EdgeRouter X VPN Setup Cannot Get Working

Hello all. About to start pulling my hair out. I am trying to set up an L2TP/IPsec VPN on my home EdgeRouter X SFP to access my NVR system, but I am stuck and cannot get a connection from my phone. I am confused on a few things. I am using residential Comcast Xfinity. My home IP has not changed in over a year; not sure if this means I have a static IP or not. Can someone give me any tips on my config? I tried to follow the link below from the Ubiquiti support site.

https://help.ubnt.com/hc/en-us/articles/204950294-EdgeRouter-L2TP-IPsec-VPN-Server

Should my interface be my external IP address or should my outside address be this?

Should my client-ip-pool have IP addresses outside of my router DHCP range?

Should I use an external DNS server or my local router DNS?

XXXXX@HomeEDGEMAX# show vpn ipsec
 ipsec-interfaces {
     interface 73.135.146.121
 }
 nat-networks {
     allowed-network 0.0.0.0/0 {
     }
 }
 nat-traversal enable
[edit]
XXXXXXX@HomeEDGEMAX# show vpn l2tp
 remote-access {
     authentication {
         local-users {
             username XXXXXXXXXX {
                 password XXXXXXXXX
             }
         }
         mode local
     }
     client-ip-pool {
         start 192.168.1.90
         stop 192.168.1.95
     }
     dns-servers {
         server-1 192.168.1.1
         server-2 8.8.8.8
     }
     ipsec-settings {
         authentication {
             mode pre-shared-secret
             pre-shared-secret XXXXXXXX
         }
         ike-lifetime 3600
     }
     outside-address 73.135.146.121
 }
[edit]
XXXXXX@HomeEDGEMAX#

IPsec interface should be eth0 or whatever you use on the ERX. Outside address is the public IP; you're good. Have you opened firewall ports as well?

For DHCP you can use a different subnet like 192.168.2.20-30.

For DNS use one that is accessible from inside.

For Android access you need to require mschap-v2 in the IPsec settings as well.

Hi there,

Can you provide us the sanitized configuration of the EdgeRouter? I recommend sanitizing the public IP addresses from your original post as well.

-Ben

Update: I am now able to get the VPN connected when I am on the same network (Android phone is now connecting when Wi-Fi is on). Still not working with Wi-Fi off, though.

That public IP was changed to something random. Please see the config below.

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description IKE
            destination {
                port 500
            }
            log disable
            protocol udp
            source {
            }
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 40 {
            action accept
            description L2TP
            destination {
                port 1701
            }
            log disable
            protocol udp
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 50 {
            action accept
            description NAT-T
            destination {
                port 4500
            }
            log disable
            protocol udp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 60 {
            action accept
            description ESP
            log disable
            protocol esp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}

Try removing the firewall states from WAN_LOCAL rules 30, 40, 50 and 60. Rule 30, for example, only allows established/related traffic.

It is possible that you have overwritten some existing firewall policies when adding the L2TP rules.

The L2TP outside-nexthop can also be removed as this option is deprecated.

-Ben

interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.1.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat disable
    rule 1 {
        description NVR2
        forward-to {
            address 192.168.1.40
            port 8000
        }
        original-port 8000
        protocol tcp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
                static-mapping NVRSERVER {
                    ip-address 192.168.1.40
                    mac-address XX:XX:XX:XX:XX:D8
                }
                static-mapping WifiCam {
                    ip-address 192.168.1.161
                    mac-address XX:XX:XX:XX:XX:CD
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
            options 192.168.1.1
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}

I thought rule 30 (IKE) is needed to establish an L2TP connection.

system {
    host-name HomeEDGEMAX
    login {
        user XXXXXX {
            authentication {
                encrypted-password XXXXXXX
                plaintext-password ""
            }
            full-name "XXXXXXX"
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi disable
        export disable
    }
}
vpn {
    ipsec {
        auto-firewall-nat-exclude disable
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username XXXXXX {
                        password XXXXXXXXX
                    }
                }
                mode local
                require mschap-v2
            }
            client-ip-pool {
                start 192.168.1.20
                stop 192.168.1.25
            }
            dns-servers {
                server-1 192.168.1.1
                server-2 8.8.8.8
            }
            idle 1800
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret XXXXXX
                }
                ike-lifetime 3600
                lifetime 3600
            }
            mtu 1492
            outside-address XX.XX.143.187
            outside-nexthop XX.XX.136.1
        }
    }
}

/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.10.9.5166958.190213.1952 */

The rules themselves are needed, but your current state configuration is not allowing any new traffic.

-Ben
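As an added example (not code from this thread or from Ubiquiti), the Python below parses the brace-delimited EdgeOS config format quoted in the posts and audits a WAN_LOCAL ruleset for the problem Ben points out in both of his replies: an accept rule whose state block does not enable new never matches the first IKE or L2TP packet, which then falls through to default-action drop, so the rule is present but useless for inbound VPN setup. The ruleset in SAMPLE_CONFIG is a constructed, abridged sample rather than the poster's config, and the function names and the REQUIRED_SERVICES list are this example's own assumptions.

```python
from copy import deepcopy
# Constructed, abridged WAN_LOCAL ruleset in EdgeOS/Vyatta syntax (not the poster's
# config). Rules 30/40 restrict state without enabling new; rule 60 has no state block.
SAMPLE_CONFIG = """
firewall {
    name WAN_LOCAL {
        default-action drop
        rule 30 {
            action accept
            destination {
                port 500
            }
            protocol udp
            state {
                new disable
                related enable
            }
        }
        rule 40 {
            action accept
            destination {
                port 1701
            }
            protocol udp
            state {
                established enable
                related enable
            }
        }
        rule 60 {
            action accept
            protocol esp
        }
    }
}
"""

# Services an L2TP/IPsec server needs admitted by the WAN-facing local ruleset:
# IKE, L2TP, NAT-T and ESP (ESP has no port). Assumed list for this example.
REQUIRED_SERVICES = [("udp", "500"), ("udp", "1701"), ("udp", "4500"), ("esp", None)]

def parse_config(text: str) -> dict:
    """Parse EdgeOS config text into nested dicts: 'rule 30 {' -> cfg['rule']['30'],
    'action accept' -> cfg['action'] = 'accept', a bare word such as 'disable' -> None."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):   # skip blanks and /* comments */
            continue
        if line == "}":
            stack.pop()
            continue
        if line.endswith("{"):
            tokens = line[:-1].split()
            parent = stack[-1]
            for token in tokens[:-1]:          # e.g. 'rule' in 'rule 30 {'
                parent = parent.setdefault(token, {})
            block = parent.setdefault(tokens[-1], {})
            stack.append(block)
            continue
        key, _, value = line.partition(" ")
        stack[-1][key] = value.strip().strip('"') if value else None
    return root

def admits_new_connections(rule: dict) -> bool:
    """No state block: the rule matches any state. With a state block, only the
    enabled states match, so 'new enable' is required to see a session's first packet."""
    state = rule.get("state")
    return state is None or state.get("new") == "enable"

def audit_vpn_rules(ruleset: dict) -> dict:
    """Classify each required service as 'open', 'blocked-by-state' (accept rule exists
    but its state block excludes new) or 'missing' (no accept rule at all)."""
    result = {}
    for proto, port in REQUIRED_SERVICES:
        matching = [r for r in ruleset.get("rule", {}).values()
                    if r.get("action") == "accept" and r.get("protocol") == proto
                    and (port is None or r.get("destination", {}).get("port") == port)]
        label = f"{proto}/{port or '*'}"
        if not matching:
            result[label] = "missing"
        elif any(admits_new_connections(r) for r in matching):
            result[label] = "open"
        else:
            result[label] = "blocked-by-state"
    return result

def drop_state_blocks(ruleset: dict, rule_numbers) -> dict:
    """Return a copy with the state block removed from the named rules, which is
    the change suggested in the thread for WAN_LOCAL rules 30 through 60."""
    fixed = deepcopy(ruleset)
    for number in rule_numbers:
        fixed["rule"].get(number, {}).pop("state", None)
    return fixed

if __name__ == "__main__":
    wan_local = parse_config(SAMPLE_CONFIG)["firewall"]["name"]["WAN_LOCAL"]
    print("before:", audit_vpn_rules(wan_local), "after:", audit_vpn_rules(drop_state_blocks(wan_local, ["30", "40"])))
```

On the sample, udp/500 and udp/1701 come back as blocked-by-state, udp/4500 as missing (the sample has no NAT-T rule, so the audit also catches an absent rule) and esp/* as open; after drop_state_blocks the two UDP services become open. The same parser can be pointed at a full `show configuration` dump, since it only needs the firewall subtree.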