DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

L2TP Client Problems

09 Jun 2020 02:23 #1 by staple36
L2TP Client Problems was created by staple36
Hi, any help appreciated.

I am trying to use QVPN VPN Client application on a QNAP NAS at primary site to connect to my Draytek Vigor 2830n VPN server at a secondary site but am having issues establishing a L2TP/IPSec client connection and it's unclear to me why.

At secondary site I have a Draytek Vigor 2830n Router (behind another router/modem combo BT SmartHub 5) running firmware 3.8.8.3_sb_232201
I can successfully set up a PPTP connection from QVPN on the NAS at primary site to the router no problem, but I do not want to use PPTP.
I can successfully connect from both Windows and iOS devices at the primary site via L2TP/IPSec to the router.

This is a snippet from the logs from my Draytek router for a successful connection from another device:

...

....
Vigor: L2TP <== Control(0xC802)-L-S Ver:2 Len:73, Tunnel ID:0, Session ID:0, Ns:0, Nr:0
Vigor: L2TP ==> Control(0xC802)-L-S Ver:2 Len:104, Tunnel ID:18, Session ID:0, Ns:0, Nr:1
Vigor: L2TP <== Control(0xC802)-L-S Ver:2 Len:20, Tunnel ID:10, Session ID:0, Ns:1, Nr:1
Vigor: L2TP <== Control(0xC802)-L-S Ver:2 Len:38, Tunnel ID:10, Session ID:0, Ns:2, Nr:1
Vigor: L2TP ==> Control(0xC802)-L-S Ver:2 Len:28, Tunnel ID:18, Session ID:25600, Ns:1, Nr:3
Vigor: L2TP <== Control(0xC802)-L-S Ver:2 Len:40, Tunnel ID:10, Session ID:680, Ns:3, Nr:2
Vigor: PPP Start ()
Vigor: PPP Start ()
Vigor: L2TP (VPN-0) ==> Protocol:LCP(c021) ConfReq Identifier:0x00 Authentication Type: CHAP 81 Magic Number: 0x1 ##

...and so on where it confirms username/password

This is the end of the logs from when QVPN tries to connect; they are exactly the same as the above logs, except instead of 'PPP Start()' I get:

....
Vigor: L2TP <== Control(0xC802)-L-S Ver:2 Len:50, Tunnel ID:10, Session ID:686, Ns:3, Nr:2
Vigor: L2TP ==> Control(0xC802)-L-S Ver:2 Len:38, Tunnel ID:13969, Session ID:3843, Ns:2, Nr:4
Vigor: L2TP ==> Control(0xC802)-L-S Ver:2 Len:38, Tunnel ID:13969, Session ID:0, Ns:3, Nr:4
Vigor: L2TP <== Control(0xC802)-L-S Ver:2 Len:12, Tunnel ID:10, Session ID:686, Ns:4, Nr:3
Vigor: L2TP <== Control(0xC802)-L-S Ver:2 Len:12, Tunnel ID:10, Session ID:0, Ns:4, Nr:4

It looks to me that it sets up the session/tunnel and then fails to exchange something (I'm guessing based on googling...) and then closes the sessions/tunnel it set up.

Does anyone have any ideas? I opened a ticket with Draytek support but haven't heard anything back.

Many thanks

10 Jun 2020 00:22 #2 by hornbyp
Replied by hornbyp on topic Re: L2TP Client Problems

staple36 wrote:
At secondary site I have a Draytek Vigor 2830n Router (behind another router/modem combo BT SmartHub 5) running firmware 3.8.8.3_sb_232201
I can successfully set up a PPTP connection from QVPN on the NAS at primary site to the router no problem, but I do not want to use PPTP.
I can successfully connect from both Windows and iOS devices at the primary site via L2TP/IPSec to the router.
...
...
...and so on where it confirms username/password

It looks to me that it sets up the session/tunnel and then fails to exchange something (I'm guessing based on googling...) and then closes the sessions/tunnel it set up.



So there's an acknowledgment that the username/password is correct?
Something along the lines of :-
Code:
CHAP Login OK (VPN : L2L Dial-in, Profile index = 3, Name = 'somenameorother', ifno = 10)


In which case, the only thing that remains to be done, is the setting up of the IP addresses...
I'm assuming you didn't change anything in this regard, when switching from PPTP?

I'm slightly confused that you can connect from a Windows client ... because that should use a 'Remote Dial-in User' entry on the 2830, not one of the 'LAN-to-LAN' entries (i.e. a totally different authentication and IP allocation scheme).

Is it the intention to establish a Site-to-Site VPN, or just a connection to this NAS box? Which did you have working via PPTP?

10 Jun 2020 04:05 #3 by staple36
Replied by staple36 on topic Re: L2TP Client Problems
Many thanks for your reply, apologies I should have been more clear in original post but I ran out of characters.

This is using remote dial in user. The excerpt of the successful connection logs is from a Windows VPN client connecting via remote dial in user.
The full logs show 1) the IKE confirmation, 2) the L2TP set up, 3) the user authentication - I only pasted section 2) in original post.

The unsuccessful connection logs for NAS QVPN client stop at the end of the second section, it does not go on to authenticate user. I tested this both by putting in spurious user info on both the Windows client and QVPN client, for the Windows client section 1) and 2) are the same but 3) shows user auth errors. For the NAS QVPN client it shows the same logs regardless of user info (i.e. it never gets to the user auth part).

I tried PPTP connection from NAS QVPN client via remote dial in user and it works fine (the logs begin at PPP Start () and go on to user auth)
I also tried setting up as profile in 'LAN to LAN' for both PPTP and L2TP and same situation, PPTP works fine, L2TP logs exactly the same as when using remote dial in user.

The intention is just for this NAS to connect to the remote network (for access to different NAS on remote site for back up jobs etc.).

This is the only error I see in QVPN logs:
Code:
30507 [ERROR] config.cc [464] update_connection:update_connection: tx/rx bytes and tx/rx rate are not correct. -1:

10 Jun 2020 04:26 #4 by staple36
Replied by staple36 on topic Re: L2TP Client Problems
section 1) connection logs for both clients - nas site public ip 1.2.3.4 router site public ip 6.7.8.9

Code:
IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
Responding to Main Mode from 1.2.3.4
Matching General Setup key for dynamic ip client...
Matching General Setup key for dynamic ip client...
IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
IKE <==, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
NAT-Traversal: Using RFC 3947, both are NATed
Matching General Setup key for dynamic ip client...
IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
IKE <==, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
IKE ==>, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
sent MR3, ISAKMP SA established with 1.2.3.4. In/Out Index: 34/0
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xe50775e
Receive client L2L remote network setting is 6.7.8.9/32
Responding to Quick Mode from 1.2.3.4
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xe50775e
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xe50775e
IPsec SA #747 will be replaced after 2982 seconds
IPsec SA established with 1.2.3.4. In/Out Index: 34/0

10 Jun 2020 04:29 #5 by staple36
Replied by staple36 on topic Re: L2TP Client Problems
section 2)

logs for windows client:

Code:
L2TP <== Control(0xC802)-L-S Ver:2 Len:72, Tunnel ID:0, Session ID:0, Ns:0, Nr:0
L2TP ==> Control(0xC802)-L-S Ver:2 Len:104, Tunnel ID:19, Session ID:0, Ns:0, Nr:1
L2TP <== Control(0xC802)-L-S Ver:2 Len:20, Tunnel ID:10, Session ID:0, Ns:1, Nr:1
L2TP <== Control(0xC802)-L-S Ver:2 Len:38, Tunnel ID:10, Session ID:0, Ns:2, Nr:1
L2TP ==> Control(0xC802)-L-S Ver:2 Len:28, Tunnel ID:19, Session ID:1987, Ns:1, Nr:3
L2TP <== Control(0xC802)-L-S Ver:2 Len:40, Tunnel ID:10, Session ID:712, Ns:3, Nr:2


logs for QVPN client:

Code:
L2TP <== Control(0xC802)-L-S Ver:2 Len:105, Tunnel ID:0, Session ID:0, Ns:0, Nr:0
L2TP ==> Control(0xC802)-L-S Ver:2 Len:104, Tunnel ID:13969, Session ID:0, Ns:0, Nr:1
L2TP <== Control(0xC802)-L-S Ver:2 Len:20, Tunnel ID:10, Session ID:0, Ns:1, Nr:1
L2TP <== Control(0xC802)-L-S Ver:2 Len:48, Tunnel ID:10, Session ID:0, Ns:2, Nr:1
L2TP ==> Control(0xC802)-L-S Ver:2 Len:28, Tunnel ID:13969, Session ID:3843, Ns:1, Nr:3
L2TP <== Control(0xC802)-L-S Ver:2 Len:50, Tunnel ID:10, Session ID:686, Ns:3, Nr:2
L2TP ==> Control(0xC802)-L-S Ver:2 Len:38, Tunnel ID:13969, Session ID:3843, Ns:2, Nr:4
L2TP ==> Control(0xC802)-L-S Ver:2 Len:38, Tunnel ID:13969, Session ID:0, Ns:3, Nr:4
L2TP <== Control(0xC802)-L-S Ver:2 Len:12, Tunnel ID:10, Session ID:686, Ns:4, Nr:3
L2TP <== Control(0xC802)-L-S Ver:2 Len:12, Tunnel ID:10, Session ID:0, Ns:4, Nr:4
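
An added example, not part of the original post and not DrayTek or QNAP code: it parses the two "section 2)" traces above using only the header fields the Vigor prints, finds where the QVPN trace departs from the Windows one, and lists which shared messages differ in length. The 12-byte test for a header-only acknowledgement follows the L2TPv2 control header layout; the log does not name message types, so none are inferred.

```python
import re

# Field layout as printed in the Vigor syslog lines quoted in this thread.
LINE = re.compile(r"L2TP (<==|==>) Control\(0x[0-9A-Fa-f]+\)\S* Ver:\d+ "
                  r"Len:(\d+), Tunnel ID:\d+, Session ID:(\d+)")
HEADER_ONLY = 12  # bytes in an L2TP control header with no AVPs after it (ZLB ack)

def parse(log):
    """Return one dict per L2TP control message found in the log text."""
    msgs = []
    for m in LINE.finditer(log):
        length, sid = int(m.group(2)), int(m.group(3))
        msgs.append({"sender": "peer" if m.group(1) == "<==" else "vigor", "len": length,
                     "scope": "session" if sid else "tunnel", "zlb": length == HEADER_ONLY})
    return msgs

def shape(msg):
    return (msg["sender"], msg["scope"], msg["zlb"])

def compare(good, bad):
    """Return (length of the shared prefix, size differences inside that prefix,
    shapes of the messages the failing trace carries after the prefix)."""
    n = 0
    while n < min(len(good), len(bad)) and shape(good[n]) == shape(bad[n]):
        n += 1
    diffs = [(i, good[i]["len"], bad[i]["len"])
             for i in range(n) if good[i]["len"] != bad[i]["len"]]
    return n, diffs, [shape(m) for m in bad[n:]]

# Both traces are copied from the "section 2)" post above.
WINDOWS = """\
L2TP <== Control(0xC802)-L-S Ver:2 Len:72, Tunnel ID:0, Session ID:0, Ns:0, Nr:0
L2TP ==> Control(0xC802)-L-S Ver:2 Len:104, Tunnel ID:19, Session ID:0, Ns:0, Nr:1
L2TP <== Control(0xC802)-L-S Ver:2 Len:20, Tunnel ID:10, Session ID:0, Ns:1, Nr:1
L2TP <== Control(0xC802)-L-S Ver:2 Len:38, Tunnel ID:10, Session ID:0, Ns:2, Nr:1
L2TP ==> Control(0xC802)-L-S Ver:2 Len:28, Tunnel ID:19, Session ID:1987, Ns:1, Nr:3
L2TP <== Control(0xC802)-L-S Ver:2 Len:40, Tunnel ID:10, Session ID:712, Ns:3, Nr:2"""
QVPN = """\
L2TP <== Control(0xC802)-L-S Ver:2 Len:105, Tunnel ID:0, Session ID:0, Ns:0, Nr:0
L2TP ==> Control(0xC802)-L-S Ver:2 Len:104, Tunnel ID:13969, Session ID:0, Ns:0, Nr:1
L2TP <== Control(0xC802)-L-S Ver:2 Len:20, Tunnel ID:10, Session ID:0, Ns:1, Nr:1
L2TP <== Control(0xC802)-L-S Ver:2 Len:48, Tunnel ID:10, Session ID:0, Ns:2, Nr:1
L2TP ==> Control(0xC802)-L-S Ver:2 Len:28, Tunnel ID:13969, Session ID:3843, Ns:1, Nr:3
L2TP <== Control(0xC802)-L-S Ver:2 Len:50, Tunnel ID:10, Session ID:686, Ns:3, Nr:2
L2TP ==> Control(0xC802)-L-S Ver:2 Len:38, Tunnel ID:13969, Session ID:3843, Ns:2, Nr:4
L2TP ==> Control(0xC802)-L-S Ver:2 Len:38, Tunnel ID:13969, Session ID:0, Ns:3, Nr:4
L2TP <== Control(0xC802)-L-S Ver:2 Len:12, Tunnel ID:10, Session ID:686, Ns:4, Nr:3
L2TP <== Control(0xC802)-L-S Ver:2 Len:12, Tunnel ID:10, Session ID:0, Ns:4, Nr:4"""
print(compare(parse(WINDOWS), parse(QVPN)))
```

On these traces the shared prefix is six messages, and the peer's first, fourth and sixth messages are larger when sent by QVPN. The extra tail is two Vigor-sent messages (one session scope, one tunnel scope) followed by two header-only acknowledgements from the peer.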

10 Jun 2020 04:38 #6 by staple36
Replied by staple36 on topic Re: L2TP Client Problems
section 3) Windows client only (QVPN fails at end of section 2) - I replaced some entries with ... due to character limit

Code:
PPP Start ()
PPP Start ()
L2TP (VPN-0) ==> Protocol:LCP(c021) ConfReq Identifier:0x00 Authentication Type: CHAP 81 Magic Number: ... ##
L2TP (VPN-0) <== Protocol:LCP(c021) ConfReq Identifier:0x01 ACCM: 0x0 Magic Number: ... Protocol Field Compression Address/Control Field Compression ##
L2TP (VPN-0) ==> Protocol:LCP(c021) ConfRej Identifier:0x01 ACCM: 0x0 Protocol Field Compression Address/Control Field Compression ##
L2TP (VPN-0) <== Protocol:LCP(c021) ConfAck Identifier:0x00 Authentication Type: CHAP 81 Magic Number: 0x1 ##
L2TP (VPN-0) <== Protocol:LCP(c021) ConfReq Identifier:0x02 Magic Number: ... ##
L2TP (VPN-0) ==> Protocol:LCP(c021) ConfAck Identifier:0x02 Magic Number: ... ##
L2TP (VPN-0) ==> Protocol:CHAP(c223) Challenge Identifier:0x01 ...
L2TP (VPN-0) <== Protocol:LCP(c021) EchoReq Identifier:0x00 Magic Number: ... ##
L2TP (VPN-0) ==> Protocol:LCP(c021) EchoRep Identifier:0x00 Magic Number: ... ##
L2TP (VPN-0) <== Protocol:CHAP(c223) Response Identifier:0x01 ...
L2TP (VPN-0, username) ==> Protocol:CHAP(c223) Success Identifier:0x01 S=... M=Welcome to Vigor2830 Series. ##
L2TP (VPN-0, username) ==> Protocol:IPCP(8021) ConfReq Identifier:0x00 Vendor Specific: ... Compression Type: Van Jacobson Compressed TCP/IP 0f 00 IP Address: 192 168 1 1 ##
CHAP Login OK (VPN : Remote Dial-in User, Profile index = 2, Name = username, ifno=10)
L2TP (VPN-0, username) <== Protocol:IPCP(8021) ConfReq Identifier:0x01 IP Address: 0 0 0 0 Primary Domain Name Server: 0 0 0 0 Secondary Domain Name Server: 0 0 0 0 ##
L2TP (VPN-0, username) ==> Protocol:IPCP(8021) ConfNak Identifier:0x01 IP Address: 192 168 1 222 Primary Domain Name Server: 8 8 8 8 Secondary Domain Name Server: 8 8 4 4 ##
L2TP (VPN-0, username) <== Protocol:IPv6CP(8057) ConfReq Identifier:0x01 Interface Identifier: ... ##
L2TP (VPN-0, username) ==> Protocol:LCP(c021) ProtRej Identifier:0x01 Rejected Protocol: ... ##
L2TP (VPN-0, username) <== Protocol:IPCP(8021) ConfRej Identifier:0x00 Vendor Specific: ... Compression Type: Van Jacobson Compressed TCP/IP 0f 00 ##
L2TP (VPN-0, username) ==> Protocol:IPCP(8021) ConfReq Identifier:0x01 IP Address: 192 168 1 1 ##
L2TP (VPN-0, username) <== Protocol:IPCP(8021) ConfReq Identifier:0x02 IP Address: 192 168 1 222 Primary Domain Name Server: 8 8 8 8 Secondary Domain Name Server: 8 8 4 4 ##
L2TP (VPN-0, username) ==> Protocol:IPCP(8021) ConfAck Identifier:0x02 IP Address: 192 168 1 222 Primary Domain Name Server: 8 8 8 8 Secondary Domain Name Server: 8 8 4 4 ##
L2TP (VPN-0, username) <== Protocol:IPCP(8021) ConfAck Identifier:0x01 IP Address: 192 168 1 1 ##
IPCP Opening (VPN : Remote Dial-in User, Profile index = 2, Name = username, ifno=10); Own IP Address : 192.168.1.1 Peer IP Address : 192.168.1.222
[H2L][UP][L2TP/IPSec][@2:username]
