    EdgeRouter L2TP VPN can't pass IKE phase 1

    IT Discussion
    l2tp edgeos 1.10.6 edgerouter lite vpn
    Romo @taurex

      @taurex here it is

      show firewall name WAN_LOCAL
       default-action drop
       description "WAN to router"
       rule 10 {
           action accept
           description "Allow established/related"
           state {
               established enable
               related enable
           }
       }
       rule 20 {
           action drop
           description "Drop invalid state"
           state {
               invalid enable
           }
       }
       rule 30 {
           action accept
           description "Allow iCMP"
           disable
           log disable
           protocol icmp
       }
       rule 40 {
           action accept
           description "Allow IKE for VPN"
           destination {
               port 500
           }
           log disable
           protocol udp
       }
       rule 50 {
           action accept
           description "Allow L2TP for VPN"
           destination {
               port 1701
           }
           log disable
           protocol udp
       }
       rule 60 {
           action accept
           description "Allow ESP for VPN"
           log disable
           protocol esp
       }
       rule 70 {
           action accept
           description "Allow NAT-T for VPN"
           destination {
               port 4500
           }
           log disable
           protocol udp
       }
      
      
        taurex @Romo

        @romo I don't see ipsec match-ipsec set in your L2TP rule.

        Do you also have WAN_IN firewall rules set up?

          Romo @taurex

          @taurex said in EdgeRouter L2TP VPN can't pass IKE phase 1:

          @romo I don't see ipsec match-ipsec set in your L2TP rule.

          Do you also have WAN_IN firewall rules set up?

          WAN_IN

          name WAN_IN {
               default-action drop
               description "WAN to internal"
               rule 10 {
                   action accept
                   description "Allow established/related"
                   state {
                       established enable
                       related enable
                   }
               }
               rule 20 {
                   action drop
                   description "Drop invalid state"
                   state {
                       invalid enable
                   }
               }
               rule 21 {
                   action accept
                   description "Web Traffic to Help Desk"
                   destination {
                       group {
                           address-group Helpdesk_internal
                           port-group HTTP_and_HTTPS
                       }
                   }
                   log disable
                   protocol tcp
                   state {
                       established enable
                       invalid disable
                       new enable
                       related enable
                   }
               }
               rule 22 {
                   action accept
                   description "Web Traffic to DevTestWeb"
                   destination {
                       group {
                           address-group DevTestWeb_internal
                           port-group HTTP_and_HTTPS
                       }
                   }
                   log disable
                   protocol tcp
                   state {
                       established enable
                       invalid disable
                       new enable
                       related enable
                   }
               }
               rule 23 {
                   action accept
                   description "Web Traffic to Demo"
                   destination {
                       group {
                           address-group Demo_internal
                           port-group HTTP_and_HTTPS
                       }
                   }
                   log disable
                   protocol tcp
                   state {
                       established enable
                       invalid disable
                       new enable
                       related enable
                   }
               }
               rule 24 {
                   action accept
                   description "Web Traffic to QB"
                   destination {
                       group {
                           address-group QB_Int
                           port-group RDP
                       }
                   }
                   log disable
                   protocol tcp
                   state {
                       established enable
                       invalid disable
                       new enable
                       related enable
                   }
               }
           }
          

          Added the ipsec match-ipsec on WAN_LOCAL still nothing.

          show firewall name WAN_LOCAL
           default-action drop
           description "WAN to router"
           rule 10 {
               action accept
               description "Allow established/related"
               state {
                   established enable
                   related enable
               }
           }
           rule 20 {
               action drop
               description "Drop invalid state"
               state {
                   invalid enable
               }
           }
           rule 30 {
               action accept
               description "Allow iCMP"
               disable
               log disable
               protocol icmp
           }
           rule 40 {
               action accept
               description "Allow IKE for VPN"
               destination {
                   port 500
               }
               log disable
               protocol udp
           }
           rule 50 {
               action accept
               description "Allow ESP for VPN"
               log disable
               protocol esp
           }
           rule 60 {
               action accept
               description "Allow NAT-T for VPN"
               destination {
                   port 4500
               }
               log disable
               protocol udp
           }
           rule 70 {
               action accept
               description "Allow L2TP for VPN"
               destination {
                   port 1701
               }
               ipsec {
                   match-ipsec
               }
               log disable
               protocol udp
           }
          
            taurex @Romo

            @romo Have you defined ipsec interfaces with set vpn ipsec ipsec-interfaces interface eth[.]? I don't see it in your VPN config output. Also, If your static IP address gets issued by your ISP via PPPoE, you'll need to change the outside L2TP address to 0.0.0.0.

              Romo @taurex

              @taurex just added the ipsec-interfaces setting, even though it is deprecated according to the documentation, and still nothing.

                taurex @Romo

                @romo Your site-to-site VPN doesn't work either, correct? Are you sure none of the routers is behind a Carrier Grade NAT (CG-NAT)? Are they all public IPs you have on both ends? L2TP doesn't work if its server is behind a NAT.

                When you use a policy based VPN you need to start passing some traffic through the tunnel to bring it up. Have you tried pinging a device on the other router's network tunnelled through the VPN?

                What's the output of show log | match 'xl2tpd|pppd'?

                  Romo @taurex

                  @taurex Site to site is working properly

                    Romo

                    Downgraded to 1.10.5 and still can't establish a proper connection or get any other type of log.

                    Version:      v1.10.5
                    Build ID:     5098915
                    Build on:     06/22/18 13:55
                    Copyright:    2012-2018 Ubiquiti Networks, Inc.
                    HW model:     EdgeRouter Lite 3-Port
                    HW S/N:       788A2041AA25
                    Uptime:       01:19:49 up 1 day,  4:46,  1 user,  load average: 0.23, 0.16, 0.14
                    

                    Could this mean the device is having some sort of problem, or could it be caused by the Internet Service Provider?

                      JaredBusch

                      I would have to go dig around my posts on the UBNT community to find all the various ways I got logs when troubleshooting L2TP 6 months ago.

                        Romo

                        What's really strange is that with the downgrade, it even returned to the original configuration, the one that was properly working before, and still nothing.

                          JaredBusch @Romo

                          @romo said in EdgeRouter L2TP VPN can't pass IKE phase 1:

                          What's really strange is that with the downgrade, it even returned to the original configuration the one that was properly working before and still nothing.

                          That is normal behavior. When you downgrade, it also reverts to the config.boot file that was used. Because obviously new firmware could potentially have config changes required that would not work with older firmware.

                            Romo

                            Yeah, I didn't find strange it reverted to using the old config, what seems strange is that it is not even working on a firmware version it used to work with and with a config that used to work as well.

                            Really thought the downgrade would have made it work again.

                              Romo

                              A DNAT rule was the culprit of everything, it was redirecting the traffic and not letting it reach WAN_LOCAL.

                              FINALLY SOLVED!!!!!!!!!!!!!!!!!!!!!!!!!


                              As a reminder for anyone that could encounter a similar issue:
                              DNAT rules are evaluated before firewall rules.

                                scottalanmiller @Romo
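                              The lesson in the post above, that DNAT runs before the WAN_LOCAL/WAN_IN filter chains so a forwarding rule that happens to match the VPN ports steals the packets before rules 40/60/70 ever see them, as an added example that is not part of this thread and not EdgeOS code: a small Python model of the EdgeOS/VyOS packet path, plus a check that flags DNAT rules which shadow the IKE, NAT-T and L2TP ports. The router address, the internal hosts and the two DNAT rules are constructed for the example; the model is stateless, so the established/related rules and match-ipsec are left out.

```python
"""Added example (not from the thread): why a DNAT rule can shadow the
WAN_LOCAL rules that admit IKE/NAT-T/L2TP on an EdgeRouter.

Order modelled, as on EdgeOS/VyOS: DNAT (first matching rule wins and
rewrites the destination) -> routing decision (destination is the router
itself => WAN_LOCAL chain, anything else => WAN_IN chain) -> filter rules
evaluated in order, default-action if nothing matched.
All addresses, rule numbers and rules below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ROUTER_WAN_IP = "203.0.113.10"  # constructed public address of the router
VPN_PORTS = {("udp", 500): "IKE", ("udp", 4500): "NAT-T", ("udp", 1701): "L2TP"}


@dataclass
class Packet:
    proto: str                   # "udp", "tcp", "esp", ...
    dst_ip: str
    dst_port: Optional[int] = None   # ESP has no port


@dataclass
class DnatRule:
    number: int
    proto: str                   # "all" or a protocol name
    dst_port: Optional[int]      # None = any port (a wide port-forward)
    translate_to: str


@dataclass
class FwRule:
    number: int
    action: str
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dst_port is not None and self.dst_port != p.dst_port:
            return False
        return True


# WAN_LOCAL as in the thread (stateful rules 10/20 omitted in this model).
WAN_LOCAL = [FwRule(40, "accept", "udp", 500), FwRule(50, "accept", "esp"),
             FwRule(60, "accept", "udp", 4500), FwRule(70, "accept", "udp", 1701)]
# WAN_IN: a single published web server, default drop.
WAN_IN = [FwRule(21, "accept", "tcp", 443)]
# Constructed DNAT rules: rule 2 forwards *all* UDP to a LAN host, which is
# the kind of rule that silently captures IKE/NAT-T/L2TP.
DNAT_RULES = [DnatRule(1, "tcp", 443, "192.168.1.20"),
              DnatRule(2, "udp", None, "192.168.1.50")]


def apply_dnat(pkt: Packet, rules: List[DnatRule]) -> Tuple[Packet, Optional[int]]:
    """First matching DNAT rule rewrites dst_ip; later rules are not consulted."""
    for r in rules:
        if r.proto not in ("all", pkt.proto):
            continue
        if r.dst_port is not None and r.dst_port != pkt.dst_port:
            continue
        return Packet(pkt.proto, r.translate_to, pkt.dst_port), r.number
    return pkt, None


def filter_chain(pkt: Packet, rules: List[FwRule], default_action: str):
    for r in rules:
        if r.matches(pkt):
            return r.action, r.number
    return default_action, None


def trace(pkt: Packet, dnat_rules, wan_local, wan_in) -> dict:
    """Follow one packet through DNAT, chain selection and filtering."""
    after, dnat_no = apply_dnat(pkt, dnat_rules)
    # After DNAT the packet is no longer addressed to the router, so it is
    # forwarded and hits WAN_IN; WAN_LOCAL never sees it.
    if after.dst_ip == ROUTER_WAN_IP:
        chain, rules = "WAN_LOCAL", wan_local
    else:
        chain, rules = "WAN_IN", wan_in
    verdict, rule_no = filter_chain(after, rules, "drop")
    return {"dnat_rule": dnat_no, "chain": chain, "verdict": verdict, "rule": rule_no}


def shadowed_vpn_ports(dnat_rules: List[DnatRule]) -> List[Tuple[int, str]]:
    """List (rule number, service) for every DNAT rule that would capture
    a port the L2TP/IPsec server needs to receive on WAN_LOCAL."""
    hits = []
    for r in dnat_rules:
        for (proto, port), name in VPN_PORTS.items():
            if r.proto in ("all", proto) and r.dst_port in (None, port):
                hits.append((r.number, name))
    return hits


if __name__ == "__main__":
    ike = Packet("udp", ROUTER_WAN_IP, 500)
    print("no DNAT  :", trace(ike, [], WAN_LOCAL, WAN_IN))
    print("with DNAT:", trace(ike, DNAT_RULES, WAN_LOCAL, WAN_IN))
    print("shadowing DNAT rules:", shadowed_vpn_ports(DNAT_RULES))
```

                              On a real EdgeRouter the same check is done by reading `show nat rules` against the WAN_LOCAL rule set and confirming with `show firewall name WAN_LOCAL statistics` whether the IKE/NAT-T/L2TP rule counters move at all while a client is trying to connect; if they stay at zero, something earlier in the path (here, DNAT) is taking the packets.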

                                @romo said in EdgeRouter L2TP VPN can't pass IKE phase 1:

                                A DNAT rule was the culprit of everything, it was redirecting the traffic and not letting it reach WAN_LOCAL.

                                FINALLY SOLVED!!!!!!!!!!!!!!!!!!!!!!!!!


                                As a reminder for anyone that could encounter a similar issue:
                                DNAT rules are evaluated before firewall rules.

                                Also as a reminder, don't wait a month before reporting an issue; we weren't looking at rules, as they had not changed for a month!

                                  JaredBusch @Romo

                                  @romo said in EdgeRouter L2TP VPN can't pass IKE phase 1:

                                  A DNAT rule was the culprit of everything, it was redirecting the traffic and not letting it reach WAN_LOCAL.

                                  FINALLY SOLVED!!!!!!!!!!!!!!!!!!!!!!!!!


                                  As a reminder for anyone that could encounter a similar issue:
                                  DNAT rules are evaluated before firewall rules.

                                  Yes, this is a known function of VyOS/EdgeOS. But nothing was ever posted about DNAT rules in use, so I assumed there were none. There are not by default.
