DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
LAN to LAN IPsec No NAT Detected Error
- akwe-xavante
- Topic Author
- Offline
- Member
Less
More
- Posts: 107
- Thank you received: 0
14 Mar 2018 07:59 #91066
by akwe-xavante
LAN to LAN IPsec No NAT Detected Error was created by akwe-xavante
Hoping somebody can help.
Some Info to get stated:
HOME
Model: Draytek 2860n
Firmware: 3.8.6_BT 576D17_A/B/C HW: A
Service: VDSL 38 meg
WAN IP Address: 123.456.789.10
LAN IP Address: 10.1.1.1
VPN
LAN to LAN
Common Settings
Profile Name: COTTAGE
Call Direction: Dial in
Dial in Settings
Type Of Server: Ipsec Tunnel
IKE Auth Method: IKE Pre Shared Key
Specify Remote VPN Peer ID: ABCDE
TCP/IP Network
My WAN IP: 0.0.0.0
Remote Gateway IP: 0.0.0.0
Remote Network IP: 192.168.1.0
Network Mask: 255.255.255.0
Local Network IP: 10.1.1.0
Network Mask: 255.255.255.0
COTTAGE
Model: Draytek 2820n
Firmware: 3.9.9_232201 Annex A
Service: ADSL 20 Meg
WAN IP Address: Dynamic
LAN IP Address: 192.168.1.1
VPN
Common Settings
Profile Name: HOME
Call Direction: Dial Out, Always On
Dial out Settings
Type Of Server: IPsec
Server IP Address: 123.456.789.10
IKE Auth Method: IKE Pre Shared Key
IKE Security Method: High (ESP) Des Without Auth
Advanced: Aggressive Mode with Peer ID: ABCDE
TCP/IP Network
My WAN IP: 0.0.0.0
Remote Gateway IP: 0.0.0.0
Remote Network IP: 10.1.1.1
Network Mask: 255.255.255.0
Local Network IP: 192.168.1.1
Network Mask: 255.255.255.0
LAN to LAN VPN tunnel establishes itself and data is encrypted.
However i cannot access resources at HOME from the COTTAGE, basically a networked hard drive (Mapped Drive). I can't ping either (ping not disabled).
Some Info to get stated:
HOME
Model: Draytek 2860n
Firmware: 3.8.6_BT 576D17_A/B/C HW: A
Service: VDSL 38 meg
WAN IP Address: 123.456.789.10
LAN IP Address: 10.1.1.1
VPN
LAN to LAN
Common Settings
Profile Name: COTTAGE
Call Direction: Dial in
Dial in Settings
Type Of Server: Ipsec Tunnel
IKE Auth Method: IKE Pre Shared Key
Specify Remote VPN Peer ID: ABCDE
TCP/IP Network
My WAN IP: 0.0.0.0
Remote Gateway IP: 0.0.0.0
Remote Network IP: 192.168.1.0
Network Mask: 255.255.255.0
Local Network IP: 10.1.1.0
Network Mask: 255.255.255.0
COTTAGE
Model: Draytek 2820n
Firmware: 3.9.9_232201 Annex A
Service: ADSL 20 Meg
WAN IP Address: Dynamic
LAN IP Address: 192.168.1.1
VPN
Common Settings
Profile Name: HOME
Call Direction: Dial Out, Always On
Dial out Settings
Type Of Server: IPsec
Server IP Address: 123.456.789.10
IKE Auth Method: IKE Pre Shared Key
IKE Security Method: High (ESP) Des Without Auth
Advanced: Aggressive Mode with Peer ID: ABCDE
TCP/IP Network
My WAN IP: 0.0.0.0
Remote Gateway IP: 0.0.0.0
Remote Network IP: 10.1.1.1
Network Mask: 255.255.255.0
Local Network IP: 192.168.1.1
Network Mask: 255.255.255.0
LAN to LAN VPN tunnel establishes itself and data is encrypted.
