EdgeRouter L2TP VPN can't pass IKE phase 1
-
I believe you need to define another ESP and IKE group for the site-to-site Tunnel 2. Also, your remote L2TP pool overlaps with one of the existing interface's IP range. It might overlap with the existing DHCP lease or a static address on your 192.168.4.0/24 network. I would make the remote pool totally different.
Do you have static public IPs on both ends? If yes, I'd do route-based site-to-site VPN with VTI interfaces instead. It stays always on as long as there's network connectivity between the peers. No need to define multiple individual policies either.
-
@taurex said in EdgeRouter L2TP VPN can't pass IKE phase 1:
I believe you need to define another ESP and IKE group for the site-to-site Tunnel 2.
You do not. I use a single group for everything.
-
@taurex said in EdgeRouter L2TP VPN can't pass IKE phase 1:
Do you have static public IPs on both ends? If yes, I'd do route-based site-to-site VPN with VTI interfaces instead. It stays always on as long as there's network connectivity between the peers. No need to define multiple individual policies either.
The point of using L2TP is for roving users.
-
This is a working configuration I use on many routers.
L2TP config:
set vpn l2tp remote-access authentication local-users username SomeUsername password 'SomeUserPassword' set vpn l2tp remote-access authentication mode local set vpn l2tp remote-access client-ip-pool start 10.254.203.2 set vpn l2tp remote-access client-ip-pool stop 10.254.203.10 set vpn l2tp remote-access dhcp-interface eth0 set vpn l2tp remote-access dns-servers server-1 1.1.1.1 set vpn l2tp remote-access dns-servers server-2 8.8.8.8 set vpn l2tp remote-access idle 1800 set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret SomeGoodPSK set vpn l2tp remote-access ipsec-settings ike-lifetime 3600 set vpn l2tp remote-access ipsec-settings lifetime 3600 set vpn l2tp remote-access mtu 1492If your WAN port is not DHCP, then you use this line instead of the dhcp-interface line above.
set vpn l2tp remote-access outside-address your.wan.IP.addIPSEC Config:
set vpn ipsec auto-firewall-nat-exclude enable set vpn ipsec esp-group bnaesp compression disable set vpn ipsec esp-group bnaesp lifetime 3600 set vpn ipsec esp-group bnaesp mode tunnel set vpn ipsec esp-group bnaesp pfs enable set vpn ipsec esp-group bnaesp proposal 1 encryption aes256 set vpn ipsec esp-group bnaesp proposal 1 hash sha1 set vpn ipsec ike-group bnaike ikev2-reauth no set vpn ipsec ike-group bnaike key-exchange ikev1 set vpn ipsec ike-group bnaike lifetime 28800 set vpn ipsec ike-group bnaike proposal 1 dh-group 19 set vpn ipsec ike-group bnaike proposal 1 encryption aes256 set vpn ipsec ike-group bnaike proposal 1 hash sha1 set vpn ipsec ipsec-interfaces interface eth0 <snip about 8 tunnels>Firewall Config:
Note, by using this firewall configuration, I do not need any other rules for L2TP. But this could be tighter as noted in the guide you followed.set firewall name WAN_LOCAL rule 40 action accept set firewall name WAN_LOCAL rule 40 description 'Allow IPSEC' set firewall name WAN_LOCAL rule 40 ipsec match-ipsec set firewall name WAN_LOCAL rule 40 log disable set firewall name WAN_LOCAL rule 40 protocol all set firewall name WAN_LOCAL rule 40 state established disable set firewall name WAN_LOCAL rule 40 state invalid disable set firewall name WAN_LOCAL rule 40 state new enable set firewall name WAN_LOCAL rule 40 state related disable -
Thanks for responding @jared
@jaredbusch said in EdgeRouter L2TP VPN can't pass IKE phase 1:
This is a working configuration I use on many routers.
L2TP config:
set vpn l2tp remote-access authentication local-users username SomeUsername password 'SomeUserPassword' set vpn l2tp remote-access authentication mode local set vpn l2tp remote-access client-ip-pool start 10.254.203.2 set vpn l2tp remote-access client-ip-pool stop 10.254.203.10 set vpn l2tp remote-access dhcp-interface eth0 set vpn l2tp remote-access dns-servers server-1 1.1.1.1 set vpn l2tp remote-access dns-servers server-2 8.8.8.8 set vpn l2tp remote-access idle 1800 set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret SomeGoodPSK set vpn l2tp remote-access ipsec-settings ike-lifetime 3600 set vpn l2tp remote-access ipsec-settings lifetime 3600 set vpn l2tp remote-access mtu 1492L2TP config is pretty much the same, I saw your other post and used it as well, I had the MTU set to 1492 before but on your other guide I believe I saw it at 1400 so currently have that.
If your WAN port is not DHCP, then you use this line instead of the dhcp-interface line above.
set vpn l2tp remote-access outside-address your.wan.IP.addStatic ip so outside address set.
outside-address XXX.XXX.XXX.33IPSEC Config:
set vpn ipsec auto-firewall-nat-exclude enable set vpn ipsec esp-group bnaesp compression disable set vpn ipsec esp-group bnaesp lifetime 3600 set vpn ipsec esp-group bnaesp mode tunnel set vpn ipsec esp-group bnaesp pfs enable set vpn ipsec esp-group bnaesp proposal 1 encryption aes256 set vpn ipsec esp-group bnaesp proposal 1 hash sha1 set vpn ipsec ike-group bnaike ikev2-reauth no set vpn ipsec ike-group bnaike key-exchange ikev1 set vpn ipsec ike-group bnaike lifetime 28800 set vpn ipsec ike-group bnaike proposal 1 dh-group 19 set vpn ipsec ike-group bnaike proposal 1 encryption aes256 set vpn ipsec ike-group bnaike proposal 1 hash sha1 set vpn ipsec ipsec-interfaces interface eth0 <snip about 8 tunnels>IPSEC config the only thing different is I have the DH group set as 14
What seems strange is I can't even get swanctl to show me a connection attempt to see what could be wrong. This appears as if somehow I would be blocking the connection.
