Hi All,
I need to set up an L2TP VPN, because my iPhone and Mac no longer have built-in PPTP support (Apple removed it).
I am trying to set up the L2TP VPN and am unable to get it to work.
I am unsure what I am missing, or whether it is a network setup issue.
I am also trying to set up a site-to-site IPsec VPN over the internet to another ERL with the same setup as below, apart from Eth2.
My setup is:
Dish to WISP (no access), in DMZ.
ERL: Eth0 (internet), Eth1 (LAN), Eth2 (community WAN).
My config is below.
/* Router answers ICMP echo on all interfaces, but ignores echo sent to broadcast addresses. */
all-ping enable
broadcast-ping disable
/* Address group for the camera subnet (eth1's secondary 10.1.1.0/24 address). Not referenced by any rule in this listing; note eth1 vif 100, also described as Cameras, uses 192.168.100.0/24. */
group {
network-group Cameras {
description Cameras
network 10.1.1.0/24
}
}
/* Host hardening: refuse source-routed packets (v4 and v6), ignore IPv6 redirects, log packets with impossible source addresses. */
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
/* Forwarded traffic arriving on eth2 (community WAN, see interfaces). Default accept means every host on the community network can reach the LAN subnets and anything this router routes; only packets hitting the default action are logged. NOTE(review): unless the community network is fully trusted, use the same established/related accept + default drop pattern as WAN_IN. */
name AS_IN {
default-action accept
description ""
enable-default-log
}
/* Traffic from eth2 addressed to the router itself. Default accept exposes every router service to the community network: SSH (22), the web GUI (80/443, with older-ciphers enabled), the DNS forwarder (listen-on eth2) and the SNMP community public (see service). NOTE(review): a default-drop ruleset like WAN_LOCAL, with explicit accepts for what the community network actually needs, would close this. */
name AS_Local {
default-action accept
description ""
enable-default-log
}
/* Forwarded traffic arriving on eth0 (internet side). Default drop; port-forward auto-firewall inserts its own accepts into this ruleset. */
name WAN_IN {
default-action drop
description "WAN to internal"
/* Return traffic for flows started from inside. */
rule 1 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
/* Intended for the AS1 site-to-site tunnel (vpn ipsec peer 10.121.133.22). With match-ipsec the ruleset presumably sees the decapsulated packets, whose source is a host in the remote prefix 192.168.3.0/24 rather than the peer's outer address 10.121.133.22 — TODO confirm this rule ever matches; matching on the remote tunnel prefix is the usual form. */
rule 2 {
action accept
description IP-Sec
ipsec {
match-ipsec
}
log disable
protocol all
source {
address 10.121.133.22
}
}
/* Same pattern for the internet peer 163.47.71.82 (remote prefix 192.168.4.0/24). The state block only enables related, so new and established packets never match this rule and fall through to the default drop. */
rule 3 {
action accept
description IP-Sec
ipsec {
match-ipsec
}
log disable
protocol all
source {
address 163.47.71.82
}
state {
established disable
invalid disable
new disable
related enable
}
}
/* Explicit invalid-state drop; redundant with default-action drop but keeps the intent visible. */
rule 4 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
/* Traffic from eth0 addressed to the router itself; the VPN servers terminate here. Default drop. */
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
/* PPTP control channel, pairs with rule 40 (GRE) and the pptp remote-access server under vpn. PPTP authentication (MS-CHAPv2/MPPE) is considered broken; retire both rules once all clients have moved to L2TP/IPsec. */
rule 20 {
action accept
description "Allow PPTP Port 1723"
destination {
port 1723
}
log disable
protocol tcp
}
