When you need secure remote access for developers, administrators, or branch offices, configuring L2TP over IPsec on a Ubiquiti EdgeOS (EdgeRouter) is a proven, interoperable choice. This guide provides a detailed, step-by-step configuration using both the EdgeOS GUI and CLI, covers best practices for authentication and firewalling, and includes practical troubleshooting tips. The instructions target system administrators, site operators, and developers who manage EdgeRouter environments in production.
Overview and design decisions
L2TP by itself is not encrypted, so it is normally deployed as L2TP over IPsec (also called L2TP/IPsec). The design presented here uses a pre-shared key (PSK) for IPsec and local username/passwords (PAP or CHAP) for PPP authentication. This approach offers broad client compatibility (Windows, macOS, Linux, Android, iOS) and straightforward management for small-to-medium deployments.
Before starting, consider these choices:
- Authentication: PSK for IPsec and local user database for PPP. For larger deployments, integrate RADIUS.
- IP addressing: Use a dedicated private subnet for VPN clients (e.g., 10.10.10.0/24) to avoid routing conflicts with LANs.
- Firewalling: Explicitly allow UDP 500 (IKE) and UDP 4500 (NAT-T) to the router, plus IP protocol 50 (ESP) for clients that are not behind NAT; when NAT is in the path the ESP traffic travels inside UDP 4500, so that port is essential.
- NAT: If the EdgeRouter is behind another NAT device, additional NAT traversal considerations apply. Prefer public IP on the EdgeRouter WAN for simplicity.
Pre-configuration checklist
Confirm the following before applying configuration:
- Your EdgeRouter firmware is up to date. EdgeOS versions differ in CLI syntax—this guide assumes a modern EdgeOS 1.10+ environment.
- You have administrative access (SSH or GUI) to the EdgeRouter.
- WAN interface name (for examples we use eth0) and LAN interface (eth1) are known. Replace these values with your actual interface names.
- A dedicated subnet for VPN clients (we use 10.10.10.0/24) is available and does not overlap existing networks.
- Decide PSK (strong string) and at least one VPN account with a username and password.
Step 1 — Create PPP (L2TP) profile and local user(s)
Using the GUI: navigate to Services > VPN > L2TP Server (if present) and add the user(s) and IP pool.
Using the CLI, create a PPP profile and local user entries. Replace the username and password values accordingly.
Example CLI steps (in configure mode; apply line by line, then commit and save):
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username vpnuser password strongVPNpassword
set vpn l2tp remote-access client-ip-pool start 10.10.10.10
set vpn l2tp remote-access client-ip-pool stop 10.10.10.250
set vpn l2tp remote-access dns-servers server-1 8.8.8.8
Note: The L2TP server lives under ‘vpn l2tp remote-access’; the ‘service pptp’ paths seen in some write-ups configure the separate PPTP server. The client pool is given as a start/stop range inside the VPN subnet, not as a CIDR. Do not create VPN accounts with ‘set system login user’: that grants an administrative login on the router itself, not a VPN account; VPN users belong under ‘authentication local-users’. If a command is rejected on your firmware, use Tab completion after ‘set vpn l2tp remote-access’ to see the options your release supports, and confirm the result with ‘show configuration commands | match l2tp’.
Step 2 — Configure IPsec for L2TP
L2TP uses IPsec for encryption. Configure a policy and pre-shared key. Choose robust transforms: AES-GCM or AES-CBC with SHA256 and DH group 14 or better.
CLI example (replace yourpsk with your pre-shared key and eth0 with your WAN interface):
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group L2TP-ESP proposal 1 encryption aes256
set vpn ipsec esp-group L2TP-ESP proposal 1 hash sha256
set vpn ipsec ike-group L2TP-IKE proposal 1 encryption aes256
set vpn ipsec ike-group L2TP-IKE proposal 1 hash sha256
set vpn ipsec ike-group L2TP-IKE proposal 1 dh-group 14
set vpn ipsec ike-group L2TP-IKE lifetime 3600
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret yourpsk
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access outside-address 0.0.0.0
Note: ‘nat-networks allowed-network 0.0.0.0/0’ lets clients connect from behind any private network, and ‘auto-firewall-nat-exclude enable’ keeps the router’s own NAT and firewall rules from rewriting IPsec traffic. ‘outside-address’ is the WAN address the L2TP server listens on: 0.0.0.0 listens on any address and is the usual choice for a dynamic (DHCP/PPPoE) WAN; with a static WAN IP set it explicitly. Remote-access clients do not use a site-to-site peer entry. The named ESP/IKE groups express the recommended transforms; whether the remote-access L2TP service can be bound to them depends on the firmware release (check the options under ‘set vpn l2tp remote-access ipsec-settings’ with Tab completion). Where it cannot, the built-in L2TP/IPsec proposals are used and the groups are inert.
Important IPsec settings and rationale
- ESP group: AES-256 with SHA-256 provides a good balance of security and performance.
- IKE group: Symmetric to ESP; DH group 14+ recommended.
- NAT traversal: UDP 4500 support is necessary when clients are behind NAT. With ‘set vpn ipsec nat-traversal enable’ in place, EdgeOS detects the NAT during IKE and carries ESP inside UDP 4500 automatically.
Step 3 — Firewall rules and NAT
Open the required ports on the WAN firewall: UDP 500 (IKE), UDP 4500 (NAT-T), and allow IPsec ESP traffic (protocol 50) where applicable. Then allow L2TP user traffic into the LAN resources they need.
Essential rule examples:
- Allow UDP 500 and UDP 4500 from any to WAN interface.
- Allow ESP (IP protocol 50) if using ESP (not required when NAT-T is used but still recommended for non-NAT paths).
- Create rules to permit traffic from the VPN client subnet to the internal networks (e.g., allow 10.10.10.0/24 to 192.168.1.0/24).
Also enable masquerade/NAT for outgoing traffic from the VPN subnet if the EdgeRouter routes those packets out to the internet:
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 10.10.10.0/24
set nat source rule 100 translation address masquerade
Step 4 — Verify routing and DNS
Ensure the EdgeRouter has routes to the networks VPN clients should access. Whether all client traffic goes through the VPN (full tunnel) is decided on the client side (the ‘use default gateway on remote network’ option in most L2TP clients); when it is, the EdgeRouter needs the source NAT rule from Step 3 to forward that traffic to the internet. To push DNS to clients, specify DNS servers in the L2TP remote-access configuration.
Verify with these checks:
- EdgeRouter routing table contains routes to internal subnets reachable by VPN clients.
- The DNS servers pushed to VPN clients are correct (e.g., 8.8.8.8 or an internal DNS server IP that is itself reachable from the client subnet).
Step 5 — Test connectivity from a client
On a test client (Windows/macOS/iOS/Android), create an L2TP/IPsec VPN profile with the following parameters:
- Server: public IP or FQDN of the EdgeRouter.
- Account: vpnuser (or the username you configured).
- Password: the user password you set up.
- IPsec pre-shared key: yourpsk.
- Encryption: Enabled/match server algorithms.
Attempt to connect and validate:
- IP address assignment in the 10.10.10.0/24 range.
- Ability to ping internal resources (e.g., 192.168.1.1).
- Correct DNS resolution if DNS was pushed.
Troubleshooting checklist
If the connection fails, apply the following systematic checks:
- IPsec negotiation: On the EdgeRouter, run show vpn ipsec sa (or check the GUI’s VPN status) to see IKE/ESP SA pairs. If there are no SAs, the IPsec negotiation failed—check PSK and IKE policy symmetry.
- Ports and NAT: Verify UDP 500 and 4500 are not blocked by upstream NAT/firewall. Use packet capture on the WAN interface to confirm incoming packets.
- PPP authentication: Confirm the username/password exist and authentication mode matches (local vs RADIUS). Look at system logs for PPP authentication failures.
- IP addresses and routing: Ensure no overlapping networks and that the EdgeRouter has routes for client-destined networks. Use traceroute from client and router to trace path.
- MTU issues: L2TP/IPsec adds per-packet overhead; if connections stall on large transfers, lower the L2TP MTU (e.g., set vpn l2tp remote-access mtu 1400) or clamp TCP MSS under ‘firewall options mss-clamp’.
Hardening and operational tips
Operationally secure and maintain your L2TP/IPsec deployment with these practices:
- Use a strong, randomly generated PSK and rotate it periodically.
- Prefer per-user certificates or RADIUS with EAP for scale and improved security if feasible.
- Limit user access by firewall rules (least privilege) and log VPN activity for auditing.
- Monitor VPN session counts and resource utilization on the EdgeRouter to avoid overloads.
- Apply firmware updates during maintenance windows to get security and stability fixes.
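One way to enforce the least-privilege tip above on EdgeOS, added here as an example rather than the guide’s own configuration. It assumes the client pool 10.10.10.0/24 from this guide, a LAN on eth1, and a constructed internal host 192.168.1.10 that VPN users may reach over HTTPS only; the ruleset is attached in the out direction of the LAN interface, which catches VPN client traffic regardless of which l2tpN interface it arrives on.

```text
# Added example: least-privilege policy for L2TP clients (10.10.10.0/24).
# 192.168.1.10 is a constructed internal host; eth1 is the LAN interface.
set firewall name VPN_TO_LAN description "L2TP clients may only reach approved services"
set firewall name VPN_TO_LAN default-action accept
set firewall name VPN_TO_LAN rule 10 action accept
set firewall name VPN_TO_LAN rule 10 description "Replies to existing sessions"
set firewall name VPN_TO_LAN rule 10 state established enable
set firewall name VPN_TO_LAN rule 10 state related enable
set firewall name VPN_TO_LAN rule 20 action accept
set firewall name VPN_TO_LAN rule 20 description "VPN users to internal HTTPS app"
set firewall name VPN_TO_LAN rule 20 protocol tcp
set firewall name VPN_TO_LAN rule 20 source address 10.10.10.0/24
set firewall name VPN_TO_LAN rule 20 destination address 192.168.1.10
set firewall name VPN_TO_LAN rule 20 destination port 443
set firewall name VPN_TO_LAN rule 30 action drop
set firewall name VPN_TO_LAN rule 30 description "Drop and log all other VPN-to-LAN traffic"
set firewall name VPN_TO_LAN rule 30 source address 10.10.10.0/24
set firewall name VPN_TO_LAN rule 30 log enable
set interfaces ethernet eth1 firewall out name VPN_TO_LAN
```

The default action stays accept so that forwarded traffic from other sources (for example port forwards that WAN_IN has already vetted) is untouched; only packets from the VPN pool fall through to the logged drop in rule 30. Add one accept rule per approved service instead of a blanket allow to 192.168.1.0/24, and feed the rule 30 log entries into the auditing mentioned above. Traffic from VPN clients to the router itself is a separate local-direction ruleset and is not covered here.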
Sample minimal verification commands (CLI)
After configuration, these status commands give a quick health check:
show vpn ipsec sa
show vpn ipsec status
show interfaces
show log | match ppp
show log | match ipsec
(adjust the match strings to the logging facilities of your EdgeOS release)
Use packet capture on the WAN interface for UDP/ESP traffic for deeper debugging.
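A concrete capture and status check for the troubleshooting list above, added here and not part of the original guide; eth0 is the WAN interface from the checklist, and tcpdump is run with sudo from the EdgeOS operational shell.

```text
# Added example: watch the WAN for the three flows an L2TP/IPsec client produces.
# IKE starts on UDP 500; once a NAT is detected everything moves to UDP 4500;
# a client with a public address stays on ESP (IP protocol 50), which has no port.
sudo tcpdump -ni eth0 'udp port 500 or udp port 4500 or esp'
# Then confirm the SA came up and the PPP session authenticated:
show vpn ipsec sa
show vpn remote-access
show log | match xl2tpd
show log | match pppd
```

Seeing UDP 500 arrive but never UDP 4500 or ESP points at a PSK or proposal mismatch on the IPsec side; an SA present in ‘show vpn ipsec sa’ with no session in ‘show vpn remote-access’ points at the PPP layer, where the pppd log lines show the authentication failure.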
Wrap-up
Deploying L2TP over IPsec on Ubiquiti EdgeOS gives administrators a widely compatible VPN solution suitable for remote workers and site-to-site tunnels with endpoint devices that support L2TP/IPsec. Follow the configuration sequence—PPP profile and users, IPsec policies and PSK, firewall and NAT rules, and finally careful testing and monitoring—to achieve a robust and secure deployment. For production environments or large user bases, consider adding RADIUS authentication and certificate-based IPsec to improve manageability and security.
For more practical VPN guides, tools, and tips tailored to site owners and network administrators, visit Dedicated-IP-VPN at https://dedicated-ip-vpn.com/.