Hi all,
I recently upgraded a number of OS X and iOS 9 devices on my network to macOS and iOS 10, which removed the support for PPTP. This was fine as I'd intended to move away from PPTP shortly anyway.
Unfortunately I haven't been able to get L2TP over IPSec to connect from any device since I configured the new service. I've confirmed that BTMM is disabled on all devices.
Here's the test config (on 1.6.0 firmware) I've deployed by following the tutorial at https://help.ubnt.com/hc/en-us/articles/204950294-EdgeMAX-L2TP-Server:
andrew@core# show vpn l2tp remote-access
 authentication {
     local-users {
         username andrew {
             password nope
         }
     }
     mode local
 }
 client-ip-pool {
     start 192.168.0.101
     stop 192.168.0.110
 }
 dns-servers {
     server-1 192.231.203.132
     server-2 192.231.203.3
 }
 ipsec-settings {
     authentication {
         mode pre-shared-secret
         pre-shared-secret doublenope
     }
     ike-lifetime 3600
 }
The ports for IKE, L2TP, NAT-T and the ESP protocol are allowed through the firewall:
andrew@core# show firewall
 all-ping enable
 broadcast-ping disable
 ipv6-receive-redirects disable
 ipv6-src-route disable
 ip-src-route disable
 log-martians enable
 name WAN_IN {
     default-action drop
     description ""
     rule 1 {
         action accept
         log disable
         protocol all
         state {
             established enable
             invalid disable
             new disable
             related enable
         }
     }
     rule 3 {
         action drop
         log disable
         protocol all
         state {
             established disable
             invalid enable
             new disable
             related disable
         }
     }
 }
 name WAN_LOCAL {
     default-action drop
     description ""
     rule 1 {
         action accept
         log disable
         protocol all
         state {
             established enable
             invalid disable
             new disable
             related enable
         }
     }
     rule 2 {
         action accept
         description "VPN GRE"
         destination {
             port 47
         }
         log disable
         protocol tcp
     }
     rule 3 {
         action accept
         description PPTP
         destination {
             port 1723
         }
         log disable
         protocol tcp
     }
     rule 4 {
         action accept
         description ESP
         log disable
         protocol esp
     }
     rule 5 {
         action accept
         description L2TP
         destination {
             port 1701,4500
         }
         log disable
         protocol udp
     }
     rule 6 {
         action accept
         description "IKE IPSec"
         destination {
             port 500
         }
         log enable
         protocol udp
     }
     rule 7 {
         action accept
         destination {
             address 192.168.0.0/24
         }
         ipsec {
             match-ipsec
         }
         log disable
         protocol all
         source {
             address 192.168.1.0/24
         }
     }
     rule 8 {
         action accept
         log disable
         protocol 50
     }
     rule 9 {
         action drop
         log disable
         protocol all
         state {
             established disable
             invalid enable
             new disable
             related disable
         }
     }
 }
 options {
     mss-clamp {
         interface-type pppoe
         interface-type pptp
         interface-type tun
         mss 1412
     }
 }
 receive-redirects disable
 send-redirects enable
 source-validation disable
 syn-cookies enable
Are there any obvious snafus in my config that are leaping out at anyone? Really struggling with this one...
P.S. I have a working IPSec Site-to-Site tunnel operating between two sites. Could this be causing an issue?
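The post's firewall dump is hard to audit by eye, so here is an added example (not code from the post or from Ubiquiti) that parses EdgeOS `show` output into nested dicts and then walks the WAN_LOCAL chain in rule order to see which rule a fresh inbound packet of each L2TP/IPsec flow would hit first. The flow list is an assumption of mine about what the router itself has to accept from remote clients: IKE on UDP/500, NAT-T on UDP/4500, the ESP protocol, and L2TP on UDP/1701. The function names (`parse_edgeos`, `check_wan_local`) are hypothetical. The parser works on the flattened paste exactly as it appears in the post as well as on the normal multi-line form, with one limitation noted in the code: a valueless leaf such as `match-ipsec` is only recognised when it is the last statement in its block, which is true of this paste.

```python
import shlex

# Sample input: the WAN_LOCAL ruleset exactly as pasted in the post (the flattened
# `show firewall` output). Newlines inside this string are irrelevant to the parser.
WAN_LOCAL = """
name WAN_LOCAL { default-action drop description "" rule 1 { action accept log disable
protocol all state { established enable invalid disable new disable related enable } }
rule 2 { action accept description "VPN GRE" destination { port 47 } log disable protocol tcp }
rule 3 { action accept description PPTP destination { port 1723 } log disable protocol tcp }
rule 4 { action accept description ESP log disable protocol esp }
rule 5 { action accept description L2TP destination { port 1701,4500 } log disable protocol udp }
rule 6 { action accept description "IKE IPSec" destination { port 500 } log enable protocol udp }
rule 7 { action accept destination { address 192.168.0.0/24 } ipsec { match-ipsec } log disable
protocol all source { address 192.168.1.0/24 } }
rule 8 { action accept log disable protocol 50 }
rule 9 { action drop log disable protocol all state { established disable invalid enable
new disable related disable } } }
"""

# Flows the router must accept from remote clients (assumption: IKEv1 + NAT-T + ESP + L2TP).
REQUIRED_FLOWS = [("IKE", "udp", 500), ("NAT-T", "udp", 4500), ("ESP", "esp", None), ("L2TP", "udp", 1701)]


def parse_edgeos(text):
    """Parse EdgeOS config text into nested dicts.

    Blocks (`key {` or `key value {`) become dicts keyed by their header; leaves
    (`key value`) become lists of values so repeated keys survive. Because the
    paste has no line breaks, a valueless leaf is only detected when it is
    immediately followed by the closing brace of its block (e.g. match-ipsec).
    """
    tokens = shlex.split(text)  # honours "VPN GRE" and "" quoting
    pos = 0

    def block():
        nonlocal pos
        node = {}
        while pos < len(tokens) and tokens[pos] != "}":
            key = tokens[pos]
            nxt = tokens[pos + 1] if pos + 1 < len(tokens) else "}"
            if nxt == "{":                                            # key {
                pos += 2
                node[key] = block()
                pos += 1                                              # consume }
            elif nxt != "}" and pos + 2 < len(tokens) and tokens[pos + 2] == "{":
                pos += 3                                              # key value {
                node[key + " " + nxt] = block()
                pos += 1
            elif nxt == "}":                                          # bare flag at end of block
                node.setdefault(key, []).append("")
                pos += 1
            else:                                                     # key value
                node.setdefault(key, []).append(nxt)
                pos += 2
        return node

    return block()


def port_matches(spec, port):
    """spec is an EdgeOS port list such as '500', '1701,4500' or '1024-65535'."""
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        if (int(lo) <= port <= int(hi)) if hi else (int(lo) == port):
            return True
    return False


def rule_can_match(rule, proto, port):
    """Could a fresh inbound packet of this flow hit this rule?

    Conservative: rules that cannot be evaluated from the config alone
    (address-scoped, match-ipsec) are skipped, so a miss errs toward reporting a block.
    """
    rproto = rule.get("protocol", ["all"])[0]
    proto_ok = (rproto in ("all", proto) or (rproto == "50" and proto == "esp")
                or (rproto == "tcp_udp" and proto in ("tcp", "udp")))
    if not proto_ok:
        return False
    state = rule.get("state", {})
    if state and state.get("new", ["disable"])[0] != "enable":
        return False  # rule only sees established/related/invalid packets, never a new flow
    if "ipsec" in rule:
        return False  # match-ipsec rules see decrypted payload, not the outer IKE/ESP packets
    if any("address" in rule.get(side, {}) for side in ("source", "destination")):
        return False  # client and WAN addresses are not in the config, so do not guess
    ports = rule.get("destination", {}).get("port")
    if ports:
        return port is not None and port_matches(ports[0], port)
    return True


def check_wan_local(ruleset):
    """Return {flow name: verdict}; the first rule that can match decides, else default-action."""
    rules = sorted((int(k.split()[1]), v) for k, v in ruleset.items() if k.startswith("rule "))
    verdicts = {}
    for name, proto, port in REQUIRED_FLOWS:
        verdict = "default-action " + ruleset.get("default-action", ["drop"])[0]
        for num, rule in rules:
            if rule_can_match(rule, proto, port):
                verdict = f"{rule['action'][0]} (rule {num})"
                break
        verdicts[name] = verdict
    return verdicts


if __name__ == "__main__":
    chain = parse_edgeos(WAN_LOCAL)["name WAN_LOCAL"]
    for flow, verdict in check_wan_local(chain).items():
        print(f"{flow:6} -> {verdict}")
```

Run against the post's ruleset, every required flow lands on an explicit accept (rules 4, 5 and 6), so the WAN_LOCAL chain itself is not what is stopping the clients; removing 4500 from rule 5 makes the NAT-T flow fall through to the chain's default drop, which is the kind of gap this check is for. Rule 7 is skipped on purpose: `match-ipsec` only applies to traffic after IPsec decapsulation, so it cannot admit the outer IKE or ESP packets. As an aside on rule 2, GRE is IP protocol 47 rather than TCP port 47, so that rule would not have passed PPTP's data channel; it is moot once PPTP is retired.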