This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

L2TP VPN not working on UTM interface Outside

I have Sophos UTM SG210 box with fw 9.209-8.
Outside interface has public IP address and PPTP VPN (with RADIUS) is working without any problems.
L2TP over IPsec VPN has settings:
Preshared key: word.pass
Assign IP address by: IP address pool - VPN pool (L2TP) [default one with IP: 10.242.3.0/24]
Authentication via: RADIUS

This L2TP VPN is working only on interface Inside (from inside network).
When I try to use interface Outside it is not working.
Client is Windows 2012 or Windows 8.1 with settings:
IP address: E.F.G.H (primary IP of Outside interface)
type: L2TP
preshared key: word.pass
Optional encryption (I tryied all options)
Allow protocols: CHAP, MS-CHAPv2
Same client options are working from inside.

I tryied to change:
UTM options L2TP Debugging - on/off
IPsec - advanced - Use NAT traversal - on/off
IPsec - advanced - Enable probing of preshared keys - on/off

I think, it is a bug in UTM.
Is there somebody using L2TP VPN on UTM box.

There is IPsec VPN log file:

[SIZE="2"][FONT="System"]
listening for IKE messages
forgetting secrets
loading secrets from "/etc/ipsec.secrets"
loaded PSK secret for E.F.G.H %any
forgetting secrets
loading secrets from "/etc/ipsec.secrets"
loaded PSK secret for E.F.G.H %any
loading ca certificates from '/etc/ipsec.d/cacerts'
loaded ca certificate from '/etc/ipsec.d/cacerts/cert .***xx Verification CA 1.pem'
loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
loaded ca certificate from '/etc/ipsec.d/cacerts/cert ******x Verification CA 1.pem'
loaded ca certificate from '/etc/ipsec.d/cacerts/cert ******x Verification CA 2.pem'
loading aa certificates from '/etc/ipsec.d/aacerts'
loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
loading attribute certificates from '/etc/ipsec.d/acerts'
Changing to directory '/etc/ipsec.d/crls'

packet from A.B.C.D:14739: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
packet from A.B.C.D:14739: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
packet from A.B.C.D:14739: received Vendor ID payload [RFC 3947]
packet from A.B.C.D:14739: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
packet from A.B.C.D:14739: ignoring Vendor ID payload [FRAGMENTATION]
packet from A.B.C.D:14739: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
packet from A.B.C.D:14739: ignoring Vendor ID payload [Vid-Initial-Contact]
packet from A.B.C.D:14739: ignoring Vendor ID payload [IKE CGA version 1]
packet from A.B.C.D:14739: initial Main Mode message received on E.F.G.H:500 but no connection has been authorized with policy=PUBKEY

packet from A.B.C.D:14739: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
packet from A.B.C.D:14739: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
packet from A.B.C.D:14739: received Vendor ID payload [RFC 3947]
packet from A.B.C.D:14739: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
packet from A.B.C.D:14739: ignoring Vendor ID payload [FRAGMENTATION]
packet from A.B.C.D:14739: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
packet from A.B.C.D:14739: ignoring Vendor ID payload [Vid-Initial-Contact]
packet from A.B.C.D:14739: ignoring Vendor ID payload [IKE CGA version 1]
packet from A.B.C.D:14739: initial Main Mode message received on E.F.G.H:500 but no connection has been authorized with policy=PUBKEY

[/FONT][/SIZE]

This thread was automatically locked due to age.

Parents

0 MartinBozko over 10 years ago

Hi
Thanks for your answer.
I tryied Local autentication too and it is still not working.
I updated to version 9.210-20 but no change.

There is new condition:
L2TP VPN to UTM is working from Android phone with same settings on Sophos UTM.
(android settings are: type: L2TP/IPsec PSK, IP address of UTM Outside interface, secret key L2TP - empty, IPsec protocol identificator - ampty, Preshared key of L2TP protocol: same as on Windows and UTM)

Windows client still cannot connect.
I have old L2TP VPN server with Microsoft TMG 2010 firewall and I want to replace it with Sophos UTM with no change at clients computers.

