This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

L2TP/IPSec behind NAT

Dear experts

I'd like to know it's possible to configure Astaro UTM work behind a NAT firewall and provide L2TP/IPSec remote access.
During the last week I tried serveral configuration and spend hours in reading manuals and forum postings - w/o success. (I'm a IPSec newbie).

My Configuration:
Win Client Router Internet Router Astaro

If the Astaro is behind a NAT router I find following in the log and no connection can be made: "cannot respond to IPsec SA request because no connection is known for...."
It works fine if I remove the router in front of the ASA. But this is not possible in my environment.

My Setup:
- Port Forward 500/4500 UDP. Tried also forwarding whole public IP.
- Set AssumeUDPEncapsulationContextOnSendRule=2 in Windows (Gewusst wie: Konfigurieren Sie einen L2TP/IPSec-Server hinter einem NAT-T-Gerät in Windows Vista und Windows Server 2008)
- Tried different Clients (WinXP, Win7, Android Phone)
- Tried Certificate instead of Pre-shared key
- Tried different Routers (Cisco, Netgear)

Is there a supported way to get it work? If not, I'll use SSL-VPN. But I prefer IPSec because of no need to install additional software.

Thanks, Markus

This thread was automatically locked due to age.

0 BAlfson over 11 years ago

Hi, Markus, and welcome to the User BB!
I'd like to know it's possible to configure Astaro UTM work behind a NAT firewall and provide L2TP/IPSec remote access

This is the first I've seen "Gewusst wie: Konfigurieren Sie einen L2TP/IPSec-Server hinter einem NAT-T-Gerät in Windows Vista und Windows Server 2008." It looks like this might work, but it's not been possible before.

Please start the IPsec Live Log in the UTM and show us the lines from a single connection attempt.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

0 MarkusN over 11 years ago in reply to BAlfson

Hi Bob

Thanks for your reply.
Sorry for the German link. Hope it was displayed in the correct langu for you.

Here is the (I hope relevant) part of the log:
Client: 100.0.0.1
Server: 200.0.0.1


2013:09:20-12:16:16 astaro pluto[7809]: | ******parse ISAKMP Oakley attribute:

2013:09:20-12:16:16 astaro pluto[7809]: | af+type: OAKLEY_LIFE_DURATION (variable length)

2013:09:20-12:16:16 astaro pluto[7809]: | length/value: 4

2013:09:20-12:16:16 astaro pluto[7809]: | preparse_isakmp_policy: peer requests PUBKEY authentication

2013:09:20-12:16:16 astaro pluto[7809]: | instantiated "L_for admin" for 100.0.0.1

2013:09:20-12:16:16 astaro pluto[7809]: | creating state object #1 at 0x9ddf6d8

2013:09:20-12:16:16 astaro pluto[7809]: | state hash entry 2

2013:09:20-12:16:16 astaro pluto[7809]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1

2013:09:20-12:16:16 astaro pluto[7809]: "L_for admin"[1] 100.0.0.1 #1: responding to Main Mode from unknown peer 100.0.0.1

2013:09:20-12:16:16 astaro pluto[7809]: | **emit ISAKMP Message:

2013:09:20-12:16:16 astaro pluto[7809]: | ISAKMP version: ISAKMP Version 1.0

2013:09:20-12:16:16 astaro pluto[7809]: | exchange type: ISAKMP_XCHG_IDPROT

2013:09:20-12:16:16 astaro pluto[7809]: | flags: none

2013:09:20-12:16:16 astaro pluto[7809]: | message ID: 00 00 00 00

2013:09:20-12:16:16 astaro pluto[7809]: "L_for admin"[1] 100.0.0.1 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed

2013:09:20-12:16:16 astaro pluto[7809]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 60 seconds

2013:09:20-12:16:16 astaro pluto[7809]: | size of DH secret exponent: 2047 bits

2013:09:20-12:16:16 astaro pluto[7809]: | ***emit ISAKMP Key Exchange Payload:

2013:09:20-12:16:16 astaro pluto[7809]: | next payload type: ISAKMP_NEXT_NONCE

[...]

