizard) must accept the following. The auto-firewall option above is meant to add these rules for you; if you manage the local ruleset by hand, or want to verify what is open, these are the flows:

  • IKE - UDP port 500
  • L2TP - UDP port 1701
  • ESP - IP protocol 50
  • NAT-T - UDP port 4500 (needed whenever a client sits behind NAT, which is the usual case for remote users)
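
The whole procedure above (authentication mode, address pool, IPsec secret, auto-firewall, outside address) together with the firewall guidelines, as one generator script. This is an added example and is not part of the Ubiquiti article: it prints the complete set of EdgeOS commands from a handful of parameters, generates random secrets in place of toto and testing123, and checks the inputs before anything reaches the router. The parameter names (AUTH_MODE, WAN_MODE, MANUAL_FW, LOCAL_RULESET and so on), the firewall rule numbers 50 to 52 and the default ruleset name WAN_LOCAL are this script's own assumptions; the "set vpn ..." lines are the article's commands and the firewall lines use standard EdgeOS firewall syntax.

```shell
#!/bin/sh
# Added example, not from the Ubiquiti article: build the complete EdgeOS
# configure-session command set for an L2TP/IPsec server from a few
# parameters, with sanity checks and randomly generated secrets.
# Parameter names (AUTH_MODE, WAN_MODE, MANUAL_FW, ...) and the firewall rule
# numbers are this script's own assumptions; every "set ..." line is the
# syntax from the article or standard EdgeOS firewall syntax.

# Random secret drawn from [A-Za-z0-9]; 32 characters is roughly 190 bits.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-32}"
}

# Dotted IPv4 -> integer, so the pool bounds can be compared numerically.
ip2int() {
    ( IFS=.; set -- $1; echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 )) )
}

# --- parameters (constructed example values; override via the environment) ---
AUTH_MODE="${AUTH_MODE:-local}"             # local | radius (only one may be used)
L2TP_USER="${L2TP_USER:-wizard}"
L2TP_PASS="${L2TP_PASS:-$(gen_secret 16)}"
RADIUS_SERVER="${RADIUS_SERVER:-10.1.0.121}"
RADIUS_KEY="${RADIUS_KEY:-$(gen_secret 32)}"
L2TP_PSK="${L2TP_PSK:-$(gen_secret 32)}"    # shared by every client, so make it long
POOL_START="${POOL_START:-172.16.44.111}"
POOL_STOP="${POOL_STOP:-172.16.44.120}"
WAN_MODE="${WAN_MODE:-dhcp}"                # dhcp | static
WAN_IF="${WAN_IF:-eth0}"
WAN_ADDR="${WAN_ADDR:-10.1.0.124}"
WAN_NEXTHOP="${WAN_NEXTHOP:-10.1.0.1}"
MANUAL_FW="${MANUAL_FW:-0}"                 # 1 = also emit explicit local-ruleset rules
LOCAL_RULESET="${LOCAL_RULESET:-WAN_LOCAL}" # ruleset for traffic addressed to the router

# Catch the mistakes that would otherwise only surface after "commit".
validate() {
    [ "$(ip2int "$POOL_START")" -lt "$(ip2int "$POOL_STOP")" ] ||
        { echo "client-ip-pool start must be below stop" >&2; return 1; }
    [ "${#L2TP_PSK}" -ge 20 ] ||
        { echo "pre-shared secret is shorter than 20 characters" >&2; return 1; }
    [ "$AUTH_MODE" = local ] || [ "$AUTH_MODE" = radius ] ||
        { echo "AUTH_MODE must be local or radius" >&2; return 1; }
    [ "$AUTH_MODE" != local ] || [ "${#L2TP_PASS}" -ge 12 ] ||
        { echo "local user password is shorter than 12 characters" >&2; return 1; }
}

# Print the "set" commands in the order the article presents them.
emit_l2tp_config() {
    echo "set vpn l2tp remote-access authentication mode $AUTH_MODE"
    if [ "$AUTH_MODE" = local ]; then
        echo "set vpn l2tp remote-access authentication local-users username $L2TP_USER password $L2TP_PASS"
    else
        echo "set vpn l2tp remote-access authentication radius-server $RADIUS_SERVER key $RADIUS_KEY"
    fi
    cat <<EOF
set vpn l2tp remote-access client-ip-pool start $POOL_START
set vpn l2tp remote-access client-ip-pool stop $POOL_STOP
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret $L2TP_PSK
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn ipsec auto-firewall-nat-exclude enable
EOF
    if [ "$WAN_MODE" = dhcp ]; then
        echo "set vpn l2tp remote-access dhcp-interface $WAN_IF"
    else
        echo "set vpn l2tp remote-access outside-address $WAN_ADDR"
        echo "set vpn l2tp remote-access outside-nexthop $WAN_NEXTHOP"
    fi
    # The four flows from "Firewall Guidelines" as rules toward the router
    # itself. UDP 1701 is accepted only when the packet arrived inside IPsec
    # (match-ipsec), so plaintext L2TP is never reachable from the WAN.
    if [ "$MANUAL_FW" = 1 ]; then
        cat <<EOF
set firewall name $LOCAL_RULESET rule 50 action accept
set firewall name $LOCAL_RULESET rule 50 description IKE-and-NAT-T
set firewall name $LOCAL_RULESET rule 50 protocol udp
set firewall name $LOCAL_RULESET rule 50 destination port 500,4500
set firewall name $LOCAL_RULESET rule 51 action accept
set firewall name $LOCAL_RULESET rule 51 description ESP
set firewall name $LOCAL_RULESET rule 51 protocol esp
set firewall name $LOCAL_RULESET rule 52 action accept
set firewall name $LOCAL_RULESET rule 52 description L2TP-inside-IPsec
set firewall name $LOCAL_RULESET rule 52 protocol udp
set firewall name $LOCAL_RULESET rule 52 destination port 1701
set firewall name $LOCAL_RULESET rule 52 ipsec match-ipsec
EOF
    fi
}

# Run as a script: check the parameters, then print the commands to paste
# into a "configure" session (follow with "commit" and "save" on the router).
validate && emit_l2tp_config
```

Run it on any POSIX shell, review the output, then paste it into a configure session on the router and finish with commit and save. Restricting UDP 1701 with ipsec match-ipsec is a tightening beyond the article's list: the L2TP port then only accepts packets that arrived through the IPsec tunnel, which is the only way a legitimate client ever sends them.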

 
