Topic 'L2TPoIPSEC problems' in forum 'ZyXEL' - dslreports.com

Re: L2TPoIPSEC problems

Sat, 23 Mar 2013 13:59:33 EDT

superataru posted :

said by Anav:

Thanks for the feedback superataru. If I have any questions I will give you an IM.

LOL

Re: L2TPoIPSEC problems

Sat, 23 Mar 2013 09:19:08 EDT

Anav posted : Thanks for the feedback superataru. If I have any questions I will give you an IM.

Re: L2TPoIPSEC problems

Sat, 23 Mar 2013 04:01:10 EDT

superataru posted : Hi all.
Sorry for delay. I tested again, and successfully L2TP connections from Android ad iPAD2, working only from ISP mobile connections (Vodafone), and found them very fast. (The same performances, it seems, as with DSL conncection).
I also routed traffic from L2TP to all IPSEC end points of H&S. Used RDP services and web pages of surveillance cameras of customer (sorry Anav, no resource browsing), with good results. Lt2p clients also use same remote-pool-addresses of SSL connections, easily, with no overlapping. I had to write down all policy routes, also to l2tp end point LAN1 (sure it was not necessary).
It's all ok, now. IPSEC, SSL and L2TP. Thanks all, as with suggestions and tests i improved my knowledge.

Re: L2TPoIPSEC problems

Sat, 09 Mar 2013 10:36:12 EDT

Anav posted : I had to reset my router but once I have my android back up with L2TP I will help out.

Re: L2TPoIPSEC problems

Sat, 09 Mar 2013 09:54:46 EDT

vikino posted : Hi all,
im still having issue with L2TP over IPSec with android,
log says that Phase 1 is completed and disconnected, but Phase 2 says Local policy mismatch, i followed Branos guides step by step, in VPN connection i have as local policy interface WAN IP, so the public IP...In my case it is internally from ISP the 192.168.140.21 but for this IP is done full NAT of an public IP...
Any idea?

Re: L2TPoIPSEC problems

Thu, 28 Feb 2013 22:16:10 EDT

Anav posted : Didnt seem to make a diff but was not much of a controlled attempt. I did try wifi at timmies and I could get a tv show to start but it stuttered a lot or froze, mss set to 600.

Re: L2TPoIPSEC problems

Thu, 28 Feb 2013 21:38:43 EDT

Brano posted :

said by Anav:

Brano I am running avast and something called Advanced Mobile Care. Obviously lowing MSS to 600 helped somewhat but still less than adequate.

I'd definitely try disabling/removing any AV tool for testing.

Re: L2TPoIPSEC problems

Thu, 28 Feb 2013 11:13:32 EDT

Kirby Smith posted : Brano:

I can't say that that built-in flow diagnostic wouldn't reveal what is going on between IP address pools, but from the categories shown I hadn't previously considered it. Since I can't simulate Anav's setup, I'll have to leave it to him to investigate.

kirby

Re: L2TPoIPSEC problems

Thu, 28 Feb 2013 07:56:45 EDT

Anav posted : Brano I am running avast and something called Advanced Mobile Care. Obviously lowing MSS to 600 helped somewhat but still less than adequate. Do you think the above two apps are the problem??

Re: L2TPoIPSEC problems

Thu, 28 Feb 2013 02:39:55 EDT

superataru posted : Kool Cisco tool.
They added packet tracert i used to get examinations into device diagnostics page. Wonderful.

Re: L2TPoIPSEC problems

Thu, 28 Feb 2013 01:29:08 EDT

superataru posted :

said by Anav:

While I search in vain for optimal MSS size, getting sidetracked in CISCO forums and very detailed and complex Checkpoint, VPN PDF document it came to me in a vision LOL,

I brought it down to 600 from auto. I can now browse all files but streaming is still not working sometimes the opening screen shows up but is frozen. I did not my phone switched to 4G during several attempts (from LTE).

Would SSL VPN to my shares be faster or better?????????

