
EdgeRouter - L2TP IPsec VPN Server

Overview

Readers will learn how to configure an L2TP (Layer 2 Tunneling Protocol) over IPsec VPN server on the EdgeRouter.

NOTES & REQUIREMENTS:
  • Applicable to the latest EdgeOS firmware on all EdgeRouter models.
  • Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required.

Table of Contents

  1. Configuring the L2TP Server
  2. Setting up the L2TP Client
  3. Related Articles

Configuring the L2TP Server


[Topology diagram]

The EdgeRouter L2TP server provides VPN access to the LAN (192.168.1.0/24) for authenticated L2TP clients.

Follow the steps below to configure the L2TP VPN server on the EdgeRouter:

CLI: Access the Command Line Interface. You can do this using the CLI button in the Web UI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Add firewall rules for the L2TP traffic to the local firewall policy.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description ike
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp

set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description esp
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp

set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description nat-t
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp

set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description l2tp
set firewall name WAN_LOCAL rule 60 destination port 1701
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol udp
NOTE: Make sure to not overwrite any existing firewall rules.

3. Configure the server authentication settings. In this example we are using a pre-shared secret for IPsec and local authentication for the L2TP users.

set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>

set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username <username> password <secret>

Alternatively, use RADIUS instead of local authentication:

set vpn l2tp remote-access authentication mode radius
set vpn l2tp remote-access authentication radius-server <address> key <secret>

4. Define the IP address pool that will be used by the VPN clients.

set vpn l2tp remote-access client-ip-pool start 192.168.100.240
set vpn l2tp remote-access client-ip-pool stop 192.168.100.249
NOTE: You can also issue addresses in the local subnet, but make sure that they do not overlap with those issued by the DHCP server.

5. Define the DNS server(s) that will be used by the VPN clients.

set vpn l2tp remote-access dns-servers server-1 <address>
set vpn l2tp remote-access dns-servers server-2 <address>

6. Define the WAN interface which will receive L2TP requests from clients. Configure only one of the following statements:

Your WAN interface receives an address through DHCP.

set vpn l2tp remote-access dhcp-interface eth0

Your WAN interface is configured with a static address.

set vpn l2tp remote-access outside-address <wan-address>

Your WAN interface receives an address through PPPoE.

set vpn l2tp remote-access outside-address 0.0.0.0

7. Define the IPsec interface that will receive L2TP requests from clients (eth0 in this example).

set vpn ipsec ipsec-interfaces interface eth0

8. Lower the MTU for L2TP traffic.

set vpn l2tp remote-access mtu <value>

9. Commit the changes and save the configuration.

commit ; save
NOTE: The show vpn remote-access and show vpn ipsec sa commands can be used to verify the VPN client sessions.

Full CLI configuration below:

configure

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description ike
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description esp
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description nat-t
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description l2tp
set firewall name WAN_LOCAL rule 60 destination port 1701
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol udp

set vpn ipsec ipsec-interfaces interface <id>

set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username <username> password <secret>
set vpn l2tp remote-access client-ip-pool start 192.168.100.240
set vpn l2tp remote-access client-ip-pool stop 192.168.100.249
set vpn l2tp remote-access dns-servers server-1 <address>
set vpn l2tp remote-access dns-servers server-2 <address>
set vpn l2tp remote-access outside-address <address>
set vpn l2tp remote-access mtu <value>

commit ; save
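The script below is an added example, not part of the original article or of EdgeOS: it audits a saved set of `set` lines for the points the steps above depend on, namely that IKE (udp/500), ESP and NAT-T (udp/4500) are accepted, that udp/1701 is accepted only with `ipsec match-ipsec` (so plain L2TP never reaches the router unencrypted), and that the client pool does not overlap the DHCP range from the note in step 4. The sample configuration and the DHCP range used in the checks are constructed values; it assumes Python 3.8 or later.

```python
import ipaddress
import re

# Constructed sample: the article's WAN_LOCAL rules and client pool, with the
# rule descriptions and log settings omitted (they do not affect the checks).
SAMPLE_CONFIG = """\
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 protocol esp
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 protocol udp
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 destination port 1701
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec
set firewall name WAN_LOCAL rule 60 protocol udp
set vpn l2tp remote-access client-ip-pool start 192.168.100.240
set vpn l2tp remote-access client-ip-pool stop 192.168.100.249
"""
RULE_RE = re.compile(r"^set firewall name (\S+) rule (\d+) (.+?) (\S+)$")
POOL_RE = re.compile(r"^set vpn l2tp remote-access client-ip-pool (start|stop) (\S+)$")


def audit_l2tp(text, policy="WAN_LOCAL", dhcp_range=None):
    """Return a list of findings; an empty list means every check passed."""
    rules, pool = {}, {}
    for line in text.splitlines():
        if m := RULE_RE.match(line.strip()):  # key such as "destination port", value "500"
            rules.setdefault((m[1], m[2]), {})[m[3]] = m[4]
        elif m := POOL_RE.match(line.strip()):
            pool[m[1]] = ipaddress.ip_address(m[2])
    accepts = [a for (p, _), a in rules.items() if p == policy and a.get("action") == "accept"]
    accepted = lambda proto, port=None: [a for a in accepts if a.get("protocol") == proto
                                         and (port is None or a.get("destination port") == port)]
    findings = []
    # IKE, ESP and NAT-T must reach the router, or no IPsec SA is ever established.
    for proto, port in (("udp", "500"), ("esp", None), ("udp", "4500")):
        if not accepted(proto, port):
            findings.append(f"{policy}: no accept rule for {proto}{'/' + port if port else ''}")
    # udp/1701 may only be accepted when the packet arrived inside the IPsec tunnel.
    l2tp = accepted("udp", "1701")
    if not l2tp or any(a.get("ipsec") != "match-ipsec" for a in l2tp):
        findings.append(f"{policy}: udp/1701 must be accepted only with 'ipsec match-ipsec'")
    # The client pool must not collide with addresses the DHCP server hands out.
    if dhcp_range and "start" in pool and "stop" in pool:
        lo, hi = map(ipaddress.ip_address, dhcp_range)
        if not (pool["stop"] < lo or pool["start"] > hi):
            findings.append("client-ip-pool overlaps the DHCP range")
    return findings
```

Feed it the output of `show configuration commands` from the router (saved to a file) and pass the DHCP server's start and stop addresses as `dhcp_range`.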

Setting up the L2TP Client


The next step is to configure the L2TP VPN settings on the client(s). Make sure to match the credentials on the client and server (EdgeRouter).

Windows L2TP VPN Client

In this section, we are using a Windows 10 machine as the L2TP client.

1. Add a new VPN connection.

Settings > Network & Internet > VPN > Add a VPN connection

VPN Provider: Windows (built-in)
Connection name: L2TP
Server name: 203.0.113.1
VPN Type: L2TP/IPsec with pre-shared key
Pre-shared key: <secret>
Type of sign-in info: User name and password
User name: <username>
Password: <secret>

2. Navigate to the Windows 10 Network connections to change the allowed security protocols.

Settings > Network & Internet > Status > Change Adapter Options > L2TP Adapter properties

Security > Allow these protocols > Microsoft CHAP Version 2 (MS-CHAP v2)

macOS L2TP VPN Client

In this section, we are using an Apple macOS computer as the L2TP client.

1. Add a VPN connection in the network settings.

System Preferences > Network > "+"

Interface: VPN
VPN Type: L2TP over IPSec
Service name: VPN (L2TP)

2. Adjust the newly created L2TP over IPsec interface.

System Preferences > Network > VPN L2TP

Configuration: Default
Server Address: 203.0.113.1
Account Name: <username>

3. Add the authentication settings.

System Preferences > Network > VPN L2TP > Authentication Settings

User Authentication: <password>
Machine Authentication: <secret>

4. Send all traffic through the VPN connection.

System Preferences > Network > VPN L2TP > Advanced

Session Options: Send all traffic over VPN connection (checked)

Related Articles


EdgeRouter - PPTP VPN Server

EdgeRouter - OpenVPN Server

Intro to Networking - How to Establish a Connection Using SSH
