New Member | Posts: 6 | Registered: 02-12-2018 | Solutions: 1

L2TP Clients can't connect - Multi WAN IP

Hello,

  • I've got an ERL configured for L2TP user-to-site VPNs, built following this tutorial: https://help.ubnt.com/hc/en-us/articles/204950294-EdgeMAX-L2TP-Server
  • Users use an FQDN as the target for connecting; however, neither it nor the IP address works, resulting in error 789 from Windows clients and a generic failure message from iOS 11.
  • WAN is 50/50 fibre with a static IP (referred to as WAN_IP_A) and is a /31.
    • There is also a /30 assigned to the service, referred to as WAN_IP_B / WAN_IP_C.

I've also tried the below on a previous (original, near-identical) config, but it didn't make a difference.

set vpn ipsec nat-networks allowed-network 0.0.0.0/0

I've since factory reset the device and configured it again, but still no luck.

I've also tried the below command to see what was going on, but it didn't progress past displaying the first message relating to UDP port 500 (IKE).

sudo tcpdump -i eth0 -n udp dst port 500 or port 4500 or esp
IP REMOTE_IP > WAN_IP_A.500: isakmp: phase 1 I ident

From memory, I also don't recall seeing any counters against any of the inbound VPN rules.

I'm completely at a loss as to what could be wrong. I've built L2TP VPNs on EdgeRouters probably 10-15 times, all without issue, but this is the first to have multiple WAN IPs for a single connection.

Any suggestions?

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name ETH1_IN {
        default-action accept
        description ""
        rule 1 {
            action accept
            description "Allow Chris"
            destination {
                address 10.10.10.0/24
            }
            log enable
            protocol all
            source {
                address 192.168.21.222
            }
        }
        rule 2 {
            action drop
            description "Drop to LAN2"
            destination {
                address 10.10.10.0/24
            }
            log enable
            protocol all
            source {
                address 192.168.21.0/24
            }
        }
    }
    name ETH2_IN {
        default-action accept
        description ""
        rule 1 {
            action accept
            description "Allow Chris"
            destination {
                address 192.168.21.222
            }
            log disable
            protocol all
            source {
                address 10.10.10.0/24
            }
        }
        rule 2 {
            action drop
            description "DROP to LAN1"
            destination {
                address 192.168.21.0/24
            }
            log disable
            protocol all
            source {
                address 10.10.10.0/24
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description REDACTED
            destination {
                port REDACTED
            }
            log disable
            protocol tcp_udp
        }
        rule 30 {
            action accept
            description REDACTED
            destination {
                port REDACTED
            }
            log disable
            protocol tcp_udp
        }
        rule 40 {
            action accept
            description REDACTED
            destination {
                port 443
            }
            log disable
            protocol tcp
        }
        rule 50 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description IKE
            destination {
                port 500
            }
            log disable
            protocol udp
        }
        rule 40 {
            action accept
            description ESP
            log disable
            protocol esp
        }
        rule 50 {
            action accept
            description NAT-T
            destination {
                port 4500
            }
            log disable
            protocol udp
        }
        rule 60 {
            action accept
            description L2TP
            destination {
                port 1701
            }
            ipsec {
                match-ipsec
            }
            log disable
            protocol udp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address WAN_IP_A/31
        address WAN_IP_B/30
        address WAN_IP_C/30
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.21.10/24
        description Local
        duplex auto
        firewall {
            in {
                name ETH1_IN
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 10.10.10.10/24
        description "Local 2"
        duplex auto
        firewall {
            in {
                name ETH2_IN
            }
        }
        speed auto
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.21.0/24 {
                default-router 192.168.21.10
                dns-server 192.168.21.10
                lease 86400
                start 192.168.21.100 {
                    stop 192.168.21.240
                }
                static-mapping REDACTED {
                    ip-address 192.168.21.222
                    mac-address REDACTED
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 10.10.10.0/24 {
                default-router 10.10.10.10
                dns-server 10.10.10.10
                lease 86400
                start 10.10.10.38 {
                    stop 10.10.10.243
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 1 {
            description Helpdesk
            destination {
                address WAN_IP_A
                port 443
            }
            inbound-interface eth0
            inside-address {
                address 192.168.21.141
                port 443
            }
            log disable
            protocol tcp
            type destination
        }
        rule 2 {
            description "UniFi Controller"
            destination {
                address WAN_IP_A
                port 8443
            }
            inbound-interface eth0
            inside-address {
                address 192.168.21.240
                port 8443
            }
            log disable
            protocol tcp_udp
            type destination
        }
        rule 3 {
            description REDACTED
            destination {
                address WAN_IP_B
                port REDACTED
            }
            inbound-interface eth0
            inside-address {
                address 10.10.10.41
                port 32400
            }
            log disable
            protocol tcp_udp
            type destination
        }
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5011 {
            description Eth2WANIP
            log disable
            outbound-interface eth0
            outside-address {
                address WAN_IP_B
            }
            protocol all
            source {
                address 10.10.10.10/24
            }
            type source
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        connection REDACTED
    }
}
system {
    gateway-address REDACTED
    host-name REDACTED
    login {
        user routeradmin {
            authentication {
                encrypted-password REDACTED
                plaintext-password ""
            }
            level admin
        }
    }
    name-server REDACTED
    name-server REDACTED
    name-server 8.8.8.8
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            gre enable
            vlan enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Australia/Melbourne
    traffic-analysis {
        dpi disable
        export enable
    }
}
traffic-control {
    smart-queue WAN1QOS {
        download {
            burst 63000b
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 49mbit
        }
        upload {
            burst 63000b
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 49mbit
        }
        wan-interface eth0
    }
}
vpn {
    ipsec {
        auto-firewall-nat-exclude disable
        ipsec-interfaces {
            interface eth0
        }
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username REDACTED {
                        password REDACTED
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.21.30
                stop 192.168.21.50
            }
            dns-servers {
                server-1 8.8.8.8
                server-2 8.8.4.4
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret REDACTED
                }
                ike-lifetime 3600
            }
            outside-address WAN_IP_A
        }
    }
}
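The WAN_LOCAL ruleset in the config above is what admits IKE, ESP, NAT-T and L2TP to the router itself, and the OP notes later in the thread that no counters appeared on those rules. As an added example that is not part of the original post, the tutorial or EdgeOS, the Python below parses the show configuration brace format into nested dicts and reports which of those four accept rules a named ruleset lacks, treating a plain udp/1701 rule without match-ipsec as not good enough, since L2TP should only be reachable inside the tunnel. The ruleset embedded in it is constructed and deliberately leaves out the NAT-T rule; run against the WAN_LOCAL ruleset posted above, the same check reports nothing missing.

```python
"""Check an EdgeOS 'local' firewall ruleset for the accept rules an L2TP/IPsec server needs.

Added example for this thread, not EdgeOS code or the tutorial's. It parses the
brace-structured `show configuration` text into nested dicts and reports which of
IKE (udp/500), NAT-T (udp/4500), ESP and L2TP (udp/1701, matched as IPsec) has no
accepting rule. SAMPLE_CONFIG is constructed and deliberately omits the NAT-T rule.
"""
import shlex


def parse_edgeos(text):
    """Turn `key value`, `key {` and `}` lines into nested dicts; repeated keys become lists."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            _put(stack[-1], " ".join(shlex.split(line[:-1])), child)
            stack.append(child)
        else:
            tokens = shlex.split(line)
            # A bare keyword such as `match-ipsec` carries no value; store it as a flag.
            _put(stack[-1], tokens[0], " ".join(tokens[1:]) if len(tokens) > 1 else True)
    return root


def _put(node, key, value):
    if key not in node:
        node[key] = value
    elif isinstance(node[key], list):
        node[key].append(value)
    else:
        node[key] = [node[key], value]


# What the router itself must accept for an L2TP/IPsec remote-access server.
REQUIRED = {
    "IKE":   {"protocol": "udp", "port": "500",  "match-ipsec": False},
    "NAT-T": {"protocol": "udp", "port": "4500", "match-ipsec": False},
    "ESP":   {"protocol": "esp", "port": None,   "match-ipsec": False},
    "L2TP":  {"protocol": "udp", "port": "1701", "match-ipsec": True},
}


def rule_matches(rule, want):
    """True when one firewall rule accepts the traffic described by `want`."""
    if rule.get("action") != "accept":
        return False
    proto = rule.get("protocol")
    proto_ok = proto in (want["protocol"], "all") or (want["protocol"] == "udp" and proto == "tcp_udp")
    if not proto_ok:
        return False
    if want["port"] is not None and (rule.get("destination") or {}).get("port") != want["port"]:
        return False
    # Plain L2TP must stay inside the tunnel, so that rule has to carry match-ipsec.
    if want["match-ipsec"] and "match-ipsec" not in (rule.get("ipsec") or {}):
        return False
    return True


def missing_rules(cfg, ruleset):
    """Names from REQUIRED that no rule in `firewall name <ruleset>` accepts."""
    rules = [v for k, v in cfg["firewall"][f"name {ruleset}"].items()
             if k.startswith("rule ") and isinstance(v, dict)]
    return sorted(name for name, want in REQUIRED.items()
                  if not any(rule_matches(r, want) for r in rules))


# Constructed ruleset: IKE, ESP and L2TP are admitted, the NAT-T rule is missing.
SAMPLE_CONFIG = """\
firewall {
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 30 {
            action accept
            destination {
                port 500
            }
            protocol udp
        }
        rule 40 {
            action accept
            protocol esp
        }
        rule 60 {
            action accept
            destination {
                port 1701
            }
            ipsec {
                match-ipsec
            }
            protocol udp
        }
    }
}
"""

if __name__ == "__main__":
    print("missing:", missing_rules(parse_edgeos(SAMPLE_CONFIG), "WAN_LOCAL"))  # ['NAT-T']
```

To use it on a live device, paste the output of show configuration into parse_edgeos and name the ruleset attached under the WAN interface's firewall local block; anything the check reports missing is traffic the router will drop before the IKE daemon ever sees it.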

New Member | Posts: 6 | Registered: 02-12-2018 | Solutions: 1

Re: L2TP Clients can't connect - Multi WAN IP

Anyone got any ideas? Did a bit more testing and the firewall logs aren't showing any hits on them.

Ubiquiti Employee | Posts: 2,900 | Registered: 05-08-2017 | Kudos: 517 | Solutions: 415

Re: L2TP Clients can't connect - Multi WAN IP

If there is no ESP or UDP 4500 traffic arriving on your WAN interface, the traffic is probably being blocked upstream. Is this EdgeRouter using a CGNAT external IP address by any chance (100.64.x.x)?

Ben

Ben Pin | Ubiquiti Support

New Member | Posts: 6 | Registered: 02-12-2018 | Solutions: 1

Re: L2TP Clients can't connect - Multi WAN IP

So I've just rebooted the device to clear all logging, then tried to connect, with the below logs. The IP doesn't fall in the 100.64 range. Still worth looking upstream for an issue?

routeradmin@ROUTER:~$ sudo tcpdump -i eth0 -n udp dst port 500 or port 4500 or esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:14:25.225521 IP 1.136.120.26.500 > WAN_IP_A.500: isakmp: phase 1 I ident
10:14:25.248575 IP WAN_IP_A.500 > 1.136.120.26.500: isakmp: phase 2/others R inf
10:14:28.406214 IP 1.136.120.26.500 > WAN_IP_A.500: isakmp: phase 1 I ident
10:14:28.409470 IP WAN_IP_A.500 > 1.136.120.26.500: isakmp: phase 2/others R inf
10:14:31.687374 IP 1.136.120.26.500 > WAN_IP_A.500: isakmp: phase 1 I ident
10:14:31.691152 IP WAN_IP_A.500 > 1.136.120.26.500: isakmp: phase 2/others R inf
10:14:34.703230 IP 1.136.120.26.500 > WAN_IP_A.500: isakmp: phase 1 I ident
10:14:34.706373 IP WAN_IP_A.500 > 1.136.120.26.500: isakmp: phase 2/others R inf
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel

Ubiquiti Employee | Posts: 2,900 | Registered: 05-08-2017 | Kudos: 517 | Solutions: 415

Re: L2TP Clients can't connect - Multi WAN IP

Yes, if ESP is not arriving at all then it is very likely that the traffic is filtered upstream.

Ben

Ben Pin | Ubiquiti Support

New Member | Posts: 6 | Registered: 02-12-2018 | Solutions: 1

Re: L2TP Clients can't connect - Multi WAN IP

So I just spoke with the ISP (who is on-selling wholesale Telstra) and they're saying no traffic is blocked.

I'm gonna try again after hours tonight and set it up in a very basic config with no SNAT or additional /30 attached and see how I go, unless you've got any other suggestions?

New Member | Posts: 6 | Registered: 02-12-2018 | Solutions: 1

Re: L2TP Clients can't connect - Multi WAN IP


Ben Pin wrote:

Yes, if ESP is not arriving at all then it is very likely that the traffic is filtered upstream.

Ben

So I've run sudo swanctl --log and it's coming back saying "no IKE config found, sending no proposal chosen" when I try to connect?
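The capture posted earlier in the thread and the daemon message in this reply describe the same failure from two angles: tcpdump shows the router answering each Main Mode request ("phase 1 I ident") with an informational exchange ("phase 2/others R inf"), which carries a notification rather than a Main Mode reply, and the daemon log names the notification (no proposal chosen). The Python below is an added example, not code from the thread or from EdgeOS; it reads tcpdump -n lines for udp/500, udp/4500 and ESP and reports, per remote peer, how far the negotiation got, so that "nothing arriving", "arriving but rejected by the router", "arriving but unanswered", "negotiated but no ESP" and "IPsec up" can be told apart. Both sample captures are constructed: the first mirrors the thread's lines with WAN_IP_A replaced by the TEST-NET-3 placeholder 203.0.113.10 and the client by 198.51.100.26; the second is an invented, abbreviated healthy exchange.

```python
"""Classify an L2TP/IPsec connection attempt from `tcpdump -n` output.

Added example for this thread, not code from the thread or from EdgeOS. It reads the
lines tcpdump prints for `udp port 500 or port 4500 or esp`, counts per remote peer
how far the exchange got, and maps that to one of five states. SAMPLE_REJECTED mirrors
the thread's capture with WAN_IP_A replaced by 203.0.113.10 and the client by
198.51.100.26 (TEST-NET placeholders); SAMPLE_HEALTHY is entirely constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# One packet line: timestamp, "IP", src[.port] > dst[.port]: payload.
# Raw ESP lines carry no ports; NAT-T traffic shows up on UDP 4500.
LINE_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<payload>.*)$"
)


@dataclass
class PeerState:
    ike_initiations: int = 0        # peer's Main Mode (ident) messages to us
    mainmode_replies: int = 0       # our Main Mode replies: negotiation is progressing
    informational_replies: int = 0  # our informational/notify replies: a rejection
    nat_t_packets: int = 0          # anything on UDP 4500, either direction
    esp_packets: int = 0            # raw or UDP-encapsulated ESP


def parse_capture(text, wan_ip):
    """Count IKE/ESP events per remote peer; banner and summary lines are skipped."""
    peers = defaultdict(PeerState)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        inbound = m["dst"] == wan_ip
        st = peers[m["src"] if inbound else m["dst"]]
        payload = m["payload"]
        if "4500" in (m["sport"], m["dport"]):
            st.nat_t_packets += 1
        if "ESP(" in payload:
            st.esp_packets += 1
        if "isakmp:" in payload:
            if inbound and "phase 1 I ident" in payload:
                st.ike_initiations += 1
            elif not inbound and "phase 1 R ident" in payload:
                st.mainmode_replies += 1
            elif not inbound and " R inf" in payload:
                st.informational_replies += 1
    return dict(peers)


def diagnose(st):
    """Map one peer's counters to where the connection attempt stalls."""
    if st.ike_initiations == 0:
        return "no-ike-seen"             # nothing reached the WAN: dropped in transit or wrong target address
    if st.mainmode_replies == 0 and st.informational_replies > 0:
        return "ike-rejected-by-router"  # we answer only with a notify: no IKE config/proposal matched
    if st.mainmode_replies == 0:
        return "ike-unanswered"          # IKE arrives but nothing goes back: check the local ruleset and daemon
    if st.esp_packets == 0 and st.nat_t_packets == 0:
        return "ike-ok-no-esp"           # IKE negotiates but no ESP/NAT-T follows: ESP dropped in transit
    return "ipsec-traffic-present"       # IPsec carries data; look at L2TP (udp/1701) and PPP next


# Constructed from the thread's capture: each Main Mode request gets only an informational reply.
SAMPLE_REJECTED = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:14:25.225521 IP 198.51.100.26.500 > 203.0.113.10.500: isakmp: phase 1 I ident
10:14:25.248575 IP 203.0.113.10.500 > 198.51.100.26.500: isakmp: phase 2/others R inf
10:14:28.406214 IP 198.51.100.26.500 > 203.0.113.10.500: isakmp: phase 1 I ident
10:14:28.409470 IP 203.0.113.10.500 > 198.51.100.26.500: isakmp: phase 2/others R inf
4 packets captured
"""

# Constructed, abbreviated healthy exchange: Main Mode answered, Quick Mode over NAT-T, then ESP.
SAMPLE_HEALTHY = """\
10:20:01.000100 IP 198.51.100.26.500 > 203.0.113.10.500: isakmp: phase 1 I ident
10:20:01.003200 IP 203.0.113.10.500 > 198.51.100.26.500: isakmp: phase 1 R ident
10:20:01.050000 IP 198.51.100.26.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
10:20:01.052000 IP 203.0.113.10.4500 > 198.51.100.26.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick
10:20:01.100000 IP 198.51.100.26.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
"""

if __name__ == "__main__":
    for name, capture in (("rejected", SAMPLE_REJECTED), ("healthy", SAMPLE_HEALTHY)):
        for peer, st in parse_capture(capture, "203.0.113.10").items():
            print(f"{name}: {peer} -> {diagnose(st)}")
```

Run against the thread's own capture, the classifier lands on "ike-rejected-by-router", the state in which the next step is the IKE daemon's own log rather than the ISP, because a notify can only come from a router that received the request and found nothing to match it against.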

New Member | Posts: 6 | Registered: 02-12-2018 | Solutions: 1

Re: L2TP Clients can't connect - Multi WAN IP

So for anyone who stumbles across this thread looking for answers, I ended up wiping and setting up the ERL from scratch for a 2nd time. Once I'd set up the basic config wizard, I created the VPN server and went from there, regularly testing that I still had connectivity. Ended up working.