Nice question, if you consider that i've understood 5 mins ago what you was really looking for. :-)

I got not Galaxy, and tested L2TP VPNs just with Win Clients, two Android pads by mediacom and one IPad (a customer connected with parameters i sent him, sayng "It works! i see my servers now".
Always rdp, web and icmp traffic, dunno about performances with media streaming from the remote (and also with or without Anti-X enabled from/to). Consider that we have not 4G atm, and a bb line with 24/8 Mbps, here, is a nice dream.

In my everyday experience i can say SSL-VPNs (only Win clients supported, if i am not wrong) has same performaces, in full tunnel.
"Simple" reverse proxy is very fast, instead.

Now, i am not sure, but maybe i've found a bug (or a misconfiguration of mine?): full tunnel drops if you estabilish it but not use (seems not related to user timeout).
Reverse proxy, you was using, keeps on on working, without problems.

Re: L2TPoIPSEC problems

Wed, 27 Feb 2013 22:41:13 EDT

Anav posted : While I search in vain for optimal MSS size, getting sidetracked in CISCO forums and very detailed and complex Checkpoint, VPN PDF document it came to me in a vision LOL,

I brought it down to 600 from auto. I can now browse all files but streaming is still not working sometimes the opening screen shows up but is frozen. I did not my phone switched to 4G during several attempts (from LTE).

Would SSL VPN to my shares be faster or better?????????

Re: L2TPoIPSEC problems

Wed, 27 Feb 2013 22:21:06 EDT

Anav posted :

said by Brano:

Interesting. On good LTE connections I can actually stream from mapped folder via VPN (tried that with ES Explorer and MX player).

Your problem seems to be like MSS size related, did you try it from elsewhere (i.e. from other than home GSM cell locations?) Try manually lowering MSS for that particular VPN connection (It's in advanced settings I believe)

I will give that a try, and yes its at home. No I did not try elsewhere, what diff will it make? My next test is to try wifi at Timmies.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment

Re: L2TPoIPSEC problems

Wed, 27 Feb 2013 22:18:34 EDT

Anav posted : Last jpegs........

Re: L2TPoIPSEC problems

Wed, 27 Feb 2013 22:17:29 EDT

Anav posted :

said by Brano:

said by Kirby Smith:

We probably need flow diagrams ...

No thats very static and list oriented. This is a dynamic tool WITH ANIMATION, whereby you can watch the ingress and egress of traffic and its status on each step of the way. Much better!!

Third
Second
First
Overview

Re: L2TPoIPSEC problems

Wed, 27 Feb 2013 22:08:42 EDT

Brano posted : Interesting. On good LTE connections I can actually stream from mapped folder via VPN (tried that with ES Explorer and MX player).

Your problem seems to be like MSS size related, did you try it from elsewhere (i.e. from other than home GSM cell locations?) Try manually lowering MSS for that particular VPN connection (It's in advanced settings I believe)

Re: L2TPoIPSEC problems

Wed, 27 Feb 2013 21:49:42 EDT

Anav posted : Yes Brano, that is the box I clicked and still no joy. I tried both the built in browser in samsung galaxy s3 and chrome.

And by the way, ES file explorer does not do as well as X-plore. X-explore gets me further in the menu and folder structures than ES file explorer but in the end none of them can handle the folders with large number of media files (none can stream them either of course).

Re: L2TPoIPSEC problems

Wed, 27 Feb 2013 21:14:38 EDT

Brano posted :

said by Anav:

Im assuming you mean the admin router access. Even after checking that box, I get past the certificate check stage but no router menus come up :-((

I mean this
[att=1]

Re: L2TPoIPSEC problems

Wed, 27 Feb 2013 21:08:01 EDT

Brano posted :

said by Kirby Smith:

We probably need flow diagrams ...

