DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
L2TP: what is missing?
- giacecco
- Topic Author
- Junior Member
21 Feb 2017 21:10 #88344
by giacecco
L2TP: what is missing? was created by giacecco
I am trying to use https://www.draytek.com/en/faq/faq-vpn/vpn.host-to-lan/how-to-establish-l2tp-tunnel-from-iphone-to-vigor-router/ as a starting point to understand what the minimum settings are to set up an L2TP VPN between my Vigor and, as clients, my Fedora Linux and my Android 7.x phone, but there is no way I can get it to work with either device.
Of the settings that are not listed in the guide mentioned above, I am using:
- Maximum MPPE (128 bit)
- No mutual authentication
- Remote dial-in as the only PPP authentication method
- No PPTP LDAP profile
- Both "Medium" and all "High" IP Security Methods ticked
... and nothing ticked across the other several dozen settings
The settings are matched on Linux and Android wherever they exist there, too. On Android, for example, most of this detail is completely missing. Screenshots of the settings on the Draytek are below.
- https://doc-0s-6g-docs.googleusercontent.com/docs/securesc/h6glchuru44if09ro2bbm5lfkcik91iv/dq733gp04dfo30638iqjge8ovnbich93/1487707200000/15757117163700496642/15757117163700496642/0B3i-XvikxKzAeVpDVkNKMWJlbHc?e=view&h=05516109048717929186&nonce=tsq1lea6o6s2u&user=15757117163700496642&hash=bmrvpor8l1c20pi0brl5s5d8pq47lt6j
- https://doc-0c-6g-docs.googleusercontent.com/docs/securesc/h6glchuru44if09ro2bbm5lfkcik91iv/bc2kam6vko9gglssmsqm3b37a86ctdde/1487707200000/15757117163700496642/15757117163700496642/0B3i-XvikxKzAUHhWb2dzX3FDcW8?h=05516109048717929186&e=view
- https://doc-14-6g-docs.googleusercontent.com/docs/securesc/h6glchuru44if09ro2bbm5lfkcik91iv/effeb47emjh146mq9dsun4lv9etaqkkd/1487707200000/15757117163700496642/15757117163700496642/0B3i-XvikxKzANnFOTDBGckJwMGM?h=05516109048717929186&e=view
- https://doc-14-6g-docs.googleusercontent.com/docs/securesc/h6glchuru44if09ro2bbm5lfkcik91iv/njr7h2s48rfgs3a7ji4ub2qgitvfa8fn/1487707200000/15757117163700496642/15757117163700496642/0B3i-XvikxKzATno2c0ZIU3MwX0U?h=05516109048717929186&e=view
- https://doc-04-6g-docs.googleusercontent.com/docs/securesc/h6glchuru44if09ro2bbm5lfkcik91iv/1kc0nfhg0smj8s4hvb02ka4ubvfitk5f/1487707200000/15757117163700496642/15757117163700496642/0B3i-XvikxKzAZ3RZRnJVWGtWQ1U?h=05516109048717929186&e=view
- https://doc-0k-6g-docs.googleusercontent.com/docs/securesc/h6glchuru44if09ro2bbm5lfkcik91iv/8vf2rurrj7unosudbtllohj0t798b9hg/1487707200000/15757117163700496642/15757117163700496642/0B3i-XvikxKzAdE13VExEbWFOYmM?h=05516109048717929186&e=view
What could I be missing, and what is the best place to debug what's happening, on either the Vigor side or the Fedora side? Surprisingly, Linux does not give any explanation of the failure, unless I probably need to look deeper into some logs through the console.
Thank you in advance,
Giacecco
- giacecco
- Topic Author
- Junior Member
01 Mar 2017 13:57 #88411
by giacecco
Replied by giacecco on topic Re: L2TP: what is missing?
A quick update. I've given up on Fedora, as a prosumer OS of course has many more movable parts that can be potentially an issue. I've started focusing only on Android and also started collecting syslogs on a USB stick connected to the router.
The first thing I noticed is how few messages are recorded, despite ticking all syslog services. Does anybody reading this have an example of how the syslog should look when an L2TP connection is attempted and - potentially - initiated?
Thanks.
- fryr
- Junior Member
13 Apr 2017 09:57 #88691
by fryr
Replied by fryr on topic Re: L2TP: what is missing?
Your google links are not public - so getting access denied.
I used to run L2TP VPN and connect in from Windows, Android and iOS.
From memory I enabled both l2tp and ipsec in the VPN services. I configured a certificate on the Draytek and assigned it to the VPN. I configured a shared secret to be used. I created a dial in user and allocated them access to l2tp and ipsec and configured them accordingly.
- jasonrafferty
- New Member
26 Apr 2017 11:47 #88776
by jasonrafferty
Replied by jasonrafferty on topic Re: L2TP: what is missing?
I also run L2TP over IPSEC - you must have IPSEC ticked as well as L2TP in the service types. This threw me for a while although it is obvious when you think about it!
Currently connecting via OS X and iOS.
- giacecco
- Topic Author
- Junior Member
01 May 2017 14:51 #88812
by giacecco
Replied by giacecco on topic Re: L2TP: what is missing?
@fryr @jasonrafferty thank you for your advice and sorry for not getting back to you sooner.
I've tried enabling both IPSec and L2TP but that did not solve the problem.
@fryr I did not configure a certificate, I thought it was optional, is that correct? Moreover, on Android, I am trying to use L2TP/IPSec PSK, not RSA.
Moreover, can you confirm that I don't need to open any ports on the router (in NAT > Port Redirection or NAT > Open Ports), as if the VPN server was a separate device somewhere on the internal network?
I made new screenshots of what I think are the relevant configuration settings here: https://photos.google.com/share/AF1QipM4dzE6G_mtuPQjsHLS5GOpmeltBcSQhvrMeRtH5UfpaaX_4jV7QKsQXLm_dfzTBA?key=U2U4ZkQwWnpQZ2pkMC1RZ05nV2hMSU1uQVVsdjRn
Thank you for any hint. I am tempted to sell the Draytek at this point and downgrade to something more user friendly.
- gsb1
- Junior Member
01 May 2017 15:26 #88814
by gsb1
Replied by gsb1 on topic Re: L2TP: what is missing?
Hi,
Relatively few steps to make this work, I'll cover what I know in case it jogs something for you.
VPN and Remote Access > Remote Access Control
Enable IPSec VPN Service - checked
Enable L2TP VPN Service - checked
VPN and Remote Access > IPsec General Setup
Certificate for Dial-in - None (default)
Pre-Shared Key - set to something and confirm (use whatever you want for testing, after initial setup make nice and strong)
IPsec Security Method - just the High options ticked
VPN and Remote Access > Remote Dial-in User
Ensure you have a remote user created and enabled (as I see you do). The only settings I configured were:
Allowed Dial-In Type
IPsec Tunnel
L2TP with IPsec Policy "must"
Username and password
IPsec Security Method
Again just the high options ticked.
That's it.
So client side you are using the native Android VPN settings? You want an "L2TP/IPsec PSK" connection type. Connection just needs a name (anything), the connection type (L2TP/IPsec PSK), the internet address of your router, the IPsec pre-shared key (the key you entered on the router), then the username and password you set.
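The router-side checklist above has a Linux counterpart, which is what the original poster was trying on Fedora before switching to Android. The script below is an added example, not code from the thread or from DrayTek: it writes a minimal L2TP/IPsec PSK client configuration for strongSwan (legacy ipsec.conf format, IKEv1, transport mode) plus xl2tpd and pppd, mirroring the settings gsb1 lists (IPsec and L2TP services on, PSK rather than certificate, a dial-in username and password). The router address, PSK, username and password are placeholders; the cipher proposals are an assumption about what the Vigor's "High" IPsec methods accept; and the two directory variables let you preview the generated files in a scratch directory before writing to /etc.

```shell
#!/bin/sh
# Added example, not from the forum thread or from DrayTek: generate a minimal
# Linux L2TP/IPsec PSK client configuration (strongSwan ipsec.conf + xl2tpd +
# pppd) that mirrors the Vigor-side settings listed in the thread.
# Every value below is a placeholder or an assumption; replace before use.
set -eu

ROUTER_ADDR="${ROUTER_ADDR:-vpn.example.invalid}"  # placeholder: the router's WAN address
IPSEC_PSK="${IPSEC_PSK:-CHANGE-ME-PSK}"           # placeholder: IPsec General Setup > Pre-Shared Key
VPN_USER="${VPN_USER:-vpnuser}"                   # placeholder: Remote Dial-in User name
VPN_PASS="${VPN_PASS:-CHANGE-ME-PASSWORD}"        # placeholder: Remote Dial-in User password
IPSEC_DIR="${IPSEC_DIR:-/etc}"                    # strongSwan config dir (Fedora packages it under /etc/strongswan)
SYS_DIR="${SYS_DIR:-/etc}"                        # parent of xl2tpd/ and ppp/; set to a scratch dir to preview

# IPsec half: IKEv1 with a pre-shared key, transport mode, protecting only
# UDP/1701 (L2TP) between this host and the router.
write_ipsec_conf() {
  mkdir -p "$IPSEC_DIR"
  cat > "$IPSEC_DIR/ipsec.conf" <<EOF
config setup

# Assumption: these proposals fall within the Vigor's "High" IPsec methods.
conn vigor-l2tp
    keyexchange=ikev1
    authby=secret
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=$ROUTER_ADDR
    rightprotoport=17/1701
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,aes128-sha1,3des-sha1!
    auto=add
EOF
  # The PSK file is created mode 0600 so other local users cannot read the key.
  ( umask 077; printf '%%any %s : PSK "%s"\n' "$ROUTER_ADDR" "$IPSEC_PSK" > "$IPSEC_DIR/ipsec.secrets" )
}

# L2TP/PPP half: xl2tpd dials the router once the IPsec SA is up; pppd sends
# the dial-in credentials (MS-CHAPv2) and accepts the address the router assigns.
# noccp: the tunnel is already protected by IPsec, so no PPP-level CCP/MPPE.
# noauth: the client does not demand that the router authenticate itself.
write_xl2tpd_conf() {
  mkdir -p "$SYS_DIR/xl2tpd" "$SYS_DIR/ppp"
  cat > "$SYS_DIR/xl2tpd/xl2tpd.conf" <<EOF
[lac vigor]
lns = $ROUTER_ADDR
ppp debug = yes
pppoptfile = $SYS_DIR/ppp/options.l2tpd.client
length bit = yes
EOF
  ( umask 077; cat > "$SYS_DIR/ppp/options.l2tpd.client" <<EOF
ipcp-accept-local
ipcp-accept-remote
refuse-eap
refuse-pap
refuse-chap
require-mschap-v2
noccp
noauth
mtu 1280
mru 1280
noipdefault
usepeerdns
connect-delay 5000
name $VPN_USER
password $VPN_PASS
EOF
  )
}

# Bring the tunnel up: IPsec first, then ask xl2tpd to dial the "vigor" LAC.
# IPSEC_CMD is "ipsec" upstream; Fedora's strongSwan package names it "strongswan".
connect_vpn() {
  "${IPSEC_CMD:-ipsec}" up vigor-l2tp
  echo "c vigor" > /var/run/xl2tpd/l2tp-control
}

case "${1:-}" in
  write)   write_ipsec_conf; write_xl2tpd_conf ;;
  connect) connect_vpn ;;
  *)       echo "usage: $0 write|connect" ;;
esac
```

Set the four variables, run the script with `write` as root, restart the strongswan and xl2tpd services, then run it with `connect`. On the client the IKE exchange is UDP 500 (UDP 4500 with NAT traversal) and L2TP is UDP 1701 inside the transport SA, so a packet capture on the client's uplink together with the systemd journal for the strongswan and xl2tpd units shows exactly which stage (IKE proposal, PSK, L2TP, or PPP authentication) is failing when the GUI reports nothing.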
Moderators: Sami
Copyright © 2024 DrayTek