lion06

join:2013-04-03

2 edits

L2TP USG 50 - Phase 2 Local Policy mismatch

[Screenshots attached: Phase1, Phase2, L2TP, Firewall rules, IP WAN, Pool IP]
Hello everyone! I've been reading this guide of Brano's for three days and now it is in my heart.
I had some doubts, so I did a reset of my USG 50.
I'm freaking out: my USG is the same as Brano's, but I still read "Phase 2 Local Policy mismatch".
The only difference is that I have an ADSL router (192.168.1.1) that forwards all TCP/UDP ports to the USG WAN port (192.168.1.2).
Zywall is so cool... when it works :P

PS
I read the WIN7 update too


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
I'm sure we are all overjoyed with Brano's new love interest but back to the matter of concern.

Please post your associated VPN IPSec pages (2), L2TP page (1) and firewall rule page (1). Scratch out any public IP addresses.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
reply to lion06
What's the connecting client? Win? Android? iOS? What version?
What is the purpose of the Netgear NAT in front of USG? Any chance you can get rid of the NAT?

Post a screenshot from your Phase 2 settings.

lion06

join:2013-04-03
reply to lion06
Thanks for all these questions.
I updated the first post with all screenshots of my USG50.

The problem appears (same log error) with Windows 7 SP1 and with Android 4.2.2.

I have an ADSL internet connection (PPPoA) so I need a modem.
My Netgear has 1 rule: all TCP/UDP ports redirect to the USG50. In fact I have an FTP server in my DMZ and everything has worked fine for 1 year.

USG SSL VPN works fine too, but now I have VPN with Android and Windows without SSL.

JPedroT

join:2005-02-18
kudos:1
Why does your LAN range on the USG say 192.168.100.x/24 and the network drawing say 192.168.3.x/24 for the LAN?
--
"Perl is executable line noise, Python is executable pseudo-code."


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to lion06
(1) Well JP, I would say the nomenclature of the pool is not critical as long as it does not match some other LAN structure; apparently it needs to be unique. So IMHO and rather inexperienced (no formal training, complete layperson boob), nothing wrong with the L2TP pool.

(2) What we are not seeing is the policy route associated with this.
The policy route will identify the source (LAN where the tunnel pops into), the destination (L2TP LAN pool), and the next hop - the identified VPN tunnel name - L2TP_VPN_Connection. This may help!

(3) I did note the interface is not shown for the VPN gateway, perhaps to protect addresses, but that is a missing piece (but not necessarily needed here: edit, maybe critical?).

(4) What is throwing me off is the Netgear in between, as I am not used to seeing the Local Policy in the IPSec connection being a LAN IP address vice a WAN IP. Okay, I checked the diagram and it looks like the address is okay with respect to physical placement of the units, assuming the WAN IP of the USG is 192.168.1.2 (within the LAN structure of the Netgear).

(5) So I went to look at the definition of L2TP_IP_WAN and lo and behold it states WAN2 TISCAL. Okay, is that a funky name used for the object 192.168.1.2??

(6) We need to know if the gateway associated has the IP 192.168.1.2 and a proper subnet mask identified. In other words, perhaps the problem is the mysterious object WAN2 TISCAL??

(7) Back to being befuddled by the Netgear: is it transparent in all this? How does traffic flow in and out of it without mentioning it or its WAN IP anywhere in the mix????

Did I mention this is fun!!
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment

lion06

join:2013-04-03
reply to lion06
[Screenshots attached: Policy Route, Ethernet page, WAN-TISCAL, Firewall Netgear DG834]
(2) Here are my Policy Routes :)
(3) I don't understand exactly what you mean :(
(4) The Netgear has 4 ethernet ports RJ45 + 1 RJ11 (for the ADSL connection).
RJ11 is for the telephone cable and it is a WAN port with a public static IP.
One RJ45 is a LAN port with IP 192.168.1.1; my server has gateway 192.168.1.2 (USG50) and my USG50 uses 192.168.1.1 as another gateway.
(5) Yes, WAN2-TISCA is just a name, as you can see from my new attachment.
(6) In the ethernet properties I have set "IP Address Assignment" for USG WAN Port 1 IP (192.168.1.2) and the Netgear router as gateway (192.168.1.1), so I can go online.
(7) You should see my last attachment with the Netgear settings. Everything that comes to the Netgear is sent to the USG.

PS: Here you can see my Netgear log when I'm connecting to the VPN:
Thu, 2013-04-04 15:17:25 - UDP Packet - Source:93.xxx.xxx.xxx,500 Destination:217.xxx.xxx.xxx,500 - [Any(ALL) rule match]
Thu, 2013-04-04 15:17:26 - UDP Packet - Source:93.xxx.xxx.xxx,4500 Destination:217.xxx.xxx.xxx,4500 - [Any(ALL) rule match]

93.xxx.xxx.xxx --> IP of my mobile phone
217.xxx.xxx.xxx --> public static IP of my internet connection


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to lion06
Thanks, it looks like your WAN2 TISCAL and settings are copacetic then. The policy route looks funky however.
Try changing the first policy source to be specific to:

user: any
Schedule:none
Incoming: any(Exl
Source: LAN1 Subnet
Destination: L2TP-LAN_Range
any
any
any
Next Hop: L2TP_VPN_Connection (Vpn connection)
preserve
SNAT: None

INACTIVATE the second policy. I have no clue what that does, as it's not in any of the instructions I've read, but just in case it's interfering.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment

lion06

join:2013-04-03
reply to lion06
[Screenshot attached: new policy]
Thanks for your help.
I updated my policy, but the error is still there.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to lion06
Beyond my scope of knowledge then. Hopefully the experts can now take over.

JPedroT

join:2005-02-18
kudos:1
It's not an L2TP problem, it's an IPSec tunnel problem: the Phase 2 settings are not identical on both sides.

The log says the USG sends back a "No Proposal Chosen"; if I remember correctly that means that it was unable to understand what the other side sent over.
Usually due to a wrong encryption method or hashing method.
--
"Perl is executable line noise, Python is executable pseudo-code."

lion06

join:2013-04-03
You are right, but the settings are the same as in
»L2TP VPN on USG - quick how-to (Win7 updated)
(as you can see from my screenshots).
Really, I don't understand where the problem is :(

JPedroT

join:2005-02-18
kudos:1
The problem is easy: the client that connects to the USG sends the wrong information compared to what you have configured on the client.

You need to compare those two.
--
"Perl is executable line noise, Python is executable pseudo-code."

lion06

join:2013-04-03

1 edit
With Android I can set only host, PSK, user ID and password.
How can I compare them?

EDIT: maybe the problem is that I have a router and not a bridge. Tomorrow I will think about that :P


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
reply to lion06
said by JPedroT:

The problem is easy, the client that connects to the USG sends the wrong information compared to what you have configured on the client.

You need to compare those two

In addition, try setting the Local policy to the true WAN IP before the first NAT ... not sure if this is the issue but worth a try.
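A model of the Phase 2 selector check behind the suggestion above, added here as an example (not ZyXEL code and not any poster's code). It assumes the road-warrior client echoes the address it dialled as the gateway-side selector and the USG accepts only if that address is covered by its Local Policy object; 203.0.113.10 is a constructed stand-in for the redacted public IP, and the other addresses are the USG WAN addresses from the thread.

```python
"""Model of the IKE Phase 2 selector check that yields the USG log line
"Phase 2 Local Policy mismatch".  Added example, not ZyXEL or poster code.
Assumption: a road-warrior L2TP/IPsec client (Windows 7, Android) proposes
a transport-mode SA whose gateway-side selector is the address the client
dialled (the public IP).  The gateway accepts only if that selector is
covered by its configured Local Policy object; otherwise it replies
NO_PROPOSAL_CHOSEN.  203.0.113.10 is a constructed stand-in for the public
IP the thread redacts as 217.xxx.xxx.xxx."""
import ipaddress

MISMATCH = "Phase 2 Local Policy mismatch (NO_PROPOSAL_CHOSEN)"
OK = "Phase 2 established"


def phase2_check(local_policy: str, client_dialled: str) -> str:
    """local_policy: USG Local Policy object as a host or subnet in CIDR form.
    client_dialled: address the client connected to, echoed back as the
    responder-side selector.  Returns the outcome the USG would log."""
    policy = ipaddress.ip_network(local_policy, strict=False)
    proposed = ipaddress.ip_network(client_dialled + "/32")
    return OK if proposed.subnet_of(policy) else MISMATCH


def diagnose(local_policy: str, interface_ip: str, public_ip: str) -> str:
    """Explain a mismatch: the usual cause is a Local Policy that covers the
    private WAN interface address while a NAT device in front owns the
    public IP that clients actually dial."""
    result = phase2_check(local_policy, public_ip)
    if result == OK:
        return result
    policy = ipaddress.ip_network(local_policy, strict=False)
    if ipaddress.ip_address(interface_ip) in policy:
        return (f"{result}: Local Policy covers private WAN IP {interface_ip} "
                f"but clients dial {public_ip}; set Local Policy to the "
                "public IP in front of the NAT")
    return result


# Constructed scenarios: (Local Policy, USG WAN interface IP, public IP dialled)
SCENARIOS = {
    "netgear NAT, policy = USG WAN IP": ("192.168.1.2/32", "192.168.1.2", "203.0.113.10"),
    "netgear NAT, policy = public IP": ("203.0.113.10/32", "192.168.1.2", "203.0.113.10"),
    "carrier NAT, policy = ISP DHCP IP": ("10.17.212.108/32", "10.17.212.108", "203.0.113.10"),
}

if __name__ == "__main__":
    for name, args in SCENARIOS.items():
        print(f"{name}: {diagnose(*args)}")
```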

lion06

join:2013-04-03
reply to lion06
A little update.
I bought a bridge and my new ISP gave me a public (and static) IP.
BUT:
my ISP uses a special NAT system, so my USG has a private IP from my ISP's DHCP (10.x.x.x) and if I try to connect with the public IP I get the same error.

I suppose that the problem is that Android connects with the public IP, but the firewall is using the private IP from my ISP.

sigh!

lion06

join:2013-04-03
reply to lion06
[Screenshot attached: new log after new ISP and new bridge]
10.17.212.108 --> INTERFACE IP (from my ISP with a bridge)
31.190.42.20 --> IP of my mobile phone (android)

I'm trying to set up the "NAT" page, but I don't know what I can do... too strange.