L2TP VPN behind a NAT Firewall
Options
Freshman Member
Hi,
I configured an L2TP VPN server on an USG 210. My network topology has USG210 between LAN (192.168.1.1) and DMZ (192.168.2.1) and a Netgear firewall between DMZ (192.168.2.2) and Internet (public IP, lets say 1.2.3.4). If I put a client in DMZ, it connects succesfuly to the VPN. I then forwarded the public UDP ports 1701, 500, 4500 to the USG210, and changed the VPN connection so that local policy refers to the public IP address. The Netgear router supports VPN passthrough correctly. Now, the same client moved to Internet cannot connect. Looking at the log, seems that both phases of IPSEC finished correctly, up to the tunnel building, but then it continues to rekey the tunel without authenticating user. Just to clarify, these are the differences in logs:
FROM DMZ (GOOD):
....
DynamicTunnel[L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xbb274bc8]builtsuccessfully
RADIUS:Acceptingtheuser'test'
Usertest(MAC=)froml2tphasloggedinDevice
UsertesthasbeengrantedanL2TPoverIPsecsession.
FROM Internet (BAD):
.....
DynamicTunnel[L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xd35fbcfa]builtsuccessfully
[ESPaes-cbc|hmac-sha1-96][SPI0xdab8d2b5|0xe43c88ec][Lifetime3620]
DynamicTunnel[L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xe43c88ec]rekeyedsuccessfully
Recv:[HASH][DEL][count=3]
Thecookiepairis:0xeea4692cd6bb2372/0xe0377f88d856d514[count=3]
Tunnel[L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xd35fbcfa]isdisconnected
Send:[HASH][DEL][count=6]
[ESPaes-cbc|hmac-sha1-96][SPI0x966eb455|0x2a054556][Lifetime3620]
DynamicTunnel[L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0x2a054556]rekeyedsuccessfully
Tunnel[L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xe43c88ec]isdisconnected
.....
This cycle repeats until client timeout.
What may I check ?
Thanks.
Massimo.
I configured an L2TP VPN server on an USG 210. My network topology has USG210 between LAN (192.168.1.1) and DMZ (192.168.2.1) and a Netgear firewall between DMZ (192.168.2.2) and Internet (public IP, lets say 1.2.3.4). If I put a client in DMZ, it connects succesfuly to the VPN. I then forwarded the public UDP ports 1701, 500, 4500 to the USG210, and changed the VPN connection so that local policy refers to the public IP address. The Netgear router supports VPN passthrough correctly. Now, the same client moved to Internet cannot connect. Looking at the log, seems that both phases of IPSEC finished correctly, up to the tunnel building, but then it continues to rekey the tunel without authenticating user. Just to clarify, these are the differences in logs:
FROM DMZ (GOOD):
....
DynamicTunnel[L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xbb274bc8]builtsuccessfully
RADIUS:Acceptingtheuser'test'
Usertest(MAC=)froml2tphasloggedinDevice
UsertesthasbeengrantedanL2TPoverIPsecsession.
FROM Internet (BAD):
.....
DynamicTunnel[L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xd35fbcfa]builtsuccessfully
[ESPaes-cbc|hmac-sha1-96][SPI0xdab8d2b5|0xe43c88ec][Lifetime3620]
DynamicTunnel[L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xe43c88ec]rekeyedsuccessfully
Recv:[HASH][DEL][count=3]
Thecookiepairis:0xeea4692cd6bb2372/0xe0377f88d856d514[count=3]
Tunnel[L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xd35fbcfa]isdisconnected
Send:[HASH][DEL][count=6]
[ESPaes-cbc|hmac-sha1-96][SPI0x966eb455|0x2a054556][Lifetime3620]
DynamicTunnel[L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0x2a054556]rekeyedsuccessfully
Tunnel[L2TP_IPSEC_DYN_GW:L2TP_IPSEC_DYN_VPN:0xe43c88ec]isdisconnected
.....
This cycle repeats until client timeout.
What may I check ?
Thanks.
Massimo.
0
All Replies
-
I guess the topology is as follows.You may check if the settings on Netgear and USG210 are correct.PC-------Internet-------(wan)Netgear(lan)-------(wan)USG210(lan)-----LAN subnetOn the Netgear, add a NAT rule.Ex: Map the Netgear's wan IP to USG210's wan IP.Then allow services IKE, NATT and L2TP-UDP for USG210.Ex: Allow service IKE, NATT and L2TP-UDP from any to USG210's wan IP.On USG210, configure L2TP.VPN gateway: My Address is USG210's wan IP.VPN connection: Local policy is Netgear's wan IP.On the PC, configure the Netgear's wan IP address as the L2TP server address.0
Master Member
Categories
- All Categories
- 396 Beta Program
- 2.1K Nebula
- 116 Nebula Ideas
- 78 Nebula Status and Incidents
- 5.1K Security
- 51 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 70 Switch Ideas
- 907 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 210 Service & License
- 332 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.9K FAQ
- 880 Nebula FAQ
- 415 Security FAQ
- 221 Switch FAQ
- 195 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 137 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 72 About Community
- 63 Security Highlight
