
Kirby Smith (Derry, NH), reply to Anav:

Re: L2TPoIPSEC problems

We probably need flow diagrams of how ZyXEL has assembled a router out of iptables parts and their own modules to understand many questions like yours. The more I learn about these things the more impressed I am that anyone can construct a mostly-functioning router, whether ZyXEL or the pfSense team.

Your L2TP pool is probably like a VLAN to LAN1, but there is no series L2 switch to do any discrimination. Unless your firewall blocks 192.168.1.X from 192.168.100.X, the two "LANs" have connectivity so long as you use IP addresses between them, just as one could communicate between 192.168.1.100 and 192.168.2.200 if LANs 1 and 2 were populated.

kirby



Brano (Burlington, ON):

said by Kirby Smith:

We probably need flow diagrams ...

How about this? ...and it's clickable too



Brano (Burlington, ON), reply to Anav:

said by Anav:

I'm assuming you mean the admin router access. Even after checking that box, I get past the certificate check stage but no router menus come up :-((

I mean this



Anav (Dartmouth, NS):

Yes Brano, that is the box I clicked and still no joy. I tried both the built-in browser on the Samsung Galaxy S3 and Chrome.

And by the way, ES File Explorer does not do as well as X-plore. X-plore gets me further into the menu and folder structures than ES File Explorer, but in the end none of them can handle the folders with a large number of media files (none can stream them either, of course).



Brano (Burlington, ON):

Interesting. On good LTE connections I can actually stream from a mapped folder via VPN (tried that with ES Explorer and MX Player).

Your problem seems to be MSS-size related. Did you try it from elsewhere (i.e. from other than your home GSM cell location)? Try manually lowering the MSS for that particular VPN connection (it's in the advanced settings, I believe).
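The MSS reduction Brano suggests, worked through as an added example (not code from the thread or from ZyXEL): it estimates how many bytes L2TP/IPsec encapsulation with NAT-T adds to each TCP segment, and so the largest MSS that still fits a given path MTU. The header sizes are assumed typical values for AES-CBC with HMAC-SHA1-96; the real numbers depend on the algorithms the router and the phone negotiate.

```python
"""Estimate the TCP MSS that fits inside an L2TP/IPsec (ESP, NAT-T) packet.

All sizes are assumptions: typical transport-mode ESP with AES-CBC (16-byte IV
and block) and HMAC-SHA1-96, L2TP data header with the length field, and an
uncompressed PPP header. Adjust the constants to the negotiated proposal.
"""

OUTER_IP = 20       # IPv4 header of the ESP packet (transport mode reuses it)
NAT_T_UDP = 8       # UDP/4500 encapsulation when the client sits behind NAT
ESP_HDR = 8         # SPI + sequence number
ESP_TRAILER = 2     # pad length + next header
UDP_1701 = 8        # L2TP runs over UDP/1701
L2TP_HDR = 8        # flags/version, length, tunnel id, session id
PPP_HDR = 4         # address, control, protocol (2 if compressed)
INNER_IP = 20       # the tunnelled IPv4 packet
TCP_HDR = 20        # TCP header without options


def esp_packet_size(mss, iv_len=16, block=16, icv_len=12):
    """Wire size of one full-MSS TCP segment after L2TP/IPsec encapsulation.

    Everything from the UDP/1701 header inward is encrypted, so it is padded
    up to the cipher block size before the ICV is appended.
    """
    plaintext = UDP_1701 + L2TP_HDR + PPP_HDR + INNER_IP + TCP_HDR + mss + ESP_TRAILER
    padding = (-plaintext) % block            # CBC padding to a block boundary
    return OUTER_IP + NAT_T_UDP + ESP_HDR + iv_len + plaintext + padding + icv_len


def max_mss(path_mtu, **kw):
    """Largest MSS whose encapsulated segment does not exceed the path MTU.

    Because of block padding the wire size is not linear in the MSS, so the
    value is found by walking down until the packet fits.
    """
    mss = path_mtu
    while mss > 0 and esp_packet_size(mss, **kw) > path_mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    for mtu in (1500, 1400):
        mss = max_mss(mtu)
        print(f"path MTU {mtu}: max MSS {mss}, "
              f"overhead {esp_packet_size(mss) - mss} bytes")
```

The default MSS of 1460 for a 1500-byte link is therefore too large once the tunnel overhead is counted; a smaller MTU on the mobile side shrinks the budget further, which is why a manual clamp on the VPN connection can help.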



Anav (Dartmouth, NS), reply to Brano:

[Attached screenshots: Overview, First, Second, Third]
said by Brano:

said by Kirby Smith:

We probably need flow diagrams ...

No, that's very static and list-oriented. This is a dynamic tool WITH ANIMATION, whereby you can watch the ingress and egress of traffic and its status at each step of the way. Much better!!


Anav (Dartmouth, NS), reply to superataru:

[Attached screenshot]
Last jpegs........


Anav (Dartmouth, NS), reply to Brano:

said by Brano:

Interesting. On good LTE connections I can actually stream from a mapped folder via VPN (tried that with ES Explorer and MX Player).

Your problem seems to be MSS-size related. Did you try it from elsewhere (i.e. from other than your home GSM cell location)? Try manually lowering the MSS for that particular VPN connection (it's in the advanced settings, I believe).

I will give that a try, and yes, it's at home. No, I did not try elsewhere; what difference will it make? My next test is to try wifi at Timmies.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"



Anav (Dartmouth, NS), reply to superataru:

While I searched in vain for the optimal MSS size, getting sidetracked in Cisco forums and a very detailed and complex Checkpoint VPN PDF document, it came to me in a vision, LOL.

I brought it down to 600 from auto. I can now browse all files, but streaming is still not working; sometimes the opening screen shows up but is frozen. I did note my phone switched to 4G (from LTE) during several attempts.

Would SSL VPN to my shares be faster or better?



superataru (Kearny, NJ):

said by Anav:

While I searched in vain for the optimal MSS size, getting sidetracked in Cisco forums and a very detailed and complex Checkpoint VPN PDF document, it came to me in a vision, LOL.

I brought it down to 600 from auto. I can now browse all files, but streaming is still not working; sometimes the opening screen shows up but is frozen. I did note my phone switched to 4G (from LTE) during several attempts.

Would SSL VPN to my shares be faster or better?

Nice question, if you consider that I only understood 5 minutes ago what you were really looking for.

I don't have a Galaxy, and tested L2TP VPNs just with Windows clients, two Android pads by Mediacom and one iPad (a customer connected with the parameters I sent him, saying "It works! I see my servers now").
Always RDP, web and ICMP traffic; I don't know about performance with media streaming from the remote end (and also with or without Anti-X enabled from/to). Consider that we have no 4G at the moment, and a broadband line with 24/8 Mbps, here, is a nice dream.

In my everyday experience I can say SSL VPNs (only Windows clients supported, if I am not wrong) have the same performance, in full tunnel.
"Simple" reverse proxy is very fast, instead.

Now, I am not sure, but maybe I've found a bug (or a misconfiguration of mine?): the full tunnel drops if you establish it but don't use it (seems not related to the user timeout).
The reverse proxy, which you were using, keeps on working without problems.


superataru (Kearny, NJ), reply to superataru:

Cool Cisco tool.
They added the packet tracer I used to get examinations into the device diagnostics page. Wonderful.



Anav (Dartmouth, NS), reply to superataru:

Brano, I am running Avast and something called Advanced Mobile Care. Obviously lowering the MSS to 600 helped somewhat, but it is still less than adequate. Do you think the above two apps are the problem??


Kirby Smith (Derry, NH), reply to Brano:

Brano:

I can't say that that built-in flow diagnostic wouldn't reveal what is going on between IP address pools, but from the categories shown I hadn't previously considered it. Since I can't simulate Anav's setup, I'll have to leave it to him to investigate.

kirby



Brano (Burlington, ON), reply to Anav:

said by Anav:

Brano, I am running Avast and something called Advanced Mobile Care. Obviously lowering the MSS to 600 helped somewhat, but it is still less than adequate.

I'd definitely try disabling/removing any AV tool for testing.


Anav (Dartmouth, NS), reply to superataru:

Didn't seem to make a difference, but it was not much of a controlled attempt. I did try wifi at Timmies and I could get a TV show to start, but it stuttered a lot or froze, MSS set to 600.


vikino, reply to superataru:

[Attached screenshot]
Hi all,
I'm still having an issue with L2TP over IPsec with Android.
The log says that Phase 1 is completed and disconnected, but Phase 2 says "Local policy mismatch". I followed Brano's guides step by step; in the VPN connection I have as local policy the interface WAN IP, so the public IP... In my case it is internally from the ISP the 192.168.140.21, but for this IP a full NAT of a public IP is done...
Any idea?


Anav (Dartmouth, NS), reply to superataru:

I had to reset my router but once I have my android back up with L2TP I will help out.



superataru (Kearny, NJ), reply to superataru:

Hi all.
Sorry for the delay. I tested again, successfully, L2TP connections from Android and iPad 2, working only from ISP mobile connections (Vodafone), and found them very fast. (The same performance, it seems, as with a DSL connection.)
I also routed traffic from L2TP to all IPsec endpoints of H&S. Used RDP services and the web pages of a customer's surveillance cameras (sorry Anav, no resource browsing), with good results. L2TP clients also use the same remote-pool addresses as the SSL connections, easily, with no overlapping. I had to write down all policy routes, also to the L2TP endpoint LAN1 (surely it was not necessary).
It's all OK now: IPsec, SSL and L2TP. Thanks all; with the suggestions and tests I improved my knowledge.



Anav (Dartmouth, NS):

Thanks for the feedback superataru. If I have any questions I will give you an IM.



superataru (Kearny, NJ):

said by Anav:

Thanks for the feedback superataru. If I have any questions I will give you an IM.

LOL