DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

L2TP: what is missing?

  • giacecco
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
21 Feb 2017 21:10 #88344 by giacecco
L2TP: what is missing? was created by giacecco
I am trying using https://www.draytek.com/en/faq/faq-vpn/vpn.host-to-lan/how-to-establish-l2tp-tunnel-from-iphone-to-vigor-router/ as a starting point to understand what the minimum settings are to setup a L2TP VPN between my Vigor and - as clients, my Fedora Linux and my Android 7.x phone, but there is no way I can get it to work with either device.

Of the settings that are not listed in the guide mentioned above, I am using:

- Maximum MPPE (128 bit)
- No mutual authentication
- Remote dial-in as the only PPP authentication method
- No PPTP LDAP profile
- Both "Medium" and all "High" IP Security Methods ticked
... and nothing ticked across the other several dozen settings

The settings are matched on Linux and Android wherever they exist there, too. On Android, for example, most of this detail is completely missing. Screenshots of the settings on the Draytek are below.

- https://doc-0s-6g-docs.googleusercontent.com/docs/securesc/h6glchuru44if09ro2bbm5lfkcik91iv/dq733gp04dfo30638iqjge8ovnbich93/1487707200000/15757117163700496642/15757117163700496642/0B3i-XvikxKzAeVpDVkNKMWJlbHc?e=view&h=05516109048717929186&nonce=tsq1lea6o6s2u&user=15757117163700496642&hash=bmrvpor8l1c20pi0brl5s5d8pq47lt6j
- https://doc-0c-6g-docs.googleusercontent.com/docs/securesc/h6glchuru44if09ro2bbm5lfkcik91iv/bc2kam6vko9gglssmsqm3b37a86ctdde/1487707200000/15757117163700496642/15757117163700496642/0B3i-XvikxKzAUHhWb2dzX3FDcW8?h=05516109048717929186&e=view
- https://doc-14-6g-docs.googleusercontent.com/docs/securesc/h6glchuru44if09ro2bbm5lfkcik91iv/effeb47emjh146mq9dsun4lv9etaqkkd/1487707200000/15757117163700496642/15757117163700496642/0B3i-XvikxKzANnFOTDBGckJwMGM?h=05516109048717929186&e=view
- https://doc-14-6g-docs.googleusercontent.com/docs/securesc/h6glchuru44if09ro2bbm5lfkcik91iv/njr7h2s48rfgs3a7ji4ub2qgitvfa8fn/1487707200000/15757117163700496642/15757117163700496642/0B3i-XvikxKzATno2c0ZIU3MwX0U?h=05516109048717929186&e=view
- https://doc-04-6g-docs.googleusercontent.com/docs/securesc/h6glchuru44if09ro2bbm5lfkcik91iv/1kc0nfhg0smj8s4hvb02ka4ubvfitk5f/1487707200000/15757117163700496642/15757117163700496642/0B3i-XvikxKzAZ3RZRnJVWGtWQ1U?h=05516109048717929186&e=view
- https://doc-0k-6g-docs.googleusercontent.com/docs/securesc/h6glchuru44if09ro2bbm5lfkcik91iv/8vf2rurrj7unosudbtllohj0t798b9hg/1487707200000/15757117163700496642/15757117163700496642/0B3i-XvikxKzAdE13VExEbWFOYmM?h=05516109048717929186&e=view

What could I be missing, and what is the best place to debug what's happening, on either the Vigor side or the Fedora side? Surprisingly, Linux does not give any explanation of the failure, unless I probably need to look deeper into some logs through the console.

Thank you in advance,

Giacecco

Please Log in or Create an account to join the conversation.

  • giacecco
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
01 Mar 2017 13:57 #88411 by giacecco
Replied by giacecco on topic Re: L2TP: what is missing?
A quick update. I've given up on Fedora, as a prosumer OS of course has many more movable parts that can be potentially an issue. I've started focusing only on Android and also started collecting syslogs on a USB stick connected to the router.

The first thing I noticed is how few messages are recorded, despite ticking all syslog services. Anybody reading this has an example of how the syslog should look like when a L2TP connection is attempted and - potentially - initiated?

Thanks.

Please Log in or Create an account to join the conversation.

More
13 Apr 2017 09:57 #88691 by fryr
Replied by fryr on topic Re: L2TP: what is missing?
Your google links are not public - so getting access denied.

I used to run l2tp VPN and connect in from Windows, Andoid and IOS

From memory I enabled both l2tp and ipsec in the VPN services. I configured a certificate on the Draytek and assigned it to the VPN. I configured a shared secret to be used. I created a dial in user and allocated them access to l2tp and ipsec and configured them accordingly.

Please Log in or Create an account to join the conversation.

More
26 Apr 2017 11:47 #88776 by jasonrafferty
Replied by jasonrafferty on topic Re: L2TP: what is missing?
I also run L2TP over IPSEC - you must have IPSEC ticked as well as L2TP in the service types. This threw me for a while although it is obvious when you think about it!
Currently connecting via OSx and iOS.

Please Log in or Create an account to join the conversation.

  • giacecco
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
01 May 2017 14:51 #88812 by giacecco
Replied by giacecco on topic Re: L2TP: what is missing?
@fryr @jasonrafferty thank you for your advice and sorry for not getting back to you sooner.

I've tried enabling both IPSec and L2TP but that did not solve the problem.

@fryr I did not configure a certificate, I thought it was optional, is that correct? Moreover, on Android, I am trying using L2TP/IPSec PSK, not RSA.

Moreover, can you confirm that I don't need to open any ports on the router (in NAT > Port Redirection or NAT > Open Ports), as if the VPN server was a separate device somewhere on the internal network?

I made new screenshot of what I think are the relevant configuration settings here https://photos.google.com/share/AF1QipM4dzE6G_mtuPQjsHLS5GOpmeltBcSQhvrMeRtH5UfpaaX_4jV7QKsQXLm_dfzTBA?key=U2U4ZkQwWnpQZ2pkMC1RZ05nV2hMSU1uQVVsdjRn .

Thank you for any hint. I am tempted to sell the Draytek at this point and downgrade to something more user friendly.

Please Log in or Create an account to join the conversation.

More
01 May 2017 15:26 #88814 by gsb1
Replied by gsb1 on topic Re: L2TP: what is missing?
Hi,

Relatively few steps to make this work, I'll cover what I know in case it jogs something for you.

VPN and Remote Access > Remote Access Control

Enable IPSec VPN Service - checked
Enable L2TP VPN Service - checked


VPN and Remote Access > IPsec General Setup

Certificate for Dial-in - None (default)

Pre-Shared Key - set to something and confirm (use whatever you want for testing, after initial setup make nice and strong)

IPsec Security Method - just the High options ticked

VPN and Remote Access >  Remote Dial-in User

Ensure you have remote user created and enabled (as I see you do). The only settings I configured were:

Allowed Dial-In Type
IPsec Tunnel
L2TP with IPsec Policy "must"

Username and password

IPsec Security Method

Again just the high options ticked.


That's it.

So client side you are using the native Android VPN settings? You want an "L2TP/IPsec PSK" connection type. Connection just needs a name (anything), the connection type (L2TP/IPsec PSK), the internet address of your router, the IPsec pre-shared key (the key you entered on the router), then the username and password you set.

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami