L2TPoIPSEC problems

superataru (Member, Kearny, NJ, join:2004-12-07)

Hi all, folks.
After some years using only IPSEC/SSL, we decided to let Win7/8 and Android laptop/mobile clients reach HQ too.
So I am trying to set up L2TP VPNs on a USG100 and a USG200, both on 3.00(XX4). No policies before.

It's killing me.

At the moment I am working with a W8 netbook, but I also tested with W7 and a tablet with Android 4.3.X.

Remote USG----(internet)---(Router)----(ClavisterSG50)----W8Client

I can bring up a site-to-site IPSEC tunnel (NAT-T) USG===SG50 if I need to, so UDP 500 and 4500 traffic is working fine.

I set up both end points as the manuals say.

I always get Error 788 back from the Windows client.
Looking at the USG logs I find that PH1 closes successfully, then the USG keeps searching for the right VPN connection (among those with dynamic peers) until it declares there is
NO PROPOSAL CHOSEN.

Had a look at: »USG50 with V3.0 L2TP settings lockup Zywall..

and found that:
- Mode is Transport, not Tunnel;
- Needed a TUNNELtoZYWALL rule (allow udp 1701), as after the IPSEC rules, the device applies the Tunnel-to-ZyWALL rules;

From pics I observe people using the connection with "RemoteAccess (server role)", while the Italian User Guide reports Site-to-site with Dynamic Peer, which is maybe wrong, as it also asks for the "force policy ...." flag, which exists only in the "Site-to-site" and "Remote Access (Client Role)" settings.

Where should I correct something (not only in my brain ...)?

Thanks in advance.

Brano (MVM, Burlington, ON, join:2002-06-25)

1) Upgrade to the latest FW »USG series 3.00 (xxx.4) firmware is out!
2) Follow instructions here »L2TP VPN on USG - quick how-to
and update as per here »L2TP VPN on USG - quick how-to (Win7 updated)

superataru (Member)

said by Brano:

1) Upgrade to the latest FW »USG series 3.00 (xxx.4) firmware is out!
2) Follow instructions here »L2TP VPN on USG - quick how-to
and update as per here »L2TP VPN on USG - quick how-to (Win7 updated)

Tnx mate.
The firewall already has the latest firmware.
Going to read how-to.
Tnx so much.
I will report!
superataru (Member) to Brano
said by Brano:

1) Upgrade to the latest FW »USG series 3.00 (xxx.4) firmware is out!
2) Follow instructions here »L2TP VPN on USG - quick how-to
and update as per here »L2TP VPN on USG - quick how-to (Win7 updated)

[SOLVED]
Most of all thanks to Brano's HowTo(s).

All works fine. I have to add some interesting (surely to me) things:

(note: I created an L2TP Zone to make it easier to manage.)

- When working over the Internet, the WAN interface needs to have the public IP (no chance behind a NAT), or bridge the router that connects to the Internet;
- we need to allow, in L2TP -> ZYWALL, all services we want to allow from the client to targets behind the remote USG (while I was thinking L2TP to LAN1, in my case. But, for real, L2TP should be considered a client-to-client VPN, so it's correct: the ZyWALL works as the L2TP client);

- Performing a ping -t from the L2TP client to a remote LAN address ... I had some observations:

- If we start the client behind a remote ZyWALL that has another IPSec VPN (not nailed up) to the same destination USG:
---- the L2TP VPN does not cause the other tunnel to come up, if it starts first;
---- if the other tunnel was already UP: the L2TP VPN takes the traffic, and the working one stays up, but only with IPsec-service-related traffic.

Hope it helps.
Please post here if you think I wrote incorrect things.
superataru (Member)

Modify:

FW rules: L2TP -> LAN1

Anav (Premium Member, Dartmouth, NS, join:2001-07-16) to superataru
No need to start a new thread as this one is relevant enough.
I am now trying to attach my smartphone via VPN to the router and the LAN. So far unsuccessful; I have provided my logs as proof of my incompetence LOL. Reading them, the only thing that stood out was perhaps a mismatch on the pre-shared key, so I will double check that and retry later. In the meantime, if something else looks off please let me know. Running Android 4.1.1

Brano (MVM)

Do you have encapsulation set to TRANSPORT in VPN Phase 2?

Anav (Premium Member)

Okay on VPN IPSEC CONNECTION TAB, I am using....
ESP-Transport - AES128 - SHA1

On VPN IPSEC GATEWAY TAB, I am using
Main - 3DES - SHA1 - DH2
Anav (Premium Member) to superataru
SUCCESS.... my preshared keys did not match, fixed and I successfully built a tunnel and the user was accepted. So I am halfway there.

On my samsung, how do I check which IP I have?
How do I see my shares?
Should I name the vpn connection name as the same as my LAN name?
Using file explorer or browser didn't seem to do the trick.

I have a connection, but how do I access it?

Okay, a couple of thoughts as well on the above dilemma...
I found it very annoying that I could not create a bunch of users, as there is more than one of us with smartphones. What I mean is that I could NOT apply a group name to the L2TP VPN SETTINGS for ALLOWED users ----- ONLY a single user or ANY. WHY is that?
Do I have to create a separate rule for every USER?

Second, the IP pool I created is probably my problem; it has a different structure than my LAN identified in the ROUTING Policies.
Is this right, or wrong and stupid?
If wrong, should I simply create firewall rules to allow the L2TP LAN POOL numbers access to the specific shares on the LAN desired?

For ex.
my lan is .1.33-xx
my l2tp pool is identified as .100.33-xx

Now I have no LAN or DMZ in my router setup for .100.0, so HOW CAN the router create a fictitious pool?
Anav (Premium Member) to superataru
I can, as admin, access the router somewhat. In that I can type in the URL of the router and I get to the "unknown certificate, do you trust it and proceed" phase, but never seem to be able to enter the router (yes, it switches to HTTPS and hits the right port).

Brano (MVM)

Seen that before; check "ignore don't fragment packets" in the global IPsec settings.

Anav (Premium Member)

I'm assuming you mean the admin router access. Even after checking that box, I get past the certificate check stage but no router menus come up :-((

Also what about accessing shares?

superataru (Member)

Sorry, I have not understood, Anav.

(Yep, users settings have no scalability)

Now you are connected to your remote end point.
You should set an L2TP to LAN zone firewall rule (I usually declare remote non-overlapping subnets in the rules) and the destination subnet.
Add a policy route too, without SNAT, on the output interface (the LAN interface).

Doesn't work?

Brano (MVM) to Anav
said by Anav:

Also what about accessing shares?

ES File Manager

Anav (Premium Member) to superataru
The problem is clear as mud. My policy route is correct. I created an object for my LAN; I suppose I could have used the default LAN1 subnet too. BUT BUT BUT, the IP pool the router assigns is not the same as my LAN and thus theoretically my Samsung should not be able to see diddly squat even if it's on the LAN. At least now when I join my network at home via wifi it gets a LAN IP address.
The other issue is that the router access (and my other policy route here works too) stops at the browser???
Brano I will try ES explorer and report.

superataru (Member)

Mmm.
Using the same settings from a WinXP or Win 7 PC?
said by Anav:

The problem is clear as mud. My policy route is correct. I created an object for my LAN; I suppose I could have used the default LAN1 subnet too. BUT BUT BUT, the IP pool the router assigns is not the same as my LAN and thus theoretically my Samsung should not be able to see diddly squat even if it's on the LAN. At least now when I join my network at home via wifi it gets a LAN IP address.
The other issue is that the router access (and my other policy route here works too) stops at the browser???
Brano I will try ES explorer and report.


Anav (Premium Member) to superataru
I'm connecting from a Samsung Galaxy S3, not a computer.
To report: ES file explorer sees my shares, I can drill down to what folders are at the first level, but I cannot open any lists of contents of the folders.
All other file explorers or media explorer-players failed to connect to the LAN at all.

I'm now not convinced that I was actually accessing anything on ES explorer other than cache or already stored data. So I cleared all and then could not add a server (error: cannot find the server).
Hmm, somehow I was disconnected from my VPN argggg, will try again, disregard above.

Now, after creating a new server, it found the server, could then go to the folders, but would not read any content of folders. I think it may be just timing out??

Okay, so it's extremely limited in capability. I can open folders that are small or do not have many media files. I can easily open a small folder and open and view a simple text file.
Anav (Premium Member) to superataru
So this seems stupid. I have an excellent connection from my ISP, I have LTE on the phone; why is the throughput seemingly so limited?
Kirby Smith (Member, Derry, NH, join:2001-01-26) to Anav
Anav:

If I understood what you wrote, then it may be worth pointing out that if the LAN IP pool is .2 to .33, and the Samsung is given .123, and if both the LAN devices and the Samsung use a network mask of 255.255.255.0, then they should be able to see each other.

kirby

Anav (Premium Member)

Hi Kirby, my comms are poorly written.

My L2TP pool is 192.168.100.1 to 192.168.100.10

My Lan is 192.168.1.33 to 192.168.1.XX

I have no LAN2 or DMZ at all with any structure such as 192.168.100.0

How does my Samsung on a different LAN IP pool even see my shares? Is it because at that point they are in the same boiling pot of LAN1, with no traffic cops to go through? (see how I don't have a clue and am reduced to simple analogies LOL)

Now obviously I am getting through, as using ES explorer I was able to map to all MY NAS boxes, and on one test, access the folders, a sub folder, open a plain text file and read the word test. So it's working. BUT BUT BUT it's sheite trying to open a folder with many media files. It cannot. It stalls. Obviously streaming anything is out of the question, but REALLY, not enough throughput to show a list of files?
(or do all apps/programs try to display thumbnails for example)

The other pizzoff is that on the admin-to-router routing I get connected. I type in the LAN IP of the router to access the web GUI, and I get to the "hey, it's not an official certificate" side, and simply state CONTINUE, and it stops there....... no getting to the official login page..... Argggg.
Kirby Smith (Member)

We probably need flow diagrams of how ZyXEL has assembled a router out of iptables parts and their own modules to understand many questions like yours. The more I learn about these things the more impressed I am that anyone can construct a mostly-functioning router, whether ZyXEL or the pfSense team.

Your L2TP pool is probably like a VLAN to LAN1, but there is no series L2 switch to do any discrimination. Unless your firewall blocks 192.168.1.X from 192.168.100.X, the two "LANs" have connectivity so long as you use IP addresses between them, just as one could communicate between 192.168.1.100 and 192.168.2.200 if LANs 1 and 2 were populated.

kirby
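Kirby's point about the two "LANs" can be checked with a small model. The following is an added example, not ZyXEL code: it sorts addresses into the zones this thread uses (L2TP pool, LAN1, the ZyWALL itself) and evaluates first-match zone-pair rules with default deny, so a flow between the pool and the LAN passes only when an L2TP -> LAN1 rule allows it, while two hosts in one subnet never consult a rule; the /28 for the pool, the gateway address 192.168.1.1 and the rule set are assumptions.

```python
"""Zone-pair filtering model for an L2TP client on a ZyWALL-style firewall.

Added example for this thread, not ZyXEL code. Pool and LAN come from Anav's
post; the /28 for the pool, the gateway address and the rule set are assumed.
Rules are evaluated first match, default deny, like the USG's zone rules.
"""
import ipaddress

ZONES = {
    "L2TP": ipaddress.ip_network("192.168.100.0/28"),  # pool .1-.10 (assumed /28)
    "LAN1": ipaddress.ip_network("192.168.1.0/24"),    # LAN .33-.xx
}
ZYWALL_SELF = {ipaddress.ip_address("192.168.1.1")}    # assumed LAN1 gateway IP

# (from_zone, to_zone, proto, dst_port or None for any, action)
RULES = [
    ("L2TP", "ZyWALL", "tcp", 443, "allow"),   # admin GUI through the tunnel
    ("L2TP", "LAN1", "tcp", 445, "allow"),     # SMB shares on the NAS boxes
    ("L2TP", "LAN1", "icmp", None, "allow"),   # the ping -t test from the thread
]


def zone_of(addr):
    """Map an address to a zone; the firewall's own address is zone ZyWALL."""
    ip = ipaddress.ip_address(addr)
    if ip in ZYWALL_SELF:
        return "ZyWALL"
    return next((name for name, net in ZONES.items() if ip in net), None)


def on_link(a, b):
    """True when both hosts sit in one subnet, so no route or rule is involved."""
    return zone_of(a) == zone_of(b) and zone_of(a) in ZONES


def pool_overlaps_lan():
    """An overlapping pool would break routing; superataru's rules assume none."""
    return ZONES["L2TP"].overlaps(ZONES["LAN1"])


def verdict(src, dst, proto, dport=None):
    """Decide a flow: drop if unroutable, allow intra-subnet, else consult RULES."""
    src_z, dst_z = zone_of(src), zone_of(dst)
    if src_z is None or dst_z is None:
        return "drop"
    if on_link(src, dst):
        return "allow"
    for from_z, to_z, p, port, action in RULES:
        if (from_z, to_z, p) == (src_z, dst_z, proto) and port in (None, dport):
            return action
    return "deny"
```

The same SMB flow that is allowed from a LAN1 host without any rule is denied from the pool unless the L2TP -> LAN1 rule for port 445 exists, which is exactly the "no traffic cops" difference Kirby describes.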

Brano (MVM)

said by Kirby Smith:

We probably need flow diagrams ...

How about this? ...and it's clickable too

Brano (MVM) to Anav
said by Anav:

Im assuming you mean the admin router access. Even after checking that box, I get past the certificate check stage but no router menus come up :-((

I mean this


Anav (Premium Member)

Yes Brano, that is the box I clicked and still no joy. I tried both the built-in browser in the Samsung Galaxy S3 and Chrome.

And by the way, ES file explorer does not do as well as X-plore. X-plore gets me further in the menu and folder structures than ES file explorer, but in the end none of them can handle the folders with a large number of media files (none can stream them either, of course).

Brano (MVM)

Interesting. On good LTE connections I can actually stream from mapped folder via VPN (tried that with ES Explorer and MX player).

Your problem seems to be MSS size related; did you try it from elsewhere (i.e. from cell locations other than home)? Try manually lowering the MSS for that particular VPN connection (it's in advanced settings, I believe).
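Brano's MSS suggestion invites a quick overhead calculation. The following is an added example, not code from the thread, ZyXEL or Windows: it estimates how many bytes L2TP over IPsec in ESP transport mode with NAT-T adds to each packet and the largest TCP MSS that still fits a given path MTU; the 1500-byte MTU, the 8-byte L2TP header, the 4-byte PPP header and the AES128/SHA1 default (Anav's phase 2) are assumptions.

```python
"""Estimate L2TP-over-IPsec per-packet overhead and a safe TCP MSS.

Added example for this thread, not ZyXEL or Windows code. Header sizes are
protocol constants; the path MTU, the L2TP/PPP header lengths and the
cipher/hash pair (defaults follow the thread: AES128 / SHA1) are assumptions.
"""
import math

IPV4 = 20           # outer and inner IPv4 header, no options
UDP = 8             # UDP 4500 (NAT-T) and UDP 1701 (L2TP)
TCP = 20            # inner TCP header, no options
ESP_HDR = 8         # SPI + sequence number
ESP_TRAILER = 2     # pad length + next header
ESP_ICV = {"sha1": 12, "sha256": 16}                     # truncated HMAC
CIPHER_BLOCK = {"aes128": 16, "aes256": 16, "3des": 8}   # CBC IV / block size
L2TP = 8            # flags/version, length, tunnel id, session id (assumed)
PPP = 4             # address/control + protocol, no ACFC/PFC (assumed)
INNER = UDP + L2TP + PPP + IPV4 + TCP   # headers carried inside the ESP payload


def esp_overhead(cipher="aes128", hash_="sha1", nat_t=True):
    """Bytes outside the encrypted part: outer IP, NAT-T UDP, ESP header, IV, ICV."""
    return IPV4 + (UDP if nat_t else 0) + ESP_HDR + CIPHER_BLOCK[cipher] + ESP_ICV[hash_]


def packet_size(mss, cipher="aes128", hash_="sha1", nat_t=True):
    """On-wire size of one full-MSS TCP segment carried over L2TP/IPsec in
    ESP transport mode; the encrypted part is padded to whole cipher blocks."""
    block = CIPHER_BLOCK[cipher]
    padded = math.ceil((INNER + mss + ESP_TRAILER) / block) * block
    return esp_overhead(cipher, hash_, nat_t) + padded


def max_mss(mtu=1500, cipher="aes128", hash_="sha1", nat_t=True):
    """Largest MSS whose segment still fits the MTU without fragmentation."""
    block = CIPHER_BLOCK[cipher]
    room = mtu - esp_overhead(cipher, hash_, nat_t)
    usable = room // block * block          # ESP payload must be whole blocks
    return usable - ESP_TRAILER - INNER


if __name__ == "__main__":
    for mtu in (1500, 1492, 1400):   # Ethernet, PPPoE, a cautious mobile path
        print(f"MTU {mtu}: max MSS {max_mss(mtu)}, "
              f"full segment {packet_size(max_mss(mtu))} bytes on the wire")
```

Anav's later value of 600 is far below what this gives for a 1500-byte path, which explains why it works but costs throughput; the real constraint is the smallest MTU along the mobile path, which this estimate does not know.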

Anav (Premium Member) to Brano

[screenshots: Overview, First, Second, Third]
said by Brano:

said by Kirby Smith:

We probably need flow diagrams ...

No, that's very static and list oriented. This is a dynamic tool WITH ANIMATION, whereby you can watch the ingress and egress of traffic and its status on each step of the way. Much better!!
Anav (Premium Member) to superataru

Last jpegs........ [screenshot]
Anav (Premium Member) to Brano
said by Brano:

Interesting. On good LTE connections I can actually stream from mapped folder via VPN (tried that with ES Explorer and MX player).

Your problem seems to be like MSS size related, did you try it from elsewhere (i.e. from other than home GSM cell locations?) Try manually lowering MSS for that particular VPN connection (It's in advanced settings I believe)

I will give that a try, and yes, it's at home. No, I did not try elsewhere; what diff will it make? My next test is to try wifi at Timmies.
Anav (Premium Member) to superataru
While I searched in vain for the optimal MSS size, getting sidetracked in CISCO forums and a very detailed and complex Checkpoint VPN PDF document, it came to me in a vision LOL.

I brought it down to 600 from auto. I can now browse all files, but streaming is still not working; sometimes the opening screen shows up but is frozen. I did note my phone switched to 4G during several attempts (from LTE).

Would SSL VPN to my shares be faster or better?

superataru (Member)

said by Anav:

While I searched in vain for the optimal MSS size, getting sidetracked in CISCO forums and a very detailed and complex Checkpoint VPN PDF document, it came to me in a vision LOL.

I brought it down to 600 from auto. I can now browse all files, but streaming is still not working; sometimes the opening screen shows up but is frozen. I did note my phone switched to 4G during several attempts (from LTE).

Would SSL VPN to my shares be faster or better?

Nice question, if you consider that I understood only 5 minutes ago what you were really looking for.

I have no Galaxy, and tested L2TP VPNs just with Win clients, two Android pads by Mediacom and one iPad (a customer connected with parameters I sent him, saying "It works! I see my servers now").
Always RDP, web and ICMP traffic; I don't know about performance with media streaming from the remote side (and also with or without Anti-X enabled from/to). Consider that we have no 4G atm, and a broadband line with 24/8 Mbps, here, is a nice dream.

In my everyday experience I can say SSL VPNs (only Win clients supported, if I am not wrong) have the same performance, in full tunnel.
The "simple" reverse proxy is very fast, instead.

Now, I am not sure, but maybe I've found a bug (or a misconfiguration of mine?): the full tunnel drops if you establish it but don't use it (seems not related to the user timeout).
The reverse proxy, which you were using, keeps on working without problems.