DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
2860n+ VPN L2TP/IPsec problem
- pilgrim1
- Topic Author
- Offline
- New Member
Less
More
- Posts: 3
- Thank you received: 0
01 May 2016 10:53 #86034
by pilgrim1
2860n+ VPN L2TP/IPsec problem was created by pilgrim1
Hi, I'm wondering if anyone can help. I'm trying to setup a VPN on a 2860n+ (FW versio 3.8.2.2_VT3) from a Windows 10 client. I followed the instructions here :-
http://www.draytek.com/index.php?option=com_k2&view=item&id=5847&Itemid=293&lang=en
On the local LAN (192.x.x.x) this works beautifully so I know the PSK key/user and password are fine.
However when attempting to connect on the external IP address 88.xx.xx.xx (the physical address as shown in WAN2 on the router) fails. I get the following error on the Windows 10 client :- "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer"
The 88.xx.xx.xx is the static IP provided by my ISP, I assumed it may be blocked, however (when enabled on the 2860) both PING and management both work.
Over to the 2860, looking at the system logs attempting the connection from the external IP address we see :-
2016-05-01 09:39:46 Matching General Setup key for dynamic ip client...
2016-05-01 09:39:46 Responding to Main Mode from 88.xx.xx.xx
And nothing more.....ever. No clue as to what happened.
From the local LAN where the connection is successful we see :-
2016-05-01 09:35:34 [H2L][UP][L2TP/IPSec][@1:Chris]
2016-05-01 09:35:31 IPsec SA established with 192.168.1.14. In/Out Index: 34/0
2016-05-01 09:35:31 IPsec SA #23 will be replaced after 2991 seconds
2016-05-01 09:35:31 Responding to Quick Mode from 192.168.1.14
2016-05-01 09:35:31 Receive client L2L remote network setting is 192.168.1.254/32
2016-05-01 09:35:31 sent MR3, ISAKMP SA established with 192.168.1.14. In/Out Index: 34/0
2016-05-01 09:35:31 Matching General Setup key for dynamic ip client...
2016-05-01 09:35:31 NAT-Traversal: Using RFC 3947, no NAT detected
2016-05-01 09:35:31 Matching General Setup key for dynamic ip client...
2016-05-01 09:35:31 Responding to Main Mode from 192.168.1.14
Any thoughts please, it is driving me nuts. I suspect it is related to the fact the 2860 config is Ethernet/PPPoE connected to the BT modem (faster and more reliable than the inbuilt one from my own tests) but nothing springs to mind.
Thanks in advance,
Regards
ChrisC.
On the local LAN (192.x.x.x) this works beautifully so I know the PSK key/user and password are fine.
However when attempting to connect on the external IP address 88.xx.xx.xx (the physical address as shown in WAN2 on the router) fails. I get the following error on the Windows 10 client :- "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer"
The 88.xx.xx.xx is the static IP provided by my ISP, I assumed it may be blocked, however (when enabled on the 2860) both PING and management both work.
Over to the 2860, looking at the system logs attempting the connection from the external IP address we see :-
2016-05-01 09:39:46 Matching General Setup key for dynamic ip client...
2016-05-01 09:39:46 Responding to Main Mode from 88.xx.xx.xx
And nothing more.....ever. No clue as to what happened.
From the local LAN where the connection is successful we see :-
2016-05-01 09:35:34 [H2L][UP][L2TP/IPSec][@1:Chris]
2016-05-01 09:35:31 IPsec SA established with 192.168.1.14. In/Out Index: 34/0
2016-05-01 09:35:31 IPsec SA #23 will be replaced after 2991 seconds
2016-05-01 09:35:31 Responding to Quick Mode from 192.168.1.14
2016-05-01 09:35:31 Receive client L2L remote network setting is 192.168.1.254/32
2016-05-01 09:35:31 sent MR3, ISAKMP SA established with 192.168.1.14. In/Out Index: 34/0
2016-05-01 09:35:31 Matching General Setup key for dynamic ip client...
