I just spent the better part of 3 hours tracking down the CLI commands necessary to clear out any old VPN settings and set up just the L2TP VPN server on a Ubiquiti Edgemax device running firmware 1.7.1. I gathered all of it in one place here for reference.
1. Connect via SSH
Open either the web portal and click the CLI option (it does not allow you to paste) or, better yet, download PuTTY and connect over SSH that way.

2. Show Running VPN Configurations
Enter configuration mode with configure and show the existing vpn configuration.

3. Delete VPN Configurations
In configuration mode (configure), remove the old VPN settings.

4. L2TP Server Configuration
In configuration mode, enter the script shown at the end of this post, then commit. The comments in the script explain each block:
- change eth1 (eth0 in the script below) to whatever is the external interface port of the Edgemax
- add local users for L2TP
- set a range of IP addresses that are not being used by your LAN DHCP
- set the DNS servers to give out over DHCP for VPN name resolution
- set the authentication mode for L2TP
- set the L2TP listening address to the WAN IP and WAN gateway
- optionally set the MTU; I do this just in case the clients end up on DSL or T1

5. Add the Firewall Rules for L2TP Traffic
Open the web browser of your choice and enter the LAN IP of the Edgemax to log in to the portal.

6. Configure Windows L2TP VPN
On the Windows box that needs to VPN into the Ubiquiti, create a new VPN connection using the wizard, then go to ncpa.cpl and set the properties on the VPN connection. Specifically three settings:

7. Test the connection
Enable the VPN connection, enter the username and password you created when setting up the local users on the Ubiquiti Edgemax box, and hit connect. You should now be connected, but the tunnel will not come live until you ping across it or try to access resources on the LAN.
Conclusion
In conclusion, I found that all the information was in bits and pieces scattered throughout the internet, and the docs on the Ubiquiti Wiki were incomplete.
Hopefully, if someone else needs to configure VPN for their Ubiquiti device, this will help.
Here is the actual script I used:
configure
# Bind IPsec to the external (WAN) interface; change eth0 to match your Edgemax
set vpn ipsec ipsec-interfaces interface eth0
# Allow clients connecting from behind NAT and enable NAT traversal (UDP 4500)
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
# Authenticate L2TP users against the local user database
set vpn l2tp remote-access authentication mode local
# Add local users for L2TP
set vpn l2tp remote-access authentication local-users username Remote password f@stsigns613
# Set a range of IP addresses that are not being used by your LAN DHCP
set vpn l2tp remote-access client-ip-pool start 192.168.2.200
set vpn l2tp remote-access client-ip-pool stop 192.168.2.220
# Set the DNS servers to give out over DHCP for VPN name resolution
set vpn l2tp remote-access dns-servers server-1 192.168.1.1
set vpn l2tp remote-access dns-servers server-2 1.1.1.1
# Set the IPsec authentication mode to a pre-shared secret and the IKE lifetime
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret f@stsigns613
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
# Set the L2TP listening address to the WAN IP and WAN gateway
set vpn l2tp remote-access outside-address 66.76.177.176
set vpn l2tp remote-access outside-nexthop 66.76.177.1
# Optional to set the MTU, but I do this just in case they end up on DSL or T1
set vpn l2tp remote-access mtu 1492
commit
save
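The step that bites people most in this script is the client-ip-pool: if it overlaps the LAN DHCP range, VPN clients and LAN hosts end up with duplicate addresses. Here is a small POSIX sh check, added as an example and not part of the original post, that you can run on any workstation before pasting the script into the Edgemax. The pool values mirror the script above; the LAN DHCP range (192.168.2.100-199) is a constructed placeholder, so substitute your own.

```shell
#!/bin/sh
# Added example: sanity-check the L2TP client-ip-pool against the LAN DHCP
# range before running "commit" on the Edgemax.

# Convert a dotted-quad IPv4 address to its 32-bit integer value.
ip2int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# pool_check POOL_START POOL_STOP DHCP_START DHCP_STOP
# Returns 0 when the pool is well ordered (start <= stop) and does not
# overlap the DHCP range, 1 otherwise (with a reason on stderr).
pool_check() {
    pool_lo=$(ip2int "$1"); pool_hi=$(ip2int "$2")
    dhcp_lo=$(ip2int "$3"); dhcp_hi=$(ip2int "$4")
    if [ "$pool_lo" -gt "$pool_hi" ]; then
        echo "client-ip-pool start is after stop" >&2
        return 1
    fi
    # Two ranges are disjoint only when one lies entirely before the other.
    if [ "$pool_hi" -lt "$dhcp_lo" ] || [ "$pool_lo" -gt "$dhcp_hi" ]; then
        return 0
    fi
    echo "client-ip-pool overlaps the LAN DHCP range" >&2
    return 1
}

# Pool from the script above vs a constructed LAN DHCP range (placeholder).
pool_check 192.168.2.200 192.168.2.220 192.168.2.100 192.168.2.199 \
    && echo "client-ip-pool OK"
```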