
2/13/2018 EdgeRouter - L2TP IPsec VPN Server – Ubiquiti Networks Support and Help Center


EdgeRouter - L2TP IPsec VPN Server


Yesterday at 00:52

Overview

Readers will learn how to configure the EdgeRouter as an L2TP (Layer 2 Tunneling Protocol) server using local authentication. Please see the L2TP IPsec VPN Server using RADIUS article for information on how to set up RADIUS authentication with L2TP.

ATTENTION: The EdgeRouter L2TP server uses MS‑CHAP v2 authentication by default. Make sure that this protocol is enabled in the L2TP adapter security settings on the clients. Some clients (macOS) have MS‑CHAP v2 authentication enabled by default, whereas others (Windows) do not.

NOTES & REQUIREMENTS:

Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information and see the attachments for the configuration used in this article.

Devices used in this article:
EdgeRouter‑4
Test clients

Table of Contents

1. Network Diagram
2. Steps: L2TP IPsec VPN Server
3. Steps: Windows / macOS / Android Client
4. Steps: Testing & Verification
5. Related Articles


Network Diagram
Back to Top

The network topology is shown below.

eth0 (WAN) ‑ 203.0.113.1
eth1 (LAN) ‑ 192.168.1.1/24

Steps: L2TP IPsec VPN Server


Back to Top

For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.

The ports and protocol that are relevant to L2TP are:

UDP 1701 (L2TP)
UDP 500 (IKE)
Protocol 50 (ESP)
UDP 4500 (NAT‑T) 

CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Add firewall rules for the L2TP traffic to the local firewall policy.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description IKE
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp

set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description ESP
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp

set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description NAT-T
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp

set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description L2TP
set firewall name WAN_LOCAL rule 60 destination port 1701
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol udp

NOTE: Make sure that these rules do not override any existing firewall policies!

3. Configure the server authentication settings (replace <secret> with your desired passphrases).

set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>

set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username user1 password <secret>
set vpn l2tp remote-access authentication local-users username user2 password <secret>

NOTE: If you define a pre‑shared‑secret using 'quotation marks', make sure that the secret on the client side does not include these same quotes.

4. Define the IP address pool that will be used by the VPN clients.

set vpn l2tp remote-access client-ip-pool start 192.168.100.240
set vpn l2tp remote-access client-ip-pool stop 192.168.100.249

NOTE: You can also issue IP addresses from the local subnet (192.168.1.0/24 in this case), but make sure that they do not overlap with IP addresses issued by your DHCP server or used by other devices on your network.

5. Define the DNS server(s) that will be used by the VPN clients.

set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4

(Optional) You can also set the DNS server to be the internal IP of the router itself. In this case, you will also need to enable DNS forwarding (if not already enabled) and set listen‑address to the same internal IP.

set vpn l2tp remote-access dns-servers server-1 192.168.1.1
set service dns forwarding options "listen-address=192.168.1.1"
set service dns forwarding cache-size 150
set service dns forwarding listen-on eth1

6. Define the WAN interface which will receive L2TP requests from clients.

Configure only one of the following statements. Decide on which command is best for your situation using these options:

(A) Your WAN interface receives an address through DHCP.

set vpn l2tp remote-access dhcp-interface eth0

(B) Your WAN interface is configured with a static address.

set vpn l2tp remote-access outside-address 203.0.113.1

(C) Your WAN interface receives an address through PPPoE.

set vpn l2tp remote-access outside-address 0.0.0.0

7. Define the IPsec interface which will receive L2TP requests from clients.

set vpn ipsec ipsec-interfaces interface eth0

8. (Optional) Assign a specific IP address to an L2TP client.

set vpn l2tp remote-access authentication local-users username user1 static-ip 192.168.100.25
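The note under step 4 (the pool must not collide with DHCP leases or other devices) and the static-ip option in step 8 both come down to address bookkeeping before you commit. The following Python check is an added example, not part of the article or of EdgeOS; the LAN DHCP range and the wording of the conflict messages are assumptions constructed for the example.

```python
import ipaddress

# Constructed planning data mirroring the article: router LAN 192.168.1.1/24,
# client-ip-pool 192.168.100.240-192.168.100.249, static-ip 192.168.100.25 for
# user1. The LAN DHCP range is an assumption; the article does not state one.
LAN_ROUTER = "192.168.1.1/24"
DHCP_RANGE = ("192.168.1.100", "192.168.1.199")
POOL = ("192.168.100.240", "192.168.100.249")
STATIC_IPS = {"user1": "192.168.100.25"}


def addr_range(start, stop):
    """Parse an inclusive IPv4 range, rejecting a reversed start/stop pair."""
    a, b = ipaddress.IPv4Address(start), ipaddress.IPv4Address(stop)
    if a > b:
        raise ValueError(f"range start {a} is after stop {b}")
    return a, b

def contains(rng, addr):
    return rng[0] <= addr <= rng[1]

def overlaps(r1, r2):
    return r1[0] <= r2[1] and r2[0] <= r1[1]

def check_client_addresses(pool, lan_router, dhcp_range, static_ips):
    """Return the address conflicts the step 4 note warns about (empty if none)."""
    problems = []
    pool_r = addr_range(*pool)
    dhcp_r = addr_range(*dhcp_range)
    router = ipaddress.IPv4Interface(lan_router).ip
    if overlaps(pool_r, dhcp_r):
        problems.append("client-ip-pool overlaps the LAN DHCP range")
    if contains(pool_r, router):
        problems.append("client-ip-pool contains the router LAN address")
    seen = {}
    for user, ip in static_ips.items():
        a = ipaddress.IPv4Address(ip)
        if a in seen:
            problems.append(f"{user} and {seen[a]} share static-ip {a}")
        seen[a] = user
        if a == router:
            problems.append(f"{user} static-ip {a} is the router LAN address")
        if contains(dhcp_r, a):
            problems.append(f"{user} static-ip {a} is inside the DHCP range")
        if contains(pool_r, a):
            # an address inside the dynamic pool can also be leased to another client
            problems.append(f"{user} static-ip {a} is inside the client-ip-pool")
    return problems


if __name__ == "__main__":
    for p in check_client_addresses(POOL, LAN_ROUTER, DHCP_RANGE, STATIC_IPS) or ["no conflicts"]:
        print(p)
```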

9. (Optional) Lower the MTU for L2TP traffic.

Experiment with lowering the MTU value if the performance of the L2TP tunnel is poor. An example of when this can happen is when the external WAN interface uses PPPoE (1492 byte MTU).

set vpn l2tp remote-access mtu <mtu-value>

10. (Optional) Require the VPN clients to use a specific authentication protocol when connecting.

set vpn l2tp remote-access authentication require [ pap | chap | mschap | mschap-v2 ]

PAP ‑ Require Password Authentication Protocol
CHAP ‑ Require Challenge Handshake Authentication Protocol
MS-CHAP ‑ Require Microsoft Challenge Handshake Authentication Protocol
MS-CHAP-V2 ‑ Require Microsoft Challenge Handshake Authentication Protocol Version 2 (default)

11. Commit the changes and save the configura on.

commit ; save

Steps - Windows / macOS / Android Client


Back to Top

There are different ways to connect to an L2TP server using a multitude of applications and operating systems. In this article, we are focusing on the built‑in Windows 10, macOS and Android VPN clients.

1. Navigate to the Windows 10 VPN settings and add a new connection.

Settings > Network & Internet > VPN > Add a VPN connection

VPN Provider: Windows (built-in)
Connection name: L2TP
Server name: 203.0.113.1
VPN Type: L2TP/IPsec with pre-shared key
Pre-shared key: <secret>
Type of sign-in info: User name and password
User name: user1
Password: <secret>

2. Navigate to the Windows 10 Network connections.

Settings > Network & Internet > Status > Change Adapter Options > L2TP Adapter properties

Security > Allow these protocols > Microsoft CHAP Version 2 (MS-CHAP v2)

ATTENTION: Newer versions of Windows prevent clients from connecting to an L2TP server behind NAT. If your EdgeRouter is located behind NAT, then apply the hotfix in step 3.

3. Open the Windows registry.

Run > regedit

Locate the registry subtree below.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent

Create a new DWORD (32‑bit) value in this subtree.

AssumeUDPEncapsulationContextOnSendRule

Modify the newly created DWORD and give it a value of 2 (default is 0) and restart your computer.


1. Navigate to the macOS network settings and add a new service (+).

System Preferences > Network > + 

Interface: VPN
VPN Type: L2TP over IPSec
Service Name: L2TP

2. Add the IP address information and credentials to the L2TP adapter.

System Preferences > Network > L2TP

Configuration: Default
Server Address: 203.0.113.1
Account name: user1

System Preferences > Network > L2TP > Authentication Settings

User Authentication: Password <secret>
Machine Authentication: Shared Secret <secret>

3. (Optional) Route all traffic over the VPN.

System Preferences > Network > L2TP > Advanced

Send all traffic over VPN connection

1. Navigate to the Android VPN settings and add a new VPN (+).

Settings > ...More > VPN > + Add VPN 

Name: L2TP
Type: L2TP/IPsec PSK
Server address: 203.0.113.1
L2TP secret: (not used)
IPsec identifier: (not used)
IPsec pre-shared key: <secret>

2. Connect to the L2TP server and add the credentials.

Username: user1
Password: <secret>

Steps - Testing & Verification


Back to Top

1. Verify that the traffic is increasing the counters on the L2TP firewall rules.

show firewall name WAN_LOCAL statistics

--------------------------------------------------------------------------------
IPv4 Firewall "WAN_LOCAL"  [WAN to router]

 Active on (eth0,LOCAL)

rule  packets     bytes       action  description
----  -------     -----       ------  -----------
10    164         23837       ACCEPT  Allow established/related
20    0           0           DROP    Drop invalid state
30    1           436         ACCEPT  IKE
40    2           368         ACCEPT  ESP
50    0           0           ACCEPT  NAT-T
60    1           131         ACCEPT  L2TP
10000 0           0           DROP    DEFAULT ACTION
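As an added example (not from the article), a small Python parser for the `show firewall name WAN_LOCAL statistics` output above that reads the four L2TP rule counters and states which stage of the connection is reaching the router. The sample output and its counter values are constructed for the example; the rule descriptions match the ones configured in step 2.

```python
import re

# Constructed sample in the format of `show firewall name WAN_LOCAL statistics`
# as shown in the article (counter values are made up).
SAMPLE = """\
IPv4 Firewall "WAN_LOCAL"  [WAN to router]

 Active on (eth0,LOCAL)

rule  packets     bytes       action  description
----  -------     -----       ------  -----------
10    164         23837       ACCEPT  Allow established/related
20    0           0           DROP    Drop invalid state
30    1           436         ACCEPT  IKE
40    2           368         ACCEPT  ESP
50    0           0           ACCEPT  NAT-T
60    1           131         ACCEPT  L2TP
10000 0           0           DROP    DEFAULT ACTION
"""

# rule number, packets, bytes, action, free-text description
ROW = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(ACCEPT|DROP|REJECT)\s+(.+)$")
L2TP_RULES = ("IKE", "ESP", "NAT-T", "L2TP")

def parse_statistics(text):
    """Map each rule description to its counters and action."""
    rules = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rule, pkts, byts, action, desc = m.groups()
            rules[desc.strip()] = {"rule": int(rule), "packets": int(pkts),
                                   "bytes": int(byts), "action": action}
    return rules

def diagnose_l2tp(rules):
    """Read the four L2TP rule counters the way step 1 of the verification asks."""
    missing = [d for d in L2TP_RULES if d not in rules]
    if missing:
        return "rules not found in WAN_LOCAL: " + ", ".join(missing)
    ike, esp, natt, l2tp = (rules[d]["packets"] for d in L2TP_RULES)
    if ike == 0:
        return "no IKE (UDP 500) packets reached the router; check upstream filtering"
    if esp == 0 and natt == 0:
        return "IKE seen but no ESP or NAT-T yet; the IPsec negotiation is not completing"
    if l2tp == 0:
        return "IPsec traffic seen but no L2TP (UDP 1701) matched rule 60"
    transport = "UDP 4500 (NAT-T)" if natt else "ESP"
    return f"L2TP is flowing inside IPsec via {transport}"


if __name__ == "__main__":
    print(diagnose_l2tp(parse_statistics(SAMPLE)))
```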

2. Capture the L2TP traffic on the WAN interface.

sudo tcpdump -i eth0 -n udp dst port 500 or port 4500 or esp
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 I ident
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 R ident
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 I ident
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 R ident
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 I ident[E]
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 R ident[E]
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 2/others I oakley-quick[E]
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 2/others R oakley-quick[E]
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 2/others I oakley-quick[E]
IP 192.0.2.1 > 203.0.113.1: ESP(spi=0xc25e3a53,seq=0x1), length 164
IP 192.0.2.1 > 203.0.113.1: ESP(spi=0xc25e3a53,seq=0x2), length 164
IP 203.0.113.1 > 192.0.2.1: ESP(spi=0x216ec4ce,seq=0x1), length 148
IP 192.0.2.1 > 203.0.113.1: ESP(spi=0xc25e3a53,seq=0x3), length 68

NOTE: This is a live capture. If there is no output the traffic is either not being generated or there is
something blocking the traffic upstream.  

3. Capture and analyze the IPsec VPN log messages.

sudo swanctl --log

[NET] received packet: from 192.0.2.1[500] to 203.0.113.1[500] (408 bytes)
[IKE] 192.0.2.1 is initiating a Main Mode IKE_SA
[IKE] remote host is behind NAT
[ENC] parsed ID_PROT request 0 [ ID HASH ]
[CFG] looking for pre-shared key peer configs matching 203.0.113.1...192.0.2.1[172.16.1.10]
[IKE] IKE_SA remote-access[1] established between 203.0.113.1[203.0.113.1]...192.0.2.1[172.16
[IKE] CHILD_SA remote-access{1} established with SPIs and TS 203.0.113.1/32[udp/l2f] === 192.
[KNL] 10.255.255.0 appeared on ppp0
[KNL] 10.255.255.0 disappeared from ppp0
[KNL] 10.255.255.0 appeared on ppp0
[KNL] interface l2tp0 activated

NOTE: This is also a live capture. Alternatively, you can use the show vpn log | no-more command to view the entire IPsec log history.

4. Verify the IPsec Security Associations (SAs) and tunnel status.

show vpn ipsec sa

remote-access: #2, ESTABLISHED, IKEv1, 6c5e6bc5f68ca8c1:6529f3d96c5f8264
  local  '203.0.113.1' @ 203.0.113.1
  remote '10.0.1.10' @ 198.51.100.1
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
  established 56s ago
  remote-access: #2, INSTALLED, TRANSPORT, ESP:AES_CBC-128/HMAC_SHA1_96
    installed 56 ago
    in  cf5622bf,  15763 bytes,   158 packets,     1s ago
    out cd1b3e08,   3373 bytes,    49 packets,    53s ago
    local  203.0.113.1/32[udp/l2f]
    remote 198.51.100.1/32[udp/l2f]

remote-access: #1, ESTABLISHED, IKEv1, 42df1e888432f98f:9b553c0804da6f1d
  local  '203.0.113.1' @ 203.0.113.1
  remote '172.16.1.10' @ 192.0.2.1
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
  established 113s ago
  remote-access: #1, INSTALLED, TRANSPORT, ESP:AES_CBC-128/HMAC_SHA1_96
    installed 113 ago
    in  cb5471df,  16488 bytes,   188 packets,     0s ago
    out 1e7fabb4,   4833 bytes,    70 packets,    52s ago
    local  203.0.113.1/32[udp/l2f]
    remote 192.0.2.1/32[udp/l2f]

5. Verify the status of the remote access users and interfaces.

show vpn remote-access

Active remote access VPN sessions:

User       Time      Proto Iface   Remote IP       TX pkt/byte   RX pkt/byte 
---------- --------- ----- -----   --------------- ------ ------ ------ ------
user2      00h02m11s L2TP  l2tp1   192.168.100.241    76   4.7K    403  56.2K
user1      00h04m17s L2TP  l2tp0   192.168.100.240    17    888    125  12.2K

show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description                
---------    ----------                        ---  -----------                              
l2tp0        10.255.255.0                      u/u  User: user1                
                                                    (192.168.100.240)          
l2tp1        10.255.255.0                      u/u  User: user2                
                                                    (192.168.100.241)  


6. Analyze the L2TP log messages.

show log | match 'xl2tpd|pppd'

ubnt xl2tpd[2267]: Connection established to 192.0.2.1, 1701.  Local: 7337, Remote: 9 (ref=0/
ubnt xl2tpd[2267]: Call established with 192.0.2.1, PID: 18921, Local: 8145, Remote: 1, Seria
ubnt pppd[18921]: pppd 2.4.4 started by root, uid 0
ubnt pppd[18921]: Connect: ppp0 <-->
ubnt pppd[18921]: Overriding mtu 1500 to 1400
ubnt pppd[18921]: Overriding mru 1500 to mtu value 1400
ubnt pppd[18921]: local  IP address 10.255.255.0
ubnt pppd[18921]: remote IP address 192.168.100.240

7. (Advanced users) Verify the xl2tpd configuration files.

sudo cat /etc/ipsec.d/tunnels/remote-access

### Vyatta L2TP VPN Begin ###
conn remote-access
  authby=secret
  type=transport
  keyexchange=ikev1
  left=203.0.113.1
  leftprotoport=17/1701
  right=%any
  rightprotoport=17/%any
  auto=add
  dpddelay=15
  dpdtimeout=45
  dpdaction=clear
  rekey=no
  ikelifetime=3600
  keylife=3600
### Vyatta L2TP VPN End ###

sudo cat /etc/xl2tpd/xl2tpd.conf

;### Vyatta L2TP VPN Begin ###
[global]
listen-addr = 203.0.113.1

[lns default]
ip range = 192.168.100.240-192.168.100.249
local ip = 10.255.255.0
refuse pap = yes
require authentication = yes
name = VyattaL2TPServer
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
;### Vyatta L2TP VPN End ###

sudo cat /etc/ppp/options.xl2tpd

### Vyatta L2TP VPN Begin ###
name xl2tpd
linkname l2tp
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.1
noccp
auth
nodefaultroute
debug
proxyarp
connect-delay 5000
idle 1800
### Vyatta L2TP VPN End ###

Related Articles
Back to Top

EdgeRouter ‑ L2TP IPsec VPN Server using RADIUS
EdgeRouter ‑ PPTP VPN Server
EdgeRouter ‑ PPTP VPN Server using RADIUS
Intro to Networking ‑ How to Establish a Connection Using SSH

er config.txt (4 KB)


© 2018 Ubiquiti Networks, Inc. All rights reserved.