New Member
Posts: 4
Registered: 11-06-2017

L2TP IPSec dies after phase1

Hello,

I'm seeing L2TP/IPsec requests die during an attempt to open the connection. I've verified everything I can... maybe someone else has some input?

A little background... this EdgeRouter has two NAT routers above it. We've configured UDP 1701, 4500, and 500, as well as ESP, to forward to the Edge. We're seeing the initial requests come in on 500, so I'd like to believe port forwarding is okay. I've disabled UPnP on all upstream routers as I saw multiple posts about Apple devices claiming UDP 4500 for their own use. Clearly from the outputs below, the initial exchange is coming through and after that, dead.

I'm able to replicate this output even if I switch the WAN I'm using to connect to this router, so I'm definitive in ruling out the client side of the connection. It's something to do with the cascaded NAT routers and the Edge, but I can't put my finger on what.

Can someone double-check what I'm seeing here and make sure I have this configured properly, before I start blaming my "upstairs neighbors"?

The EdgeRouter X is running 1.10.9; we rolled back to 1.10.8 during troubleshooting, to no avail.

Thank you!


admin@ubnt# show vpn l2tp
remote-access {
    authentication {
        local-users {
            username xx {
                password xx
            }
            username xx {
                password xx
            }
        }
        mode local
        require mschap-v2
    }
    client-ip-pool {
        start 10.10.10.30
        stop 10.10.10.39
    }
    dns-servers {
        server-1 8.8.8.8
        server-2 8.8.4.4
    }
    idle 1800
    ipsec-settings {
        authentication {
            mode pre-shared-secret
            pre-shared-secret xxx
        }
        ike-lifetime 3600
        lifetime 3600
    }
    mtu 1492
    outside-address 0.0.0.0
}
[edit]

admin@ubnt# show vpn ipsec
auto-firewall-nat-exclude disable
ipsec-interfaces {
    interface eth0
}
nat-networks {
    allowed-network 0.0.0.0/0 {
    }
}
nat-traversal enable

admin@ubnt# sudo swanctl --log
08[NET] received packet: from SANITIZED[1011] to 192.168.3.10[500] (408 bytes)
08[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
08[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
08[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
08[IKE] received NAT-T (RFC 3947) vendor ID
08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
08[IKE] received FRAGMENTATION vendor ID
08[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
08[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
08[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
08[IKE] SANITIZED is initiating a Main Mode IKE_SA
08[ENC] generating ID_PROT response 0 [ SA V V V ]
08[NET] sending packet: from 192.168.3.10[500] to SANITIZED[1011] (136 bytes)
07[NET] received packet: from SANITIZED[1011] to 192.168.3.10[500] (228 bytes)
07[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
07[IKE] local host is behind NAT, sending keep alives
07[IKE] remote host is behind NAT
07[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
07[NET] sending packet: from 192.168.3.10[500] to SANITIZED[1011] (212 bytes)

admin@ubnt# show firewall name WAN_LOCAL
default-action drop
description ""
rule 1 {
    action accept
    description "allow established sessions"
    log disable
    protocol all
    state {
        established enable
        invalid disable
        new disable
        related enable
    }
}
rule 2 {
    action drop
    description "drop invalid state"
    log disable
    protocol all
    state {
        established disable
        invalid enable
        new disable
        related disable
    }
}
rule 30 {
    action accept
    description IKE
    destination {
        port 500
    }
    log enable
    protocol udp
}
rule 40 {
    action accept
    description ESP
    log disable
    protocol esp
}
rule 50 {
    action accept
    description NAT-T
    destination {
        port 4500
    }
    log disable
    protocol udp
}
rule 60 {
    action accept
    description L2TP
    destination {
        port 1701
    }
    ipsec {
        match-ipsec
    }
    log disable
    protocol udp
}

admin@ubnt:~$ sudo tcpdump -i eth0 -n udp dst port 500 or port 4500 or esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:58:07.550986 IP SANITIZED.1011 > 192.168.3.10.500: isakmp: phase 1 I ident
22:58:07.601227 IP SANITIZED.1011 > 192.168.3.10.500: isakmp: phase 1 I ident

Ubiquiti Employee
Posts: 3,050
Registered: 05-08-2017
Kudos: 542
Solutions: 428

Re: L2TP IPSec dies after phase1

Hi @aschittko1,

Is your VPN client a Windows (10) computer by any chance? In this case, you will need to add this registry fix to allow connections to an L2TP server behind NAT.

-Ben

Ben Pin | Ubiquiti Support

New Member
Posts: 4
Registered: 11-06-2017

Re: L2TP IPSec dies after phase1

Hi Ben,

I've used Windows 10 and Mac OS High Sierra as clients. Windows 10 does have the UDP Encapsulation of NAT-T packets registry key set to "2".

Thanks

Ubiquiti Employee
Posts: 3,050
Registered: 05-08-2017
Kudos: 542
Solutions: 428

Re: L2TP IPSec dies after phase1

Looking at the packet capture, it doesn't seem that the UDP 4500 traffic is arriving at the EdgeRouter's WAN interface. You mentioned that there are two routers in front of the ER. Are they both set to forward UDP 500/4500 to the EdgeRouter?

-Ben

Ben Pin | Ubiquiti Support

New Member
Posts: 4
Registered: 11-06-2017

Re: L2TP IPSec dies after phase1

Yes, all upstreams have:

UDP 4500, 500, 1701
IP 50, 51

forwarded to the Edge.

I suspect one of the upstreams forwarded 4500 somewhere else via UPnP and isn't showing that on their management interfaces. I disabled UPnP on both upstreams but that didn't resolve it.

So it is indeed UDP 4500 traffic not making it to the Edge... Blame the upstream?

Ubiquiti Employee
Posts: 3,050
Registered: 05-08-2017
Kudos: 542
Solutions: 428

Re: L2TP IPSec dies after phase1

You should be able to verify if the UDP 4500 traffic is forwarded with a packet capture on the LAN and WAN interfaces of the upstream devices. There is no need to forward protocol 50, 51 and UDP 1701.

-Ben

Ben Pin | Ubiquiti Support
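To put the checks discussed in this thread into working code, here is an added example; it is not from the thread, from the EdgeRouter, or from Ubiquiti. It reads the responder's swanctl log to confirm that phase 1 reached the NAT-D exchange and both sides were found behind NAT (so everything after that point is expected on UDP 4500), and then walks tcpdump captures taken at each upstream device's WAN and LAN interfaces, as suggested above, to report the first hop that still sees UDP 500 but never sees UDP 4500. The swanctl lines, the capture lines, the hop names and the RFC 5737 addresses are all constructed for the example.

```python
import re

# One `tcpdump -n` line for a UDP packet, e.g. (constructed):
#   22:58:07.550986 IP 203.0.113.5.1011 > 192.168.3.10.500: isakmp: phase 1 I ident
TCPDUMP_UDP_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP (?P<src>\S+?)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\d+): (?P<info>.*)$"
)
IKE_PORTS = (500, 4500)  # IKE on 500; IKE and ESP inside UDP (NAT-T) on 4500


def ike_phase1_nat_state(swanctl_lines):
    """Summarise the NAT detection outcome of an IKEv1 Main Mode phase 1.

    NAT-D payloads travel in the second Main Mode round trip. Once either side
    is found behind NAT, both peers move the rest of IKE and the ESP traffic to
    UDP 4500, so that port must reach the responder or phase 1 stalls right here.
    """
    natd = any("NAT-D" in line for line in swanctl_lines)
    local = any("local host is behind NAT" in line for line in swanctl_lines)
    remote = any("remote host is behind NAT" in line for line in swanctl_lines)
    return {
        "natd_exchanged": natd,
        "local_behind_nat": local,
        "remote_behind_nat": remote,
        "nat_t_expected": natd and (local or remote),
        "ike_sa_established": any("IKE_SA" in l and "established" in l for l in swanctl_lines),
    }


def ike_port_counts(tcpdump_lines):
    """Count packets per IKE destination port (500 and 4500) in `tcpdump -n` output."""
    counts = {port: 0 for port in IKE_PORTS}
    for line in tcpdump_lines:
        match = TCPDUMP_UDP_RE.match(line)
        if match is None:
            continue  # ESP, ARP and other non-UDP lines carry no port and are skipped
        dport = int(match["dport"])
        if dport in counts:
            counts[dport] += 1
    return counts


def locate_nat_t_loss(capture_points):
    """Return the first capture point that sees IKE on UDP 500 but nothing on UDP 4500.

    capture_points is ordered from the outermost NAT router's WAN inward to the
    VPN server's own interface; the hop where 4500 first goes missing is the
    device whose forwarding (or a UPnP mapping) needs attention. None means
    every hop saw both ports.
    """
    for name, lines in capture_points:
        counts = ike_port_counts(lines)
        if counts[500] > 0 and counts[4500] == 0:
            return name
    return None


def diagnose(swanctl_lines, capture_points):
    """Combine the responder's log with per-hop captures into one report."""
    report = ike_phase1_nat_state(swanctl_lines)
    report["hop_counts"] = {name: ike_port_counts(lines) for name, lines in capture_points}
    report["nat_t_lost_at"] = (
        locate_nat_t_loss(capture_points) if report["nat_t_expected"] else None
    )
    return report


# Constructed sample data: the NAT-D part of a swanctl log, and captures from
# five points along a double-NAT path (hop names and addresses are made up).
SWANCTL_LOG = [
    "08[IKE] received NAT-T (RFC 3947) vendor ID",
    "08[IKE] 203.0.113.5 is initiating a Main Mode IKE_SA",
    "07[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]",
    "07[IKE] local host is behind NAT, sending keep alives",
    "07[IKE] remote host is behind NAT",
    "07[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]",
]


def _capture(dst, dports):
    """Build constructed tcpdump lines for inbound IKE packets to dst on the given ports."""
    lines = []
    for i, port in enumerate(dports):
        sport, info = (1011, "isakmp") if port == 500 else (4500, "NONESP-encap: isakmp")
        lines.append(
            f"22:58:0{i}.000000 IP 203.0.113.5.{sport} > {dst}.{port}: {info}: phase 1 I ident"
        )
    return lines


CAPTURE_POINTS = [
    ("upstream-1 WAN", _capture("198.51.100.7", [500, 500, 4500, 4500])),
    ("upstream-1 LAN", _capture("10.0.0.2", [500, 500, 4500, 4500])),
    ("upstream-2 WAN", _capture("10.0.0.2", [500, 500, 4500, 4500])),
    ("upstream-2 LAN", _capture("192.168.3.10", [500, 500])),  # 4500 never forwarded
    ("edgerouter eth0", _capture("192.168.3.10", [500, 500])),
]

if __name__ == "__main__":
    result = diagnose(SWANCTL_LOG, CAPTURE_POINTS)
    for hop, counts in result["hop_counts"].items():
        print(f"{hop:16s} udp/500={counts[500]:2d} udp/4500={counts[4500]:2d}")
    print("NAT-T expected:", result["nat_t_expected"], "| lost at:", result["nat_t_lost_at"])
```

In real use, save `sudo swanctl --log` from the EdgeRouter and `tcpdump -n -i <iface> udp port 500 or udp port 4500` from each upstream interface to files, and feed the lines in outermost-first order. The hop counts alone already show the pattern from this thread: every point up to the misconfigured device sees both ports, and from its LAN side inward only UDP 500 survives.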

New Member
Posts: 4
Registered: 11-06-2017

Re: L2TP IPSec dies after phase1

I contacted the people running my upstream NAT gateways and they found 4500 in use by one of their services. We're good to go now.

Thank you!