D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: Lavdd on March 23, 2011, 07:50:56 AM
-
Another problem came up.
A PC on the LAN is making an IPsec L2TP connection to a WAN server (Cisco, I think).
I made this rule especially for the case:
3 allow_l2tp NAT lan agoAddress: 192.168.0.103 wan vpnSRV Address: 195.x all_services
4 alow_l2tp NAT wan vpnSRV Address: 195.x lan agoAddress: 192.168.0.103 all_services
The connection goes fine and shows bytes outgoing and incoming,
but the tunnel really isn't working, as software can't connect through it etc. (Oracle admin stuff etc.).
Plugging it directly into the internet, everything works fine.
Help!
Can someone describe how to configure the device to pass IPsec through correctly?
I didn't find any FAQ.
fw 2.27.03.25-14787
-
I really need help. Any ideas so far?
-
Do you have anything special in the log of the DFL?
Any particular configuration required on the client side?
Any particular configuration required on the remote server for the connection to be allowed?
Please give as much information as you can.
-
Are my rules correct for such a case?
Nothing special seems to be logged, only the regular TCPSequenceNumbers:
2011-03-24 21:02:17 Debug TCP_FLAG 3300016 TCPSequenceNumbers TCP wan wan 195.82.146.5 10.10.10.15 80 58614 tcp_seqno_too_low drop
Win2008R2 server; the regular VPN client is used, with a certificate for IPsec and just PAP.
I know nothing about the other side (Cisco).
The log shows this on connect, nothing else:
2011-03-24 21:08:05 Info CONN 600004 allow_l2tp UDP lan wan 192.168.0.103 195.X 500 500 conn_open_natsat
conn=open connnewsrcip=82.x connnewsrcport=22511 connnewdestip=195.x connnewdestport=500
-
I loaded a year-old similar config with 2.26 FW, and the tunnel works fine.
Is there any emulator to load the config into and look it over?
Which newest version can hold IPsec tunnels?
Looks like FW 2.27.03.25-14787 is junk.
-
As you are using L2TP over IPsec, you also need to allow the ipsec_suite service to be NATed.
-
IPsec connections behind a NAT router must have NAT traversal enabled, encapsulating the traffic in UDP port 4500 packets to avoid the NAT process corrupting the IPsec packets.
Try enabling NAT traversal on the outgoing VPN connection.
-
Isn't NAT-T an option of the device itself, not of the IPsec VPN connection?
Where do I change that in the VPN connection settings in Win2008R2?
-
You don't need to make a return NAT rule (wan > lan), because NAT is a stateful action. Remove it.
Before the NAT lan>wan all_services rule, make a rule NAT lan>wan ipsec-suite.
During your connection, what happened in the logs?
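The last three replies all come back to the same check: which members of the IPsec suite (IKE on UDP/500, NAT-T on UDP/4500, raw ESP) actually show up in the DFL CONN log when the client connects, and whether the tunnel's data channel ever follows the IKE exchange. The script below is an added example, not part of the thread or of NetDefendOS; it parses the one-line CONN entry shape quoted above, groups connections from the client by suite member, and names the failure mode. The sample log lines, the 203.0.113.5 and 198.51.100.20 addresses, and the "ESP" protocol token are all constructed assumptions, not taken from the poster's logs.

```python
"""Summarise which IPsec-suite components a NetDefendOS-style CONN log shows
the LAN client pushing through the NAT rule, and name the likely failure mode.

Added example. The log shape follows the CONN lines quoted in the thread; the
'ESP' protocol token and all sample addresses are constructed assumptions.
"""
import re
from collections import defaultdict

# One-line CONN entry as quoted in the thread:
# <date> <time> <sev> CONN <id> <rule> <proto> <srcif> <dstif> <srcip> <dstip> [<sport> <dport>] <event>
# The key=value continuation line that follows it is ignored here.
CONN_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<sev>\S+) CONN (?P<id>\d+) (?P<rule>\S+) "
    r"(?P<proto>\S+) (?P<srcif>\S+) (?P<dstif>\S+) (?P<srcip>\S+) (?P<dstip>\S+)"
    r"(?: (?P<sport>\d+) (?P<dport>\d+))? (?P<event>\S+)$"
)

def classify(proto, dport):
    """Map one connection to the ipsec-suite member (or bare L2TP) it belongs to."""
    if proto == "UDP" and dport == 500:
        return "ike"          # ISAKMP / IKE negotiation
    if proto == "UDP" and dport == 4500:
        return "nat-t"        # IKE plus UDP-encapsulated ESP once NAT traversal is negotiated
    if proto in ("ESP", "50"):
        return "esp"          # raw ESP, IP protocol 50 (token is an assumption about the log)
    if proto == "UDP" and dport == 1701:
        return "l2tp-plain"   # L2TP visible as its own flow means it is not inside IPsec
    return None

def parse_conn_lines(log):
    """Return the CONN records in a log blob; other categories and continuation lines are skipped."""
    conns = []
    for line in log.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"]) if rec["dport"] else None
        conns.append(rec)
    return conns

def ipsec_summary(log, client_ip):
    """component -> set of log events seen for connections originating at client_ip."""
    seen = defaultdict(set)
    for c in parse_conn_lines(log):
        if c["srcip"] != client_ip:
            continue
        kind = classify(c["proto"], c["dport"])
        if kind:
            seen[kind].add(c["event"])
    return dict(seen)

def diagnose(summary):
    """Return (status, advice) from which components reached the NAT rule."""
    if "l2tp-plain" in summary:
        return ("l2tp-unprotected",
                "UDP/1701 seen as its own connection: L2TP is leaving the LAN outside IPsec")
    if "ike" not in summary:
        return ("no-ike", "no UDP/500 from the client passed the lan->wan NAT rule at all")
    if "nat-t" not in summary and "esp" not in summary:
        return ("ike-only",
                "IKE opened but no NAT-T or ESP followed, so the data channel never traverses "
                "the NAT: allow ipsec-suite on the NAT rule and check NAT traversal is negotiated")
    if "nat-t" not in summary:
        return ("esp-without-natt",
                "raw ESP behind NAT without UDP/4500 encapsulation; NAT rewriting can break it")
    return ("ok", "IKE and NAT-T both traverse the NAT rule")

CLIENT = "192.168.0.103"

# Constructed sample logs: 203.0.113.5 stands in for the VPN server,
# 198.51.100.20 for the firewall's WAN address. Only IKE gets through here.
IKE_ONLY_LOG = """\
2011-03-24 21:08:05 Info CONN 600004 allow_l2tp UDP lan wan 192.168.0.103 203.0.113.5 500 500 conn_open_natsat
conn=open connnewsrcip=198.51.100.20 connnewsrcport=22511 connnewdestip=203.0.113.5 connnewdestport=500
2011-03-24 21:08:07 Debug TCP_FLAG 3300016 TCPSequenceNumbers TCP wan wan 203.0.113.5 10.10.10.15 80 58614 tcp_seqno_too_low drop
"""

# Same session with the NAT-T flow also passing the rule.
WORKING_LOG = IKE_ONLY_LOG + """\
2011-03-24 21:08:06 Info CONN 600004 allow_l2tp UDP lan wan 192.168.0.103 203.0.113.5 4500 4500 conn_open_natsat
conn=open connnewsrcip=198.51.100.20 connnewsrcport=22512 connnewdestip=203.0.113.5 connnewdestport=4500
"""

if __name__ == "__main__":
    for name, log in (("ike-only", IKE_ONLY_LOG), ("working", WORKING_LOG)):
        status, advice = diagnose(ipsec_summary(log, CLIENT))
        print(f"{name}: {status}: {advice}")
```

Run it against a capture of the DFL log taken while the Windows client dials: an "ike-only" result matches the symptom in the first post (bytes counted on UDP/500, nothing usable inside), while "ok" means the NAT rule is passing both halves of the suite and the problem lies elsewhere.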