EdgeRouter L2TP VPN can't pass IKE phase 1



  • Trying to set up an L2TP VPN on an EdgeRouter Lite v1.10.6. I've been following this guide: https://help.ubnt.com/hc/en-us/articles/204950294-EdgeMAX-servidor-L2TP. For extra information, the same router also has an IPsec site-to-site VPN working properly.

    I have even rebuilt the config a couple of times but still nothing.

    sudo swanctl --log  
    

    It is not showing anything at all.

    The only thing I get is this:

    sudo tcpdump -npi eth0 port 500 or port 4500 or port 1701
    
    20:34:08.407450 IP XXX.XXX.XXX.31.500 > XXX.XXX.XXX.33.500: isakmp: phase 1 I ident
    20:34:11.407450 IP XXX.XXX.XXX.31.500 > XXX.XXX.XXX.33.500: isakmp: phase 1 I ident
    20:34:14.407450 IP XXX.XXX.XXX.31.500 > XXX.XXX.XXX.33.500: isakmp: phase 1 I ident
    20:34:17.407450 IP XXX.XXX.XXX.31.500 > XXX.XXX.XXX.33.500: isakmp: phase 1 I ident
    

    That is all I get on the server side and the client throws an error. I have tried connecting from an iPhone as well as different Windows 10 machines.

    Statistics for the firewall rules, which show 0 packets:

    rule  packets     bytes       action  description
    ----  -------     -----       ------  -----------
    10    5373        747906      ACCEPT  Allow established/related
    20    215         14863       DROP    Drop invalid state
    23    <disabled>  <disabled>  ACCEPT  Allow iCMP
    24    0           0           ACCEPT  Allow IKE for VPN
    25    0           0           ACCEPT  Allow L2TP for VPN
    26    0           0           ACCEPT  Allow ESP for VPN
    27    0           0           ACCEPT  Allow NAT-T for VPN
    10000 44          1584        DROP    DEFAULT ACTION
    

    Any other thing I can do to troubleshoot this?

    This is the full VPN config, if it helps:

    ipsec {
         auto-firewall-nat-exclude enable
         esp-group FOO0 {
             compression disable
             lifetime 3600
             mode tunnel
             pfs enable
             proposal 1 {
                 encryption aes256
                 hash sha1
             }
         }
         ike-group FOO0 {
             ikev2-reauth no
             key-exchange ikev1
             lifetime 28800
             proposal 1 {
                 dh-group 14
                 encryption aes256
                 hash sha1
             }
         }
         nat-traversal enable
         site-to-site {
             peer XXX.XXX.XXX.84 {
                 authentication {
                     mode pre-shared-secret
                     pre-shared-secret  %SECRET%
                 }
                 connection-type initiate
                 description "REMOTE"
                 ike-group FOO0
                 ikev2-reauth inherit
                 local-address XXX.XXX.XXX.33
                 tunnel 1 {
                     allow-nat-networks disable
                     allow-public-networks disable
                     esp-group FOO0
                     local {
                         prefix 192.168.5.0/24
                     }
                     remote {
                         prefix 192.168.6.0/24
                     }
                 }
                 tunnel 2 {
                     allow-nat-networks disable
                     allow-public-networks disable
                     esp-group FOO0
                     local {
                         prefix 192.168.4.0/24
                     }
                     remote {
                         prefix 192.168.6.0/24
                     }
                 }
             }
         }
     }
     l2tp {
         remote-access {
             authentication {
                 local-users {
                     username romo {
                         password TestPass#2018
                     }
                 }
                 mode local
             }
             client-ip-pool {
                 start 192.168.4.10
                 stop 192.168.4.30
             }
             dns-servers {
                 server-1 192.168.5.3
             }
             idle 1800
             ipsec-settings {
                 authentication {
                     mode pre-shared-secret
                     pre-shared-secret ANOTHER-SECRET-4
                 }
                 ike-lifetime 3600
                 lifetime 3600
             }
             mtu 1400
             outside-address XXX.XXX.XXX.33
         }
     }
    


  • I believe you need to define another ESP and IKE group for the site-to-site Tunnel 2. Also, your remote L2TP pool overlaps with one of the existing interfaces' IP ranges. It might overlap with an existing DHCP lease or a static address on your 192.168.4.0/24 network. I would make the remote pool totally different.

    Do you have static public IPs on both ends? If yes, I'd do route-based site-to-site VPN with VTI interfaces instead. It stays always on as long as there's network connectivity between the peers. No need to define multiple individual policies either.


  • Service Provider

    @taurex said in EdgeRouter L2TP VPN can't pass IKE phase 1:

    I believe you need to define another ESP and IKE group for the site-to-site Tunnel 2.

    You do not. I use a single group for everything.


  • Service Provider

    @taurex said in EdgeRouter L2TP VPN can't pass IKE phase 1:

    Do you have static public IPs on both ends? If yes, I'd do route-based site-to-site VPN with VTI interfaces instead. It stays always on as long as there's network connectivity between the peers. No need to define multiple individual policies either.

    The point of using L2TP is for roving users.


  • Service Provider

    This is a working configuration I use on many routers.

    L2TP config:

    set vpn l2tp remote-access authentication local-users username SomeUsername password 'SomeUserPassword'
    set vpn l2tp remote-access authentication mode local
    set vpn l2tp remote-access client-ip-pool start 10.254.203.2
    set vpn l2tp remote-access client-ip-pool stop 10.254.203.10
    set vpn l2tp remote-access dhcp-interface eth0
    set vpn l2tp remote-access dns-servers server-1 1.1.1.1
    set vpn l2tp remote-access dns-servers server-2 8.8.8.8
    set vpn l2tp remote-access idle 1800
    set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
    set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret SomeGoodPSK
    set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
    set vpn l2tp remote-access ipsec-settings lifetime 3600
    set vpn l2tp remote-access mtu 1492
    

    If your WAN port is not DHCP, then you use this line instead of the dhcp-interface line above.

    set vpn l2tp remote-access outside-address your.wan.IP.add
    

    IPSEC Config:

    set vpn ipsec auto-firewall-nat-exclude enable
    set vpn ipsec esp-group bnaesp compression disable
    set vpn ipsec esp-group bnaesp lifetime 3600
    set vpn ipsec esp-group bnaesp mode tunnel
    set vpn ipsec esp-group bnaesp pfs enable
    set vpn ipsec esp-group bnaesp proposal 1 encryption aes256
    set vpn ipsec esp-group bnaesp proposal 1 hash sha1
    set vpn ipsec ike-group bnaike ikev2-reauth no
    set vpn ipsec ike-group bnaike key-exchange ikev1
    set vpn ipsec ike-group bnaike lifetime 28800
    set vpn ipsec ike-group bnaike proposal 1 dh-group 19
    set vpn ipsec ike-group bnaike proposal 1 encryption aes256
    set vpn ipsec ike-group bnaike proposal 1 hash sha1
    set vpn ipsec ipsec-interfaces interface eth0
    <snip about 8 tunnels>
    

    Firewall Config:
    Note: by using this firewall configuration, I do not need any other rules for L2TP. But this could be tighter, as noted in the guide you followed.

    set firewall name WAN_LOCAL rule 40 action accept
    set firewall name WAN_LOCAL rule 40 description 'Allow IPSEC'
    set firewall name WAN_LOCAL rule 40 ipsec match-ipsec
    set firewall name WAN_LOCAL rule 40 log disable
    set firewall name WAN_LOCAL rule 40 protocol all
    set firewall name WAN_LOCAL rule 40 state established disable
    set firewall name WAN_LOCAL rule 40 state invalid disable
    set firewall name WAN_LOCAL rule 40 state new enable
    set firewall name WAN_LOCAL rule 40 state related disable
    


  • Thanks for responding, @jared

    @jaredbusch said in EdgeRouter L2TP VPN can't pass IKE phase 1:

    This is a working configuration I use on many routers.

    L2TP config:

    set vpn l2tp remote-access authentication local-users username SomeUsername password 'SomeUserPassword'
    set vpn l2tp remote-access authentication mode local
    set vpn l2tp remote-access client-ip-pool start 10.254.203.2
    set vpn l2tp remote-access client-ip-pool stop 10.254.203.10
    set vpn l2tp remote-access dhcp-interface eth0
    set vpn l2tp remote-access dns-servers server-1 1.1.1.1
    set vpn l2tp remote-access dns-servers server-2 8.8.8.8
    set vpn l2tp remote-access idle 1800
    set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
    set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret SomeGoodPSK
    set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
    set vpn l2tp remote-access ipsec-settings lifetime 3600
    set vpn l2tp remote-access mtu 1492
    

    The L2TP config is pretty much the same. I saw your other post and used it as well; I had the MTU set to 1492 before, but in your other guide I believe I saw it at 1400, so I currently have that.

    If your WAN port is not DHCP, then you use this line instead of the dhcp-interface line above.

    set vpn l2tp remote-access outside-address your.wan.IP.add
    

    Static IP, so outside-address is set:
    outside-address XXX.XXX.XXX.33

    IPSEC Config:

    set vpn ipsec auto-firewall-nat-exclude enable
    set vpn ipsec esp-group bnaesp compression disable
    set vpn ipsec esp-group bnaesp lifetime 3600
    set vpn ipsec esp-group bnaesp mode tunnel
    set vpn ipsec esp-group bnaesp pfs enable
    set vpn ipsec esp-group bnaesp proposal 1 encryption aes256
    set vpn ipsec esp-group bnaesp proposal 1 hash sha1
    set vpn ipsec ike-group bnaike ikev2-reauth no
    set vpn ipsec ike-group bnaike key-exchange ikev1
    set vpn ipsec ike-group bnaike lifetime 28800
    set vpn ipsec ike-group bnaike proposal 1 dh-group 19
    set vpn ipsec ike-group bnaike proposal 1 encryption aes256
    set vpn ipsec ike-group bnaike proposal 1 hash sha1
    set vpn ipsec ipsec-interfaces interface eth0
    <snip about 8 tunnels>
    

    IPSEC config: the only thing different is that I have the DH group set to 14.

    What seems strange is that I can't even get swanctl to show me a connection attempt, to see what could be wrong. It appears as if I were somehow blocking the connection.



  • @jaredbusch Jared, I was talking about @Romo's site-to-site VPN config. He has two tunnels and I suggested using a route-based VPN instead. I also asked whether @Romo was using public IPs on both ends or not, because if he's behind CG-NAT, the current config wouldn't work.



  • @romo Could you show your firewall rules in the config output, please?



  • @taurex here it is

    show firewall name WAN_LOCAL
     default-action drop
     description "WAN to router"
     rule 10 {
         action accept
         description "Allow established/related"
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action drop
         description "Drop invalid state"
         state {
             invalid enable
         }
     }
     rule 30 {
         action accept
         description "Allow iCMP"
         disable
         log disable
         protocol icmp
     }
     rule 40 {
         action accept
         description "Allow IKE for VPN"
         destination {
             port 500
         }
         log disable
         protocol udp
     }
     rule 50 {
         action accept
         description "Allow L2TP for VPN"
         destination {
             port 1701
         }
         log disable
         protocol udp
     }
     rule 60 {
         action accept
         description "Allow ESP for VPN"
         log disable
         protocol esp
     }
     rule 70 {
         action accept
         description "Allow NAT-T for VPN"
         destination {
             port 4500
         }
         log disable
         protocol udp
     }
    
    


  • @romo I don't see ipsec match-ipsec set in your L2TP rule.

    Do you also have WAN_IN firewall rules set up?



  • @taurex said in EdgeRouter L2TP VPN can't pass IKE phase 1:

    @romo I don't see ipsec match-ipsec set in your L2TP rule.

    Do you also have WAN_IN firewall rules set up?

    WAN_IN

    name WAN_IN {
         default-action drop
         description "WAN to internal"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
         rule 21 {
             action accept
             description "Web Traffic to Help Desk"
             destination {
                 group {
                     address-group Helpdesk_internal
                     port-group HTTP_and_HTTPS
                 }
             }
             log disable
             protocol tcp
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 22 {
             action accept
             description "Web Traffic to DevTestWeb"
             destination {
                 group {
                     address-group DevTestWeb_internal
                     port-group HTTP_and_HTTPS
                 }
             }
             log disable
             protocol tcp
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 23 {
             action accept
             description "Web Traffic to Demo"
             destination {
                 group {
                     address-group Demo_internal
                     port-group HTTP_and_HTTPS
                 }
             }
             log disable
             protocol tcp
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 24 {
             action accept
             description "Web Traffic to QB"
             destination {
                 group {
                     address-group QB_Int
                     port-group RDP
                 }
             }
             log disable
             protocol tcp
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
     }
    

    Added ipsec match-ipsec on WAN_LOCAL; still nothing.

    show firewall name WAN_LOCAL
     default-action drop
     description "WAN to router"
     rule 10 {
         action accept
         description "Allow established/related"
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action drop
         description "Drop invalid state"
         state {
             invalid enable
         }
     }
     rule 30 {
         action accept
         description "Allow iCMP"
         disable
         log disable
         protocol icmp
     }
     rule 40 {
         action accept
         description "Allow IKE for VPN"
         destination {
             port 500
         }
         log disable
         protocol udp
     }
     rule 50 {
         action accept
         description "Allow ESP for VPN"
         log disable
         protocol esp
     }
     rule 60 {
         action accept
         description "Allow NAT-T for VPN"
         destination {
             port 4500
         }
         log disable
         protocol udp
     }
     rule 70 {
         action accept
         description "Allow L2TP for VPN"
         destination {
             port 1701
         }
         ipsec {
             match-ipsec
         }
         log disable
         protocol udp
     }
    


  • @romo Have you defined ipsec interfaces with set vpn ipsec ipsec-interfaces interface eth[.]? I don't see it in your VPN config output. Also, if your static IP address gets issued by your ISP via PPPoE, you'll need to change the outside L2TP address to 0.0.0.0.



  • @taurex just added the ipsec-interfaces setting even though it is deprecated according to the documentation and still nothing 😞



  • @romo Your site-to-site VPN doesn't work either, correct? Are you sure none of the routers is behind a Carrier Grade NAT (CG-NAT)? Are they all public IPs you have on both ends? L2TP doesn't work if its server is behind a NAT.

    When you use a policy based VPN you need to start passing some traffic through the tunnel to bring it up. Have you tried pinging a device on the other router's network tunnelled through the VPN?

    What's the output of show log | match 'xl2tpd|pppd'?



  • @taurex Site-to-site is working properly.



  • Downgraded to 1.10.5 and still can't establish a proper connection or get any other type of log.

    Version:      v1.10.5
    Build ID:     5098915
    Build on:     06/22/18 13:55
    Copyright:    2012-2018 Ubiquiti Networks, Inc.
    HW model:     EdgeRouter Lite 3-Port
    HW S/N:       788A2041AA25
    Uptime:       01:19:49 up 1 day,  4:46,  1 user,  load average: 0.23, 0.16, 0.14
    

    Could this mean the device is having some sort of problem, or could it be caused by the Internet Service Provider?


  • Service Provider

    I would have to go dig around my posts on the UBNT community to find all the various ways I got logs when troubleshooting L2TP 6 months ago.



  • What's really strange is that with the downgrade it even reverted to the original configuration, the one that was working properly before, and still nothing.


  • Service Provider

    @romo said in EdgeRouter L2TP VPN can't pass IKE phase 1:

    What's really strange is that with the downgrade it even reverted to the original configuration, the one that was working properly before, and still nothing.

    That is normal behavior. When you downgrade, it also reverts to the config.boot file that was used, because obviously new firmware could potentially have config changes required that would not work with older firmware.



  • Yeah, I didn't find it strange that it reverted to using the old config; what seems strange is that it is not even working on a firmware version it used to work with, and with a config that used to work as well.

    Really thought the downgrade would have made it work again.



  • A DNAT rule was the culprit of everything; it was redirecting the traffic and not letting it reach WAN_LOCAL.

    FINALLY SOLVED!!!!!!!!!!!!!!!!!!!!!!!!!


    As a reminder for anyone who might encounter a similar issue:
    DNAT rules are evaluated before firewall rules.
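To make the resolution concrete for the firewall ruleset shown earlier in the thread, here is an added example (hypothetical Python, not from the thread or from Ubiquiti) that parses the brace-style output of `show firewall name WAN_LOCAL` and then traces an inbound packet the way EdgeOS does: destination NAT is evaluated before the WAN_LOCAL/WAN_IN rule sets, so a DNAT rule matching UDP/500 diverts IKE to an inside host and WAN_LOCAL never sees it, which is exactly why the rule counters stayed at 0 while tcpdump still showed the packets arriving. The sample ruleset and the DNAT rules are constructed for this example; the packet-path model is a simplification of iptables PREROUTING-then-filter ordering and the `shadowed_vpn_ports` check is the one a practitioner would want to run before touching the VPN config again.

```python
"""Model of the EdgeOS packet path discussed in the thread (hypothetical example).
DNAT (PREROUTING) is evaluated before the WAN_LOCAL / WAN_IN firewall sets."""

# Constructed copy of the WAN_LOCAL ruleset, in the brace format EdgeOS prints.
WAN_LOCAL_TEXT = """
default-action drop
description "WAN to router"
rule 10 {
    action accept
    state {
        established enable
        related enable
    }
}
rule 20 {
    action drop
    state {
        invalid enable
    }
}
rule 40 {
    action accept
    description "Allow IKE for VPN"
    destination {
        port 500
    }
    protocol udp
}
rule 60 {
    action accept
    description "Allow ESP for VPN"
    protocol esp
}
"""

# Constructed DNAT (type destination) rules; rule 1 is the kind of port-forward
# that produces the symptom reported in the thread.
DNAT_RULES = [
    {"rule": 1, "protocol": "udp", "dport": "500", "inside": "192.168.5.10"},
    {"rule": 2, "protocol": "tcp", "dport": "443", "inside": "192.168.5.20"},
]

# Traffic the L2TP/IPsec service needs delivered to the router itself.
VPN_PORTS = [("udp", "500"), ("udp", "4500"), ("udp", "1701"), ("esp", None)]


def parse_edgeos(text):
    """Parse EdgeOS brace config into nested dicts:
    `key value` -> string, `key {` -> nested dict, bare `key` -> True."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip().strip('"') if value else True
    return root


def firewall_rules(ruleset):
    """(number, rule) pairs in evaluation order, skipping disabled rules."""
    rules = [(int(k.split()[1]), v) for k, v in ruleset.items()
             if k.startswith("rule ") and "disable" not in v]
    return sorted(rules)


def rule_matches(rule, pkt):
    """Match on protocol, destination port and connection state like EdgeOS."""
    proto = rule.get("protocol", "all")
    if proto != "all" and proto != pkt["proto"]:
        return False
    port = rule.get("destination", {}).get("port")
    if port is not None and port != pkt.get("dport"):
        return False
    state = rule.get("state")
    if state and state.get(pkt["state"]) != "enable":
        return False
    return True


def trace(pkt, wan_local, dnat_rules):
    """Where does an inbound WAN packet addressed to the router end up?
    A matching DNAT rule rewrites the destination to an inside host, so the
    packet is forwarded (WAN_IN) and never reaches WAN_LOCAL."""
    for r in dnat_rules:
        if r["protocol"] == pkt["proto"] and r["dport"] == pkt.get("dport"):
            return ("WAN_IN", "dnat rule %d -> %s" % (r["rule"], r["inside"]))
    for number, rule in firewall_rules(wan_local):
        if rule_matches(rule, pkt):
            return ("WAN_LOCAL", "rule %d %s" % (number, rule["action"]))
    return ("WAN_LOCAL", "default-action %s" % wan_local["default-action"])


def shadowed_vpn_ports(dnat_rules):
    """VPN ports a DNAT rule would steal from the router's IPsec/L2TP daemons."""
    return [(proto, port, r["rule"]) for proto, port in VPN_PORTS
            for r in dnat_rules if r["protocol"] == proto and r["dport"] == port]


if __name__ == "__main__":
    wan_local = parse_edgeos(WAN_LOCAL_TEXT)
    ike = {"proto": "udp", "dport": "500", "state": "new"}
    print(trace(ike, wan_local, DNAT_RULES))  # ('WAN_IN', 'dnat rule 1 -> 192.168.5.10')
    print(trace(ike, wan_local, []))          # ('WAN_LOCAL', 'rule 40 accept')
    print(shadowed_vpn_ports(DNAT_RULES))     # [('udp', '500', 1)]
```

Running it with the constructed DNAT list shows the first IKE packet landing in WAN_IN via the port-forward; with the DNAT list emptied the same packet hits WAN_LOCAL rule 40, matching the thread's fix. On a real router the equivalent check is to read `show nat rules` for any destination rule covering UDP 500/4500/1701 or ESP before assuming the firewall is at fault.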


  • Service Provider

    @romo said in EdgeRouter L2TP VPN can't pass IKE phase 1:

    A DNAT rule was the culprit of everything; it was redirecting the traffic and not letting it reach WAN_LOCAL.

    FINALLY SOLVED!!!!!!!!!!!!!!!!!!!!!!!!!


    As a reminder for anyone who might encounter a similar issue:
    DNAT rules are evaluated before firewall rules.

    Also as a reminder, don't wait a month before reporting an issue; we weren't looking at rules, as they had not changed in a month!


  • Service Provider

    @romo said in EdgeRouter L2TP VPN can't pass IKE phase 1:

    A DNAT rule was the culprit of everything; it was redirecting the traffic and not letting it reach WAN_LOCAL.

    FINALLY SOLVED!!!!!!!!!!!!!!!!!!!!!!!!!


    As a reminder for anyone who might encounter a similar issue:
    DNAT rules are evaluated before firewall rules.

    Yes, this is a known function of VyOS/EdgeOS. But nothing was ever posted about DNAT rules in use, so I assumed there were none. There are none by default.