2013:09:20-12:16:16 astaro pluto[7809]: | emitting length of ISAKMP NAT-D Payload: 24

2013:09:20-12:16:16 astaro pluto[7809]: | emitting length of ISAKMP Message: 356

2013:09:20-12:16:16 astaro pluto[7809]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1

2013:09:20-12:16:16 astaro pluto[7809]: | next event EVENT_RETRANSMIT in 10 seconds for #1

2013:09:20-12:16:16 astaro pluto[7809]: |

2013:09:20-12:16:16 astaro pluto[7809]: | *received 1700 bytes from 100.0.0.1:4500 on eth1.10

2013:09:20-12:16:16 astaro pluto[7809]: | **parse ISAKMP Message:

[...]

2013:09:20-12:16:16 astaro pluto[7809]: | next payload type: ISAKMP_NEXT_NONE

2013:09:20-12:16:16 astaro pluto[7809]: | length: 133

2013:09:20-12:16:16 astaro pluto[7809]: | cert type: CERT_X509_SIGNATURE

2013:09:20-12:16:16 astaro pluto[7809]: | removing 2 bytes of padding

2013:09:20-12:16:16 astaro pluto[7809]: "L_for admin"[1] 100.0.0.1 #1: Peer ID is ID_DER_ASN1_DN: 'C=de, L=..., O=..., CN=admin, E=...@me.de'

[...]

2013:09:20-12:16:16 astaro pluto[7809]: | offered CA: "C=de, L=..., O=..., CN=... VPN CA, E=...@me.de"

2013:09:20-12:16:16 astaro pluto[7809]: | switched from "L_for admin" to "L_for admin"

2013:09:20-12:16:16 astaro pluto[7809]: | instantiated "L_for admin" for 100.0.0.1

2013:09:20-12:16:16 astaro pluto[7809]: "L_for admin"[2] 100.0.0.1 #1: deleting connection "L_for admin"[1] instance with peer 100.0.0.1 {isakmp=#0/ipsec=#0}

2013:09:20-12:16:16 astaro pluto[7809]: | certs and keys locked by 'delete_connection'

2013:09:20-12:16:16 astaro pluto[7809]: | certs and keys unlocked by 'delete_connection'

2013:09:20-12:16:16 astaro pluto[7809]: | **emit ISAKMP Message:

2013:09:20-12:16:16 astaro pluto[7809]: | initiator cookie:

[...]

2013:09:20-12:16:16 astaro pluto[7809]: | emitting length of ISAKMP Message: 1484

2013:09:20-12:16:16 astaro pluto[7809]: | NAT-T: new mapping 100.0.0.1:500/4500)

2013:09:20-12:16:16 astaro pluto[7809]: | inserting event EVENT_SA_EXPIRE, timeout in 28800 seconds for #1

2013:09:20-12:16:16 astaro pluto[7809]: "L_for admin"[2] 100.0.0.1:4500 #1: sent MR3, ISAKMP SA established

2013:09:20-12:16:16 astaro pluto[7809]: | next event EVENT_NAT_T_KEEPALIVE in 60 seconds

2013:09:20-12:16:17 astaro pluto[7809]: |

2013:09:20-12:16:17 astaro pluto[7809]: | *received 316 bytes from 100.0.0.1:4500 on eth1.10

2013:09:20-12:16:17 astaro pluto[7809]: | **parse ISAKMP Message:

2013:09:20-12:16:17 astaro pluto[7809]: | initiator cookie:

2013:09:20-12:16:17 astaro pluto[7809]: | ID type: ID_IPV4_ADDR

2013:09:20-12:16:17 astaro pluto[7809]: | removing 5 bytes of padding

2013:09:20-12:16:17 astaro pluto[7809]: | our client is 200.0.0.1

2013:09:20-12:16:17 astaro pluto[7809]: | our client protocol/port is 17/1701

2013:09:20-12:16:17 astaro pluto[7809]: | no valid attribute cert found

2013:09:20-12:16:17 astaro pluto[7809]: | find_client_connection starting with L_for admin

2013:09:20-12:16:17 astaro pluto[7809]: | looking for 200.0.0.1/32:17/1701 -> 100.0.0.1/32:17/4500

2013:09:20-12:16:17 astaro pluto[7809]: | concrete checking against sr#0 172.16.0.3/32 -> 0.0.0.0/0

2013:09:20-12:16:17 astaro pluto[7809]: | fc_try concluding with none [0]