2016-05-01 09:35:31 NAT-Traversal: Using RFC 3947, no NAT detected
2016-05-01 09:35:31 Matching General Setup key for dynamic ip client...
2016-05-01 09:35:31 Responding to Main Mode from 192.168.1.14
Any thoughts please, it is driving me nuts. I suspect it is related to the fact the 2860 config is Ethernet/PPPoE connected to the BT modem (faster and more reliable than the inbuilt one from my own tests) but nothing springs to mind.
Thanks in advance,
Regards
ChrisC.
Please Log in or Create an account to join the conversation.
- paulb513
- Offline
- New Member
Less
More
- Posts: 8
- Thank you received: 0
06 Aug 2016 14:18 #86578
by paulb513
Replied by paulb513 on topic Re: 2860n+ VPN L2TP/IPsec problem
This problem occurs because you have a router (NAT device) between the Vigor and the public internet. For L2TP/IPSec to function, that device needs to support a feature called edge traversal and most (like the virgin superhub) do not.
You can get PPTP VPN working by setting up port forwarding.
If you want to use IPSec, you need to set your other router to modem only mode or otherwise ensure that you Vigor has a public IP address. The VPN tunnel will then work.
You can get PPTP VPN working by setting up port forwarding.
If you want to use IPSec, you need to set your other router to modem only mode or otherwise ensure that you Vigor has a public IP address. The VPN tunnel will then work.
Please Log in or Create an account to join the conversation.
- silverstreak_2006
- Offline
- Member
Less
More
- Posts: 145
- Thank you received: 0
06 Jan 2017 18:20 #87693
by silverstreak_2006
Paul
I take it forwarding the ports would not cure this? I have a 2925Ln, and have tried to forward ports on a 2860n-plus. Strangely, an IOS device will connect to the 2025Ln. Also using a SIM card with a public IP in the 2925LN, apple devices can connect. It is only Windows devices (8.1, 10, 2008 server etc).
Using the client tool, the connection is made, then drops, I am not sure if it is not getting its network / gateway connections in a timely manner.
Note using the 2860n-plus, allows all devices to connect using L2TP / IPsec.
Is there a known issues page, or somewhere reputable I can report this too? I have had firmware pages side by side and cross referenced everything, like I say IOS devices connect with no problems at all, PPTP is the work around / test on the 2925Ln, and that works. I also notice there has not been a realease of firmware for a while.
Any suggestions gratefully received, however I am guessing it is an issue with the firmware the amount of time i have spent looking at this.
Thanks
Pete'.
Replied by silverstreak_2006 on topic Re: 2860n+ VPN L2TP/IPsec problem
This problem occurs because you have a router (NAT device) between the Vigor and the public internet. For L2TP/IPSec to function, that device needs to support a feature called edge traversal and most (like the virgin superhub) do not.PaulB513 wrote:
You can get PPTP VPN working by setting up port forwarding.
If you want to use IPSec, you need to set your other router to modem only mode or otherwise ensure that you Vigor has a public IP address. The VPN tunnel will then work.
Paul
I take it forwarding the ports would not cure this? I have a 2925Ln, and have tried to forward ports on a 2860n-plus. Strangely, an IOS device will connect to the 2025Ln. Also using a SIM card with a public IP in the 2925LN, apple devices can connect. It is only Windows devices (8.1, 10, 2008 server etc).
Using the client tool, the connection is made, then drops, I am not sure if it is not getting its network / gateway connections in a timely manner.
Note using the 2860n-plus, allows all devices to connect using L2TP / IPsec.
Is there a known issues page, or somewhere reputable I can report this too? I have had firmware pages side by side and cross referenced everything, like I say IOS devices connect with no problems at all, PPTP is the work around / test on the 2925Ln, and that works. I also notice there has not been a realease of firmware for a while.
Any suggestions gratefully received, however I am guessing it is an issue with the firmware the amount of time i have spent looking at this.
Thanks
Pete'.
Please Log in or Create an account to join the conversation.
Moderators: Chris, Sami
Copyright © 2024 DrayTek