Comments (20)

stehof2 avatar stehof2 commented on August 12, 2024 1

Btw, I also tried to get an answer from the community but no replies over there... https://community.ui.com/questions/VPN-L2TP-USG4-pro-wont-connect/c40c5341-6ef6-40bc-8823-9e17c2da723c

from usg-kpn-ftth.

Goz3rr avatar Goz3rr commented on August 12, 2024 1

I also ran into the same issue, after checking the log (/var/log/postprovisionvpn.log) it just had one line in it:

Nothing to delete (the specified value does not exist)

Going into configure and running show vpn explains why: my dhcp-interface is set to eth0.6, and the script tries to delete eth0. If you try to add the outside-address without removing it, committing the config results in the following error:

L2TP VPN configuration error: Only one of dhcp-interface and outside-address can be defined..

Which isn't logged because the setvpn.sh script does not pipe the output of configure. Simply replacing eth0 with eth0.6 in the script makes it delete the proper thing, and after running the script again my VPN works.

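
A hardened version of the logic described above, as an added example that is not the repository's setvpn.sh: it reads the real dhcp-interface from `show vpn` output instead of assuming eth0, only deletes what exists, and logs every line of the configure session so a commit error is not lost. The Vyatta wrapper path and its `show` support are assumptions; the sample config is constructed.

```shell
#!/bin/sh
# Added example, not the repository's setvpn.sh: derive the L2TP fix from the
# running config instead of hard-coding "eth0", so the delete targets the real
# dhcp-interface (eth0.6, eth2.6, ...) and the commit error "Only one of
# dhcp-interface and outside-address can be defined" cannot occur.

# Value of a one-word L2TP setting (e.g. dhcp-interface) in `show vpn` output.
l2tp_setting() {
    # $1 = setting name, $2 = text of `show vpn`; prints nothing if unset
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# Print the configure commands that move from dhcp-interface to
# outside-address 0.0.0.0; emit a delete only when something exists to delete.
plan_l2tp_fix() {
    iface=$(l2tp_setting dhcp-interface "$1")
    addr=$(l2tp_setting outside-address "$1")
    [ -n "$iface" ] && printf 'delete vpn l2tp remote-access dhcp-interface %s\n' "$iface"
    [ -z "$addr" ] && printf 'set vpn l2tp remote-access outside-address 0.0.0.0\n'
    return 0
}

# Apply the plan on a USG through the Vyatta config wrapper (path and its
# "show" support are assumptions) with ALL output appended to the log, so a
# commit error is recorded instead of silently discarded.
apply_l2tp_fix() {
    wrapper=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper
    log=/var/log/postprovisionvpn.log
    [ -x "$wrapper" ] || { echo "no Vyatta wrapper here, not applying" >&2; return 1; }
    {
        "$wrapper" begin
        plan_l2tp_fix "$("$wrapper" show vpn 2>&1)" | while read -r cmd; do
            # shellcheck disable=SC2086  # word-split cmd into wrapper arguments
            "$wrapper" $cmd
        done
        "$wrapper" commit && "$wrapper" save
        "$wrapper" end
    } >>"$log" 2>&1
}

# Constructed excerpt in the shape of `show vpn` on a KPN FTTH setup: the
# hard-coded script tries to delete "eth0" here and finds nothing.
SAMPLE_CFG='l2tp {
    remote-access {
        dhcp-interface eth0.6
    }
}'

plan_l2tp_fix "$SAMPLE_CFG"   # prints the delete for eth0.6, then the set
```
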
xHuubx avatar xHuubx commented on August 12, 2024

Hello stehof2, I use a USG, and after I saw basmeerman/unifi-usg-kpn#7

I used the suggested commands on my USG:

configure
set vpn ipsec ipsec-interfaces interface pppoe2
delete vpn l2tp remote-access dhcp-interface eth0
set vpn l2tp remote-access outside-address 0.0.0.0
commit
save

Then I could use the VPN from my iPhone to my home network.
I then added this to the startup script so that after a reboot it would be set again.
Not sure this is the same for the USG4, but you can always try, right?

stehof2 avatar stehof2 commented on August 12, 2024

> Not sure this is the same for the USG4, but you can always try, right?

Hi Huub,
Thanks for thinking with me. I did use/place the setvpn.sh script; in this script the same commands are set. The only difference for me is that the WAN interface is on eth2, whereas the WAN interface on the USG3 is on eth0, so this is the only thing I edited in the code.
What does your L2TP config look like?

xHuubx avatar xHuubx commented on August 12, 2024

You mean L2TP on my iPhone?
See below

You also need to create a user in your UniFi software.

stehof2 avatar stehof2 commented on August 12, 2024

Ah ok, yeah, I have the same settings. Did you do anything special on the UniFi controller when you configured the L2TP VPN? For example, did you set up port forwarding or something?

xHuubx avatar xHuubx commented on August 12, 2024

Have a look at this https://youtu.be/LGp8LBcg4fE

stehof2 avatar stehof2 commented on August 12, 2024

Hmmm, I did exactly the same thing as shown in the video.
Now I'm trying to troubleshoot what goes wrong. Apparently the VPN connection request is reaching the RADIUS server but won't connect in the end. When I run "show vpn log tail" to see what happens when I connect my VPN, this is the output:

Nov 25 22:35:08 03[IKE] <6> 77.63.72.137 is initiating a Main Mode IKE_SA
Nov 25 22:35:09 06[IKE] <remote-access|6> IKE_SA remote-access[6] established between 86.X.X.X[86.X.X.X]...77.63.72.137[0.0.0.0]
Nov 25 22:35:10 08[IKE] <remote-access|6> CHILD_SA remote-access{6} established with SPIs cdb628c8_i 0fed2843_o and TS 86.X.X.X/32[udp/l2f] === 77.63.72.137/32[udp/63203] 
Nov 25 22:35:30 02[IKE] <remote-access|6> deleting IKE_SA remote-access[6] between 86.X.X.X[86.X.X.X]...77.63.72.137[0.0.0.0]

Any thought what goes wrong?

xHuubx avatar xHuubx commented on August 12, 2024

Did you check the FW rules?
Maybe recheck everything:
https://rowelldionicio.com/unifi-usg-configuring-remote-access-vpn/

stehof2 avatar stehof2 commented on August 12, 2024

I checked, but I don't have any custom-made forward rule or firewall rule; everything is default for now. I first want to get everything working before I start denying some connections in the firewall.

If I look at the instructions at that URL, it's the same thing I did, so I really don't understand why it won't work...

palmw01 avatar palmw01 commented on August 12, 2024

Any updates? I followed the instructions and everything is working except the VPN L2TP.

stehof2 avatar stehof2 commented on August 12, 2024

> Any updates? I followed the instructions and everything is working except the VPN L2TP.

Sadly not, nothing yet; for me it's the same issue... If I have some time I want to find a good guide on how to troubleshoot the configuration to see at what part the connection fails.

stehof2 avatar stehof2 commented on August 12, 2024

> I also ran into the same issue, after checking the log (/var/log/postprovisionvpn.log) it just had one line in it:
>
> Nothing to delete (the specified value does not exist)
>
> Going into configure and running show vpn explains why: my dhcp-interface is set to eth0.6, and the script tries to delete eth0. If you try to add the outside-address without removing it, committing the config results in the following error:
>
> L2TP VPN configuration error: Only one of dhcp-interface and outside-address can be defined..
>
> Which isn't logged because the setvpn.sh script does not pipe the output of configure. Simply replacing eth0 with eth0.6 in the script makes it delete the proper thing, and after running the script again my VPN works.

Ah, now that you mention it, it makes sense indeed. I'm using a USG4 Pro, so my WAN is on eth2, so I had to change it to delete the dhcp-interface from 2.6; after that was changed and I rebooted, it is finally working. Thanks a lot.

Do you also know by chance how to configure the USG so it will allow connecting to a web service that is behind a specific port?

For example, I'm using openHAB: the config page uses port 8080 and that's working fine, but on the same IP the log viewer is behind 9001, and if I try to open it the page won't load. Same thing for MotionEye: its default page is behind port 8765, so that one is also unavailable.

Do I have to create a firewall rule to allow this, or is there something else that will do the trick?

Goz3rr avatar Goz3rr commented on August 12, 2024

I'm not sure; by default the VPN should have full access to the corporate network. There shouldn't be a reason that port 8080 works but the others don't.

I'm guessing you either have a firewall rule that is blocking those, in which case you'd need to remove that rule or add another that explicitly allows them, or there's something blocking it on your server, either a firewall or a configuration that only allows connections from the local subnet (i.e. your LAN is 192.168.0.x but the VPN clients get a 172.16.0.x IP).

palmw01 avatar palmw01 commented on August 12, 2024

Still no luck...

My dhcp-interface is set to eth0, so the setvpn.sh script is okay.

When I try to connect, the following happens:

show vpn log tail
Jan 1 13:16:58 03[IKE] <remote-access|14> IKE_SA remote-access[14] established between XX.XX.XX.XX[XX.XX.XX.XX]...31.161.221.135[0.0.0.0]
Jan 1 13:16:59 07[IKE] <remote-access|14> CHILD_SA remote-access{12} established with SPIs c199dc2c_i 0cefe46a_o and TS XX.XX.XX.XX/32[udp/l2f] === 31.161.221.135/32[udp/51965]
Jan 1 13:17:31 15[IKE] <remote-access|14> deleting IKE_SA remote-access[14] between XX.XX.XX.XX[XX.XX.XX.XX]...31.161.221.135[0.0.0.0]
Jan 1 13:17:37 16[KNL] interface ppp1 deleted

stehof2 avatar stehof2 commented on August 12, 2024

> I'm not sure; by default the VPN should have full access to the corporate network. There shouldn't be a reason that port 8080 works but the others don't.
>
> I'm guessing you either have a firewall rule that is blocking those, in which case you'd need to remove that rule or add another that explicitly allows them, or there's something blocking it on your server, either a firewall or a configuration that only allows connections from the local subnet (i.e. your LAN is 192.168.0.x but the VPN clients get a 172.16.0.x IP).

Thanks, I found the issue: the problem was that the devices with a different port still had the old gateway fixed in their setup; by coincidence, all the devices with 8080 already had the new gateway set up :)

stehof2 avatar stehof2 commented on August 12, 2024

> Still no luck...
>
> My dhcp-interface is set to eth0, so the setvpn.sh script is okay.
>
> When I try to connect, the following happens:
>
> show vpn log tail
> Jan 1 13:16:58 03[IKE] <remote-access|14> IKE_SA remote-access[14] established between XX.XX.XX.XX[XX.XX.XX.XX]...31.161.221.135[0.0.0.0]
> Jan 1 13:16:59 07[IKE] <remote-access|14> CHILD_SA remote-access{12} established with SPIs c199dc2c_i 0cefe46a_o and TS XX.XX.XX.XX/32[udp/l2f] === 31.161.221.135/32[udp/51965]
> Jan 1 13:17:31 15[IKE] <remote-access|14> deleting IKE_SA remote-access[14] between XX.XX.XX.XX[XX.XX.XX.XX]...31.161.221.135[0.0.0.0]
> Jan 1 13:17:37 16[KNL] interface ppp1 deleted

Can you SSH into your USG, then type configure and press enter, then type show vpn and hit enter?
Can you paste the output here?

palmw01 avatar palmw01 commented on August 12, 2024

> Can you SSH into your USG, then type configure and press enter, then type show vpn and hit enter?
> Can you paste the output here?

Sure, here is the configuration.

wpalm@USG# show vpn
 ipsec {
     auto-firewall-nat-exclude disable
     ipsec-interfaces {
         interface eth0
         interface pppoe2
     }
     nat-networks {
         allowed-network 0.0.0.0/0 {
         }
     }
     nat-traversal enable
 }
 l2tp {
     remote-access {
         authentication {
             mode radius
             radius-server 192.168.1.1 {
                 key XXXX
                 port 1812
             }
         }
         client-ip-pool {
             start 192.168.3.1
             stop 192.168.3.254
         }
         dns-servers {
             server-1 192.168.1.1
         }
         idle 1800
         ipsec-settings {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret XXXX
             }
             ike-lifetime 3600
             lifetime 3600
         }
         outside-address 0.0.0.0
     }
 }
[edit]

palmw01 avatar palmw01 commented on August 12, 2024

Okay the problem is solved!

wpalm@USG# sudo cat /var/log/freeradius/radius.log
Fri Jan 1 17:29:28 2021 : Info: Loaded virtual server
Fri Jan 1 17:29:28 2021 : Info: Loaded virtual server inner-tunnel
Fri Jan 1 17:29:28 2021 : Info: ... adding new socket proxy address * port 46155
Fri Jan 1 17:29:28 2021 : Info: Ready to process requests.
Fri Jan 1 17:29:54 2021 : Info: Signalled to terminate
Fri Jan 1 17:29:54 2021 : Info: Exiting normally.
Fri Jan 1 17:29:56 2021 : Info: Loaded virtual server
Fri Jan 1 17:29:56 2021 : Info: Loaded virtual server inner-tunnel
Fri Jan 1 17:29:56 2021 : Info: ... adding new socket proxy address * port 52538
Fri Jan 1 17:29:56 2021 : Info: Ready to process requests.
Fri Jan 1 18:37:37 2021 : Error: Ignoring request to authentication address * port 1812 from unknown client 192.168.1.1 port 49315
Fri Jan 1 18:37:47 2021 : Error: Ignoring request to authentication address * port 1812 from unknown client 192.168.1.1 port 49315
Fri Jan 1 18:37:57 2021 : Error: Ignoring request to authentication address * port 1812 from unknown client 192.168.1.1 port 49315

The VPN connection was not established due to the following issue:
https://community.ui.com/questions/USG-L2TP-issue-Authentication-Failed/17ecd602-5c95-4b35-8dd6-7fcacbfd892c#answer/88d832b6-3a68-490c-a3bb-d70b5fdbf29c

Run the following script on the controller:
mongo localhost:27117/ace
db.setting.remove({"key":"radius"})
exit

Then the RADIUS server was turned on again and the VPN could be started.

Issue can be closed.

coolhva avatar coolhva commented on August 12, 2024

Awesome work everyone, thanks!
