L2TP VPN behind a NAT Firewall

maximp  Posts: 2  Freshman Member
edited April 2021 in Security
Hi,

I configured an L2TP VPN server on a USG 210. My network topology has the USG210 between the LAN (192.168.1.1) and the DMZ (192.168.2.1), and a Netgear firewall between the DMZ (192.168.2.2) and the Internet (public IP, let's say 1.2.3.4). If I put a client in the DMZ, it connects successfully to the VPN. I then forwarded the public UDP ports 1701, 500 and 4500 to the USG210, and changed the VPN connection so that the local policy refers to the public IP address. The Netgear router supports VPN passthrough correctly. Now, the same client, moved to the Internet, cannot connect. Looking at the log, it seems that both phases of IPsec finished correctly, up to the tunnel being built, but then it keeps rekeying the tunnel without authenticating the user. Just to clarify, these are the differences in the logs:

FROM DMZ (GOOD):

....
Dynamic Tunnel [L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xbb274bc8] built successfully
RADIUS: Accepting the user 'test'
User test (MAC=) from l2tp has logged in Device
User test has been granted an L2TP over IPsec session.

FROM Internet (BAD):

.....
Dynamic Tunnel [L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xd35fbcfa] built successfully
[ESP aes-cbc|hmac-sha1-96][SPI 0xdab8d2b5|0xe43c88ec][Lifetime 3620]
Dynamic Tunnel [L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xe43c88ec] rekeyed successfully
Recv: [HASH][DEL] [count=3]
The cookie pair is: 0xeea4692cd6bb2372/0xe0377f88d856d514 [count=3]
Tunnel [L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xd35fbcfa] is disconnected
Send: [HASH][DEL] [count=6]
[ESP aes-cbc|hmac-sha1-96][SPI 0x966eb455|0x2a054556][Lifetime 3620]
Dynamic Tunnel [L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0x2a054556] rekeyed successfully
Tunnel [L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xe43c88ec] is disconnected
.....

This cycle repeats until the client times out.

What may I check?

Thanks.

Massimo.
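The two log excerpts above differ in one thing: in the good run the dynamic tunnel is built and is immediately followed by a RADIUS accept and an L2TP grant, while in the bad run tunnels are built, rekeyed and deleted with no authentication line at all. The following script, an added example and not code from the original post or from Zyxel, turns that observation into a check that can be run over a pasted USG log. The log lines embedded in it are the ones from the post with the whitespace restored; the regular expressions and the verdict names are my own and are not USG log categories.

```python
import re

# Log excerpts copied from the post (GOOD = client in the DMZ, BAD = client on
# the Internet), with the whitespace the forum extraction stripped put back.
GOOD_LOG = """\
Dynamic Tunnel [L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xbb274bc8] built successfully
RADIUS: Accepting the user 'test'
User test (MAC=) from l2tp has logged in Device
User test has been granted an L2TP over IPsec session.
"""

BAD_LOG = """\
Dynamic Tunnel [L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xd35fbcfa] built successfully
[ESP aes-cbc|hmac-sha1-96][SPI 0xdab8d2b5|0xe43c88ec][Lifetime 3620]
Dynamic Tunnel [L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xe43c88ec] rekeyed successfully
Recv: [HASH][DEL] [count=3]
The cookie pair is: 0xeea4692cd6bb2372/0xe0377f88d856d514 [count=3]
Tunnel [L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xd35fbcfa] is disconnected
Send: [HASH][DEL] [count=6]
[ESP aes-cbc|hmac-sha1-96][SPI 0x966eb455|0x2a054556][Lifetime 3620]
Dynamic Tunnel [L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0x2a054556] rekeyed successfully
Tunnel [L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xe43c88ec] is disconnected
"""

# Patterns written against the lines in the post (assumption: other USG
# firmware versions may word these messages differently).
TUNNEL_RE = re.compile(
    r"Dynamic Tunnel \[(?P<conn>[^\]]+):0x(?P<id>[0-9a-fA-F]+)\] "
    r"(?P<event>built|rekeyed) successfully"
)
DISCONNECT_RE = re.compile(r"Tunnel \[(?P<conn>[^\]]+):0x(?P<id>[0-9a-fA-F]+)\] is disconnected")
AUTH_RE = re.compile(r"RADIUS: Accepting the user '(?P<user>[^']+)'")
GRANT_RE = re.compile(r"User (?P<user>\S+) has been granted an L2TP over IPsec session")


def verdict(s: dict) -> str:
    """Classify a session from the event counts collected by analyze()."""
    if s["granted"]:
        return "ok"                        # L2TP session granted: works end to end
    if not s["built"]:
        return "ipsec_failed"              # never reached a phase-2 (ESP) SA
    if not s["authenticated"]:
        # Phase 1 and phase 2 succeeded and ESP SAs keep being rekeyed and
        # deleted, but RADIUS never saw a user: the L2TP control channel
        # (UDP 1701, carried inside the ESP / NAT-T tunnel) never completes.
        return "ipsec_up_no_l2tp_auth"
    return "auth_ok_no_grant"              # RADIUS accepted, L2TP grant missing


def analyze(log: str) -> dict:
    """Walk the log once, collecting tunnel IDs and user names per event."""
    summary = {"built": [], "rekeyed": [], "disconnected": [],
               "authenticated": [], "granted": []}
    for line in log.splitlines():
        if m := TUNNEL_RE.search(line):
            summary[m["event"]].append(m["id"].lower())
        elif m := DISCONNECT_RE.search(line):
            summary["disconnected"].append(m["id"].lower())
        elif m := AUTH_RE.search(line):
            summary["authenticated"].append(m["user"])
        elif m := GRANT_RE.search(line):
            summary["granted"].append(m["user"])
    summary["verdict"] = verdict(summary)
    return summary


if __name__ == "__main__":
    for label, log in (("DMZ client", GOOD_LOG), ("Internet client", BAD_LOG)):
        s = analyze(log)
        print(f"{label}: {s['verdict']} "
              f"(built={len(s['built'])}, rekeyed={len(s['rekeyed'])}, "
              f"disconnected={len(s['disconnected'])}, granted={s['granted']})")
```

The verdict `ipsec_up_no_l2tp_auth` is the interesting one: it says the IKE/ESP side through the NAT is fine and the problem lies with what happens inside the tunnel. With NAT-T in play the L2TP control packets travel inside the ESP SA, which is itself UDP-encapsulated on port 4500, so the forwards for UDP 500 and 4500 are what carry IKE and the tunnel; a forward for UDP 1701 only matters for unencrypted L2TP and does not help here. What to look at next is the quick-mode identity/local-policy match (the address the client dials, which is the Netgear's WAN IP, versus the USG's own WAN IP) and the NAT rule on the Netgear, which is exactly what the reply below addresses.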

All Replies

  • jasailafan  Posts: 154  Master Member
    I guess the topology is as follows.
    PC-------Internet-------(wan)Netgear(lan)-------(wan)USG210(lan)-----LAN subnet
    You may check if the settings on the Netgear and the USG210 are correct.

    On the Netgear, add a NAT rule.
    Ex: Map the Netgear's WAN IP to the USG210's WAN IP.
    Then allow the services IKE, NATT and L2TP-UDP for the USG210.
    Ex: Allow the services IKE, NATT and L2TP-UDP from any to the USG210's WAN IP.

    On the USG210, configure L2TP.
    VPN gateway: My Address is the USG210's WAN IP.
    VPN connection: Local policy is the Netgear's WAN IP.

    On the PC, configure the Netgear's WAN IP address as the L2TP server address.