/* Accepts bare L2TP (UDP and TCP 1701) from anywhere. For L2TP over IPsec the L2TP packets arrive inside the tunnel, so this rule can be limited to udp and carry ipsec { match-ipsec }, keeping unauthenticated L2TP off the internet. (The description typo Allot is config text — fix it in the config, not here.) */
rule 30 {
action accept
description "Allot L2TP Port 1701"
destination {
port 1701
}
log disable
protocol tcp_udp
}
rule 40 {
action accept
description "Allow PPTP GRE"
log disable
protocol gre
}
/* Decapsulated IPsec traffic to the router from the AS1 peer. NOTE(review): after decapsulation the source is presumably a host in 192.168.3.0/24, not the peer address 10.121.133.22 — confirm this rule ever matches. */
rule 50 {
action accept
description IP-Sec
ipsec {
match-ipsec
}
log disable
protocol all
source {
address 10.121.133.22
}
}
/* Same for the internet peer; this one only matches established/related, so the first packet of any new flow from the tunnel is dropped. */
rule 60 {
action accept
description IP-Sec
ipsec {
match-ipsec
}
log disable
protocol all
source {
address 163.47.71.82
}
state {
established enable
invalid disable
new disable
related enable
}
}
/* Matches UDP *source* port 500. Most IKE initiators do send from 500, but the conventional rule is destination { port 500 }; see rule 90 for why source-port matching is fragile. */
rule 70 {
action accept
description "Allow IKE-UDP-500"
log disable
protocol udp
source {
port 500
}
}
/* Raw ESP. eth0 sits on 192.168.1.0/24 behind the WISP device (interfaces eth0, system gateway-address), so ESP may not survive that NAT and clients will typically use NAT-T (rule 90) instead. */
rule 80 {
action accept
description "Allow ESP-50"
log disable
protocol esp
}
/* NAT-T matched on *source* port 4500. A phone or laptop behind its own NAT can arrive with a rewritten source port and miss this rule, which would stall the L2TP/IPsec handshake — a likely contributor to the Apple clients failing. Match destination { port 4500 } instead (and destination { port 500 } in rule 70). */
rule 90 {
action accept
description "Allow NAT-T-UDP-4500"
log disable
protocol udp
source {
port 4500
}
}
/* Redundant with default-action drop; harmless. */
rule 100 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
/* Applied in and out on eth1 vif 10. Drops a fixed set of destination prefixes for VLAN10 clients (getflix DNS redirection setup); everything else is accepted. */
name vlan10 {
default-action accept
description getflix
rule 1 {
action drop
description ipblock
destination {
address 8.8.8.8/32
}
log disable
protocol all
}
/* Description says 8.8.4.4 but the address is 8.8.8.8/32, duplicating rule 1 — presumably meant to be 8.8.4.4/32, so 8.8.4.4 is currently not blocked and clients can still reach it. */
rule 2 {
action drop
description 8.8.4.4
destination {
address 8.8.8.8/32
}
log disable
protocol all
}
/* Rules 3-9: blocked destination prefixes, one per rule, description carries the prefix. */
rule 3 {
action drop
description 108.175.32.0
destination {
address 108.175.32.0/20
}
log disable
protocol all
}
rule 4 {
action drop
description 198.38.96.0
destination {
address 198.38.96.0/19
}
log disable
protocol all
}
rule 5 {
action drop
description 198.45.48.0
destination {
address 198.45.48.0/20
}
log disable
protocol all
}
rule 6 {
action drop
description 185.2.220.0
destination {
address 185.2.220.0/22
}
log disable
protocol all
}
rule 7 {
action drop
description 23.246.0.0
destination {
address 23.246.0.0/18
}
log disable
protocol all
}
rule 8 {
action drop
description 37.77.184.0
destination {
address 37.77.184.0/21
}
log disable
protocol all
}
rule 9 {
action drop
description 45.57.0.0
destination {
address 45.57.0.0/17
}
log disable
protocol all
}
}
/* ICMP redirects are sent but not accepted; source-validation (reverse-path check) is off. With two WAN-side interfaces (eth0, eth2) asymmetric paths may make strict RPF impractical — TODO confirm this is intentional rather than a default. SYN cookies on. */
