L2TP on Windows 10, both firewall and client behind NAT, cannot connect.

AndreaTosi
AndreaTosi Posts: 14  Freshman Member
edited April 14 in Security
Hi everyone,
I finished migrating our business from mixed Zywalls to VPNxxx under SDWAN.
Now I see our 8 branches connected to our main site... yay!

New problem is: I need to grant external users an access to internal resources. To keep an easy example: i'd like to let a single user connect his Windows 10 Pro computer to our main site.

I went in main site's device configuration, Enabled "VPN Client to AutoVPN", selected the correct WAN interface, selected "local user", create a new user and sent configuration file.
Since my firewall AND client are behind a Nat, enabled "support servers behind nat".
In my router's configuration, opened 3 nat rules, 500, 4500, 1701 (both tcp/udp) to firewall's wan IP.

Client side, imported the L2TP VPN. BUT i'm stuck at Windows being unable to negotiate encryption parameters...
Already modified registry with this entry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002

I keep getting RAS error 788. Everything i've read so far doesn't get me to a working connection...
In my firewall's logs i keep reading:
ISAKMP SA [] is disconnected
The cookie pair is : 0xc34d09542c0b343b / 0x0000000000000000
Recv Main Mode request from [5.ZZ.XX.YY]
[SA] : No proposal chosen
Send:[NOTIFY:NO_PROPOSAL_CHOSEN]
Recv:[SA][VID][VID][VID][VID][VID][VID][VID][VID]
Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 384 bit ECP, AES CBC key len = 128, 256 bit ECP, 2048 bit MODP, 3DES, 1024 bit MODP; ).

Any help you'd like to share would be very appreciated... Thanks!
  Andrea

P.S. during migration, I HAD to edit default Organization/OrgPlan/IPSec Policy, now they are as follows:
Encryption: AES128
Authentication: SHA1
DH Group: 2
PFS: 2
Tryied various combination but to no avail ...

Comments

  • AndreaTosi
    AndreaTosi Posts: 14  Freshman Member
    :s Resolved my issue by buying an 8IP subnet from my ISP and assigned directly to the WAN1 port.
    Anyone has ever successfully created a natted l2tp ?
  • mMontana
    mMontana Posts: 128  Ally Member
    At least 5 times... did you specify the correct public IP Address into the network section?
    Which is your ISP?
  • AndreaTosi
    AndreaTosi Posts: 14  Freshman Member
    thank you, mMontana, for replying... I'll leave it as it is now, with a public IP on my wan interface.
    Since i'm on a SDWAN device, i have no power on what parameters goes where in l2tp configuration.
    Next sdwan firewall I'll have to remotely connect i'll double check and update this post...
    Bye!

  • mMontana
    mMontana Posts: 128  Ally Member
    I beg your pardon... i was referring to my activity on USG devices (3.x and 4.x firmware version), I lost in your post you were referring to VPNxxx Devices from Zyxel.
  • AndreaTosi
    AndreaTosi Posts: 14  Freshman Member
    no problem! thanks for letting me know it works on other devices!
Sign In to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click on this button!