Author Topic: L2TP over IPSEC using preshared key with WinXP  (Read 23450 times)

d-linked

  • Level 1 Member
  • *
  • Posts: 7
L2TP over IPSEC using preshared key with WinXP
« on: November 22, 2008, 11:49:11 AM »

Hello, I'm trying to set up a VPN connection using L2TP over IPsec. Basically I want to connect from the internet on an XP client into the DIR-330, as it'll be my VPN server.

I can get L2TP to work fine, however I can't seem to get L2TP over IPsec to work using a preshared key. The key is configured on the router and the XP client VPN connection, but when I connect it does nothing - just sits at trying to connect.

Do I need to create an IPsec policy on the XP client to allow this to get to the router? If so, what should I use as settings in the policy, as it prompts me for algorithms etc. in the IP filter (when the DIR-330 doesn't have these options under the L2TP over IPsec settings; all there is is a place to enter the PSK or use 509 certificates).

Is the router missing parameters for this setting? Or are there hidden defaults that you need to use (i.e. 3des/sha etc.) for setting this up :-\

I've tried a few settings as well as reading this: http://support.microsoft.com/kb/240262  with no luck.

Note: I've heard you can only use L2TP over IPsec if you have a static IP on the client....is this true? I need to have my clients on DHCP as they move around to different networks.

Please let me know what I can do to fix this issue. I'd assume there are more people wanting to know this as well.

thanks:)
« Last Edit: November 23, 2008, 09:23:49 AM by d-linked »
Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: L2TP over IPSEC using preshared key with WinXP
« Reply #1 on: November 24, 2008, 08:30:18 AM »

I will answer the easy parts first then I will try to make a more significant effort.


Quote
Do I need to create an IPsec policy on the XP client to allow this to get to the router?

No, the default proposals will work fine for you.

Quote
Is the router missing parameters for this setting? Or are there hidden defaults that you need to use (i.e. 3des/sha etc) for setting this up :-\

No, all those parameters are listed in the IPsec tunnel page on the DIR-330 (you are going to want to see the below answers before questioning this one).

Quote
note: I've heard you can only use L2TP over Ipsec if you have a static IP on the client....is this true? I need to have my clients DHCP as they move around to different networks.

That is not true, it works just fine with clients on dynamic IPs.  In fact the most common usage for L2TP over IPsec is for "road warriors" who clearly won't be getting statics anytime soon.

Now on to the hard part, it sounds from your post like you may have created just an L2TP connection.

The process for setting up an L2TP over IPsec connection is to create an IPsec tunnel first.  This IPsec tunnel will have to be of type "Site to Site", I know this sounds contradictory as "Remote Users" sounds like what you are trying to accomplish.  The remote site and remote net need to be left as 0s as I recall, however I have not set this up in a while.

Then when you go to add another VPN one of the types available will be L2TP over IPsec.  You can fill out this half as per normal.
Logged
non progredi est regredi

d-linked

  • Level 1 Member
  • *
  • Posts: 7
Re: L2TP over IPSEC using preshared key with WinXP
« Reply #2 on: November 24, 2008, 09:29:59 AM »

Quote
I will answer the easy parts first then I will try to make a more significant effort.

No, the default proposals will work fine for you.

No, all those parameters are listed in the IPsec tunnel page on the DIR-330 (you are going to want to see the below answers before questioning this one).

That is not true, it works just fine with clients on dynamic IPs.  In fact the most common usage for L2TP over IPsec is for "road warriors" who clearly won't be getting statics anytime soon.

Now on to the hard part, it sounds from your post like you may have created just an L2TP connection.

The process for setting up an L2TP over IPsec connection is to create an IPsec tunnel first.  This IPsec tunnel will have to be of type "Site to Site", I know this sounds contradictory as "Remote Users" sounds like what you are trying to accomplish.  The remote site and remote net need to be left as 0s as I recall, however I have not set this up in a while.

Then when you go to add another VPN one of the types available will be L2TP over IPsec.  You can fill out this half as per normal.

Thanks fatman for the response. I only had the L2TP over IPsec configured and not the Site-to-Site IPsec profile configured.

After enabling the IPsec S2S profile as well (and deleting the prohibitipsec registry entry) I tried again. No luck. It just hangs at connecting and errors out with 789.

If I enable the prohibitipsec=1 value I can connect, but it only uses standard L2TP and not the IPsec/PSK. (Note I have L2TP over IPsec enabled in the profile, not L2TP.)

I'm wondering where I'm getting stuck at this point. It doesn't seem like IPsec is being initiated.
« Last Edit: November 24, 2008, 09:37:07 AM by d-linked »
Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: L2TP over IPSEC using preshared key with WinXP
« Reply #3 on: November 24, 2008, 09:38:53 AM »

I have never needed to make any registry changes for L2TP over IPsec to work.

I only had to use a remote dial up connection of type L2TP over IPsec.

That said the only documentation I am seeing from Microsoft on error 789 is Win2K documentation that mentions that registry entry.  I would try putting the registry back to defaults and creating a simple connection.

It looks like error 789 is a security related error, are you seeing anything in the logs of your DIR?  Can you re-enter your PSK on both sides for me?
Logged
non progredi est regredi

d-linked

  • Level 1 Member
  • *
  • Posts: 7
Re: L2TP over IPSEC using preshared key with WinXP
« Reply #4 on: November 24, 2008, 10:03:53 AM »

Quote
It looks like error 789 is a security related error, are you seeing anything in the logs of your DIR?  Can you re-enter your PSK on both sides for me?

I verified the keys, removed the registry entry and recreated the L2TP over IPsec VPN connection.

I now receive error 792: The L2TP connection attempt failed because security negotiation timed out. From that error it doesn't seem like the request was leaving my XP client.

Keep in mind I'm using the same preshared key (for both DIR-330 profiles, and not certificates).

From what I've read, I was under the impression that prohibitipsec must be in the registry because it disables the default IPsec policy of looking for certificates?

I now have the prohibitipsec enabled again, and can connect via the L2TP over IPsec connection....but it's only using L2TP and not L2TP/IPsec...I verified this by entering a bogus PSK on the client's VPN connection setting (under IPSEC), and it still connects.

I'm not sure why the DIR330 would accept a standard L2TP connection when L2TP over IPSec is selected as the VPN server type. :-\

Anyhow, it still looks like my XP client isn't initializing the IPSEC connection with the router and then going over L2TP. What else should I try fatman?




« Last Edit: November 24, 2008, 12:20:38 PM by d-linked »
Logged
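The test d-linked describes above (a bogus PSK still connects, so the session cannot actually be inside IPsec) can be checked on the wire instead of by guesswork. The following is an added example, not code from the thread, from Microsoft or from D-Link's firmware: it labels raw IPv4 packets as ESP, NAT-T, IKE or clear-text L2TP on UDP/1701 and summarises a capture the way the thread's symptoms would appear. The packets, addresses and captures are constructed inline; the `classify`, `diagnose`, `ipv4` and `udp` helpers are my own names.

```python
import struct

# Added example (not from the thread or D-Link firmware). A real L2TP-over-IPsec
# session shows ESP (IP protocol 50) or NAT-T (UDP/4500) on the wire, never bare
# UDP/1701; if a wrong PSK still connects, the capture will show clear L2TP.
ESP, UDP = 50, 17
PORTS = {500: "ike", 4500: "nat-t", 1701: "l2tp-clear"}

def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet: esp, nat-t, ike, l2tp-clear or other."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    if proto == ESP:
        return "esp"
    if proto != UDP or len(packet) < ihl + 8:
        return "other"
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return PORTS.get(dport, PORTS.get(sport, "other"))

def diagnose(packets) -> str:
    """Summarise a capture in terms of the symptoms discussed in the thread."""
    kinds = {classify(p) for p in packets}
    if "l2tp-clear" in kinds:
        return "L2TP in the clear: IPsec not applied (ProhibitIpSec-style)"
    if kinds & {"esp", "nat-t"}:
        return "L2TP protected by IPsec"
    if "ike" in kinds:
        return "IKE seen but no ESP: negotiation failed (cf. errors 789/792)"
    return "no VPN traffic seen"

def ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (checksum left zero) around payload; constructed."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, b"\xc0\xa8\x01\x0a", b"\xcb\x00\x71\x05") + payload

def udp(sport: int, dport: int, data: bytes) -> bytes:
    """Minimal UDP header (checksum zero) around data; constructed."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed captures for the three situations in the thread.
CLEAR_L2TP = [ipv4(UDP, udp(1701, 1701, b"\xc8\x02\x00\x0c"))]
PROTECTED = [ipv4(UDP, udp(500, 500, b"\x00" * 28)), ipv4(ESP, b"\x00\x00\x12\x34" + b"\xaa" * 20)]
NEGOTIATION_FAIL = [ipv4(UDP, udp(500, 500, b"\x00" * 28))] * 3

if __name__ == "__main__":
    for name, cap in [("clear", CLEAR_L2TP), ("protected", PROTECTED), ("fail", NEGOTIATION_FAIL)]:
        print(name, "->", diagnose(cap))
```

On a real capture, feed the IPv4 payloads of the frames between the XP client and the DIR-330 WAN address to `diagnose`; a "clear" result means the client fell back to plain L2TP regardless of what the VPN profile says.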

d-linked

  • Level 1 Member
  • *
  • Posts: 7
Re: L2TP over IPSEC using preshared key with WinXP
« Reply #5 on: November 24, 2008, 02:06:46 PM »

Well I gave tech support a call today, they walked me through setting up the tunnel.

They claimed that you can't use 0.0.0.0 & 0.0.0.0/0 as the S2S and remote IP/mask settings. Then he recommended that I get a DFR 210 instead :D

Wasn't really helpful, so at this point I have the following enabled on the DIR-330:

IPsec tunnel with 0.0.0.0 & 0.0.0.0/0 as the S2S and remote IP/mask settings, and preshared key auth.
L2TP over IPsec with preshared key enabled.

XP client VPN connection is set up as L2TP over IPsec with the preshared key entered.

I can connect, but it's only using L2TP and not the IPsec preshared key to authenticate.

It seems that no IPsec tunnel is being initiated, so I don't know if it's a local IPsec policy problem or the router config.

fatman would you be able to give me some ideas to get this figured out? Your help is greatly appreciated. I can post more info if needed.
Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: L2TP over IPSEC using preshared key with WinXP
« Reply #6 on: November 24, 2008, 04:21:28 PM »

PM me the agents name and or case ID on your tech support call, that is inappropriate.

If you can dial L2TP by itself you don't have the connected profiles set up; you have 2 separate VPN profiles, not the 1 connected profile.

What type are the profiles listed as?
When you are testing this setup are you on the LAN of the DIR or on the WAN?
If on the WAN are you behind NAT?
Logged
non progredi est regredi

d-linked

  • Level 1 Member
  • *
  • Posts: 7
Re: L2TP over IPSEC using preshared key with WinXP
« Reply #7 on: November 24, 2008, 04:31:20 PM »

Quote
PM me the agents name and or case ID on your tech support call, that is inappropriate

PM sent :)

Quote
If you can dial L2TP by itself you don't have the connected profiles set up you have 2 separate VPN profiles, not the 1 connected profile.

What type are the profiles listed as?

testipsec: IPSEC
myvpn: L2TP over IPSec

Does each profile have to have the same name?


Quote
When you are testing this setup are you on the LAN of the DIR or on the WAN?

I'm coming in from remote, so the WAN.

Quote
If on the WAN are you behind NAT?

I've tested from 2 locations, 1 with NAT the other not.
Logged

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: L2TP over IPSEC using preshared key with WinXP
« Reply #8 on: November 24, 2008, 04:58:01 PM »

Quote
PM sent :)

Thanks for the PM

Quote
Does each profile have to have the same name?

No, they should be able to use different names.

Tell you what, I am growing weary of doing this over the forums, and TS failed you so I ask that you PM me with your WAN type, LAN net, LAN IP, and e-mail address.  I will make you a config file and send it to you with a user of admin/admin and a PSK of admin which I advise you to change before use.
Logged
non progredi est regredi

d-linked

  • Level 1 Member
  • *
  • Posts: 7
Re: L2TP over IPSEC using preshared key with WinXP
« Reply #9 on: November 26, 2008, 12:43:58 PM »

Well at this point I'm stuck, seems to error out when trying to connect. Either 789 or 792.

Using IPSecMon it appears to open IPsec L2TP channels in XP, so maybe it's a DIR-330 issue? Fatman I look forward to your input. I've PM'd you the details.
« Last Edit: November 27, 2008, 03:59:22 PM by d-linked »
Logged

d-linked

  • Level 1 Member
  • *
  • Posts: 7
Re: L2TP over IPSEC using preshared key with WinXP
« Reply #10 on: February 15, 2009, 10:42:55 AM »

Has anyone else been able to setup L2TP over IPSec with an XP client?

I'm still unable to do so and wondering if it's a firmware issue. Fatman has anyone else brought this up? Just wondering if there's a 330 firmware update in the works.
Logged