L2TP VPN for USG40 not working IOS

cantonim
cantonim Posts: 12  Freshman Member
First Comment First Anniversary
edited April 2021 in Security

Good morning,

I have followed many configuration guides but have not solved the problem. I need to connect IOS mobile devices (versions 12 and 13) to the zyxel USG40 connected via WAN to a modem / router.

1) Create VPN User (Object / User tab)

2) Create WAN, L2TP_POOL and LAN addresses accordingly (L2TP range TO BE completely outside any home / external IP range, that might be in use in either end of the VPN tunnel during VPN utilization - otherwise you may expect trouble ...)

3) Create IPSEC VPN gateway

4) Create VPN connection that uses above created VPN gateway (you can utilize default available or create own)

5) Create L2TP VPN

 

Is it possible to receive a correct guide to configure the l2tp connection for mobile devices?

thanks

All Replies

  • cantonim
    cantonim Posts: 12  Freshman Member
    First Comment First Anniversary
    add version firmware: V4.35(AALA.0)
  • cantonim
    cantonim Posts: 12  Freshman Member
    First Comment First Anniversary

    tested both in easy mode and in expert mode
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    50 Answers 500 Comments Friend Collector Fourth Anniversary

    @cantonim

    Is the USG40 using public IP to access the network or behind another NAT router?

    On VPN profile, you should configure algorithm as below

    In phase 1:

    AES256+SHA256, Key Group=DH14

    In phase 2:

    AES256+SHA1, PFS=none

    Please also share the log message after you established VPN failed?(category select "IKE" )



  • cantonim
    cantonim Posts: 12  Freshman Member
    First Comment First Anniversary

    I succeeded, in the end what was missing in the various guides was the setting in VPN connection, in Related Settings, with its zone.
  • hi if you dont mind can you please explain me how did you do it ? 
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 885  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 500 Comments
    edited November 2021
    Hi @srihiru
    For iOS L2TP.Client used to "main mode" to negotiate.
    Thus It should use ikev1 with main mode. (phase1).
    Meanwhile,Please kindly notice support ciphers of iOS
    In phase 1: AES256+SHA256, Key Group=DH14
    In phase 2: AES256+SHA256, PFS=none
    If the issue persist,Please kindly share the log as well as related configuration in Private message.
    BR
    Kevin
  • warwickt
    warwickt Posts: 111  Ally Member
    5 Answers First Comment Friend Collector Third Anniversary
    Hi cantonim, here are the IKE (VPN Gateway) and Crypto (VPN Connection) configurations for an L2TP connection that work with all  iOS Devices and most legacy L2TP clients.

    This is from our lab USG40 and has been working flawlessly for years (unitl a recent firmware update :'(  )... works fine.

    Works with oldest and seemingly recent iOS phones using their native L2TP inbuilt client.

    The L2TP authentication use here a different authentctaion (not shown here) however just test to group local.. and it will work. (a PSK is used here not a cert) 

    I have attached a txt file with the yellow 'code' statments in here as these dont format well at all in some browsers..  :s

    VPN Gateway.. as other forum members have correctly pointed out , pay attention to the Phase 1 Encryption Proposal offered to the device..
    <div>Router> <b>show ike policy usg40_lab_L2TP_gateway</b>&nbsp;</div><div>IKE policy: usg40_lab_L2TP_gateway</div><div>&nbsp; IKD_ID: 4</div><div>&nbsp; negotiation mode: main</div><div>&nbsp; proposal: 1</div><div>&nbsp; &nbsp; <b>encryption: 3des</b></div><div><b>&nbsp; &nbsp; authentication: sha</b></div><div>&nbsp; SA lifetime: 3600</div><div>&nbsp; key group: group2</div><div>&nbsp; NAT traversal: yes</div><div>&nbsp; dead peer detection: no</div><div>&nbsp; my address: wan1</div><div>&nbsp; &nbsp; type: interface</div><div>&nbsp; secure gateway address: 1</div><div>&nbsp; &nbsp; address: 0.0.0.0</div><div>&nbsp; secure gateway address: 2</div><div>&nbsp; &nbsp; address: 0.0.0.0</div><div>&nbsp; fall back: deactivate</div><div>&nbsp; fall back check interval: 300</div><div>&nbsp; authentication method: pre-share</div><div>&nbsp; pre-shared key: *******************************</div><div>&nbsp; certificate: default</div><div>&nbsp; local ID: 0.0.0.0</div><div>&nbsp; &nbsp; type: ip</div><div>&nbsp; peer ID:&nbsp;</div><div>&nbsp; &nbsp; type: any</div><div>&nbsp; user ID:&nbsp;</div><div>&nbsp; type:&nbsp;</div><div>&nbsp; X-Auth: no</div><div>&nbsp; &nbsp; type:&nbsp;</div><div>&nbsp; &nbsp; method:&nbsp;</div><div>&nbsp; &nbsp; allowed user:&nbsp;</div><div>&nbsp; &nbsp; username:&nbsp;</div><div>&nbsp; &nbsp; password:&nbsp;</div><div>&nbsp; EAP-Auth: no</div><div>&nbsp; &nbsp; type:&nbsp;</div><div>&nbsp; &nbsp; aaa method:&nbsp;</div><div>&nbsp; &nbsp; allowed user:&nbsp;</div><div>&nbsp; &nbsp; allowed auth method: mschapv2</div><div>&nbsp; &nbsp; username:&nbsp;</div><div>&nbsp; &nbsp; auth method: mschapv2</div><div>&nbsp; &nbsp; password:&nbsp;</div><div>&nbsp; VPN connection: usg40_lab_L2TP_connection</div><div>&nbsp; vcp reference count: 0</div><div>&nbsp; IKE_version: IKEv1</div><div>&nbsp; active: yes</div><div>Router></div>
    here is the VPN Connection Crypto config for Phase2 - important for recent iOS devices I recall. Again pay attention to the Phase 2 Encryption Proposals offered to the device..

