StaggerLee (Member, join:2014-01-19, Sweden)

L2TP/IPsec on USG 50 to Windows Server 2012

Hello,

I tried to connect from the built-in VPN-client on my Mac. It worked on the first try, but on the USG 50 I've tried hundreds of times, without success.

What are recommended settings?

I can't seem to find which encryption schemes WS2012 prefers. Any tool I can use to find out how the Mac client connects?

Most grateful for any tips.

StaggerLee (Member)

Latest news …

It turns out that I can actually connect to the server. RAS gives the server a separate interface called "Internal" that represents all RAS connections. This means I have two interfaces with two separate IP addresses on server side of the VPN:

Internal 192.168.100.1

notice - User - - User lhvpn from l2tp has logged in ZyWALL - 192.168.100.1 - [empty] - Account: lhvpn

I can't help but get the feeling that the problems are routing related, perhaps because the Zywall end of the tunnel doesn't get an IP.

Brano (MVM, join:2002-06-25, Burlington, ON), replying to StaggerLee

I'm still not sure I understand your scenario.

What is on each end of the VPN? USG to MAC? Or USG to WS2012? Or MAC to WS2012?
What kind of VPN? Plain IPSec or L2TP/IPSec?

StaggerLee (Member)

Hehe, sorry for the confusion, and thanks for responding! I've tried all of the above. The Mac was just for testing.

This is what I have now:

L2TP/IPsec
Initiator: WS2012
Responder: USG

At first I wanted plain IPsec, but I simply couldn't get them to react to each other.

One difference from your how-to is that you used the WAN1_PPP interface on the USG. The PPP interfaces require more settings that are not shown in your guide. I used the WAN1 interface, which has the public IP of the USG. I can't tell if that would affect anything and, if so, what.

Brano (MVM)

In my how-to I'm also using wan1_ppp for wan interface so the setup should be pretty much the same.

What problem are you experiencing? Did you see the »L2TP VPN on USG - quick how-to (Win7 updated)

StaggerLee (Member)

Ok, we have similar configs then.

No, I did not see that how-to. Thanks, I'll try it out!

About problems. Well, my setup actually seems to work right now. It's "only" a demand dialed connection, but is there any difference in terms of stability? What is the actual difference?

I also get these log messages about once every second:

Tunnel [L2TP_VPN_GW:L2TP_VPN_Connection:0x00000000] is disconnected

I'm of course curious why I can't get a "normal" site-to-site tunnel to work. I had too many problems with that so I gave up.

Now I'm also building a similar setup but using an old D-Link DFL-800 to build the tunnel, posted it here: »[Help Me] VPN between DFL-800 and Windows Server 2012

StaggerLee (Member)

One disadvantage I discovered with a demand-dial VPN tunnel is that it's not reinitiated after, for example, a reboot, and it can't be initiated from the USG's side. So unless I set up the server to ping the USG (or similar) it will stay down.

StaggerLee (Member)

After a few days of googling and trying out innumerable combinations I managed to connect the two … barely. Many thanks to Brano for his how-to (»L2TP VPN on USG - quick how-to).

I hoped for a site-to-site tunnel, at least that's what I thought most suitable, but I can't get the machines to connect in that mode.

The Windows Server is a virtual host with a public IP. From it I can initiate a demand-dial L2TP/IPsec to the Zywall. I confirmed it by pinging resources on 192.168.17.0 network behind the Zywall from the Server. I could not however ping back.

It seemed, however, that there was some problem with the L2TP connection: the log continued to report it as disconnected and it never showed up in the VPN monitor on the Zywall.

Then I found a log entry on the server:

A connection has been established on port VPN0-127 using interface VPN_Zywall, but the remote side got no IP address.

I did set up the interface as instructed elsewhere with an IP range 192.168.100.100-199. It seems to be a case of unnumbered connections (technet.microsoft.com/en ··· 0).aspx). So I tried to give the interface a static IP instead, but that created other problems.

Anyway, this is how the log looks right now:

notice - Firewall - priority:12, from WAN to ZyWALL, UDP, service VPN_IPSEC, ACCEPT - WinServer:500 - Zywall:500 - ACCESS FORWARD
info - IKE - The cookie pair is : 0x9c4b9982c0cd6b96 / 0x0000000000000000 - WinServer:500 - Zywall:500 - IKE_LOG
info - IKE - Recv Main Mode request from [WinServer] - WinServer:500 - Zywall:500 - IKE_LOG
info - IKE - The cookie pair is : 0xcd31df7f97646d9e / 0x9c4b9982c0cd6b96 [count=5] - WinServer:500 - Zywall:500 - IKE_LOG
info - IKE - Recv:[SA][VID][VID][VID][VID][VID][VID][VID][VID] - WinServer:500 - Zywall:500 - IKE_LOG
info - IKE - The cookie pair is : 0x9c4b9982c0cd6b96 / 0xcd31df7f97646d9e [count=9] - Zywall:500 - WinServer:500 - IKE_LOG
info - IKE - Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID] - Zywall:500 - WinServer:500 - IKE_LOG
info - IKE - Recv:[KE][NONCE][PRV][PRV] - WinServer:500 - Zywall:500 - IKE_LOG
info - IKE - Send:[KE][NONCE][PRV][PRV] - Zywall:500 - WinServer:500 - IKE_LOG
info - IKE - Recv:[ID][HASH] - WinServer:500 - Zywall:500 - IKE_LOG
info - IKE - Send:[ID][HASH] - Zywall:500 - WinServer:500 - IKE_LOG
info - IKE - Phase 1 IKE SA process done - Zywall:500 - WinServer:500 - IKE_LOG
info - IKE - Recv:[HASH][SA][NONCE][ID][ID] - WinServer:500 - Zywall:500 - IKE_LOG
info - IKE - Send:[HASH][SA][NONCE][ID][ID] - Zywall:500 - WinServer:500 - IKE_LOG
notice - Firewall - priority:12, from WAN to ZyWALL, service VPN_IPSEC, ACCEPT - WinServer - Zywall - ACCESS FORWARD
error  IPSec - SPI: 0x95fa2c28 (2516200488) SEQ: 0x1 (1) No rule found, Dropping ESP packet - WinServer - Zywall - ipsec
info - IKE - Recv:[HASH] - WinServer:500 - Zywall:500 - IKE_LOG
notice - Firewall - priority:13, from TUNNEL to ZyWALL, UDP, service L2TP-UDP, ACCEPT - - WinServer:1701 - Zywall:1701 - ACCESS FORWARD
info - IKE - [Responder:Zywall][Initiator:WinServer] - Zywall:500 - WinServer:500 - IKE_LOG
info - IKE - [Policy: ipv4(udp:1701,Zywall)-ipv4(udp:1701,WinServer)] - Zywall:500 - WinServer:500 - IKE_LOG
info - IKE - [ESP aes-cbc|hmac-sha1-96][SPI 0x95fa2c28|0xcdeb4262][Lifetime 250000 kilobytes 3640 seconds] - Zywall:500 - WinServer:500 - IKE_LOG
info - IKE - Dynamic Tunnel [L2TP_VPN_GW:L2TP_VPN_Connection:0xcdeb4262] built successfully - Zywall:500 - WinServer:500 - IKE_LOG
notice - User - - User lhvpn from l2tp has logged in ZyWALL - 192.168.100.1 - [empty] - Account: lhvpn
info - L2TP Over IPSec - User lhvpn has been granted an L2TP over IPSec session. - Zywall:1701 - WinServer:1701 - L2TP_LOG
notice - Firewall - priority:7, from TUNNEL to ANY, ICMP Type:8, service others, ICMP Type:8, ACCEPT [count=2] - 192.168.100.1 - 192.168.17.38 - ACCESS FORWARD
error - IPSec - SPI: 0x0 (0) SEQ: 0x0 (0) No rule found, Dropping Unknown(1) packet [count=2] - 192.168.17.34 - 192.168.100.100 - ipsec
 

The last dropped packet is me pinging from the Zywall LAN to the server.

If anybody has any ideas on how I should go about solving this, please share your thoughts. I'm happy to provide screendumps or a list of settings, but I don't know where to begin.

Thanks!

StaggerLee (Member)

Ok, another go at site-to-site. Here's the log from the USG:

2014-01-26 19:47:35 - info - IKE - ISAKMP SA [IPsec_VPN_GW] is disconnected - USG50:500 - WS2012:500 - IKE_LOG
2014-01-26 19:47:35 - info - IKE - The cookie pair is : 0x13d431ea13fd81db / 0xd240e1ce1890c389 - USG50:500 - WS2012:500 - IKE_LOG
2014-01-26 19:47:35 - info - IKE - Recv:[NOTIFY:NO_PROPOSAL_CHOSEN] - WS2012:500 - USG50:500 - IKE_LOG
2014-01-26 19:47:35 - info - IKE - The cookie pair is : 0xd240e1ce1890c389 / 0x13d431ea13fd81db - WS2012:500 - USG50:500 - IKE_LOG
2014-01-26 19:47:35 - info - IKE - Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID] - USG50:500 - WS2012:500 - IKE_LOG
2014-01-26 19:47:35 - info - IKE - Send Main Mode request to [WS2012] - USG50:500 - WS2012:500 - IKE_LOG
2014-01-26 19:47:35 - info - IKE - Tunnel [IPsec_VPN_Connection] Sending IKE request - USG50:500 - WS2012:500 - IKE_LOG
2014-01-26 19:47:35 - info - IKE - The cookie pair is : 0x13d431ea13fd81db / 0x0000000000000000 [count=3] - USG50:500 - WS2012:500 - IKE_LOG

So at this stage the problem is IKE phase 1. The Windows log is unfortunately in Swedish, but basically it says "Unknown authentication" and "Policy match error".

Only 3DES-SHA1-D2 on both sides.
SA life time: 1440 min on both sides.
AH, ESP, NATT, IKE are allowed in the USG50 firewall.
The WS2012 firewall is off.

Ideas?
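An added example (my own code, not from the thread or from ZyXEL) that reads the USG log format quoted in this post and in the demand-dial post above: it splits the "severity - category - message - source - destination - tag" lines, tracks phase 1, pulls the phase-2 selector out of the "[Policy: ...]" line and explains each "No rule found, Dropping" entry against that selector, which is what the dropped LAN ping to 192.168.100.100 comes down to. The sample lines are constructed from the two quoted logs, and the explanations are the usual reading of those messages, not ZyWALL documentation.

```python
import re

# Constructed sample in the USG "severity - category - message - src - dst - tag" shape (names from both quoted logs)
SAMPLE_LOG = """\
info - IKE - Phase 1 IKE SA process done - Zywall:500 - WinServer:500 - IKE_LOG
error  IPSec - SPI: 0x95fa2c28 (2516200488) SEQ: 0x1 (1) No rule found, Dropping ESP packet - WinServer - Zywall - ipsec
info - IKE - [Policy: ipv4(udp:1701,Zywall)-ipv4(udp:1701,WinServer)] - Zywall:500 - WinServer:500 - IKE_LOG
info - IKE - Dynamic Tunnel [L2TP_VPN_GW:L2TP_VPN_Connection:0xcdeb4262] built successfully - Zywall:500 - WinServer:500 - IKE_LOG
notice - User - - User lhvpn from l2tp has logged in ZyWALL - 192.168.100.1 - [empty] - Account: lhvpn
error - IPSec - SPI: 0x0 (0) SEQ: 0x0 (0) No rule found, Dropping Unknown(1) packet [count=2] - 192.168.17.34 - 192.168.100.100 - ipsec
info - IKE - Recv:[NOTIFY:NO_PROPOSAL_CHOSEN] - WS2012:500 - USG50:500 - IKE_LOG
"""

POLICY_RE = re.compile(r"\[Policy: ipv4\((\w+):(\d+),([^)]+)\)-ipv4\((\w+):(\d+),([^)]+)\)\]")
COUNT_RE = re.compile(r"\[count=(\d+)\]")

def parse_line(line):
    """Split one log line; src/dst/tag are taken from the right because the message may contain ' - '."""
    line = re.sub(r"^(\w+)\s{2,}(\w+)", r"\1 - \2", line.strip())  # the 'error  IPSec' variant lacks the dash
    parts = line.split(" - ")
    if len(parts) < 6:
        return None
    return {"sev": parts[0], "cat": parts[1], "msg": " - ".join(parts[2:-3]),
            "src": parts[-3], "dst": parts[-2], "tag": parts[-1]}

def analyze(text):
    """Track IKE progress, the negotiated phase-2 selector and every 'No rule found' drop, then explain the drops."""
    r = {"phase1": False, "no_proposal": False, "policy": None, "drops": [], "findings": []}
    for raw in text.splitlines():
        if (rec := parse_line(raw)) is None:
            continue
        msg = rec["msg"]
        r["phase1"] |= "Phase 1 IKE SA process done" in msg
        r["no_proposal"] |= "NO_PROPOSAL_CHOSEN" in msg
        if m := POLICY_RE.search(msg):
            r["policy"] = {"proto": m.group(1), "port": int(m.group(2)), "hosts": {m.group(3), m.group(6)}}
        if "No rule found, Dropping" in msg:
            c = COUNT_RE.search(msg)
            r["drops"].append((rec["src"], rec["dst"], int(c.group(1)) if c else 1))
    pol = r["policy"]
    for src, dst, n in r["drops"]:
        if pol and (src not in pol["hosts"] or dst not in pol["hosts"]):
            # L2TP/IPsec protects only udp/1701 between the endpoints; LAN traffic has to ride the PPP link
            r["findings"].append(f"{n}x {src}->{dst}: outside the {pol['proto']}/{pol['port']} selector, route it through the L2TP/PPP link instead")
        else:
            r["findings"].append(f"{n}x {src}->{dst}: ESP from an endpoint before its SA was installed")
    if r["no_proposal"]:
        r["findings"].append("NO_PROPOSAL_CHOSEN: phase 1 proposals differ (encryption, hash, DH group, auth method)")
    return r
```

Run `analyze(SAMPLE_LOG)["findings"]` to get one line per drop plus the phase-1 mismatch note; feed it the real log by reading the file into `text` instead of the constructed sample.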

StaggerLee (Member)

I left my setup, went to see The Hobbit (not recommended) and on my way home I secretly prayed that I would suddenly understand what I had missed. Sitting down and trying to connect the tunnel, to my enormous surprise it worked!