
Author Topic: l2tp/ipsec vpn configuration help  (Read 12215 times)

mackop

  • Level 1 Member
  • Posts: 16
l2tp/ipsec vpn configuration help
« on: August 01, 2009, 12:49:51 AM »

I have spent 2 days configuring L2TP/IPsec VPN for roaming clients on a D-Link firewall DFL-2500. The firewall keeps DROPping IPsec; please find the log at the end of the post. What am I missing?

I have followed the manual on pages 234 and 261:
ftp://ftp.dlink.co.uk/dfl_firewall/dfl-2500/NetDefendOS_220_Firewall_User_Manual_v1.06.pdf

and another manual, where I ignored certificates because I am using pre-shared keys:
ftp://ftp.dlink.co.uk/dfl_firewall/dfl-800/DFL-800_1600_2500-VPNwithCertification.pdf

Before that, I successfully configured a PPTP VPN following:
ftp://ftp.dlink.co.uk/dfl_firewall/dfl-800/DFL-800_1600_2500-VPN_PPTP_Server_for_remote_access.pdf

Please help me find out what I am missing with L2TP/IPsec.
Thank you,
Peter

Log:
2009-07-31 10:32:38 Warning RULE 06000051 Default_Access_Rule UDP l2tp_ipsec 190.190.190.111 190.190.190.15 1701 1701 ruleset_drop_packet drop rev=1 ipdatalen=107 udptotlen=107

2009-07-31 10:32:37 Warning RULE 06000051 Default_Access_Rule UDP l2tp_ipsec 190.190.190.111 190.190.190.15 1701 1701 ruleset_drop_packet drop rev=1 ipdatalen=107 udptotlen=107

2009-07-31 10:32:37 Warning RULE 06000051 Default_Access_Rule UDP l2tp_ipsec 190.190.190.111 190.190.190.15 1701 1701 ruleset_drop_packet drop rev=1 ipdatalen=107 udptotlen=107

2009-07-31 10:32:37 Info CONN 00600001 IPsecBeforeRules ESP wan1 core 190.190.190.111 190.190.190.15 conn_open rev=1 conn=open connsrcid=0 conndestid=0

2009-07-31 10:32:37 Info IPSEC 01803021 ipsec_sa_statistics rev=1 done=13 success=13 failed=0

2009-07-31 10:32:37 Info IPSEC 01802045 ipsec_sa_lifetime rev=1 kb=250000 sec=3600

2009-07-31 10:32:37 Info IPSEC 01800102 ipsec_event rev=1 message=""

2009-07-31 10:32:37 Info IPSEC 01802043 ipsec_sa_informal rev=1 spiin=2512160560 spiout=549791857 alg=3des-cbc keysize= mac=hmac-md5-96

2009-07-31 10:32:37 Info IPSEC 01802058 ipsec_sa_informal rev=1 local_id=190.190.190.15 udp:1701 remote_id=190.190.190.111

2009-07-31 10:32:37 Info IPSEC 01802704 ike_sa_negotiation_completed ike_sa_completed rev=1 local_peer="190.190.190.15 ID 190.190.190.15" remote_peer="190.190.190.111 ID 190.190.190.111" int_severity=6

2009-07-31 10:32:37 Info IPSEC 01802040 ipsec_sa_negotiation_completed ipsec_sa_enabled rev=1 sa=Responder info=

2009-07-31 10:32:37 Info IPSEC 01802703 ike_sa_negotiation_completed ike_sa_completed rev=1 local_peer="190.190.190.15 ID 190.190.190.15" remote_peer="190.190.190.111 ID 190.190.190.111" spis="Initiator SPI bb9e51a3 68122d4e Re

2009-07-31 10:32:37 Info IPSEC 01802024 ike_sa_negotiation_completed rev=1 options=Responder mode=Main Mode auth=Pre-shared keys encryption=3des-cbc keysize= hash=sha1 dhgroup=2 bits=1024 lifetime=28800

2009-07-31 10:32:37 Info IPSEC 01800102 ipsec_event rev=1 message=""

Fatman

  • Level 9 Member
  • Posts: 1675
Re: l2tp/ipsec vpn configuration help
« Reply #1 on: August 03, 2009, 09:05:48 AM »

Default access rule means that the packet doesn't have an applicable route. I would check out your route creation and metrics.

There is a full write-up on this set-up in the FAQ below, which I know is good because I wrote it myself.

http://www.dlink.com/support/faq/?prod_id=3248

That said, if your settings match the above and don't work, we are going to have to start by looking at your routing table; given you have a DFL-2500, I can only assume it is a bit hairy.
non progredi est regredi

mackop

  • Level 1 Member
  • Posts: 16
Re: l2tp/ipsec vpn configuration help
« Reply #2 on: August 05, 2009, 11:44:49 PM »

Thank you again, Fatman. I have tried your tutorial and this is what I have found out:
My network setup:
- my home connection 89.100.100.128
- firewall wan1_ip 190.190.190.15, wan1net 190.190.190.0/25
- firewall lan1_ip 10.10.1.5
- pool: 10.10.1.61-10.10.1.63

* If I connect from my home, I connect OK. I can ping lan1_ip, I can ping other computers on my local network.
   I can ping computers on the internet, like www.google.com. But I cannot browse webpages, Internet Explorer cannot access any webpage,
   and yes, I have the allservices NAT rule to wan1 allnets. In the firewall's log I get messages like:

02:39:25 Warning IP_PROTO 07000014 TTLOnLow ICMP L2TP_Over_IPsec 10.10.1.61 74.125.77.99 ttl_low drop rev=1 ttl=2 ttlmin=3 ipdatalen=72 icmptype=ECHO_REQUEST echoid=1 echoseq=46

It was from the google ping.
And quite a lot of messages like:

2009-08-06 02:39:27 Warning IP_PROTO 07000014 TTLOnLowMulticast UDP L2TP_Over_IPsec 10.10.1.61 224.0.0.252 53583 5355 ttl_low drop rev=1 ttl=1 ttlmin=3 ipdatalen=30 udptotlen=30

* If I connect the same notebook to the switch where the firewall wan1 is connected and I change the
   notebook IP to 190.190.190.111, I receive the same log as I posted before. I cannot connect.

Thank you again for any help. As I have found out, you are usually right.
Peter

Fatman

  • Level 9 Member
  • Posts: 1675
Re: l2tp/ipsec vpn configuration help
« Reply #3 on: August 06, 2009, 12:24:31 PM »

TTL Low On Multicast is going to happen unendingly unless you set up multicast handlers; all modern OSes are starting to use multicast for local network discovery now.

The other TTL low does bother me; assuming your network isn't gargantuan and you have sane TTLs coming from your hosts, I would look for a routed outbound loop. This is going to require a rather in-depth look at your entire network.
non progredi est regredi
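As an added example (not code from this thread or from D-Link), a small Python triage script over entries like the ones posted above, flattened to one line each: it flags the pattern from the first post (IPsec SA established, then UDP/1701 dropped by Default_Access_Rule, which Fatman's Reply #1 reads as "no applicable route") and classifies the TTL-low drops from Reply #2 the way Reply #3 does, multicast discovery as expected noise and expiring unicast as a possible routing loop. The sample entries are constructed from the posted log, and the field positions are assumed from its column layout.

```python
import ipaddress

# Constructed sample in the NetDefendOS log column order
# (date time severity category id [rule proto iface src dst [sport dport]] event [action] key=value ...),
# oldest first. The firewall GUI lists newest first, so reverse a real export before use.
SAMPLE_LOG = """\
2009-07-31 10:32:37 Info IPSEC 01802040 ipsec_sa_negotiation_completed ipsec_sa_enabled rev=1 sa=Responder info=
2009-07-31 10:32:37 Warning RULE 06000051 Default_Access_Rule UDP l2tp_ipsec 190.190.190.111 190.190.190.15 1701 1701 ruleset_drop_packet drop rev=1 ipdatalen=107 udptotlen=107
2009-07-31 10:32:38 Warning RULE 06000051 Default_Access_Rule UDP l2tp_ipsec 190.190.190.111 190.190.190.15 1701 1701 ruleset_drop_packet drop rev=1 ipdatalen=107 udptotlen=107
2009-08-06 02:39:25 Warning IP_PROTO 07000014 TTLOnLow ICMP L2TP_Over_IPsec 10.10.1.61 74.125.77.99 ttl_low drop rev=1 ttl=2 ttlmin=3 icmptype=ECHO_REQUEST
2009-08-06 02:39:27 Warning IP_PROTO 07000014 TTLOnLowMulticast UDP L2TP_Over_IPsec 10.10.1.61 224.0.0.252 53583 5355 ttl_low drop rev=1 ttl=1 ttlmin=3 udptotlen=30
"""

def _ip(tok):
    # ip_address object for an IP literal, None for any other token
    try:
        return ipaddress.ip_address(tok)
    except ValueError:
        return None

def parse_entry(line):
    """Split one flattened log entry into positional words, key=value pairs and IPs."""
    toks = line.split()
    kv = dict(t.split("=", 1) for t in toks if "=" in t)
    words = [t for t in toks if "=" not in t]
    ips = [w for w in words if _ip(w) is not None]
    return {"ts": f"{words[0]} {words[1]}", "words": words, "kv": kv, "ips": ips}

def triage(log_text):
    """Correlate IPsec SA establishment with later L2TP drops and classify TTL-low drops.
    Returns (kind, detail) tuples with kind in: l2tp_no_route, default_rule_drop,
    multicast_discovery, possible_routing_loop."""
    findings, sa_up = [], False
    for line in log_text.strip().splitlines():
        e = parse_entry(line)
        w, ips, kv = e["words"], e["ips"], e["kv"]
        if "ipsec_sa_enabled" in w:
            sa_up = True  # the outer IPsec tunnel is established from here on
        elif "ruleset_drop_packet" in w and "Default_Access_Rule" in w:
            # Ports (if any) sit between the destination IP and the event name.
            ports = w[w.index(ips[1]) + 1 : w.index("ruleset_drop_packet")]
            if sa_up and w[6] == "UDP" and ports[-1:] == ["1701"]:
                findings.append(("l2tp_no_route", f"{e['ts']} L2TP from {ips[0]} dropped by "
                                 "Default_Access_Rule after IPsec SA came up: no applicable route"))
            else:
                findings.append(("default_rule_drop", f"{e['ts']} {w[6]} {ips[0]}->{ips[1]}"))
        elif "ttl_low" in w:
            # Expiring multicast discovery (LLMNR/mDNS) is expected; expiring unicast is not.
            kind = "multicast_discovery" if _ip(ips[1]).is_multicast else "possible_routing_loop"
            findings.append((kind, f"{e['ts']} {ips[0]}->{ips[1]} ttl={kv.get('ttl')} ttlmin={kv.get('ttlmin')}"))
    return findings
```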

mackop

  • Level 1 Member
  • Posts: 16
Re: l2tp/ipsec vpn configuration help
« Reply #4 on: August 08, 2009, 04:52:19 AM »

Finally I got connected from home through the VPN and I was able to browse the web on the internet and an intranet as well. The successful connection was made from Win XP. From Win Vista I cannot browse webpages, but I can ping anything. The configuration of both clients was the same. Now I am looking for a difference in the Windows configurations.

Thank you,
Peter

Fatman

  • Level 9 Member
  • Posts: 1675
Re: l2tp/ipsec vpn configuration help
« Reply #5 on: August 10, 2009, 10:09:48 AM »

I would start with firewalls, gateways, and DNS (you did not mention if the pings were IPs only or also DNS named entities), beyond that I would have to be troubleshooting there with you.
non progredi est regredi