EdgeRouter 4: setting up L2TP server



  • I took a stock ER4 (fw 2.0.8), followed this guide, performed steps 1 to 7 & 9, Configured the L2TP Server

    When I try to connect from F31 VPN client, I get an error "Disconnected. VPN service failed to start"

    I've done this plenty of times with other ER-4's & they just work, the only difference being those ER-4's also have S2S VPN's.

    What step am I missing?



  • C'mon, where are all the ER experts?



  • @FATeknollogee said in EdgeRouter 4: setting up L2TP server:

    C'mon, where are all the ER experts?

    Super busy.

    This is a known (to me) issue on the ER line if there are no S2S

    I do not recall the solution off the top of my head. I have fixed it before.



  • @JaredBusch Thx for that heads up! Will try searching, maybe I'll get lucky!



  • When I was debugging this, I found that it was not getting a valid cipher or something I believe.



  • I just might have to put in some "fake" S2S config & move on?



  • It's strange that UBNT's docs/guides say nothing about this being an issue?





  • There has to be a line in the S2S config that "triggers" the VPN service ON?



  • Figured out the issue:

    Even though I copied/paste from here: https://help.ubnt.com/hc/en-us/articles/204950294-EdgeRouter-L2TP-IPsec-VPN-Server

    Looks like rule 30 did not copy correctly & I ended up with the check mark - State "Invalid".

    Once I unchecked "Invalid", VPN connects fine.

    Tomorrow, I'll wipe out the config & re-copy the rules, just to make sure I didn't mess up.




  • I reset the ER4 to factory default & started from scratch.

    Copy/paste (from UBNT site) of rule 30 does indeed set the "Invalid" check mark on the Advanced tab of Rule 30



  • @FATeknollogee said in EdgeRouter 4: setting up L2TP server:

    I reset the ER4 to factory default & started from scratch.

    Copy/paste (from UBNT site) of rule 30 does indeed set the "Invalid" check mark on the Advanced tab of Rule 30

    can you post the whole config?
    or is it already above?



  • @Dashrender

    firewall {
        all-ping enable
        broadcast-ping disable
        group {
            address-group trusted_IPs {
                address 1.2.3.4
                address 5.6.7.8
                address 9.10.11.12
                description "for remote GUI access"
            }
        }
        ipv6-name WANv6_IN {
            default-action drop
            description "WAN inbound traffic forwarded to LAN"
            enable-default-log
            rule 10 {
                action accept
                description "Allow established/related sessions"
                state {
                    established enable
                    related enable
                }
            }
            rule 20 {
                action drop
                description "Drop invalid state"
                state {
                    invalid enable
                }
            }
        }
        ipv6-name WANv6_LOCAL {
            default-action drop
            description "WAN inbound traffic to the router"
            enable-default-log
            rule 10 {
                action accept
                description "Allow established/related sessions"
                state {
                    established enable
                    related enable
                }
            }
            rule 20 {
                action drop
                description "Drop invalid state"
                state {
                    invalid enable
                }
            }
            rule 30 {
                action accept
                description "Allow IPv6 icmp"
                protocol ipv6-icmp
            }
            rule 40 {
                action accept
                description "allow dhcpv6"
                destination {
                    port 546
                }
                protocol udp
                source {
                    port 547
                }
            }
        }
        ipv6-receive-redirects disable
        ipv6-src-route disable
        ip-src-route disable
        log-martians enable
        name WAN_IN {
            default-action drop
            description "WAN to internal"
            rule 10 {
                action accept
                description "Allow established/related"
                state {
                    established enable
                    related enable
                }
            }
            rule 20 {
                action drop
                description "Drop invalid state"
                state {
                    invalid enable
                }
            }
        }
        name WAN_LOCAL {
            default-action drop
            description "WAN to router"
            rule 10 {
                action accept
                description "remote GUI"
                destination {
                    port 443
                }
                log disable
                protocol tcp
                source {
                    group {
                        address-group trusted_IPs
                    }
                }
            }
            rule 20 {
                action accept
                description "Allow established/related"
                state {
                    established enable
                    related enable
                }
            }
            rule 30 {
                action accept
                description ike
                destination {
                    port 500
                }
                log disable
                protocol udp
                state {
                    invalid enable
                }
            }
            rule 40 {
                action accept
                description esp
                log disable
                protocol esp
            }
            rule 50 {
                action accept
                description nat-t
                destination {
                    port 4500
                }
                log disable
                protocol udp
            }
            rule 60 {
                action accept
                description l2tp
                destination {
                    port 1701
                }
                ipsec {
                    match-ipsec
                }
                log disable
                protocol udp
            }
        }
        receive-redirects disable
        send-redirects enable
        source-validation disable
        syn-cookies enable
    }
    interfaces {
        ethernet eth0 {
            address 10.10.10.10/30
            description Internet
            duplex auto
            firewall {
                in {
                    ipv6-name WANv6_IN
                    name WAN_IN
                }
                local {
                    ipv6-name WANv6_LOCAL
                    name WAN_LOCAL
                }
            }
            speed auto
        }
        ethernet eth1 {
            address 10.15.20.254/24
            description "LAN 1"
            duplex auto
            speed auto
        }
        ethernet eth2 {
            address 192.168.2.254/24
            description "LAN 2"
            duplex auto
            speed auto
        }
        ethernet eth3 {
            duplex auto
            speed auto
        }
        loopback lo {
        }
    }
    port-forward {
        auto-firewall enable
        hairpin-nat disable
        wan-interface eth0
    }
    service {
        dhcp-server {
            disabled false
            hostfile-update disable
            shared-network-name LAN2 {
                authoritative enable
                subnet 192.168.2.0/24 {
                    default-router 192.168.2.254
                    dns-server 192.168.2.254
                    lease 86400
                    start 192.168.2.38 {
                        stop 192.168.2.43
                    }
                }
            }
            static-arp disable
            use-dnsmasq disable
        }
        dns {
            forwarding {
                cache-size 10000
                listen-on eth1
                listen-on eth2
                name-server 1.1.1.1
                name-server 9.9.9.9
            }
        }
        gui {
            http-port 80
            https-port 443
            older-ciphers enable
        }
        nat {
            rule 5010 {
                description "masquerade for WAN"
                outbound-interface eth0
                type masquerade
            }
        }
        ssh {
            port 22
            protocol-version v2
        }
        unms {
            connection wss://
        }
    }
    system {
        domain-name ubnt
        gateway-address 10.10.10.1
        host-name ER4
        login {
            user ubnt {
                authentication {
                    encrypted-password ubnt
                }
                level admin
            }
        }
        name-server 1.1.1.1
        name-server 9.9.9.9
        ntp {
            server 0.ubnt.pool.ntp.org {
            }
            server 1.ubnt.pool.ntp.org {
            }
            server 2.ubnt.pool.ntp.org {
            }
            server 3.ubnt.pool.ntp.org {
            }
        }
        offload {
            hwnat disable
            ipsec disable
        }
        syslog {
            global {
                facility all {
                    level notice
                }
                facility protocols {
                    level debug
                }
            }
        }
        time-zone UTC
    }
    vpn {
        ipsec {
            allow-access-to-local-interface disable
            auto-firewall-nat-exclude disable
            ipsec-interfaces {
                interface eth0
            }
        }
        l2tp {
            remote-access {
                authentication {
                    local-users {
                        username hello {
                            password 1234
                        }
                    }
                    mode local
                }
                client-ip-pool {
                    start 192.168.100.100
                    stop 192.168.100.110
                }
                dns-servers {
                    server-1 1.1.1.1
                    server-2 9.9.9.9
                }
                idle 1800
                ipsec-settings {
                    authentication {
                        mode pre-shared-secret
                        pre-shared-secret 1234
                    }
                    ike-lifetime 3600
                    lifetime 3600
                }
                mtu 1492
                outside-address 10.10.10.10
            }
        }
    }
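The fault found above (an accept rule for IKE that carries a `state { invalid enable }` matcher, which makes the rule match only invalid packets and so never lets IKE through) is easy to miss when reading a long config by eye. Below is an added example, not from this thread and not Ubiquiti's code, of a small Python linter that parses an EdgeOS `show configuration` dump into nested dicts, flags any accept rule whose state matcher has `invalid enable`, and checks that the four inbound matchers the UBNT L2TP/IPsec guide uses (udp/500, esp, udp/4500, udp/1701) are present. The embedded sample is a constructed, trimmed copy of the WAN_LOCAL ruleset posted above; the function names are the example's own, and the `delete firewall ...` line it suggests is standard EdgeOS configure-mode syntax.

```python
"""Lint an EdgeOS 'show configuration' dump for an accept rule that matches
state 'invalid' (the rule 30 mistake from this thread).  Added example, not
Ubiquiti's code; parser and checks are this example's own assumptions."""
import shlex

# Constructed sample: a trimmed copy of the WAN_LOCAL ruleset posted in the
# thread, with the broken 'invalid enable' matcher still on rule 30.
SAMPLE = """\
firewall {
    name WAN_LOCAL {
        default-action drop
        rule 20 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action accept
            description ike
            destination {
                port 500
            }
            protocol udp
            state {
                invalid enable
            }
        }
        rule 40 {
            action accept
            protocol esp
        }
        rule 50 {
            action accept
            destination {
                port 4500
            }
            protocol udp
        }
        rule 60 {
            action accept
            destination {
                port 1701
            }
            ipsec {
                match-ipsec
            }
            protocol udp
        }
    }
}
system {
    name-server 1.1.1.1
    name-server 9.9.9.9
}
"""


def _add(node, key, value):
    """Store value under key; repeated keys (name-server, address) become lists."""
    if key in node:
        if not isinstance(node[key], list):
            node[key] = [node[key]]
        node[key].append(value)
    else:
        node[key] = value


def parse_edgeos(text):
    """Parse the brace format of 'show configuration' into nested dicts.
    'key {' opens a dict, 'key value' is a string leaf, a bare keyword
    such as match-ipsec becomes True."""
    root, stack = {}, [{}]
    stack[0] = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            _add(stack[-1], line[:-1].strip(), child)  # e.g. 'rule 30'
            stack.append(child)
        else:
            parts = shlex.split(line)  # handles quoted descriptions
            _add(stack[-1], parts[0], True if len(parts) == 1 else " ".join(parts[1:]))
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def firewall_rules(config):
    """Yield (ruleset_name, rule_number, rule_dict) for every IPv4/IPv6 ruleset."""
    for key, ruleset in config.get("firewall", {}).items():
        if isinstance(ruleset, dict) and key.split()[0] in ("name", "ipv6-name"):
            for rkey, rule in ruleset.items():
                if rkey.startswith("rule ") and isinstance(rule, dict):
                    yield key.split(None, 1)[1], int(rkey.split()[1]), rule


def accept_invalid_rules(config):
    """Accept rules that only match invalid-state packets: (ruleset, number)."""
    return [(name, num) for name, num, rule in firewall_rules(config)
            if rule.get("action") == "accept"
            and isinstance(rule.get("state"), dict)
            and rule["state"].get("invalid") == "enable"]


def l2tp_ipsec_coverage(config, ruleset="WAN_LOCAL"):
    """Which of the guide's four inbound accept matchers exist in the ruleset."""
    seen = {"udp/500": False, "esp": False, "udp/4500": False, "udp/1701": False}
    for name, _, rule in firewall_rules(config):
        if name != ruleset or rule.get("action") != "accept":
            continue
        dest = rule.get("destination")
        port = dest.get("port") if isinstance(dest, dict) else None
        key = "esp" if rule.get("protocol") == "esp" else f"udp/{port}"
        if rule.get("protocol") in ("esp", "udp") and key in seen:
            seen[key] = True
    return seen


def fix_commands(hits):
    """EdgeOS configure-mode commands that drop the stray matcher."""
    return [f"delete firewall name {name} rule {num} state invalid" for name, num in hits]


if __name__ == "__main__":
    cfg = parse_edgeos(SAMPLE)
    for cmd in fix_commands(accept_invalid_rules(cfg)):
        print(cmd)
    print(l2tp_ipsec_coverage(cfg))
```

Run it against a real dump with `parse_edgeos(open("config.txt").read())`; the deletes it prints are followed by `commit` and `save` in configure mode, which is the CLI equivalent of unchecking "Invalid" on the Advanced tab as done above.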
    
