
L2TP client-to-site VPN "asynchronous network error"

Hi

I've set up a client-to-site remote access VPN over L2TP on UTM 9.

UTM 9 is the server - a Synology Diskstation is the client.

The connection works, but I get very poor data rates (~200kb/s, 3MB/s possible). The log shows several errors like this:

ERROR: asynchronous network error report on eth1 for message to 95.222.24.192 port 29364, complainant 95.222.24.192: No route to host [errno 113, origin ICMP type 11 code 1 (not authenticated)]

What does this mean and how can I correct this?

PPTP works like a charm (at full speed), but I am trying to avoid PPTP because it is considered insecure.

Site-to-site does not work, unfortunately, because the client is behind a NATed IPv4 (DS-Lite).

Thanks for your help,

Frank
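To make the log line above easier to read, here is an added decoder (my own example, not code from the thread or from Sophos). It assumes the line comes from pluto, the IKE daemon that strongSwan 4.x/Openswan-based systems such as UTM 9 run, which copies ICMP errors from the UDP socket's error queue into exactly this format. The errno and ICMP names are the Linux and RFC 792 values; the "hint" table is my reading of what each condition usually means for an IKE peer and is not something the thread states. The second sample line is constructed.

```python
import re
from typing import Dict, List, Optional

# Pluto logs ICMP errors read from the IKE socket's error queue in this one-line shape.
PLUTO_ERR_RE = re.compile(
    r"asynchronous network error report on (?P<iface>\S+) "
    r"for message to (?P<peer>\S+) port (?P<port>\d+), "
    r"complainant (?P<complainant>\S+): (?P<text>.+?) "
    r"\[errno (?P<errno>\d+), origin ICMP type (?P<itype>\d+) code (?P<icode>\d+)"
)

# Linux errno values as pluto prints them (the UTM is Linux-based).
LINUX_ERRNO = {
    101: "ENETUNREACH (network is unreachable)",
    111: "ECONNREFUSED (connection refused)",
    113: "EHOSTUNREACH (no route to host)",
}

# RFC 792 names for the ICMP type/code pairs that show up for UDP-carried IKE.
ICMP_NAMES = {
    (3, 0): "destination unreachable: net unreachable",
    (3, 1): "destination unreachable: host unreachable",
    (3, 3): "destination unreachable: port unreachable",
    (3, 4): "destination unreachable: fragmentation needed and DF set",
    (3, 10): "destination unreachable: host administratively prohibited",
    (3, 13): "destination unreachable: communication administratively prohibited",
    (11, 0): "time exceeded: TTL exceeded in transit",
    (11, 1): "time exceeded: fragment reassembly time exceeded",
}

# My interpretation of each condition for an IKE peer (assumption, not from the thread).
ICMP_HINTS = {
    (3, 3): "nothing listens on that UDP port at the complainant (IKE daemon down, or a NAT mapping expired)",
    (3, 4): "the datagram exceeds the path MTU with DF set; IKE fragmentation or a lower MTU is needed",
    (11, 1): "the complainant got only some fragments of a large datagram and timed out reassembling it; "
             "large IKE messages (e.g. with certificates) fragment, and a fragment was dropped on the path",
}

# IKE normally uses UDP 500 and, behind NAT, 4500; any other port means a NAT rewrote it.
IKE_PORTS = {500, 4500}


def decode_pluto_error(line: str) -> Optional[Dict[str, object]]:
    """Parse one pluto error line into its fields plus human-readable names and a hint."""
    m = PLUTO_ERR_RE.search(line)
    if not m:
        return None
    key = (int(m["itype"]), int(m["icode"]))
    port = int(m["port"])
    err = int(m["errno"])
    return {
        "iface": m["iface"],
        "peer": m["peer"],
        "port": port,
        "complainant": m["complainant"],
        "errno": err,
        "errno_name": LINUX_ERRNO.get(err, "unknown errno"),
        "icmp": ICMP_NAMES.get(key, f"ICMP type {key[0]} code {key[1]}"),
        "hint": ICMP_HINTS.get(key, "no specific hint"),
        # ICMP sent by the peer address itself (or the NAT device that owns it)?
        "from_peer": m["complainant"] == m["peer"],
        # A non-IKE port shows the peer sits behind a port-translating NAT.
        "nat_port_translated": port not in IKE_PORTS,
    }


def summarize(lines: List[str]) -> List[str]:
    """One explanatory sentence per recognised pluto error line."""
    out = []
    for line in lines:
        d = decode_pluto_error(line)
        if d is None:
            continue
        out.append(
            f"{d['iface']}: IKE to {d['peer']}:{d['port']} "
            f"({'NAT-translated port' if d['nat_port_translated'] else 'standard IKE port'}) "
            f"got {d['icmp']} from {d['complainant']} -> {d['errno_name']}; {d['hint']}"
        )
    return out


# First line is the one from the post; the second is constructed for illustration.
SAMPLE_LOG = [
    "ERROR: asynchronous network error report on eth1 for message to 95.222.24.192 port 29364, "
    "complainant 95.222.24.192: No route to host [errno 113, origin ICMP type 11 code 1 (not authenticated)]",
    "ERROR: asynchronous network error report on eth0 for message to 203.0.113.7 port 500, "
    "complainant 203.0.113.7: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]",
]

if __name__ == "__main__":
    for s in summarize(SAMPLE_LOG):
        print(s)
```

The "(not authenticated)" suffix is part of pluto's fixed format: ICMP errors carry no authentication, so the daemon reports them but does not tear down the SA on their say-so. Note that the complainant and the destination are the same address and the port is a high random one, which is what a peer behind a port-translating NAT (DS-Lite CGN here) looks like from the responder.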



  • Hi

    Thanks for your answer :)

    I've checked the rules - everything seems OK except for several

    "WARNING! packet already has AFC mark value (0x00003106), replacing with 0x000001d8"

    in the application control log. Reading this post, this shouldn't be a problem:

    preimbuing2.rssing.com/browser.php


    As described above the client has no public IPv4 (not even a dynamic one - cheers to Unitymedia DS-Lite-crap!).

    The server has a static IPv4.

    So how is a site-to-site VPN possible? Until now, I thought this was not possible without public IPs on both sides.

    Frank

  • L2TP/IPsec: I also would check the firewall log on the device in front of the Synology. I bet you see it blocking something related to the Synology's attempt to connect.

    Site-to-Site: Assuming that the UTM has a public IP and is not also behind a NATting router, the easiest is to make a Remote gateway in the UTM that is "Respond only" using a PSK. Then, just configure the Synology as you would as if it also had a public IP. This will cause the UTM to wait for the Synology to "call" it, thus mimicking a Remote Access connection.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA