DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
L2TP/IPSec on 2860
- pic-o
- Topic Author
- Junior Member
- Posts: 10
09 Apr 2014 15:05 #79613
by pic-o
L2TP/IPSec on 2860 was created by pic-o
Hello,
I am trying to set up an L2TP tunnel over IPSec. I can get the IPSec channel to be created, but every client that I have tried crashes when negotiating the L2TP tunnel. I have tried Android, Windows 7 and Ubuntu, all of which could not connect.
I have used various setups on the router for the Remote Dial-in User profile, but all end up the same: the L2TP tunnel would not be created.
PPTP and SSL VPNs are working fine, easy to set up, no problems at all.
The firmware I am on is 3.7.4.1.
Below you can find an extract from the syslog server.
141  2014-04-08 14:46:46  Apr 8 14:46:36  Vigor  Receive client L2L remote network setting is x.y.z.w/32
141  2014-04-08 14:46:46  Apr 8 14:46:36  Vigor  Responding to Quick Mode from x.y.z.w
141  2014-04-08 14:46:46  Apr 8 14:46:36  Vigor  IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x43b8a059
141  2014-04-08 14:46:46  Apr 8 14:46:36  Vigor  IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x43b8a059
141  2014-04-08 14:46:46  Apr 8 14:46:36  Vigor  IPsec SA established with x.y.z.w. In/Out Index: 34/0
141  2014-04-08 14:46:47  Apr 8 14:46:37  Vigor  L2TP <== Control(0xC802)-L-S Ver:2 Len:117, Tunnel ID:0, Session ID:0, Ns:0, Nr:0
141  2014-04-08 14:46:47  Apr 8 14:46:37  Vigor  L2TP ==> Control(0xC802)-L-S Ver:2 Len:104, Tunnel ID:5955, Session ID:0, Ns:0, Nr:1
141  2014-04-08 14:46:48  Apr 8 14:46:38  Vigor  L2TP ==> Control(0xC802)-L-S Ver:2 Len:104, Tunnel ID:5955, Session ID:0, Ns:0, Nr:1
...
141  2014-04-08 14:46:52  Apr 8 14:46:42  Vigor  L2TP <== Control(0xC802)-L-S Ver:2 Len:45, Tunnel ID:0, Session ID:0, Ns:1, Nr:0
141  2014-04-08 14:46:52  Apr 8 14:46:43  Vigor  IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x9433a87c
141  2014-04-08 14:46:52  Apr 8 14:46:43  Vigor  IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xeaf9cb27
141  2014-04-08 14:46:53  Apr 8 14:46:43  Vigor  L2TP ==> Control(0xC802)-L-S Ver:2 Len:104, Tunnel ID:5955, Session ID:0, Ns:0, Nr:1
...
141  2014-04-08 14:46:58  Apr 8 14:46:48  Vigor  L2TP ==> Control(0xC802)-L-S Ver:2 Len:104, Tunnel ID:5955, Session ID:0, Ns:0, Nr:1
166  2014-04-08 13:29:17  Apr 8 13:29:08  Vigor  WAN1 PPPoE ==> Protocol:LCP(c021) EchoRep Identifier:0x95Magic Number: 0x0 00 00 ##
166  2014-04-08 13:29:27  Apr 8 13:29:18  Vigor  WAN1 PPPoE <== Protocol:LCP(c021) EchoReq Identifier:0x96Magic Number: 0x6fd6 0a 2f ##
...
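The extract above shows the IPsec SA coming up and then the router answering the client's first L2TP control message over and over without ever getting past it. The following script is an added example written for this thread; it is not code from the poster or from DrayTek. It splits the fused columns of the quoted syslog export (host index, collector timestamp, device timestamp, host, message), tracks the L2TP control handshake from the Tunnel ID / Ns / Nr fields, and produces a one-line verdict. It assumes the column layout of the quoted export, the standard L2TP convention that the first inbound control message carries Tunnel ID 0 (SCCRQ) and the router's reply carries the assigned Tunnel ID with Nr 1 (SCCRP), and the standard ISAKMP meaning of exchange type 0x5 (Informational). The sample input is constructed from the lines quoted in the post.

```python
import re
from dataclasses import dataclass

# Column layout of the fused DrayTek/Vigor syslog export quoted in the thread:
#   <host index><collector timestamp><device timestamp>Vigor<message>
# This layout is an assumption taken from the quoted lines; other exports may differ.
LINE_RE = re.compile(
    r"^(?P<idx>\d+)"
    r"(?P<recv>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    r"(?P<dev>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
    r"(?P<host>Vigor)"
    r"(?P<msg>.*)$"
)

# L2TP control-message trace line as printed by the router.
L2TP_RE = re.compile(
    r"L2TP (?P<dir><==|==>) Control\((?P<flags>0x[0-9A-Fa-f]+)\)-L-S "
    r"Ver:(?P<ver>\d+) Len:(?P<len>\d+), Tunnel ID:(?P<tid>\d+), "
    r"Session ID:(?P<sid>\d+), Ns:(?P<ns>\d+), Nr:(?P<nr>\d+)"
)

# Constructed sample: the lines quoted in the first post (peer already anonymised as x.y.z.w).
SAMPLE_EXPORT = """\
1412014-04-08 14:46:46Apr 8 14:46:36VigorReceive client L2L remote network setting is x.y.z.w/32
1412014-04-08 14:46:46Apr 8 14:46:36VigorResponding to Quick Mode from x.y.z.w
1412014-04-08 14:46:46Apr 8 14:46:36VigorIKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x43b8a059
1412014-04-08 14:46:46Apr 8 14:46:36VigorIKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x43b8a059
1412014-04-08 14:46:46Apr 8 14:46:36VigorIPsec SA established with x.y.z.w. In/Out Index: 34/0
1412014-04-08 14:46:47Apr 8 14:46:37VigorL2TP <== Control(0xC802)-L-S Ver:2 Len:117, Tunnel ID:0, Session ID:0, Ns:0, Nr:0
1412014-04-08 14:46:47Apr 8 14:46:37VigorL2TP ==> Control(0xC802)-L-S Ver:2 Len:104, Tunnel ID:5955, Session ID:0, Ns:0, Nr:1
1412014-04-08 14:46:48Apr 8 14:46:38VigorL2TP ==> Control(0xC802)-L-S Ver:2 Len:104, Tunnel ID:5955, Session ID:0, Ns:0, Nr:1
...
1412014-04-08 14:46:52Apr 8 14:46:42VigorL2TP <== Control(0xC802)-L-S Ver:2 Len:45, Tunnel ID:0, Session ID:0, Ns:1, Nr:0
1412014-04-08 14:46:52Apr 8 14:46:43VigorIKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x9433a87c
1412014-04-08 14:46:52Apr 8 14:46:43VigorIKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xeaf9cb27
1412014-04-08 14:46:53Apr 8 14:46:43VigorL2TP ==> Control(0xC802)-L-S Ver:2 Len:104, Tunnel ID:5955, Session ID:0, Ns:0, Nr:1
...
1412014-04-08 14:46:58Apr 8 14:46:48VigorL2TP ==> Control(0xC802)-L-S Ver:2 Len:104, Tunnel ID:5955, Session ID:0, Ns:0, Nr:1
1662014-04-08 13:29:17Apr 8 13:29:08VigorWAN1 PPPoE ==> Protocol:LCP(c021) EchoRep Identifier:0x95Magic Number: 0x0 00 00 ##
1662014-04-08 13:29:27Apr 8 13:29:18VigorWAN1 PPPoE <== Protocol:LCP(c021) EchoReq Identifier:0x96Magic Number: 0x6fd6 0a 2f ##
"""


@dataclass
class Diagnosis:
    ipsec_sa_established: bool = False
    sccrq_seen: bool = False          # inbound control msg with Tunnel ID 0, Ns 0, Nr 0
    sccrp_sent: int = 0               # outbound control msgs carrying our Tunnel ID, Nr 1
    peer_acked_sccrp: bool = False    # any inbound frame whose Nr reached 1
    ike_informational_after: int = 0  # IKE exchange type 0x5 from the peer once L2TP began
    verdict: str = ""


def parse_export(text):
    """Split the fused columns into fields; lines that do not match ('...', blanks) are skipped."""
    rows = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def diagnose_l2tp(rows):
    """Walk the trace in order and decide where the L2TP-over-IPsec setup stopped."""
    d = Diagnosis()
    for r in rows:
        msg = r["msg"]
        if "IPsec SA established" in msg:
            d.ipsec_sa_established = True
            continue
        if msg.startswith("IKE <==") and "Exchange Type = 0x5" in msg and d.sccrq_seen:
            d.ike_informational_after += 1  # peer-initiated informational (typically a delete/notify)
            continue
        m = L2TP_RE.search(msg)
        if not m:
            continue  # PPPoE/LCP and other unrelated lines
        inbound = m["dir"] == "<=="
        tid, ns, nr = int(m["tid"]), int(m["ns"]), int(m["nr"])
        if inbound and tid == 0 and ns == 0 and nr == 0:
            d.sccrq_seen = True
        elif not inbound and tid != 0 and nr == 1:
            d.sccrp_sent += 1  # each repeat is a retransmission of the same reply
        if inbound and nr >= 1:
            d.peer_acked_sccrp = True

    if not d.ipsec_sa_established:
        d.verdict = "IPsec phase 2 never completed; L2TP cannot start"
    elif not d.sccrq_seen:
        d.verdict = "IPsec SA up but no L2TP SCCRQ arrived inside it (UDP/1701 not reaching the router?)"
    elif d.sccrp_sent >= 1 and not d.peer_acked_sccrp:
        d.verdict = (f"router sent SCCRP {d.sccrp_sent} times and the client never acknowledged it "
                     f"(Nr stayed 0); L2TP control channel stalled after IPsec came up")
    else:
        d.verdict = "L2TP control channel established"
    return d


if __name__ == "__main__":
    print(diagnose_l2tp(parse_export(SAMPLE_EXPORT)).verdict)
```

Run against the quoted extract, the verdict is that IPsec phase 2 succeeded, the client's SCCRQ arrived, and the router's SCCRP was retransmitted four times with the client's Nr never leaving 0; the two IKE informational exchanges that follow are the client giving up. That narrows the fault to the L2TP reply path (the router-to-client direction inside the SA) rather than IKE or authentication, which is consistent with the later finding in this thread about the IP Routed Subnet setting.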
- rondr
- Banned
- Posts: 7
29 Apr 2014 19:47 #79778
by rondr
Replied by rondr on topic Re: L2TP/IPSec on 2860
The same for me.
Tested OK:
- WinXP / PPTP
- Win7 / PPTP
- Win8.1 / PPTP
- WinXP / L2TP/IPSEC
- Win8.1 / L2TP/IPSEC
Tested not OK, error 789:
- Win7 / L2TP/IPSEC
- rondr
- Banned
- Posts: 7
05 May 2014 18:17 #79845
by rondr
Replied by rondr on topic Re: L2TP/IPSec on 2860
I solved the issue in my case.
It is the AVM VPN client installed on the computer that makes the connection go wrong. By stopping the "AVM FRITZ!VPN Client" and "AVM FRITZ!VPN IKE Service" services and restarting the "IKE and AuthIP IPSec Keying Modules" service, I can make the connection without the 789 error.
- pic-o
- Topic Author
- Junior Member
- Posts: 10
14 May 2014 11:08 #79978
by pic-o
Replied by pic-o on topic Re: L2TP/IPSec on 2860
Thanks Rondr, I will have a look at this. Sorry for the late reply.
- pic-o
- Topic Author
- Junior Member
- Posts: 10
14 May 2014 11:21 #79979
by pic-o
Replied by pic-o on topic Re: L2TP/IPSec on 2860
Rondr, could you summarise the setup you have used for both the client and the router? Also which FW are you on?
- pic-o
- Topic Author
- Junior Member
- Posts: 10
04 Jun 2014 20:56 #80246
by pic-o
Replied by pic-o on topic Re: L2TP/IPSec on 2860
After much, much, much time wasted/invested on this issue, I seem to have found what the problem is, although I cannot say this is yet a solution for me.
A bit of background on my setup:
I have 8 public IPs from my ISP; let's say the subnet is 193.16.0.0/29. 193.16.0.6 is allocated to my router; the rest, between 1 and 5, are set up on the public interface of a firewall.
With this setup the router needs to provide routing on 193.16.0.0/29 via its IP 193.16.0.6. The firewall's GW is then 193.16.0.6. To provide this function I have set up the router as follows:
LAN -> General Setup: I have enabled IP Routed Subnet with IP Address 193.16.0.6.
Under these conditions the firewall can nicely route to the public internet via 193.16.0.6, and SSL and PPTP VPNs can be established with 193.16.0.6, but no L2TP/IPSec.
Via Draytek's support I had the opportunity to connect to one of their routers which had been configured to troubleshoot my problem, but on which the issue could not be replicated. After looking at their configuration, the obvious difference was that their router had been set up to provide basic NAT masquerade behind its public IP; no routing via the public interface. To cut the story short, this is exactly why the L2TP/IPSec was working on their router: immediately after I disabled IP Routed Subnet on my router too, the VPN could be established.
This is obviously not solving my problem yet!
Copyright © 2024 DrayTek