Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save nahall/6b23603ce9df2500a4053b280071d1ad to your computer and use it in GitHub Desktop.
Save nahall/6b23603ce9df2500a4053b280071d1ad to your computer and use it in GitHub Desktop.
Connecting to a Ubiquiti Unifi VPN with a Linux machine
This guide assumes that you have already set up a Ubiquiti Unifi VPN following the guide:
https://help.ubnt.com/hc/en-us/articles/115005445768-UniFi-L2TP-Remote-Access-VPN-with-USG-as-RADIUS-Server
To configure a Linux machine to be able to connect remotely I followed these steps. This guide was written for Debian 8.
- In Debian install the "xl2tpd" and "strongswan" packages.
- Edit /etc/ipsec.conf to add the connection:
conn YOURVPNCONNECTIONNAME
authby=secret
pfs=no
auto=start
keyexchange=ikev1
keyingtries=3
dpddelay=15
dpdtimeout=45
dpdaction=clear
rekey=no
ikelifetime=3600
keylife=3600
type=transport
left=%defaultroute
leftprotoport=17/1701
# Replace IP address with your VPN server's IP
right=IPADDRESSOFVPNSERVER
rightprotoport=17/%any
ike=aes128-sha1-modp2048,aes256-sha1-modp4096,aes128-sha1-modp1536,aes256-sha1-modp2048,aes128-sha1-modp1024,aes256-sha1-modp1536,aes256-sha1-modp1024,3des-sha1-modp1024!
esp=aes128-sha1-modp2048,aes256-sha1-modp4096,aes128-sha1-modp1536,aes256-sha1-modp2048,aes128-sha1-modp1024,aes256-sha1-modp1536,aes256-sha1-modp1024!
- Edit /etc/ipsec.secrets to add the secret key for this connection:
  IPADDRESSOFVPNSERVER : PSK "SECRETPRESHAREDKEY"
- Edit /etc/xl2tpd/xl2tpd.conf to add this connection:
[lac YOURVPNCONNECTIONNAME]
lns = IPADDRESSOFVPNSERVER
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client-YOURVPNCONNECTIONNAME
length bit = yes
- Create the file /etc/ppp/options.l2tpd.client-YOURVPNCONNECTIONNAME:
ipcp-accept-local
ipcp-accept-remote
noccp
refuse-eap
refuse-chap
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
# Uncomment if you want to use the DNS servers of the VPN host:
#usepeerdns
debug
logfile /var/log/xl2tpd.log
connect-delay 5000
proxyarp
name VPNUSERNAME
password "VPNPASSWORD"
- Now to connect to the VPN create a script:
#!/bin/bash
echo "Connecting to VPN..."
echo "c YOURVPNCONNECTIONNAME" > /var/run/xl2tpd/l2tp-control
sleep 10
# To have all internet traffic routed through the VPN uncomment:
#ip route add default dev ppp0
# To only have a remote subnet routed through the VPN uncomment
# (this line assumes the remote subnet you want routed is 192.168.0.0/24 and the remote VPN end is 10.11.0.1:
ip route add 192.168.0.0/24 via 10.11.0.1 dev ppp0
- And to disconnect to the VPN create a script:
#!/bin/bash
ip route del default dev ppp0
ip route del 192.168.0.0/24 dev ppp0
echo "d YOURVPNCONNECTIONNAME" > /var/run/xl2tpd/l2tp-control
service xl2tpd restart
- Note that for these scripts I am assuming that the remote subnet we are interested in is 192.168.0.0/24
and the remote VPN gateway address is 10.11.0.1.
- You can also decide which line to uncomment based on if you want all traffic to be routed through the VPN
or to just route connections to the 192.168.0.0/24 subnet.
- If you want all traffic routed through the VPN you may want to uncomment the "usepeerdns" line in
/etc/ppp/options.l2tpd.client-YOURVPNCONNECTIONNAME so that DNS traffic flows through the VPN rather
than going to the local DNS server.
@nahall
Copy link
Author

nahall commented Oct 26, 2022

Hmm, that's strange, I haven't seen that. Have you tried increasing ikelifetime and keylife in /etc/ipsec.conf to see if that stops the drop? In my example they are set to 3600 seconds which corresponds to 1 hour so you could increase them and see if it goes longer without dropping. But it's not actually supposed to drop when that lifetime expires.

