Interface and NAT Configuration

To configure the allowed networks and NAT traversal on an interface, use the following commands:

set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-networks allowed-network 10.0.0.0/8
set vpn ipsec nat-networks allowed-network 172.16.0.0/12
set vpn ipsec nat-networks allowed-network 192.168.0.0/16
set vpn ipsec nat-traversal enable

Choose Authentication Mode

Only one authentication mode can be active at a time: either local or radius.

set vpn l2tp remote-access authentication mode (local or radius)

Local Authentication

To authenticate against local user accounts defined on the EdgeRouter, use the following command:

set vpn l2tp remote-access authentication local-users username wizard password toto

RADIUS Authentication

To authenticate using an external RADIUS server, use the following command:

set vpn l2tp remote-access authentication radius-server 10.1.0.121 key testing123

Pool Address

To define an address pool to hand out to clients, use the following commands:

set vpn l2tp remote-access client-ip-pool start 172.16.44.111
set vpn l2tp remote-access client-ip-pool stop 172.16.44.120

IPSec Authentication

To configure the IPSec authentication settings, use the following commands:

set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret testing123
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600

MTU

You have the option to change the MTU:

set vpn l2tp remote-access mtu 1024

Outside Address and Next Hop

To configure the outside address and next hop, use the following commands:

set vpn l2tp remote-access outside-address 10.1.0.124
set vpn l2tp remote-access outside-nexthop 10.1.0.1

If the ISP assigns a dynamic IP address to the outside interface, use the following command instead of a fixed outside-address:

set vpn l2tp remote-access dhcp-interface eth0

Show Command

Once connected, use the show vpn remote-access command to view the session:

ubnt@ubnt:~$ show vpn remote-access
Active remote access VPN sessions:
User Time Proto Iface Remote IP TX pkt/byte RX pkt/byte
---------- --------- ----- ----- --------------- ------ ------ ------ ------
wizard 00h56m38s L2TP l2tp0 172.16.44.112 301 29.2K 240 19.3K
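
The session table above is useful for monitoring as well as troubleshooting. Below is an added example (not code from the original page or from Ubiquiti) that parses the `show vpn remote-access` output into records and flags any session whose Remote IP lies outside the configured client-ip-pool; the sample output is constructed after the table shown above, and the decimal meaning of the K/M/G counter suffixes is an assumption.

```python
import re
import ipaddress
from dataclasses import dataclass

# Constructed sample of `show vpn remote-access` output, modelled on the table
# shown above; the second row is an added, constructed session.
SAMPLE_OUTPUT = """\
Active remote access VPN sessions:
User Time Proto Iface Remote IP TX pkt/byte RX pkt/byte
---------- --------- ----- ----- --------------- ------ ------ ------ ------
wizard 00h56m38s L2TP l2tp0 172.16.44.112 301 29.2K 240 19.3K
alice 01h02m03s L2TP l2tp1 172.16.44.130 1200 1.5M 950 812
"""

# Assumption: the K/M/G suffixes on the byte counters are decimal multipliers.
_MULT = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}
_DURATION = re.compile(r"(\d+)h(\d+)m(\d+)s")

@dataclass
class Session:
    user: str
    seconds: int
    proto: str
    iface: str
    remote_ip: str
    tx_pkts: int
    tx_bytes: int
    rx_pkts: int
    rx_bytes: int

def parse_duration(text):
    """'00h56m38s' -> 3398 seconds."""
    m = _DURATION.fullmatch(text)
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    h, mi, s = map(int, m.groups())
    return h * 3600 + mi * 60 + s

def parse_size(text):
    """'29.2K' -> 29200, '812' -> 812 (see _MULT for the suffix assumption)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)", text)
    if not m:
        raise ValueError(f"bad counter: {text!r}")
    return round(float(m.group(1)) * _MULT[m.group(2)])

def parse_sessions(output):
    """One Session per data row; banner, header and separator lines are skipped."""
    sessions = []
    for line in output.splitlines():
        f = line.split()
        if len(f) != 9 or not _DURATION.fullmatch(f[1]):
            continue  # not a session row
        sessions.append(Session(f[0], parse_duration(f[1]), f[2], f[3], f[4],
                                int(f[5]), parse_size(f[6]), int(f[7]), parse_size(f[8])))
    return sessions

def outside_pool(sessions, start, stop):
    """Sessions whose Remote IP is not inside the configured client-ip-pool."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(stop)
    return [s for s in sessions if not lo <= ipaddress.ip_address(s.remote_ip) <= hi]
```

A session outside the pool defined with client-ip-pool start/stop should not exist and is worth investigating.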

Firewall Guidelines

Remote users establish an L2TP session with the server running on the router itself, so the firewall rule set that governs traffic addressed to the router (the local rule set) must allow the following:

  • IKE – UDP port 500
  • L2TP – UDP port 1701
  • ESP – protocol 50
  • NAT-T – UDP port 4500 (if using NAT-T)
