L2TP VPN behind a NAT Firewall
Hi,
I configured an L2TP VPN server on a USG 210. My network topology has the USG210 between LAN (192.168.1.1) and DMZ (192.168.2.1) and a Netgear firewall between DMZ (192.168.2.2) and Internet (public IP, let's say 1.2.3.4). If I put a client in the DMZ, it connects successfully to the VPN. I then forwarded the public UDP ports 1701, 500, 4500 to the USG210, and changed the VPN connection so that the local policy refers to the public IP address. The Netgear router supports VPN passthrough correctly. Now, the same client moved to the Internet cannot connect. Looking at the log, it seems that both phases of IPsec finished correctly, up to the tunnel building, but then it continues to rekey the tunnel without authenticating the user. Just to clarify, these are the differences in the logs:
FROM DMZ (GOOD):
....
Dynamic Tunnel [L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xbb274bc8] built successfully
RADIUS: Accepting the user 'test'
User test(MAC=) from l2tp has logged in Device
User test has been granted an L2TP over IPsec session.
FROM Internet (BAD):
.....
Dynamic Tunnel [L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xd35fbcfa] built successfully
[ESP aes-cbc|hmac-sha1-96][SPI 0xdab8d2b5|0xe43c88ec][Lifetime 3620]
Dynamic Tunnel [L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xe43c88ec] rekeyed successfully
Recv:[HASH][DEL] [count=3]
The cookie pair is: 0xeea4692cd6bb2372/0xe0377f88d856d514 [count=3]
Tunnel [L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xd35fbcfa] is disconnected
Send:[HASH][DEL] [count=6]
[ESP aes-cbc|hmac-sha1-96][SPI 0x966eb455|0x2a054556][Lifetime 3620]
Dynamic Tunnel [L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0x2a054556] rekeyed successfully
Tunnel [L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xe43c88ec] is disconnected
.....
This cycle repeats until client timeout.
What may I check?
Thanks.
Massimo.
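The two excerpts above differ in one observable way: in the good case the IPsec tunnel build is followed by a RADIUS accept and an L2TP session grant, while in the bad case it is followed only by ESP rekeys and disconnects. The following script is an added example, not part of the post or of Zyxel's own tooling; it reads Zyxel-style log lines (with the whitespace the forum stripped restored, which is an assumption about the exact format), counts tunnel events and authentication events, and reports whether a session was granted, whether only the IPsec layer came up, or whether no tunnel was built at all.

```python
"""Classify Zyxel USG L2TP-over-IPsec log excerpts by outcome.

Added example (not from the post): separates a healthy session
(tunnel built -> RADIUS accept -> L2TP session granted) from the
failure pattern in the post (tunnel built -> rekey/disconnect cycle
with no user authentication). The regexes assume the log wording
quoted in the post, with spaces restored.
"""
import re
from collections import Counter

# Constructed sample input, modelled on the two excerpts quoted in the post
# (tunnel ids and SPIs are the ones shown there).
LOG_GOOD = """\
Dynamic Tunnel [L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xbb274bc8] built successfully
RADIUS: Accepting the user 'test'
User test(MAC=) from l2tp has logged in Device
User test has been granted an L2TP over IPsec session.
"""

LOG_BAD = """\
Dynamic Tunnel [L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xd35fbcfa] built successfully
[ESP aes-cbc|hmac-sha1-96][SPI 0xdab8d2b5|0xe43c88ec][Lifetime 3620]
Dynamic Tunnel [L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xe43c88ec] rekeyed successfully
Recv:[HASH][DEL] [count=3]
The cookie pair is: 0xeea4692cd6bb2372/0xe0377f88d856d514 [count=3]
Tunnel [L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xd35fbcfa] is disconnected
Send:[HASH][DEL] [count=6]
[ESP aes-cbc|hmac-sha1-96][SPI 0x966eb455|0x2a054556][Lifetime 3620]
Dynamic Tunnel [L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0x2a054556] rekeyed successfully
Tunnel [L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xe43c88ec] is disconnected
"""

# "Tunnel [<gateway>:<connection>:<id>] <event>" lines (IPsec layer)
TUNNEL_RE = re.compile(
    r"Tunnel \[(?P<gw>[^:\]]+):(?P<conn>[^:\]]+):(?P<id>0x[0-9a-f]+)\] "
    r"(?P<event>built successfully|rekeyed successfully|is disconnected)"
)
# RADIUS accept and L2TP session grant lines (L2TP/PPP layer)
RADIUS_RE = re.compile(r"RADIUS: Accepting the user '(?P<user>[^']+)'")
GRANT_RE = re.compile(r"User (?P<user>\S+) has been granted an L2TP over IPsec session")


def analyse(log_text):
    """Return event counts, granted users and a one-word verdict."""
    events = Counter()
    accepted, granted = set(), set()
    for line in log_text.splitlines():
        m = TUNNEL_RE.search(line)
        if m:
            events[m.group("event")] += 1
            continue
        m = RADIUS_RE.search(line)
        if m:
            accepted.add(m.group("user"))
            continue
        m = GRANT_RE.search(line)
        if m:
            granted.add(m.group("user"))

    built = events["built successfully"]
    if granted:
        verdict = "ok"                    # IPsec up and L2TP session granted
    elif built and accepted:
        verdict = "auth-but-no-session"   # RADIUS accepted, no L2TP grant logged
    elif built:
        verdict = "ipsec-only"            # IPsec SAs negotiated/rekeyed, never authenticated
    else:
        verdict = "no-tunnel"             # IKE never produced a tunnel

    return {
        "built": built,
        "rekeyed": events["rekeyed successfully"],
        "disconnected": events["is disconnected"],
        "users": sorted(granted),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, text in (("DMZ client", LOG_GOOD), ("Internet client", LOG_BAD)):
        print(name, analyse(text))
```

The "ipsec-only" verdict is what the Internet-side excerpt produces: IKE and ESP (UDP 500/4500) complete, but nothing from the L2TP layer ever appears, so the problem is after IPsec, not in it. Run it over a longer export of the USG log to confirm the cycle really never contains a RADIUS line before narrowing in on the NAT and local-policy settings.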
All Replies
I guess the topology is as follows. You may check if the settings on Netgear and USG210 are correct.

PC-------Internet-------(wan)Netgear(lan)-------(wan)USG210(lan)-----LAN subnet

On the Netgear, add a NAT rule.
Ex: Map the Netgear's wan IP to USG210's wan IP.
Then allow services IKE, NATT and L2TP-UDP for USG210.
Ex: Allow service IKE, NATT and L2TP-UDP from any to USG210's wan IP.

On USG210, configure L2TP.
VPN gateway: My Address is USG210's wan IP.
VPN connection: Local policy is Netgear's wan IP.

On the PC, configure the Netgear's wan IP address as the L2TP server address.