    EdgeRouter 4: setting up L2TP server

    IT Discussion
    edgerouter 4 l2tp vpn
    • FATeknollogee

      I took a stock ER4 (fw 2.0.8), followed this guide, performed steps 1 to 7 & 9, and configured the L2TP server.

      When I try to connect from F31 VPN client, I get an error "Disconnected. VPN service failed to start"

      I've done this plenty of times with other ER-4s & they just work, the only difference being those ER-4s also have S2S VPNs.

      What step am I missing?

      • FATeknollogee

        C'mon, where are all the ER experts?

        • JaredBusch @FATeknollogee

          @FATeknollogee said in EdgeRouter 4: setting up L2TP server:

          C'mon, where are all the ER experts?

          Super busy.

          This is a known (to me) issue on the ER line if there are no S2S.

          I do not recall the solution off the top of my head. I have fixed it before.

          • FATeknollogee @JaredBusch

            @JaredBusch Thx for that heads up! Will try searching, maybe I'll get lucky!

            • JaredBusch

              When I was debugging this, I found that it was not getting a valid cipher or something I believe.

              • FATeknollogee

                I just might have to put in some "fake" S2S config & move on?

                • FATeknollogee

                  It's strange that UBNT's docs/guides say nothing about this being an issue?

                  • JaredBusch

                    https://www.mangolassi.it/topic/16505/edgerouter-l2tp-vpn-does-not-work-with-updated-systems

                    https://community.ui.com/questions/L2TP-unusable-on-Fedora/d91fb0a7-0507-4c6d-be7f-259d2df8edc4

                    • FATeknollogee

                      There has to be a line in the S2S config that "triggers" the VPN service ON?

                      • FATeknollogee

                        Figured out the issue:

                        Even though I copied/paste from here: https://help.ubnt.com/hc/en-us/articles/204950294-EdgeRouter-L2TP-IPsec-VPN-Server

                        Looks like rule 30 did not copy correctly & I ended up with the check mark on State "Invalid".

                        Once I unchecked "Invalid", the VPN connects fine.

                        Tomorrow, I'll wipe out the config & re-copy the rules, just to make sure I didn't mess up.

                        [screenshot attachment]

                        • FATeknollogee

                          I reset the ER4 to factory default & started from scratch.

                          Copy/paste (from the UBNT site) of rule 30 does indeed set the "Invalid" check mark on the Advanced tab of Rule 30.

                          • Dashrender @FATeknollogee

                            @FATeknollogee said in EdgeRouter 4: setting up L2TP server:

                            I reset the ER4 to factory default & started from scratch.

                            Copy/paste (from UBNT site) of rule 30, does indeed set the "Invalid" check mark on the Advanced tab of Rule 30

                            can you post the whole config?
                            or is it already above?

                            • FATeknollogee @Dashrender

                              @Dashrender

                              firewall {
                                  all-ping enable
                                  broadcast-ping disable
                                  group {
                                      address-group trusted_IPs {
                                          address 1.2.3.4
                                          address 5.6.7.8
                                          address 9.10.11.12
                                          description "for remote GUI access"
                                      }
                                  }
                                  ipv6-name WANv6_IN {
                                      default-action drop
                                      description "WAN inbound traffic forwarded to LAN"
                                      enable-default-log
                                      rule 10 {
                                          action accept
                                          description "Allow established/related sessions"
                                          state {
                                              established enable
                                              related enable
                                          }
                                      }
                                      rule 20 {
                                          action drop
                                          description "Drop invalid state"
                                          state {
                                              invalid enable
                                          }
                                      }
                                  }
                                  ipv6-name WANv6_LOCAL {
                                      default-action drop
                                      description "WAN inbound traffic to the router"
                                      enable-default-log
                                      rule 10 {
                                          action accept
                                          description "Allow established/related sessions"
                                          state {
                                              established enable
                                              related enable
                                          }
                                      }
                                      rule 20 {
                                          action drop
                                          description "Drop invalid state"
                                          state {
                                              invalid enable
                                          }
                                      }
                                      rule 30 {
                                          action accept
                                          description "Allow IPv6 icmp"
                                          protocol ipv6-icmp
                                      }
                                      rule 40 {
                                          action accept
                                          description "allow dhcpv6"
                                          destination {
                                              port 546
                                          }
                                          protocol udp
                                          source {
                                              port 547
                                          }
                                      }
                                  }
                                  ipv6-receive-redirects disable
                                  ipv6-src-route disable
                                  ip-src-route disable
                                  log-martians enable
                                  name WAN_IN {
                                      default-action drop
                                      description "WAN to internal"
                                      rule 10 {
                                          action accept
                                          description "Allow established/related"
                                          state {
                                              established enable
                                              related enable
                                          }
                                      }
                                      rule 20 {
                                          action drop
                                          description "Drop invalid state"
                                          state {
                                              invalid enable
                                          }
                                      }
                                  }
                                  name WAN_LOCAL {
                                      default-action drop
                                      description "WAN to router"
                                      rule 10 {
                                          action accept
                                          description "remote GUI"
                                          destination {
                                              port 443
                                          }
                                          log disable
                                          protocol tcp
                                          source {
                                              group {
                                                  address-group trusted_IPs
                                              }
                                          }
                                      }
                                      rule 20 {
                                          action accept
                                          description "Allow established/related"
                                          state {
                                              established enable
                                              related enable
                                          }
                                      }
                                      rule 30 {
                                          action accept
                                          description ike
                                          destination {
                                              port 500
                                          }
                                          log disable
                                          protocol udp
                                          state {
                                              invalid enable
                                          }
                                      }
                                      rule 40 {
                                          action accept
                                          description esp
                                          log disable
                                          protocol esp
                                      }
                                      rule 50 {
                                          action accept
                                          description nat-t
                                          destination {
                                              port 4500
                                          }
                                          log disable
                                          protocol udp
                                      }
                                      rule 60 {
                                          action accept
                                          description l2tp
                                          destination {
                                              port 1701
                                          }
                                          ipsec {
                                              match-ipsec
                                          }
                                          log disable
                                          protocol udp
                                      }
                                  }
                                  receive-redirects disable
                                  send-redirects enable
                                  source-validation disable
                                  syn-cookies enable
                              }
                              interfaces {
                                  ethernet eth0 {
                                      address 10.10.10.10/30
                                      description Internet
                                      duplex auto
                                      firewall {
                                          in {
                                              ipv6-name WANv6_IN
                                              name WAN_IN
                                          }
                                          local {
                                              ipv6-name WANv6_LOCAL
                                              name WAN_LOCAL
                                          }
                                      }
                                      speed auto
                                  }
                                  ethernet eth1 {
                                      address 10.15.20.254/24
                                      description "LAN 1"
                                      duplex auto
                                      speed auto
                                  }
                                  ethernet eth2 {
                                      address 192.168.2.254/24
                                      description "LAN 2"
                                      duplex auto
                                      speed auto
                                  }
                                  ethernet eth3 {
                                      duplex auto
                                      speed auto
                                  }
                                  loopback lo {
                                  }
                              }
                              port-forward {
                                  auto-firewall enable
                                  hairpin-nat disable
                                  wan-interface eth0
                              }
                              service {
                                  dhcp-server {
                                      disabled false
                                      hostfile-update disable
                                      shared-network-name LAN2 {
                                          authoritative enable
                                          subnet 192.168.2.0/24 {
                                              default-router 192.168.2.254
                                              dns-server 192.168.2.254
                                              lease 86400
                                              start 192.168.2.38 {
                                                  stop 192.168.2.43
                                              }
                                          }
                                      }
                                      static-arp disable
                                      use-dnsmasq disable
                                  }
                                  dns {
                                      forwarding {
                                          cache-size 10000
                                          listen-on eth1
                                          listen-on eth2
                                          name-server 1.1.1.1
                                          name-server 9.9.9.9
                                      }
                                  }
                                  gui {
                                      http-port 80
                                      https-port 443
                                      older-ciphers enable
                                  }
                                  nat {
                                      rule 5010 {
                                          description "masquerade for WAN"
                                          outbound-interface eth0
                                          type masquerade
                                      }
                                  }
                                  ssh {
                                      port 22
                                      protocol-version v2
                                  }
                                  unms {
                                      connection wss://
                                  }
                              }
                              system {
                                  domain-name ubnt
                                  gateway-address 10.10.10.1
                                  host-name ER4
                                  login {
                                      user ubnt {
                                          authentication {
                                              encrypted-password ubnt
                                          }
                                          level admin
                                      }
                                  }
                                  name-server 1.1.1.1
                                  name-server 9.9.9.9
                                  ntp {
                                      server 0.ubnt.pool.ntp.org {
                                      }
                                      server 1.ubnt.pool.ntp.org {
                                      }
                                      server 2.ubnt.pool.ntp.org {
                                      }
                                      server 3.ubnt.pool.ntp.org {
                                      }
                                  }
                                  offload {
                                      hwnat disable
                                      ipsec disable
                                  }
                                  syslog {
                                      global {
                                          facility all {
                                              level notice
                                          }
                                          facility protocols {
                                              level debug
                                          }
                                      }
                                  }
                                  time-zone UTC
                              }
                              vpn {
                                  ipsec {
                                      allow-access-to-local-interface disable
                                      auto-firewall-nat-exclude disable
                                      ipsec-interfaces {
                                          interface eth0
                                      }
                                  }
                                  l2tp {
                                      remote-access {
                                          authentication {
                                              local-users {
                                                  username hello {
                                                      password 1234
                                                  }
                                              }
                                              mode local
                                          }
                                          client-ip-pool {
                                              start 192.168.100.100
                                              stop 192.168.100.110
                                          }
                                          dns-servers {
                                              server-1 1.1.1.1
                                              server-2 9.9.9.9
                                          }
                                          idle 1800
                                          ipsec-settings {
                                              authentication {
                                                  mode pre-shared-secret
                                                  pre-shared-secret 1234
                                              }
                                              ike-lifetime 3600
                                              lifetime 3600
                                          }
                                          mtu 1492
                                          outside-address 10.10.10.10
                                      }
                                  }
                              }
                              
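The misconfiguration described in the "Figured out the issue" post and visible in the config dump above (WAN_LOCAL rule 30 "ike" carrying `state { invalid enable }`), as an added example that is not from the thread or from Ubiquiti: a small Python linter that parses an EdgeOS/Vyatta-style config dump, flags accept rules whose only state match is `invalid enable`, and emits the configure-mode command that removes the stray state block. The reason this matters is conntrack semantics: a fresh IKE packet arriving on UDP/500 is classified NEW, never INVALID, so an accept rule that matches only the INVALID state never fires and the packet falls through to WAN_LOCAL's `default-action drop`; the IPsec SA cannot be negotiated, which is consistent with the poster's finding that clearing the Invalid check mark made the L2TP client connect. `SAMPLE_CONFIG` is a constructed, shortened copy of the posted WAN_LOCAL ruleset (only rules 20, 30 and 40 are kept); the function names and the parser are mine, not EdgeOS tooling.

```python
"""Lint an EdgeOS (Vyatta-style) config dump for firewall accept rules that
match only the INVALID conntrack state.

Added example, not from the thread or from Ubiquiti.  SAMPLE_CONFIG is a
constructed, shortened copy of the WAN_LOCAL ruleset posted in the thread.
"""
import shlex
from typing import Any, Dict, List, Tuple

SAMPLE_CONFIG = """\
firewall {
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 20 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action accept
            description ike
            destination {
                port 500
            }
            log disable
            protocol udp
            state {
                invalid enable
            }
        }
        rule 40 {
            action accept
            description esp
            log disable
            protocol esp
        }
    }
}
"""

Node = Dict[str, Any]


def _set_leaf(node: Node, key: str, value: Any) -> None:
    """Store a leaf; repeated keys (e.g. several 'address' lines) become a list."""
    if key in node:
        prev = node[key]
        node[key] = (prev if isinstance(prev, list) else [prev]) + [value]
    else:
        node[key] = value


def parse_config(text: str) -> Node:
    """Parse the brace-delimited config into nested dicts.

    'key value'   -> leaf string
    'key'         -> bare flag stored as True (e.g. enable-default-log)
    'key {'       -> nested dict
    'key name {'  -> nested dict under key -> name (rule 30, name WAN_LOCAL)
    """
    root: Node = {}
    stack: List[Node] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in config")
            stack.pop()
            continue
        tokens = shlex.split(line)          # honours "quoted descriptions"
        if tokens[-1] == "{":
            node = stack[-1]
            for tok in tokens[:-1]:
                node = node.setdefault(tok, {})
            stack.append(node)
        elif len(tokens) == 1:
            _set_leaf(stack[-1], tokens[0], True)
        else:
            _set_leaf(stack[-1], tokens[0], " ".join(tokens[1:]))
    if len(stack) != 1:
        raise ValueError("unclosed '{' in config")
    return root


def find_invalid_only_rules(cfg: Node) -> List[Tuple[str, str, str]]:
    """Return (ruleset, rule, description) for every accept rule whose state
    match is exactly {invalid}.  A fresh IKE packet is conntrack state NEW,
    so such a rule can never admit it and it hits the default-action."""
    findings = []
    for ruleset, body in cfg.get("firewall", {}).get("name", {}).items():
        for rule_id, rule in body.get("rule", {}).items():
            state = rule.get("state", {})
            enabled = {k for k, v in state.items() if v == "enable"}
            if rule.get("action") == "accept" and enabled == {"invalid"}:
                findings.append((ruleset, rule_id, rule.get("description", "")))
    return findings


def remediation_commands(findings: List[Tuple[str, str, str]]) -> List[str]:
    """EdgeOS configure-mode commands that drop the stray state block
    (follow them with 'commit' and 'save')."""
    return [f"delete firewall name {rs} rule {rid} state" for rs, rid, _ in findings]


def apply_remediation(cfg: Node, findings: List[Tuple[str, str, str]]) -> Node:
    """Mirror the delete commands on the parsed tree so the result can be re-linted."""
    for rs, rid, _ in findings:
        cfg["firewall"]["name"][rs]["rule"][rid].pop("state", None)
    return cfg


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    hits = find_invalid_only_rules(cfg)
    for rs, rid, desc in hits:
        print(f"{rs} rule {rid} ({desc}): accept rule matches only state INVALID")
    for cmd in remediation_commands(hits):
        print(cmd)
```

Run it against `show configuration` output saved from the router (the posted dump works as-is); anything it reports is an accept rule that can never match a NEW flow. The same check applies to rules 40 (esp), 50 (nat-t) and 60 (l2tp) if a stray state block ends up on any of them.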