However i cannot access resources at HOME from the COTTAGE, basically a networked hard drive (Mapped Drive). I can't ping either (ping not disabled).
Please Log in or Create an account to join the conversation.
- akwe-xavante
- Topic Author
- Offline
- Member
Less
More
- Posts: 107
- Thank you received: 0
14 Mar 2018 08:00 #91067
by akwe-xavante
Replied by akwe-xavante on topic Re: LAN to LAN IPsec No NAT Detected Error
Looking in the logs i get the following:
<141>Jan 1 00:01:12 COTTAGE: Dialing Node1 (HOME) : 123.456.789.10
<141>Jan 1 00:01:12 COTTAGE: Initiating IKE Aggressive Mode to 123.456.789.10
<141>Jan 1 00:01:12 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
<141>Jan 1 00:01:12 COTTAGE: IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
<141>Jan 1 00:01:12 COTTAGE: NAT-Traversal: Using RFC 3947, no NAT detected
<141>Jan 1 00:01:12 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x4, Message ID = 0x0
<141>Jan 1 00:01:12 COTTAGE: sent AI2, ISAKMP SA established with 123.456.789.10. In/Out Index: 0/-1
<141>Jan 1 00:01:12 COTTAGE: Start IKE Quick Mode to 123.456.789.10
<141>Jan 1 00:01:12 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xe895ec18
<141>Jan 1 00:01:12 COTTAGE: Cleint L2L remote network setting is 10.1.1.0/24
<141>Jan 1 00:01:12 COTTAGE: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xe895ec18
<141>Jan 1 00:01:12 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xe895ec18
<141>Jan 1 00:01:12 COTTAGE: sent QI2, IPsec SA established with 123.456.789.10. In/Out Index: 0/-1
<141>Jan 1 00:01:12 COTTAGE: [L2L][UP][IPSec][@1:HOME]
<166>Mar 14 06:53:43 COTTAGE: WAN1 PPPoE ==> Protocol:LCP(c021) EchoReq Identifier:0x02Magic Number: 0x0 00 00 ##
<166>Mar 14 06:53:43 COTTAGE: WAN1 PPPoE <== Protocol:LCP(c021) EchoRep Identifier:0x02Magic Number: 0x2ccf 94 c6 ##
<141>Mar 14 06:53:43 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xe43be7bd
<141>Mar 14 06:53:43 COTTAGE: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x6d0b993f
<141>Mar 14 06:53:58 COTTAGE: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xc54beb44
<141>Mar 14 06:53:58 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x3be9416d
<141>Mar 14 06:54:13 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x8d959a1d
Fifth line down says: no NAT detected!
What am i doing wrong please?
<141>Jan 1 00:01:12 COTTAGE: Dialing Node1 (HOME) : 123.456.789.10
<141>Jan 1 00:01:12 COTTAGE: Initiating IKE Aggressive Mode to 123.456.789.10
<141>Jan 1 00:01:12 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
<141>Jan 1 00:01:12 COTTAGE: IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
<141>Jan 1 00:01:12 COTTAGE: NAT-Traversal: Using RFC 3947, no NAT detected
<141>Jan 1 00:01:12 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x4, Message ID = 0x0
<141>Jan 1 00:01:12 COTTAGE: sent AI2, ISAKMP SA established with 123.456.789.10. In/Out Index: 0/-1
<141>Jan 1 00:01:12 COTTAGE: Start IKE Quick Mode to 123.456.789.10
<141>Jan 1 00:01:12 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xe895ec18
<141>Jan 1 00:01:12 COTTAGE: Cleint L2L remote network setting is 10.1.1.0/24
<141>Jan 1 00:01:12 COTTAGE: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xe895ec18
<141>Jan 1 00:01:12 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xe895ec18
<141>Jan 1 00:01:12 COTTAGE: sent QI2, IPsec SA established with 123.456.789.10. In/Out Index: 0/-1
<141>Jan 1 00:01:12 COTTAGE: [L2L][UP][IPSec][@1:HOME]
<166>Mar 14 06:53:43 COTTAGE: WAN1 PPPoE ==> Protocol:LCP(c021) EchoReq Identifier:0x02Magic Number: 0x0 00 00 ##
<166>Mar 14 06:53:43 COTTAGE: WAN1 PPPoE <== Protocol:LCP(c021) EchoRep Identifier:0x02Magic Number: 0x2ccf 94 c6 ##
<141>Mar 14 06:53:43 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xe43be7bd
<141>Mar 14 06:53:43 COTTAGE: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x6d0b993f
<141>Mar 14 06:53:58 COTTAGE: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xc54beb44
<141>Mar 14 06:53:58 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x3be9416d
<141>Mar 14 06:54:13 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x8d959a1d
Fifth line down says: no NAT detected!
