This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

L2TP/IPSec behind NAT

Dear experts

I'd like to know it's possible to configure Astaro UTM work behind a NAT firewall and provide L2TP/IPSec remote access.
During the last week I tried serveral configuration and spend hours in reading manuals and forum postings - w/o success. (I'm a IPSec newbie).

My Configuration:
Win Client Router Internet Router Astaro

If the Astaro is behind a NAT router I find following in the log and no connection can be made: "cannot respond to IPsec SA request because no connection is known for...."
It works fine if I remove the router in front of the ASA. But this is not possible in my environment.

My Setup:
- Port Forward 500/4500 UDP. Tried also forwarding whole public IP.
- Set AssumeUDPEncapsulationContextOnSendRule=2 in Windows (Gewusst wie: Konfigurieren Sie einen L2TP/IPSec-Server hinter einem NAT-T-Gerät in Windows Vista und Windows Server 2008)
- Tried different Clients (WinXP, Win7, Android Phone)
- Tried Certificate instead of Pre-shared key
- Tried different Routers (Cisco, Netgear)

Is there a supported way to get it work? If not, I'll use SSL-VPN. But I prefer IPSec because of no need to install additional software.

Thanks, Markus

This thread was automatically locked due to age.

Parents

0 BAlfson over 11 years ago
I don't know of any L2TP/IPsec client that knows how to use a server behind a NATting router. That this is the problem is confirmed by:
2013:09:24-17:18:55 astaro pluto[8944]: "L_for admin"[2] 100.0.0.1:4500 #4: sent MR3, ISAKMP SA established
2013:09:24-17:18:55 astaro pluto[8944]: "L_for admin"[2] 100.0.0.1:4500 #4: cannot respond to IPsec SA request because no connection is known for 200.0.0.1/32===172.16.0.3:4500[vpn.me.de]:17/1701...100.0.0.1:4500[C=de, L=City, O=Copmany, CN=admin, E=edv@me.de]:17/%any==={192.168.0.85/32}
2013:09:24-17:18:55 astaro pluto[8944]: "L_for admin"[2] 100.0.0.1:4500 #4: sending encrypted notification INVALID_ID_INFORMATION to 100.0.0.1:4500

When configuring SSL VPN, start by changing the Protocol on the 'Settings' tab from "TCP" to "UDP" - that will make it much faster. If you already have an SSL site-to-site set up, you will need to download the client configuration and install it on the other UTM. If there are any SSL Remote Access users, they will need to download the configuration from the User Portal.

Cheers - Bob
Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 11 years ago
I don't know of any L2TP/IPsec client that knows how to use a server behind a NATting router. That this is the problem is confirmed by:
2013:09:24-17:18:55 astaro pluto[8944]: "L_for admin"[2] 100.0.0.1:4500 #4: sent MR3, ISAKMP SA established
2013:09:24-17:18:55 astaro pluto[8944]: "L_for admin"[2] 100.0.0.1:4500 #4: cannot respond to IPsec SA request because no connection is known for 200.0.0.1/32===172.16.0.3:4500[vpn.me.de]:17/1701...100.0.0.1:4500[C=de, L=City, O=Copmany, CN=admin, E=edv@me.de]:17/%any==={192.168.0.85/32}
2013:09:24-17:18:55 astaro pluto[8944]: "L_for admin"[2] 100.0.0.1:4500 #4: sending encrypted notification INVALID_ID_INFORMATION to 100.0.0.1:4500

When configuring SSL VPN, start by changing the Protocol on the 'Settings' tab from "TCP" to "UDP" - that will make it much faster. If you already have an SSL site-to-site set up, you will need to download the client configuration and install it on the other UTM. If there are any SSL Remote Access users, they will need to download the configuration from the User Portal.

Cheers - Bob
Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data

L2TP/IPSec behind NAT

Submitted a Tech Support Case lately from the Support Portal?