Set Up an L2TP/IPSEC VPN On Your Ubiquiti EdgeRouter

The planned follow up to the Ubiquiti UniFi AP deployment/RaspberryPi controller post about running an ELK stack on the controller is on hold; there are no preexisting binaries for the ARM platform and a successful compile from source has eluded me so far. So instead we’re going to walk through setting up an L2TP/IPSEC VPN on Ubiquiti’s EdgeRouter line of routers. Ubiquiti has a good guide here that will get you 90% of the way there, but it is missing a few key pieces of info.

In my case I’m using the EdgeRouter X-SFP paired up with a 1GbE copper SFP from 10Gtek with eth5 (the SFP) for WAN connectivity and local authentication.

  1. SSH to your router
  2. Configure the IPSEC tunnel
    1. set vpn ipsec ipsec-interfaces interface eth5
    2. set vpn ipsec nat-networks allowed-network 0.0.0.0/0
    3. set vpn ipsec nat-traversal enable
  3. Setup authentication
    1. set vpn l2tp remote-access authentication mode local
    2. set vpn l2tp remote-access authentication local-users username <USERNAME> password <PASSWORD>
  4. Set the VPN client IP pool
    1. set vpn l2tp remote-access client-ip-pool start 192.168.X.X
    2. set vpn l2tp remote-access client-ip-pool stop 192.168.X.X
  5. Gotta have DNS
    1. set vpn l2tp remote-access dns-servers server-1 192.168.X.X
  6. By default the DNS forwarding service only listens on ethX (switch0 in my case); for VPN clients to use forwarding it must also listen on the router’s IP
    1. set service dns forwarding options "listen-address=192.168.X.X"
  7. Now we need to configure the IPsec pre-shared secret used for L2TP authentication
    1. set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
    2. set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <REALLYLONGPASSWORD>
    3. set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
  8. Optionally you can set the MTU
    1. set vpn l2tp remote-access mtu 1400
  9. Configure the external IP
    1. set vpn l2tp remote-access dhcp-interface eth5

That covers the L2TP/IPSEC VPN setup, but it won’t do much good without putting some firewall rules in place.  The rules below need to be placed under WAN_LOCAL.

  1. Allow IKE traffic
    1. set firewall name WAN_LOCAL rule 3 action accept
    2. set firewall name WAN_LOCAL rule 3 description 'Allow IKE for Remote VPN Server'
    3. set firewall name WAN_LOCAL rule 3 destination port 500
    4. set firewall name WAN_LOCAL rule 3 log enable
    5. set firewall name WAN_LOCAL rule 3 protocol udp
  2. Allow L2TP traffic
    1. set firewall name WAN_LOCAL rule 4 action accept
    2. set firewall name WAN_LOCAL rule 4 description 'Allow L2TP for Remote VPN Server'
    3. set firewall name WAN_LOCAL rule 4 destination port 1701
    4. set firewall name WAN_LOCAL rule 4 log enable
    5. set firewall name WAN_LOCAL rule 4 protocol udp
  3. Allow ESP traffic
    1. set firewall name WAN_LOCAL rule 5 action accept
    2. set firewall name WAN_LOCAL rule 5 description 'Allow ESP for Remote VPN Server'
    3. set firewall name WAN_LOCAL rule 5 log enable
    4. set firewall name WAN_LOCAL rule 5 protocol esp
  4. Allow NAT traversal traffic
    1. set firewall name WAN_LOCAL rule 6 action accept
    2. set firewall name WAN_LOCAL rule 6 description 'Allow Nat-T for Remote VPN Server'
    3. set firewall name WAN_LOCAL rule 6 destination port 4500
    4. set firewall name WAN_LOCAL rule 6 log enable
    5. set firewall name WAN_LOCAL rule 6 protocol udp

Now be sure to commit the changes and save them so they’ll persist across reboots. We’ll make use of commit-confirm for this just in case things blow up; if the commit isn’t confirmed by issuing a second commit command within 10 minutes, the system will roll back to the previous active configuration. A very handy feature, especially when making configuration changes remotely.

  1. commit-confirm
  2. commit
  3. save
  4. exit

You should now be able to initiate L2TP/IPSEC VPN connections from inside and outside your LAN using your WAN IP address. To check active sessions, run show vpn remote-access at the CLI.
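As an added check (example code written for this edit, not from the post or from Ubiquiti), the script below parses the output of show configuration commands and confirms that WAN_LOCAL accepts the four flows the rules above open (udp/500, udp/1701, udp/4500 and ESP). It also flags an L2TP rule that accepts bare udp/1701 without the ipsec match-ipsec qualifier EdgeOS inherits from Vyatta, and any VPN rule with logging off. The sample dump is constructed, and parse_rules and check_vpn_rules are names chosen for this example.

```python
"""Check an EdgeOS WAN_LOCAL chain for the rules an L2TP/IPsec server needs
(udp/500, udp/1701, udp/4500, esp). Added example; constructed input below."""
import re
REQUIRED = {"IKE": ("udp", "500"), "L2TP": ("udp", "1701"),   # service -> (proto, port)
            "NAT-T": ("udp", "4500"), "ESP": ("esp", None)}   # ESP carries no port
RULE_RE = re.compile(r"^set firewall name (\S+) rule (\d+) "
                     r"(action|protocol|log|ipsec|description|destination port) (.+)$")

def parse_rules(config_text):
    """Map chain -> rule number -> {key: value} from 'set firewall ...' lines."""
    rules = {}
    for line in config_text.splitlines():
        if m := RULE_RE.match(line.strip()):
            chain, num, key, val = m.groups()
            rules.setdefault(chain, {}).setdefault(int(num), {})[key] = val.strip("'\"")
    return rules

def check_vpn_rules(config_text, chain="WAN_LOCAL"):
    """Return (missing services, findings on rules that exist but are too loose)."""
    chain_rules = parse_rules(config_text).get(chain, {})
    missing, findings = [], []
    for name, (proto, port) in REQUIRED.items():
        hits = [n for n, r in chain_rules.items() if r.get("action") == "accept"
                and r.get("protocol") == proto and r.get("destination port") == port]
        if not hits:
            missing.append(name)
        for n in hits:
            # Bare L2TP on udp/1701 should only arrive inside the IPsec tunnel;
            # EdgeOS inherits Vyatta's 'ipsec match-ipsec' rule option for that.
            if name == "L2TP" and chain_rules[n].get("ipsec") != "match-ipsec":
                findings.append(f"rule {n}: udp/1701 accepted without ipsec match-ipsec")
            if chain_rules[n].get("log") != "enable":
                findings.append(f"rule {n}: logging disabled")
    return missing, findings

# Constructed 'show configuration commands' excerpt: the post's rules 3-5,
# with rule 4 unlogged and unrestricted, and no NAT-T (udp/4500) rule at all.
SAMPLE = """\
set firewall name WAN_LOCAL rule 3 action accept
set firewall name WAN_LOCAL rule 3 destination port 500
set firewall name WAN_LOCAL rule 3 log enable
set firewall name WAN_LOCAL rule 3 protocol udp
set firewall name WAN_LOCAL rule 4 action accept
set firewall name WAN_LOCAL rule 4 destination port 1701
set firewall name WAN_LOCAL rule 4 protocol udp
set firewall name WAN_LOCAL rule 5 action accept
set firewall name WAN_LOCAL rule 5 log enable
set firewall name WAN_LOCAL rule 5 protocol esp
"""
```

Run check_vpn_rules against a real dump captured with show configuration commands | grep WAN_LOCAL; on the sample it reports NAT-T missing and two findings on rule 4.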

  • Captain

    How would I set up an EdgeRouter-X to be an L2TP/IPsec client, for a site-to-site VPN? Any hints?