Topic: ipsec l2tp passing through dfl-260

Lavdd

  • Level 1 Member
  • Posts: 21
ipsec l2tp passing through dfl-260
« on: March 23, 2011, 07:50:56 AM »

Another problem came out.
A PC from the LAN is making an IPsec L2TP connection to a WAN server (Cisco, I think).

I made such rules especially for this case:
3  allow_l2tp  NAT  lan  agoAddress: 192.168.0.103  wan  vpnSRV Address: 195.x  all_services
4  alow_l2tp  NAT  wan  vpnSRV Address: 195.x  lan  agoAddress: 192.168.0.103  all_services

The connection goes fine and shows bytes outgoing and incoming,
but really the tunnel is not working, as software can't connect through it, etc. (Oracle admin stuff, etc.).

Plugging it directly into the internet, all goes fine.

Help!
Can someone describe how to configure the device to pass through IPsec correctly?
I didn't find any FAQ.

fw 2.27.03.25-14787

Lavdd

  • Level 1 Member
  • Posts: 21
Re: ipsec l2tp passing through dfl-260
« Reply #1 on: March 24, 2011, 05:31:12 AM »

Really need help, any ideas so far?

silver_surfer30

  • Level 3 Member
  • Posts: 107
Re: ipsec l2tp passing through dfl-260
« Reply #2 on: March 24, 2011, 10:50:24 AM »

Do you have anything special in the log of the DFL?

Any particular configuration required on the client side?

Any particular configuration required on the remote server for the connection to be allowed?

Please give as much information as you can.

Lavdd

  • Level 1 Member
  • Posts: 21
Re: ipsec l2tp passing through dfl-260
« Reply #3 on: March 24, 2011, 11:11:44 AM »

Are my rules correct for such a case?

Nothing special seems to be logged, only regular TCPSequenceNumbers:
2011-03-24 21:02:17 Debug TCP_FLAG 3300016 TCPSequenceNumbers TCP wan wan 195.82.146.5 10.10.10.15 80 58614 tcp_seqno_too_low drop

The regular Win2008R2 server VPN client is used, with a certificate for IPsec and just PAP.
I know nothing about the other side (Cisco).

The log only shows the connection opening, nothing else:
2011-03-24 21:08:05 Info CONN 600004 allow_l2tp UDP lan wan 192.168.0.103 195.X 500 500 conn_open_natsat
conn=open connnewsrcip=82.x connnewsrcport=22511 connnewdestip=195.x connnewdestport=500 

Lavdd

  • Level 1 Member
  • Posts: 21
Re: ipsec l2tp passing through dfl-260
« Reply #4 on: March 26, 2011, 12:34:24 PM »

Loaded a year-old similar config with 2.26 fw; the tunnel works fine.
Is there any emulator to load the config and look it over?
Which newest version can hold IPsec tunnels?
Looks like fw 2.27.03.25-14787 is junk.

silver_surfer30

  • Level 3 Member
  • Posts: 107
Re: ipsec l2tp passing through dfl-260
« Reply #5 on: April 03, 2011, 12:28:41 PM »

As you are using L2TP over IPsec, you also need to allow the ipsec_suite service to be NATed.

chechito

  • Level 3 Member
  • Posts: 193
Re: ipsec l2tp passing through dfl-260
« Reply #6 on: April 04, 2011, 08:17:30 AM »

IPsec connections behind a NAT router must have NAT traversal enabled, encapsulating the traffic in UDP port 4500 packets to avoid the NAT process corrupting the IPsec packets.

Try enabling NAT traversal on the outgoing VPN connection.


Lavdd

  • Level 1 Member
  • Posts: 21
Re: ipsec l2tp passing through dfl-260
« Reply #7 on: May 29, 2011, 01:56:51 AM »

Isn't NAT-T an option of the device itself, not of a VPN IPsec connection?
Where do I change that in the VPN connection settings in Win2008R2?

danilovav

  • Level 4 Member
  • Posts: 424
  • Alexandr Danilov
Re: ipsec l2tp passing through dfl-260
« Reply #8 on: June 11, 2011, 01:23:42 AM »

You don't need to make a return NAT rule (wan > lan), because NAT is a stateful action. Remove it.
Before the NAT lan>wan all_services rule, make a rule NAT lan>wan ipsec-suite.

During your connection, what happened in the logs?
BR, Alexandr Danilov
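As an added example, not code from this thread, from D-Link or from the DFL-260 itself, here is a small offline Python checker for the two points the replies converge on: the rule-set shape (a dedicated lan>wan NAT rule for the IPsec suite placed before the broad all_services rule, and no return wan>lan NAT rule, since NAT is stateful) and what the CONN log should show (UDP/500 for IKE followed by UDP/4500 once NAT traversal is negotiated, rather than raw ESP after NAT). The Rule names, the contents assumed for the ipsec_suite service, the "ESP" protocol label in a CONN line and all sample log lines are constructed for illustration, modelled on the line format quoted in reply #3.

```python
"""Offline checker for L2TP/IPsec pass-through on a NAT firewall.

Added example; not D-Link code. The CONN line format follows the lines quoted
in the thread; everything else (service contents, rule names, sample logs) is
constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    action: str    # "NAT" or "Allow"
    src_if: str
    dst_if: str
    service: str   # e.g. "all_services", "ipsec_suite"


def check_rules(rules):
    """Return findings about the ordering/shape of L2TP/IPsec NAT rules."""
    findings = []
    nat_out = [i for i, r in enumerate(rules)
               if r.action == "NAT" and r.src_if == "lan" and r.dst_if == "wan"]
    suite = [i for i in nat_out if rules[i].service == "ipsec_suite"]
    broad = [i for i in nat_out if rules[i].service == "all_services"]
    if not suite:
        findings.append("no dedicated lan>wan NAT rule for ipsec_suite (add one before all_services)")
    elif broad and min(broad) < min(suite):
        findings.append("ipsec_suite NAT rule is shadowed by an earlier all_services rule")
    for r in rules:
        if r.action == "NAT" and r.src_if == "wan" and r.dst_if == "lan":
            findings.append(f"return NAT rule '{r.name}' wan>lan is unnecessary (NAT is stateful)")
    return findings


# DFL-style CONN line: ports are absent for protocols without ports (assumed label "ESP")
CONN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<sev>\w+) CONN (?P<id>\d+) (?P<rule>\S+) (?P<proto>\S+) "
    r"(?P<srcif>\S+) (?P<dstif>\S+) (?P<srcip>\S+) (?P<dstip>\S+) "
    r"(?:(?P<sport>\d+) (?P<dport>\d+) )?(?P<event>\S+)"
)


def parse_conn_lines(text):
    """Parse CONN lines; a following 'conn=...' key=value line is folded into the record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = CONN_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"]) if rec["sport"] else None
            rec["dport"] = int(rec["dport"]) if rec["dport"] else None
            records.append(rec)
        elif line.startswith("conn=") and records:
            records[-1].update(kv.split("=", 1) for kv in line.split())
    return records


def assess_ipsec_flows(records):
    """Summarise which parts of the IPsec suite were opened from lan to wan."""
    seen = {(r["proto"], r["dport"]) for r in records
            if r["srcif"] == "lan" and r["dstif"] == "wan" and r["event"].startswith("conn_open")}
    ike, natt, esp = ("UDP", 500) in seen, ("UDP", 4500) in seen, ("ESP", None) in seen
    if ike and natt:
        verdict = "NAT-T negotiated: ESP is carried in UDP/4500, so NAT cannot mangle it"
    elif ike and esp:
        verdict = "raw ESP after NAT: without NAT-T the rewritten address can break the inner L2TP/UDP checksums"
    elif ike:
        verdict = "only IKE seen: check NAT-T on the client and the ipsec_suite NAT rule"
    else:
        verdict = "no IKE seen: traffic is not reaching the firewall or is dropped earlier"
    return {"ike": ike, "natt": natt, "esp": esp, "verdict": verdict}


# Constructed samples: the rule set from the first post and the corrected shape
THREAD_RULES = [Rule("allow_l2tp", "NAT", "lan", "wan", "all_services"),
                Rule("alow_l2tp", "NAT", "wan", "lan", "all_services")]
FIXED_RULES = [Rule("nat_ipsec", "NAT", "lan", "wan", "ipsec_suite"),
               Rule("allow_l2tp", "NAT", "lan", "wan", "all_services")]

IKE_LINES = (
    "2011-03-24 21:08:05 Info CONN 600004 allow_l2tp UDP lan wan 192.168.0.103 203.0.113.5 500 500 conn_open_natsat\n"
    "conn=open connnewsrcip=198.51.100.7 connnewsrcport=22511 connnewdestip=203.0.113.5 connnewdestport=500\n"
)
LOG_RAW_ESP = IKE_LINES + "2011-03-24 21:08:06 Info CONN 600004 allow_l2tp ESP lan wan 192.168.0.103 203.0.113.5 conn_open_natsat\n"
LOG_NATT = IKE_LINES + "2011-03-24 21:08:06 Info CONN 600004 allow_l2tp UDP lan wan 192.168.0.103 203.0.113.5 4500 4500 conn_open_natsat\n"

if __name__ == "__main__":
    for f in check_rules(THREAD_RULES):
        print("rule:", f)
    print(assess_ipsec_flows(parse_conn_lines(LOG_RAW_ESP))["verdict"])
    print(assess_ipsec_flows(parse_conn_lines(LOG_NATT))["verdict"])
```

Run against a real export, the useful signal is the absence of a UDP/4500 connection after the UDP/500 one: that is the symptom of NAT traversal not being negotiated, and it matches the thread's "tunnel opens, bytes flow, nothing works" description better than any rule-count difference.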