-
@jaredbusch Jared, I was talking about @Romo's site-to-site VPN config. He has two tunnels and I suggested to use a route based VPN instead. I also asked if @Romo was using public IPs on both ends or not. Because if he's behind CG-NAT, the current config wouldn't work.
-
@romo Could you show your firewall rules in the config output, please?
-
@taurex here it is
show firewall name WAN_LOCAL default-action drop description "WAN to router" rule 10 { action accept description "Allow established/related" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } rule 30 { action accept description "Allow iCMP" disable log disable protocol icmp } rule 40 { action accept description "Allow IKE for VPN" destination { port 500 } log disable protocol udp } rule 50 { action accept description "Allow L2TP for VPN" destination { port 1701 } log disable protocol udp } rule 60 { action accept description "Allow ESP for VPN" log disable protocol esp } rule 70 { action accept description "Allow NAT-T for VPN" destination { port 4500 } log disable protocol udp } -
@romo I don't see ipsec match-ipsec set in your L2TP rule.
Do you also have WAN_IN firewall rules set up?
-
@taurex said in EdgeRouter L2TP VPN can't pass IKE phase 1:
@romo I don't see ipsec match-ipsec set in your L2TP rule.
Do you also have WAN_IN firewall rules set up?
WAN_IN
name WAN_IN { default-action drop description "WAN to internal" rule 10 { action accept description "Allow established/related" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } rule 21 { action accept description "Web Traffic to Help Desk" destination { group { address-group Helpdesk_internal port-group HTTP_and_HTTPS } } log disable protocol tcp state { established enable invalid disable new enable related enable } } rule 22 { action accept description "Web Traffic to DevTestWeb" destination { group { address-group DevTestWeb_internal port-group HTTP_and_HTTPS } } log disable protocol tcp state { established enable invalid disable new enable related enable } } rule 23 { action accept description "Web Traffic to Demo" destination { group { address-group Demo_internal port-group HTTP_and_HTTPS } } log disable protocol tcp state { established enable invalid disable new enable related enable } } rule 24 { action accept description "Web Traffic to QB" destination { group { address-group QB_Int port-group RDP } } log disable protocol tcp state { established enable invalid disable new enable related enable } } }Added the ipsec match-ipsec on WAN_LOCAL still nothing.
show firewall name WAN_LOCAL default-action drop description "WAN to router" rule 10 { action accept description "Allow established/related" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } rule 30 { action accept description "Allow iCMP" disable log disable protocol icmp } rule 40 { action accept description "Allow IKE for VPN" destination { port 500 } log disable protocol udp } rule 50 { action accept description "Allow ESP for VPN" log disable protocol esp } rule 60 { action accept description "Allow NAT-T for VPN" destination { port 4500 } log disable protocol udp } rule 70 { action accept description "Allow L2TP for VPN" destination { port 1701 } ipsec { match-ipsec } log disable protocol udp } -
@romo Have you defined ipsec interfaces with set vpn ipsec ipsec-interfaces interface eth[.]? I don't see it in your VPN config output. Also, If your static IP address gets issued by your ISP via PPPoE, you'll need to change the outside L2TP address to 0.0.0.0.
-
@taurex just added the ipsec-interfaces setting even though it is deprecated according to the documentation and still nothing :disappointed_face:
-
@romo Your site-to-site VPN doesn't work either, correct? Are you sure none of the routers is behind a Carrier Grade NAT (CG-NAT)? Are they all public IPs you have on both ends? L2TP doesn't work if its server is behind a NAT.
When you use a policy based VPN you need to start passing some traffic through the tunnel to bring it up. Have you tried pinging a device on the other router's network tunnelled through the VPN?
What's the output of show log | match 'xl2tpd|pppd'?
-
@taurex Site to site is working properly
-
Downgraded to 1.10.5 and still can't establish a proper connection or get any other type of log.
Version: v1.10.5 Build ID: 5098915 Build on: 06/22/18 13:55 Copyright: 2012-2018 Ubiquiti Networks, Inc. HW model: EdgeRouter Lite 3-Port HW S/N: 788A2041AA25 Uptime: 01:19:49 up 1 day, 4:46, 1 user, load average: 0.23, 0.16, 0.14Could this mean the device is having some sort of problem or could it be Internet Service Provider caused????
-
I would have to go dig around my posts on the UBNT community to find all the various ways I got logs when troubleshooting L2TP 6 months ago.
-
What's really strange is that with the downgrade, it even returned to the original configuration the one that was properly working before and still nothing.
-
@romo said in EdgeRouter L2TP VPN can't pass IKE phase 1:
What's really strange is that with the downgrade, it even returned to the original configuration the one that was properly working before and still nothing.
That is normal behavior. When you downgrade, it also reverts to the config.boot file that was used. Because obviously new firmware could potentially have config changes required that would not work with older firmware.
-
Yeah, I didn't find strange it reverted to using the old config, what seems strange is that it is not even working on a firmware version it used to work with and with a config that used to work as well.
Really thought the downgrade would have made it work again.
-
A DNAT rule was the culprit of everything, it was redirecting the traffic and not letting it reach WAN_LOCAL.
FINALLY SOLVED!!!!!!!!!!!!!!!!!!!!!!!!!
As reminder for anyone that could encounter a similar issue:
DNAT rules are evaluated before firewall rules.
