L2TP VPN for USG40 not working IOS
Good morning,
I have followed many configuration guides but have not solved the problem. I need to connect IOS mobile devices (versions 12 and 13) to the zyxel USG40 connected via WAN to a modem / router.
1) Create VPN User (Object / User tab)
2) Create WAN, L2TP_POOL and LAN addresses accordingly (L2TP range TO BE completely outside any home / external IP range, that might be in use in either end of the VPN tunnel during VPN utilization - otherwise you may expect trouble ...)
3) Create IPSEC VPN gateway
4) Create VPN connection that uses above created VPN gateway (you can utilize default available or create own)
5) Create L2TP VPN
Is it possible to receive a correct guide to configure the l2tp connection for mobile devices?
thanks
All Replies
-
add version firmware: V4.35(AALA.0)0
-
tested both in easy mode and in expert mode0
-
Is the USG40 using public IP to access the network or behind another NAT router?
On VPN profile, you should configure algorithm as below
In phase 1:
AES256+SHA256, Key Group=DH14
In phase 2:
AES256+SHA1, PFS=none
Please also share the log message after you established VPN failed?(category select "IKE" )
0 -
I succeeded, in the end what was missing in the various guides was the setting in VPN connection, in Related Settings, with its zone.0
-
hi if you dont mind can you please explain me how did you do it ?0
-
Hi @srihiruFor iOS L2TP.Client used to "main mode" to negotiate.Thus It should use ikev1 with main mode. (phase1).Meanwhile,Please kindly notice support ciphers of iOSIn phase 1: AES256+SHA256, Key Group=DH14In phase 2: AES256+SHA256, PFS=noneIf the issue persist,Please kindly share the log as well as related configuration in Private message.
BR
Kevin0 -
Hi cantonim, here are the IKE (VPN Gateway) and Crypto (VPN Connection) configurations for an L2TP connection that work with all iOS Devices and most legacy L2TP clients.
This is from our lab USG40 and has been working flawlessly for years (unitl a recent firmware update )... works fine.
Works with oldest and seemingly recent iOS phones using their native L2TP inbuilt client.
The L2TP authentication use here a different authentctaion (not shown here) however just test to group local.. and it will work. (a PSK is used here not a cert)
I have attached a txt file with the yellow 'code' statments in here as these dont format well at all in some browsers..
VPN Gateway.. as other forum members have correctly pointed out , pay attention to the Phase 1 Encryption Proposal offered to the device..<div>Router> <b>show ike policy usg40_lab_L2TP_gateway</b> </div><div>IKE policy: usg40_lab_L2TP_gateway</div><div> IKD_ID: 4</div><div> negotiation mode: main</div><div> proposal: 1</div><div> <b>encryption: 3des</b></div><div><b> authentication: sha</b></div><div> SA lifetime: 3600</div><div> key group: group2</div><div> NAT traversal: yes</div><div> dead peer detection: no</div><div> my address: wan1</div><div> type: interface</div><div> secure gateway address: 1</div><div> address: 0.0.0.0</div><div> secure gateway address: 2</div><div> address: 0.0.0.0</div><div> fall back: deactivate</div><div> fall back check interval: 300</div><div> authentication method: pre-share</div><div> pre-shared key: *******************************</div><div> certificate: default</div><div> local ID: 0.0.0.0</div><div> type: ip</div><div> peer ID: </div><div> type: any</div><div> user ID: </div><div> type: </div><div> X-Auth: no</div><div> type: </div><div> method: </div><div> allowed user: </div><div> username: </div><div> password: </div><div> EAP-Auth: no</div><div> type: </div><div> aaa method: </div><div> allowed user: </div><div> allowed auth method: mschapv2</div><div> username: </div><div> auth method: mschapv2</div><div> password: </div><div> VPN connection: usg40_lab_L2TP_connection</div><div> vcp reference count: 0</div><div> IKE_version: IKEv1</div><div> active: yes</div><div>Router></div>
here is the VPN Connection Crypto config for Phase2 - important for recent iOS devices I recall. Again pay attention to the Phase 2 Encryption Proposals offered to the device..<div>Router> <b>show crypto map usg40_lab_L2TP_connection</b></div><div>cryptography mapping: usg40_lab_L2TP_connection</div><div> VPN gateway: usg40_lab_L2TP_gateway</div><div> Gateway IP Version: IPv4</div><div> encapsulation: transport</div><div> active protocol: esp</div><div> transform set: 1</div><div><b> encryption: aes128</b></div><div><b> authentication: sha</b></div><div><b> transform set: 2</b></div><div><b> encryption: 3des</b></div><div><b> authentication: sha</b></div><div> SA lifetime: 3600</div><div> PFS: none</div><div> nail up: no</div><div> scenario: remote-access-server</div><div> l2tp: yes</div><div> local policy: msf_WAN_any_IP_INTERFACE</div><div> remote policy: any</div><div> protocol type: any</div><div> configuration provide: </div><div> mode config: no</div><div> configuration payload: no</div><div> address pool: </div><div> first dns: </div><div> second dns: </div><div> first wins: </div><div> second wins: </div><div> policy enforcement: no</div><div> replay detection: no</div><div> narrowed: yes</div><div> adjust mss: yes</div><div> mss value: 0</div><div> stop rekeying: no</div><div> NetBIOS broadcast over IPSec: no</div><div> outbound SNAT: no</div><div> source: </div><div> destination: </div><div> target: </div><div> inbound SNAT: no</div><div> source: </div><div> destination: </div><div> target: </div><div> inbound DNAT: no</div><div> vcp reference count: 0</div><div> active: yes</div><div> VTI: </div><div> VPN ID: 4</div><div> connected: yes</div><div> connectivity check: no</div><div> check method: none</div><div> IP address: none</div><div> period: none</div><div> timeout: none</div><div> fail tolerance: none</div><div> port: none</div><div> log: no</div><div> rule type: 4in4</div><div>Router></div>
Note that this same USG40 router ALSO provides an IKEV2 Client gateway (irrelevant here) for later operating systems/platforms that dont support L2TP.. these coexist equally.
Refer to the attachment labusg40_ike_crpto_client_configs.txt should the above formatting be troublesome.
HTH
Warwick
Hong Kong
0 -
Zyxel_Kevin said:Hi @srihiruFor iOS L2TP.Client used to "main mode" to negotiate.Thus It should use ikev1 with main mode. (phase1).Meanwhile,Please kindly notice support ciphers of iOSIn phase 1: AES256+SHA256, Key Group=DH14In phase 2: AES256+SHA256, PFS=noneIf the issue persist,Please kindly share the log as well as related configuration in Private message.
BR
Kevin0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 149 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 263 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight