DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

L2TP - is it the router at fault?

  • paul.clark (Topic Author, New Member)
22 Feb 2018 15:28 #1 by paul.clark
Hi Everyone

I'm stumped.

Here's my basic topology

LAN (192.168.*.*) - Server 2016 with 2 network cards running RRAS (192.168.1.1 and 10.0.0.2) - Vigor 2925 (10.0.0.1 and Internet address)

From the internet a client can connect to the RRAS VPN using SSTP fine. But I need Apple devices to connect, so I'm also using L2TP (preshared key). These also connect fine.

However, Windows clients won't connect using L2TP (Preshared key) through the internet.

If I connect one of these Windows devices into the router using a 10.*.*.* address, it connects fine with L2TP or SSTP.

This leads me to think the router is somehow blocking the authentication.

On the router:
In VPN and Remote Access - Remote Access Control, none of the services are ticked.

NAT - Open Ports: ports 500 (TCP/UDP), 4500 (TCP/UDP) and I've even tried 1701 (TCP/UDP) are open to the server's 10.*.*.* address.

Firewall - I've tried turning off Strict Security and enabling 'Pass inbound fragmented large packets'. I've also tried disabling the call and data filters.

When I've checked the logs on the server, L2TP seems to authenticate but the username and password don't.

Any ideas???


22 Feb 2018 15:33 #2 by paul.clark
PS.

I've also added a registry key change on the server to allow NAT-T. It makes no difference.

The LAN network card on the server doesn't have a Default Gateway but the external network card has the Default Gateway set to the router (10.0.0.1).

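The settings discussed in the two posts above (the NAT-T registry value, the forwarded ports and the two-NIC default gateway) can all be verified from the RRAS host itself. The script below is an added example, not something posted in this thread or part of any DrayTek or Microsoft tool; the script name is hypothetical. It reads the same registry value Microsoft's KB 926179 documents for L2TP/IPsec across NAT (which that article applies to the Windows client as well as the server), lists the UDP listeners L2TP/IPsec actually uses, and prints the default route and the built-in firewall rules. For L2TP/IPsec only UDP is involved: IKE on 500, NAT-T (and the ESP-in-UDP data) on 4500, and L2TP on 1701 inside the tunnel, so the TCP entries in the router's Open Ports table are harmless but do nothing.

```powershell
# Test-L2tpServerSetup.ps1 (hypothetical name; added example, not from the thread)
# Read-only checks for an L2TP/IPsec RRAS server that sits behind a NAT router.
# Run in an elevated PowerShell on the Windows Server host.

# 1. NAT-T: Windows refuses L2TP/IPsec across NAT unless this DWORD is present.
#    KB 926179: 0 = no NAT, 1 = server behind NAT, 2 = server and client behind NAT.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$valueName = 'AssumeUDPEncapsulationContextOnSendRule'
$item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
$natT = if ($item) { $item.$valueName } else { $null }
if ($null -eq $natT) {
    Write-Warning "$valueName is not set: NAT-T is disabled for L2TP/IPsec on this host"
} elseif ($natT -eq 2) {
    Write-Host "NAT-T: $valueName = 2 (server and client may both be behind NAT)"
} else {
    Write-Warning "NAT-T: $valueName = $natT (2 is the usual value when the server is behind NAT)"
}

# 2. UDP listeners. IKE on 500, NAT-T on 4500, L2TP on 1701 (the last one is only
#    reachable inside the IPsec tunnel, so it does not need forwarding on the router).
$wanted    = 500, 4500, 1701
$listening = Get-NetUDPEndpoint |
    Where-Object { $wanted -contains $_.LocalPort } |
    Select-Object -ExpandProperty LocalPort -Unique
foreach ($port in $wanted) {
    if ($listening -contains $port) {
        Write-Host "UDP $port : listening"
    } else {
        Write-Warning "UDP $port : no listener (IKEEXT / RemoteAccess service not bound?)"
    }
}

# 3. Default route. With two NICs, replies to Internet clients must leave via the
#    NIC facing the router, so exactly one IPv4 default route is expected and it
#    should point at the router's inside address (10.0.0.1 in the thread's topology).
Write-Host "`nIPv4 default routes:"
Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
    Select-Object InterfaceAlias, NextHop, RouteMetric |
    Format-Table -AutoSize

# 4. Windows Firewall: the built-in RRAS rules for L2TP must be enabled, otherwise
#    the host firewall drops the traffic the router has already forwarded.
Write-Host "Firewall rules mentioning L2TP:"
Get-NetFirewallRule -DisplayName '*L2TP*' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Direction, Profile |
    Format-Table -AutoSize
```

If step 1 warns on the server, the same value also needs to be present on each Windows client that connects from behind its own NAT; Apple clients do not consult this setting, which is why they can succeed while Windows clients fail on an otherwise identical setup. Steps 2 to 4 are read-only and safe to run repeatedly while changing router settings.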

22 Feb 2018 16:17 #3 by paul.clark
PPS

Also tried disabling DoS on the router. Still no luck.


22 Feb 2018 16:21 #4 by hornbyp
There's a Draytek article here: https://www.draytek.com/en/faq/faq-vpn/vpn.others/how-to-set-up-vigor-router-to-pass-through-vpn-tunnel/

and something I recently stumbled upon in my 2860's Telnet interface ...

Code:
Valhalla> srv nat ipsecpass ?
%% srv nat ipsecpass [options]
%% on : Enabled IPSec ESP tunnel pass-thru and IKE src_port:500 preservation.
%% off : Disabled IPSec ESP tunnel pass-thru and IKE src_port:500 preservation.
%% status : Check status.
Valhalla> srv nat ipsecpass status
%% Status: IPsec ESP pass-thru and IKE src_port:500 preservation is OFF.
Valhalla>


27 Feb 2018 11:19 #5 by paul.clark
Here's the current value:

GEV_Hull> srv nat ipsecpass status
%% Status: IPsec ESP pass-thru and IKE src_port:500 preservation is ON.

GEV_Hull>

I'm pulling my hair out!!!


27 Feb 2018 11:20 #6 by paul.clark
I've also updated the firmware on the router to the latest version.
