• 2 Votes
    3 Posts
    2k Views
black3dynamite

    Just received a new update fix

  • EdgeRouter 4: setting up L2TP server

    IT Discussion
    13
    1 Votes
    13 Posts
    1k Views
FATeknollogee

    @Dashrender

    firewall { all-ping enable broadcast-ping disable group { address-group trusted_IPs { address 1.2.3.4 address 5.6.7.8 address 9.10.11.12 description "for remote GUI access" } } ipv6-name WANv6_IN { default-action drop description "WAN inbound traffic forwarded to LAN" enable-default-log rule 10 { action accept description "Allow established/related sessions" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } } ipv6-name WANv6_LOCAL { default-action drop description "WAN inbound traffic to the router" enable-default-log rule 10 { action accept description "Allow established/related sessions" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } rule 30 { action accept description "Allow IPv6 icmp" protocol ipv6-icmp } rule 40 { action accept description "allow dhcpv6" destination { port 546 } protocol udp source { port 547 } } } ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name WAN_IN { default-action drop description "WAN to internal" rule 10 { action accept description "Allow established/related" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } } name WAN_LOCAL { default-action drop description "WAN to router" rule 10 { action accept description "remote GUI" destination { port 443 } log disable protocol tcp source { group { address-group trusted_IPs } } } rule 20 { action accept description "Allow established/related" state { established enable related enable } } rule 30 { action accept description ike destination { port 500 } log disable protocol udp state { invalid enable } } rule 40 { action accept description esp log disable protocol esp } rule 50 { action accept description nat-t destination { port 4500 } log disable protocol udp } rule 60 { action accept description l2tp 
destination { port 1701 } ipsec { match-ipsec } log disable protocol udp } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { ethernet eth0 { address 10.10.10.10/30 description Internet duplex auto firewall { in { ipv6-name WANv6_IN name WAN_IN } local { ipv6-name WANv6_LOCAL name WAN_LOCAL } } speed auto } ethernet eth1 { address 10.15.20.254/24 description "LAN 1" duplex auto speed auto } ethernet eth2 { address 192.168.2.254/24 description "LAN 2" duplex auto speed auto } ethernet eth3 { duplex auto speed auto } loopback lo { } } port-forward { auto-firewall enable hairpin-nat disable wan-interface eth0 } service { dhcp-server { disabled false hostfile-update disable shared-network-name LAN2 { authoritative enable subnet 192.168.2.0/24 { default-router 192.168.2.254 dns-server 192.168.2.254 lease 86400 start 192.168.2.38 { stop 192.168.2.43 } } } static-arp disable use-dnsmasq disable } dns { forwarding { cache-size 10000 listen-on eth1 listen-on eth2 name-server 1.1.1.1 name-server 9.9.9.9 } } gui { http-port 80 https-port 443 older-ciphers enable } nat { rule 5010 { description "masquerade for WAN" outbound-interface eth0 type masquerade } } ssh { port 22 protocol-version v2 } unms { connection wss:// } } system { domain-name ubnt gateway-address 10.10.10.1 host-name ER4 login { user ubnt { authentication { encrypted-password ubnt } level admin } } name-server 1.1.1.1 name-server 9.9.9.9 ntp { server 0.ubnt.pool.ntp.org { } server 1.ubnt.pool.ntp.org { } server 2.ubnt.pool.ntp.org { } server 3.ubnt.pool.ntp.org { } } offload { hwnat disable ipsec disable } syslog { global { facility all { level notice } facility protocols { level debug } } } time-zone UTC } vpn { ipsec { allow-access-to-local-interface disable auto-firewall-nat-exclude disable ipsec-interfaces { interface eth0 } } l2tp { remote-access { authentication { local-users { username hello { password 1234 } } mode local } client-ip-pool { 
start 192.168.100.100 stop 192.168.100.110 } dns-servers { server-1 1.1.1.1 server-2 9.9.9.9 } idle 1800 ipsec-settings { authentication { mode pre-shared-secret pre-shared-secret 1234 } ike-lifetime 3600 lifetime 3600 } mtu 1492 outside-address 10.10.10.10 } } }
  • ZeroTier vs VPN

    IT Discussion
    18
    0 Votes
    18 Posts
    5k Views
Kelly

    @Pete-S said in ZeroTier vs VPN:

    @Kelly said in ZeroTier vs VPN:

    In the strictest sense ZT is a VPN. It is just a one to one IaaS that is routed through the cloud on ZT's systems instead of your edge. You can achieve the same effective security through rules on most VPN servers. ZT just makes it simpler, and reduces your ongoing effort assuming that 1 to 1 or 1 to few is your primary access model.

