ASG Personal Firewall - L2TP IPSec VPN - HELP!

Let me first state that I'm a complete newbie when it comes to setting up VPN connections and a novice at firewall rules.  My networking experience is moderate, but I'm still fuzzy on some stuff.  I've probably messed something up and am not opposed to reinstalling from scratch and setting it up differently. So treat me like a novice, please.

This is what my network layout looks like, basically:


My ASG is a VM.  I'm trying to set up VPN on it over IPsec, and here are my settings screens for L2TP over IPsec, IPsec, Packet Filter, NAT:
    (It only let me do 4 images, but the other one is masquerading.)

When I turn on NAT-T via ASG, I get: 

cannot respond to IPsec SA request because no connection is known for 71.x.x.x/32===10.0.1.240:4500[10.0.1.240]:17/1701...66.y.y.y:61731[21.z.z.z3]:17/%any==={21.z.z.z/32}

When I turn it back off, I get:

initial Main Mode message received on 10.0.1.240:500 but no connection has been authorized with policy=PSK.

Here's my ipsec.conf file:


config setup
        charonstart="no"
        plutodebug="none"
        uniqueids="no"
        nocrsend="yes"
        nat_traversal="yes"
        keep_alive="60"
        crlcheckinterval="0"
        strictcrlpolicy="no"
        probe_psk="no"

conn %default
        rekeyfuzz="100%"
        keyingtries="0"
        leftsendcert="always"
        dpddelay="30"
        dpdtimeout="120"
        dpdaction="restart"

# Inside
conn S_REF_tzRjfXcsrd_0
        authby="psk"
        auto="add"
        compress="no"
        esp="aes256-md5"
        ike="aes256-md5-modp1536"
        ikelifetime="7800"
        keyexchange="ike"
        keyingtries="3"
        keylife="3600"
        left="10.0.1.240"
        leftsubnet="10.0.1.0/24"
        leftupdown="/usr/libexec/ipsec/updown classic"
        pfs="no"
        rekeymargin="540"
        right="0.0.0.0"
        rightid="%any"
        rightsourceip="%REF_DefaultRWPool"
        type="tunnel"

# L2TP over IPsec
conn S_REF_XBQClMWtmT_0
        authby="psk"
        auto="add"
        compress="no"
        esp="3des-md5"
        ike="3des-sha-modp2048"
        ikelifetime="28800"
        keyexchange="ike"
        keyingtries="3"
        keylife="3600"
        left="10.0.1.240"
        leftprotoport="17/1701"
        leftupdown="/usr/libexec/ipsec/updown strict"
        pfs="no"
        rekey="no"
        rekeymargin="540"
        right="0.0.0.0"
        rightid="%any"
        rightprotoport="17/%any"
        rightsubnetwithin="0.0.0.0/0"
        type="transport"

conn S_REF_XBQClMWtmT_1
        authby="psk"
        auto="add"
        compress="no"
        esp="3des-md5"
        ike="3des-sha-modp2048"
        ikelifetime="28800"
        keyexchange="ike"
        keyingtries="3"
        keylife="3600"
        left="10.0.1.240"
        leftprotoport="17/0"
        leftupdown="/usr/libexec/ipsec/updown strict"
        pfs="no"
        rekey="no"
        rekeymargin="540"
        right="0.0.0.0"
        rightid="%any"
        rightprotoport="17/%any"
        rightsubnetwithin="0.0.0.0/0"
        type="transport"


With the situation listed above, does anyone have any suggestions on what I'm doing wrong or what I need to change? Better yet, can someone explain it to me as well?

Thanks, and sorry for the book.
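Added example (mine, not from the post or from Sophos): a small script that decodes the NAT-T-on pluto message quoted above and checks it against the conn blocks of the posted ipsec.conf. It shows the part of the message that matters, the selector pair before and after `...`, and which conn would otherwise have matched. The sample input is the message and the conf from the post itself (trimmed to the keys used here); the rule that a conn only serves a request whose selector names the conn's own `left` address is my reading of how pluto matches, so treat the "left=... but peer asked for ..." line as a hint to look at, not as a Sophos diagnostic.

```python
"""Decode pluto's "no connection is known for ..." message and compare it with
the conn blocks of an ipsec.conf to see which conn should have matched and why
it did not."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the NAT-T-on message quoted in the post, verbatim.
NATT_ON_MSG = ("cannot respond to IPsec SA request because no connection is known for "
               "71.x.x.x/32===10.0.1.240:4500[10.0.1.240]:17/1701"
               "...66.y.y.y:61731[21.z.z.z3]:17/%any==={21.z.z.z/32}")

# The conns from the posted ipsec.conf, trimmed to the keys this check uses.
IPSEC_CONF = """\
conn %default
        keyingtries="0"

# Inside
conn S_REF_tzRjfXcsrd_0
        left="10.0.1.240"
        leftsubnet="10.0.1.0/24"
        right="0.0.0.0"
        type="tunnel"

# L2TP over IPsec
conn S_REF_XBQClMWtmT_0
        left="10.0.1.240"
        leftprotoport="17/1701"
        right="0.0.0.0"
        rightprotoport="17/%any"
        rightsubnetwithin="0.0.0.0/0"
        type="transport"

conn S_REF_XBQClMWtmT_1
        left="10.0.1.240"
        leftprotoport="17/0"
        right="0.0.0.0"
        rightprotoport="17/%any"
        rightsubnetwithin="0.0.0.0/0"
        type="transport"
"""

# pluto prints:  <our selector>===<our addr>:<port>[<id>]:<proto>/<port>...
#                <peer addr>:<port>[<id>]:<proto>/<port>==={<peer selector>}
_SEL_RE = re.compile(
    r"no connection is known for "
    r"(?P<left_subnet>\S+?)==="
    r"(?P<left_host>[^:\s]+):(?P<left_port>\d+)\[(?P<left_id>[^\]]*)\]:"
    r"(?P<left_proto>\d+)/(?P<left_pport>\S+?)\.\.\."
    r"(?P<right_host>[^:\s]+):(?P<right_port>\d+)\[(?P<right_id>[^\]]*)\]:"
    r"(?P<right_proto>\d+)/(?P<right_pport>[^=\s]+)==="
    r"\{(?P<right_subnet>[^}]+)\}")


def parse_pluto_no_conn(line: str) -> Dict[str, str]:
    """Split the message into its selector/endpoint fields (values kept as text)."""
    m = _SEL_RE.search(line)
    if not m:
        raise ValueError("not a pluto 'no connection is known for' message")
    return m.groupdict()


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ipsec.conf reader: conn blocks of key="value" lines; config is ignored."""
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif line.startswith("config "):
            current = None
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            current[key.strip()] = val.strip().strip('"')
    return conns


def protoport_matches(spec: Optional[str], proto: str, port: str) -> bool:
    """spec is a conf protoport ("17/1701", "17/0", "17/%any"); None = unrestricted.
    Port 0 / %any on either side is a wildcard."""
    if spec is None:
        return True
    sproto, _, sport = spec.partition("/")
    if sproto not in ("0", "%any", proto):
        return False
    return sport in ("", "0", "%any") or port in ("%any", sport)


def nat_hints(sel: Dict[str, str]) -> List[str]:
    """What the endpoint fields say about NAT on each side."""
    hints = []
    our_sel, peer_sel = sel["left_subnet"].split("/")[0], sel["right_subnet"].split("/")[0]
    if sel["left_port"] == "4500":
        hints.append("request arrived on UDP 4500: NAT-T (UDP encapsulation) is in use")
    if our_sel != sel["left_host"]:
        hints.append(f"peer addressed {our_sel} but our socket is {sel['left_host']}: "
                     "this gateway is behind NAT")
    if peer_sel != sel["right_host"]:
        hints.append(f"peer's inner address {peer_sel} differs from its outer "
                     f"{sel['right_host']}: the client is behind NAT too")
    return hints


def check_conns(conns: Dict[str, Dict[str, str]],
                sel: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Per conn, the reasons it cannot serve this request (empty list = should match).
    Assumption (mine): pluto needs the conn's left to equal the address in our selector."""
    host_only = all(s.endswith("/32") for s in (sel["left_subnet"], sel["right_subnet"]))
    wanted = "transport" if host_only else "tunnel"
    req_left = sel["left_subnet"].split("/")[0]
    report = []
    for name, c in conns.items():
        if name.startswith("%"):
            continue
        reasons = []
        ctype = c.get("type", "tunnel")
        if ctype != wanted:
            reasons.append(f"type={ctype} but request is {wanted}-mode")
        if not protoport_matches(c.get("leftprotoport"), sel["left_proto"], sel["left_pport"]):
            reasons.append(f"leftprotoport={c.get('leftprotoport')} != "
                           f"{sel['left_proto']}/{sel['left_pport']}")
        if not protoport_matches(c.get("rightprotoport"), sel["right_proto"], sel["right_pport"]):
            reasons.append(f"rightprotoport={c.get('rightprotoport')} != "
                           f"{sel['right_proto']}/{sel['right_pport']}")
        if c.get("left") != req_left:
            reasons.append(f"left={c.get('left')} but peer asked for {req_left} "
                           "(our address as the peer sees it)")
        report.append((name, reasons))
    return report


if __name__ == "__main__":
    selector = parse_pluto_no_conn(NATT_ON_MSG)
    for hint in nat_hints(selector):
        print("hint:", hint)
    for conn, why in check_conns(parse_ipsec_conf(IPSEC_CONF), selector):
        print(conn, "-> matches" if not why else "-> " + "; ".join(why))
```

Run it against the message and conf as posted: both L2TP conns pass the type and protoport checks and are left with a single complaint, that the peer's selector names 71.x.x.x while every conn has left=10.0.1.240, which is exactly the gap between "our socket" and "our selector" visible in the log line itself.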


  • Hi, Superphrk, and welcome to the User BB!

    L2TP over IPsec and IPsec are two different Remote Access servers.  I think the settings on the 'Advanced' tab in IPsec are the same as those in IPsec under Site-to-Site, and that these are used by all IPsec connections including L2TP.  Configuring the 'Connections' tab in IPsec won't have any effect on L2TP.

    It's likely that you will want NAT-T.

    None of your configuration (outside of NAT-T) looks incorrect.  What client(s) are you using?  From where?  In the client(s), what external IP are you connecting to?

    Cheers - Bob