Comments (20)
Btw, I also tried to get an answer from the community but no replies over there... https://community.ui.com/questions/VPN-L2TP-USG4-pro-wont-connect/c40c5341-6ef6-40bc-8823-9e17c2da723c
from usg-kpn-ftth.
I also ran into the same issue. After checking the log (/var/log/postprovisionvpn.log) it just had one line in it:
Nothing to delete (the specified value does not exist)
Going into configure and running show vpn explains why: my dhcp-interface is set to eth0.6, and the script tries to delete eth0. If you try to add the outside-address without removing it, committing the config results in the following error:
L2TP VPN configuration error: Only one of dhcp-interface and outside-address can be defined.
Which isn't logged because the setvpn.sh script does not pipe the output of configure. Simply replacing eth0 with eth0.6 in the script makes it delete the proper thing, and after running the script again my VPN works.
from usg-kpn-ftth.
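The comment above describes two silent failure modes of a hard-coded "delete ... dhcp-interface eth0": "Nothing to delete" when the node holds another interface, and the commit error when outside-address is set while dhcp-interface still exists. The script below is an added example, not the repository's setvpn.sh: it reads the interface from a constructed "show vpn" sample (assumed to have the same layout as the config pasted later in this thread), and only emits the delete when the node is present; the pppoe2 line is taken from the commands quoted in the next comment.

```shell
#!/bin/sh
# Added example, not the repository's setvpn.sh: look up which interface the
# L2TP dhcp-interface node actually holds before deleting it, instead of
# hard-coding eth0, and emit the delete only when the node exists.

# Constructed sample of configure-mode "show vpn" output for a gateway whose
# WAN VLAN sits on eth2.6 (assumption: same layout as the config in the thread).
SAMPLE_SHOW_VPN='l2tp {
    remote-access {
        dhcp-interface eth2.6
        idle 1800
    }
}'

# Print the value of the dhcp-interface node from show-vpn text on stdin.
# Prints nothing when the node is absent (outside-address already in use).
dhcp_interface_of() {
    sed -n 's/^[[:space:]]*dhcp-interface[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p'
}

# Emit the configure-mode lines that swap dhcp-interface for outside-address.
# Deleting the right node avoids "Nothing to delete", and deleting it before
# the set avoids "Only one of dhcp-interface and outside-address can be
# defined" at commit. $1 is the interface name, empty when none was found.
l2tp_fix_commands() {
    echo "set vpn ipsec ipsec-interfaces interface pppoe2"
    if [ -n "$1" ]; then
        echo "delete vpn l2tp remote-access dhcp-interface $1"
    fi
    echo "set vpn l2tp remote-access outside-address 0.0.0.0"
    echo "commit"
    echo "save"
}

# Plan for the constructed sample. On a real USG the emitted lines would be
# fed to configure and its output kept with "2>&1 | tee -a
# /var/log/postprovisionvpn.log", so a commit error is no longer silent.
main() {
    iface=$(printf '%s\n' "$SAMPLE_SHOW_VPN" | dhcp_interface_of)
    l2tp_fix_commands "$iface"
}
main
```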
Hello stefhof2, I use a USG, and after I saw basmeerman/unifi-usg-kpn#7
I used the suggested command on my USG:
configure
set vpn ipsec ipsec-interfaces interface pppoe2
delete vpn l2tp remote-access dhcp-interface eth0
set vpn l2tp remote-access outside-address 0.0.0.0
commit
save
Then I could use VPN from my iPhone to my home network.
I then added this in the startup script so after a reboot it would be set again.
Not sure this is the same for USG4, but you can always try, right?
from usg-kpn-ftth.
> Not sure this is the same for USG4, but you can always try, right?
Hi Huub,
Thanks for thinking with me. I used/placed the setvpn.sh script indeed; in this script the same commands are set. The only difference for me is that the WAN interface is on eth2, where the WAN interface on a USG3 is on eth0, so this is the only thing I edited in the code.
What does your L2TP config look like?
from usg-kpn-ftth.
You mean L2TP on my iPhone?
See below
You also need to create a user on your UniFi software
from usg-kpn-ftth.
Ah ok, yeah, I have the same settings. Did you do anything special on the UniFi controller when you configured the L2TP VPN? For example, did you set up port forwarding or something?
from usg-kpn-ftth.
Have a look at this https://youtu.be/LGp8LBcg4fE
from usg-kpn-ftth.
Hmmm, I did exactly the same thing as shown in the video.
Now I'm trying to troubleshoot what goes wrong. Apparently the VPN connection request is reaching the RADIUS server but won't connect in the end. When I run "show vpn log tail" to see what happens when I connect my VPN, this is the output:
Nov 25 22:35:08 03[IKE] <6> 77.63.72.137 is initiating a Main Mode IKE_SA
Nov 25 22:35:09 06[IKE] <remote-access|6> IKE_SA remote-access[6] established between 86.X.X.X[86.X.X.X]...77.63.72.137[0.0.0.0]
Nov 25 22:35:10 08[IKE] <remote-access|6> CHILD_SA remote-access{6} established with SPIs cdb628c8_i 0fed2843_o and TS 86.X.X.X/32[udp/l2f] === 77.63.72.137/32[udp/63203]
Nov 25 22:35:30 02[IKE] <remote-access|6> deleting IKE_SA remote-access[6] between 86.X.X.X[86.X.X.X]...77.63.72.137[0.0.0.0]
Any thoughts on what goes wrong?
from usg-kpn-ftth.
Did you check the FW rules?
Maybe recheck everything:
https://rowelldionicio.com/unifi-usg-configuring-remote-access-vpn/
from usg-kpn-ftth.
I checked it, but I don't have any custom-made forward rule or firewall rule; everything is default for now. I first want to get everything working before I start denying some connections in the firewall.
If I look at the instructions on the URL, it is the same thing I did, so I really don't understand why it won't work...
from usg-kpn-ftth.
Any updates? I followed the instructions and everything is working except the VPN L2TP.
from usg-kpn-ftth.
> Any updates? I followed the instructions and everything is working except the VPN L2TP.
Sadly not, nothing yet; for me it's the same issue... If I have some time I want to find a good guide on how to troubleshoot the configuration to see on what part the connection fails.
from usg-kpn-ftth.
> I also ran into the same issue. After checking the log (/var/log/postprovisionvpn.log) it just had one line in it: Nothing to delete (the specified value does not exist)
> Going into configure and running show vpn explains why: my dhcp-interface is set to eth0.6, and the script tries to delete eth0. If you try to add the outside-address without removing it, committing the config results in the following error: L2TP VPN configuration error: Only one of dhcp-interface and outside-address can be defined.
> Which isn't logged because the setvpn.sh script does not pipe the output of configure. Simply replacing eth0 with eth0.6 in the script makes it delete the proper thing, and after running the script again my VPN works.
Ah, now you mention it, it makes sense indeed. I'm using a USG4 Pro, so my WAN is on eth2 and I had to change it to delete the dhcp-interface from 2.6. After that was changed and I rebooted, it is finally working. Thanks a lot.
Do you also know by chance how to configure the USG so it will allow connecting to a web service that is behind a specific port?
For example, I'm using openHAB; the config page uses port 8080 and that's working fine, but on the same IP the log viewer is behind 9001 and if I try to open it the page won't load. Same thing for MotionEye: their default page is behind port 8765, so that one is also unavailable.
Do I have to create a firewall rule to allow this, or is there something else that will do the trick?
from usg-kpn-ftth.
I'm not sure, by default the VPN should have full access to the corporate network. There shouldn't be a reason that port 8080 works but the others don't.
I'm guessing you either have a firewall rule that is blocking those, in which case you'd need to remove that rule or add another that explicitly allows them, or there's something blocking it on your server, either a firewall or a configuration that only allows connections from the local subnet (i.e. your LAN is 192.168.0.x but the VPN clients get a 172.16.0.x IP)
from usg-kpn-ftth.
Still no luck...
My dhcp-interface is set to eth0, so the setvpn.sh script is OK.
When I try to connect, the following happens:
show vpn log tail
Jan 1 13:16:58 03[IKE] <remote-access|14> IKE_SA remote-access[14] established between XX.XX.XX.XX[XX.XX.XX.XX]...31.161.221.135[0.0.0.0]
Jan 1 13:16:59 07[IKE] <remote-access|14> CHILD_SA remote-access{12} established with SPIs c199dc2c_i 0cefe46a_o and TS XX.XX.XX.XX/32[udp/l2f] === 31.161.221.135/32[udp/51965]
Jan 1 13:17:31 15[IKE] <remote-access|14> deleting IKE_SA remote-access[14] between XX.XX.XX.XX[XX.XX.XX.XX]...31.161.221.135[0.0.0.0]
Jan 1 13:17:37 16[KNL] interface ppp1 deleted
from usg-kpn-ftth.
> I'm not sure, by default the VPN should have full access to the corporate network. There shouldn't be a reason that port 8080 works but the others don't.
> I'm guessing you either have a firewall rule that is blocking those, in which case you'd need to remove that rule or add another that explicitly allows them, or there's something blocking it on your server, either a firewall or a configuration that only allows connections from the local subnet (i.e. your LAN is 192.168.0.x but the VPN clients get a 172.16.0.x IP)
Thanks, I found the issue. The problem was that the devices with a different port had the old gateway fixed in their setup; by coincidence all the devices with 8080 already had the new gateway set up :)
from usg-kpn-ftth.
> Still no luck... My dhcp-interface is set to eth0, so the setvpn.sh script is OK.
> When I try to connect, the following happens:
> show vpn log tail
> Jan 1 13:16:58 03[IKE] <remote-access|14> IKE_SA remote-access[14] established between XX.XX.XX.XX[XX.XX.XX.XX]...31.161.221.135[0.0.0.0]
> Jan 1 13:16:59 07[IKE] <remote-access|14> CHILD_SA remote-access{12} established with SPIs c199dc2c_i 0cefe46a_o and TS XX.XX.XX.XX/32[udp/l2f] === 31.161.221.135/32[udp/51965]
> Jan 1 13:17:31 15[IKE] <remote-access|14> deleting IKE_SA remote-access[14] between XX.XX.XX.XX[XX.XX.XX.XX]...31.161.221.135[0.0.0.0]
> Jan 1 13:17:37 16[KNL] interface ppp1 deleted
Can you SSH into your USG, then type:
configure and press enter, then type show vpn and hit enter.
Can you paste the output here?
from usg-kpn-ftth.
> Can you SSH into your USG, then type:
> configure and press enter, then type show vpn and hit enter.
> Can you paste the output here?
Sure, here is the configuration.
wpalm@USG# show vpn
 ipsec {
     auto-firewall-nat-exclude disable
     ipsec-interfaces {
         interface eth0
         interface pppoe2
     }
     nat-networks {
         allowed-network 0.0.0.0/0 {
         }
     }
     nat-traversal enable
 }
 l2tp {
     remote-access {
         authentication {
             mode radius
             radius-server 192.168.1.1 {
                 key XXXX
                 port 1812
             }
         }
         client-ip-pool {
             start 192.168.3.1
             stop 192.168.3.254
         }
         dns-servers {
             server-1 192.168.1.1
         }
         idle 1800
         ipsec-settings {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret XXXX
             }
             ike-lifetime 3600
             lifetime 3600
         }
         outside-address 0.0.0.0
     }
 }
[edit]
from usg-kpn-ftth.
Okay the problem is solved!
wpalm@USG# sudo cat /var/log/freeradius/radius.log
Fri Jan 1 17:29:28 2021 : Info: Loaded virtual server
Fri Jan 1 17:29:28 2021 : Info: Loaded virtual server inner-tunnel
Fri Jan 1 17:29:28 2021 : Info: ... adding new socket proxy address * port 46155
Fri Jan 1 17:29:28 2021 : Info: Ready to process requests.
Fri Jan 1 17:29:54 2021 : Info: Signalled to terminate
Fri Jan 1 17:29:54 2021 : Info: Exiting normally.
Fri Jan 1 17:29:56 2021 : Info: Loaded virtual server
Fri Jan 1 17:29:56 2021 : Info: Loaded virtual server inner-tunnel
Fri Jan 1 17:29:56 2021 : Info: ... adding new socket proxy address * port 52538
Fri Jan 1 17:29:56 2021 : Info: Ready to process requests.
Fri Jan 1 18:37:37 2021 : Error: Ignoring request to authentication address * port 1812 from unknown client 192.168.1.1 port 49315
Fri Jan 1 18:37:47 2021 : Error: Ignoring request to authentication address * port 1812 from unknown client 192.168.1.1 port 49315
Fri Jan 1 18:37:57 2021 : Error: Ignoring request to authentication address * port 1812 from unknown client 192.168.1.1 port 49315
The VPN connection was not established due to the following issue:
https://community.ui.com/questions/USG-L2TP-issue-Authentication-Failed/17ecd602-5c95-4b35-8dd6-7fcacbfd892c#answer/88d832b6-3a68-490c-a3bb-d70b5fdbf29c
Run the following script on the controller:
mongo localhost:27117/ace
db.setting.remove({"key":"radius"})
exit
Then the RADIUS server was turned on again and the VPN could be started.
Issue can be closed.
from usg-kpn-ftth.
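The two logs in this thread together tell the story: IKE_SA and CHILD_SA come up, the IKE_SA is torn down about half a minute later, and meanwhile FreeRADIUS on the controller ignores the gateway as an "unknown client". The script below is an added example, not from the thread or the repository, that turns that pattern into a single diagnosis; its sample lines are constructed from the ones pasted above, with the peer address replaced by the placeholder 203.0.113.10.

```shell
#!/bin/sh
# Added example, not from the thread: classify the failure seen above, where
# the IKE and CHILD SAs come up and are torn down half a minute later while
# FreeRADIUS reports the gateway as an "unknown client". Log lines are
# constructed from the ones pasted above; the peer address is a placeholder.

VPN_LOG='Jan 1 13:16:58 03[IKE] <remote-access|14> IKE_SA remote-access[14] established between XX.XX.XX.XX[XX.XX.XX.XX]...203.0.113.10[0.0.0.0]
Jan 1 13:16:59 07[IKE] <remote-access|14> CHILD_SA remote-access{12} established with SPIs c199dc2c_i 0cefe46a_o and TS XX.XX.XX.XX/32[udp/l2f] === 203.0.113.10/32[udp/51965]
Jan 1 13:17:31 15[IKE] <remote-access|14> deleting IKE_SA remote-access[14] between XX.XX.XX.XX[XX.XX.XX.XX]...203.0.113.10[0.0.0.0]
Jan 1 13:17:37 16[KNL] interface ppp1 deleted'

RADIUS_LOG='Fri Jan 1 18:37:37 2021 : Info: Ready to process requests.
Fri Jan 1 18:37:47 2021 : Error: Ignoring request to authentication address * port 1812 from unknown client 192.168.1.1 port 49315
Fri Jan 1 18:37:57 2021 : Error: Ignoring request to authentication address * port 1812 from unknown client 192.168.1.1 port 49315'

# Summarise "show vpn log tail" output (stdin) into one state word.
ike_state() {
    awk '
        /IKE_SA remote-access/ && /established/   { ike = 1 }
        /CHILD_SA remote-access/ && /established/ { child = 1 }
        /deleting IKE_SA/                         { del = 1 }
        END {
            if (ike && child && del) print "ipsec-up-then-torn-down"
            else if (ike && child)   print "ipsec-up"
            else if (ike)            print "ipsec-phase2-failed"
            else                     print "ipsec-phase1-failed"
        }'
}

# List NAS addresses FreeRADIUS refused as unregistered clients (stdin).
radius_unknown_clients() {
    sed -n 's/.*from unknown client \([0-9.]*\) port.*/\1/p' | sort -u
}

# Combine both views: a healthy IPsec tunnel that is torn down while RADIUS
# drops the NAS means the L2TP authentication stage, not IPsec, is failing.
diagnose() {
    state=$(printf '%s\n' "$1" | ike_state)
    nas=$(printf '%s\n' "$2" | radius_unknown_clients)
    if [ "$state" = "ipsec-up-then-torn-down" ] && [ -n "$nas" ]; then
        echo "IPsec ok; L2TP auth failed: RADIUS rejects NAS $nas as unknown client"
    elif [ "$state" = "ipsec-up-then-torn-down" ]; then
        echo "IPsec ok; L2TP/PPP stage failed, check the radius and ppp logs"
    else
        echo "$state"
    fi
}
diagnose "$VPN_LOG" "$RADIUS_LOG"
```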
Awesome work everyone, thanks!
from usg-kpn-ftth.