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
/* Physical layout: eth0 = internet (behind the WISP device), eth1 = LAN with VLANs, eth2 = community WAN. */
interfaces {
/* eth0 carries a private address; the upstream gateway is 192.168.1.20 (system gateway-address). Inbound VPN and port-forward traffic therefore depends on the WISP device passing it through (the post says DMZ), and IPsec from the internet is always NATed on this hop — NAT-T is required for the L2TP clients. */
ethernet eth0 {
address 192.168.1.197/24
description Nuskope
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
/* LAN, no firewall attached. Two addresses: the main 192.168.0.0/24 and 10.1.1.0/24 (the Cameras network-group). */
ethernet eth1 {
address 192.168.0.1/24
address 10.1.1.1/24
description Local
duplex auto
speed auto
/* Only VLAN with filtering: vlan10 ruleset in both directions. */
vif 10 {
address 192.168.10.1/24
description VLAN10
firewall {
in {
name vlan10
}
out {
name vlan10
}
}
mtu 1500
}
vif 50 {
address 192.168.50.1/24
description Servers
mtu 1500
}
vif 51 {
address 192.168.51.1/24
description Getflix_DNS
mtu 1500
}
/* Described as Cameras but on a different prefix than the Cameras network-group (10.1.1.0/24 on eth1). */
vif 100 {
address 192.168.100.1/24
description Cameras
mtu 1500
}
}
/* Community WAN. AS_IN and AS_Local are default-accept, so this interface is effectively unfiltered in both directions; 192.168.2.0/24 is a secondary address. The AS1 IPsec peer is sourced from 10.121.133.20. */
ethernet eth2 {
address 10.121.133.20/27
address 192.168.2.1/24
description Air-Stream
duplex auto
firewall {
in {
name AS_IN
}
local {
name AS_Local
}
}
speed auto
}
loopback lo {
}
}
/* Inbound DNAT from eth0 with automatically generated WAN_IN accepts (auto-firewall). Everything below is reachable from the internet through the DMZ'd WISP device; host names come from system static-host-mapping and the dhcp static-mappings. */
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface eth1
/* IAX2 trunking to the PBX (192.168.0.11, sip.domain.com.au). */
rule 1 {
description IAX2
forward-to {
address 192.168.0.11
port 4569
}
original-port 4569
protocol udp
}
rule 2 {
description PLEX
forward-to {
address 192.168.0.13
port 32400
}
original-port 32400
protocol tcp_udp
}
/* 443 to 192.168.0.10, which static-host-mapping names esxi.domain.com.au: this publishes the ESXi management interface to the internet, and rule 11 (902-903) adds the VMware console/agent ports on the same host. Highest-risk entry in this list — reach the hypervisor over the VPN instead and remove both rules. */
rule 3 {
description "webserver https"
forward-to {
address 192.168.0.10
port 443
}
original-port 443
protocol tcp_udp
}
rule 4 {
description speedtest
forward-to {
address 192.168.0.13
port 8888
}
original-port 8888
protocol tcp_udp
}
/* 8443 to 192.168.0.9 (unifi.domain.com.au) is the UniFi controller admin UI, internet-exposed; rule 6 (8081 outside -> 8080 inside) is its inform port. Admin UI access belongs behind the VPN. */
rule 5 {
description unifi
forward-to {
address 192.168.0.9
port 8443
}
original-port 8443
protocol tcp_udp
}
rule 6 {
description unifi
forward-to {
address 192.168.0.9
port 8080
}
original-port 8081
protocol tcp_udp
}
/* 80 to the LAMP host (192.168.0.18, dhcp static-mapping). The router GUI also listens on http-port 80; DNAT on eth0 presumably takes precedence so the GUI is not reachable from eth0 — TODO confirm. */
rule 7 {
description "webserver http"
forward-to {
address 192.168.0.18
port 80
}
original-port 80
protocol tcp_udp
}
/* Rules 8-10: RTP and SIP ranges to the PBX. SIP 5060-5061 open to the internet attracts constant registration scanning; make sure the PBX enforces strong registration credentials and rate-limits failed attempts. */
rule 8 {
