This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Can't make L2TP over IPSec work.

Hi,

I'm going crazy with that L2TP over IPSec stuff. Here's what I've done;

1. Setup the Astaro; masquerade, packet filter, etc
RESULT: OK, I can browse the Internet, my server behind NAT work fine, ok let's add a VPN. I'll choose L2TP over IPSec (for what I remember from CCNA it's the best you can get, whatever).

2. GO to IPSec VPN >> Connections
             Status: ENABLE
             New IPSec Connection:
             Name: XP_VPN
             Type: MS Windows L2TP over IPSec
             Local Endpoint: External
             Remote Endpoint: Any
             IPSec Shared Secret: xxxxxx

3. GO to Definitions >> Networks
    Check if IPSEC-Pool has been generated...YES

NOW the first point of failure in my configuration:

     Changed IPSEC-Pool subnet to the internal LAN I would like the client connects to.

IS THIS CORRECT ??? Or is this already I configuration mistake? (I've tried also with autogenerated IPSEC-Pools; result doesn't work either).

4. GO to IPSec VPN >> L2TP over IPSec
    L2TP over IPSec Settings
             Authentication: Local Users (user already created and allowed to use L2TP over IPSec)
             Debugging: Off
             IP address assignement: Static IP pool
     L2TP over IPSec IP Pool
             Network: IPSEC-Pool
             Network Address: internal network of the ASTARO (where I'd like to connect from the outside through a VPN)
             Subnet Mask:   255.255.255.0 (oh no you can see my subnet mask, hehe)
             Useable IP Addresses:   253
     L2TP over IPSec Client Parameters
             Client DNS Servers: internal network DNS server IP

I didn't added any NAT MASQUERADE for the IPSec-Pool at first nor Packet filtering rules.
RESULT: it doesn't work

5. Added NAT MASQUERADE RULE as for the Internal Network but this time for the IPSEC-POOL as well
   Added PACKET FILTER RULES for the IPSEC-POOL (source: IPSEC-POOL destination: ANY service: ANY). Well the most open rules to avoid problems here.
RESULT: doesn't work;

            I can connect to the VPN, it verifies username and password, it assigns an IP to the client, ipconfig on the VPN client seems fine except I have no gateway, and I don't know how to define it for the client (should use the ASTARO as gateway by default. I mean, the ASTARO should act as a gateway for my IPSEC-Pool and allow me to access the remote network)

             BUT, except the VPN client IP obtained from the IPSec-Pool, I can't ping nor reach any host in the remote network.

ASTARO VERSION: 6.300
CLIENT CONFIGURATION: 2003 SP1 or XP SP2 (tried on both systems)

Everything by default on the VPN connection except shared key.

And there I'm stuck.

Let me know if there's enough information for anyone to help me (I didn't added attachments, I don't know if the VBulletin Forum of Astaro will accept screenshots of my ASTARO configuration.

Hope someone will have a good HOW TO to solve this problem.

This thread was automatically locked due to age.

Parents

0 headhunter_unit23 over 19 years ago

I will post the full HOW TO quickly setup a VPN host-to-net using XP and pre shared keys
Cancel
Vote Up 0 Vote Down

Cancel
0 eric.dechansiaud@free.fr over 19 years ago in reply to headhunter_unit23

Thank you in forwarding your how-to, I'm interested
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 eric.dechansiaud@free.fr over 19 years ago in reply to headhunter_unit23

Thank you in forwarding your how-to, I'm interested
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 InlineFive over 18 years ago in reply to eric.dechansiaud@free.fr

Is your Packet Filter Spoof Protection set to Strict? My L2TP wouldn't work until I set it to Normal.

And now all I have to do is figure out which policy L2TP uses so I can get it off of 3DES. Apparently it doesn't use MS_DEFAULT like it did in ASGv5.
Cancel
Vote Up 0 Vote Down

Cancel