New Member
Posts: 5
Registered: ‎09-06-2017
Kudos: 3

Re: L2TP VPN - Multiple connections from same NAT'd location

I'm having the same issues. Contacted support about it. They say on 12-9-2017 it's a known issue: "I will forward this feedback to my team, however the fix for the USG will be implemented only once the edgeOS firmware for edgerouter is fixed. I checked with the development team and was told that it will be fixed in version 2.0, this is an issue with the VPN modules used in vyatta."

 

I think it's a shame they take so long to fix this issue...

New Member
Posts: 1
Registered: ‎12-22-2016

Re: L2TP VPN - Multiple connections from same NAT'd location

Just wanted to say that I too am having this issue with two Windows 10 clients behind the same Router/NAT/Location/IP. If I connect one of the systems it is fine, but as soon as I try to connect the other it fails. I need to disconnect the other to allow the other client to connect. It is a very frustrating issue that is not an issue for my Synology Diskstation which I was wanting to replace with the Edge Router Pro I have. Hopefully this will be fixed soon. Thanks.

New Member
Posts: 5
Registered: ‎09-06-2017
Kudos: 3

Re: L2TP VPN - Multiple connections from same NAT'd location

Hi All,

 

I got an update from Ubnt:

 

Hello,

I'm the UniFi Routing and Switching Support lead and will be assisting you with this issue. I apologize for the delay as we've had a very high number of escalations recently.

I understand you have issues with connecting multiple Windows clients to the L2TP server hosted by the USG. Our L2TP uses L2TP/IPsec (strongswan 5.2.2 behind the scenes), and there's a known issue in strongswan where multiple windows clients behind the same public IP can't make simultaneous connections because they're :
https://wiki.strongswan.org/issues/365
https://wiki.strongswan.org/issues/712

They pretty much blow off the bug suggesting to use IKEv2 remote access VPN instead. Here are the quotes from the strongswan developer:

"This setup is not supported without special consideration. It actually never was, but it didn't produce an error message before.
The problem is that two clients behind the same NAT that both use transport mode can't be distinguished in many situations. In the L2TP case both clients will try to install the same IPsec policy <public NAT IP>[udp/l2tp] === <server IP>[udp/l2tp].
In 5.1.0 updating policies, while they are still actively used by another connection, is prevented and now results in the error message you posted. In earlier releases the server simply updated the policy with the reqid of the second SA. But that just masked the issue as traffic to the first client was then sent to the second one, which is clearly not the intention.
If you can't change the client configuration so that each client uses a distinct source port for L2TP (instead of 1701) your options are limited to implementing some kind of mapping on the server. Since each client probably gets its own NAT mapping on the NAT device (in your case 4500 and 1024) you might be able to NAT each to a separate virtual IP, or map those to a distinct policy by using XFRM marks (duplicate policies can be installed if their XFRM marks are different). Not sure about the details as I've never tried this.
Anyway, with Windows 7 clients your best option is to use IKEv2." - by developer

But is there any other way except IEKv2? - by requester

"Not really. If you can't get your clients to use different source ports for L2TP your only option might be to implement some kind of mapping on the server..." - by developer

UBNT plans on implementing IKEv2 PSK remote access (which will be a significant improvement over L2TP) in our 5.7.x controller. There's no ETA for that at this time.

Our edgemax developers also plan on implementing a fix for the L2TP portion too in EdgeOS 2.0 (which I also do not have an ETA for):
https://community.ubnt.com/t5/EdgeMAX/Mulitple-remote-access-L2TP-ipsec-VPN-client-behind-the-same-N...

 

Brandon Jaffe
Ubiquiti Networks

 

So still no fix. Shame on you UBNT.

Can you please all create cases with UBNT so they know this is a very frustrating issue for us.

New Member
Posts: 37
Registered: ‎08-03-2014
Kudos: 3
Solutions: 3

Re: L2TP VPN - Multiple connections from same NAT'd location


I tried to open a case but they just don't care.  They said, "We are working on it but unfortunately, there is no ETA for the fix."

 

It's been an issue for years.  Home equipment like Netgear and D-Link can handle this but it seems too complicated for Ubiquiti.


New Member
Posts: 29
Registered: ‎04-01-2013
Kudos: 2

Re: L2TP VPN - Multiple connections from same NAT'd location

Hi,

How is it with this? Still no updates from UBNT?

I have consultants at a customer and it's quite bad that only one at a time can VPN in to check out license files and so on.

 

Please any ETA?

New Member
Posts: 4
Registered: ‎07-07-2017

Re: L2TP VPN - Multiple connections from same NAT'd location

Is there an update on this?

Regular Member
Posts: 745
Registered: ‎11-06-2013
Kudos: 230
Solutions: 26

Re: L2TP VPN - Multiple connections from same NAT'd location


Use PPTP then and pray that your traffic is not captured and decrypted.

 

This is not anything that UBNT can actually solve without changing the design. It is simply how L2TP/IPSEC works, as noted in one of the earlier posts.

 

UBNT has stated it is on the roadmap for 2.0, be happy.

 

New Member
Posts: 37
Registered: ‎08-03-2014
Kudos: 3
Solutions: 3

Re: L2TP VPN - Multiple connections from same NAT'd location


@sorvani wrote:

Use PPTP then and pray that your traffic is not captured and decrypted.

This is not anything that UBNT can actually solve without changing the design. It is simply how L2TP/IPSEC works, as noted in one of the earlier posts.

UBNT has stated it is on the roadmap for 2.0, be happy.


Well unfortunately it's not that simple.  PPTP is blocked by many HotSpot devices.  Try using your iPhone as a hotspot and you'll see PPTP fails but L2TP works.

Regular Member
Posts: 745
Registered: ‎11-06-2013
Kudos: 230
Solutions: 26

Re: L2TP VPN - Multiple connections from same NAT'd location

Well those are your choices. L2TP/IPSEC has limitations regarding remote networks behind NAT, always has. PPTP does not.
It is not a function that UBNT can wave a magic wand and solve. It is a significant change in how L2TP has been commonly used over the years, and not something to just plop into a hotfix.

New Member
Posts: 37
Registered: ‎08-03-2014
Kudos: 3
Solutions: 3

Re: L2TP VPN - Multiple connections from same NAT'd location

No one asked for magic wand waving or plopping in a fix.

@sorvani wrote:
Well those are your choices. L2TP/IPSEC has limitations regarding remote networks behind NAT, always has. PPTP does not.
It is not a function that UBNT can wave a magic wand and solve. It is a significant change in how L2TP has been commonly used over the years, and not something to just plop into a hotfix.

Emerging Member
Posts: 51
Registered: ‎05-22-2017
Kudos: 18

Re: L2TP VPN - Multiple connections from same NAT'd location

Hi guys. 

 

PPTP also does not let you connect multiple users behind the same NAT. I have asked this question so many times before. L2TP and PPTP do not let you do multiple connections. I do like UBNT products and have my entire ISP fitted with UBNT products but this VPN is a major let down from UBNT. This issue has been around for years and UBNT hasn't done anything to change it. It's not a new problem. 

New Member
Posts: 2
Registered: ‎04-29-2016

Re: L2TP VPN - Multiple connections from same NAT'd location

Is this fixed on USG yet? I have two L2TP clients at the same location, but only one can connect. I need them to be able to connect simultaneously.

New Member
Posts: 4
Registered: ‎07-07-2017

Re: L2TP VPN - Multiple connections from same NAT'd location

So as you probably read, this is not a USG issue but an L2TP issue. My workaround is to only use L2TP when appropriate and use PPTP for everyone else until another option becomes available.

New Member
Posts: 2
Registered: ‎04-29-2016

Re: L2TP VPN - Multiple connections from same NAT'd location

Thanks for the reply. I will do that.

New Member
Posts: 5
Registered: ‎09-06-2017
Kudos: 3

Re: L2TP VPN - Multiple connections from same NAT'd location


Noooo don't ever use PPTP to connect to your local networks.

PPTP is not an option, there is no encryption with it. So even VPN login credentials are sent in plain text. If you are an EU business user PPTP is not compliant with GDPR, as login usernames and passwords are personal information. It's not allowed to send personal data unencrypted.

My opinion as a network engineer: they should not even support PPTP nowadays. And if UBNT takes security seriously they should strip it from their products.


New Member
Posts: 4
Registered: ‎10-16-2016
Kudos: 4

Re: L2TP VPN - Multiple connections from same NAT'd location

" It is simply how L2TP/IPSEC works, as noted in one of the earlier posts."

 

I'm not convinced this is how L2TP/IPSEC works. I am running L2TP/IPSEC on a ZyWALL USG-50 with between 10-15 simultaneous users connecting from a single IP using a combination of Windows 7/10 and Ubuntu. We do not have a single issue with this other than the Zywall is limited to 100 Mbps.

 

When I try to move to the UBNT L2TP/IPSEC VPN (identical network - just replace it with the UBNT Gateway) I am never able to have more than one developer behind the remote IP connect to the VPN. Why?

New Member
Posts: 22
Registered: ‎10-28-2016
Kudos: 21
Solutions: 1

Re: L2TP VPN - Multiple connections from same NAT'd location

I've just upgraded firmware on my ER-4 and am still having problems connecting more than one Windows (native) client to my VPN from behind the same NAT.

New stable 2.0.0 firmware:

But I found out that when one Windows machine is connected to VPN and other Windows machine is trying to connect to VPN the first one is being disconnected for couple seconds.

 

The second one is stuck on "Verifying your sign-in info..." and then "Can't connect to VPN".

New Member
Posts: 4
Registered: ‎10-16-2016
Kudos: 4

Re: L2TP VPN - Multiple connections from same NAT'd location

After more than one year on this and getting back non-sense responses from Ubiquiti support I've found a solution...

 

Remove EdgeRouter from network.

Throw EdgeRouter in trash or sell on eBay

Replace with PFsense box

Problem solved and now you have a better and more secure Router / Gateway / VPN solution that does support multiple Windows clients.

 

Very disappointing.

Emerging Member
Posts: 58
Registered: ‎02-06-2015
Kudos: 47
Solutions: 4

Re: L2TP VPN - Multiple connections from same NAT'd location


This is just silly. I can't believe the 'can't be done' responses in regard to L2TP/PSK and multiple sources behind the same WAN IP. 

 

I don't use a wide variety of firewall/routing gear, but I know for a fact that Fortigate can both pass L2TP and act as a server without this limitation. Windows Server's built-in Routing and Remote Access service handles multiple incoming connections from the source WAN IP as well. Shame that I can't actually pass L2TP on to RRAS if the USG is configured for s2s (which wouldn't be a big deal if it could *properly* handle multiple L2TP connections).

 

The linked Strongswan article points to this being resolved 4 years ago; unless I'm reading the following wrong they updated their conntrack module connmark plugin to address this:

https://wiki.strongswan.org/issues/365

"Updated by Martin Willi almost 4 years ago

  • Tracker changed from Issue to Feature
  • Category set to libcharon
  • Status changed from Feedback to Closed
  • Assignee changed from Tobias Brunner to Martin Willi
  • Target version set to 5.3.0
  • Resolution set to Fixed

I've just merged the new connmark plugin to the master branch. That plugin allows you to install identical transport mode policies and use Netfilter conntrack marks to distinguish multiple connection flows. This can be used for L2TP sessions or any other traffic that conntrack can track. Refer to the provided test case for an example configuration."
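To make the two quoted strongSwan explanations concrete (the developer's description of the policy collision in the support reply earlier in the thread, and the connmark resolution quoted just above), here is a short Python model of what the server's policy table does when two L2TP/IPsec clients arrive from one NAT. It is an added illustration written for this thread, not strongSwan, EdgeOS or Ubiquiti code; the class names, the `PolicyConflict` error, the `refuse_update` switch and the sample addresses are assumptions of the example. It shows the selector both clients try to install, the refusal (newer behaviour) versus the silent re-pointing of the first client's traffic (older behaviour), and the two escape hatches the developer names: distinct L2TP source ports, or marks that let identical selectors coexist.

```python
"""Model of the transport-mode policy collision that stops two L2TP/IPsec
clients behind one NAT from connecting to the same server, plus the two
workarounds the strongSwan developer mentions (distinct L2TP source ports,
and marks that let duplicate selectors coexist). Constructed for this thread;
not strongSwan, EdgeOS or Ubiquiti code. Class and function names and the
sample addresses are this example's own."""

from dataclasses import dataclass

L2TP_PORT = 1701            # default UDP port used by the Windows L2TP client
NAT_IP = "203.0.113.10"     # constructed: the shared public IP of the NAT
SERVER_IP = "198.51.100.1"  # constructed: the VPN server's public IP


@dataclass(frozen=True)
class Selector:
    """Traffic selector of a transport-mode policy; mark=0 means unmarked."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    mark: int = 0


class PolicyConflict(Exception):
    """A second SA asked to take over a selector still used by another SA."""


class PolicyTable:
    """Simplified kernel policy store: one owning reqid per selector."""

    def __init__(self, refuse_update=True):
        # refuse_update=True models the >= 5.1.0 behaviour quoted in the thread
        # (error instead of update); False models the older silent re-pointing.
        self.refuse_update = refuse_update
        self._owner = {}

    def install(self, selector, reqid):
        owner = self._owner.get(selector)
        if owner is not None and owner != reqid and self.refuse_update:
            raise PolicyConflict(f"{selector} already owned by reqid {owner}")
        self._owner[selector] = reqid

    def owner_of(self, selector):
        return self._owner.get(selector)

    def count(self):
        return len(self._owner)


def client_selector(src_port=L2TP_PORT, mark=0):
    """Policy an L2TP client behind the NAT needs: <NAT IP>[udp/src] === <server>[udp/1701]."""
    return Selector(NAT_IP, src_port, SERVER_IP, L2TP_PORT, mark)


def two_clients_default_ports(refuse_update=True):
    """Both clients use source port 1701 and no mark.

    Returns (outcome, reqid that now owns client 1's selector)."""
    table = PolicyTable(refuse_update)
    first = client_selector()
    table.install(first, reqid=1)
    try:
        table.install(client_selector(), reqid=2)
    except PolicyConflict:
        return "second client refused", table.owner_of(first)
    # Old behaviour: no error, but client 1's traffic is now steered to SA 2.
    return "policy silently re-pointed", table.owner_of(first)


def two_clients_distinct_ports():
    """Workaround 1: each client uses a different L2TP source port."""
    table = PolicyTable()
    table.install(client_selector(src_port=1701), reqid=1)
    table.install(client_selector(src_port=1702), reqid=2)
    return table.count()


def two_clients_marked():
    """Workaround 2: identical selectors told apart by per-connection marks,
    which is the mechanism the connmark plugin automates via conntrack."""
    table = PolicyTable()
    table.install(client_selector(mark=1), reqid=1)
    table.install(client_selector(mark=2), reqid=2)
    return table.count()


if __name__ == "__main__":
    print(two_clients_default_ports())                      # ('second client refused', 1)
    print(two_clients_default_ports(refuse_update=False))   # ('policy silently re-pointed', 2)
    print(two_clients_distinct_ports())                     # 2
    print(two_clients_marked())                             # 2
```

The older "silently re-pointed" outcome is the one to keep in mind when reading the thread: it is not only a connectivity problem but a misdelivery one, since the first client's traffic ends up on the second client's SA. Whether a given firmware exposes the port or mark workaround is a question for that product's configuration, which this model does not cover.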
New Member
Posts: 4
Registered: ‎10-16-2016
Kudos: 4

Re: L2TP VPN - Multiple connections from same NAT'd location

Yes! I agree.

 

Here is my response to support after they have provided numerous links to https://wiki.strongswan.org 

1) all of which are 4 years old and

2) all of which are an open source project - I paid for my router...

 

Please close this ticket.
 
I have removed my USG-4P from my network and replaced it with another firewall that works just fine with an L2TP/IPsec VPN and multiple Windows and Linux clients. I am deeply disappointed in Ubiquiti’s lack of interest to address this problem in your products and am even further disappointed in Ubiquiti’s position to push this off on the open source community.
 
Ubiquiti is selling hardware products with integrated software, such as VPN solutions. Ubiquiti has an obligation to provide working solutions and not excuses. This is quite disappointing and I will be moving away from your products and in doing so encouraging others as it has cost me time, money and a business impact to me.
 
-Brady