2013:09:20-12:16:17 astaro pluto[7809]: | fc_try L_for admin gives none

2013:09:20-12:16:17 astaro pluto[7809]: | checking hostpair 172.16.0.3/32 -> 0.0.0.0/0 is found

2013:09:20-12:16:17 astaro pluto[7809]: | fc_try trying L_for admin:200.0.0.1/32:17/0 -> 100.0.0.1/32:17/0 vs L_for admin:172.16.0.3/32:17/1701 -> 0.0.0.0/0:17/0

2013:09:20-12:16:17 astaro pluto[7809]: | fc_try concluding with none [0]

2013:09:20-12:16:17 astaro pluto[7809]: | fc_try_oppo trying L_for admin:200.0.0.1/32 -> 100.0.0.1/32 vs L_for admin:172.16.0.3/32 -> 0.0.0.0/0

2013:09:20-12:16:17 astaro pluto[7809]: | fc_try_oppo concluding with none [0]

2013:09:20-12:16:17 astaro pluto[7809]: | concluding with d = none

2013:09:20-12:16:17 astaro pluto[7809]: "L_for admin"[2] 100.0.0.1:4500 #1: cannot respond to IPsec SA request because no connection is known for 200.0.0.1/32===172.16.0.3:4500[astaro.me.de]:17/1701...100.0.0.1:4500[C=de, L=..., O=..., CN=admin, E=...@me.de]:17/%any

2013:09:20-12:16:17 astaro pluto[7809]: "L_for admin"[2] 100.0.0.1:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 100.0.0.1:4500

2013:09:20-12:16:17 astaro pluto[7809]: | **emit ISAKMP Message:

2013:09:20-12:16:17 astaro pluto[7809]: | initiator cookie:

[...]

0 BAlfson over 11 years ago

Markus, kein Problem - ich lese gerne Deutsch! [;)]

Please turn off debug and try again. That's about the right number of lines from a single connection attempt with debug off.

From what I see in the above, I wonder if this isn't an issue of IPsec and NAT. Please show a simple diagram with the (obfuscated if you wish) IPs of each device.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

0 MarkusN over 11 years ago in reply to BAlfson

Maybe it's just a silly miss-configuration.
Anyway, if it's not a good idea to use L2TP/IPSec in an NATed environment I stop here and use SSL-VPN. But I prefer L2TP/IPSec.

My Environment:see attachment

Logs without Debug:

2013:09:24-17:18:49 astaro pluto[8944]: added connection description "L_for admin" 

2013:09:24-17:18:55 astaro pluto[8944]: packet from 100.0.0.1:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008] 

2013:09:24-17:18:55 astaro pluto[8944]: packet from 100.0.0.1:500: received Vendor ID payload [RFC 3947] 

2013:09:24-17:18:55 astaro pluto[8944]: packet from 100.0.0.1:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] 

2013:09:24-17:18:55 astaro pluto[8944]: packet from 100.0.0.1:500: ignoring Vendor ID payload [FRAGMENTATION] 

2013:09:24-17:18:55 astaro pluto[8944]: packet from 100.0.0.1:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable] 

2013:09:24-17:18:55 astaro pluto[8944]: packet from 100.0.0.1:500: ignoring Vendor ID payload [Vid-Initial-Contact] 

2013:09:24-17:18:55 astaro pluto[8944]: packet from 100.0.0.1:500: ignoring Vendor ID payload [IKE CGA version 1] 

2013:09:24-17:18:55 astaro pluto[8944]: "L_for admin"[1] 100.0.0.1 #4: responding to Main Mode from unknown peer 100.0.0.1 

2013:09:24-17:18:55 astaro pluto[8944]: "L_for admin"[1] 100.0.0.1 #4: ECP_384 is not supported. Attribute OAKLEY_GROUP_DESCRIPTION 

2013:09:24-17:18:55 astaro pluto[8944]: "L_for admin"[1] 100.0.0.1 #4: ECP_256 is not supported. Attribute OAKLEY_GROUP_DESCRIPTION 

2013:09:24-17:18:55 astaro pluto[8944]: "L_for admin"[1] 100.0.0.1 #4: NAT-Traversal: Result using RFC 3947: both are NATed 

