L2TP on Windows 10, both firewall and client behind NAT, cannot connect.
AndreaTosi
Hi everyone,
I finished migrating our business from mixed Zywalls to VPNxxx under SDWAN.
Now I see our 8 branches connected to our main site... yay!
New problem is: I need to grant external users access to internal resources. To keep an easy example: I'd like to let a single user connect his Windows 10 Pro computer to our main site.
I went into the main site's device configuration, enabled "VPN Client to AutoVPN", selected the correct WAN interface, selected "local user", created a new user and sent the configuration file.
Since my firewall AND client are behind NAT, I enabled "support servers behind nat".
In my router's configuration, I opened 3 NAT rules, 500, 4500, 1701 (both TCP/UDP) to the firewall's WAN IP.
Client side, I imported the L2TP VPN. BUT I'm stuck at Windows being unable to negotiate encryption parameters...
Already modified the registry with this entry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002
I keep getting RAS error 788. Everything I've read so far doesn't get me to a working connection...
In my firewall's logs I keep reading:
ISAKMP SA [] is disconnected
The cookie pair is : 0xc34d09542c0b343b / 0x0000000000000000
Recv Main Mode request from [5.ZZ.XX.YY]
[SA] : No proposal chosen
Send:[NOTIFY:NO_PROPOSAL_CHOSEN]
Recv:[SA][VID][VID][VID][VID][VID][VID][VID][VID]
Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 384 bit ECP, AES CBC key len = 128, 256 bit ECP, 2048 bit MODP, 3DES, 1024 bit MODP; ).
Any help you'd like to share would be very appreciated... Thanks!
Andrea
P.S. during migration, I HAD to edit default Organization/OrgPlan/IPSec Policy, now they are as follows:
Encryption: AES128
Authentication: SHA1
DH Group: 2
PFS: 2
Tried various combinations but to no avail...
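A small diagnostic, added here as an example and not code from the post or from Zyxel: it expands the compressed "Recv IKE sa" log line quoted above into the individual phase-1 proposals the Windows client offered and checks whether the firewall's IPSec policy (AES128 / SHA1 / DH group 2) matches any of them. It assumes the Zyxel log prints only the attributes that changed from the previous proposal, so unchanged ones carry over, and that a DH group entry closes a proposal; the group-name-to-number table is an assumption as well.

```python
import re

# Constructed from the "Recv IKE sa" line quoted in the post above.
LOG_LINE = ("Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, "
            "HMAC-SHA1 PRF, HMAC-SHA1-96, 384 bit ECP, AES CBC key len = 128, "
            "256 bit ECP, 2048 bit MODP, 3DES, 1024 bit MODP; ).")

# Assumed mapping from the log's DH wording to the DH group numbers the
# Zyxel policy page uses ("DH Group: 2" in the post is 1024 bit MODP).
DH_GROUPS = {"1024 bit MODP": 2, "2048 bit MODP": 14,
             "256 bit ECP": 19, "384 bit ECP": 20}

# Phase-1 policy as edited in the post: Encryption / Authentication / DH Group.
FIREWALL_POLICY = ("AES128", "SHA1", 2)


def parse_proposals(line):
    """Expand the compressed attribute list into (encryption, auth, dh) tuples.

    Assumption: attributes not repeated carry over from the previous
    proposal, and each DH group entry terminates one proposal.
    """
    body = re.search(r"protocol = IKE \(1\), (.*?);", line).group(1)
    enc = auth = None
    proposals = []
    for item in (t.strip() for t in body.split(",")):
        m = re.match(r"AES CBC key len = (\d+)", item)
        if m:
            enc = "AES" + m.group(1)
        elif item == "3DES":
            enc = "3DES"
        elif item == "HMAC-SHA1-96":
            auth = "SHA1"
        elif item.endswith("PRF"):
            continue  # PRF is derived from the auth algorithm; nothing to record
        elif item in DH_GROUPS:
            proposals.append((enc, auth, DH_GROUPS[item]))
    return proposals


def matching_proposal(policy, proposals):
    """Return the first client proposal equal to the firewall policy, or None.

    None corresponds to the NO_PROPOSAL_CHOSEN notify seen in the log.
    """
    return next((p for p in proposals if p == policy), None)


if __name__ == "__main__":
    offered = parse_proposals(LOG_LINE)
    print("Client offered:", offered)
    print("Firewall policy", FIREWALL_POLICY, "matches:",
          matching_proposal(FIREWALL_POLICY, offered))
```

Run against the quoted line, the AES128/SHA1/DH2 policy from the post matches no offered proposal, while each tuple in the printed list is a policy the client would accept.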
Comments
Resolved my issue by buying an 8IP subnet from my ISP and assigned directly to the WAN1 port.
Has anyone ever successfully created a NATted L2TP?
At least 5 times... did you specify the correct public IP Address into the network section?
Which is your ISP?
Thank you, mMontana, for replying... I'll leave it as it is now, with a public IP on my WAN interface.
Since I'm on an SDWAN device, I have no control over which parameters go where in the L2TP configuration.
On the next SDWAN firewall I have to connect to remotely, I'll double check and update this post...
Bye!
I beg your pardon... I was referring to my activity on USG devices (3.x and 4.x firmware versions); I missed that in your post you were referring to VPNxxx devices from Zyxel.
No problem! Thanks for letting me know it works on other devices!