@maximede
Copy link

I think I won't be able to go higher than this since 3600s is also what's configured on UDM side ( in /run/strongswan/ipsec.d/tunnels/lns-l2tp-server.ipsec.l2tp.config) but I can try :)
This is the sequence of events I see in my logs if that helps :

Oct 26 12:33:02 servername pppd[312446]: sent [LCP EchoReq id=0x78 magic=0xf47f4c94]
Oct 26 12:33:02 servername charon: 16[IKE] sending DPD request
Oct 26 12:33:02 servername charon: 16[ENC] generating INFORMATIONAL_V1 request 3876004764 [ HASH N(DPD) ]
Oct 26 12:33:02 servername charon: 16[NET] sending packet: from {serverIP}[500] to {udmIP}[500] (92 bytes)
Oct 26 12:33:10 servername charon: 05[NET] received packet: from {udmIP}[500] to {serverIP}[500] (540 bytes)
Oct 26 12:33:10 servername charon: 05[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
Oct 26 12:33:10 servername charon: 05[IKE] received XAuth vendor ID
Oct 26 12:33:10 servername charon: 05[IKE] received DPD vendor ID
Oct 26 12:33:10 servername charon: 05[IKE] received FRAGMENTATION vendor ID
Oct 26 12:33:10 servername charon: 05[IKE] received NAT-T (RFC 3947) vendor ID
Oct 26 12:33:10 servername charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 26 12:33:10 servername charon: 05[IKE] {udmIP} is initiating a Main Mode IKE_SA
Oct 26 12:33:10 servername charon: 05[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Oct 26 12:33:10 servername charon: 05[ENC] generating ID_PROT response 0 [ SA V V V V ]
Oct 26 12:33:10 servername charon: 05[NET] sending packet: from {serverIP}[500] to {udmIP}[500] (160 bytes)
Oct 26 12:33:10 servername charon: 12[NET] received packet: from {udmIP}[500] to {serverIP}[500] (372 bytes)
Oct 26 12:33:10 servername charon: 12[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Oct 26 12:33:10 servername charon: 12[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Oct 26 12:33:10 servername charon: 12[NET] sending packet: from {serverIP}[500] to {udmIP}[500] (372 bytes)
Oct 26 12:33:10 servername charon: 09[NET] received packet: from {udmIP}[500] to {serverIP}[500] (76 bytes)
Oct 26 12:33:10 servername charon: 09[ENC] parsed ID_PROT request 0 [ ID HASH ]
Oct 26 12:33:10 servername charon: 09[CFG] looking for pre-shared key peer configs matching {serverIP}...{udmIP}[{udmIP}]
Oct 26 12:33:10 servername charon: 09[CFG] selected peer config "UDM"
Oct 26 12:33:10 servername charon: 09[IKE] detected reauth of existing IKE_SA, adopting 1 children and 0 virtual IPs
Oct 26 12:33:10 servername charon: 09[IKE] schedule delete of duplicate IKE_SA for peer '{udmIP}' due to uniqueness policy and suspected reauthentication
Oct 26 12:33:10 servername charon: 09[IKE] IKE_SA UDM[24] established between {serverIP}[{serverIP}]...{udmIP}[{udmIP}]
Oct 26 12:33:10 servername charon: 09[ENC] generating ID_PROT response 0 [ ID HASH ]
Oct 26 12:33:10 servername charon: 09[NET] sending packet: from {serverIP}[500] to {udmIP}[500] (76 bytes)
Oct 26 12:33:10 servername charon: 11[NET] received packet: from {udmIP}[500] to {serverIP}[500] (572 bytes)