2013:09:24-17:18:55 astaro pluto[8944]: "L_for admin"[1] 100.0.0.1 #4: Peer ID is ID_DER_ASN1_DN: 'C=de, L=City, O=MyCompany, CN=admin, E=edv@me.de' 

2013:09:24-17:18:55 astaro pluto[8944]: "L_for admin"[1] 100.0.0.1 #4: crl not found 

2013:09:24-17:18:55 astaro pluto[8944]: "L_for admin"[1] 100.0.0.1 #4: certificate status unknown 

2013:09:24-17:18:55 astaro pluto[8944]: "L_for admin"[2] 100.0.0.1 #4: deleting connection "L_for admin"[1] instance with peer 100.0.0.1 {isakmp=#0/ipsec=#0} 

2013:09:24-17:18:55 astaro pluto[8944]: "L_for admin"[2] 100.0.0.1 #4: we have a cert and are sending it 

2013:09:24-17:18:55 astaro pluto[8944]: | NAT-T: new mapping 100.0.0.1:500/4500) 

2013:09:24-17:18:55 astaro pluto[8944]: "L_for admin"[2] 100.0.0.1:4500 #4: sent MR3, ISAKMP SA established 

2013:09:24-17:18:55 astaro pluto[8944]: "L_for admin"[2] 100.0.0.1:4500 #4: cannot respond to IPsec SA request because no connection is known for 200.0.0.1/32===172.16.0.3:4500[vpn.me.de]:17/1701...100.0.0.1:4500[C=de, L=City, O=Copmany, CN=admin, E=edv@me.de]:17/%any==={192.168.0.85/32} 

2013:09:24-17:18:55 astaro pluto[8944]: "L_for admin"[2] 100.0.0.1:4500 #4: sending encrypted notification INVALID_ID_INFORMATION to 100.0.0.1:4500 

2013:09:24-17:18:56 astaro pluto[8944]: "L_for admin"[2] 100.0.0.1:4500 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet) 

2013:09:24-17:18:56 astaro pluto[8944]: "L_for admin"[2] 100.0.0.1:4500 #4: sending encrypted notification INVALID_MESSAGE_ID to 100.0.0.1:4500 

2013:09:24-17:18:58 astaro pluto[8944]: "L_for admin"[2] 100.0.0.1:4500 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet) 

2013:09:24-17:18:58 astaro pluto[8944]: "L_for admin"[2] 100.0.0.1:4500 #4: sending encrypted notification INVALID_MESSAGE_ID to 100.0.0.1:4500 

2013:09:24-17:19:01 astaro pluto[8944]: "L_for admin"[2] 100.0.0.1:4500 #4: received Delete SA payload: deleting ISAKMP State #4 

2013:09:24-17:19:01 astaro pluto[8944]: "L_for admin"[2] 100.0.0.1:4500: deleting connection "L_for admin"[2] instance with peer 100.0.0.1 {isakmp=#0/ipsec=#0}

0 BAlfson over 11 years ago
I don't know of any L2TP/IPsec client that knows how to use a server behind a NATting router. That this is the problem is confirmed by:
2013:09:24-17:18:55 astaro pluto[8944]: "L_for admin"[2] 100.0.0.1:4500 #4: sent MR3, ISAKMP SA established
2013:09:24-17:18:55 astaro pluto[8944]: "L_for admin"[2] 100.0.0.1:4500 #4: cannot respond to IPsec SA request because no connection is known for 200.0.0.1/32===172.16.0.3:4500[vpn.me.de]:17/1701...100.0.0.1:4500[C=de, L=City, O=Copmany, CN=admin, E=edv@me.de]:17/%any==={192.168.0.85/32}
2013:09:24-17:18:55 astaro pluto[8944]: "L_for admin"[2] 100.0.0.1:4500 #4: sending encrypted notification INVALID_ID_INFORMATION to 100.0.0.1:4500

When configuring SSL VPN, start by changing the Protocol on the 'Settings' tab from "TCP" to "UDP" - that will make it much faster. If you already have an SSL site-to-site set up, you will need to download the client configuration and install it on the other UTM. If there are any SSL Remote Access users, they will need to download the configuration from the User Portal.

Cheers - Bob
Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

L2TP/IPSec behind NAT

Submitted a Tech Support Case lately from the Support Portal?