Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 19 replies
  • Subscribers 1 subscriber
  • Views 6032 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Trying to setup VPN L2TSP

thefuzz4
Hey Everyone,

So I'm finally after several years attempting to get the VPN on my Astaro Box working.  I'm currently using the UTM 9.  I can connect just fine to my VPN with no issues.  But once I'm connected I can not go anywhere.  I have created firewall rules to allow the VPN address pool for the L2TSP to have access to both my internal network as well as the internet.  But what I find interesting in the logs is that when I connect, in the firewall log instead of showing my vpn address it shows the actual external address of where I'm connecting in from.


15:14:55 Packet filter rule #23 L2TP
8.x.x.x  : 46141

199.167.177.37 : 1227

In this example I was just trying to go whatismyip.com

I've also added the appropriate masq rules as well.  Thank you all in advance for your help with this.

I am currently testing this with an Android Tablet running ICS.  Thanks


This thread was automatically locked due to age.
  • 0
    Hi, 
    Maybe your masquerading or packetfilter rules are wrong; please post screenshots.

    Barry
  • 0
    screenshots will be coming your way good sir
  • 0
    Hmm... looks OK to me.

    Is DNS working for the VPN client?
    How about pings?

    Barry
  • 0
    Ok its working now somewhat but very slowly,  The one thing that I'm seeing a lot of is the default drops in the FW log for Port 443 for the L2TP.  Not really sure whats causing those to show up in there.
  • 0
    Ok its working now somewhat but very slowly, The one thing that I'm seeing a lot of is the default drops in the FW log for Port 443 for the L2TP.

    OK, prodably two different things.  Show us the FW log for the access attempt.

    Cheers S- Bob
  • 0
    Here is the exert from the logs

    2012:08:06-15:06:42 phoenix-1 ulogd[8000]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="23" initf="ppp0" outitf="eth1" mark="0x106" app="262" srcmac="0:1a:8c:f0:cb:41" srcip="8.30.133.40" dstip="199.167.177.37" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="46141" dstport="1227" tcpflags="ACK" 
    2012:08:06-15:06:45 phoenix-1 ulogd[8000]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="23" initf="ppp0" outitf="eth1" mark="0x106" app="262" srcmac="0:1a:8c:f0:cb:41" srcip="8.30.133.40" dstip="199.167.177.37" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="46141" dstport="1227" tcpflags="ACK" 

    2012:08:06-15:07:13 phoenix-1 ulogd[8000]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="23" initf="ppp0" outitf="eth1" mark="0x106" app="262" srcmac="0:1a:8c:f0:cb:41" srcip="8.30.133.40" dstip="4.68.90.79" proto="6" length="89" tos="0x00" prec="0x00" ttl="63" srcport="38783" dstport="443" tcpflags="ACK PSH FIN"

    2012:08:06-15:07:15 phoenix-1 ulogd[8000]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="2" initf="ppp0" outitf="eth1" mark="0x106" app="262" srcmac="0:1a:8c:f0:cb:41" srcip="10.242.3.2" dstip="199.83.168.136" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="56812" dstport="443" tcpflags="SYN" 



    Thank you for your help with this, its just a little confusing as to why it would be dropping it.  Let me know if you need more samples from my log files. 
    EDIT: FYI the 10.242.3.2 is the VPN client address and the 8.30.133.40 is the internet address of the client
  • 0
    Your Firewall rule #23 is causing these drops.

    Cheers - Bob
  • 0
    Hey Bob,

    Ok so with rule 23 currently disabled (all it was, was my catch all deny for anything not meeting the FW rules)  Here is what I'm seeing in the live logs


    10:24:09	Default DROP	L2TP	
    8.30.130.131	:	53619

    66.220.149.99	:	443
    [ACK]	len=64	ttl=63	tos=0x00	srcmac=0:1a:8c:f0:cb:41
    10:24:09	Default DROP	L2TP	
    8.30.130.131	:	40747

    4.68.90.79	:	443
    [ACK PSH FIN]	len=89	ttl=63	tos=0x00	srcmac=0:1a:8c:f0:cb:41
    10:24:09	Default DROP	L2TP	
    8.30.130.131	:	55683

    74.125.227.134	:	443
    [ACK]	len=64	ttl=63	tos=0x00	srcmac=0:1a:8c:f0:cb:41
    10:24:11	Default DROP	L2TP	
    8.30.130.131	:	33122

    199.83.168.136	:	443
    [ACK PSH]	len=156	ttl=63	tos=0x00	srcmac=0:1a:8c:f0:cb:41
    10:24:12	Default DROP	L2TP	
    8.30.130.131	:	40747

    4.68.90.79	:	443
    [AC K PSH FIN]	len=89	ttl=63	tos=0x00	srcmac=0:1a:8c:f0:cb:41


    Thank you for your help with this
  • 0
    The Firewall Live Log doesn't have much information compared to the full logfile.  I would suspect 'Anti-DoS Flooding' if the Defaul DROP rule is "60013" in that file.

    Cheers - Bob