Trouble with L2TP / IPSec client to site vpn

client to site ipsec vpn l2tp

No replies to this topic

#1 bpoindexter

  • Members
  • 4 posts

Posted 11 August 2017 - 03:42 PM

Here is my current setup (not real ip addresses, obviously):
Interface 2: LAN: 192.168.1.0/24

Interface 3: WAN1: 1.1.1.1/30

Interface 4: WAN2: 2.2.2.2/30

Management Tunnel network: 172.16.16.0/24

IKEv1 client to site VPN network: 172.16.32.0/24
My IKEv1 client-to-site VPN is for mobile devices, iPhones mostly. It works perfectly. I configured the L2TP/IPsec VPN according to the instructions on Barracuda Campus's website (for some reason I can't paste into the forum editor or I would provide a direct link). I set the L2TP VPN initially to use 172.16.32.100 as the local tunnel IP and .101 as the first available client IP. I am aware that this is in the IKEv1 network's range, so that might be a no-no. This did not work, however. I additionally tried setting my L2TP local tunnel IP to 172.16.33.100 with .101 being the first client IP and got the same result.
In both of these cases, my remote client was able to authenticate and connect to the VPN, but had no access to hosts inside the LAN. I started a continuous ping from the VPN client to a host inside the LAN, and the firewall didn't even record the packets arriving. This is particularly odd because I configured the L2TP to authenticate against a domain controller inside the LAN, which is working fine. On the Windows client, I noted that my VPN adapter had 172.16.32.101 as its IP address, as expected. The default gateway was blank and the netmask was 255.255.255.0, which seem somewhat off but may be OK.
I also tried setting the L2TP's local tunnel address to be inside the LAN (I used 192.168.1.100 as the IP address with .101 being the first client address). This was more interesting. The firewall recorded receiving packets sent from the VPN client system to a host inside the LAN, and even passed the packets along without blocking them... but still no access for the client (in this test I tried to RDC to a server in the LAN; I saw packets on the correct port hitting the firewall and being passed through).
That last bit really has me confused. The packets were received by the firewall and happily passed along, but they never arrived at their destination. I checked the Windows firewall of the destination server and it didn't log any packets arriving, not even to block them.
I am new to administering a router, but I've done well so far... until now. This one has me stumped.
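A small route-lookup model, added here as an illustration and not part of the original post, that reproduces the client table described above (VPN adapter 172.16.32.101/24 with a blank gateway), the same table after a route for the LAN is added via the tunnel, and the LAN server's return path for both client addressing schemes tried; the client's physical-NIC gateway 10.0.0.1 and the server's default gateway 192.168.1.1 are assumed values.

```python
"""Longest-prefix-match model of the client and LAN-server routing tables."""
import ipaddress
from typing import List, Optional, Tuple

# (prefix, interface, next_hop); next_hop None means the prefix is on-link.
Route = Tuple[str, str, Optional[str]]


def lookup(routes: List[Route], dst: str) -> Tuple[str, Optional[str]]:
    """Return (interface, next_hop) a host would use for dst.

    Longest prefix wins, so a 0.0.0.0/0 default route is used only when
    nothing more specific covers the destination.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1], best[2]


# Constructed client table matching the post: the L2TP adapter got
# 172.16.32.101/24 and no gateway, so its only route is the on-link /24;
# anything else follows the physical NIC's default route (gateway assumed).
CLIENT_NO_GW: List[Route] = [
    ("172.16.32.0/24", "L2TP", None),
    ("0.0.0.0/0", "Ethernet", "10.0.0.1"),
]

# Same client after a route for the LAN is pushed or added via the tunnel.
CLIENT_WITH_LAN_ROUTE: List[Route] = CLIENT_NO_GW + [
    ("192.168.1.0/24", "L2TP", "172.16.32.100"),
]

# Constructed LAN server table: the firewall (assumed 192.168.1.1) is its
# default gateway, and 192.168.1.0/24 is directly connected.
LAN_SERVER: List[Route] = [
    ("192.168.1.0/24", "LAN", None),
    ("0.0.0.0/0", "LAN", "192.168.1.1"),
]


def reply_goes_to_firewall(client_ip: str) -> bool:
    """True if the server sends its reply to the firewall (which can put it
    into the tunnel); False if it ARPs for the client on the LAN segment,
    which only works if the firewall answers that ARP on the client's behalf."""
    _, next_hop = lookup(LAN_SERVER, client_ip)
    return next_hop == "192.168.1.1"
```

With the first table, a packet for a LAN host leaves the physical NIC, not the tunnel, so the firewall never sees it; with tunnel addresses taken from the LAN subnet, the server's reply is sent on-link instead of to the firewall.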