What am i doing wrong please?
Please Log in or Create an account to join the conversation.
- hornbyp
- Offline
- Big Contributor
Less
More
- Posts: 1323
- Thank you received: 0
14 Mar 2018 14:18 #91072
by hornbyp
Replied by hornbyp on topic Re: LAN to LAN IPsec No NAT Detected Error
My guess is that this is probably a Routing issue. Try using Tracert/Traceroute to see how far you get. Remember that there needs to be routing information in both directions.
If there's more than one subnet, at either end the router needs to be told about it - or else traffic will be sent to your ISP instead (using the Default Gateway). This is what the "MORE" setting in the VPN entry does. The Route Policy tool on the 2860 is quite a useful diagnostic aid, to see where traffic will go.
Accessing File and Print sharing across subnets always used to be awkward (hence the historical use of WINS servers etc). In my (similar) setup these issues don't seem to exist any more - (though that could be because I have an Active Directory configuration, complete with internal DNS servers.)
I think the entry in the log about NAT is just an observation - it's just telling you that it didn't go through the router, using NAT, to get to a VPN server (because the router is the VPN server).
If there's more than one subnet, at either end the router needs to be told about it - or else traffic will be sent to your ISP instead (using the Default Gateway). This is what the "MORE" setting in the VPN entry does. The Route Policy tool on the 2860 is quite a useful diagnostic aid, to see where traffic will go.
Accessing File and Print sharing across subnets always used to be awkward (hence the historical use of WINS servers etc). In my (similar) setup these issues don't seem to exist any more - (though that could be because I have an Active Directory configuration, complete with internal DNS servers.)
I think the entry in the log about NAT is just an observation - it's just telling you that it didn't go through
Please Log in or Create an account to join the conversation.
- hornbyp
- Offline
- Big Contributor
Less
More
- Posts: 1323
- Thank you received: 0
14 Mar 2018 14:42 #91073
by hornbyp
Replied by hornbyp on topic Re: LAN to LAN IPsec No NAT Detected Error
Actually - looking a bit closer, there are things in the configuration that might need attention...
Please Log in or Create an account to join the conversation.
- akwe-xavante
- Topic Author
- Offline
- Member
Less
More
- Posts: 107
- Thank you received: 0
14 Mar 2018 15:36 #91075
by akwe-xavante
Replied by akwe-xavante on topic Re: LAN to LAN IPsec No NAT Detected Error
Thank you for your help much appreciated.
"On the (OUT) side, the Remote Network is specified as 10.1.1.1, when it should be 10.1.1.0" This ones my fault as a typo but not within the routers settings though. I typed it incorrectly within this topic.
Tried setting the Remote Gateway IP addresses and that didn't help, tried changing the Network mask from, 255.255.255.0 to 255.0.0.0 and it hasn't worked either i'm afraid.
Tried altering one and not the other, vice versa and both without the other and this didn't help either unfortunately.
At the dial out side what should i try entering under the TCT/IP More option?
There are no 2nd subnets at either end.
