Ubiquiti Edgemax L2TP VPN Setup From CLI

GregoryHall

I just spent the better part of 3 hours tracking down the CLI commands necessary to clear out any old VPN settings and set just the L2TP VPN server on an Ubiquiti Edgemax device running firmware 1.4.1. I gathered all that in one place here for reference.
1.
Connect via SSH
Open either the webportal and click the CLI option (does not allow you to paste) or better yet just download Putty and connect over SSH that way.
Dglogo_85x95_big
2.
Show Running VPN Configuations
configure
#show l2tp config
show vpn l2tp
#show pptp config
show vpn pptp
3.
Delete VPN Configurations
configure
delete vpn pptp
delete vpn l2tp
delete vpn ipsec
commit
save
4.
L2TP Server Configuration

change eth1 to whatever is the external interface port of the Edgemax

set vpn ipsec ipsec-interfaces interface eth1
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
set vpn l2tp remote-access authentication mode local
#Add local users for L2TP
set vpn l2tp remote-access authentication local-users username WhateverUserName password WhatEverUserPassword

Set a range of IP addresses that are not being used by your LAN DHCP

set vpn l2tp remote-access client-ip-pool start 192.168.x.x
set vpn l2tp remote-access client-ip-pool stop 192.168.x.x

Set the DNS servers to give out over DHCP for VPN Name Resolution

set vpn l2tp remote-access dns-servers server-1 192.168.x.x
set vpn l2tp remote-access dns-servers server-2 192.168.x.x

Set the authentication mode for L2TP

set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret ThisIsYourLongPassword
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600

Set the l2tp listening address to the WAN IP and WAN Gateway

set vpn l2tp remote-access outside-address ThisIsYourWANIP
set vpn l2tp remote-access outside-nexthop ThisIsYourWAN-GW-IP

Optional to set the MTU but I do this just in case they end up on DSL or T1

set vpn l2tp remote-access mtu 1492
commit
save
exit
5.
Add The Firewall Rules For L2TP Traffic
Open the web browser of choice and enter the LAN IP of the edgemax to login to the portal.
Go to the Security Tab and then find WAN_Local in the Firewall Rules.
Click Actions on the right and drop down choosing Edit Ruleset
Add a new rule with the following settings:
Basic Tab:
Description = L2TP
Enable = Checked (true)
Action = Accept
Protocol = UDP
Choose the Destination Tab
Ports = 500,1701,4500 (no spaces)
Save
Add another rule in the ruleset
Description = ESP
Enable = Checked (true)
Action = Accept
Protocol = choose by name then choose ESP
Save
Save again to exit the firewall settings
6.
Configure Windows L2TP VPN
On your windows box that needs to VPN into the Ubiquiti you will create a new VPN connect using the wizard and then go to ncpa.cpl and set the properties on the VPN connect. Specifically three settings:
1 – On the security tab of the VPN connection properties change the type of VPN to Layer 2 Tunneling Protocol
Choose Advanced Settings right below that option and set the shared secret you used above when configuring the L2TP server.
Under allow these protocols choose Challenge Handshake and Microsoft CHAP Version 2
Under the Networking tab choose IPV4 then advanced and turn off the option for Use Default Gateway On Remote Network so you can browse the internet locally while connected to the VPN.
7.
Test the connection
Enable the VPN connect and enter the username and password you created when setting up the local users on the Ubiquiti Edgemax box and hit connect. You should now be connected but the tunnel will not come live until you ping across it or try and access resources on the LAN.
Conclusion
In conclusion I found all the information was in bits and pieces scattered throughout the internet and the docs on the Ubiquiti Wiki were incomplete.
Hopefully if someone else needs to configure VPN for your Ubiquiti device this will help.

scottalanmiller

Thanks!

Dashrender

Keep it up, awesome!

scottalanmiller

@Dashrender said:

Keep it up, awesome!

With that comma rather than a semi-colon it sounds like you are flirting with Greg, calling him "awesome" like you might say "keep it up, cute stuff."

Dashrender

@scottalanmiller said:

@Dashrender said:

Keep it up, awesome!

With that comma rather than a semi-colon it sounds like you are flirting with Greg, calling him "awesome" like you might say "keep it up, cute stuff."

OK thanks. I guess. lol

JaredBusch

Can someone go back and drop in a tab or 4 spaces in front of the lines to get the auto code detection to format those.

On a related note, there must be a plugin for code inserts because I noticed some nice inline code formatting over on the nodebb forum.