How about this? ...and it's clickable too ;)
[att=1]

Re: L2TPoIPSEC problems

Wed, 27 Feb 2013 12:29:25 EDT

Kirby Smith posted : We probably need flow diagrams of how ZyXEL has assembled a router out of iptables parts and their own modules to understand many questions like yours. The more I learn about these things the more impressed I am that anyone can construct a mostly-functioning router, whether ZyXEL or the pfSense team.

Your L2TP pool is probably like a VLAN to LAN1, but there is no series L2 switch to do any discrimination. Unless your firewall blocks 192.168.1.X from 192.168.100.X, the two "LANs" have connectivity so long as you use IP addresses between them, just as one could communicate between 192.168.1.100 and 192.168.2.200 if LANs 1 and 2 were populated.

kirby

Re: L2TPoIPSEC problems

Wed, 27 Feb 2013 10:57:23 EDT

Anav posted : Hi Kirby my comms are poorly written.

My L2TP pool is 192.168.100.1 to 192.168.100.10

My Lan is 192.168.1.33 to 192.168.1.XX

I have no LAN2 or DMZ at all with any structure such as 192.168.100.0

How does my samsung on a different LANIP pool even see my shares^^^^^^^^ Is it because at that point they are in the same boiling pot of LAN1, no traffic cops to go through (see how I dont have a clue and am reduced to simple analogies LOL)

Now obviously I am getting thru as using ES explorer I was able to map to all MY NAS boxes, and on one test, access the folders, a sub folder, open a plain text file and read the word test. So its working. BUT BUT BUT its sheite trying to opne a folded with many media files. It cannot. It stalls. Obviously streaming anything is out of the question but REALLY, not enough throughput to show list of files?????
(or do all apps/programs try to display thumbnails for example)

The other pizzoff is that on the admin to router routing I get connected. I type in the LANIP of the router to access the web gui, and I get to hey its not an official certificate side, and simply state CONTINUE and it stops there....... no getting to the official login page..... Argggg.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment

Re: L2TPoIPSEC problems

Wed, 27 Feb 2013 10:39:17 EDT

Kirby Smith posted : Anav:

If I understood what you wrote, then it may be worth pointing out that if the LAN IP pool is .2 to .33, and the Samsung is given .123, and if both the LAN devices and the Samsung use a network mask of 255.255.255.0, then they should be able to see each other.

kirby

Re: L2TPoIPSEC problems

Wed, 27 Feb 2013 07:47:36 EDT

Anav posted : So this seems stupid. I have an excellent connection from my ISP, I have LTE on phone why is the throughput seemingly so limited.

Re: L2TPoIPSEC problems

Wed, 27 Feb 2013 07:18:41 EDT

Anav posted : IM connecting from a samsung galaxy S3 not a computer.
To report, ES file explorer sees my shares, I can drill down to what folders are a the first level but I cannot open any lists of contents of the folders.
All other file explorers or media explorer-players failed to connect to the LAN at all.

IM now not convinced that I was actually accessing anything on ES explorer other than cache or already stored data. So I cleared all and then could not add a server. (error cannot find the server).
Hmm somehow I was disconnected from my VPN argggg will try again disrgeard above.

No after creating a new server, it found the server could then go to the folders but would not read any content of folders. I think it may be just timing out??

Okay, so its extremely limited in capability. I can open folder that are small or do not have a many media files. I can easily open a small folder and open and view a simple text file.

Re: L2TPoIPSEC problems

Wed, 27 Feb 2013 06:54:13 EDT

superataru posted : Mmm.
Using same settings from a WinXP, or Win 7 pc?

said by Anav:

The problem is clear as mud. My policy route is correct. I created an object for my LAN, i suppose I could have used the default LAN1 subnet too. BUT BUT BUT, the IP pool the router assigns is not the same as my LAN and thus theoretically my samsung should not be able to see didly squat even if its on the LAN. At least now when I join my network at home via wifi it gets a LAN IP address.
The other issue is that the router access (and my other policy route here works too) stops at the browser???
Brano I will try ES explorer and report.