Oct 26 12:33:10 servername charon: 11[ENC] parsed QUICK_MODE request 3923868918 [ HASH SA No KE ID ID ]
Oct 26 12:33:10 servername charon: 11[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
Oct 26 12:33:10 servername charon: 11[IKE] received 3600s lifetime, configured 0s
Oct 26 12:33:10 servername charon: 11[ENC] generating QUICK_MODE response 3923868918 [ HASH SA No KE ID ID ]
Oct 26 12:33:10 servername charon: 11[NET] sending packet: from {serverIP}[500] to {udmIP}[500] (444 bytes)
Oct 26 12:33:10 servername charon: 08[NET] received packet: from {udmIP}[500] to {serverIP}[500] (60 bytes)
Oct 26 12:33:10 servername charon: 08[ENC] parsed QUICK_MODE request 3923868918 [ HASH ]
Oct 26 12:33:10 servername charon: 08[IKE] CHILD_SA UDM{3} established with SPIs c0c1d95b_i cf703f9a_o and TS {serverIP}/32[udp/l2f] === {udmIP}/32[udp]
Oct 26 12:33:11 servername xl2tpd[845]: check_control: Received out of order control packet on tunnel 41163 (got 62, expected 61)
Oct 26 12:33:11 servername xl2tpd[845]: handle_packet: bad control packet!
Oct 26 12:33:17 servername charon: 13[IKE] sending DPD request
Oct 26 12:33:17 servername charon: 13[ENC] generating INFORMATIONAL_V1 request 1354316911 [ HASH N(DPD) ]
Oct 26 12:33:17 servername charon: 13[NET] sending packet: from {serverIP}[500] to {udmIP}[500] (92 bytes)
Oct 26 12:33:20 servername charon: 10[IKE] deleting IKE_SA UDM[23] between {serverIP}[{serverIP}]...{udmIP}[{udmIP}]
Oct 26 12:33:20 servername charon: 10[IKE] sending DELETE for IKE_SA UDM[23]
Oct 26 12:33:20 servername charon: 10[ENC] generating INFORMATIONAL_V1 request 705273687 [ HASH D ]
Oct 26 12:33:20 servername charon: 10[NET] sending packet: from {serverIP}[500] to {udmIP}[500] (92 bytes)
Oct 26 12:33:26 servername charon: 16[NET] received packet: from {udmIP}[500] to {serverIP}[500] (92 bytes)
Oct 26 12:33:26 servername charon: 16[ENC] parsed INFORMATIONAL_V1 request 3966655131 [ HASH N(DPD) ]
Oct 26 12:33:26 servername charon: 16[ENC] generating INFORMATIONAL_V1 request 2641383276 [ HASH N(DPD_ACK) ]
Oct 26 12:33:26 servername charon: 16[NET] sending packet: from {serverIP}[500] to {udmIP}[500] (92 bytes)
Oct 26 12:33:27 servername xl2tpd[845]: Maximum retries exceeded for tunnel 62873.  Closing.
Oct 26 12:33:27 servername xl2tpd[845]: Terminating pppd: sending TERM signal to pid 312446

@nahall
Copy link
Author

nahall commented Oct 26, 2022

Sorry, I don't really know what's going on. I haven't tried doing this kind of VPN in a few months so I'm not sure if Ubiquiti has changed something or not. Is there anyone else following this gist who has seen this, or has a VPN that continues to work fine for more than 1 hour?

@pjbisset
Copy link

pjbisset commented Oct 26, 2022 via email

@emiller233
Copy link

will this work on the Unifi UDM as well?

@nahall
Copy link
Author

nahall commented Feb 4, 2023

will this work on the Unifi UDM as well?

I would think so but I haven't tried that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment