EdgeRouter L2TP IPSec Server Setup

  • Published on Nov 22, 2016
  • ***** NO NEED TO CHANGE THE ADVANCED SETTINGS LIKE I SHOW HERE ON THE FIREWALL RULES ***** Since Apple removed PPTP in iOS 10 people have been asking about setting up the L2TP IPSec server on an EdgeRouter. See the comment below about adjusting your MTU if you can't connect after using my configuration!
    Enjoy!
    Here are the commands:
    configure
    set vpn ipsec ipsec-interfaces interface eth0
    set vpn ipsec nat-traversal enable
    set vpn l2tp remote-access authentication mode local
    set vpn l2tp remote-access authentication local-users username whowe password LETMEIN!
    set vpn l2tp remote-access client-ip-pool start 192.168.66.20
    set vpn l2tp remote-access client-ip-pool stop 192.168.66.22
    set vpn l2tp remote-access dns-servers server-1 8.8.8.8
    set vpn l2tp remote-access dns-servers server-2 4.2.2.2
    set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
    set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret REALLYLETMEIN!
    set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
    set vpn ipsec auto-firewall-nat-exclude enable
    set vpn l2tp remote-access dhcp-interface eth0
    commit
    save
    You then need firewall rules in WAN_LOCAL for:
    IKE - UDP 500; L2TP - UDP 1701; ESP - Protocol 50; NAT-T UDP 4500
    Thank you again! Please subscribe, comment, share, and give a thumbs-up!
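    As an added example (not the video's or Ubiquiti's code), here is a small Python checker that reads the description's `set` lines, rejects keys outside the ones this page uses (which catches the "ipsesc-settings" typo commenters reported), insists on exactly one of `dhcp-interface` or `outside-address` (the static-WAN question in the comments), flags a missing `mtu`, and emits the four WAN_LOCAL accept rules. The WAN_LOCAL rule numbers and the `ipsec match-ipsec` line are assumptions drawn from general EdgeOS firewall syntax, not from the video.

```python
"""Sanity-check EdgeOS L2TP/IPsec remote-access 'set' lines before committing.
Constructed example for this page; not the video author's or Ubiquiti's code."""
from typing import Dict, List, Tuple

RA = "vpn l2tp remote-access "
# Keys used by the page's commands (description plus comments). Anything else is
# reported, so the "ipsesc-settings" typo commenters hit fails here, not at commit.
KNOWN_KEYS = sorted([
    "vpn ipsec ipsec-interfaces interface", "vpn ipsec nat-traversal",
    "vpn ipsec auto-firewall-nat-exclude", RA + "authentication mode",
    RA + "authentication local-users username", RA + "client-ip-pool start",
    RA + "client-ip-pool stop", RA + "dns-servers server-1", RA + "dns-servers server-2",
    RA + "ipsec-settings authentication mode", RA + "ipsec-settings ike-lifetime",
    RA + "ipsec-settings authentication pre-shared-secret", RA + "dhcp-interface",
    RA + "outside-address", RA + "outside-nexthop", RA + "mtu",
], key=len, reverse=True)  # longest prefix wins when matching a line

# The description's commands, embedded as constructed sample input (DNS lines omitted).
SAMPLE = """configure
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username whowe password LETMEIN!
set vpn l2tp remote-access client-ip-pool start 192.168.66.20
set vpn l2tp remote-access client-ip-pool stop 192.168.66.22
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret REALLYLETMEIN!
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn ipsec auto-firewall-nat-exclude enable
set vpn l2tp remote-access dhcp-interface eth0""".splitlines()


def parse_set_lines(lines: List[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Map known keys to their value string(s); unknown 'set' bodies come back separately."""
    config: Dict[str, List[str]] = {}
    unknown: List[str] = []
    for body in (l.strip()[4:] for l in lines if l.strip().startswith("set ")):
        key = next((k for k in KNOWN_KEYS if body == k or body.startswith(k + " ")), None)
        if key is None:
            unknown.append(body)
        else:
            config.setdefault(key, []).append(body[len(key):].strip())
    return config, unknown


def check(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (level, message) findings; no 'error' entries means the lines are consistent."""
    cfg, unknown = parse_set_lines(lines)
    out = [("error", f"unknown key (typo?): set {u}") for u in unknown]
    if cfg.get("vpn ipsec nat-traversal") != ["enable"]:
        out.append(("error", "nat-traversal must be enabled for clients behind NAT (LTE/4G phones)"))
    if "vpn ipsec ipsec-interfaces interface" not in cfg:
        out.append(("error", "ipsec-interfaces interface (the WAN interface) is missing"))
    if sum(k in cfg for k in (RA + "dhcp-interface", RA + "outside-address")) != 1:
        out.append(("error", "set exactly one of dhcp-interface (DHCP WAN) or outside-address (static WAN)"))
    if RA + "outside-address" in cfg and RA + "outside-nexthop" not in cfg:
        out.append(("warn", "static WAN: outside-nexthop (your WAN gateway) is not set"))
    if (cfg.get(RA + "ipsec-settings authentication mode") == ["pre-shared-secret"]
            and RA + "ipsec-settings authentication pre-shared-secret" not in cfg):
        out.append(("error", "authentication mode is pre-shared-secret but no secret is set"))
    if RA + "mtu" not in cfg:
        out.append(("warn", "mtu not set; commenters needed 'mtu 1492' before iOS clients connected"))
    return out


def wan_local_rules(base: int = 30) -> List[str]:
    """EdgeOS lines for the four WAN_LOCAL accept rules the description lists. Rule
    numbers are an assumption; the L2TP rule only accepts 1701 arriving inside IPsec."""
    wanted = [("ike", "udp", "500"), ("esp", "esp", None),
              ("nat-t", "udp", "4500"), ("l2tp", "udp", "1701")]
    lines: List[str] = []
    for i, (name, proto, port) in enumerate(wanted):
        pre = f"set firewall name WAN_LOCAL rule {base + 10 * i} "
        lines += [pre + "action accept", pre + f"description {name}", pre + f"protocol {proto}"]
        if port:
            lines.append(pre + f"destination port {port}")
        if name == "l2tp":
            lines.append(pre + "ipsec match-ipsec")  # bare L2TP that is not inside ESP stays blocked
    return lines
```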

Comments • 101

  • Moidurrahaman Moidurrahaman

    Nice video sir

  • Bryan Everett
    Bryan Everett Month ago +6

    "set vpn l2tp remote-access dhcp-interface eth0" - What is the proper command if I'm using static ip?

  • Aubrey Peacock
    Aubrey Peacock 2 months ago

    Hi Willie Howe, thanks for the great video! However, when I try to connect from Windows 10 using the built-in VPN client, I get "The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password does not match...".

    However, I followed your instructions down to a T for both the server and client. The client is setup as L2TP/IPSec PSK. Are you aware of this error and what's causing it?

  • Networking Tutorials
    Networking Tutorials 2 months ago

    Giving me this error:
    L2TP VPN configuration error: "vpn ipsec nat-networks" must be specified.

  • jonathan velazquez
    jonathan velazquez 2 months ago

    Sorry about my ignorance, but what's IKE? I am an amateur.

  • Devan Munn
    Devan Munn 3 months ago

    This is a solid tutorial. I've tried several other L2TP/IpSec guides for edgerouter, with no success. You checked all the boxes and it worked right away. TY.

  • Emilios A.T
    Emilios A.T 4 months ago

    I did exactly the same thing in my router (er 3-lite) , it works for a day and then it stops. I thought maybe it was my router so i configured the same on a er4 and an edgerouter x. All routers have static public ip on the pppoe0 interface and all routers l2tp-vpn works fine for a day and then stops (until i reboot the router).

  • luis fernando chikito g.

    Hello I'm from Mexico, an apology for the language I'm using Google translator I have a question about the connection, I have an edgemax router where 3 ports are being used for three LANs, when the router is configured to send the packets to the ether 2 , 3, or 4 can I specify the port of entry to the vpn and the port of the LAN NETWORK that I want them to be?

  • Curtis Gregory
    Curtis Gregory 8 months ago +2

    i am sorry but did you mean to click Invalid in the Advanced tab in IKE?

  • Michal Fira
    Michal Fira 8 months ago

    and another one which I can't find in UBNT support L2TP guide - set vpn ipsec auto-firewall-nat-exclude enable - what it does?

  • Michal Fira
    Michal Fira 8 months ago

    Silly question - what does this command do? "set vpn ipsec nat-traversal enable"? I don't see that command line in the UBNT support L2TP guide.

  • DiscountCell
    DiscountCell 9 months ago

    Hi Willie. Thanks for the video. A couple of questions. What is your starting config (basic setup or something else)? Also, if we have a DHCP server on the LAN network we are connecting to already, do you disable the DHCP server on the edge router and use eth1 to connect to the current DHCP network?

  • Drew Orf
    Drew Orf 10 months ago

    Dude you saved my ass with this, you are awesome thanks

  • Brendan M
    Brendan M Year ago

    Can I use this for client-to-site vpn while also running site-to-site?

    • Brendan M
      Brendan M Year ago

      I'm struggling to get this working. If I sent you my vpn config would take a look at it?

    • Willie Howe
      Willie Howe  Year ago

      Yup!

  • Justin Farley
    Justin Farley Year ago

    Another EXCELLENT video. Thanks again.

  • Sindre Halbjørhus

    Hi Willie.
    I follow your great channel and videos. Very good work. Can you maybe make a tutorial on how to connect an Ubuntu server as a client to an EdgeRouter IPSec server? e.g. from a DigitalOcean droplet? I think this would be a great video for many others as well :) Regards.

  • Westy's How To Guides

    Hi There, thanks for the Vid - I like the no muck around speedy method you are using here (taking it for granted that people are smart enough to pause and rewind if necessary) - Like it!
    I have not been able to get this to work at all. As someone mentions below, there is an error in your description line syntax.
    set vpn l2tp remote-access ipsesc-settings ike-lifetime 3600
    should be:
    set vpn l2tp remote-access ipsec-settings ike-lifetime 3600 => you might want to edit your description for all the copy and pasters out there Lol
    I am trying it on another client but to date cannot get it to work on an Android mobile client. Thanks anyway, Westy

  • Bryan St. Clair
    Bryan St. Clair Year ago

    My eth0 is not DHCP but static. I get an error for dhcp-interface. Any ideas?

  • vidsbytsg
    vidsbytsg Year ago

    Loved the video, and followed all of your steps. I have an EdgeRouter Pro with v1.10.0. I cannot get any VPN connections established. I have a No-IP account and used that in the DNS settings. With no VPN or L2TP configurations set I am able to connect via RDP so I know I can get in from outside the router. Does the L2TP user name need to match the No-IP Account User Name?
    I get an error "Could Not Establish connection to the PPP Server".
    Does the VPN client information need to match the IPSEC information? And the only reference to anything on NO-IP is the host-name?

  • Mr Nvr
    Mr Nvr Year ago

    One more minor correction:
    "set vpn l2tp remote-access ipsesc-settings ike-lifetime 3600"
    - there's an extra "s" in "ipsesc" - it should be:
    "set vpn l2tp remote-access ipsec-settings ike-lifetime 3600"

  • Lord Baboon
    Lord Baboon Year ago

    Thanks for the guide, worked perfect !
    Just one question,if i would like to access the local network, for example download/upload a file to or from my server, what rule do i add ?
    (I cant see any devices on my network, but i can use internet and reach the router for example.)

  • Paul Francis
    Paul Francis Year ago

    Great video. Really enjoying my new Edge Router X but my setup is slightly different in that I have a modem that gets internet via ADSL using RJ11. That device then connects to the Edge Router eth0 with a static IP address. The Edge Router X gateway is the IP address of the modem and the Name Server of the Edge Router X is the IP address of the modem. I have forwarded the ports from the modem to the Edge Router X but I still can't get it to work. Any ideas?

  • Nathan van den Berg

    Great how-to video! I was unable to get my iPhone to connect until I added 'set vpn l2tp remote-access mtu 1492'.
    Works like a charm now.

  • Kevin Bundy
    Kevin Bundy Year ago +1

    Hi, I setup this up, everything worked fine, but then my phone died a few months later. I cannot remember the username, password or secret. Is there any way to find out those details in a config file? Thanks

  • HB noip
    HB noip Year ago

    hi! thanks for great video... Q: i cant connect to my VPN over 4G but if the iphone is on my edgerouter network and i try to connect to the VPN then it works.... please help

  • Harry Smith
    Harry Smith Year ago

    I followed your steps. The connection worked only once. Most of the time, I get "The L2TP-VPN server did not respond". Am I missing something? Any tips highly appreciated.

  • Nick W
    Nick W Year ago

    Hi Willie, Wanted to say thanks for the video. With your instruction, I was able to get 3 ER-X configured for external VPN access. The three sites are also connected via site-to-site VPNs. The site-to-site VPNs are being used to carry the building's HVAC control network and the LT2P allows us to remotely connect to monitor, troubleshoot and adjust the control network as necessary. Kudos to you and keep doing what you're doing.

  • Jerry Gulla
    Jerry Gulla Year ago

    I watched this (great!) vid and performed the steps. I was able to establish a connection locally (i.e. within my home network) but not from the outside. I assume I have a Firewall rule that's block that. Are there suggested FW rules to make sure this gets through from the outside?

  • James Simmons
    James Simmons 2 years ago +1

    Awesome video. I followed all of the instructions and I am able to connect to the VPN, but I have no internet access when connected and I'm not able to see any of my office network resources. I have double checked the firewall rules and looked at every Forum I could find, without any success. I am running edgemax version 1.9.7 with hotfix 1.

  • Brian Ng
    Brian Ng 2 years ago

    Did i need to set the client default gateway? Because when i connect success but the detail show default gateway is empty in windows vpn network interface?

  • Klementoso
    Klementoso 2 years ago +1

    Hey Willie,

    I just bought a ER-X to play around with it a little. I followed every step including the MTU(from the comment). I'm currently on a DSL connection from a provider which doesn't offer support for bridging. Therefore I tried to connect from an iPhone on the Wi-Fi through the WAN-port of the ER-X.

    I found out that I needed to tick the "New" box in the IKE firewall rule instead of the "invalid" box. Was this a little mistake in the video? On all the other rules you tick New instead of Invalid so it seems logical to me.
    Cheers!

    • Klementoso
      Klementoso Year ago

      You're welcome!

    • Harry Smith
      Harry Smith Year ago +1

      Klementoso: OMG, I sent hours trying to figure out why my MacOS High Sierra wouldn't connect and your comment about making the IKE firewall rule set to "New" and uncheck "Invalid" box did it! I think the video is wrong and you're right. Thank you!!!!

  • vjoenito5
    vjoenito5 2 years ago +2

    I didn't see the static command for those with Static WAN's...if you need it here you go -----> set vpn l2tp remote-access outside-address xxx.xxx.xxx.xxx other than that your video IS FREAKING AWESOME!!!!

    • Ronald Bruna
      Ronald Bruna 7 months ago

      Hello vjoenito5. I've been trying to set up the VPN server without any luck... I've a Cable modem connection with a modem that has been flashed with a very limited interface... I can't do NAT bridge or anything other than port forwarding. I've set up another vpn server with this same configuration successfully but with a ADSL modem in Bridge mode... so I use the static public address... but with the cable modem, what do I have to do? in vpn l2tp remote-access outside address do I enter the public IP address? or the WAN-LAN IP the modem/router is giving the Edgerouter?

  • Cristian Zamora
    Cristian Zamora 2 years ago

    Hey Willie, once again a great video.
    I would like to ask for possibly an updated video for v1.9.1.1 since some of the commands have been deprecated and then maybe go through the client side setup of a Windows 10 computer.

  • David Dennis
    David Dennis 2 years ago

    Well darn, upon doing the commit it fails with the error message L2TP VPN configuration error: "vpn ipsec nat-networks" must be specified What did I miss? Where was this done?
    Thanks!

  • BJ2019
    BJ2019 2 years ago

    Hi Willie, is there any chance you could help me with configuring my router to use PIA? My router is a TP-Link TL-ER604W.

  • hjulien
    hjulien 2 years ago

    Hey Willie, do you happen to have a solution for name resolution for VPN clients? Everything works great except that I need to access resources using the IP addresses.
    Thanks!
    H

  • Gus Evening
    Gus Evening 2 years ago +2

    worked like a charm. However i can't access my site to site vpns when connected from the ios client. I can only access the local network on the edge router. Any suggestions?

  • Dustan Korte
    Dustan Korte 2 years ago

    what are the allow established/related and drop invalid state rules? do I need them?

  • luvencl
    luvencl 2 years ago

    Thanks for the video. Like others, I am running IOS 10. I am brand new to edge routers and cli. Couple of questions. Why are you using CLI? Just because it is easier or is it required for some hidden functions?
    I followed along but when I got to set vpn IPSec..... I get "Set Failed" the specified configuration mode is not valid.
    Keep in mind this is a new factory defaulted unit. Running on 1.91. And help is appreciated.
    And are these supposed to run a little hot? Mine is very warm.

    • Willie Howe
      Willie Howe  2 years ago

      You can't do this in the gui unless you use the config tree. Yes they run warm.

  • Dean Murphy
    Dean Murphy 2 years ago +2

    Having followed your instructions to the letter, I could not establish an l2tp connection from my iPhone. The support article on the Ubiquiti site (help.ubnt.com/hc/en-us/articles/204950294-EdgeRouter-L2TP-Server) mentioned setting the mtu (set vpn l2tp remote-access mtu 1492) which I tried as a last resort. As soon as I did that, I was able to connect.
    No idea what the default mtu is on the EdgeMax but whatever it was, the iPhone vpn client doesn't seem to like it.

    • Willie Howe
      Willie Howe  2 years ago +1

      Thanks for the tip! Will follow up in a video on Wed/Thursday with this!

  • MrThomaspilk
    MrThomaspilk 2 years ago

    Just subscribed and starting watching your videos. Like what I have watched so far. Can you please do a video on creating a Remte User VPN on a USG Pro and connecting to it with an iPad?

  • Russell Gunn
    Russell Gunn 2 years ago

    Hey Buddy. On the subject of vpn have you seen a way on an edgerouter to enable or disable a vpn profile without deleting it?

  • Baxter Oswald
    Baxter Oswald 2 years ago

    The last command,
    "set vpn l2tp remote-access dhcp-interface eth0" - eth0 is where your WAN comes in?

  • Damien LeVeck
    Damien LeVeck 2 years ago

    Have you ever configured the EdgeRouter to force all clients to use a VPN service like PIA?

    • Doobry W
      Doobry W 2 years ago

      Ignore me, just tried again and discovered the firewall rules had disappeared and were back to PPTP settings, works fine now :-) Thanks for this video!!

    • Doobry W
      Doobry W 2 years ago

      Any idea when that might be coming? I still can't get mine working! Thanks..!

    • Willie Howe
      Willie Howe  2 years ago

      Damien LeVeck Yes, I am redoing my video because some suggested I make a few tweaks. Should be out in the next couple weeks.

  • NOK JR
    NOK JR 2 years ago

    I'm trying to configure L2TP on my router following you; it can help me. Thank you for your suggestion.

  • Mac M
    Mac M 2 years ago

    Great Videos! I set this up on 3 Edgerouter Lite V1.9.1's and on 2 of them after about a day I can't connect to the l2tp vpn anymore. Only 1 person uses it regularly so I only setup the client pool with 2 IP addresses and have static IP on the WAN. Let me know if you have any suggestions. Thanks!

  • Ma Fu
    Ma Fu 2 years ago

    Is it possible to configure the VPN if the EdgeRouter is in a local network and eth0 gets its IP not from the ISP but instead from a local DHCP server?

  • Shea P
    Shea P 2 years ago

    When I went through these steps I received an error on commit. ":error: "vpn IPsec nat-networks" must be specified"Do you know what I may have done wrong? I do use a Static IP from my ISP so I replaced the last line from you procedure with the one that you have shown in your comments.What else am I missing?

  • KY Mobile Media
    KY Mobile Media 2 years ago +2

    I set this up, and everything connects just fine. I am able to bring up the router interface just fine after connecting, but I cannot access anything beyond the router on the internal network. It is like the router is blocking my traffic. Do I need to create any kind of NAT entries for the VPN users?

    • RickSk
      RickSk Year ago +1

      I had the same issue, it was basically the load-balancing feature messing with the l2tp connections. I set up the l2tp pool in a separate subnet, then added this subnet in the LAN to LAN load-balancing exclusion firewall rule, it worked flawlessly afterwards.

  • DonChamon
    DonChamon 2 years ago +1

    Hi Willie, is it possible to set a firewall rule so that VPN clients aren't allowed to connect to my local devices?
    Thanks for the video :)
    Sorry, my English isn't the best.

  • Florian Preuß
    Florian Preuß 2 years ago

    Thanks Willie for the great video. Unfortunately it does not work for me and my EdgeRouter X on 1.9.0. I can't connect via iPhone or MacBook Pro Retina. The CLI saved the configuration but gave me a warning "sudo unable to resolve host". Anyone an idea what's wrong with this or how I can get this to work? Any help is highly appreciated!!!

  • Allen Menard
    Allen Menard 2 years ago

    Thank you Willie for the awesome tutorial, I was able to do everything and I can connect to the VPN user my ddns name such as whatever.ddns.net when using WiFi on my iPhone but as soon as I turn off WiFi and try to use LTE to simulate a remote connection it fails with "L2TP-VPN server did not respond..blah blah" . I suspect this is probably because at 4:10 in the video you mention this is for local users only?
    What commands do I need to run to add the same user so it works with my LTE or is their more than just a couple commands to accomplish this? Thanks again!

    • Allen Menard
      Allen Menard 2 years ago

      I now have this working 100%, I tried everything and it didn't work and a user on the Ubiquiti forums suggested to delete the rules that were added, I did and the problem remained. Tonight I re-added the rules and everything is working 100% and I can use my ddns name with L2TP-IPSec from an iPhone or my laptop tethered to the phone and its working, thanks again for the great video Willie!

    • Allen Menard
      Allen Menard 2 years ago

      Thanks for the info Willie, I just had noticed while trying to figure out why I couldn't connect over LTE that another video showed the "50" being chosen but if it works either way that's good to know.

    • Willie Howe
      Willie Howe  2 years ago

      No and I don't think it is a mistake.. ESP can be done by name or number I do believe... try it out.

    • Allen Menard
      Allen Menard 2 years ago

      Would that mistake cause the problem that I can't connect to the VPN from an iPhone while on LTE but I can on Wi-Fi?

    • Allen Menard
      Allen Menard 2 years ago

      Also Willi, no disrespect but was a possible error made when at 8:14 in the video when you are configuring ESP you "Choose a protocol by name" when I think you meant to choose "Enter a protocol number" and then you would enter "50" as you mention in the video notes at the bottom of the commands? Eg; IKE - UPD 500; L2TP - UDP 1701; ESP - Protocol 50; NAT-T UDP 4500

  • HB
    HB 2 years ago

    how to install noip to the EdgeRouter Lite?

    • Allen Menard
      Allen Menard 2 years ago

      These commands work on a ERPRO8 so I imagine they work on your model?
      Use the CLI in the router and this should work, replace the XXXXXX with your info and your ddns name, this is assuming your WAN interface is eth0, if not change to whatever your WAN interface is
      configure
      set service dns dynamic interface eth0 service noip host-name XXXXXXXX.ddns.net
      set service dns dynamic interface eth0 service noip login XXXXXXXX
      set service dns dynamic interface eth0 service noip password XXXXXXXX
      set service dns dynamic interface eth0 service noip protocol noip
      set service dns dynamic interface eth0 service noip server dynupdate.no-ip.com
      commit
      save
      exit

  • Bob Koss
    Bob Koss 2 years ago

    I get the error "server did not respond" when trying to connect from my iPhone. Yet I have this in /var/log/messages:
    Dec 14 05:22:34 ubnt xl2tpd[1756]: Connection established to 10.0.0.102, 61657. Local: 57606, Remote: 1 (ref=0/0). LNS session is 'default'
    Dec 14 05:22:34 ubnt xl2tpd[1756]: Call established with 10.0.0.102, Local: 24748, Remote: 372, Serial: 1
    admin@ubnt:/var/log$

    • Willie Howe
      Willie Howe  2 years ago

      Bob Koss I will have to set it up again this weekend and see if I can replicate your error.

  • Bob Koss
    Bob Koss 2 years ago

    Of course it doesn't work for me. Is there a file I can show someone to see what might be wrong?

  • Andrzej Szkarapat
    Andrzej Szkarapat 2 years ago

    Would you mind explaining why I don't get the default gateway
    and can't ping any local devices?
    Thank you

  • Stephen Hamilton
    Stephen Hamilton 2 years ago

    What video capturing software do you use?

    • Willie Howe
      Willie Howe  2 years ago

      Good stuff! Get the demo. Thanks for being a subscriber!

    • Stephen Hamilton
      Stephen Hamilton 2 years ago

      Very quick response! Bought Snagit from TechSmith yesterday, but I am after the cursor highlights which unfortunately snagit lacks. Don't know if I can justify Camtasia's price tag. Thanks though!

    • Willie Howe
      Willie Howe  2 years ago

      Stephen Hamilton Check out Camtasia by TechSmith.

  • Samuel Chan
    Samuel Chan 2 years ago

    Hi Willie, I love your videos! Will you be doing an OpenVPN server video for the Edgerouter?

  • Warwick Jaensch
    Warwick Jaensch 2 years ago

    Great video Willie, very helpful. Thanks!!

    • Warwick Jaensch
      Warwick Jaensch 2 years ago +1

      I'm using PPPoE so I had to set outside-address to 0.0.0.0; worked well.

  • Regent Lemay
    Regent Lemay 2 years ago

    Thanks for your vid, I searched all the time to get it working; I will keep your video for reference. But now I would like to know what speed you can reach before and after the VPN is active? I have an Edge Router Lite, does yours have more speed?

    • Willie Howe
      Willie Howe  2 years ago

      Regent Lemay Speed should be decent as you can offload ipsec.

  • Dmitriy
    Dmitriy 2 years ago +10

    great vid. would love to see the client version.
    BTW, your ike-lifetime in the description says "ipsesc"

  • Shah Rewl
    Shah Rewl 2 years ago

    it would be great if u post a vid for setting up for the client side. on the router that is. maybe setup normal lan on eth1, then l2tp client on eth2? assuming eth0 is wan.

  • sviesis
    sviesis 2 years ago

    is it possible to add a static IP for VPN user, to be able to limit user access to local resources using firewall rules?

  • Adam Livingston
    Adam Livingston 2 years ago

    Another great video, thanks Willie. The only problem is that those lights are a little too bright so if you could just turn them down a little... JK, it really looks great.

  • InfinityRC
    InfinityRC 2 years ago

    Nice Video, i have done the same a few days ago, now i'm trying to build a Site to Site VPN from my USG(Home) to the ER(CoLocation in Datacenter) but can't get it to connect, all other Clients eg. iPhone, MacBooks and my Synology NAS have no Problems with it

    • InfinityRC
      InfinityRC 2 years ago

      Willie Howe haha thanks, I have a spare ERX I could use but I like the USG and want to get that up and running, or I'll just throw a small USG in the zero space of my rack

    • Willie Howe
      Willie Howe  2 years ago

      I'll trade you that USG Pro for an EdgeRouter X.. :)

    • InfinityRC
      InfinityRC 2 years ago

      Willie Howe thought the same but it's a USG Pro and I don't want the cable mess with an ERX in my rack. I have to find out how to set it up via CLI then :) hoped you tried something like that too

    • Willie Howe
      Willie Howe  2 years ago

      Swap the USG out for an ERX (for now)...

  • Matt Theman
    Matt Theman 2 years ago

    👍👍👍👍

  • jhippl
    jhippl 2 years ago

    Nice ... I've been needing this to get my VPN server off of my AD server.
    I do have static addresses, so if you would add the command that would be great.

    • Willie Howe
      Willie Howe  2 years ago +3

      set vpn l2tp remote-access outside-address yourwanaddress
      set vpn l2tp remote-access outside-nexthop yourwangateway

  • lilbo876
    lilbo876 2 years ago

    Lighting looks good Willie. Now I can see you eat all the jelly beans!

  • Robbie Bott
    Robbie Bott 2 years ago +2

    How about some USG L2TP love?