L2TP configuration

I have followed the tutorial given on the following page, exactly as described.

https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContent/VPNL2TPRemoteAccessConnectionCreate.html

However, I am unable to connect to the L2TP server using Windows's built-in VPN connection client.

I have used 1701 as the port number in the server field. But this port is closed when looking from the public network. Am I doing something wrong somewhere?

  • Hello there,

    The port needs to be opened by your ISP; I would recommend you reach out to them to confirm whether the port is open.

    You can see if the packets are arriving at the XG by SSHing into the device and, in the Advanced Shell (5 > 3), entering

    # tcpdump -eni any port 1701

    If you don't see traffic arriving, it might be either that the port is closed outbound where the computer is connecting from, or that the port is closed at your ISP's level.

    I would recommend you use SSL VPN on port 443, as most ISPs allow that port by default.

    Regards,

  • 1. My ISP does not block any port. Opening it on the XG should be enough for the task. The XG is itself working as the ISP router too. No other router is used.

    2. There is no traffic seen on tcpdump for port 1701.

    3. While inside the LAN, the nmap command shows port 1701 is closed.

    4. Using SSL VPN is not helpful here, as I need the same subnet on the VPN clients as that of the XG's DHCP. I want remote peers virtually on the same LAN. In SSL VPN, that's not possible AFAIK.

  • Hello,

    If you aren't seeing traffic coming to port 1701, it would indicate that either the port on the source side is closed or your ISP is blocking that port.

    You should be able to see this during the tcpdump:

    XG125_XN03_SFOS 18.0.4 MR-4# tcpdump -eni any port 1701
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
    09:51:59.330268 Port2, IN: In a4:7b:2c:4f:1f:b5 ethertype IPv4 (0x0800), length 68: 216.232.XXX.XXX.44077 > 99.199.XXX.XXX.1701: Flags [S], seq 137050612, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    09:52:00.329248 Port2, IN: In a4:7b:2c:4f:1f:b5 ethertype IPv4 (0x0800), length 68: 216.232.XXX.XXX.44077 > 99.199.XXX.XXX.1701: Flags [S], seq 137050612, win 292

    Try running the following command on the XG for port 1701, so you can confirm it is listening on the port:

    # netstat -na | grep "1701"
    udp 0 0 0.0.0.0:1701 0.0.0.0:*

    If you are trying to put them in the same subnet, and only require users connected to the VPN to have their traffic seen as if it came from the LAN side, you can always masquerade the traffic as it comes in from the VPN.

    https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/124204/sophos-xg-how-to-source-nat-incoming-ipsec-traffic-on-v18-and-v17

    Regards,

  • Thank you, Emmanuel, for the reply.

    1. Using the command netstat -na | grep "1701", I am getting the response shown below:

    udp 0 0 0.0.0.0:1701 0.0.0.0:*

    It means the XG is listening on port 1701.

    2. Using the command tcpdump -vv -eni any port 1701, I am getting the following traffic in multiple lots, as shown below:

    124.x.x.x is the client's IP address and 59.x.x.x is the XG's WAN IP address.

    It means the port is open to the public. I generated this traffic by polling [xg public hostname:1701] from the client.

    I have configured an L2TP profile VPN connection on the client (a Windows 10 Pro machine) using this tutorial. But when I tried connecting from Windows's connection manager, the XG couldn't see any traffic. That's why I generated the above traffic using a third-party tool.

    Now, I have followed this tutorial exactly. But there is no traffic on port 1701.

    Any help here? Is there any port apart from 1701 that needs to be checked for accessibility?
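The two checks traded in this exchange (netstat for a bound UDP socket, tcpdump for inbound packets to 1701) as an added example, not code from the thread or from Sophos: a small Python script that parses constructed samples of that output and tells a TCP port probe apart from a real UDP L2TP datagram, because the capture quoted earlier in the thread shows TCP SYNs (Flags [S]) and a TCP check of 1701 cannot show that UDP 1701 is reachable. The sample addresses, MAC address and packet lines are constructed, not taken from a real XG.

```python
import re
# Constructed samples modelled on the output quoted in this thread (not real XG captures);
# 203.0.113.10 stands for the client, 198.51.100.5 for the XG WAN address.
NETSTAT_SAMPLE = "udp        0      0 0.0.0.0:1701            0.0.0.0:*\n"
# Two TCP SYN probes to 1701 (what a port scanner or a "poll host:1701" tool sends), no UDP.
TCPDUMP_TCP_ONLY = """09:51:59.330268 Port2, IN: In a4:7b:2c:4f:1f:b5 ethertype IPv4 (0x0800), length 68: 203.0.113.10.44077 > 198.51.100.5.1701: Flags [S], seq 137050612, win 29200, options [mss 1460], length 0
09:52:00.329248 Port2, IN: In a4:7b:2c:4f:1f:b5 ethertype IPv4 (0x0800), length 68: 203.0.113.10.44077 > 198.51.100.5.1701: Flags [S], seq 137050612, win 29200, options [mss 1460], length 0
"""
# One UDP datagram to 1701, the transport a real L2TP client uses.
TCPDUMP_UDP = """09:53:01.000000 Port2, IN: In a4:7b:2c:4f:1f:b5 ethertype IPv4 (0x0800), length 86: 203.0.113.10.1701 > 198.51.100.5.1701: UDP, length 44
"""
# Destination "host.port:" of a tcpdump line, e.g. "> 198.51.100.5.1701:".
DST_RE = re.compile(r"> ([\d.]+)\.(\d+):")

def udp_port_bound(netstat_text: str, port: int) -> bool:
    """True if `netstat -na` output shows a UDP socket bound to the given local port."""
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0].startswith("udp") and cols[3].endswith(f":{port}"):
            return True
    return False

def count_inbound(tcpdump_text: str, port: int) -> dict:
    """Count captured packets destined to `port`, split by transport protocol."""
    counts = {"tcp": 0, "udp": 0, "other": 0}
    for line in tcpdump_text.splitlines():
        m = DST_RE.search(line)
        if not m or int(m.group(2)) != port:
            continue  # replies from the XG or unrelated lines
        if "Flags [" in line:  # only TCP segments carry flags
            counts["tcp"] += 1
        elif " UDP," in line or " l2tp" in line:  # tcpdump decodes port 1701 as L2TP with -v
            counts["udp"] += 1
        else:
            counts["other"] += 1
    return counts

def diagnose(netstat_text: str, tcpdump_text: str, port: int = 1701) -> str:
    """Combine the two checks from the thread into one verdict."""
    if not udp_port_bound(netstat_text, port):
        return "not-listening"  # L2TP service is not bound on the firewall
    seen = count_inbound(tcpdump_text, port)
    if seen["udp"]:
        return "udp-traffic-seen"  # client packets reach the XG; look at L2TP/auth logs next
    if seen["tcp"]:
        return "tcp-probes-only"  # a TCP check of 1701 says nothing about UDP reachability
    return "no-inbound-traffic"  # nothing arrives: client configuration or an upstream filter
```

Run against a real `netstat -na` and `tcpdump -eni any port 1701` capture, the "tcp-probes-only" verdict is the one to watch for: it means the reachability test itself used the wrong transport.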

  • Hello there,

    Thank you for the follow-up.

    It only requires UDP port 1701. The KB you shared is the documentation we have for L2TP. Try using the public IP in the L2TP connection rather than the hostname to see if this helps with the connection.

    Regards,

  • As suggested, I tried using the IP address instead of the hostname. But the problem persists.

    No successful connection on the client machine, and no traffic on the XG during this connection activity.
