L2TP on Windows 10, both firewall and client behind NAT, cannot connect.

AndreaTosi
edited April 2021 in Security
Hi everyone,
I finished migrating our business from mixed Zywalls to VPNxxx under SDWAN.
Now I see our 8 branches connected to our main site... yay!

New problem is: I need to grant external users access to internal resources. To keep an easy example: I'd like to let a single user connect his Windows 10 Pro computer to our main site.

I went into the main site's device configuration, enabled "VPN Client to AutoVPN", selected the correct WAN interface, selected "local user", created a new user and sent the configuration file.
Since my firewall AND client are behind a NAT, I enabled "support servers behind nat".
In my router's configuration, I opened 3 NAT rules, 500, 4500, 1701 (both TCP/UDP), to the firewall's WAN IP.

Client side, I imported the L2TP VPN. BUT I'm stuck at Windows being unable to negotiate encryption parameters...
Already modified registry with this entry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002

I keep getting RAS error 788. Everything I've read so far doesn't get me to a working connection...
In my firewall's logs I keep reading:
ISAKMP SA [] is disconnected
The cookie pair is : 0xc34d09542c0b343b / 0x0000000000000000
Recv Main Mode request from [5.ZZ.XX.YY]
[SA] : No proposal chosen
Send:[NOTIFY:NO_PROPOSAL_CHOSEN]
Recv:[SA][VID][VID][VID][VID][VID][VID][VID][VID]
Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 384 bit ECP, AES CBC key len = 128, 256 bit ECP, 2048 bit MODP, 3DES, 1024 bit MODP; ).

Any help you'd like to share would be very appreciated... Thanks!
  Andrea

P.S. during migration, I HAD to edit default Organization/OrgPlan/IPSec Policy, now they are as follows:
Encryption: AES128
Authentication: SHA1
DH Group: 2
PFS: 2
Tried various combinations but to no avail...

Comments

  • AndreaTosi
    :s Resolved my issue by buying an 8-IP subnet from my ISP and assigning it directly to the WAN1 port.
    Has anyone ever successfully created a NATed L2TP?
  • mMontana
    At least 5 times... Did you specify the correct public IP address in the network section?
    Which is your ISP?
  • AndreaTosi
    Thank you, mMontana, for replying... I'll leave it as it is now, with a public IP on my WAN interface.
    Since I'm on an SDWAN device, I have no power over which parameters go where in the L2TP configuration.
    The next SDWAN firewall I have to remotely connect to, I'll double check and update this post...
    Bye!
    Bye!

  • mMontana
    I beg your pardon... I was referring to my activity on USG devices (3.x and 4.x firmware versions). I missed in your post that you were referring to VPNxxx devices from Zyxel.
  • AndreaTosi
    No problem! Thanks for letting me know it works on other devices!
