Source EdgeRouter – L2TP IPsec VPN Server
Applicable to the latest EdgeOS firmware on all EdgeRouter models using CLI mode. L2TP setup is not configurable on web interface.
Enter configuration mode
Configure the server authentication settings (replace with your desired passphrases).
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret> set vpn l2tp remote-access authentication mode local set vpn l2tp remote-access authentication local-users username <username> password <secret>
Define the IP address pool that will be used by the VPN clients.
set vpn l2tp remote-access client-ip-pool start 192.168.100.240 set vpn l2tp remote-access client-ip-pool stop 192.168.100.249
Define the DNS server(s) that will be used by the VPN clients.
set vpn l2tp remote-access dns-servers server-1 <ip-address> set vpn l2tp remote-access dns-servers server-2 <ip-address>
Define the WAN interface which will receive L2TP requests from clients.
Configure only one of the following statements. Decide on which command is best for your situation using these options:
(A) Your WAN interface receives an address through DHCP
set vpn l2tp remote-access dhcp-interface eth0
(B) Your WAN interface is configured with a static address
set vpn l2tp remote-access outside-address 203.0.113.1
(C) Your WAN interface receives an address through PPPoE
set vpn l2tp remote-access outside-address 0.0.0.0
Define the IPsec interface which will receive L2TP requests from clients.
set vpn ipsec ipsec-interfaces interface eth0
(Optional) Lower the MTU for L2TP traffic.
set vpn l2tp remote-access mtu <mtu-value>
Commit the changes and save the configuration.
commit ; save
You can verify the VPN settings using the following commands from operational mode:
show firewall name WAN_LOCAL statistics show vpn remote-access show vpn ipsec sa show interfaces show log | match 'xl2tpd|pppd'