description VOIP
forward-to {
address 192.168.0.11
port 5004-5082
}
original-port 5004-5082
protocol tcp_udp
}
rule 9 {
description voip
forward-to {
address 192.168.0.11
port 10000-20000
}
original-port 10000-20000
protocol tcp_udp
}
rule 10 {
description voip
forward-to {
address 192.168.0.11
port 5060-5061
}
original-port 5060-5061
protocol tcp_udp
}
/* See rule 3: VMware ports on the ESXi host. */
rule 11 {
description VMW
forward-to {
address 192.168.0.10
port 902-903
}
original-port 902-903
protocol tcp_udp
}
/* 81 outside -> 80 inside on 192.168.0.13; service nat rule 2 defines the same translation again with inbound-interface eth+. */
rule 12 {
description speedtest
forward-to {
address 192.168.0.13
port 80
}
original-port 81
protocol tcp_udp
}
/* Rules 13-17: game servers on 192.168.0.21 and 192.168.0.22 (ARK_Server static-mapping). */
rule 13 {
description "Minecraft Server"
forward-to {
address 192.168.0.21
port 25565
}
original-port 25565
protocol tcp_udp
}
rule 14 {
description Ark_server
forward-to {
address 192.168.0.22
port 7777
}
original-port 7777
protocol tcp_udp
}
rule 15 {
description Ark_server
forward-to {
address 192.168.0.22
port 27015
}
original-port 27015
protocol tcp_udp
}
rule 16 {
description Ark_server
forward-to {
address 192.168.0.22
port 7778
}
original-port 7778
protocol tcp_udp
}
rule 17 {
description Crea_Server
forward-to {
address 192.168.0.22
port 5555
}
original-port 5555
protocol tcp_udp
}
wan-interface eth0
}
/* Static routing only. */
protocols {
static {
/* 192.168.0.0/24 is directly connected on eth1, so this interface-route via eth0 is shadowed while eth1 is up; if eth1 went down it would send LAN-destined traffic out the internet interface. Presumably a leftover — review and remove. */
interface-route 192.168.0.0/24 {
next-hop-interface eth0 {
distance 1
}
}
/* Community network via eth2's gateway; covers name-server 10.96.0.10 and the pptp dns-server. The connected 10.1.1.0/24 on eth1 is more specific and still wins for the camera subnet. */
route 10.0.0.0/8 {
next-hop 10.121.133.1 {
distance 1
}
}
}
}
/* Router services: DHCP, DNS forwarding, web GUI, NAT, SNMP, SSH. Everything that listens here is reachable unfiltered from eth2 because AS_Local is default-accept. */
service {
dhcp-server {
disabled false
hostfile-update enable
/* VLAN 51: clients get external resolvers only. */
shared-network-name Getflix {
authoritative disable
subnet 192.168.51.0/24 {
default-router 192.168.51.1
dns-server 168.1.79.229
dns-server 54.252.183.4
lease 86400
start 192.168.51.2 {
stop 192.168.51.200
}
unifi-controller 192.168.0.9
}
}
/* Main LAN pool .40-.200. The pptp client-ip-pool (vpn) starts at .200, so that address can be handed out twice; the l2tp pool .240-.250 is clear of this range. */
shared-network-name LAN1 {
authoritative disable
subnet 192.168.0.0/24 {
default-router 192.168.0.1
dns-server 192.168.0.1
dns-server 119.40.106.35
domain-name home.network
lease 86400
start 192.168.0.40 {
stop 192.168.0.200
}
static-mapping ARK_Server {
ip-address 192.168.0.22
mac-address 00:0c:29:96:24:75
}
static-mapping LAMP {
ip-address 192.168.0.18
mac-address 00:0c:29:3b:53:99
}
static-mapping win7 {
ip-address 192.168.0.12
mac-address 00:0c:29:d5:da:39
}
tftp-server-name 192.168.0.12
unifi-controller 192.168.0.9
}
}
shared-network-name Servers {
authoritative disable
subnet 192.168.50.0/24 {
default-router 192.168.50.1
dns-server 192.168.0.24
dns-server 192.168.0.1
lease 86400
start 192.168.50.100 {
stop 192.168.50.200
}
unifi-controller 192.168.0.9
}
}
/* VLAN10 clients get external resolvers; the vlan10 firewall blocks 8.8.8.8 so they cannot switch to Google DNS, but 8.8.4.4 is not actually blocked (its rule carries 8.8.8.8/32). */
shared-network-name Vlan10 {
authoritative disable
subnet 192.168.10.0/24 {
default-router 192.168.10.1
dns-server 168.1.79.229
dns-server 202.59.96.140
domain-name home.network
