L2TP on Windows 10, both firewall and client behind NAT, cannot connect.
edited April 2021 in Security
I finished migrating our business from mixed Zywalls to VPNxxx under SDWAN.
Now I see our 8 branches connected to our main site... yay!
New problem is: I need to grant external users access to internal resources. To keep an easy example: I'd like to let a single user connect his Windows 10 Pro computer to our main site.
I went into the main site's device configuration, enabled "VPN Client to AutoVPN", selected the correct WAN interface, selected "local user", created a new user and sent the configuration file.
Since my firewall AND client are behind a NAT, I enabled "support servers behind NAT".
In my router's configuration, I opened 3 NAT rules, 500, 4500, 1701 (both TCP/UDP) to the firewall's WAN IP.
Client side, imported the L2TP VPN. BUT I'm stuck at Windows being unable to negotiate encryption parameters...
Already modified registry with this entry:
I keep getting RAS error 788. Everything I've read so far doesn't get me to a working connection...
In my firewall's logs I keep reading:
ISAKMP SA is disconnected
The cookie pair is : 0xc34d09542c0b343b / 0x0000000000000000
Recv Main Mode request from [5.ZZ.XX.YY]
[SA] : No proposal chosen
Recv IKE sa: SA( protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 384 bit ECP, AES CBC key len = 128, 256 bit ECP, 2048 bit MODP, 3DES, 1024 bit MODP; ).
Any help you'd like to share would be very appreciated... Thanks!
P.S. during migration, I HAD to edit default Organization/OrgPlan/IPSec Policy, now they are as follows:
DH Group: 2
Tried various combinations but to no avail ...
Resolved my issue by buying an 8IP subnet from my ISP and assigned directly to the WAN1 port.
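As an added diagnostic example (not from the original post and not Zyxel's own code): a small Python parser for the "Recv IKE sa" log line quoted above. It extracts the ciphers, integrity algorithms and DH groups the Windows client offered and reports which local Phase 1 settings have no match, which is what a "No proposal chosen" reply means. It assumes the firewall prints the transforms flattened (pairings between them are lost), and DH_GROUPS, parse_ike_sa and check_policy are my own names.

```python
import re

# Constructed sample: the ISAKMP log line quoted in the post above.
LOG_LINE = ("Recv IKE sa: SA( protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, "
            "HMAC-SHA1-96, 384 bit ECP, AES CBC key len = 128, 256 bit ECP, 2048 bit MODP, "
            "3DES, 1024 bit MODP; ).")

# IANA IKEv1 DH group numbers for the group names that appear in the log
# (the firewall's "DH Group: 2" is 1024 bit MODP).
DH_GROUPS = {"1024 bit MODP": 2, "2048 bit MODP": 14, "256 bit ECP": 19, "384 bit ECP": 20}


def parse_ike_sa(line):
    """Return the encryption, integrity and DH-group sets the peer offered.
    The log flattens the transforms, so only the sets are recoverable, not
    which cipher was paired with which group (assumption, hypothetical helper)."""
    m = re.search(r"SA\((.*)\)", line)  # greedy: runs to the final ')'
    if not m:
        raise ValueError("no SA(...) payload in line")
    payload = m.group(1).strip().rstrip(";")
    items = [t.strip() for t in payload.split(",") if t.strip()]
    enc, integ, dh = set(), set(), set()
    for item in items:
        km = re.match(r"AES CBC key len = (\d+)", item)
        if item.startswith("protocol"):
            continue
        if km:
            enc.add("AES" + km.group(1))
        elif item == "3DES":
            enc.add("3DES")
        elif item.endswith("PRF"):
            continue  # PRF mirrors the hash; not a separate policy knob here
        elif item.startswith("HMAC-SHA1"):
            integ.add("SHA1")
        elif item in DH_GROUPS:
            dh.add(DH_GROUPS[item])
    return {"enc": enc, "integ": integ, "dh": dh}


def check_policy(offer, policy):
    """Return the local Phase 1 settings the peer did not offer (empty = match)."""
    return {k: policy[k] for k in ("enc", "integ", "dh") if policy[k] not in offer[k]}


if __name__ == "__main__":
    offer = parse_ike_sa(LOG_LINE)
    print("client offered:", offer)
    print("mismatch vs AES256/SHA1/DH2:", check_policy(offer, {"enc": "AES256", "integ": "SHA1", "dh": 2}))
```

If the mismatch dictionary is non-empty, that setting is the one the firewall could not find in the client's offer; if it is empty for Phase 1, the "No proposal chosen" is coming from a setting the flattened log does not show (for example a lifetime or PFS mismatch).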
Has anyone ever successfully created a NATted L2TP?
At least 5 times... did you specify the correct public IP Address into the network section?
Which is your ISP?
Thank you, mMontana, for replying... I'll leave it as it is now, with a public IP on my WAN interface.
Since I'm on an SDWAN device, I have no power over what parameters go where in the L2TP configuration.
The next SDWAN firewall I'll have to remotely connect to, I'll double-check and update this post...
I beg your pardon... I was referring to my activity on USG devices (3.x and 4.x firmware versions); I missed in your post that you were referring to VPNxxx devices from Zyxel.
No problem! Thanks for letting me know it works on other devices!