Re: Zywall L2TP VPN problems due to "no L2TP IPSEC protection"
Same behavior from an android device, so it looks like this is something on the zywall side...
After some more debugging, I found this in the debug log on the zywall. Looks like the IPSEC tunnel comes up, but there is some sort of L2TP layer issue. Any suggestions as to where to look to resolve this?
995 2014-11-07 10:58:16 6.6.6.6:1701 3.3.3.3:57537 debug l2tp-over-ipsec L2TP_LOG Terminating tunnel request thread.
996 2014-11-07 10:58:16 debug ike IKE_LOG Reason: No IPSec protection for the L2TP tunnel
997 2014-11-07 10:58:16 debug ike IKE_LOG Message: Tunnel request rejected
998 2014-11-07 10:58:16 debug l2tp-over-ipsec L2TP_LOG Remote L2TP peer 3.3.3.3:57537
999 2014-11-07 10:58:16 debug l2tp-over-ipsec L2TP_LOG Local L2TP peer 6.6.6.6:1701
1000 2014-11-07 10:58:16 debug l2tp-over-ipsec L2TP_LOG L2TP [Responder, incoming-call] negotiation failed:
1001 2014-11-07 10:58:16 6.6.6.6:1701 3.3.3.3:57537 debug l2tp-over-ipsec L2TP_LOG No IPSec protection for L2TP tunnel
1002 2014-11-07 10:58:16 6.6.6.6:1701 3.3.3.3:57537 debug l2tp-over-ipsec L2TP_LOG Looking up IPSec SA for the L2TP tunnel
1003 2014-11-07 10:58:13 3.3.3.3:57537 debug l2tp-over-ipsec L2TP_LOG Retransmit L2TP packet: outage: 1, ack_count=0, timeout=2, #packets=1
1004 2014-11-07 10:58:11 3.3.3.3:57537 debug l2tp-over-ipsec L2TP_LOG Retransmit L2TP packet: outage: 1, ack_count=0, timeout=2, #packets=1
1005 2014-11-07 10:58:09 3.3.3.3:57537 debug l2tp-over-ipsec L2TP_LOG Retransmit L2TP packet: outage: 1, ack_count=0, timeout=2, #packets=1
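A small parser for the debug-log rows quoted above, added here as an example (it is not code from the original post or from Zyxel): it puts the rows back into chronological order (the box lists newest first), pairs each row with its peer, counts the L2TP retransmits, and pulls out the IKE "Reason:" line, so the retransmit-then-reject sequence is visible at a glance. It assumes the column layout seen in these lines (sequence number, date, time, zero to two endpoints, level, module, tag, message), that with two endpoints the first is the local L2TP socket and the second the remote peer, and that a higher sequence number means an older row, as it does in this excerpt.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Debug-log rows exactly as pasted in the post above (6.6.6.6 and 3.3.3.3 are the
# post's own placeholder addresses). The unit prints the newest row first.
SAMPLE_LOG = """\
995 2014-11-07 10:58:16 6.6.6.6:1701 3.3.3.3:57537 debug l2tp-over-ipsec L2TP_LOG Terminating tunnel request thread.
996 2014-11-07 10:58:16 debug ike IKE_LOG Reason: No IPSec protection for the L2TP tunnel
997 2014-11-07 10:58:16 debug ike IKE_LOG Message: Tunnel request rejected
998 2014-11-07 10:58:16 debug l2tp-over-ipsec L2TP_LOG Remote L2TP peer 3.3.3.3:57537
999 2014-11-07 10:58:16 debug l2tp-over-ipsec L2TP_LOG Local L2TP peer 6.6.6.6:1701
1000 2014-11-07 10:58:16 debug l2tp-over-ipsec L2TP_LOG L2TP [Responder, incoming-call] negotiation failed:
1001 2014-11-07 10:58:16 6.6.6.6:1701 3.3.3.3:57537 debug l2tp-over-ipsec L2TP_LOG No IPSec protection for L2TP tunnel
1002 2014-11-07 10:58:16 6.6.6.6:1701 3.3.3.3:57537 debug l2tp-over-ipsec L2TP_LOG Looking up IPSec SA for the L2TP tunnel
1003 2014-11-07 10:58:13 3.3.3.3:57537 debug l2tp-over-ipsec L2TP_LOG Retransmit L2TP packet: outage: 1, ack_count=0, timeout=2, #packets=1
1004 2014-11-07 10:58:11 3.3.3.3:57537 debug l2tp-over-ipsec L2TP_LOG Retransmit L2TP packet: outage: 1, ack_count=0, timeout=2, #packets=1
1005 2014-11-07 10:58:09 3.3.3.3:57537 debug l2tp-over-ipsec L2TP_LOG Retransmit L2TP packet: outage: 1, ack_count=0, timeout=2, #packets=1
"""

# One row: <seq> <date> <time> [<endpoint> [<endpoint>]] <level> <module> <tag> <message>
# Assumption taken from the sample: with two endpoints the first is the local L2TP
# socket (port 1701) and the second the remote peer; with one, it is the remote peer.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?:(?P<ep1>\d{1,3}(?:\.\d{1,3}){3}:\d+)\s+)?"
    r"(?:(?P<ep2>\d{1,3}(?:\.\d{1,3}){3}:\d+)\s+)?"
    r"(?P<level>\w+)\s+(?P<module>[\w-]+)\s+(?P<tag>\w+)\s+(?P<msg>.*)$"
)


@dataclass
class Event:
    seq: int
    ts: datetime
    local: Optional[str]
    remote: Optional[str]
    module: str
    msg: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one row; return None for anything that does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ep1, ep2 = m["ep1"], m["ep2"]
    local, remote = (ep1, ep2) if ep2 else (None, ep1)
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    return Event(int(m["seq"]), ts, local, remote, m["module"], m["msg"])


def parse_log(text: str) -> list[Event]:
    """Return all parseable rows in chronological order.

    Within the same second the sequence number decides: in this excerpt it grows
    as the log goes back in time (seq 1005 is the oldest row), so higher seq first.
    """
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: (e.ts, -e.seq))
    return events


def summarize(text: str) -> dict:
    """Condense one failed L2TP-over-IPsec attempt into the facts to check first."""
    events = parse_log(text)
    reason = next((e.msg.split(":", 1)[1].strip() for e in events
                   if e.module == "ike" and e.msg.startswith("Reason:")), None)
    return {
        "local_peer": next((e.local for e in events if e.local), None),
        "remote_peer": next((e.remote for e in events if e.remote), None),
        "retransmits": sum(1 for e in events if e.msg.startswith("Retransmit L2TP packet")),
        "sa_lookup": any(e.msg.startswith("Looking up IPSec SA") for e in events),
        "negotiation_failed": any("negotiation failed" in e.msg for e in events),
        "reason": reason,
        "first_ts": events[0].ts if events else None,
        "last_ts": events[-1].ts if events else None,
    }


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev.ts.time(), ev.seq, ev.remote or "-", ev.msg)
    print(summarize(SAMPLE_LOG))
```

Run on the excerpt, the summary reports three L2TP retransmits from 3.3.3.3:57537 over seven seconds before the responder looks up an IPsec SA for the tunnel and records "No IPSec protection for the L2TP tunnel", i.e. the L2TP control traffic arriving at 6.6.6.6:1701 was not matched to any IPsec SA. That is the line to keep in view when comparing gateway settings with the replies further down.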
SG79 (Member, joined 2009-05-27, New York, NY)
2014-Nov-11 12:47 am
What type of encryption are you using? I had to change my encryption cipher (decrease strength) to get the VPN to work with Android / iOS devices.
I tried several different changes to encryption settings while trying to debug this, and nothing seemed to work. Also, from the logs, it looks like the IPSEC tunnel does get established, and it's running into a problem with the L2TP layer after the tunnel is up (so that would seem to me that the ciphers are OK - but maybe I don't fully understand how this works)...
But in any event, I currently have the following ciphers enabled:
Phase 1: Neg Mode: Main
  1. 3DES-SHA1
  2. AES128-SHA1
  Key Group: DH2
Phase 2: Encaps: Transport
  1. AES256-SHA1
  2. AES128-SHA1
  3. 3DES-SHA1
  PFS: none
If you don't mind posting what you're using successfully, that would be great! Also, I assume you have this working on FW 4.10(AAAA.1)? Did you have the VPN configured before upgrading? I had to do the "double-upgrade" (if I remember correctly) from 3.10->3.20, and then 3.20->4.10. Before the upgrade I had a regular IPSEC tunnel working with the ShrewSoft client from Win7, and also an L2TP/IPSEC tunnel working from both iOS and Android. After the double-upgrade, ShrewSoft was still working, but iOS/Android are now broken....
Thanks!
For me, USG 40 4.10(AAA.1) using my Samsung Note2 4.3 Android. I have AES256 MD5, AES256 SHA1, 3DES SHA1. Local policy address object for host 0.0.0.0.
For the VPN gateway: negotiation mode Main, AES256 SHA1, AES256 MD5, key group DH2, NAT traversal checked, My Address: interface address object of my WAN interface.
The key for me was the My Address setting in the gateway. I had to use an address object of type interface, my WAN interface. It seems my version of Android only sends the VPN server's address (the USG) in the negotiation. Until I set that, my negotiation would fail.
Thanks. Unfortunately matching your settings didn't help for me .... Argh.
Can anyone post the relevant settings for a Zywall 110 with a working L2TP VPN between FW v4.10(AAAA.1) and iOS 8.1?
Thanks....