Brano (I hate Vogons) MVM join:2002-06-25 Burlington, ON
to Gork
Re: L2TP VPN on USG - quick how-to
said by Gork:
Thanks Brano, I'm sad to hear about the lack of split tunneling on the Android though.
I don't really mind this default setting. It would have been worse if split tunneling was enabled by default without an option to turn it off. This way I can "safely" browse the internet from my phone using my home connection without my ISP being able to watch. Of course, having the option to enable / disable would be nice. I have to check if there are any 3rd party VPN clients for Android.
Anav (Sarcastic Llama? Naw, Just Acerbic) Premium Member join:2001-07-16 Dartmouth, NS
Anav
Premium Member
2012-Mar-12 2:09 pm
I thought Android was a third party
Gork (Ou812ic) join:2001-10-06 Bountiful, UT
to Brano
Yeah, if split tunneling were enabled by default that would be worse. .mht file updated.
to Brano
Umm, what kind of rule do I need to set so I can ping/access VPN clients on the LAN?
VPN clients can ping LAN PCs and access LAN PCs, but not the other way around..
Brano
MVM
2012-Mar-15 12:42 pm
It should be just a matter of enabling ping response on your VPN client PC. Enable "respond to ping" and open the appropriate firewall rule if applicable (i.e. on Windows, ping is typically blocked).
logman
Member
2012-Mar-15 1:43 pm
Hmm, now it works; somehow the firewall does not like the VPN...
Weird: my Android device I can ping on the LAN, but not over the VPN.
logman
to Brano
I have looked at my logs; should I be worried, or is this normal?
Brano
MVM
2012-Mar-21 9:00 am
No idea what these are. Are you using XAUTH?
to Brano
Those are not my connections; I use a pre-shared key on IPsec.
If someone is trying to get in, is the VPN easy to hack into when using L2TP/IPsec?
Is there a way to tell if security has been compromised?
dslp_travel
Anon
2012-Mar-22 6:32 am
Are the source IPs known? If so, not a problem; if not, then it could be a roadwarrior client that is not configured correctly, or it's somebody trying to brute-force your VPN. Then it's down to how secure your password is and whether they are able to guess the encryption scheme etc.
Also, is your device the src IP or the dst IP in this log?
The msg shown (I have not used a VPN device for ages) seems to me to indicate that the remote end is using the wrong settings in the identification of the endpoints.
logman
Member
2012-Mar-22 10:03 am
Source IP is my WAN1 IP, and destination is whoever is trying to connect from that IP..
I have a domain name whose IP points to WAN1, so I think they are trying to connect to it, or it's just random..
What I did look at: those IPs that are trying to connect are not from this country.. ;P
How long should I use the same password before I change the user/VPN pre-shared key?
And how long should the pre-shared key and users' passwords be?
- ATM using a minimum 8-character password; is that enough?
Anav
Premium Member
2012-Mar-22 11:31 am
8, no. 64 is best. I would not do anything less than around 20, with randomly generated upper and lower case, numbers and letters.
RogierV to Brano
Anon
2012-Mar-25 8:32 am
to Brano
Firewall Rules | Logfile entries
Hi Brano! Thanks for the excellent how-to. I've found quite a few on the net, including ones from Studerus, Zyxel Sweden and others, but this is the only one that included firewall rules. Unfortunately, I can't get it to work. I must say I am trying with Apple devices instead of Android, but I do not believe the problem is there. The connection over VPN seems to work immediately, and the ZyWALL USG 50 I have also reports that I have successfully logged in. But that is it. It seems no traffic is routed from the iPhone/iPads to the LAN and back. Trying to access devices in my LAN via their internal web server doesn't work over VPN, and neither does accessing my file server using SMB or RDP. My feeling is that something is wrong in the firewall config, but I have no idea what. I've posted firewall rules & logfile entries below. Willing to post other info as well if that helps, but I don't want to pollute with a really big post now.
Anav
Premium Member
2012-Mar-25 9:03 am
Rogier to Brano
Anon
2012-Mar-25 10:00 am
to Brano
No, it doesn't. It's largely similar to what Brano posted but does not contain firewall rules. And it speaks of a policy rule to allow Internet access over the VPN tunnel using the ZyWALL's WAN connection. From what I understand from the how-to, it should work without. Whichever way that is, it should affect whether or not I am able to access the Internet. And I can't access a thing.
to Brano
Hi,
is there a way to limit which country or IP pool can access the VPN?
I do get those random VPN connections..
Brano
MVM
2012-Mar-26 9:31 pm
You could create firewall rules, but that's more pain than it's worth.
Just create a strong pre-shared key and ignore the port scans.
logman
Member
2012-Mar-27 8:40 am
I hope that a 20-character pre-shared key is enough.
Anav
Premium Member
2012-Mar-27 8:44 am
20 is a decent minimum. Greater than 15 and random, with upper and lower case, numbers and symbols.
logman
Member
2012-Mar-27 8:47 am
Randomly generated upper and lower case, numbers and letters, + the user's password done the same way too ;o
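The pre-shared key advice in this exchange (Anav's "20 is a decent minimum", random, all four character classes) as a small checker and generator. This is an added example, not code from the thread or from Zyxel; the candidate strings are constructed, and the entropy figure is a rough log2(pool) * length estimate that only holds for keys that were actually drawn at random.

```python
"""PSK strength helper for an L2TP/IPsec pre-shared key.
Added example (not from the thread): scores a candidate against the
advice above (20+ chars, upper, lower, digits, symbols) and generates
one with a CSPRNG. The entropy estimate assumes a uniformly random key."""
import math
import secrets
import string

# The four character classes named in the advice. Symbols omit quotes,
# backslash and space, which tend to break copy-paste into router GUIs.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "symbols": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}


def classes_present(psk):
    """Names of the classes that actually occur in psk."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in psk)}


def entropy_bits(psk):
    """Estimate bits of entropy, assuming every char was drawn uniformly
    from the union of the classes present (0.0 for an empty key)."""
    pool = sum(len(CLASSES[name]) for name in classes_present(psk))
    return len(psk) * math.log2(pool) if pool else 0.0


def meets_advice(psk, min_length=20):
    """True if psk is at least min_length chars and uses all four classes."""
    return len(psk) >= min_length and classes_present(psk) == set(CLASSES)


def generate_psk(length=20):
    """Draw a key with the secrets module and redraw until all classes appear."""
    alphabet = "".join(CLASSES.values())
    while True:
        psk = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_advice(psk, min_length=length):
            return psk


if __name__ == "__main__":
    # Constructed candidates: an 8-char lowercase word versus a generated key.
    for candidate in ("password", "Tr0ub4dor&3", generate_psk(24)):
        print(f"{candidate!r}: {entropy_bits(candidate):.1f} bits, "
              f"ok={meets_advice(candidate)}")
```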
Rogier to Rogier
Anon
2012-Mar-31 10:18 am
to Rogier
As an update to the above: I just checked on my Apple devices, and find they connect to 10.64.64.64 as an IP address. Strange, as that is not my WAN IP. Any idea whether this is normal?
bigboy join:2000-12-04 Palo Alto, CA
to Brano
L2TP_POOL required?
Quick question - I am able to get things working with the example here (and in the Zyxel doc). The examples always use a separate subnet for L2TP connections, which I'm sure is best practice, but would L2TP work if I have the connections use, say, LAN1? The reason I'm asking is that the only way I can get things to work on my MacBook (Lion) is if I send all my traffic through the VPN tunnel. I suspect that I might have to manually add a route to push LAN1 packets through my L2TP_POOL address on my laptop, whereas if I was already on a LAN1 address, the subnetting would make it work automagically. I guess I could try it, but I'm afraid of breaking it after my glitch and lost configuration from a few weeks ago. Better to ask first than be sorry!
to Brano
Re: L2TP VPN on USG - quick how-to
Brano! Thank you very much for this great how-to. It's the best I found, now that I have been searching for a week to get my USG 20W ZDL 3.0 working with L2TP. Anyway, I am somehow too stupid to get it right. It would be great if you could give me one further hint.
1. I keyed in the whole configuration as you described, including your firewall rules and all objects.
2. A. With the built-in OS X 10.7.3 VPN client I get:
12.04.12 07:57:51.432 racoon: IKE Packet: receive success. (Information message).
12.04.12 07:57:54.435 racoon: IKE Packet: transmit success. (Phase1 Retransmit).
12.04.12 07:57:54.458 racoon: IKE Packet: receive success. (Information message).
12.04.12 07:57:57.461 racoon: IKE Packet: transmit success. (Phase1 Retransmit).
12.04.12 07:57:57.482 racoon: IKE Packet: receive success. (Information message).
12.04.12 07:58:09.493 racoon: IKE Packet: transmit success. (Phase1 Retransmit).
12.04.12 07:58:09.514 racoon: IKE Packet: receive success. (Information message).
12.04.12 07:58:12.000 kernel: Validation failed, dataSuffix:
12.04.12 07:58:12.000 kernel: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
12.04.12 07:58:12.000 kernel: vnode_validate_compressed_file_Type4 error: 22
12.04.12 07:58:12.000 kernel: Validation failed, dataSuffix:
12.04.12 07:58:12.000 kernel: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
12.04.12 07:58:12.000 kernel: vnode_validate_compressed_file_Type4 error: 22
12.04.12 07:58:18.215 pppd: IPSec connection failed
B. With the IPSecuritas client (www.lobotomo.com/product ··· curitas/) I get a similar error: Authentication failed
C. With the iPhone (iOS 5.1) it times out.
On the USG 20W it is always the same: IKE - Process is trying 3 times. It shows the cookie pairs =x012345678/x012345678. Then it says "Authentication failed", probably due to a mismatch in the shared secret.
What I did: I tried different pre-shared keys, with/without numbers and then HEX: 0x12345678 etc. No success, always the same errors. I checked the encryption, DH group and hash types; no success. I cannot believe I do not manage to get Phase 1 running :-( Should I reflash the firmware of the USG? Any hint is more than welcome. Thanx
Brano
MVM
2012-Apr-12 10:05 am
Unfortunately I don't have OS X or iOS to test this with, so hopefully someone else with OS X experience can pitch in. From what I'm seeing, you indeed seem to have a pre-shared key mismatch... check it again on both sides.
Thank you for the quick response. I'll cross my fingers, hope for the best and keep digging into that matter.
mbaran to Brano
Anon
2012-Apr-12 6:06 pm
to Brano
I've followed this guide to a T on a USG 20 with the new 3.0 firmware, which allows for L2TP.
I am getting the error message:
SPI: 0x0 SEQ 0x0 No rule found, Dropping packet [count=xx].
I can sign on fine, and I get an IP within the subnet I chose, but from there it does nothing. I cannot ping any of the servers, nor can I browse out to the internet.
Anav to Brano
Premium Member
2012-Apr-12 6:27 pm
to Brano
Brano, I have an iMac at home and would like to test to see if I can connect to you over SSL VPN. Are you up to the idea.........
mbaran to mbaran
Anon
2012-Apr-13 4:40 pm
to mbaran
I solved my own issue. The remote network and my local network were both on the 192.168.1.0/24 network. This was causing funny issues with routes.
I logged in from a MiFi, which was on the 192.168.0.0/24 network, and all was well.
Thanks for the tutorial!
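The collision mbaran hit (client LAN and remote LAN both 192.168.1.0/24) and bigboy's question about handing out LAN1 addresses instead of a separate L2TP_POOL are both a matter of overlapping subnets, so here is a check for them. Added example, not code from the thread or from Zyxel; the LAN1, L2TP_POOL and client CIDRs are constructed, and the pool value is an assumption rather than the how-to's.

```python
"""Subnet overlap check for an L2TP/IPsec roadwarrior setup.
Added example (not from the thread). If the client's own LAN overlaps the
LAN behind the USG, the client's directly connected route wins and traffic
for the remote LAN never enters the tunnel, which is the symptom above.
An L2TP pool carved out of LAN1 is flagged for the same reason."""
import ipaddress
from itertools import combinations


def find_overlaps(networks):
    """Return sorted (label_a, label_b) pairs whose CIDRs overlap.

    networks: mapping of label -> CIDR string. Host bits are tolerated
    (strict=False) so an interface address like 192.168.1.1/24 works.
    """
    parsed = {label: ipaddress.ip_network(cidr, strict=False)
              for label, cidr in networks.items()}
    return sorted(
        (a, b) for a, b in combinations(sorted(parsed), 2)
        if parsed[a].overlaps(parsed[b])
    )


def client_can_reach(client_lan, lan1, l2tp_pool):
    """True when client LAN, remote LAN1 and the L2TP pool are pairwise
    disjoint, which is what an unambiguous client routing table needs."""
    return not find_overlaps({"client": client_lan,
                              "LAN1": lan1,
                              "L2TP_POOL": l2tp_pool})


# Constructed values: LAN1 plus a separate pool, as the how-to's layout does.
LAN1 = "192.168.1.0/24"
L2TP_POOL = "192.168.10.0/24"   # assumed pool, not the thread's value

if __name__ == "__main__":
    # A hotel/home LAN that clashes with LAN1, then the MiFi that worked.
    for client in ("192.168.1.0/24", "192.168.0.0/24"):
        nets = {"client": client, "LAN1": LAN1, "L2TP_POOL": L2TP_POOL}
        print(client, "reachable:", client_can_reach(client, LAN1, L2TP_POOL),
              "overlaps:", find_overlaps(nets))
```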
Anav to Brano
Premium Member
2012-Apr-13 6:10 pm
to Brano
Regarding L2TP over IPsec for the Mac: one of the steps I have seen is to ensure it's at the top of the services running..... Network tab, sprocket symbol at the bottom to open it up (speaking about the Mac OS X part).