My settings:
IPsec - advanced - Use NAT traversal - ON
IPsec - advanced - Enable probing of preshared keys - ON

Log from Sophos when using Windows 2012 VPN client - not working:
[SIZE="2"]2014:12:04-14:35:49 BB-FW01-1 pluto[8937]: packet from y.y.165.3:20289: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
2014:12:04-14:35:49 BB-FW01-1 pluto[8937]: packet from y.y.165.3:20289: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
2014:12:04-14:35:49 BB-FW01-1 pluto[8937]: packet from y.y.165.3:20289: received Vendor ID payload [RFC 3947]
2014:12:04-14:35:49 BB-FW01-1 pluto[8937]: packet from y.y.165.3:20289: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2014:12:04-14:35:49 BB-FW01-1 pluto[8937]: packet from y.y.165.3:20289: ignoring Vendor ID payload [FRAGMENTATION]
2014:12:04-14:35:49 BB-FW01-1 pluto[8937]: packet from y.y.165.3:20289: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
2014:12:04-14:35:49 BB-FW01-1 pluto[8937]: packet from y.y.165.3:20289: ignoring Vendor ID payload [Vid-Initial-Contact]
2014:12:04-14:35:49 BB-FW01-1 pluto[8937]: packet from y.y.165.3:20289: ignoring Vendor ID payload [IKE CGA version 1]
2014:12:04-14:35:49 BB-FW01-1 pluto[8937]: packet from y.y.165.3:20289: initial Main Mode message received on x.x.133.33:500 but no connection has been authorized with policy=PUBKEY[/SIZE]

Last line is interesting. There is policy=PUBKEY but I expected policy=PSK.

Log from Sophos when using Android 4.4 VPN client - it is working:
[SIZE="2"]2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: packet from x.y.5.116:500: received Vendor ID payload [RFC 3947]
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: packet from x.y.5.116:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: packet from x.y.5.116:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: packet from x.y.5.116:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: packet from x.y.5.116:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: packet from x.y.5.116:500: received Vendor ID payload [Dead Peer Detection]
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: "L_for matob"[1] x.y.5.116 #1: responding to Main Mode from unknown peer x.y.5.116
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: "L_for matob"[1] x.y.5.116 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: "L_for matob"[1] x.y.5.116 #1: Peer ID is ID_IPV4_ADDR: '10.81.116.117'
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: "L_for matob"[2] x.y.5.116 #1: deleting connection "L_for matob"[1] instance with peer x.y.5.116 {isakmp=#0/ipsec=#0}
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: "L_for matob"[2] x.y.5.116 #1: Dead Peer Detection (RFC 3706) enabled
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: | NAT-T: new mapping x.y.5.116:500/4500)
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: "L_for matob"[2] x.y.5.116:4500 #1: sent MR3, ISAKMP SA established
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: "L_for matob"[2] x.y.5.116:4500 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2014:12:04-14:59:07 BB-FW01-1 pluto[8937]: "L_for matob"[1] x.y.5.116:4500 #2: responding to Quick Mode
2014:12:04-14:59:07 BB-FW01-1 pluto[8937]: "L_for matob"[1] x.y.5.116:4500 #2: IPsec SA established {ESP=>0x0c24d6a8
2014:12:04-14:59:10 BB-FW01-1 pppd-l2tp[13089]: Overriding mtu 1500 to 1380
2014:12:04-14:59:10 BB-FW01-1 pppd-l2tp[13089]: Overriding mru 1500 to mtu value 1380
2014:12:04-14:59:13 BB-FW01-1 pppd-l2tp[13089]: Overriding mtu 1400 to 1380
2014:12:04-14:59:13 BB-FW01-1 pppd-l2tp[13089]: Cannot determine ethernet address for proxy ARP
2014:12:04-14:59:13 BB-FW01-1 pppd-l2tp[13089]: local IP address 10.242.3.1
2014:12:04-14:59:13 BB-FW01-1 pppd-l2tp[13089]: remote IP address 10.242.3.2
2014:12:04-14:59:14 BB-FW01-1 pppd-l2tp[13089]: id="2201" severity="info" sys="SecureNet" sub="vpn" event="Connection started" username="MYCOMPANY\matob2" variant="l2tp" srcip="x.y.5.116" virtual_ip="10.242.3.2"
[/SIZE]

So I think, there is compatibility problem between Sophos UTM L2TP server and Windows L2TP VPN client.
Is there somebody successfully using L2TP VPN with preshared key to UTM box from standard Windows (7,8.1,server 2012) VPN client?

Thanks for any answer
- sophos1.jpg
- View
- Hide
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 MartinBozko over 10 years ago

Hi
Thanks for your answer.
I tryied Local autentication too and it is still not working.
I updated to version 9.210-20 but no change.

There is new condition:
L2TP VPN to UTM is working from Android phone with same settings on Sophos UTM.
(android settings are: type: L2TP/IPsec PSK, IP address of UTM Outside interface, secret key L2TP - empty, IPsec protocol identificator - ampty, Preshared key of L2TP protocol: same as on Windows and UTM)

Windows client still cannot connect.
I have old L2TP VPN server with Microsoft TMG 2010 firewall and I want to replace it with Sophos UTM with no change at clients computers.

