superataru

join:2004-12-07
Kearny, NJ

L2TPoIPSEC problems

Hi all, folks.
After some years of using only IPSEC/SSL, we decided to use Win7-8 / Android laptop/mobile clients to reach HQ, too.
So I am trying to set up L2TP VPNs on a USG100 and a USG200. Both on 3.00(XX4). No policies before.

It's killing me.

At the moment I am working with a W8 netbook, but I also tested with W7 and a tablet with Android 4.3.X.

Remote USG----(internet)---(Router)----(ClavisterSG50)----W8Client

I can bring up an IPSEC site-to-site tunnel (NAT-T) USG===SG50 if I need to, so UDP 500 and 4500 traffic is working fine.

I set up both end points as the manuals say.

I always get Error 788 back from the Windows client.
Looking at the USG logs I find that PH1 closes successfully, then the USG keeps searching for the right VPN connection (among those with dynamic peers) until it declares there is
NO PROPOSAL CHOSEN.

Had a look at: »USG50 with V3.0 L2TP settings lockup Zywall..

and found that:
- Mode is Transport, not Tunnel;
- Needed a TUNNEL to ZyWALL rule (allow UDP 1701), as after the IPSEC rules the device applies the Tunnel-to-ZyWALL rules;

From the pics I observe people using the connection with "RemoteAccess (server role)", and the Italian User Guide reports Site-to-site with Dynamic Peer, which is wrong, maybe, as it also asks for the "force policy ...." flag, which exists only in the "Site-to-site" and "Remote Access (Client Role)" settings.

Where should I correct something (not only in my brain ...)?

Thanks in advance.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:6

1) Upgrade to the latest FW »USG series 3.00 (xxx.4) firmware is out!
2) Follow instructions here »L2TP VPN on USG - quick how-to
and update as per here »L2TP VPN on USG - quick how-to (Win7 updated)



superataru

join:2004-12-07
Kearny, NJ

said by Brano:

1) Upgrade to the latest FW »USG series 3.00 (xxx.4) firmware is out!
2) Follow instructions here »L2TP VPN on USG - quick how-to
and update as per here »L2TP VPN on USG - quick how-to (Win7 updated)

Thanks mate.
The firewall already has the latest firmware.
Going to read the how-to.
Thanks so much.
I will report!


superataru

join:2004-12-07
Kearny, NJ

1 edit

reply to Brano

said by Brano:

1) Upgrade to the latest FW »USG series 3.00 (xxx.4) firmware is out!
2) Follow instructions here »L2TP VPN on USG - quick how-to
and update as per here »L2TP VPN on USG - quick how-to (Win7 updated)

[SOLVED]
Most of all, thanks to Brano's HowTo(s).

All works fine. I have to add some interesting (surely to me) things:

(note: I created an L2TP zone to make it easier to manage.)

- Working over the Internet, we need the WAN interface to have the public IP (no chance behind a NAT), or to bridge the router that connects to the Internet;
- we need to allow L2TP -> ZYWALL for all services we want to allow from the client to targets behind the remote USG (while I was thinking L2TP to LAN1, in my case; but really, L2TP should be considered a client-to-client VPN, so it's correct: the ZyWALL works as L2TP client);

- Performing a ping -t from the L2TP client to a remote LAN address, I had some observations:

- If we start the client behind a remote ZyWALL that has another IPSec VPN (not nailed up) to the same destination USG:
---- the L2TP VPN does not cause the other tunnel to go up, if it starts first;
---- if the other tunnel was already UP, the L2TP VPN takes the traffic and the working one stays up, but only with IPsec-service-related traffic.

Hope it helps.
Please post here if you think I wrote incorrect things.


superataru

join:2004-12-07
Kearny, NJ

Modify:

FW rules: L2TP -> LAN1



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

reply to superataru

No need to start a new thread as this one is relevant enough.
I am now trying to attach my smartphone via VPN to the router and the LAN. So far unsuccessful; I have provided my logs as proof of my incompetence LOL. Reading them, the only thing that stood out was perhaps a mismatch on the pre-shared key, so I will double check that and retry later. In the meantime, if something else looks off please let me know. Running Android 4.1.1.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:6

Do you have encapsulation set to TRANSPORT in VPN Phase 2?



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

Okay, on the VPN IPSEC CONNECTION tab I am using....
ESP-Transport - AES128 - SHA1

On the VPN IPSEC GATEWAY tab I am using
Main - 3DES - SHA1 - DH2
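The NO PROPOSAL CHOSEN search from the first post and Brano's transport-mode question, modelled as an added example that is not part of the thread: a small Python emulation of a gateway walking its VPN connections looking for a Phase 2 proposal that matches what the client offered, and reporting the closest miss when none does. The connection names, the client offer list and the attribute set are constructed assumptions, not the USG's real negotiation code.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Phase2Proposal:
    encapsulation: str  # "transport" (what L2TP/IPsec needs) or "tunnel"
    encryption: str     # e.g. "aes128", "3des"
    integrity: str      # e.g. "sha1"

    def mismatch(self, other: "Phase2Proposal") -> List[str]:
        """Attributes on which two proposals differ (empty list = match)."""
        out = []
        for field in ("encapsulation", "encryption", "integrity"):
            a, b = getattr(self, field), getattr(other, field)
            if a != b:
                out.append(f"{field}: client {a} vs gateway {b}")
        return out

# Constructed sample: a Windows L2TP/IPsec client offers ESP in transport mode only
CLIENT_OFFER = [
    Phase2Proposal("transport", "aes128", "sha1"),
    Phase2Proposal("transport", "3des", "sha1"),
]

def select_proposal(client: List[Phase2Proposal],
                    gateway: Dict[str, List[Phase2Proposal]]
                    ) -> Tuple[Optional[str], Dict[str, List[str]]]:
    """Walk the gateway's VPN connections (as the USG does for dynamic peers) and
    return the first whose Phase 2 proposal matches one the client offered.
    If none matches, return None plus the closest miss per connection: this is
    the situation the log reports as NO PROPOSAL CHOSEN."""
    rejections: Dict[str, List[str]] = {}
    for name, proposals in gateway.items():
        for g in proposals:
            for c in client:
                if not c.mismatch(g):
                    return name, rejections
        rejections[name] = min((c.mismatch(g) for g in proposals for c in client), key=len)
    return None, rejections

# Constructed gateway configs (names are assumptions): a site-to-site connection in
# tunnel mode, which can never match, beside an ESP-Transport AES128 SHA1 connection
GATEWAY_WRONG = {"SiteToSite_Dyn": [Phase2Proposal("tunnel", "aes128", "sha1")]}
GATEWAY_FIXED = {"SiteToSite_Dyn": [Phase2Proposal("tunnel", "aes128", "sha1")],
                 "L2TP_RemoteAccess": [Phase2Proposal("transport", "aes128", "sha1")]}

if __name__ == "__main__":
    for label, gw in (("wrong", GATEWAY_WRONG), ("fixed", GATEWAY_FIXED)):
        chosen, why = select_proposal(CLIENT_OFFER, gw)
        print(label, "->", chosen or "NO PROPOSAL CHOSEN", why)
```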



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

3 edits

reply to superataru
SUCCESS.... my pre-shared keys did not match; fixed, and I successfully built a tunnel and the user was accepted. So I am halfway there.

On my Samsung, how do I check which IP I have?
How do I see my shares?
Should I name the VPN connection the same as my LAN name?
Using file explorer or browser didn't seem to do the trick.

I have a connection, but how to access?

Okay, a couple of thoughts as well on the above dilemma...
I found it very annoying that I could not create a bunch of users, as there is more than one of us with a smartphone. What I mean is that I could NOT apply a group name to the L2TP VPN SETTINGS for ALLOWED users ----- ONLY a single USER or ANY. WHY is that?
Do I have to create a separate rule for every USER?

Second, the IP pool I created is probably my problem; it has a different structure than my LAN identified in the ROUTING Policies.
Is this right, or wrong and stupid?
If wrong, should I simply create firewall rules to allow the L2TP LAN POOL numbers access to the specific shares on the LAN desired?

For ex.
my LAN is .1.33-xx
my L2TP pool is identified as .100.33-xx

Now I have no LAN or DMZ in my router setup for .100.0, so HOW CAN the router create a fictitious pool?




Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

reply to superataru
I can, as admin, access the router somewhat, in that I can type in the URL of the router and I get to the "unknown certificate, do you trust it and proceed" phase, but never seem to be able to enter the router (yes, it switches to HTTPS and hits the right port).



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:6

Seen that before, check ignore don't fragment packets in global ipsec settings.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

I'm assuming you mean the admin router access. Even after checking that box, I get past the certificate check stage but no router menus come up :-((

Also what about accessing shares?



superataru

join:2004-12-07
Kearny, NJ

reply to superataru
Sorry, I have not understood, Anav.

(Yep, user settings have no scalability.)

Now you are connected to your remote end point.
You should set an L2TP to LAN zone firewall rule (I usually declare the remote, non-overlapping subnets in the rules) and the destination subnet.
Add a policy route too, without SNAT, with the LAN interface as the output interface.

Doesn't work?



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:6

reply to Anav

said by Anav:

Also what about accessing shares?

ES File Manager


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

reply to superataru
The problem is clear as mud. My policy route is correct. I created an object for my LAN; I suppose I could have used the default LAN1 subnet too. BUT BUT BUT, the IP pool the router assigns is not the same as my LAN, and thus theoretically my Samsung should not be able to see diddly squat even if it's on the LAN. At least now when I join my network at home via Wi-Fi it gets a LAN IP address.
The other issue is that the router access (and my other policy route here works too) stops at the browser???
Brano, I will try ES explorer and report.



superataru

join:2004-12-07
Kearny, NJ

Mmm.
Using the same settings from a WinXP or Win 7 PC?

said by Anav:

The problem is clear as mud. My policy route is correct. I created an object for my LAN; I suppose I could have used the default LAN1 subnet too. BUT BUT BUT, the IP pool the router assigns is not the same as my LAN, and thus theoretically my Samsung should not be able to see diddly squat even if it's on the LAN. At least now when I join my network at home via Wi-Fi it gets a LAN IP address.
The other issue is that the router access (and my other policy route here works too) stops at the browser???
Brano, I will try ES explorer and report.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

3 edits

reply to superataru
I'm connecting from a Samsung Galaxy S3, not a computer.
To report: ES File Explorer sees my shares; I can drill down to what folders are at the first level, but I cannot open any lists of contents of the folders.
All other file explorers or media explorer-players failed to connect to the LAN at all.

I'm now not convinced that I was actually accessing anything in ES explorer other than cache or already stored data. So I cleared all and then could not add a server (error: cannot find the server).
Hmm, somehow I was disconnected from my VPN, argggg; will try again, disregard the above.

Now, after creating a new server, it found the server and could then go to the folders, but would not read any content of the folders. I think it may be just timing out??

Okay, so it's extremely limited in capability. I can open folders that are small or do not have many media files. I can easily open a small folder and open and view a simple text file.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

reply to superataru
So this seems stupid. I have an excellent connection from my ISP, I have LTE on the phone; why is the throughput seemingly so limited?


Kirby Smith

join:2001-01-26
Derry, NH

reply to Anav
Anav:

If I understood what you wrote, then it may be worth pointing out that if the LAN IP pool is .2 to .33, and the Samsung is given .123, and if both the LAN devices and the Samsung use a network mask of 255.255.255.0, then they should be able to see each other.

kirby
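Kirby's netmask point and Anav's pool-versus-LAN question, as an added example that is not part of the thread: a Python check of an L2TP pool against the USG's interface subnets using the addresses quoted in this thread (LAN 192.168.1.0/24, pool 192.168.100.1 to .10), reporting whether the pool overlaps an interface or the client's own home subnet, and whether the USG therefore routes between pool and LAN. The interface name, the pool-to-prefix mapping and the client-side subnet are assumptions.

```python
import ipaddress
from typing import Dict, Optional, Tuple

Net = ipaddress.IPv4Network

# Constructed from the thread: LAN1 is 192.168.1.0/24 (hosts .33 upward), the L2TP
# pool is 192.168.100.1-192.168.100.10, and no interface carries 192.168.100.0/24.
USG_INTERFACES: Dict[str, Net] = {"lan1": ipaddress.ip_network("192.168.1.0/24")}
L2TP_POOL: Tuple[str, str] = ("192.168.100.1", "192.168.100.10")

def pool_network(first: str, last: str) -> Net:
    """Smallest block (down to a /24) that covers the pool range the USG hands out."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    for prefix in range(32, 23, -1):
        net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
        if b in net:
            return net
    raise ValueError("pool spans more than a /24")

def check_pool(interfaces: Dict[str, Net], pool: Tuple[str, str],
               client_lan: Optional[str] = None) -> Dict[str, object]:
    """Classify an L2TP pool against the USG's interface subnets and, optionally,
    the subnet the client itself sits behind (its home Wi-Fi, for instance)."""
    net = pool_network(*pool)
    overlaps = [name for name, subnet in interfaces.items() if subnet.overlaps(net)]
    clashes = client_lan is not None and ipaddress.ip_network(client_lan).overlaps(net)
    if overlaps:
        # Same broadcast domain: LAN hosts treat client addresses as on-link and ARP
        # for them, so the gateway has to answer on the client's behalf.
        verdict = f"pool lies inside {overlaps[0]}; gateway must proxy-ARP for clients"
    else:
        # Separate subnet: every packet is routed by the USG, which is why the thread's
        # L2TP -> LAN1 firewall rule and the policy route without SNAT are needed.
        verdict = "pool is a separate subnet routed by the USG (L2TP -> LAN1 rule + policy route)"
    return {"pool_net": str(net), "overlaps": overlaps,
            "clashes_with_client_lan": bool(clashes), "verdict": verdict}

if __name__ == "__main__":
    print(check_pool(USG_INTERFACES, L2TP_POOL))
    print(check_pool(USG_INTERFACES, L2TP_POOL, client_lan="192.168.100.0/24"))
```

A pool that clashes with the client's own home subnet is the case to watch for: the phone then has the same prefix on both its Wi-Fi and its VPN interface and may send LAN-bound traffic out the wrong one.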



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

Hi Kirby, my comms are poorly written.

My L2TP pool is 192.168.100.1 to 192.168.100.10

My LAN is 192.168.1.33 to 192.168.1.XX

I have no LAN2 or DMZ at all with any structure such as 192.168.100.0

How does my Samsung on a different LAN IP pool even see my shares? Is it because at that point they are in the same boiling pot of LAN1, no traffic cops to go through (see how I don't have a clue and am reduced to simple analogies LOL)

Now obviously I am getting through, as using ES explorer I was able to map to all MY NAS boxes, and on one test access the folders, a sub folder, open a plain text file and read the word test. So it's working. BUT BUT BUT it's sheite trying to open a folder with many media files. It cannot. It stalls. Obviously streaming anything is out of the question, but REALLY, not enough throughput to show a list of files?
(or do all apps/programs try to display thumbnails, for example)

The other pizzoff is that on the admin-to-router routing I get connected. I type in the LAN IP of the router to access the web GUI, and I get to the "hey, it's not an official certificate" site, and simply state CONTINUE and it stops there....... no getting to the official login page..... Argggg.

