
L2TP not working

Hi all, I'm new to Ubiquiti equipment. Here is what I have: an EdgeRouter Lite at one office and an EdgeRouter X at another site. I have a site-to-site tunnel working between them nicely. However, I cannot get an L2TP connection to work at all from my Android phone or from Windows 7. Does anybody have any ideas? I've been through tons of tutorials, videos, and knowledge-base articles. Here is my config.

 

ubnt@HAI-Office-ERL# show vpn l2tp
remote-access {
authentication {
local-users {
username username {
password ***********
}
}
mode local
}
client-ip-pool {
start 192.168.10.100
stop 192.168.10.110
}
dns-servers {
server-1 8.8.8.8
server-2 8.8.4.4
}
ipsec-settings {
authentication {
mode pre-shared-secret
pre-shared-secret **********
}
ike-lifetime 3600
}
mtu 1492
outside-address 70.8x.xxx.xxx
outside-nexthop 70.8x.xxx.xxx
}

 

 

ubnt@HAI-Office-ERL# show vpn ipsec
auto-firewall-nat-exclude enable
esp-group FOO0 {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption aes128
hash sha1
}
}
esp-group FOO1 {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption aes128
hash sha1
}
}
ike-group FOO0 {
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 14
encryption aes128
hash sha1
}
}
ike-group FOO1 {
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 14
encryption aes128
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-networks {
allowed-network 0.0.0.0/0 {
}
}
nat-traversal enable
site-to-site {
peer 0.0.0.0 {
authentication {
mode pre-shared-secret
pre-shared-secret ***********
}
connection-type respond
description "From remote site to HAI Office"
ike-group FOO0
ikev2-reauth inherit
local-address 70.8x.xxx.xxx
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
esp-group FOO0
local {
prefix 192.168.10.0/24
}
remote {
prefix 192.168.11.0/24
}
}
}
peer rsxx.dxxxxxxxxxxx.com {
authentication {
mode pre-shared-secret
pre-shared-secret *********
}
connection-type initiate
description "to rsp"
ike-group FOO1
ikev2-reauth inherit
local-address any
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
esp-group FOO1
local {
prefix 192.168.10.0/24
}
remote {
prefix 192.168.11.0/24
}
}
}
}

 

ubnt@HAI-Office-ERL# show firewall
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 30 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action accept
description "Allow L2TP"
destination {
port 500,1701,4500
}
log disable
protocol udp
}
rule 30 {
action accept
description "Allow ESP"
log disable
protocol 50
}
rule 40 {
action accept
description "Allow SSH"
destination {
port 22
}
ipsec {
match-ipsec
}
log disable
protocol tcp_udp
state {
established enable
invalid disable
new enable
related enable
}
}
rule 70 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 80 {
action accept
description "Allow ping"
destination {
group {
address-group ADDRv4_eth0
}
}
log disable
protocol icmp
}
rule 90 {
action accept
description "Allow GUI"
destination {
port 80,443
}
log disable
protocol tcp
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
[edit]

