D-Link Forums

The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: rfalken on August 13, 2009, 10:52:14 AM

Title: DFL-210 L2TP/PSK Setup
Post by: rfalken on August 13, 2009, 10:52:14 AM
Hi,

I need to set up L2TP/PSK Roaming Clients.

I followed the manual and the configuration example.

But when I configure the IPSec part of the setup and save the config, the following happens.

I can connect from my external client to the DFL210; that part is OK. But from the internal side I cannot browse the internet. I can see in the log that all packets are dropped (Default policy).

This is how the IPSec has been configured. (When I disable the rule I can browse the internet again.)

1. Go to Interfaces > IPsec > Add > IPsec Tunnel
2. Enter a name for the IPsec tunnel, eg. l2tp_ipsec
3. Now enter:
a. Local Network: wan_ip
b. Remote Network: all-nets
c. Remote Endpoint: none
d. Encapsulation Mode: Transport
e. IKE Proposal List: ike-roamingclients
f. IPsec Proposal List: esp-l2tptunnel
4. Enter 3600 in the IPsec Life Time seconds control
5. Enter 250000 in the IPsec Life Time kilobytes control
6. Under the Authentication tab, select Pre-shared Key
7. Select MyPSK in the Pre-shared Key control
8. Under the Routing tab, check the following controls:
• Allow DHCP over IPsec from single-host clients
• Dynamically add route to the remote network when a tunnel is established
9. Click OK
Title: Re: DFL-210 L2TP/PSK Setup
Post by: NovaE on August 13, 2009, 05:10:32 PM
Please post a copy of the logfile showing the drops.
Title: Re: DFL-210 L2TP/PSK Setup
Post by: rfalken on August 13, 2009, 11:12:31 PM
2009-08-13 16:38:15 Warning RULE 6000051 Default_Rule TCP lan  192.168.0.100 78.84.222.99 58774 80 ruleset_drop_packet drop
ipdatalen=32 tcphdrlen=32 syn=1 
Title: Re: DFL-210 L2TP/PSK Setup
Post by: Fatman on August 14, 2009, 03:16:28 PM
Do you have an IP Rule NATing the outbound traffic from your L2TP hosts?
Title: Re: DFL-210 L2TP/PSK Setup
Post by: rfalken on August 15, 2009, 02:49:08 AM
Yes, I have.

But can the L2TP hosts not be a part of the same subnet as the LAN?

I have a LAN side called 192.168.0.0/24 and then I have defined an IP POOL of 192.168.0.200-192.168.0.210
Title: Re: DFL-210 L2TP/PSK Setup
Post by: Fatman on August 17, 2009, 08:28:22 AM
They can be, though it is not advised.  In order for that to work you will need to enable proxy ARP on your L2TP server for the LAN interface.
Title: Re: DFL-210 L2TP/PSK Setup
Post by: rfalken on August 19, 2009, 10:56:36 PM
And if I have Proxy ARP enabled and selected the LAN interface?
Title: Re: DFL-210 L2TP/PSK Setup
Post by: Fatman on August 20, 2009, 08:10:48 AM
Then it should work, did you do that?  Are you still having issues?
Title: Re: DFL-210 L2TP/PSK Setup
Post by: rfalken on August 20, 2009, 11:10:13 PM
Yes, I did that, and there are still issues. Does anyone know if it's possible to get support from D-Link on such issues? I tried mailing them directly but no contact.
Title: Re: DFL-210 L2TP/PSK Setup
Post by: Fatman on August 21, 2009, 08:37:13 AM
Raise the metric on your IPsec tunnel, that might also explain things.  I had read your issues backwards originally.

Yes D-Link should support you, unfortunately I don't think you are in the realm of D-Link US support.  Your local D-Link office should be able to help.
Title: Re: DFL-210 L2TP/PSK Setup
Post by: rfalken on August 26, 2009, 02:40:03 AM
I deleted the config and followed this guide:

http://www.dlink.com/support/faqDetail/?prod_id=3248&print=1

It worked.
Title: Re: DFL-210 L2TP/PSK Setup
Post by: Fatman on August 26, 2009, 08:19:20 AM
Glad to hear it!