claykin

join:2003-08-22
Fort Lauderdale, FL

3 edits

USG50 with V3.0 L2TP settings lockup Zywall.

I have IPSEC and SSL VPN working just fine. Trying to use L2TP. Followed instructions in new user guide but 75% of the time I save settings the USG just hangs saying "loading" on screen. After about 2 minutes a small ERROR box shows up in the GUI but I cannot read it because it's behind the "Loading" message. Tried IE, Firefox and Chrome, same issue.

I confirmed my IPSEC and SSL VPN configs work ok after V3 upgrade.

Something is borked with the L2TP integration in the USG50.

Even after about 6 reboots, once I got L2TP configured using essentially the same config as in the user guide, I still cannot connect using Win 7. Just sits on trying to connect then times out with error 789.

I suppose I should enable logging in Windows and see what it tells me. On the other hand, with this lockup issue I suspect there are firmware issues.

Suggestions?


Brad Bishop
Premium
join:2002-09-27
Atlanta, GA

I don't think this is limited to L2TP.

I experienced the same thing when it was migrating the config from the previous version to v3.0. I also experienced it with L2TP.

When I tried to go back to a previous version (no L2TP) it'd lock up.

I think they have a bug in the saving/loading of the config.

Oh, after it locked up during migration I went back to the new v3.0 default settings and reconfigured it. So the L2TP lockups weren't from that.


polarisdb

join:2004-07-12
USA

reply to claykin
I also have a USG 50 with IPSEC (remote access) and SSL VPN connectivity working properly before and after upgrading to 3.0, but I haven't had the GUI hanging problem using Firefox 8.0.1 on Windows7 x64 (I did not reset the USG to default settings before/after upgrade either).

I can't get L2TP working either using the example in section 4.6.1 of the User's Guide as well as this iOS doc. The Windows L2TP client gives me error 788: "The L2TP connection attempt failed because the security layer could not negotiate compatible parameters with the remote computer."

I'll be happy to post screenshots/logs so we can compare notes if that'll be of use, but I don't want to hijack your thread.


claykin

join:2003-08-22
Fort Lauderdale, FL

Feel free to post your L2TP data/screenshots. If I could get this working, I'll be much happier.

said by polarisdb:

I also have a USG 50 with IPSEC (remote access) and SSL VPN connectivity working properly before and after upgrading to 3.0, but I haven't had the GUI hanging problem using Firefox 8.0.1 on Windows7 x64 (I did not reset the USG to default settings before/after upgrade either).

I can't get L2TP working either using the example in section 4.6.1 of the User's Guide as well as this iOS doc. The Windows L2TP client gives me error 788: "The L2TP connection attempt failed because the security layer could not negotiate compatible parameters with the remote computer."

I'll be happy to post screenshots/logs so we can compare notes if that'll be of use, but I don't want to hijack your thread.


polarisdb

join:2004-07-12
USA

Here's the logging from a failed L2TP connection from a Windows client. Line #1 is particularly interesting because it references IPSEC_VPN_WAN1, which is the name of my working plain vanilla IPSEC VPN configuration and not my L2TP connection Default_L2TP_VPN*:

1  2012-03-03 17:17:59  [USG50 WAN IP]:4500 -> [PC WAN IP]:4500  info ike IKE_LOG  ISAKMP SA [IPSEC_VPN_WAN1] is disconnected
2  2012-03-03 17:17:59  [USG50 WAN IP]:4500 -> [PC WAN IP]:4500  info ike IKE_LOG  The cookie pair is : 0x6947500c4c2716d8 / 0x97d9e41362c6f76b
3  2012-03-03 17:17:59  [PC WAN IP]:4500 -> [USG50 WAN IP]:4500  info ike IKE_LOG  Received delete notification
4  2012-03-03 17:17:59  [PC WAN IP]:4500 -> [USG50 WAN IP]:4500  info ike IKE_LOG  Recv:[HASH][DEL]
5  2012-03-03 17:17:59  [PC WAN IP]:4500 -> [USG50 WAN IP]:4500  info ike IKE_LOG  The cookie pair is : 0x97d9e41362c6f76b / 0x6947500c4c2716d8 [count=2]
6  2012-03-03 17:17:37  [USG50 WAN IP]:500 -> [PC WAN IP]:4500  info ike IKE_LOG  [SA] : No proposal chosen
7  2012-03-03 17:17:37  [USG50 WAN IP]:500 -> [PC WAN IP]:4500  info ike IKE_LOG  [SA] : Tunnel [Default_L2TP_VPN_Connection] compatible IKE rule mismatch
8  2012-03-03 17:17:37  [PC WAN IP]:4500 -> [USG50 WAN IP]:4500  info ike IKE_LOG  Recv:[HASH][SA][NONCE][ID][ID][PRV]
9  2012-03-03 17:17:37  [PC WAN IP]:4500 -> [USG50 WAN IP]:4500  info ike IKE_LOG  The cookie pair is : 0x97d9e41362c6f76b / 0x6947500c4c2716d8
10 2012-03-03 17:17:37  [USG50 WAN IP]:500 -> [PC WAN IP]:4500  info ike IKE_LOG  Send:[HASH][ATTR]
11 2012-03-03 17:17:37  [USG50 WAN IP]:500 -> [PC WAN IP]:4500  info ike IKE_LOG  Phase 1 IKE SA process done
12 2012-03-03 17:17:37  [USG50 WAN IP]:500 -> [PC WAN IP]:4500  info ike IKE_LOG  The cookie pair is : 0x6947500c4c2716d8 / 0x97d9e41362c6f76b [count=4]
13 2012-03-03 17:17:37  [USG50 WAN IP]:4500 -> [PC WAN IP]:4500  info ike IKE_LOG  Send:[ID][HASH]
14 2012-03-03 17:17:37  [USG50 WAN IP]:4500 -> [PC WAN IP]:4500  info ike IKE_LOG  The cookie pair is : 0x6947500c4c2716d8 / 0x97d9e41362c6f76b
15 2012-03-03 17:17:37  [PC WAN IP]:500 -> [USG50 WAN IP]:500  info ike IKE_LOG  Recv:[ID][HASH]
16 2012-03-03 17:17:37  [USG50 WAN IP]:500 -> [PC WAN IP]:500  info ike IKE_LOG  Send:[KE][NONCE][PRV][PRV]
17 2012-03-03 17:17:37  [PC WAN IP]:500 -> [USG50 WAN IP]:500  info ike IKE_LOG  Recv:[KE][NONCE][PRV][PRV]
18 2012-03-03 17:17:36  [USG50 WAN IP]:500 -> [PC WAN IP]:500  info ike IKE_LOG  Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID]
19 2012-03-03 17:17:36  [USG50 WAN IP]:500 -> [PC WAN IP]:500  info ike IKE_LOG  The cookie pair is : 0x6947500c4c2716d8 / 0x97d9e41362c6f76b [count=2]
20 2012-03-03 17:17:36  [PC WAN IP]:500 -> [USG50 WAN IP]:500  info ike IKE_LOG  Recv:[SA][VID][VID][VID][VID]
21 2012-03-03 17:17:36  [PC WAN IP]:500 -> [USG50 WAN IP]:500  info ike IKE_LOG  The cookie pair is : 0x97d9e41362c6f76b / 0x6947500c4c2716d8 [count=3]
22 2012-03-03 17:17:36  [PC WAN IP]:500 -> [USG50 WAN IP]:500  info ike IKE_LOG  Recv Main Mode request from [[PC WAN IP]]
23 2012-03-03 17:17:36  [PC WAN IP]:500 -> [USG50 WAN IP]:500  info ike IKE_LOG  The cookie pair is : 0x6947500c4c2716d8 / 0x0000000000000000


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

reply to claykin
In another thread meow meow noted that you should delete the L2TP password and re-enter it. (not the shared secret one, the other one?)


polarisdb

join:2004-07-12
USA

reply to polarisdb

VPN Gateway configuration: [screenshots: VPN Gateway 1 of 2, VPN Gateway 2 of 2]

polarisdb

join:2004-07-12
USA

VPN Connection: [screenshots: VPN Connection 1 of 2, VPN Connection 2 of 2]

polarisdb

join:2004-07-12
USA

L2TP VPN Configuration: [screenshot: L2TP VPN Configuration]

polarisdb

join:2004-07-12
USA

reply to Anav

said by Anav:

In another thread meow meow noted that you should delete the L2TP password and re-enter it. (not the shared secret one, the other one?)

I did try resetting the password on the USG for the VPN user from Configuration->Object->User/Group->User, is that what you mean? The same user does work fine with a plain IPSEC connection.

It looks like meowBB has a USG that supported L2TP before 3.0 (link), so we may be looking at a different animal here since the USG 50 and 20's did not.

claykin

join:2003-08-22
Fort Lauderdale, FL

I also tried to reset the user password. No luck. This same user account works fine with my IPSec connection.


polarisdb

join:2004-07-12
USA

reply to claykin
Looks like the 3.0 Support Notes are out: link.

Scenario 4 details setting up an L2TP connection, but it looks like the text and GUI screen captures are pretty inconsistent (like the text correctly specifying a Phase 2 Encapsulation Mode of "Transport" and the GUI incorrectly showing "Tunnel").


claykin

join:2003-08-22
Fort Lauderdale, FL

I have a few USG100 and 200's I manage and so far I've stuck with IPSec since I already own GreenbowVPN (users use SSLVPN). I'll try to set up an L2TP connection and see how that goes. They are all still running V2.20 and I don't plan to upgrade them to V3.x until I see some proven stability.

I was hoping V3.x EPS would support x64 OS, but looks like that's a buzzkill. At least for now. Thx Zyxel! IPV6 I don't need quite yet.



mozerd
Light Will Pierce The Darkness
Premium,MVM
join:2004-04-23
Nepean, ON

said by claykin:

I was hoping V3.x EPS would support x64 OS, but looks like that's a buzzkill. At least for now. Thx Zyxel!

Yep that is a real disappointment .. Me thinks that ZyXEL needs to hire American Engineers .... It's ridiculous that in today's world x64 OS EPS is not supported.

claykin

join:2003-08-22
Fort Lauderdale, FL

2 edits

And that's coming from a Canadian. I'm sure there are plenty of talented software engineers in Taiwan. I think it's more about budget and development management.

Aren't some of you on the Zyxel beta channel? I say let's start being a squeaky wheel.

said by mozerd:

said by claykin:

I was hoping V3.x EPS would support x64 OS, but looks like that's a buzzkill. At least for now. Thx Zyxel!

Yep that is a real disappointment .. Me thinks that ZyXEL needs to hire American Engineers .... It's ridiculous that in today's world x64 OS EPS is not supported.



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:6
Reviews:
·Bell Fibe

2 edits

reply to claykin
So far I'm having the same issues as above. Can't get L2TP to work with either Android or Win7.
In the logs I can see that the underlying IPSEC transport connects, but L2TP does not.


EDIT: OK, I've figured it out and L2TP is connected. ...update below.


claykin

join:2003-08-22
Fort Lauderdale, FL

said by Brano:

So far I'm having the same issues as above. Can't get L2TP to work with either Android or Win7.
In the logs I can see that the underlying IPSEC transport connects, but L2TP does not.

OK, when Brano cannot get this to work I know Zyxel screwed it up. Sigh!

So how long will it now take them to fix it?


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:6
Reviews:
·Bell Fibe

3 edits

reply to Brano
I've successfully connected my android phone via IPSec/L2TP.
Here was the issue:
Initially I had a Service object called VPN_IPSEC_L2TP with these member services: ESP, IKE, NATT, L2TP. Then I had one firewall rule to allow WAN-to-ZYWALL for VPN_IPSEC_L2TP.
I did not have full firewall logging enabled and thus was missing this. Once I enabled full firewall logging I could see:

usg200 src="65.92.13.135:500" dst="74.198.9.16:57779" msg="Dynamic Tunnel [Brano_android:android_phone:0x0e24f645] built successfully" note="IKE_LOG" user="unknown" devID="0019cb7273a4" cat="IKE"
usg200 src="74.198.9.16:65316" dst="65.92.13.135:1701" msg="priority:12, from ANY to ZyWALL, UDP, service others, DROP" note="ACCESS BLOCK" user="unknown" devID="0019cb7273a4" cat="Firewall" class="Access Control" ob="0" ob_mac="000000000000" dir="ANY:ZyWALL" protoID=17 proto="others"
 
As you can see, the 1st line above shows the IPSEC tunnel is UP, however the L2TP attempt on UDP 1701 is blocked.

Then I removed the L2TP service from my VPN_IPSEC_L2TP service object and created a separate firewall rule for L2TP only as the next rule. And voila:
usg200 src="65.92.13.135:500" dst="74.198.9.16:51139" msg="Dynamic Tunnel [Brano_android:android_phone:0x09351ffb] built successfully" note="IKE_LOG" user="unknown" devID="0019cb7273a4" cat="IKE"
usg200 src="74.198.9.16:46307" dst="65.92.13.135:1701" msg="priority:11, from ANY to ZyWALL, UDP, service L2TP, ACCEPT" note="ACCESS FORWARD" user="unknown" devID="0019cb7273a4" cat="Firewall" class="Access Control" ob="0" ob_mac="000000000000" dir="ANY:ZyWALL" protoID=17 proto="L2TP"
usg200 src="65.92.13.135:1701" dst="74.198.9.16:46307" msg="User user has been granted an L2TP over IPSec session." note="L2TP_LOG" user="unknown" devID="0019cb7273a4" cat="L2TP"
usg200 src="74.198.9.16:53702" dst="65.92.13.135:1701" msg="priority:11, from ANY to ZyWALL, UDP, service L2TP, ACCEPT" note="ACCESS FORWARD" user="unknown" devID="0019cb7273a4" cat="Firewall" class="Access Control" ob="0" ob_mac="000000000000" dir="ANY:ZyWALL" protoID=17 proto="L2TP"
usg200 src="74.198.9.16:56850" dst="65.92.13.135:4500" msg="priority:10, from WAN to ZyWALL, UDP, service VPN_IPSEC_L2TP, ACCEPT" note="ACCESS FORWARD" user="unknown" devID="0019cb7273a4" cat="Firewall" class="Access Control" ob="0" ob_mac="000000000000" dir="WAN:ZyWALL" protoID=17 proto="VPN_IPSEC_L2TP"
 
and my Android phone VPN shows connected.

Whether this is a firewall bug or me missing something in the FW rule evaluation logic, I don't know. Will dig into it later (much later I guess).

On second thought, I don't believe this is a FW bug; this actually makes perfect sense.
First the IPSEC connection hits the first firewall rule for IKE/IPSEC/NATT. The rule is evaluated and executed and the IPSEC VPN is established. Only then does L2TP "exit" the IPSEC tunnel, get decrypted, and the next firewall rule kicks in that needs to allow it.

Here are working FW rules. Note, my android_IPSEC is member of zone TUNNEL.

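The pattern Brano diagnosed above (IKE tunnel reported built, then the decrypted UDP/1701 packet dropped by a later ANY-to-ZyWALL rule) can be checked mechanically from the same key="value" log format. This is an added example, not code from the thread or from ZyXEL; the sample lines are constructed with RFC 5737 addresses and a placeholder devID, and the field names are taken from the excerpts posted above.

```python
import re

# Constructed sample in the same key="value" layout as the usg200 excerpts above
# (documentation addresses and a placeholder devID, not the poster's real values).
SAMPLE_LOG = [
    'usg200 src="203.0.113.10:500" dst="198.51.100.7:57779" msg="Dynamic Tunnel [EXAMPLE_GW:EXAMPLE_CONN:0x0e24f645] built successfully" note="IKE_LOG" user="unknown" devID="PLACEHOLDER" cat="IKE"',
    'usg200 src="198.51.100.7:65316" dst="203.0.113.10:1701" msg="priority:12, from ANY to ZyWALL, UDP, service others, DROP" note="ACCESS BLOCK" user="unknown" devID="PLACEHOLDER" cat="Firewall" class="Access Control" ob="0" ob_mac="000000000000" dir="ANY:ZyWALL" protoID=17 proto="others"',
    'usg200 src="198.51.100.7:46307" dst="203.0.113.10:1701" msg="priority:11, from ANY to ZyWALL, UDP, service L2TP, ACCEPT" note="ACCESS FORWARD" user="unknown" devID="PLACEHOLDER" cat="Firewall" class="Access Control" ob="0" ob_mac="000000000000" dir="ANY:ZyWALL" protoID=17 proto="L2TP"',
]

# key="quoted value" or key=bareword (protoID=17 is the only unquoted field in the excerpts)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one ZyWALL log line into a dict of its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def split_endpoint(endpoint):
    """'host:port' -> (host, int port); rpartition keeps any colons in the host."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def find_l2tp_blocked_after_ipsec(lines):
    """Report UDP/1701 drops from a peer whose IPsec tunnel was already built.

    That is exactly the misconfiguration described in the thread: the IKE/ESP/NAT-T
    rule matched, but the decrypted L2TP packet is evaluated again and needs its own
    ANY- or TUNNEL-to-ZyWALL accept rule.
    """
    tunnel_up = set()   # peer hosts for which the gateway logged a built tunnel
    findings = []
    for line in lines:
        f = parse_line(line)
        if f.get("note") == "IKE_LOG" and "built successfully" in f.get("msg", ""):
            # the gateway is src in this message, so the peer is the dst host
            tunnel_up.add(split_endpoint(f["dst"])[0])
            continue
        src_host, _ = split_endpoint(f.get("src", ":0"))
        _, dst_port = split_endpoint(f.get("dst", ":0"))
        if (f.get("note") == "ACCESS BLOCK" and f.get("protoID") == "17"
                and dst_port == 1701 and src_host in tunnel_up):
            prio = re.search(r"priority:(\d+)", f.get("msg", ""))
            findings.append({"peer": src_host,
                             "priority": int(prio.group(1)) if prio else None,
                             "msg": f["msg"]})
    return findings
```

Running it over a full-logging export points straight at the rule priority that needs an L2TP accept rule ahead of it, without reading the log by hand.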


meowBB

join:2002-01-21
Hayward, CA

said by Brano:

Then I removed the L2TP service from my VPN_IPSEC_L2TP service object and created a separate firewall rule for L2TP only as the next rule. And voila:

What you did is right. I think the UDP 1701 is coming from the tunnel instead of the WAN once the IPSEC is connected, right? UDP 1701 is rejected in your firewall rule 13 (any to zywall - deny).


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:6

reply to claykin
Indeed.

L2TP from Android established and tested. It works peachy


over 13.5 years online © 1999-2013 dslreports.com.