VPN Ubiquiti EdgeMax Router

# change eth1 to whatever is the external interface port of the Edgemax
set vpn ipsec ipsec-interfaces interface eth1
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
set vpn l2tp remote-access authentication mode local

# Add local users for L2TP
set vpn l2tp remote-access authentication local-users username WhateverUserName password WhatEverUserPassword

# Set a range of IP addresses that are not being used by your LAN DHCP
set vpn l2tp remote-access client-ip-pool start 192.168.x.x
set vpn l2tp remote-access client-ip-pool stop 192.168.x.x

# Set the DNS servers to give out over DHCP for VPN Name Resolution
set vpn l2tp remote-access dns-servers server-1 192.168.x.x
set vpn l2tp remote-access dns-servers server-2 192.168.x.x

# Set the authentication mode for L2TP
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret ThisIsYourLongPassword
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600

# Set the L2TP listening address to the WAN IP and WAN gateway
# (I set the WAN interface to 0.0.0.0 and did not configure the WAN gateway IP: set vpn l2tp remote-access outside-address 0.0.0.0)
set vpn l2tp remote-access outside-address ThisIsYourWANIP
set vpn l2tp remote-access outside-nexthop ThisIsYourWAN-GW-IP

# Optional to set the MTU but I do this just in case they end up on DSL or T1
set vpn l2tp remote-access mtu 1492

commit
save
exit

Firewall settings

Open the web browser of your choice and enter the LAN IP of the EdgeMax to log in to the portal.
Go to the Security tab and find WAN_LOCAL in the Firewall Rules.
Click Actions on the right and choose Edit Ruleset from the drop-down.
Add a new rule with the following settings:
Basic tab:
Description = L2TP
Enable = Checked (true)
Action = Accept
Protocol = UDP
Choose the Destination tab
Ports = 500,1701,4500 (no spaces)
Save
Add another rule in the ruleset:
Description = ESP
Enable = Checked (true)
Action = Accept
Protocol = Choose by name, then choose ESP
Save
Save again to exit the firewall settings
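The same two WAN_LOCAL rules expressed as EdgeOS CLI commands, added here as an example and not part of the original notes. The rule numbers 30 and 40 are assumptions: the wizard-generated WAN_LOCAL ruleset usually ends in a default drop action, so the accept rules only need to sort before any explicit drop rule you may have added.

```edgeos
configure
# Rule numbers 30 and 40 are assumed; pick numbers that sort before any explicit drop rule in WAN_LOCAL
set firewall name WAN_LOCAL rule 30 description L2TP
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 destination port 500,1701,4500
set firewall name WAN_LOCAL rule 40 description ESP
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 protocol esp
commit
save
exit
```

These rules open only IKE (UDP 500), NAT-T (UDP 4500), L2TP (UDP 1701) and the ESP protocol toward the router itself, which is exactly what the L2TP/IPsec server above needs; no inbound rule for the LAN is required because the tunnel terminates on the router. After committing, `show firewall name WAN_LOCAL` in operational mode lists the ruleset so you can confirm the new rules sit where you expect.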

Adding the VPN on Windows

On the Windows box that needs to VPN into the Ubiquiti, create a new VPN connection using the wizard, then go to ncpa.cpl and set the properties of the VPN connection. Specifically, three settings:
1 – On the Security tab of the VPN connection properties, change the type of VPN to Layer 2 Tunneling Protocol.
Choose Advanced Settings right below that option and set the shared secret you used above when configuring the L2TP server.
2 – Under "Allow these protocols" choose Challenge Handshake Authentication Protocol (CHAP) and Microsoft CHAP Version 2 (MS-CHAP v2).
3 – Under the Networking tab choose IPv4, then Advanced, and turn off "Use default gateway on remote network" so you can browse the internet locally while connected to the VPN.

IMPORTANT! On Windows, add the following registry patch:

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f

If the Windows Event Viewer shows "VPN Error 809", the registry entry is missing.

Possible problems

Error binding the external IP

I use VRRP to provide failover and the VPN outside address is configured with the VRRP virtual address.

When the router is not the VRRP master, which is the case here, L2TP can't bind to a non-local IP and fails to start.

To make this persist across reboots, add the following line to /etc/sysctl.conf:

net.ipv4.ip_nonlocal_bind = 1

Commands for tracing the VPN

show vpn log
systemctl status xl2tpd.service