lease 86400
start 192.168.10.10 {
stop 192.168.10.199
}
}
}
use-dnsmasq disable
}
/* Forwarder also listens on eth0. WAN_LOCAL has no accept for port 53, so internet queries are dropped, but AS_Local (eth2) is default-accept — this is an open resolver toward the community network. Drop listen-on eth0 and filter eth2. */
dns {
forwarding {
cache-size 1000
listen-on eth1
listen-on eth2
listen-on eth0
}
}
/* Management UI on 80/443 with legacy TLS ciphers enabled; reachable from the LAN and from eth2. Disable older-ciphers unless a specific old client needs it. */
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
/* Rules 2-3: DNAT 81->80 and 82->5000 to 192.168.0.13 (the plex/xpenology host) matched on inbound-interface eth+, i.e. every ethernet interface including the LAN and eth2. These are not covered by port-forward auto-firewall, so on eth0 they need their own WAN_IN accept to work — TODO confirm which interfaces are intended. Rule 2 carries an empty source block. */
rule 2 {
destination {
port 81
}
inbound-interface eth+
inside-address {
address 192.168.0.13
port 80
}
log disable
protocol tcp_udp
source {
}
type destination
}
rule 3 {
destination {
port 82
}
inbound-interface eth+
inside-address {
address 192.168.0.13
port 5000
}
log disable
protocol tcp_udp
type destination
}
/* Outbound masquerade on both WAN-side interfaces. */
rule 5010 {
outbound-interface eth0
type masquerade
}
rule 5011 {
description "air-stream NAT"
log disable
outbound-interface eth2
protocol all
type masquerade
}
}
/* Read-only SNMP with the default community string public and no client or network restriction; with AS_Local default-accept the router's interface and routing tables are readable from the community WAN. Change the community, restrict who may query, or remove snmp if nothing polls it. */
snmp {
community public {
authorization ro
}
}
/* SSH on 22, protocol v2 only; reachable from the LAN and from eth2 (AS_Local), not from eth0 (WAN_LOCAL has no rule for it). */
ssh {
port 22
protocol-version v2
}
}
/* Host settings, admin account, resolvers, NTP, local host names, logging. */
system {
domain-name home.network
/* Default route via the WISP device on 192.168.1.0/24 — the NAT hop in front of this router. */
gateway-address 192.168.1.20
host-name ubnt
/* Default admin account name. The encrypted-password hash below was posted publicly along with this config; treat the credential as exposed: change the password (and preferably the username), and scrub hashes before sharing configs. plaintext-password is empty as expected once the password has been hashed. */
login {
user ubnt {
authentication {
encrypted-password $6$NhKix.5QZjPDQsCK$N5jQCiuCf58N2KLAmCy5ygOzckKj4GTngov9muL5EKY7vMbEpAUEmfSaaHZIwS1wRq89fKLZMrMCihYneeycV0
plaintext-password ""
}
full-name ""
level admin
}
}
/* Router's own resolvers: the local forwarder, then 10.96.0.10 on the community network (reached via the 10.0.0.0/8 static route). */
name-server 192.168.0.1
name-server 10.96.0.10
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
/* Internal names for the hosts that port-forward publishes: esxi .10, unifi .9, plex/xpenology .13, sip .11. alias is meant to hold an alternative host name; the URL-like values here (/ui, :32400/web/index.html, ...) look like pasted paths — presumably harmless, but not what alias is for. */
static-host-mapping {
host-name esxi30.domain.com.au {
alias /ui
inet 192.168.0.30
}
host-name esxi.domain.com.au {
alias /ui
inet 192.168.0.10
}
host-name plex.domain.com.au {
alias :32400/web/index.html
inet 192.168.0.13
}
host-name sip.domain.com.au {
inet 192.168.0.11
}
host-name synology.domain.com.au {
alias :5000/webman/index.cgi
inet 192.168.0.6
}
host-name unifi.domain.com.au {
alias :8443
inet 192.168.0.9
}
host-name xpenology.domain.com.au {
alias :5000/webman/index.cgi
inet 192.168.0.13
}
}
/* protocols facility at debug: useful while the VPNs are being troubleshot, noisy otherwise. */