Re: L2TPoIPSEC problems

Wed, 27 Feb 2013 06:32:35 EDT

Anav posted : The problem is clear as mud. My policy route is correct. I created an object for my LAN, i suppose I could have used the default LAN1 subnet too. BUT BUT BUT, the IP pool the router assigns is not the same as my LAN and thus theoretically my samsung should not be able to see didly squat even if its on the LAN. At least now when I join my network at home via wifi it gets a LAN IP address.
The other issue is that the router access (and my other policy route here works too) stops at the browser???
Brano I will try ES explorer and report.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment

Re: L2TPoIPSEC problems

Wed, 27 Feb 2013 06:06:16 EDT

Brano posted :

said by Anav:

Also what about accessing shares?

ES File Manager

Re: L2TPoIPSEC problems

Tue, 26 Feb 2013 23:46:14 EDT

superataru posted : Sorry, i have not understood, Anav.

(Yep, users settings have no scalability)

Now you are connected to you remote end point.
You should set L2TP to LAN zone firewall (i use to declare remote-not-overlapping-subnets in the rules) and destination subnet.
Add policy route too, without SNAT on output interface-LAN-interface.

Doesn't work?

Re: L2TPoIPSEC problems

Tue, 26 Feb 2013 23:19:26 EDT

Anav posted : Im assuming you mean the admin router access. Even after checking that box, I get past the certificate check stage but no router menus come up :-((

Also what about accessing shares?

Re: L2TPoIPSEC problems

Tue, 26 Feb 2013 22:55:44 EDT

Brano posted : Seen that before, check ignore don't fragment packets in global ipsec settings.

Re: L2TPoIPSEC problems

Tue, 26 Feb 2013 22:39:22 EDT

Anav posted : I can as admin access the router somewhat. In that I can type in the URL of the router and I get to the unkown certificate do you trust in and proceed phase but never seem to be able to enter the router (yes it switches to Https and hits the right port)

Re: L2TPoIPSEC problems

Tue, 26 Feb 2013 22:02:40 EDT

Anav posted : SUCCESS.... my preshared keys did not match, fixed and I successfully built a tunnel and the user was accepted. So I am halfway there.

On my samsung, how do I check which IP I have?
How do I see my shares?
Should I name the vpn connection name as the same as my LAN name?
Using file explorer or browser didnt seem to do the trick.

I have a connection but how to access ???

Okay couple of thoughts as well to the above dilemma...
I found it very annoying that i could not create a bunch of users as there is more than one of us with smartphone. What I mean is that I could NOT apply a group name to the L2TP VPN SETTINGS for ALLOWED users ----- ONLY a single USer or ANY. WHY is that????????
Do I have to create a separate rule for ever USER??

Second the IP pool I created is probably my problem, it has a different structure than my LAN identified in the ROUTING Policys.
Is this right or wrong and stupid.
If wrong should I simply create firewall rules to allow the L2PT LAN POOL numbers access to the specific shares on the lan desired???

For ex.
my lan is .1.33-xx
my l2tp pool is identified as .100.33-xx

Now I have no lan or dmz in my router setup for .100.0 so HOW CAN the router create a ficticious pool???????

--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment

Re: L2TPoIPSEC problems

Tue, 26 Feb 2013 21:52:06 EDT

Anav posted : Okay on VPN IPSEC CONNECTION TAB, I am using....
ESP-Transport - AES128 - SHA1

On VPN IPSEC GATEWAY TAB, I am using
Main - 3DES - SHA1 - DH2

Re: L2TPoIPSEC problems

Tue, 26 Feb 2013 21:28:44 EDT

Brano posted : Do you have encapsulation set to TRANSPORT in VPN Phase 2?

