EdgeRouter L2TP VPN can't pass IKE phase 1
-
@romo Have you defined ipsec interfaces with set vpn ipsec ipsec-interfaces interface eth[.]? I don't see it in your VPN config output. Also, if your static IP address gets issued by your ISP via PPPoE, you'll need to change the outside L2TP address to 0.0.0.0.
-
@taurex just added the ipsec-interfaces setting even though it is deprecated according to the documentation and still nothing :disappointed_face:
-
@romo Your site-to-site VPN doesn't work either, correct? Are you sure none of the routers is behind a Carrier Grade NAT (CG-NAT)? Are they all public IPs you have on both ends? L2TP doesn't work if its server is behind a NAT.
When you use a policy based VPN you need to start passing some traffic through the tunnel to bring it up. Have you tried pinging a device on the other router's network tunnelled through the VPN?
What's the output of show log | match 'xl2tpd|pppd'?
-
@taurex Site to site is working properly
-
Downgraded to 1.10.5 and still can't establish a proper connection or get any other type of log.
Version: v1.10.5
Build ID: 5098915
Build on: 06/22/18 13:55
Copyright: 2012-2018 Ubiquiti Networks, Inc.
HW model: EdgeRouter Lite 3-Port
HW S/N: 788A2041AA25
Uptime: 01:19:49 up 1 day, 4:46, 1 user, load average: 0.23, 0.16, 0.14
Could this mean the device is having some sort of problem, or could it be caused by the Internet Service Provider?
-
I would have to go dig around my posts on the UBNT community to find all the various ways I got logs when troubleshooting L2TP 6 months ago.
-
What's really strange is that with the downgrade, it even returned to the original configuration, the one that was properly working before, and still nothing.
-
@romo said in EdgeRouter L2TP VPN can't pass IKE phase 1:
What's really strange is that with the downgrade, it even returned to the original configuration, the one that was properly working before, and still nothing.
That is normal behavior. When you downgrade, it also reverts to the config.boot file that was used. Because obviously new firmware could potentially have config changes required that would not work with older firmware.
-
Yeah, I didn't find it strange that it reverted to using the old config; what seems strange is that it is not even working on a firmware version it used to work with, and with a config that used to work as well.
Really thought the downgrade would have made it work again.
-
A DNAT rule was the culprit of everything, it was redirecting the traffic and not letting it reach WAN_LOCAL.
FINALLY SOLVED!!!!!!!!!!!!!!!!!!!!!!!!!
As a reminder for anyone that could encounter a similar issue:
DNAT rules are evaluated before firewall rules.
-
@romo said in EdgeRouter L2TP VPN can't pass IKE phase 1:
A DNAT rule was the culprit of everything, it was redirecting the traffic and not letting it reach WAN_LOCAL.
FINALLY SOLVED!!!!!!!!!!!!!!!!!!!!!!!!!
As a reminder for anyone that could encounter a similar issue:
DNAT rules are evaluated before firewall rules.
Also, as a reminder, don't wait a month before reporting an issue. We weren't looking at rules, as they had not changed for a month!
-
@romo said in EdgeRouter L2TP VPN can't pass IKE phase 1:
A DNAT rule was the culprit of everything, it was redirecting the traffic and not letting it reach WAN_LOCAL.
FINALLY SOLVED!!!!!!!!!!!!!!!!!!!!!!!!!
As a reminder for anyone that could encounter a similar issue:
DNAT rules are evaluated before firewall rules.
Yes, this is a known function of VyOS/EdgeOS. But nothing was ever posted about DNAT rules in use, so I assumed there were none. There are none by default.
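As an added example that is not from this thread or from Ubiquiti: a small Python check that parses an EdgeOS-style nat block (a constructed sample, not the poster's configuration) and flags destination-NAT rules that would capture UDP 500/4500/1701 before the packets ever reach the WAN_LOCAL firewall chain, which is the failure mode found above. It assumes the brace syntax of show configuration and treats a rule with no protocol as matching all protocols.

```python
# Constructed EdgeOS-style NAT block (not the poster's real config); rule 2 is
# the kind of DNAT that diverts IKE/NAT-T to a LAN host before WAN_LOCAL sees it.
SAMPLE_NAT = """nat {
    rule 2 {
        destination { port 500,4500 }
        inside-address { address 192.168.1.10 }
        protocol udp
        type destination
    }
}
"""
VPN_UDP_PORTS = {500, 4500, 1701}  # IKE, NAT-T, L2TP
def parse_block(lines, i=0):
    """Parse brace-delimited EdgeOS config lines into nested dicts."""
    node = {}
    while i < len(lines):
        if lines[i] == "}":
            return node, i + 1
        if i + 1 < len(lines) and lines[i + 1] == "{":
            name = lines[i]
            node[name], i = parse_block(lines, i + 2)
        else:
            key, _, value = lines[i].partition(" ")
            node[key] = value.strip('"')
            i += 1
    return node, i

def expand_ports(spec):
    """'500,4500' or '1700-1702' -> set of ints; '' (no port match) -> set()."""
    ports = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def find_vpn_hijacking_dnat(config_text):
    """[(rule, clashing ports)] for DNAT rules that steal L2TP/IPsec UDP."""
    raw = config_text.replace("{", "\n{\n").replace("}", "\n}\n")
    tree, _ = parse_block([l.strip() for l in raw.splitlines() if l.strip()])
    hits = []
    for name, rule in tree.get("nat", {}).items():
        proto = rule.get("protocol", "all")  # assumed: no protocol = all
        if not name.startswith("rule") or rule.get("type") != "destination" \
                or proto not in ("udp", "tcp_udp", "all"):
            continue
        ports = expand_ports(rule.get("destination", {}).get("port", ""))
        clash = ports & VPN_UDP_PORTS if ports else VPN_UDP_PORTS
        if clash:
            hits.append((name, sorted(clash)))
    return hits
```

A DNAT rule with no port restriction is reported as clashing on all three ports, since it would swallow every inbound packet on that interface.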