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
traffic-analysis {
custom-category VOD {
name Netflix
name Youtube
}
custom-category cameras {
name RTSP
}
dpi enable
export enable
}
}
/* Two IKEv1/PSK site-to-site peers, L2TP/IPsec remote access for the Apple clients, and a legacy PPTP server. */
vpn {
ipsec {
/* NAT exclusions for tunnel traffic are generated automatically. */
auto-firewall-nat-exclude enable
/* ESP and IKE proposals on both groups use AES-256 with SHA-1 integrity. SHA-1 is deprecated for this use; if the remote ERLs support it, move both ends to sha256. FOO0 uses DH group 16, FOO1 group 14 — each must match its peer exactly. */
esp-group FOO0 {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption aes256
hash sha1
}
}
esp-group FOO1 {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group FOO0 {
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 16
encryption aes256
hash sha1
}
}
ike-group FOO1 {
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 14
encryption aes256
hash sha1
}
}
site-to-site {
/* AS1 over the community WAN, sourced from eth2's address. The pre-shared secret is shown as the literal word password — presumably redacted before posting; if it is the real value, replace it with a long random secret on both ends. */
peer 10.121.133.22 {
authentication {
mode pre-shared-secret
pre-shared-secret password
}
connection-type initiate
description AS1
ike-group FOO0
ikev2-reauth inherit
local-address 10.121.133.20
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
esp-group FOO0
local {
prefix 192.168.0.0/24
}
remote {
prefix 192.168.3.0/24
}
}
}
/* Internet peer. local-address 0.0.0.0 lets the daemon pick; eth0 is 192.168.1.197 behind the WISP NAT, so the remote side sees the WISP public address and this tunnel presumably needs NAT-T to come up — TODO confirm the remote ERL is configured for that and for the mirrored prefixes. Same PSK caveat as above. */
peer 163.47.71.82 {
authentication {
mode pre-shared-secret
pre-shared-secret password
}
connection-type initiate
description mums
ike-group FOO1
ikev2-reauth inherit
local-address 0.0.0.0
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
esp-group FOO1
local {
prefix 192.168.0.0/24
}
remote {
prefix 192.168.4.0/24
}
}
}
}
}
/* L2TP/IPsec remote access for the iPhone/Mac clients. */
l2tp {
remote-access {
/* Single local user; password shown as password (redacted?). */
authentication {
local-users {
username user1 {
password password
}
}
mode local
}
/* Pool carved out of the LAN subnet, above the LAN1 DHCP range (.40-.200). */
client-ip-pool {
start 192.168.0.240
stop 192.168.0.250
}
dns-servers {
server-1 192.168.0.1
server-2 8.8.8.8
}
/* One PSK shared by every L2TP client; same redaction caveat as the site-to-site peers. */
ipsec-settings {
authentication {
mode pre-shared-secret
pre-shared-secret password
}
ike-lifetime 3600
}
/* NOTE(review): wanip is not an IP address; as far as I know this node expects the WAN address, or 0.0.0.0 when it is dynamic or behind NAT — confirm this line committed as written. With eth0 on a private address behind the WISP device, 0.0.0.0 is presumably the value wanted, and the clients will arrive over NAT-T (WAN_LOCAL rule 90, which currently matches on source port). */
outside-address wanip
outside-nexthop 192.168.1.20
}
}
/* Legacy PPTP server. Its pool .200-.210 overlaps the LAN1 DHCP stop address .200. PPTP authentication (MS-CHAPv2) is broken; remove this block and WAN_LOCAL rules 20/40 once every client is on L2TP/IPsec. */
pptp {
remote-access {
authentication {
local-users {
username user1 {
password password
}
username user2 {
password password
}
}
mode local
}
client-ip-pool {
start 192.168.0.200
stop 192.168.0.210
}
dns-servers {
server-1 10.96.0.10
server-2 192.168.1.20
}
mtu 1492
}
}
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.0.4901118.160804.1131 */