Re: L2TPoIPSEC problems

Tue, 26 Feb 2013 20:01:03 EDT

Anav posted : No need to start a new thread as this one is relevant enough.
I am now trying to attach my smartphone via VPN to the router and the lan. So far unsuccessful, I have provided my logs as proof of my incompentence LOL. Reading them the only thing that stood out was perhaps a mismatch on pre-shared key, so I will double check that and retry later. IN the meantime if something else looks off please let me know. Running android 4.1.1
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment

Re: L2TPoIPSEC problems

Tue, 05 Feb 2013 09:25:08 EDT

superataru posted : Modify:

FW rules: L2TP -> LAN1

Re: L2TPoIPSEC problems

Mon, 04 Feb 2013 09:20:00 EDT

superataru posted :

said by Brano:

1) Upgrade to the latest FW »USG series 3.00 (xxx.4) firmware is out!
2) Follow instructions here »L2TP VPN on USG - quick how-to
and update as per here »L2TP VPN on USG - quick how-to (Win7 updated)

[SOLVED]
Most of all thanks to Brano 's HowTo(s).

All works fine. I have to add some interesting (surely to me) things:

(note: i created a L2TP Zone to make it easier to manage.)

- We need, working on the Internet, that WAN Iface has the Public IP (no chances behind a NAT), or bridge the Router that connects to Internet;
- we need to allow L2TP -> ZYWALL all services we want to allow from client to targets behind the remote USG (while i was thinking L2TP to LAN1, in my case. But, for real, L2TP should be considered Client to Client VPN, so it's correct: ZyWALL works as L2TP Client);

- Performing a ping -t command from L2TP client to remote LAN address ... i had some considerations:

- If we start client behind a remote ZyWALL that has an other IPSec VPN (not nailed up) to same destination USG:
---- L2TP VPNs does not cause the other Tunnel to go up, if it stars as first;
---- If the other Tunnel was already UP: L2TP Vpn take the traffic, and the working one stays up, but just with services related ipsec-service traffic.

Hope it could help.
Please, post here, if you think you i wrote incorrect things.

Re: L2TPoIPSEC problems

Sun, 03 Feb 2013 01:34:29 EDT

superataru posted :

said by Brano:

Tnx mate.
Firewall already have latest firmware.
Going to read how-to.
Tnx so much.
I will report!

Re: L2TPoIPSEC problems

Sun, 03 Feb 2013 01:27:06 EDT

Brano posted : 1) Upgrade to the latest FW »USG series 3.00 (xxx.4) firmware is out!
2) Follow instructions here »L2TP VPN on USG - quick how-to
and update as per here »L2TP VPN on USG - quick how-to (Win7 updated)

L2TPoIPSEC problems

Sun, 03 Feb 2013 01:20:43 EDT

superataru posted : Hi all, folks.
After some Yrs using only IPSEC/SSL, we decided to use Win7-8 / Android laptop/mobiles' clients to reach HQ, too.
So trying to setup L2TP VPNs on USG100 and USG200. Both 3.00(XX4). No Policies before.

It's killing me :-).

At the moment working with a W8 netbook. But also tested with W7 and Tablet with Android 4.3.X.

Remote USG----(internet)---(Router)----(ClavisterSG50)----W8Client

I got IPSEC tunnel (NAT-T)-SitetoSite USG===SG50, if i need, so UDP 500 and 4500 traffic are working fine.

I setup, as manuals say, both end points.

I always have Error 788, back from Windows Client.
Looking USG logs i find that PH1 closes successfully, than USG keeps searching the right VPN connection (among those with dynamic peers) until it declares there is
NO PROPOSAL CHOSEN.

Had a look on: »USG50 with V3.0 L2TP settings lockup Zywall..

and found that:
- Mode is Transport, not Tunnel;
- Needed a TUNNELtoZYWALL rule (allow udp 1701), as after IPSEC rules, device applies rules Tunnel-to Zywall;

From pics i observer ppl using connection with "RemoteAccess(server role)", and Italian User Guide reports Site-to-site with Dynamic Peer, and it's wrong, maybe, as it asks also for "force policy ...." flag, that exists only on "Site-to-site" and "Remote Access (Client Role)" settings.

Where should i correct something (not only in my brain ...)???

Thanks in advance.