I haven't used it, but why does ZT make it easier? You have to install it on every machine you want access to, right? And I assume you have to set up some kind of routing on a computer if you want access to something on the network where you can't install ZT, like an appliance or something like an iLO interface.

    With an OpenVPN (SSL VPN) connection through the firewall you have a routable VPN and no NAT problems. You can put whatever access to whatever resources you want without installing anything anywhere. And you have everything in one place.

I thought ZT was a peer-to-peer network. So it would make most sense when there are no LAN or central resources and everything is spread out. But that's not the network layout in this case.

    You do have to install it on every machine. It is easier in the sense that to achieve the same level of lockdown paired with user specific access you would need to do a fair bit of work on your edge and keep it maintained. Deploying software to clients should be pretty straightforward if you're using quality tools: https://chocolatey.org/packages/zerotier-one.

  • 2 Votes
    28 Posts
    3k Views
JaredBusch

    @Pete-S said in Packet loss when connected to L2TP/IPsec VPn:

    @Romo said in Packet loss when connected to L2TP/IPsec VPn:

This same issue is happening today once again, the VPN is connecting properly but I can't properly reach anything on the local LAN or the internet.

    You should just buy a new edge router to exclude any hardware issues.

    Valid option. The cost is minimal compared to the time you are spending.

  • 1 Votes
    9 Posts
    859 Views
wrx7m

    @Romo said in Smb transfer through IPSec/L2TP VPN get's terminated.:

    @wrx7m Probably a lot less since during that time nothing else would be running. While currently the whole office was working regularly.

    Can you manually run the morning job to see what happens?

  • 2 Votes
    23 Posts
    5k Views
JaredBusch

    @romo said in EdgeRouter L2TP VPN can't pass IKE phase 1:

    A DNAT rule was the culprit of everything, it was redirecting the traffic and not letting it reach WAN_LOCAL.

    FINALLY SOLVED!!!!!!!!!!!!!!!!!!!!!!!!!

As a reminder for anyone who could encounter a similar issue:
    DNAT rules are evaluated before firewall rules.

Yes, this is a known function of VyOS/EdgeOS. But nothing was ever posted about DNAT rules in use, so I assumed there were none. There are not by default.

  • 2 Votes
    17 Posts
    5k Views
JaredBusch

    @gjacobse said in Help troubleshooting L2TP over IPSEC VPN connections.:

Jeeze... that is a sad state to think that we have been fighting this for that long...

    @JaredBusch @scottalanmiller
    Can a cron be set to restart the ipsec every 24 hours?

    Yes.

  • 2 Votes
    11 Posts
    3k Views
JaredBusch

    @bbigford said in Does any one have a EdgeRouter 4 online and can test L2TP:

    Any insight on maybe why that worked? I've had issues with the default group on another manufacturer, but I wouldn't think 14 was default.

    It worked prior to changing to DH 14 on my iPhone.

    I had to add a proposal with DH 14 for Windows 10 to work.

  • 1 Votes
    13 Posts
    2k Views
FATeknollogee

    Did you use the Libreswan or Strongswan setting in your previous post?

  • 6 Votes
    6 Posts
    13k Views
AdamF

    No problem!

  • 0 Votes
    7 Posts
    2k Views
scottalanmiller

    @coliver said:

    Do VPN connections get created/torn down with every communication? Or are they persistent until the device disconnects?

    Normally neither. They are normally persistent until a certain amount of time, then they tear down when idle. Might be hours or days. That way they don't remain absolutely forever, but normally a very long time.

  • VPN Connect continually drops

    Unsolved IT Discussion
    49
    1 Votes
    49 Posts
    9k Views
    J

    @gjacobse said:

    I was informed that he is about 20' from the router on Wireless, but that TWC is to be onsite today to setup / move the equipment and then he will be within 5' of it.

Just hope it's not too close and overloads the wireless radios.

  • Comparison of VPN Security

    News
    23
    1 Votes
    23 Posts
    8k Views
RojoLoco

We recently had to set up an L2TP tunnel for our Apple devices, since the last iOS 10 update took PPTP out of the picture. It was a huge PITA too, because I didn't figure out for a while that the secondary tunnel wouldn't let me reuse existing user accounts in our WatchGuard.... that was some fun trial and error. And the WG how-tos never specified anything about needing different user accounts. It sucks to do all the steps right and then get login errors... makes ya feel like an amateur.