EdgeMAX EdgeRouter – L2TP IPSec VPN Server

Source EdgeRouter – L2TP IPsec VPN Server

Applicable to the latest EdgeOS firmware on all EdgeRouter models using CLI mode. L2TP setup is not configurable on web interface.

Enter configuration mode

configure

Configure the server authentication settings (replace with your desired passphrases).

set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>

set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username <username> password <secret>

Define the IP address pool that will be used by the VPN clients.

set vpn l2tp remote-access client-ip-pool start 192.168.100.240
set vpn l2tp remote-access client-ip-pool stop 192.168.100.249

Define the DNS server(s) that will be used by the VPN clients.

set vpn l2tp remote-access dns-servers server-1 <ip-address>
set vpn l2tp remote-access dns-servers server-2 <ip-address>

Define the WAN interface which will receive L2TP requests from clients.

Configure only one of the following statements. Decide on which command is best for your situation using these options:

(A) Your WAN interface receives an address through DHCP

set vpn l2tp remote-access dhcp-interface eth0

(B) Your WAN interface is configured with a static address

set vpn l2tp remote-access outside-address 203.0.113.1

(C) Your WAN interface receives an address through PPPoE

set vpn l2tp remote-access outside-address 0.0.0.0

Define the IPsec interface which will receive L2TP requests from clients.

set vpn ipsec ipsec-interfaces interface eth0

(Optional) Lower the MTU for L2TP traffic.

set vpn l2tp remote-access mtu <mtu-value>

Commit the changes and save the configuration.

commit ; save

You can verify the VPN settings using the following commands from operational mode:

show firewall name WAN_LOCAL statistics
show vpn remote-access
show vpn ipsec sa
show interfaces
show log | match 'xl2tpd|pppd'