I do have two VLAN's (VLAN0: P2 & P3 with SSID1) and (VLAN1: P1 & P4 with SSID2, SSID3 & SSID4) on the Dial Out side, will this cause a problem, it didn't before. My MS Win7 Laptop is on VLAN1.
GOT IT............. Although i'm puzzled, my VLAN1 was ticked as "Isolate VPN" i'm sure that this was supposed to be correct!! but clearly not.
I want VLAN2 to have secure and isolated use of ports P1, P4, SSID2 and the VPN. I don't want those on VLAN1 using P2, P3 and SSID1 to get at devices on P1, P4, SSID2 or access down the VPN.
Do i isolate VLAN1 from the VPN by ticking the option "Isolate VPN" for VLAN1 rather than my VLAN2?
After all that i'm now lost and confused!
"On the (OUT) side, the Remote Network is specified as 10.1.1.1, when it should be 10.1.1.0" This ones my fault as a typo but not within the routers settings though. I typed it incorrectly within this topic.
Tried setting the Remote Gateway IP addresses and that didn't help, tried changing the Network mask from, 255.255.255.0 to 255.0.0.0 and it hasn't worked either i'm afraid.
Tried altering one and not the other, vice versa and both without the other and this didn't help either unfortunately.
At the dial out side what should i try entering under the TCT/IP More option?
There are no 2nd subnets at either end.
I do have two VLAN's (VLAN0: P2 & P3 with SSID1) and (VLAN1: P1 & P4 with SSID2, SSID3 & SSID4) on the Dial Out side, will this cause a problem, it didn't before. My MS Win7 Laptop is on VLAN1.
GOT IT............. Although i'm puzzled, my VLAN1 was ticked as "Isolate VPN" i'm sure that this was supposed to be correct!! but clearly not.
I want VLAN2 to have secure and isolated use of ports P1, P4, SSID2 and the VPN. I don't want those on VLAN1 using P2, P3 and SSID1 to get at devices on P1, P4, SSID2 or access down the VPN.
Do i isolate VLAN1 from the VPN by ticking the option "Isolate VPN" for VLAN1 rather than my VLAN2?
After all that i'm now lost and confused!
Please Log in or Create an account to join the conversation.
- akwe-xavante
- Topic Author
- Offline
- Member
Less
More
- Posts: 107
- Thank you received: 0
14 Mar 2018 16:21 #91077
by akwe-xavante
Replied by akwe-xavante on topic Re: LAN to LAN IPsec No NAT Detected Error
On the dial out side looking at my two VLAN's I have the options:
Isolate Member: Wireless clients (stations) with the same SSID cannot access for each other.
Isolate VPN: isolate wireless with remote dial-in and LAN to LAN VPN.
Connected to the router on SSID2 with Isolate VPN ticked I cannot access my VPN, but words say "isolate wireless WITH remote dial-in and LAN to LAN VPN"
Connected to the router on SSID1 with Isolate VPN ticked OR NOT I can access my VPN either way. This is not good at all!
Or am I doing something wrong here?
Can you only access a VPN from the first SSID only and have the option to deny access to it from SSID2 onwards? If this correct i'll have to change my SSID's around.
Isolate Member: Wireless clients (stations) with the same SSID cannot access for each other.
Isolate VPN: isolate wireless with remote dial-in and LAN to LAN VPN.
Connected to the router on SSID2 with Isolate VPN ticked I cannot access my VPN, but words say "isolate wireless WITH remote dial-in and LAN to LAN VPN"
Connected to the router on SSID1 with Isolate VPN ticked OR NOT I can access my VPN either way. This is not good at all!
Or am I doing something wrong here?
Can you only access a VPN from the first SSID only and have the option to deny access to it from SSID2 onwards? If this correct i'll have to change my SSID's around.
Please Log in or Create an account to join the conversation.
Moderators: Chris, Sami
Copyright © 2024 DrayTek