
Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
Reviews:
·TekSavvy DSL
·Bell Fibe

4 edits

5 recommendations

L2TP VPN on USG - quick how-to

Here are a few screenshots from a working L2TP VPN between USG 3.0 and Android 2.3.7.

1) Create some required objects


L2TP Port UDP 1701


IPSEC VPN ports in one group


Your public IP



2) Create IPSEC VPN configuration

VPN Gateway


VPN Connection

3) Assign the VPN to the appropriate zone; in this example, TUNNEL (you can also do this in step 2)
Comment: TUNNEL is just a zone name; you can use any zone name or create a new one.

Zone

4) Create L2TP configuration


5) Create required routing rules


6) Create required firewall rules
To access your LAN
(If you want to allow your L2TP clients to access both the LAN and the internet, change LAN1 below to ANY)


(Optional) To access your ZyWALL


To allow tunnel to build

Firewall


That's about it. Make sure you have a user and password set up that you can test with.
If you get negotiation issues, read the manual of your connecting device to see which encryption and hash algorithms it supports, and adjust IPSEC Phase 1 and Phase 2 accordingly.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

1 edit

Brano, could you expand on two things?

a. the route rule, what does it do...

b. expand on your use of tunnel in the firewall rule. I only noticed a tunnel in my interface when updating to 3.0. I assumed this was only for ipv6?
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment


polarisdb

join:2004-07-12
USA
reply to Brano

I was also wondering why creating an address object for the WAN interface is required? The ZyXEL documentation did the same thing with a static IP and I wasn't sure why...



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
Reviews:
·TekSavvy DSL
·Bell Fibe
reply to Anav

said by Anav:

a. the route rule, what does it do...

Ensuring that return traffic from the local LAN is routed back to your L2TP VPN and not elsewhere (i.e. by default to the internet).

said by Anav:

b. expand on our use of tunnel in the firewall rule. I only noticed a tunnel in my interface when updating to 3.0. I assumed this was only for ipv6?

TUNNEL is just a zone name. You can use any zone name that fits your needs or create a new one, e.g. L2TP_ZONE. I chose TUNNEL because it was there and empty. You can use your IPSEC_VPN zone instead too.
Alternatively you can choose ANY as the source in this FW rule. But I like to keep things restricted wherever possible.

said by polarisdb:

I was also wondering why creating an address object for the WAN interface is required? The ZyXEL documentation did the same thing with a static IP and I wasn't sure why...

If you have a static WAN IP then you're fine with the static IP. However, I have a dynamic WAN IP, and creating an object of Interface type ensures the object's value (IP) changes as my WAN IP changes.

polarisdb

join:2004-07-12
USA

said by Brano:

said by polarisdb:

I was also wondering why creating an address object for the WAN interface is required? The ZyXEL documentation did the same thing with a static IP and I wasn't sure why...

If you have a static WAN IP then you're fine with the static IP. However, I have a dynamic WAN IP, and creating an object of Interface type ensures the object's value (IP) changes as my WAN IP changes.

Bear with me, but I am still confused. I have a dynamic IP, but what I don't understand is why creating an address object pointing to the interface instead of using the interface itself (WAN1_IP in my case) is done?


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

said by polarisdb:

said by Brano:

said by polarisdb:

I was also wondering why creating an address object for the WAN interface is required? The ZyXEL documentation did the same thing with a static IP and I wasn't sure why...

If you have a static WAN IP then you're fine with the static IP. However, I have a dynamic WAN IP, and creating an object of Interface type ensures the object's value (IP) changes as my WAN IP changes.

Bear with me, but I am still confused. I have a dynamic IP, but what I don't understand is why creating an address object pointing to the interface instead of using the interface itself (WAN1_IP in my case) is done?

I have a theory. It's a very good theory. Well, 'tis a theory by Anne Elk (that's two n's and an e, if you're visually impaired and hearing this text!!)

Brano's real name is Bran Ojectoriented. And there you have it.
A theory by Anne Elk

polarisdb

join:2004-07-12
USA
reply to Brano

Right or wrong, in my mind this seems like creating a symbolic link to a file and referencing the link instead of the file itself, which doesn't seem to accomplish much other than adding an additional layer of complexity. I'm just trying to understand the reason behind it.



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
Reviews:
·TekSavvy DSL
·Bell Fibe

The drop-down Local policy in VPN settings does not allow you to select WAN interfaces, only address objects.

To your other remark, feel free to do what you want and modify as you want


logman

join:2012-02-22
reply to Brano

Okay, I can now ping the LAN PC / router BUT can't access them, and my gateway, which should be 192.168.0.1, is not in the VPN connection.

Can someone help?


polarisdb

join:2004-07-12
USA
reply to Brano

said by Brano:

The drop-down Local policy in VPN settings does not allow you to select WAN interfaces, only address objects.

To your other remark, feel free to do what you want and modify as you want

Thanks. I checked my notes and I had apparently created the WAN1_IP address object a while back myself and didn't realize it was an address object. *sigh*


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4
reply to Brano

Hey polaris, how did you get both feet to fit in there??



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
Reviews:
·TekSavvy DSL
·Bell Fibe

1 edit
reply to logman

said by logman:

Okay, I can now ping the LAN PC / router BUT can't access them, and my gateway, which should be 192.168.0.1, is not in the VPN connection.

Can someone help?

You need to add another firewall rule to allow it (see pic)



EDIT: I've added this to the how-to

logman

join:2012-02-22

Cool, I got it working now.

I also added a routing rule.

Thanks for helping!!



bad

@verizon.net
reply to Brano

Great how-to! Thanks. I'm still having a problem from both Android and iOS devices. The logs indicate that the dynamic tunnel was built successfully, but I get:

User xxxx has been denied from L2TP service. (Inforrect Username or Password)

I'm using a local user that I've been successfully using for ipsec authentication. I've deleted the user, recreated the user, changed the password... everything I can think of. Any ideas?

Thanks!



Gork
Ou812ic

join:2001-10-06
Bountiful, UT
reply to Brano

If I were smarter I could figure out the answer to this question by just reading through the initial post the 10 times that I have so far. But since I'm not...

Does this allow access to the USG's WAN Internet connection from the Android through the tunnel? Or just to LAN network resources?


polarisdb

join:2004-07-12
USA
reply to Anav

said by Anav:

Hey polaris, how did you get both feet to fit in there??

Not one of my better moments. The worst part is that I still can't get this thing to work.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
Reviews:
·TekSavvy DSL
·Bell Fibe

1 edit

1 recommendation

reply to Gork

said by Gork:

Does this allow access to the USG's WAN Internet connection from the Android through the tunnel? Or just to LAN network resources?

The above example allows access to LAN only. However, this will effectively kill your internet access on the Android phone since (I've just realized) split tunneling is disabled on the Android VPN client, thus all traffic is pushed through the VPN once the tunnel is up, including traffic destined for the internet. There seems to be no option to enable split tunneling on the native Android VPN client.

To allow internet access through the VPN you have to
a) modify the example route #7 with Source: any
b) modify the example firewall rule #7 with To: any

This will allow access to LAN and internet.

EDIT: I've modified the screenshots to fix the route rule and added a description for the firewall rule.
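To make the zone rules from step 6 of the how-to and the "To: any" change above concrete, here is an added Python model of that policy (not ZyWALL code and not from the original post); the LAN1 subnet, the L2TP client pool and the zone names in the route are assumptions, and the return-path route is modelled as Brano describes it, without the internet variant.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the how-to's objects and rules; subnets are assumptions.
LAN1_NET  = ip_network("192.168.1.0/24")    # assumed LAN1 subnet
L2TP_POOL = ip_network("192.168.50.0/24")   # assumed L2TP client address pool

# Step 1: "IPSEC VPN ports in one group": IKE, NAT-T, L2TP, plus ESP (IP proto 50).
IPSEC_VPN = {("udp", 500), ("udp", 4500), ("udp", 1701), ("esp", None)}

# Step 6 rules as (from_zone, to_zone, allowed services; None = any service).
RULES = [
    ("WAN",    "ZyWALL", IPSEC_VPN),   # "To allow tunnel to build"
    ("TUNNEL", "LAN1",   None),        # "To access your LAN"
    ("TUNNEL", "ZyWALL", None),        # "(Optional) To access your ZyWALL"
]

def firewall_allows(rules, from_zone, to_zone, proto, port=None):
    """First rule whose zone pair matches decides; no match is the implicit deny."""
    for src, dst, services in rules:
        if src == from_zone and dst in ("any", to_zone):
            return services is None or (proto, port) in services
    return False

def with_internet(rules):
    """Brano's later change: 'To: any' on the TUNNEL -> LAN1 rule."""
    return [("TUNNEL", "any", svc) if (s, d) == ("TUNNEL", "LAN1") else (s, d, svc)
            for s, d, svc in rules]

# Step 5: a policy route checked before the default route, so replies from LAN1 to
# an L2TP client go back into the tunnel instead of out the WAN.
ROUTES = [(LAN1_NET, L2TP_POOL, "L2TP_tunnel")]

def next_hop(routes, src_ip, dst_ip):
    for src_net, dst_net, hop in routes:
        if ip_address(src_ip) in src_net and ip_address(dst_ip) in dst_net:
            return hop
    return "WAN_default"   # without the route the reply leaves via the ISP and is lost

if __name__ == "__main__":
    print(firewall_allows(RULES, "WAN", "ZyWALL", "udp", 500))      # IKE reaches the USG
    print(firewall_allows(RULES, "WAN", "LAN1", "tcp", 445))         # WAN cannot hit LAN
    print(firewall_allows(RULES, "TUNNEL", "WAN", "tcp", 443))       # no internet yet
    print(firewall_allows(with_internet(RULES), "TUNNEL", "WAN", "tcp", 443))
    print(next_hop(ROUTES, "192.168.1.10", "192.168.50.2"))
    print(next_hop([], "192.168.1.10", "192.168.50.2"))
```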


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

So you're saying that if you use VPN on the Android, the only traffic will be through the tunnel (no direct Android to internet) but you can still access the internet through the USG connection, out the USG WAN port to the internet.



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
Reviews:
·TekSavvy DSL
·Bell Fibe

1 edit

Yes

On Android split tunneling seems to be disabled by default with no option to enable it.

iOS, Windows or OS X may behave differently by default; I have not tested those, nor have any plans to in the near future.



Gork
Ou812ic

join:2001-10-06
Bountiful, UT

1 edit
reply to Brano

Thanks Brano. I'm currently using OpenVPN on a computer behind my router. Before I replaced my 2WG with the 20W I couldn't figure out how to set up a VPN between a Shrew client and the 2WG, let alone a tunnel that would give me remote access to the Internet. I haven't tried anything with the 20W - I'm scared to upset the balance since I at least have a tunnel working with OpenVPN. Your guidance in this thread makes me want to try it with the 20W though, especially now that I can use the VPN client that comes with Windoze. I'd love to uninstall OpenVPN - that "server" computer has too many things running on it.

Saved a link to this thread, saved the page in an mht file - I WILL get up the courage to try this out! So happy you shared...

I'm sad to hear about the lack of split tunneling on the Android though.



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
Reviews:
·TekSavvy DSL
·Bell Fibe

said by Gork:

Thanks Brano
I'm sad to hear about the lack of split tunneling on the Android though.

I don't really mind this default setting. It would have been worse if split tunneling was enabled by default without the option to turn it off.
This way I can "safely" browse the internet from my phone using my home connection without my ISP being able to watch.

Of course having the option to enable / disable would be nice.
I have to check if there are any 3rd party VPN clients for Android.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

I thought android was a third party



Gork
Ou812ic

join:2001-10-06
Bountiful, UT
reply to Brano

Yeah, if split tunneling were enabled by default that would be worse.

.mht file updated.


logman

join:2012-02-22
reply to Brano

Umm, what kind of rule do I need to set so I can ping/access VPN clients from the LAN?

VPN clients can ping LAN PCs and access LAN PCs, but not the other way around..



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

Should be just a matter of enabling ping response on your VPN client PC. Enable respond-to-ping and open the appropriate firewall rule if applicable (i.e. on Windows ping is typically blocked).


logman

join:2012-02-22

1 edit

Hmm, now it works; somehow the firewall does not like VPN...

Weird, my Android device I can ping on the LAN but not in the VPN.


logman

join:2012-02-22
reply to Brano

I have looked at my logs; should I be worrying, or is this normal?


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

No idea what these are.
Are you using XAUTH?


logman

join:2012-02-22

2 edits
reply to Brano

Those are not my connections; I use a Pre-shared Key on IPsec.

If someone is trying to get in, is the VPN easy to hack into when using L2TP/IPsec?

Is there a way to tell if security has been compromised?



dslp_travel

@bystronic.com

Are the source IPs known? If so, not a problem; if not, then it could be a road-warrior client that is not configured correctly, or it's somebody trying to brute-force your VPN. Then it's down to how secure your password is and whether they are able to guess the encryption scheme etc.

Also, is your device the src IP or the dst IP in this log?

The msg shown (I have not used a VPN device for ages) seems to me to indicate that the remote end is using the wrong settings in the identification of the endpoints.
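The triage dslp_travel describes (is the peer known, is our device src or dst, is it retrying) can be scripted over the firewall's IKE failure log; the following is an added Python example, not from the thread, and the log lines are constructed in a generic syslog-like layout rather than the USG's real format, with the WAN IP, the known-client list and the retry threshold all assumed.

```python
import re
from collections import Counter

# Constructed sample of failed IKE phase 1 negotiations (NOT the USG's real log format).
# 198.51.100.2 plays the role of our own WAN IP; other addresses are documentation ranges.
SAMPLE_LOG = """\
2012-03-01T10:00:01 ike: phase 1 from 203.0.113.7 to 198.51.100.2 failed: no proposal chosen
2012-03-01T10:00:03 ike: phase 1 from 203.0.113.7 to 198.51.100.2 failed: no proposal chosen
2012-03-01T10:00:05 ike: phase 1 from 203.0.113.7 to 198.51.100.2 failed: invalid ID information
2012-03-01T10:00:07 ike: phase 1 from 203.0.113.7 to 198.51.100.2 failed: no proposal chosen
2012-03-01T10:01:00 ike: phase 1 from 192.0.2.25 to 198.51.100.2 failed: invalid ID information
2012-03-01T10:02:00 ike: phase 1 from 198.51.100.2 to 192.0.2.40 failed: no proposal chosen
"""
LINE_RE = re.compile(r"ike: phase 1 from (\S+) to (\S+) failed: (.+)$")

def triage(log, my_wan_ip, known_clients, threshold=3):
    """Classify each peer seen in failed IKE negotiations: direction first
    (who is src/dst), then whether the peer is known, then how often it retries."""
    inbound = Counter()
    verdicts = {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, _reason = m.groups()
        if src == my_wan_ip:
            # our device initiated: our own settings toward that peer are wrong
            verdicts[dst] = "outbound: check our own IKE settings for this peer"
        else:
            inbound[src] += 1
    for src, attempts in inbound.items():
        if src in known_clients:
            verdicts[src] = "known client: check its IKE proposal / ID settings"
        elif attempts >= threshold:
            verdicts[src] = "unknown, repeated: possible brute force, block and alert"
        else:
            verdicts[src] = "unknown, single attempt: scanner or mistyped peer"
    return verdicts

if __name__ == "__main__":
    for peer, verdict in triage(SAMPLE_LOG, "198.51.100.2", {"192.0.2.25"}).items():
        print(peer, "->", verdict)
```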