Author Topic: Another DFL-210 VPN configuration problem  (Read 22209 times)

rcamkerr

  • Level 1 Member
  • *
  • Posts: 14
Another DFL-210 VPN configuration problem
« on: October 23, 2009, 11:23:54 AM »

Sorry for posting yet another DFL-210 L2TP problem, but I am having a problem getting the L2TP VPN working on our DFL-210. I have followed the configuration article 3248. The firmware is 2.20.03.08-8260. I have looked through the other postings here, but have not found a solution that works. Any help will be appreciated.

If I connect using PPTP there are no problems. However, I would like to disable the PPTP connection and only use the L2TP for VPN connections. I am using PSK and local user authorization. Eventually moving to a RADIUS server for user authorization.

When I follow the article 3248 settings to the letter, I see the following in the logs (order is as they appear in the logs, last thing to happen is at the top of the list):

Info     IPSEC  ike_sa_destroyed
                ike_sa_killed
  ike_sa=" Initiator SPI ESP=0x51451d5a, AH=0x952b3eec, IPComp=0xff1bb05"
Warning  IPSEC  ike_sa_failed
                no_ike_sa
  statusmsg="Timeout" local_peer="172.18.1.101 ID No Id" remote_peer="xx.xx.xx.xx ID No Id"
  initiator_spi="ESP=0x51451d5a, AH=0x952b3eec, IPComp=0xff1bb05"
Warning  IPSEC  event_on_ike_sa
  side=Responder msg="failed" int_severity=6
Info     CONN   IPsecBeforeRules  UDP  wan/core  xx.xx.xx.xx/172.18.1.101  500/500  conn_open
  conn=open


Now if I change Interfaces->IPsec->IKE Settings and select OFF for NAT Traversal I get the following in the logs:

Info     IPSEC  xauth_exchange_done
  statusmsg="Authentication failed"
Info     IPSEC  ipsec_sa_statistics
  done=18 success=0 failed=18
Warning  IPSEC  ike_quickmode_failed
  local_ip=172.18.1.101 remote_ip=xx.xx.xx.xx cookies=a8... reason="Timeout"
Warning  IPSEC  ipsec_sa_failed
                no_ipsec_sa
  statusmsg="Timeout"
Info     IPSEC  ipsec_event
  message="Remote Proxy ID 192.168.0.71 udp:1701"
Info     IPSEC  ipsec_event
  message="Local Proxy ID yy.yy.yy.yy udp:1701"
Info     IPSEC  ike_sa_negotiation_completed
                ike_sa_completed
  local_peer="172.18.1.101 ID 172.18.1.101" remote_peer="xx.xx.xx.xx ID 192.168.0.71"
  initiator_spi="3dd70680 135bb844" responder_spi="89e6e494 488fabcc" int_severity=6
Info     IPSEC  ipsec_event
  message="IPSec SA [Responder] negotiation failed:"
Info     IPSEC  ike_sa_negotiation_completed
                ike_sa_completed
  local_peer="172.18.1.101 ID 172.18.1.101" remote_peer="xx.xx.xx.xx ID 192.168.0.71"
  initiator_spi="3dd70680 135bb844" responder_spi="89e6e494 488fabcc" int_severity=6
Info     IPSEC  ike_sa_negotiation_completed
  options=Responder mode="Main Mode" auth="Pre-shared keys" encryption=3des-cbc
  keysize= hash=sha1 dhgroup=2 bits=1024 lifetime=28800
Info     CONN   IPsecBeforeRules  UDP  wan/core  xx.xx.xx.xx/172.18.1.101  500/500  conn_open
  conn=open

RCam
Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: Another DFL-210 VPN configuration problem
« Reply #1 on: October 23, 2009, 01:04:46 PM »

That FAQ is iron clad, did you follow the accompanying FAQ for setting up your client?
What kind of client are you using?
Did you have to alter any of the steps to match your environment?
Logged
non progredi est regredi

rcamkerr

  • Level 1 Member
  • *
  • Posts: 14
Re: Another DFL-210 VPN configuration problem
« Reply #2 on: October 23, 2009, 02:05:13 PM »

I did not see the client FAQ, but looking at it now, I had my client set up the same. I have tried it using the Windows XP client and the Vista client.

The only other setting I changed was the l2tp_client_pool IP address, to 10.20.87.50-10.20.87.150.

The DFL-210 is set up to listen on multiple IP addresses with entries added to the ARP table.
I do not know if this helps, but this is what I had to do to get a webserver in the DMZ visible to the web.

Wan_ip_101 - wan_ip 172.18.1.101
Wan_ip_103 - wan address of the webserver 172.18.1.103

SAT:
  - Name: WWW_SAT
  - Action: SAT
  - Service: http
  - Source: any/all-nets
  - Destination: any/wan_ip_103
  - SAT: Translate the Destination IP Address To New IP Address dmz_ip_103,
All-to-One Mapping

NAT:
  - Name: WWW_NAT
  - Action: NAT
  - Service: http
  - Source: lan/lannet
  - Destination: any/wan_ip_103

Allow:
  - Name: WWW_Allow
  - Action: Allow
  - Service: http
  - Source: any/all-nets
  - Destination: any/wan_ip_103

Out:
  - Name: WWW_Out
  - Action: NAT
  - Service: http-all
  - Source: dmz/dmz_ip_103
  - Destination: wan/all-nets

Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: Another DFL-210 VPN configuration problem
« Reply #3 on: October 23, 2009, 02:23:06 PM »

I assume that your l2tp_client_pool entry falls within your LAN_Net?

Truthfully L2TP configs tend to be a little touchy, any setting wrong ruins the whole shebang.  It really would be quicker for you to call in to our BCS team and have them log in and take a look.

FYI: You can change your destination interface on those port forwards to core if you make a route which looks like the below.

Interface: Core
Network: WAN_IP_103
Metric 0

That is a little more secure, though that may just be my paranoia talking.  I don't like my rules to include any allowed vectors I haven't specifically considered and listed.

Also, the reason that you need both a NAT and an Allow is to prevent a short-cut routing scenario. If you don't want to have to NAT the LAN's traffic, you can either have it Fast_FWD or have all your traffic Fast_FWD. Though setting up the WAN traffic to Fast_FWD will remove all SPI protection from those baddies on your WAN who may get tricky with connection status.
Logged
non progredi est regredi

rcamkerr

  • Level 1 Member
  • *
  • Posts: 14
Re: Another DFL-210 VPN configuration problem
« Reply #4 on: October 23, 2009, 03:33:29 PM »

My lan_net is set to 10.19.86.0/24. One of the setups I read said that the l2tp_client_pool should be completely outside of the lannet.
My l2tp_client_pool is 10.20.87.0/24

What should the l2tp_client_pool be set to? My PPTP connection uses the same IP Pool and works.

What is the number for the BCS team?
Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: Another DFL-210 VPN configuration problem
« Reply #5 on: October 23, 2009, 03:48:22 PM »

If you are not putting your PPP Pool inside your LAN_Net you do not need the Proxy ARP listed in the FAQ.  That should not be a game killer, but I felt it was worth checking on.

BCS Support for the US is 1 877 354 6555.
Logged
non progredi est regredi

rcamkerr

  • Level 1 Member
  • *
  • Posts: 14
Re: Another DFL-210 VPN configuration problem
« Reply #6 on: October 23, 2009, 04:08:51 PM »

I removed the LAN from the Proxy ARP. It did not change the results. Is there a BCS support number for Canada?

Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: Another DFL-210 VPN configuration problem
« Reply #7 on: October 26, 2009, 08:38:11 AM »

Taken from the Canadian support.dlink.com

To Contact D-Link Tech Support by phone, please call:
1-800-361-5265 (option 3)
Monday - Friday:
9:00 am to 9:00 pm EST (English & French)
Logged
non progredi est regredi

rcamkerr

  • Level 1 Member
  • *
  • Posts: 14
Re: Another DFL-210 VPN configuration problem
« Reply #8 on: October 27, 2009, 04:33:01 PM »

Fatman,

Thanks for your help. I have not yet had a chance to contact BCS.

I have managed to solve one of the problems. We have two entirely separate internet connections and one of the firewalls was port forwarding port 500. I have disabled the port forwarding on that firewall.
It seems like I am very close to getting this working. Maybe you can point me in the right direction?

Watching the logs now I get part way through the negotiations.

I had ikesnoop running while I watched the connection attempt.

2009-10-27 16:21:14: IkeSnoop: Received IKE packet from xx.xx.xx.xx:4500
Exchange type  : Quick mode
.
.
.
  NAT-OA (NAT Original Address)
    Payload data length : 8 bytes
    Unknown payload (21)
  NAT-OA (NAT Original Address)
    Payload data length : 8 bytes
    Unknown payload (21)

It gets down to Exchange type: CFG mode.
Then I get:
2009-10-27 16:21:16: IkeSnoop: Received IKE packet from xx.xx.xx.xx:4500
2009-10-27 16:21:16: IkeSnoop: Other end retransmitted its packet
2009-10-27 16:21:16: IkeSnoop: Cannot resend response; waiting for replyfrom the policy manager
2009-10-27 16:21:19: IkeSnoop: Received IKE packet from xx.xx.xx.xx:4500
2009-10-27 16:21:19: IkeSnoop: Other end retransmitted its packet
2009-10-27 16:21:19: IkeSnoop: Cannot resend response; waiting for replyfrom the policy manager
2009-10-27 16:21:23: IkeSnoop: Received IKE packet from xx.xx.xx.xx:4500
2009-10-27 16:21:23: IkeSnoop: Other end retransmitted its packet
2009-10-27 16:21:23: IkeSnoop: Cannot resend response; waiting for replyfrom the policy manager
2009-10-27 16:21:31: IkeSnoop: Received IKE packet from xx.xx.xx.xx:4500
2009-10-27 16:21:31: IkeSnoop: Other end retransmitted its packet
2009-10-27 16:21:31: IkeSnoop: Cannot resend response; waiting for replyfrom the policy manager
2009-10-27 16:21:35: IkeSnoop: Received IKE packet from xx.xx.xx.xx:4500
2009-10-27 16:21:35: IkeSnoop: IKE packet belongs to unknown IKE SA
2009-10-27 16:21:48: IkeSnoop: Received IKE packet from xx.xx.xx.xx:4500
2009-10-27 16:21:48: IkeSnoop: Other end retransmitted its packet
2009-10-27 16:21:48: IkeSnoop: Cannot resend response; waiting for replyfrom the policy manager
2009-10-27 16:21:55: IkeSnoop: Received IKE packet from xx.xx.xx.xx:4500
2009-10-27 16:21:55: IkeSnoop: IKE packet belongs to unknown IKE SA
2009-10-27 16:22:04: IkeSnoop: Received IKE packet from xx.xx.xx.xx:4500
2009-10-27 16:22:04: IkeSnoop: Other end retransmitted its packet
2009-10-27 16:22:04: IkeSnoop: Cannot resend response; waiting for replyfrom the policy manager
2009-10-27 16:22:16: IkeSnoop: Received IKE packet from xx.xx.xx.xx:4500
2009-10-27 16:22:16: IkeSnoop: IKE packet belongs to unknown IKE SA
2009-10-27 16:22:18: IkeSnoop: Received IKE packet from xx.xx.xx.xx:4500
Exchange type  : Informational
ISAKMP Version : 1.0
Flags          : E (encryption)
Cookies        : 0x43d7252fff6bfa63 -> 0x9034bf8e1ef7d621
Message ID     : 0x4e0a5bae
Packet length  : 80 bytes
# payloads     : 2
Payloads:
  HASH (Hash)
    Payload data length : 20 bytes
  D (Delete)
    Payload data length : 24 bytes
    Protocol ID : ISAKMP
    Delete SPIs : 0x43d7252fff6bfa639034bf8e1ef7d621

In the http logs I see:
ike_invalid_payload
local_ip=172.18.1.101 remote_ip=xx.xx.xx.xx cookies= reason="UDP packet does not contain enough data for generic ISAKMP packet header"
Logged
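A small triage script, added here as an example and not part of the original post or of D-Link's tools, that reads IkeSnoop lines of the form shown above and counts the retransmit / stalled / unknown-SA pattern that marks a responder stuck in phase 2. The sample log is constructed (peer address 203.0.113.10 is a placeholder) and mirrors the excerpt in the post, including the firmware's "replyfrom" spelling.

```python
import re
from collections import Counter

# Constructed sample, modelled on the IkeSnoop excerpt in the post above.
SAMPLE_LOG = """\
2009-10-27 16:21:16: IkeSnoop: Received IKE packet from 203.0.113.10:4500
2009-10-27 16:21:16: IkeSnoop: Other end retransmitted its packet
2009-10-27 16:21:16: IkeSnoop: Cannot resend response; waiting for replyfrom the policy manager
2009-10-27 16:21:19: IkeSnoop: Received IKE packet from 203.0.113.10:4500
2009-10-27 16:21:19: IkeSnoop: Other end retransmitted its packet
2009-10-27 16:21:19: IkeSnoop: Cannot resend response; waiting for replyfrom the policy manager
2009-10-27 16:21:35: IkeSnoop: Received IKE packet from 203.0.113.10:4500
2009-10-27 16:21:35: IkeSnoop: IKE packet belongs to unknown IKE SA
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): IkeSnoop: (.*)$")

# Message patterns -> event names. The firmware prints "replyfrom" without
# a space (see the post), so that pattern tolerates the missing space.
EVENTS = [
    (re.compile(r"^Received IKE packet from (\S+)$"), "received"),
    (re.compile(r"^Other end retransmitted its packet$"), "retransmit"),
    (re.compile(r"^Cannot resend response; waiting for reply\s*from the policy manager$"), "stalled"),
    (re.compile(r"^IKE packet belongs to unknown IKE SA$"), "unknown_sa"),
]

def parse_ikesnoop(text):
    """Return (Counter of event names, set of 'host:port' peers seen)."""
    counts, peers = Counter(), set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # multi-line packet dumps (Exchange type, Payloads...) are skipped
        msg = m.group(2)
        for pat, name in EVENTS:
            pm = pat.match(msg)
            if pm:
                counts[name] += 1
                if name == "received":
                    peers.add(pm.group(1))
                break
        else:
            counts["other"] += 1
    return counts, peers

def diagnose(counts):
    """Map the event mix to the failure mode seen in the thread."""
    findings = []
    if counts["retransmit"] and counts["stalled"] == counts["retransmit"]:
        findings.append("responder never answered: every retransmit hit a stalled policy decision")
    if counts["unknown_sa"]:
        findings.append("peer kept sending after the IKE SA was gone (%d packets)" % counts["unknown_sa"])
    return findings
```

Run it over a full `ikesnoop` capture; a count of `stalled` equal to `retransmit` with no other events means the DFL never produced a phase 2 reply, which is what the post describes.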

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: Another DFL-210 VPN configuration problem
« Reply #9 on: October 27, 2009, 04:39:54 PM »

Ensure that protocols (not ports) 50 (ESP) and 51 (AH) aren't getting shot down either?
Logged
non progredi est regredi

rcamkerr

  • Level 1 Member
  • *
  • Posts: 14
Re: Another DFL-210 VPN configuration problem
« Reply #10 on: January 07, 2010, 04:08:06 PM »

As an update: we had D-Link tech support log in and check the configuration, and they found nothing wrong. We also hired a consultant familiar with the DFL-210. The consultant is also responsible for the company internet connection we are attached to. After looking at the connection from both ends he ended up giving up on finding a solution. His response was:

"Looking through the materials provided to me by NCP, the makers of the
DFL-210's IPsec, it appears we've done everything right according to the
documentation (I've given them logs of a conversation from both ends of the
connection).

The DFL-210 isn't responding as it should be to the second phase of the IKE
conversation."

We are looking at other secure options for providing VPN services to our company.

I would like to thank everyone for their help and suggestions.
Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: Another DFL-210 VPN configuration problem
« Reply #11 on: January 08, 2010, 08:27:25 AM »

If you PM me a location where I can download your config file, I will take a look at it myself. I don't know why you have had such trouble with it, but I know I can set it straight.

It is also worth noting that I could look into the case ID. In any situation where Tech Support had been unable to help you, there would have been other avenues they should have pursued, so I would be interested in your case ID whether or not you can furnish a config file for me to repair.
Logged
non progredi est regredi

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: Another DFL-210 VPN configuration problem
« Reply #12 on: January 08, 2010, 08:29:12 AM »

Scratch that second half. I had forgotten you were dealing with Canadian support, not US support; I am unfortunately not a member of the Canadian team, so that case ID would be useless for me.
Logged
non progredi est regredi