Overview
Readers will learn how to configure the EdgeRouter as an L2TP (Layer 2 Tunneling Protocol) server using local
authentication. Please see the L2TP IPsec VPN Server using RADIUS article for information on how to set up
RADIUS authentication with L2TP.
ATTENTION: The EdgeRouter L2TP server uses MS-CHAP v2 authentication by default. Make sure
that this protocol is enabled in the L2TP adapter security settings on the clients. Some clients
(macOS) have MS-CHAP v2 authentication enabled by default, whereas others (Windows) do not.
Table of Contents
1. Network Diagram
2. Steps: L2TP IPsec VPN Server
3. Steps: Windows / macOS / Android Client
4. Steps: Testing & Verification
5. Related Articles
https://help.ubnt.com/hc/en-us/articles/204950294-EdgeRouter-L2TP-IPsec-VPN-Server 1/11
2/13/2018 EdgeRouter - L2TP IPsec VPN Server – Ubiquiti Networks Support and Help Center
Network Diagram
The network topology is shown below.
eth0 (WAN) ‑ 203.0.113.1
eth1 (LAN) ‑ 192.168.1.1/24
The ports and protocol that are relevant to L2TP are:
UDP 1701 (L2TP)
UDP 500 (IKE)
Protocol 50 (ESP)
UDP 4500 (NAT‑T)
Steps: L2TP IPsec VPN Server
CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by
using a program such as PuTTY.
1. Enter configuration mode.
configure
2. Add firewall rules for the L2TP traffic to the local firewall policy.
NOTE: Make sure that these rules do not override any existing firewall policies!
3. Define the IPsec settings, using a pre-shared secret for authentication.
NOTE: If you define the pre-shared-secret using 'quotation marks', make sure that the secret entered on the
client side does not include those same quotes.
4. Define the IP address pool that will be used by the VPN clients.
NOTE: You can also issue IP addresses from the local subnet (192.168.1.0/24 in this case), but make sure
that they do not overlap with IP addresses issued by your DHCP server or used by other devices on
your network.
5. Define the DNS server(s) that will be used by the VPN clients.
(Optional) You can also set the DNS server to the internal IP of the router itself. In this case, you also
need to enable DNS forwarding (if not already enabled) and set its listen-address to that same internal IP.
6. Define the WAN interface which will receive L2TP requests from clients.
Configure only one of the following statements, choosing the one that matches how your WAN address is
assigned (static, dynamic, or obtained via DHCP on the WAN interface):
7. Define the IPsec interface which will receive L2TP requests from clients.
8. (Optional) Assign a specific IP address to an L2TP client.
set vpn l2tp remote-access authentication local-users username user1 static-ip 192.168.100.25
9. (Optional) Lower the MTU for L2TP traffic.
Experiment with lowering the MTU value if the performance of the L2TP tunnel is poor. A typical case is an
external WAN interface that uses PPPoE (1492-byte MTU).
10. (Optional) Require a specific PPP authentication protocol from the clients.
set vpn l2tp remote-access authentication require [ pap | chap | mschap | mschap-v2 ]
PAP - Require Password Authentication Protocol (the password is sent in the clear inside the PPP session, so only the IPsec tunnel protects it)
CHAP - Require Challenge Handshake Authentication Protocol
MS-CHAP - Require Microsoft Challenge Handshake Authentication Protocol
MS-CHAP-V2 - Require Microsoft Challenge Handshake Authentication Protocol Version 2 (default)
11. Commit the changes and save the configuration.
commit ; save
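The complete server-side configuration for steps 1 to 11, collected here as an added example rather than the article's own command listing. It uses the addresses from the network diagram and the 192.168.100.240-249 client pool that appears in the verification output later on this page; the firewall policy name WAN_LOCAL, the rule numbers 30 to 60, the user name user1 and the <secret> placeholders are assumptions to adapt to your router. The whole L2TP exchange, including the MS-CHAP v2 handshake, is only as strong as the IPsec pre-shared secret, so use a long random value for it.

```text
configure

# 2. Allow IKE, ESP, NAT-T and L2TP to the router itself (local policy on the WAN).
#    Policy name WAN_LOCAL and rule numbers 30-60 are assumptions; make sure they
#    do not shadow existing rules in your policy.
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description ike
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description esp
set firewall name WAN_LOCAL rule 40 protocol esp
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description nat-t
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 protocol udp
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description l2tp
set firewall name WAN_LOCAL rule 60 destination port 1701
set firewall name WAN_LOCAL rule 60 protocol udp
# Accept UDP 1701 only when it arrived inside an IPsec tunnel. Without this match,
# unencrypted L2TP from the Internet would reach the server directly.
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec

# 3. IPsec settings: pre-shared-secret authentication (see the note on quotes).
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600

# 4. Client address pool; must not overlap DHCP leases or other hosts.
set vpn l2tp remote-access client-ip-pool start 192.168.100.240
set vpn l2tp remote-access client-ip-pool stop 192.168.100.249

# 5. DNS server handed to the clients (the router's LAN address here).
set vpn l2tp remote-access dns-servers server-1 192.168.1.1

# 6. WAN address that receives L2TP requests. Configure exactly one of these:
set vpn l2tp remote-access outside-address 203.0.113.1
# set vpn l2tp remote-access outside-address 0.0.0.0    (dynamic WAN address)
# set vpn l2tp remote-access dhcp-interface eth0        (WAN address from DHCP)

# 7. Interface on which IPsec listens.
set vpn ipsec ipsec-interfaces interface eth0

# Local user database (this article's mode; RADIUS is covered in the related article).
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username user1 password <secret>

# 8. (Optional) Pin user1 to a fixed address (value taken from step 8 above).
set vpn l2tp remote-access authentication local-users username user1 static-ip 192.168.100.25

# 9. (Optional) Lower the MTU, for example on a PPPoE WAN.
set vpn l2tp remote-access mtu 1492

# 10. (Optional) Require MS-CHAP v2 explicitly; it is already the default.
set vpn l2tp remote-access authentication require mschap-v2

# 11. Apply and persist.
commit ; save
```

The `ipsec match-ipsec` condition on the UDP 1701 rule is the one line that matters most for exposure: IKE (500), NAT-T (4500) and ESP must be reachable from anywhere, but L2TP itself should never be accepted outside the tunnel.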
Steps: Windows / macOS / Android Client
1. Navigate to the Windows 10 VPN settings and add a new VPN connection.
Settings > Network & Internet > VPN > Add a VPN connection
2. Navigate to the Windows 10 network connections and enable MS-CHAP v2 on the L2TP adapter.
Settings > Network & Internet > Status > Change Adapter Options > L2TP Adapter properties
Security > Allow these protocols > Microsoft CHAP Version 2 (MS-CHAP v2)
ATTENTION: Newer versions of Windows prevent clients from connecting to an L2TP server
behind NAT. If your EdgeRouter is located behind NAT, apply the registry change in step 3.
3. Open the Windows Registry Editor (regedit).
Locate the registry subtree below.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
Create a new DWORD (32-bit) value in this subtree.
AssumeUDPEncapsulationContextOnSendRule
Set the new DWORD to 2 and restart the computer. The default of 0 allows no NAT on the server side, 1 allows
only the server to be behind NAT, and 2 allows both the server and the client to be behind NAT.
1. Navigate to the macOS network settings and add a new service (+).
Interface: VPN
VPN Type: L2TP over IPSec
Service Name: L2TP
Configuration: Default
Server Address: 203.0.113.1
Account name: user1
3. (Optional) Route all traffic over the VPN.
1. Navigate to the Android VPN settings and add a new VPN (+).
Name: L2TP
Type: L2TP/IPsec PSK
Server address: 203.0.113.1
L2TP secret: (not used)
IPsec identifier: (not used)
IPsec pre-shared key: <secret>
2. Connect to the L2TP server and enter the credentials.
Username: user1
Password: <secret>
Steps: Testing & Verification
1. Verify that the traffic is increasing the counters on the L2TP firewall rules. The local policy should show as
Active on (eth0,LOCAL)
2. Capture the L2TP traffic on the WAN interface.
sudo tcpdump -i eth0 -n udp dst port 500 or port 4500 or esp
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 I ident
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 R ident
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 I ident
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 R ident
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 I ident[E]
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 R ident[E]
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 2/others I oakley-quick[E]
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 2/others R oakley-quick[E]
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 2/others I oakley-quick[E]
IP 192.0.2.1 > 203.0.113.1: ESP(spi=0xc25e3a53,seq=0x1), length 164
IP 192.0.2.1 > 203.0.113.1: ESP(spi=0xc25e3a53,seq=0x2), length 164
IP 203.0.113.1 > 192.0.2.1: ESP(spi=0x216ec4ce,seq=0x1), length 148
IP 192.0.2.1 > 203.0.113.1: ESP(spi=0xc25e3a53,seq=0x3), length 68
NOTE: This is a live capture. If there is no output, the traffic is either not being generated or something
upstream is blocking it. If the client sits behind NAT, the ESP packets travel inside UDP 4500 (NAT-T) rather
than as raw protocol 50, so they match the port 4500 clause of the filter instead of the esp clause.
3. Capture and analyze the IPsec VPN log messages.
4. Verify the IPsec Security Associations (SAs) and tunnel status.
5. Verify the status of the remote access users and interfaces.
show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
l2tp0 10.255.255.0 u/u User: user1
(192.168.100.240)
l2tp1 10.255.255.0 u/u User: user2
(192.168.100.241)
Can't find what you're looking for?
https://help.ubnt.com/hc/en-us/articles/204950294-EdgeRouter-L2TP-IPsec-VPN-Server 8/11
2/13/2018 EdgeRouter - L2TP IPsec VPN Server – Ubiquiti Networks Support and Help Center
6. Analyze the L2TP log messages.
7. (Advanced users) Verify the xl2tpd configuration files.
xl2tpd.conf (excerpt):
[lns default]
ip range = 192.168.100.240-192.168.100.249
local ip = 10.255.255.0
refuse pap = yes
require authentication = yes
name = VyattaL2TPServer
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
;### Vyatta L2TP VPN End ###
/etc/ppp/options.xl2tpd (the pppoptfile referenced above):
name xl2tpd
linkname l2tp
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.1
noccp
auth
nodefaultroute
debug
proxyarp
connect-delay 5000
idle 1800
### Vyatta L2TP VPN End ###
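The EdgeOS operational commands behind verification steps 1 to 7, collected here as an added example rather than the article's own listing. The firewall policy name WAN_LOCAL and the xl2tpd.conf path are assumptions; the remaining commands are the standard EdgeOS/Vyatta show commands for IPsec and L2TP remote access.

```text
# 1. Firewall counters: the L2TP rules should increment while a client connects.
show firewall name WAN_LOCAL statistics

# 2. Live capture of IKE (500), NAT-T (4500) and raw ESP on the WAN interface.
sudo tcpdump -i eth0 -n udp dst port 500 or port 4500 or esp

# 3. IPsec daemon log (IKE phase 1/2 negotiation, PSK mismatches).
show vpn log

# 4. IPsec SAs and overall tunnel status; a connected client shows one SA pair.
show vpn ipsec sa
show vpn ipsec status

# 5. Connected remote-access users and their l2tpN interfaces.
show vpn remote-access
show interfaces

# 6. L2TP and PPP messages (authentication failures show up here, not in the IPsec log).
show log | match xl2tpd
show log | match pppd

# 7. (Advanced) Generated daemon configuration; paths are assumed standard xl2tpd locations.
cat /etc/xl2tpd/xl2tpd.conf
cat /etc/ppp/options.xl2tpd
```

Work down the list in order: a failure at step 4 (no SA) is an IPsec problem such as a pre-shared secret mismatch or blocked UDP 500/4500, whereas an SA that exists without an l2tpN interface in step 5 points at PPP authentication (wrong password or a client that still lacks MS-CHAP v2).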
Related Articles
EdgeRouter ‑ L2TP IPsec VPN Server using RADIUS
EdgeRouter ‑ PPTP VPN Server
EdgeRouter ‑ PPTP VPN Server using RADIUS
Intro to Networking - How to Establish a Connection Using SSH
© 2018 Ubiquiti Networks, Inc. All rights reserved.