My settings:
IPsec - advanced - Use NAT traversal - ON
IPsec - advanced - Enable probing of preshared keys - ON

Log from Sophos when using Windows 2012 VPN client - not working:
[SIZE="2"]2014:12:04-14:35:49 BB-FW01-1 pluto[8937]: packet from y.y.165.3:20289: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
2014:12:04-14:35:49 BB-FW01-1 pluto[8937]: packet from y.y.165.3:20289: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
2014:12:04-14:35:49 BB-FW01-1 pluto[8937]: packet from y.y.165.3:20289: received Vendor ID payload [RFC 3947]
2014:12:04-14:35:49 BB-FW01-1 pluto[8937]: packet from y.y.165.3:20289: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2014:12:04-14:35:49 BB-FW01-1 pluto[8937]: packet from y.y.165.3:20289: ignoring Vendor ID payload [FRAGMENTATION]
2014:12:04-14:35:49 BB-FW01-1 pluto[8937]: packet from y.y.165.3:20289: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
2014:12:04-14:35:49 BB-FW01-1 pluto[8937]: packet from y.y.165.3:20289: ignoring Vendor ID payload [Vid-Initial-Contact]
2014:12:04-14:35:49 BB-FW01-1 pluto[8937]: packet from y.y.165.3:20289: ignoring Vendor ID payload [IKE CGA version 1]
2014:12:04-14:35:49 BB-FW01-1 pluto[8937]: packet from y.y.165.3:20289: initial Main Mode message received on x.x.133.33:500 but no connection has been authorized with policy=PUBKEY[/SIZE]

Last line is interesting. There is policy=PUBKEY but I expected policy=PSK.

Log from Sophos when using Android 4.4 VPN client - it is working:
[SIZE="2"]2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: packet from x.y.5.116:500: received Vendor ID payload [RFC 3947]
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: packet from x.y.5.116:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: packet from x.y.5.116:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: packet from x.y.5.116:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: packet from x.y.5.116:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: packet from x.y.5.116:500: received Vendor ID payload [Dead Peer Detection]
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: "L_for matob"[1] x.y.5.116 #1: responding to Main Mode from unknown peer x.y.5.116
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: "L_for matob"[1] x.y.5.116 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: "L_for matob"[1] x.y.5.116 #1: Peer ID is ID_IPV4_ADDR: '10.81.116.117'
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: "L_for matob"[2] x.y.5.116 #1: deleting connection "L_for matob"[1] instance with peer x.y.5.116 {isakmp=#0/ipsec=#0}
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: "L_for matob"[2] x.y.5.116 #1: Dead Peer Detection (RFC 3706) enabled
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: | NAT-T: new mapping x.y.5.116:500/4500)
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: "L_for matob"[2] x.y.5.116:4500 #1: sent MR3, ISAKMP SA established
2014:12:04-14:59:06 BB-FW01-1 pluto[8937]: "L_for matob"[2] x.y.5.116:4500 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2014:12:04-14:59:07 BB-FW01-1 pluto[8937]: "L_for matob"[1] x.y.5.116:4500 #2: responding to Quick Mode
2014:12:04-14:59:07 BB-FW01-1 pluto[8937]: "L_for matob"[1] x.y.5.116:4500 #2: IPsec SA established {ESP=>0x0c24d6a8
2014:12:04-14:59:10 BB-FW01-1 pppd-l2tp[13089]: Overriding mtu 1500 to 1380
2014:12:04-14:59:10 BB-FW01-1 pppd-l2tp[13089]: Overriding mru 1500 to mtu value 1380
2014:12:04-14:59:13 BB-FW01-1 pppd-l2tp[13089]: Overriding mtu 1400 to 1380
2014:12:04-14:59:13 BB-FW01-1 pppd-l2tp[13089]: Cannot determine ethernet address for proxy ARP
2014:12:04-14:59:13 BB-FW01-1 pppd-l2tp[13089]: local IP address 10.242.3.1
2014:12:04-14:59:13 BB-FW01-1 pppd-l2tp[13089]: remote IP address 10.242.3.2
2014:12:04-14:59:14 BB-FW01-1 pppd-l2tp[13089]: id="2201" severity="info" sys="SecureNet" sub="vpn" event="Connection started" username="MYCOMPANY\matob2" variant="l2tp" srcip="x.y.5.116" virtual_ip="10.242.3.2"
[/SIZE]

So I think, there is compatibility problem between Sophos UTM L2TP server and Windows L2TP VPN client.
Is there somebody successfully using L2TP VPN with preshared key to UTM box from standard Windows (7,8.1,server 2012) VPN client?

Thanks for any answer
- sophos1.jpg
- View
- Hide
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data