Establishing remote access VPN

Hi All,
I'm trying to set up remote access VPN to my home LAN which is protected by an Astaro UTM 9.x gateway. I'm wanting to use L2TP over IPsec but can't get the link to establish through my external NIC. Using the same settings (except to change the VPN to 'internal interface') I can establish a stable VPN via the LAN side of the gateway. I've tried disabling as many security features as I can think of and have set up a rule to allow 'anything to anywhere' but it's got me beat!
I've copied in the VPN logs in the hope that it means something to someone...
Thanks,
Colin

(PS - sorry this will look like War & Peace)

External interface (WAN) – can’t establish VPN

CandCB pluto[21248]: loading secrets from "/etc/ipsec.secrets" 
CandCB pluto[21248]: loaded PSK secret for 88.104.166.168 %any 
CandCB pluto[21248]: forgetting secrets 
CandCB pluto[21248]: loading secrets from "/etc/ipsec.secrets" 
CandCB pluto[21248]: loaded PSK secret for 88.104.166.168 %any 
CandCB pluto[21248]: loading ca certificates from '/etc/ipsec.d/cacerts' 
CandCB pluto[21248]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem' 
CandCB pluto[21248]: loading aa certificates from '/etc/ipsec.d/aacerts' 
CandCB pluto[21248]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts' 
CandCB pluto[21248]: loading attribute certificates from '/etc/ipsec.d/acerts' 
CandCB pluto[21248]: Changing to directory '/etc/ipsec.d/crls' 
CandCB pluto[21248]: "S_for RemoteUser": deleting connection 
CandCB pluto[21248]: "S_for RemoteUser": deleting connection 
CandCB pluto[21248]: added connection description "S_for RemoteUser" 
CandCB pluto[21248]: added connection description "S_for RemoteUser" 
CandCB pluto[21248]: packet from 88.104.166.254:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004] 
CandCB pluto[21248]: packet from 88.104.166.254:500: ignoring Vendor ID payload [FRAGMENTATION] 
CandCB pluto[21248]: packet from 88.104.166.254:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] 
CandCB pluto[21248]: packet from 88.104.166.254:500: ignoring Vendor ID payload [Vid-Initial-Contact] 
CandCB pluto[21248]: "S_for RemoteUser"[1] 88.104.166.254 #67: responding to Main Mode from unknown peer 88.104.166.254 
CandCB pluto[21248]: packet from 88.104.166.254:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004] 
CandCB pluto[21248]: packet from 88.104.166.254:500: ignoring Vendor ID payload [FRAGMENTATION] 
CandCB pluto[21248]: packet from 88.104.166.254:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] 
CandCB pluto[21248]: packet from 88.104.166.254:500: ignoring Vendor ID payload [Vid-Initial-Contact] 
CandCB pluto[21248]: "S_for RemoteUser"[1] 88.104.166.254 #68: responding to Main Mode from unknown peer 88.104.166.254 
CandCB pluto[21248]: packet from 88.104.166.254:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004] 
CandCB pluto[21248]: packet from 88.104.166.254:500: ignoring Vendor ID payload [FRAGMENTATION] 
CandCB pluto[21248]: packet from 88.104.166.254:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] 
CandCB pluto[21248]: packet from 88.104.166.254:500: ignoring Vendor ID payload [Vid-Initial-Contact] 
CandCB pluto[21248]: "S_for RemoteUser"[1] 88.104.166.254 #69: responding to Main Mode from unknown peer 88.104.166.254 
CandCB pluto[21248]: packet from 88.104.166.254:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004] 
CandCB pluto[21248]: packet from 88.104.166.254:500: ignoring Vendor ID payload [FRAGMENTATION] 
CandCB pluto[21248]: packet from 88.104.166.254:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] 
CandCB pluto[21248]: packet from 88.104.166.254:500: ignoring Vendor ID payload [Vid-Initial-Contact] 
CandCB pluto[21248]: "S_for RemoteUser"[1] 88.104.166.254 #70: responding to Main Mode from unknown peer 88.104.166.254 
CandCB pluto[21248]: packet from 88.104.166.254:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004] 
CandCB pluto[21248]: packet from 88.104.166.254:500: ignoring Vendor ID payload [FRAGMENTATION] 
CandCB pluto[21248]: packet from 88.104.166.254:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] 
CandCB pluto[21248]: packet from 88.104.166.254:500: ignoring Vendor ID payload [Vid-Initial-Contact] 
CandCB pluto[21248]: "S_for RemoteUser"[1] 88.104.166.254 #71: responding to Main Mode from unknown peer 88.104.166.254 
CandCB pluto[21248]: packet from 88.104.166.254:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004] 
CandCB pluto[21248]: packet from 88.104.166.254:500: ignoring Vendor ID payload [FRAGMENTATION] 
CandCB pluto[21248]: packet from 88.104.166.254:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] 
CandCB pluto[21248]: packet from 88.104.166.254:500: ignoring Vendor ID payload [Vid-Initial-Contact] 
2012:12:06-19:35:15 CandCB pluto[21248]: "S_for RemoteUser"[1] 88.104.166.254 #72: responding to Main Mode from unknown peer 88.104.166.254 
2012:12:06-19:35:22 CandCB pluto[21248]: packet from 88.104.166.254:500: ignoring Delete SA payload: not encrypted 

Internal interface – VPN works fine
CandCB pluto[21248]: packet from 192.168.0.99:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004] 
CandCB pluto[21248]: packet from 192.168.0.99:500: ignoring Vendor ID payload [FRAGMENTATION] 
CandCB pluto[21248]: packet from 192.168.0.99:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] 
CandCB pluto[21248]: packet from 192.168.0.99:500: ignoring Vendor ID payload [Vid-Initial-Contact] 
CandCB pluto[21248]: "S_for RemoteUser"[1] 192.168.0.99 #73: responding to Main Mode from unknown peer 192.168.0.99 
CandCB pluto[21248]: "S_for RemoteUser"[1] 192.168.0.99 #73: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected 
CandCB pluto[21248]: "S_for RemoteUser"[1] 192.168.0.99 #73: Peer ID is ID_IPV4_ADDR: '192.168.0.99' 
CandCB pluto[21248]: "S_for RemoteUser"[1] 192.168.0.99 #73: sent MR3, ISAKMP SA established 
CandCB pluto[21248]: "S_for RemoteUser"[1] 192.168.0.99 #74: responding to Quick Mode 
CandCB pluto[21248]: "S_for RemoteUser"[1] 192.168.0.99 #74: IPsec SA established {ESP=>0x4a5b7498  WAITCTLCONN 
CandCB openl2tpd[25731]: PROTO: tunl 11823: SCCCN received from peer 1 
CandCB openl2tpd[25731]: FSM: CCE(11823) event SCCCN_ACCEPT in state WAITCTLCONN 
CandCB openl2tpd[25731]: FUNC: tunl 11823 up 
CandCB openl2tpd[25731]: FSM: CCE(11823) state change: WAITCTLCONN --> ESTABLISHED 
CandCB openl2tpd[25731]: PROTO: tunl 11823/0: ICRQ received from peer 1 
CandCB openl2tpd[25731]: PROTO: tunl 11823/19360: sending ICRP to peer 1/1 
CandCB openl2tpd[25731]: PROTO: tunl 11823/19360: ICCN received from peer 1 
CandCB pppd-l2tp[5852]: Plugin aua.so loaded. 
CandCB pppd-l2tp[5852]: AUA plugin initialized. 
CandCB pppd-l2tp[5852]: Plugin ippool.so loaded. 
CandCB pppd-l2tp[5852]: Plugin pppol2tp.so loaded. 
CandCB pppd-l2tp[5852]: pppd 2.4.5 started by (unknown), uid 0 
CandCB pppd-l2tp[5852]: using channel 23 
CandCB pppd-l2tp[5852]: Using interface ppp1 
CandCB pppd-l2tp[5852]: Connect: ppp1  
CandCB pppd-l2tp[5852]: Overriding mtu 1500 to 1380 
CandCB pppd-l2tp[5852]: PPPoL2TP options: lnsmode tid 11823 sid 19360 debugmask 0 
CandCB pppd-l2tp[5852]: Overriding mru 1500 to mtu value 1380 
CandCB pppd-l2tp[5852]: sent [LCP ConfReq id=0x1    ]
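
To make the two excerpts above easier to compare, here is a small log-triage script (an added example, not part of the original post and not a tool shipped with the UTM) that walks a pluto/openl2tpd/pppd excerpt and reports the furthest milestone the connection reached. The milestone messages and the sample lines it runs on are taken from the logs in this thread; the phase names, the `negotiation_progress` and `diagnose` functions and the wording of the diagnoses are my own. Against the WAN excerpt it finds that phase 1 never advanced past the peer's first Main Mode message (the thread shows six fresh ISAKMP states, #67 to #72, then an unencrypted Delete SA; the sample embeds three of them), while the LAN excerpt runs all the way to a ppp interface. That difference is what separates a firewall-rule problem on the UTM from a problem on the path in front of it.

```python
import re

# Milestones that pluto (IKE), openl2tpd (L2TP) and pppd log on the UTM, in the
# order a successful L2TP/IPsec connection passes through them. The patterns
# come from the messages in the thread's two excerpts.
PHASES = [
    ("main_mode_response", re.compile(r"responding to Main Mode from unknown peer")),
    ("nat_t_result",       re.compile(r"NAT-Traversal: Result using")),
    ("isakmp_sa",          re.compile(r"ISAKMP SA established")),
    ("quick_mode",         re.compile(r"responding to Quick Mode")),
    ("ipsec_sa",           re.compile(r"IPsec SA established")),
    ("l2tp_tunnel",        re.compile(r"state change: WAITCTLCONN --> ESTABLISHED")),
    ("ppp_started",        re.compile(r"Using interface ppp\d+")),
]

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
# Every fresh Main Mode attempt gets a new ISAKMP state number (#67, #68, ...).
STATE_RE = re.compile(r"#(\d+): responding to Main Mode")


def negotiation_progress(log_lines):
    """Return the peer address, the furthest milestone reached, the number of
    distinct Main Mode attempts and any warnings found in one log excerpt."""
    furthest = -1
    peer = None
    attempts = set()
    warnings = []
    for line in log_lines:
        for idx, (_, pattern) in enumerate(PHASES):
            if pattern.search(line):
                furthest = max(furthest, idx)
                if peer is None:
                    match = IP_RE.search(line)
                    peer = match.group(1) if match else None
        match = STATE_RE.search(line)
        if match:
            attempts.add(int(match.group(1)))
        if "ignoring Delete SA payload: not encrypted" in line:
            warnings.append("peer sent an unencrypted Delete SA, i.e. it gave up "
                            "before phase 1 completed")
    return {
        "peer": peer,
        "furthest_phase": PHASES[furthest][0] if furthest >= 0 else None,
        "main_mode_attempts": len(attempts),
        "warnings": warnings,
    }


def diagnose(progress):
    """Map the furthest milestone to the layer a defender should look at next."""
    phase = progress["furthest_phase"]
    if phase in ("l2tp_tunnel", "ppp_started"):
        return "ok: IKE, IPsec and L2TP all completed"
    if phase == "ipsec_sa":
        return "IPsec SA is up but no L2TP control connection: check UDP/1701 inside the tunnel"
    if phase in ("isakmp_sa", "quick_mode"):
        return "phase 1 completed, phase 2 did not: check the IPsec proposal/policy for a mismatch"
    if phase == "nat_t_result":
        return "phase 1 got past the NAT-T check but no ISAKMP SA: check the PSK and peer ID"
    if phase == "main_mode_response":
        n = progress["main_mode_attempts"]
        return (f"phase 1 stalled after the peer's first Main Mode message; the peer restarted "
                f"it {n} time(s). The UTM's reply is not reaching the peer or the peer's next "
                "message is not reaching the UTM: examine the WAN path (NAT, upstream filtering "
                "of UDP/500, UDP/4500 and ESP) rather than the firewall rule set")
    return "no IKE traffic from the peer: nothing reached UDP/500 on this interface"


# Sample input: lines copied from the thread's WAN excerpt (three of the six attempts).
WAN_LOG = """\
CandCB pluto[21248]: packet from 88.104.166.254:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
CandCB pluto[21248]: packet from 88.104.166.254:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
CandCB pluto[21248]: "S_for RemoteUser"[1] 88.104.166.254 #70: responding to Main Mode from unknown peer 88.104.166.254
CandCB pluto[21248]: "S_for RemoteUser"[1] 88.104.166.254 #71: responding to Main Mode from unknown peer 88.104.166.254
CandCB pluto[21248]: "S_for RemoteUser"[1] 88.104.166.254 #72: responding to Main Mode from unknown peer 88.104.166.254
CandCB pluto[21248]: packet from 88.104.166.254:500: ignoring Delete SA payload: not encrypted
""".splitlines()

# Sample input: lines copied from the thread's working LAN excerpt.
LAN_LOG = """\
CandCB pluto[21248]: "S_for RemoteUser"[1] 192.168.0.99 #73: responding to Main Mode from unknown peer 192.168.0.99
CandCB pluto[21248]: "S_for RemoteUser"[1] 192.168.0.99 #73: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
CandCB pluto[21248]: "S_for RemoteUser"[1] 192.168.0.99 #73: sent MR3, ISAKMP SA established
CandCB pluto[21248]: "S_for RemoteUser"[1] 192.168.0.99 #74: responding to Quick Mode
CandCB pluto[21248]: "S_for RemoteUser"[1] 192.168.0.99 #74: IPsec SA established {ESP=>0x4a5b7498
CandCB openl2tpd[25731]: FSM: CCE(11823) state change: WAITCTLCONN --> ESTABLISHED
CandCB pppd-l2tp[5852]: Using interface ppp1
""".splitlines()

if __name__ == "__main__":
    for label, excerpt in (("WAN", WAN_LOG), ("LAN", LAN_LOG)):
        progress = negotiation_progress(excerpt)
        print(f"{label}: peer={progress['peer']} furthest={progress['furthest_phase']} "
              f"attempts={progress['main_mode_attempts']}")
        print(f"  -> {diagnose(progress)}")
        for warning in progress["warnings"]:
            print(f"  ! {warning}")
```

The `loaded PSK secret for 88.104.166.168 %any` lines at the top of the WAN excerpt show that pluto has a secret bound to the WAN address, so the listener itself is configured; what this script cannot tell is whether the UTM's Main Mode reply left the box and was dropped upstream, or whether the client's second message never arrived. A packet capture on the WAN interface filtered to UDP/500 during a connection attempt settles that, and is the check to do before touching the rule set any further.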


  • I've tried to establish a VPN via the internet today but it failed again.

    Do you mean that you tried to connect from another location?  If so, then you might check with your ISP to see if they block IPsec for home users.

    Cheers - Bob
  • Hi Bob,

    I've asked my ISP (TalkTalk) to clarify if they do anything to block VPN connections on residential customer accounts. Their reply was rather vague but when pushed further, their subsequent reply (copied below) suggests that they probably do try to prevent VPNs as a way of differentiating their 'business' services. I also talked to one of the IT programmers at work who agreed with you that it seemed likely that TalkTalk are blocking VPN access. He suggested using the SSL protocol (OpenVPN) as he suggested this was more configurable and can be harder to block.
    I've tried this and can successfully create the VPN link to my home server via the web. Do you have any experience of the SSL protocol from a security standpoint? If so, would you recommend any particular settings?

    Thanks again,
    Colin

    Question to TalkTalk
    I'm trying to set up a VPN connection so that when I'm out I can connect to my home server. I'm using L2TP over IPsec but can't establish a connection to my home IP (determined via DynDNS). Do TalkTalk do anything to prevent inbound VPN connections?

    TalkTalk reply
    I apologise for the inconvenience this is causing you.
    Kindly note that Virtual Private Network or VPN is not available to TalkTalk residential customers, as this requires a static IP address. We can only provide dynamic IP address for residential customers.
    Your patience and understanding in this regard are highly appreciated.
    If you have any further queries, please do not hesitate to reply or visit TalkTalk Help for more
    information.
    Yours sincerely,
    TalkTalk Customer Relations
  • In the interest of having it be as fast as possible, it's best to configure the SSL VPN with UDP instead of TCP.  Other than being a little slower than an IPsec VPN, it's just as reliable and secure.  In fact, unless you configure L2TP/IPsec with a certificate instead of a PSK, SSL is more secure because it only works with certificates.

    TalkTalk didn't answer your question at all, did they?  It appears from their answer that they thought you were trying to configure a site-to-site VPN, but, even then, their answer is incorrect.

    Cheers - Bob