    <div>Router> <b>show crypto map&nbsp; usg40_lab_L2TP_connection</b></div><div>cryptography mapping: usg40_lab_L2TP_connection</div><div>&nbsp; VPN gateway: usg40_lab_L2TP_gateway</div><div>&nbsp; Gateway IP Version: IPv4</div><div>&nbsp; encapsulation: transport</div><div>&nbsp; active protocol: esp</div><div>&nbsp; transform set: 1</div><div><b>&nbsp; &nbsp; encryption: aes128</b></div><div><b>&nbsp; &nbsp; authentication: sha</b></div><div><b>&nbsp; transform set: 2</b></div><div><b>&nbsp; &nbsp; encryption: 3des</b></div><div><b>&nbsp; &nbsp; authentication: sha</b></div><div>&nbsp; SA lifetime: 3600</div><div>&nbsp; PFS: none</div><div>&nbsp; nail up: no</div><div>&nbsp; scenario: remote-access-server</div><div>&nbsp; l2tp: yes</div><div>&nbsp; local policy: msf_WAN_any_IP_INTERFACE</div><div>&nbsp; remote policy: any</div><div>&nbsp; protocol type: any</div><div>&nbsp; configuration provide:&nbsp; &nbsp;</div><div>&nbsp; &nbsp; mode config: no</div><div>&nbsp; &nbsp; configuration payload: no</div><div>&nbsp; &nbsp; address pool:&nbsp;</div><div>&nbsp; &nbsp; first dns:&nbsp;</div><div>&nbsp; &nbsp; second dns:&nbsp;</div><div>&nbsp; &nbsp; first wins:&nbsp;</div><div>&nbsp; &nbsp; second wins:&nbsp;</div><div>&nbsp; policy enforcement: no</div><div>&nbsp; replay detection: no</div><div>&nbsp; narrowed: yes</div><div>&nbsp; adjust mss: yes</div><div>&nbsp; mss value: 0</div><div>&nbsp; stop rekeying: no</div><div>&nbsp; NetBIOS broadcast over IPSec: no</div><div>&nbsp; outbound SNAT: no</div><div>&nbsp; &nbsp; source:&nbsp;</div><div>&nbsp; &nbsp; destination:&nbsp;</div><div>&nbsp; &nbsp; target:&nbsp;</div><div>&nbsp; inbound SNAT: no</div><div>&nbsp; &nbsp; source:&nbsp;</div><div>&nbsp; &nbsp; destination:&nbsp;</div><div>&nbsp; &nbsp; target:&nbsp;</div><div>&nbsp; inbound DNAT: no</div><div>&nbsp; vcp reference count: 0</div><div>&nbsp; active: yes</div><div>&nbsp; VTI:&nbsp;</div><div>&nbsp; VPN ID: 4</div><div>&nbsp; connected: yes</div><div>&nbsp; connectivity check: no</div><div>&nbsp; &nbsp; check method: none</div><div>&nbsp; &nbsp; IP address: none</div><div>&nbsp; &nbsp; period: none</div><div>&nbsp; &nbsp; timeout: none</div><div>&nbsp; &nbsp; fail tolerance: none</div><div>&nbsp; &nbsp; port: none</div><div>&nbsp; &nbsp; log: no</div><div>&nbsp; rule type: 4in4</div><div>Router></div>
    Note that this same USG40 router ALSO provides an IKEV2 Client gateway (irrelevant here)  for later operating systems/platforms that dont support L2TP.. these coexist equally. 

    Refer to the attachment labusg40_ike_crpto_client_configs.txt should the above formatting be troublesome.

    HTH
    Warwick
    Hong Kong

     
  • Hi @srihiru
    For iOS L2TP.Client used to "main mode" to negotiate.
    Thus It should use ikev1 with main mode. (phase1).
    Meanwhile,Please kindly notice support ciphers of iOS
    In phase 1: AES256+SHA256, Key Group=DH14
    In phase 2: AES256+SHA256, PFS=none
    If the issue persist,Please kindly share the log as well as related configuration in Private message.
    BR
    Kevin
    Thank you i changed it and worked , thank you 

Security Highlight