Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
reply to Gork

Re: L2TP VPN on USG - quick how-to

said by Gork:

Thanks Brano
I'm sad to hear about the lack of split tunneling on the Android though.

I don't really mind this default setting. It would have been worse if split tunneling was enabled by default without an option to turn it off.
This way I can "safely" browse the internet from my phone using my home connection without my ISP being able to watch.

Of course, having an option to enable / disable it would be nice.
I have to check if there are any 3rd party VPN clients for Android.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
I thought Android was a third party.


Gork
Ou812ic

join:2001-10-06
Bountiful, UT
reply to Brano
Yeah, if split tunneling were enabled by default that would be worse.

.mht file updated.

logman

join:2012-02-22
reply to Brano
Umm, what kind of rule do I need to set so I can ping/access VPN clients on the LAN?

VPN clients can ping LAN PCs and access LAN PCs, but not the other way around..


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
Should be just a matter of enabling ping response on your VPN client PC. Enable respond to ping and open the appropriate firewall rule if applicable (i.e. on Windows, ping is typically blocked).

logman

join:2012-02-22

Hmm, now it works; somehow the firewall does not like the VPN...

Weird, my Android device I can ping on the LAN but not on the VPN.

logman

join:2012-02-22
reply to Brano
I have looked at my logs; should I be worrying, or is this normal?


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
No idea what these are.
Are you using XAUTH?

logman

join:2012-02-22

reply to Brano
Those are not my connections; I use a pre-shared key on IPsec.

If someone is trying to get in, is the VPN easy to hack into when using L2TP/IPsec?

Is there a way to tell if security has been compromised?


dslp_travel

@bystronic.com
Are the source IPs known? If so, not a problem; if not, then it could be a road-warrior client that is not configured correctly, or it's somebody that tries to brute-force your VPN. Then it's down to how secure your password is and whether they are able to guess the encryption scheme etc.

Also, is your device the src IP or the dst IP in this log?

The msg shown (I have not used a VPN device for ages) seems to me to indicate that the remote end is using the wrong settings in the identification of the endpoints.

logman

join:2012-02-22
Source IP is my WAN1 IP, and destination is whoever is trying to connect from that IP..

I have a domain name whose IP points to WAN1, so I think they are trying to connect to it, or it's just random..

What I did see is that those IPs that are trying to connect are not from this country.. ;P

How long should I use the same password before I change the user/VPN pre-shared key?

And how long should the pre-shared key and users' passwords be?

- atm using a minimum 8 character password, is that enough?


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
8, no.
64, best.
Would not do anything less than around 20 with randomly generated upper/lower case, numbers and letters.


RogierV

@xs4all.nl
reply to Brano
[screenshot: Firewall Rules]
[screenshot: Logfile entries]
Hi Brano! Thanks for the excellent howto. I've found quite a few on the net, including ones from Studerus, Zyxel Sweden and others, but this is the only one that included firewall rules.

Unfortunately, I can't get it to work. Must say I am trying with Apple devices instead of Android, but I do not believe the problem is there. The connection over VPN seems to work immediately, and the Zywall USG 50 I have also reports that I have successfully logged in. But that is it. It seems no traffic is routed from the iPhone/iPads to the LAN and back. Trying to access devices in my LAN via their internal webserver doesn't work over VPN, and neither does accessing my fileserver using SMB or RDP.

My feeling is that something is wrong in the firewall config, but I have no idea what. I've posted firewall rules & logfile entries below. Willing to post other info as well if that helps, but don't want to pollute with a really big post now.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5


Rogier

@kpn.com
reply to Brano
No it doesn't. It's largely similar to what Brano posted but does not contain firewall rules. And it speaks of a policy rule to allow Internet access over the VPN tunnel using the Zywall's WAN connection. From what I understand from the howto, it should work without. Whichever way that is, it should only affect whether or not I am able to access the Internet. And I can't access a thing.

logman

join:2012-02-22
reply to Brano
Hi,

is there a way to limit which country or IP pool can access the VPN?

I do get those random VPN connections..


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
You could create firewall rules but that's more pain than useful.

Just create a strong pre-shared key and ignore the port scans.

logman

join:2012-02-22
I hope that a 20-character pre-shared key is enough.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
20 is a decent minimum. Greater than 15 and random with upper/lower case, numbers and symbols.

logman

join:2012-02-22

Randomly generated upper/lower case, numbers and letters, + user's password done the same way ;o


Rogier

@xs4all.nl
reply to Rogier
As an update to the above: I just checked on my Apple devices, and find they connect to 10.64.64.64 as an IP address. Strange, as that is not my WAN IP. Any idea as to whether this is normal?

bigboy

join:2000-12-04
Palo Alto, CA
reply to Brano

L2TP_POOL required?

Quick question - I am able to get things working with the example here (and in the Zyxel doc). The examples always use a separate subnet for L2TP connections, which I'm sure is best practices, but would L2TP work if I have the connections use, say, LAN1?

The reason why I'm asking is that the only way I can get things to work on my Macbook (Lion) is if I have all my traffic through the VPN tunnel. I suspect that I might have to manually add a route to push LAN1 packets through my L2TP_POOL address on my laptop, whereas if I was already on a LAN1 address, the subnetting makes it work automagically.

I guess I could try it, but I'm afraid of breaking it after my glitch and lost configuration from a few weeks ago. Better ask first than be sorry!

RemoteMike

join:2012-04-12
reply to Brano
Brano!
Thank you very much for this great how-to. It's the best I found, now that I have been searching for a week to get my USG 20W ZLD 3.0 to work with L2TP.
Anyway, I am somehow too stupid to get it right. It would be great if you can give me one further hint.
1. I keyed in the whole configuration as you described, including your firewall rules and all objects.
2. A. With the built-in OSX 10.7.3 VPN client I get:

12.04.12 07:57:51.432 racoon: IKE Packet: receive success. (Information message).
12.04.12 07:57:54.435 racoon: IKE Packet: transmit success. (Phase1 Retransmit).
12.04.12 07:57:54.458 racoon: IKE Packet: receive success. (Information message).
12.04.12 07:57:57.461 racoon: IKE Packet: transmit success. (Phase1 Retransmit).
12.04.12 07:57:57.482 racoon: IKE Packet: receive success. (Information message).
12.04.12 07:58:09.493 racoon: IKE Packet: transmit success. (Phase1 Retransmit).
12.04.12 07:58:09.514 racoon: IKE Packet: receive success. (Information message).
12.04.12 07:58:12.000 kernel: Validation failed, dataSuffix:
12.04.12 07:58:12.000 kernel: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
12.04.12 07:58:12.000 kernel: vnode_validate_compressed_file_Type4 error: 22
12.04.12 07:58:12.000 kernel: Validation failed, dataSuffix:
12.04.12 07:58:12.000 kernel: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
12.04.12 07:58:12.000 kernel: vnode_validate_compressed_file_Type4 error: 22
12.04.12 07:58:18.215 pppd: IPSec connection failed

B. With the IPSecuritas (www.lobotomo.com/products/IPSecuritas/) client I get a similar error: Authentication failed

C. With the iPhone iOS 5.1 it times out.

On the USG 20W it is always the same:
IKE - Process is trying 3 times.
It shows the cookie pairs =x012345678/x012345678
Then it says "Authentication failed" probably due to mismatch in shared secret.

What I did: I tried different pre-shared keys, with/without numbers and then HEX: 0x12345678 etc.
No success, always the same errors.
I checked the encryption, DH group, hash types
- no success.
I cannot believe I do not manage to get Phase 1 running :-(

Should I reflash the firmware of the USG?
Any hint is more than welcome. Thanx


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
Unfortunately I don't have OSX or iOS to test this with, so hopefully someone else with OSX experience can pitch in.
From what I'm seeing, you indeed seem to have a pre-shared key mismatch. ... check it again on both sides.

RemoteMike

join:2012-04-12
Thank you for the quick response. I cross my fingers, hope for the best and will keep digging into that matter.


mbaran

@rr.com
reply to Brano
I've followed this guide to a T on a USG 20 with the new 3.0 firmware which allows for L2TP.

I am getting the error message of

SPI: 0x0 SEQ 0x0 No rule found, Dropping packet [count=xx].

I can sign on fine, and I get an IP within the subnet I chose, but from there it does nothing. I cannot ping any of the servers, nor can I browse out to the internet.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to Brano
Brano, I have an iMac at home, and would like to test to see if I can connect to you over SSL VPN.
Are you up to the idea.........


mbaran

@rr.com
reply to mbaran
I solved my own issue. The remote network and my local network were both on the 192.168.1.0/24 network. This was causing funny issues with routes.

I logged in from a MiFi which was the 192.168.0.0/24 network and all was well.

Thanks for the tutorial!
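The overlap mbaran hit (client and remote LAN both on 192.168.1.0/24) and bigboy's question about handing clients LAN1 addresses instead of a separate L2TP_POOL are both address-plan mistakes that can be checked before dialing in. The following is an added example, not code from the thread or from Zyxel; the subnets are constructed, and the pool-vs-LAN case is flagged as a warning because the how-to and the Zyxel doc both keep a dedicated pool.

```python
from ipaddress import ip_network

# Ranges that home routers, MiFis and hotels hand out most often; a LAN in one
# of these will eventually collide with a roaming client's local network.
COMMON_HOME_NETS = tuple(ip_network(n) for n in
                         ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24"))


def check_address_plan(lan, l2tp_pool, client_local):
    """Return a list of problems with an L2TP/IPsec address plan; [] means sane.

    lan          -- subnet behind the USG (e.g. LAN1)
    l2tp_pool    -- address pool assigned to VPN clients (the L2TP_POOL object)
    client_local -- subnet the road-warrior sits on while dialing in
    """
    lan = ip_network(lan, strict=False)
    pool = ip_network(l2tp_pool, strict=False)
    local = ip_network(client_local, strict=False)
    problems = []
    # mbaran's case: the client's own subnet overlaps the remote LAN, so the
    # client's routing table delivers LAN-bound packets to its local interface
    # and they never enter the tunnel; login succeeds but nothing is reachable.
    if local.overlaps(lan):
        problems.append(f"client network {local} overlaps remote LAN {lan}; "
                        "LAN traffic stays local instead of entering the tunnel")
    # The address the client receives inside the tunnel must not also exist
    # as a local host on the network it dials in from.
    if local.overlaps(pool):
        problems.append(f"client network {local} overlaps L2TP pool {pool}; "
                        "the tunnel address collides with a local host")
    # bigboy's question: a pool carved out of LAN1 itself only works if the
    # USG answers ARP on behalf of the clients (proxy ARP); flag it as a warning.
    if pool.overlaps(lan):
        problems.append(f"L2TP pool {pool} overlaps LAN {lan}; use a dedicated "
                        "pool as in the how-to unless proxy ARP is in place")
    return problems


def lan_is_common(lan):
    """True if the LAN uses a range roaming clients are likely to use too."""
    lan = ip_network(lan, strict=False)
    return any(lan.overlaps(n) for n in COMMON_HOME_NETS)


if __name__ == "__main__":
    # Constructed plans: the first reproduces mbaran's failure, the second is
    # what his MiFi (192.168.0.0/24) gave him.
    for plan in (("192.168.1.0/24", "192.168.30.0/24", "192.168.1.0/24"),
                 ("192.168.1.0/24", "192.168.30.0/24", "192.168.0.0/24")):
        print(plan, check_address_plan(*plan) or "OK")
```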


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to Brano
Regarding L2TP over IPsec for the Mac.
One of the steps I have seen is to ensure it's at the top of the running services ..... Network tab, sprocket symbol at the bottom to open it up (speaking about the Mac OS X part).