How to set up USG40 as VPN behind another router (FritzBox)

lion Posts: 4
edited April 2021 in Security
Dear all,

I have been trying to set up the USG40 as the VPN for my environment behind a Fritzbox router, but I am currently stuck with a "Match default rule, DROP" message. The VPN is actually accessible through the WAN IP when I am connected to the Fritzbox router, but I cannot access the VPN when connected to another Wi-Fi connection or to mobile hotspot data. I have been looking around in other Q&As and it seems that I have to configure the NAT in order to connect to the VPN from other Wi-Fi connections. Would anyone be able to shed some light on this matter? I am not so sure whether I should pick Virtual Server or 1:1 NAT. Furthermore, I am not so sure what exactly the Internal IP should be.

Thanks in advance!

All Replies

  • Alfonso Posts: 257  Master Member
    Hi @lion

    I suppose you are trying to establish a VPN from anywhere outside your network to the USG40, but the USG is behind a Fritzbox router (and I suppose your public IP address is on the WAN interface of the Fritzbox).

    In that scenario, NAT rules must be configured on the Fritzbox. It depends on the VPN, but in most cases the following 1:1 NAT rules should be configured:

    - Port 500 UDP (ISAKMP)
    - ESP (IP protocol 50) and AH (IP protocol 51)
    - Port 4500 UDP (IKEv2)
  • lion Posts: 4
    Hi @Alfonso

    Thank you for your answer. Unfortunately that does not solve the problem.
    The port forwarding for UDP 500, UDP 4500 and ESP is enabled, but it is not possible to forward AH in the Fritzbox.

    After enabling logging for some more rules I'm getting the following message, which seems to be the problem:

    [ID] : Tunnel [WIZ_L2TP_VPN] Phase 2 Local policy mismatch

    I also tried to change the local policy but no luck.

    Do you have any further suggestions?
    Thanks in advance.
  • Alfonso Posts: 257  Master Member
    Hi @lion

    So the issue is related to Phase 2.

    Phase 1 is IKE, where you start things out. Diffie-Hellman is used to set up your negotiation and the setup of your traffic-encryption keys to get started. Your IKE SA will be completed here.

    Phase 2 is IPSec (ISAKMP), where you get into the specifics you set up in your policies to have your keys set. These are the traffic keys themselves, and the traffic is getting encrypted here. An IPSec SA is present if everything goes well.

    Phase 2 is already expecting the key information, but it comes FROM Phase 1.

    Which clients are trying to connect? Android phones? iOS phones?
  • lion Posts: 4
    Hi @Alfonso

    I tried to connect PCs with Windows 10 using the built-in VPN client.

    Phase 1 seems to work fine since I'm getting a message, stating that it was completed.
  • Alfonso Posts: 257  Master Member
    Answer ✓
    Hi @lion

    L2TP/IPSec problems on Windows 10 are known.

    A quick solution is to execute the following and reboot the PC:

    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f

    But I suggest reading the following links:

    https://superuser.com/questions/1298513/l2tp-ipsec-vpn-fails-to-connect-on-windows-10-works-fine-on-ios
    https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#windows

    I hope it helps you.

    Best regards
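    As an added example (not part of Alfonso's answer or of any Zyxel/Microsoft documentation), this PowerShell script inspects the PolicyAgent value named above before changing it and sets it to 2, the setting that covers the situation in this thread: the Windows client is behind a hotspot's NAT and the USG40 is behind the Fritzbox's NAT. It assumes an elevated PowerShell session and, like the REG ADD command, requires a reboot to take effect.

```powershell
# Added example: check and set the IPsec NAT-T rule for Windows' built-in
# L2TP/IPsec client. Run as Administrator; reboot afterwards.
$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$name = 'AssumeUDPEncapsulationContextOnSendRule'

# Meaning of the DWORD values (Microsoft's documented semantics for this key):
#   0 = default: no NAT-T security associations to a server behind NAT
#   1 = the VPN server may be behind a NAT device
#   2 = both the client and the server may be behind NAT (this thread's case)
$desired = 2

# Read the current value; the property is absent on a stock install,
# which behaves the same as 0.
$item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
$current = if ($null -ne $item) { $item.$name } else { $null }

if ($null -eq $current) {
    Write-Host "$name is not set (Windows behaves as if it were 0)."
} else {
    Write-Host "$name is currently $current."
}

if ($current -ne $desired) {
    # -Force overwrites an existing value or creates it if missing,
    # equivalent to the REG ADD ... /f command in the answer above.
    New-ItemProperty -Path $path -Name $name -PropertyType DWord `
        -Value $desired -Force | Out-Null
    Write-Host "Set $name to $desired. Reboot the PC so PolicyAgent reloads it."
} else {
    Write-Host "Already set to $desired; nothing to change."
}

# Verify what is stored now.
(Get-ItemProperty -Path $path -Name $name).$name
```

    Before applying this on a managed machine, confirm the policy is not already enforced by Group Policy, since a GPO-managed key will be reset at the next refresh.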
  • lion Posts: 4
    Hi @Alfonso

    Thank you so much! It finally works :)
  • Alfonso Posts: 257  Master Member
    Hi @lion

    It sounds great. Nice to help you.