Edgerouter Configure Remote Access VPN

Assumptions:

  • Local network is eth1-eth4, using DHCP on 10.0.1.0/24 (the router is 10.0.1.1)
  • WAN/Internet connectivity is on eth0, which gets its address by DHCP
  • Remote VPN clients are given addresses from 10.10.10.100-10.10.10.150, a range separate from the LAN

Commands:
Enter config mode using:

#> configure

Type these commands to configure the L2TP/IPsec VPN. Replace your-remote-user, your-unique-password-here and your-pre-shared-key-here with your own values: the pre-shared key is shared by every client and is what authenticates the IKE exchange, so use a long random string, not a word. The dhcp-interface eth0 line is correct only because the WAN address comes from DHCP; with a static WAN address, use outside-address followed by that IP instead.

set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-networks allowed-network 10.0.0.0/8
set vpn ipsec nat-traversal enable
set vpn l2tp remote-access authentication local-users username your-remote-user password your-unique-password-here
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access client-ip-pool start 10.10.10.100
set vpn l2tp remote-access client-ip-pool stop 10.10.10.150
set vpn l2tp remote-access dhcp-interface eth0
set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 10.0.1.1
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret your-pre-shared-key-here
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access mtu 1420
set vpn ipsec auto-firewall-nat-exclude enable

Type these commands to configure the firewall to allow VPN connections. WAN_LOCAL is the rule set applied to traffic from eth0 that is addressed to the router itself, which is where IKE, ESP and L2TP arrive. The L2TP rule carries ipsec match-ipsec so that only L2TP packets that arrived inside the IPsec tunnel are accepted; without it, plain unencrypted L2TP on UDP 1701 would be reachable from the Internet.

set firewall name WAN_LOCAL rule 3 action accept
set firewall name WAN_LOCAL rule 3 description "Allow NAT-T"
set firewall name WAN_LOCAL rule 3 destination port 4500
set firewall name WAN_LOCAL rule 3 log enable
set firewall name WAN_LOCAL rule 3 protocol udp
set firewall name WAN_LOCAL rule 4 action accept
set firewall name WAN_LOCAL rule 4 description "Allow ESP"
set firewall name WAN_LOCAL rule 4 log enable
set firewall name WAN_LOCAL rule 4 protocol 50
set firewall name WAN_LOCAL rule 5 action accept
set firewall name WAN_LOCAL rule 5 description "Allow L2TP"
set firewall name WAN_LOCAL rule 5 destination port 1701
set firewall name WAN_LOCAL rule 5 ipsec match-ipsec
set firewall name WAN_LOCAL rule 5 log enable
set firewall name WAN_LOCAL rule 5 protocol udp
set firewall name WAN_LOCAL rule 6 action accept
set firewall name WAN_LOCAL rule 6 description "Allow IKE"
set firewall name WAN_LOCAL rule 6 destination port 500
set firewall name WAN_LOCAL rule 6 log enable
set firewall name WAN_LOCAL rule 6 protocol udp
set firewall name WAN_LOCAL rule 7 action accept
set firewall name WAN_LOCAL rule 7 description "Allow Established"
set firewall name WAN_LOCAL rule 7 log disable
set firewall name WAN_LOCAL rule 7 protocol all
set firewall name WAN_LOCAL rule 7 state established enable
set firewall name WAN_LOCAL rule 7 state related enable

Now, commit and save:

commit
save
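The whole procedure above can be produced as a paste-ready script with freshly generated secrets instead of the placeholder values. The script below is an added example, not part of the original post or of EdgeOS itself; it assumes an admin workstation with coreutils, that the generated output is pasted into configure on the EdgeRouter, and it defaults to the interface, pool and DNS values this page assumes. The functions gen_secret, check_secret, fw_rule and render_vpn_config are names chosen here for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): generate the EdgeOS "set"
# commands above with random secrets instead of the placeholder strings.
# Assumed: bash or sh with head, base64 and tr available; /dev/urandom exists.

# Random secret of $1 characters drawn from [A-Za-z0-9], sourced from /dev/urandom.
# 96 raw bytes become 128 base64 characters, of which roughly 120 survive the
# filter, so any length up to 64 is always satisfied.
gen_secret() {
  local len="${1:-32}"
  head -c 96 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c "$len"
}

# Reject the page's placeholders and anything too short to resist offline
# guessing: the PSK is the only thing authenticating IKE for every client.
check_secret() {
  local s="$1"
  case "$s" in
    *your-*|*password*|*secret*|*changeme*) return 1 ;;
  esac
  [ "${#s}" -ge 20 ]
}

# Emit one WAN_LOCAL accept rule: number, description, protocol, optional
# destination port, optional extra "set ... rule N <extra>" clause.
fw_rule() {
  local n="$1" desc="$2" proto="$3" port="${4:-}" extra="${5:-}"
  echo "set firewall name WAN_LOCAL rule $n action accept"
  echo "set firewall name WAN_LOCAL rule $n description \"$desc\""
  echo "set firewall name WAN_LOCAL rule $n protocol $proto"
  echo "set firewall name WAN_LOCAL rule $n log enable"
  [ -n "$port" ]  && echo "set firewall name WAN_LOCAL rule $n destination port $port"
  [ -n "$extra" ] && echo "set firewall name WAN_LOCAL rule $n $extra"
  return 0
}

# Print the full command list for one remote-access user.
# Arguments: username password psk [wan_if] [pool_start] [pool_stop] [lan_dns]
render_vpn_config() {
  local user="$1" pass="$2" psk="$3"
  local wan="${4:-eth0}" start="${5:-10.10.10.100}" stop="${6:-10.10.10.150}"
  local dns="${7:-10.0.1.1}"
  check_secret "$pass" || { echo "refusing weak user password" >&2; return 1; }
  check_secret "$psk"  || { echo "refusing weak pre-shared key" >&2; return 1; }
  cat <<EOF
set vpn ipsec ipsec-interfaces interface $wan
set vpn ipsec nat-networks allowed-network 10.0.0.0/8
set vpn ipsec nat-traversal enable
set vpn l2tp remote-access authentication local-users username $user password $pass
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access client-ip-pool start $start
set vpn l2tp remote-access client-ip-pool stop $stop
set vpn l2tp remote-access dhcp-interface $wan
set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 $dns
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret $psk
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access mtu 1420
set vpn ipsec auto-firewall-nat-exclude enable
EOF
  fw_rule 3 "Allow NAT-T" udp 4500
  fw_rule 4 "Allow ESP" 50
  # Only L2TP that arrived inside the IPsec tunnel; bare UDP/1701 stays blocked.
  fw_rule 5 "Allow L2TP" udp 1701 "ipsec match-ipsec"
  fw_rule 6 "Allow IKE" udp 500
  echo 'set firewall name WAN_LOCAL rule 7 action accept'
  echo 'set firewall name WAN_LOCAL rule 7 description "Allow Established"'
  echo 'set firewall name WAN_LOCAL rule 7 log disable'
  echo 'set firewall name WAN_LOCAL rule 7 protocol all'
  echo 'set firewall name WAN_LOCAL rule 7 state established enable'
  echo 'set firewall name WAN_LOCAL rule 7 state related enable'
  echo 'commit'
  echo 'save'
}

# Stand-alone use: ./edgerouter-l2tp.sh alice > alice.cfg
if [ "${1:-}" != "" ]; then
  render_vpn_config "$1" "$(gen_secret 24)" "$(gen_secret 40)"
fi
```

Keep the generated output somewhere safe, since it contains both secrets, and hand the pre-shared key and password to the user over a separate channel. After pasting the commands and committing, show vpn remote-access lists connected L2TP users and show vpn ipsec sa shows the IPsec security associations for each client, which is the quickest way to confirm a test connection actually negotiated IKE and ESP rather than falling through to plain L2TP.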
