OpenWrt L2TP PSK VPN to Ubiquiti USG

So, first time on this forum; I hope I don't break some kind of rule by asking the question directly.
This is my scenario: in the main offices we have as a gateway/firewall a Ubiquiti USG-4PRO device configured with 2 VPN interfaces.
The first one is an OpenVPN site-to-site interface with another Ubiquiti USG-3P device at a remote office.
The second is an L2TP interface for users from outside to connect to the internal network.
Because of this configuration, I do not want to enter custom configurations in the USG beyond the configurations made through its UI, because I don't want to break any of the services and provoke a commit error on the USG that ends in a complete config wipe and restart of the device.
I investigated over SSH all types of configuration regarding the OpenVPN or L2TP interfaces within the USG to find its configuration methods.
For OpenVPN I couldn't find any config file; besides, I think the service could be started without one, because it can be started with all the parameters on the command that starts the service itself (it is difficult, but it can be done).
So next I proceeded with the config files for the L2TP PSK VPN and I was able to find them. Because Ubiquiti uses strongSwan for the L2TP service, it makes OpenWrt the number one candidate, because it is also able to do so.
So far, this is what has been obtained from those files; these are the lines they use:

ipsec.conf:
conn $default
        keyexchange=ikev1
conn remote-access
        authby=secret
        type=transport
        keyexchange=ikev1
        left=<VPN SERVER IP>
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701
        auto=add
        ike=aes128-sha1-modp2048,aes256-sha1-modp4096,aes128-sha1-modp1536,aes256-sha1-modp2048,aes128-sha1-modp1024,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1,3des-sha1-modp1024,3des-sha1!
        dpddelay=15
        dpdtimeout=45
        dpdaction=clear
        esp=aes128-sha1-modp2048,aes256-sha1-modp4096,aes128-sha1-modp1536,aes256-sha1-modp2048,aes128-sha1-modp1024,aes256-sha1-modp1536,aes256-sha1-modp1024,aes128-sha1,aes256-sha1,3des-sha1!
        rekey=no
        ikelifetime=3600
        keylife=3600

ipsec.secrets:
<VPN SERVER IP> %any : PSK "<PreShared Key>"

xl2tpd.conf:
[global]
listen-addr = <VPN SERVER IP>
[lns default]
ip range = <VPN IP POOL SET>
local ip = <LOCAL LAN BROADCAST IP>
refuse pap = yes
require authentication = yes
name = (for security reasons I hide this)
ppp debug = yes
pppoptfile = ../options.xl2tpd
length bit = yes

options.xl2tpd:
name (for security reasons I hide this)
linkname (for security reasons I hide this)
ipcp-accept-local
ipcp-accept-remote
ms-dns <VPN SET DNS IP 1 SERVER>
ms-dns <VPN SET DNS IP 2 SERVER>
ms-wins <VPN SET WINS IP SERVER>
auth
nodefaultroute
debug
proxyarp
connect-delay 5000
require-mschap-v2
idle 1800
plugin radius.so
radius-config-file .../radiusclient-l2tp.conf
plugin radar.so

After this, I've created this config on the OpenWrt device:

opkg update
opkg install strongswan-default xl2tpd

ipsec.conf:
config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        charondebug=all
conn %default
        ikelifetime=3600
        keylife=3600
        keyexchange=ikev1
conn <NAME OF VPN>
        authby=secret
        ike=aes256-sha1-modp1024
        esp=aes256-sha1-modp1024
        auto=add
        dpddelay=15
        dpdtimeout=45
        dpdaction=clear
        ikelifetime=3600
        keylife=3600
        type=transport
        left=%defaultroute
        leftprotoport=17/1701
        right=<VPN SERVER IP>
        rightprotoport=17/1701
        auto=start

ipsec.secrets:
: PSK "<PreShared Key>"

xl2tpd.conf:
[global]
port = 1701
auth file = /etc/xl2tpd/xl2tpd-secrets
access control = no
[lac <NAME OF VPN>]
lns = <VPN SERVER IP>
;ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

options.l2tpd.client:
ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
noauth
defaultroute
replacedefaultroute
usepeerdns
#debug
connect-delay 5000
idle 1800
name <VPN USER>
password <VPN USER PASS>

/etc/init.d/ipsec enable
/etc/init.d/xl2tpd enable
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart
ipsec restart
ipsec up <NAME OF VPN>

So far the connection is established, OK, let's continue. The first time I did this I thought that a ppp0 interface would show up, but it was missing from ifconfig; then it hit me:

echo "c <NAME OF VPN>" > /var/run/xl2tpd/l2tp-control

After that, the ppp0 interface showed up with a VPN IP, but the connection only lasts for some minutes and then it's gone and ppp0 is no longer in ifconfig.
While ppp0 is up I've tried to ping an IP on the local network behind the USG, but there isn't a response. I also know that there are more steps to be done, but ppp0 doesn't last long enough to establish that config, and even if I proceed with them, then there is no more internet connection (not even to bring the VPN up again).

The next command should be something like this:

route add <VPN SERVER IP> gw <OPENWRT LOCAL IP>
route add default dev ppp0

What am I doing wrong? What's missing?

OK, without any response yet, but I was able to figure it out my way; the connection is stable and fast.

I have redone the config like this:

Commands like this:

opkg update
opkg install strongswan-default xl2tpd

/etc/ipsec.conf

config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        charondebug=all

conn %default
        keyexchange=ikev1

conn <NAME OF VPN>
        authby=secret
        type=transport
        keyexchange=ikev1
        left=%defaultroute
        leftprotoport=17/1701
        right=<VPN SERVER IP>
        rightprotoport=17/1701
        auto=add
        ike=3des-sha1-modp1024
        dpddelay=15
        dpdtimeout=45
        dpdaction=clear
        esp=3des-sha1
        rekey=no
        ikelifetime=3600
        keylife=3600
        auto=start

/etc/ipsec.secrets

: PSK "<PreShared Key>"

/etc/xl2tpd/xl2tpd.conf

[global]
port = 1701
auth file = /etc/xl2tpd/xl2tpd-secrets
access control = no

[lac <NAME OF VPN>]
lns = <VPN SERVER IP>
require authentication = yes
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd.client
length bit = yes

/etc/ppp/options.xl2tpd.client

ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
usepeerdns
noauth
defaultroute
debug
proxyarp
connect-delay 5000
idle 1800
name <VPN USER>
password <VPN USER PASS>

Then these commands:

/etc/init.d/ipsec enable
/etc/init.d/xl2tpd enable
/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart
ipsec restart
ipsec up <NAME OF VPN>
echo "c <NAME OF VPN>" > /var/run/xl2tpd/l2tp-control

Next, in the web config go to: Network > Interfaces
Create a new interface with this config:

Name: VPN
Protocol of the interfaces: Unmanaged
Cover the following interface: ppp0
Firewall settings: Unspecified

Edit the br-lan interface:

DNS Server: <VPN DNS SERVER IP>,<LOCAL DNS SERVER IP>

Now: Network > Firewall
Create new:

Name: vpn
Input: accept
Output: accept
Forward: reject
Masquerading: checked
Covered networks: VPN (created on Interface)
Allow forwarding from source: LAN,WAN

Back to SSH, these commands are next:

echo "d <NAME OF VPN>" > /var/run/xl2tpd/l2tp-control
echo "c <NAME OF VPN>" > /var/run/xl2tpd/l2tp-control
ifconfig (check the VPN IP assigned to the ppp0 interface)
ip route add <LOCAL NET OF THE VPN SITE, SOMETHING LIKE 10.0.0.0/16> dev ppp0 scope link src <IP OF ppp0 INTERFACE>
iptables -t nat -A POSTROUTING -o br-lan -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A FORWARD -j ACCEPT

Done! You're now as if you were on the network of the other side!
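The final SSH commands in the post (the `ip route add`, the two masquerade rules and `iptables -A FORWARD -j ACCEPT`) have to be typed again after every reconnect and are gone after a reboot. The script below is an added example, not the poster's configuration, of a pppd ip-up/ip-down hook that applies those steps automatically whenever the L2TP ppp interface comes up and removes them when it goes down. It also scopes the rules to the LAN bridge, the tunnel and the remote LAN instead of forwarding everything between all interfaces. The remote LAN 10.0.0.0/16, the bridge name br-lan and the install path /etc/ppp/ip-up.d/50-usg-l2tp are assumed placeholders; the `DRY_RUN` switch only prints the commands so the logic can be checked on a machine without `ip` or `iptables`.

```shell
#!/bin/sh
# Added example, not the poster's script: a pppd hook that performs the
# post-connect steps from the post (route to the remote LAN, NAT, forwarding)
# every time the tunnel's ppp interface comes up, instead of typing them by
# hand after each "c <NAME OF VPN>". Install as /etc/ppp/ip-up.d/50-usg-l2tp
# and symlink the same file into /etc/ppp/ip-down.d/ for the teardown half.
#
# pppd invokes ip-up/ip-down scripts as:
#   $1=interface  $2=tty  $3=speed  $4=local IP  $5=remote IP  $6=ipparam
#
# Assumed values (hypothetical placeholders, adjust to your site):
REMOTE_LAN="${REMOTE_LAN:-10.0.0.0/16}"   # LAN behind the USG
LAN_IF="${LAN_IF:-br-lan}"                # OpenWrt LAN bridge
DRY_RUN="${DRY_RUN:-0}"                   # 1 = print commands instead of running them

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Route the remote LAN over the tunnel. "replace" makes this idempotent, so a
# reconnect that reuses the same ppp interface does not fail with "File exists".
vpn_routes() {   # $1=ppp iface  $2=local ppp IP  $3=remote LAN
    run ip route replace "$3" dev "$1" scope link src "$2"
}

# Firewall rules scoped to the tunnel and the remote LAN: masquerade only
# traffic leaving over the tunnel towards the remote LAN, forward LAN -> tunnel
# for that destination, and only reply traffic back. This narrows the blanket
# "iptables -A FORWARD -j ACCEPT" to the two interfaces actually involved.
# $1=iptables action (-A or -D)  $2=ppp iface  $3=LAN iface  $4=remote LAN
vpn_firewall() {
    run iptables -t nat "$1" POSTROUTING -o "$2" -d "$4" -j MASQUERADE
    run iptables "$1" FORWARD -i "$3" -o "$2" -d "$4" -j ACCEPT
    run iptables "$1" FORWARD -i "$2" -o "$3" -s "$4" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

vpn_up() {       # $1=ppp iface  $2=local ppp IP  $3=LAN iface  $4=remote LAN
    vpn_routes "$1" "$2" "$4"
    vpn_firewall -A "$1" "$3" "$4"
}

vpn_down() {     # $1=ppp iface  $2=LAN iface  $3=remote LAN
    # The route disappears with the interface; only the firewall rules linger.
    vpn_firewall -D "$1" "$2" "$3"
}

# Entry point when pppd calls the hook; $0 tells whether this is the up or
# down copy of the script. Does nothing when sourced or run without arguments.
case "${1:-}" in
    ppp*)
        case "$0" in
            *ip-down*) vpn_down "$1" "$LAN_IF" "$REMOTE_LAN" ;;
            *)         vpn_up "$1" "$4" "$LAN_IF" "$REMOTE_LAN" ;;
        esac
        ;;
esac
```

Running `DRY_RUN=1 sh 50-usg-l2tp ppp0 tty 0 10.0.1.5 10.0.1.1` prints the four commands that would be executed for a tunnel whose local end is 10.0.1.5 (constructed value). On OpenWrt a firewall reload rebuilds the tables and drops rules added outside it, so if the tunnel must survive `/etc/init.d/firewall reload`, the same forwarding and masquerade intent belongs in the vpn zone created in LuCI above, with this hook left to handle only the route.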
