Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[FurryNutz]

Look at your client network settings. Is the DNS getting a 192.168.0.1 DNS address or a 8.8.8.8/.4 DNS addresses. If the PC is seeing 192.168.0.1 for DNS then DNS relay is enabled on the router I believe. We see this on home class router. DNS Relay is featured under Setup/Networking on home class routers. Might check the user manual to see where it resides, if any, on the DSR.

... this indicates that you got it work!

With your clients behind DSR: Looks like it's just a DNS resolution problem. Guess they use your DSR not just as gateway but also as DNS resolver? Did you activate DNS relay function within your DSR? A simple check would have been, to configure a LAN client manually to use Google's DNS server.

PT

I knew I was pretty close. I set the dns on the lan to be 8.8.8.8, 8.8.4.4. is there a switch or something special I have to do to enable the DNS relay function?

[PacketTracer]

Another question about the user group, when doing L2TP\IPSec, should my group have both L2TP and XAuth enabled?

XAuth is an extension to IKEv1 that allows you to use more authentication methods (e.g. RADIUS) than the few ones supported by IKEv1 itself (PSK, certificates). Hence, if your remote clients don't support/request XAUTH, you don't have to think about XAuth, just use PSK and you are fine 

Also should I enable extend auth edge device in the IPsec policy or the L2TP server page or both?

"L2TP server" alone should be the option you need, if your remote clients don't support/request XAUTH.

[hanuszewski]

Hello,
After weeks of trial and error and all the support form this form, I have finally solved this issue. I am able to use L2TP\IPsec with Android, iOS, OSX, and Windows.

I have comcast Business class internet with static IPs
On the comcast gateway, i disabled the Firewall and allowed all traffic on all ports. LAN 192.168.1.1
Behind the gateway I have an ASUS-3200 that is my DHCP server wan IP 192.168.1.10, gateway 192.168.1.1, DHCP LAN 192.168.0.1
DSR-250 WAN plugs into the comcast gateway. WAN IP is set to one of my statics XXX.YYY.XXX.YYY, LAN DHCP is set to relay with the gateway set to 192.168.0.1

I rolled the DSR-250 Firmware back to version 2.01_WW

IPSec Policy
Policy Name: L2TPVPN
Policy Type: Auto Policy
IP Protocol Version: IKEv1
L2TP Mode: Gateway
IPSec Mode: Transport Mode
Select Local Gateway: Dedicated WAN
Remote Endpoint: FQDN
IP Address / FQDN: 0.0.0.0
Enabled Mode Config: off
Enable RollOver: off
Protocol: ESP
Enable Keepalive: off

Phose 1(IKE SA Prams)
Exchange Mode: Main
Direction\type: Responder
Nat Traversal: on
Nat Keep Alive Frequency: 20 sec
Local Identifier Type: Local WAN IP
Remote Identifier Type: FQDN
Remote Identifier: 0.0.0.0
Encryption Algorithms: AES128, AES256, 3DES
Authentication Algorithms: SHA1, SHA2-256
Authentication Method pre-sharedkey
preshared key: <Really long safe key>
DH Group: Group 2
SA-Lifetime: 28800
Enable Dead peer detection: on
Detection period 20
Reconnect After Failure: 5
Extended Authentication: None

Phase 2
SA Lifetime: 3600 seconds
Encryption Algorithm: 3DES, AES128, AES256
Integrity Algorithm: SHA1, SHA2-256

PFS Key Group: off


VPN -> L2TP Server
Enable L2TP Server: Enabled IPv4
L2TP Routing Mode: Nat
Starting IP Address: 192.168.0.50 (Note: personal preference)
Ending IP Address: 192.168.0.65 (Note: personal preference)
Authentication Database
Authentication: Local User Database
Authentication Supported
CHAP, MS-CHAP, MS-CHAPv2
Encryption
Secret Key: off
Idle Timeout 300seonds

Security -> Internal User database
Groups
Added a group
Group Name L2TP
Description L2TP VPN Users
User type: Network
PPTP User: off
L2TP User: on
Xauth User: off
SSLVPN User: off
idle timeout: 10 minutes

Users
Add user Select group L2TP


Setting up Windows
Create a vpn
Hostname /IP address of destination is my Static IP XXX.YYY.XXX.YYY
On the security tab, set the type to Layer 2 Tunneling Protocol with IPSec
Click advance settings, select use pre-shared key for authentication set it to <pre-shared key from the policy>
Check Allow these protocols
select CHAP and MS-CHAPv2
Login, username and password of the user on the DSR-250 DB

Setting up on iOS
Create a VPN configuration
TYPE: l2TP
Description my vpn
Server: Static IP XXX.YYY.XXX.YYY
account: username and password of the user on the DSR-250 DB
Secret: <pre-shared key from the policy>
Send all traffic: enabled


Android
Add VPN
Name: My VPN
Type: L2TP/IPSec PSK
Server Address: Static IP XXX.YYY.XXX.YYY
L2TP Secret: not used
IPSec Identifier: Not Used
IPSec pre-shared key <pre-shared key from the policy>
Save
Connect, enter your username and password of the user on the DSR-250 DB

[FurryNutz]

So using this configuration doesn't work on the most resent version of FW?

[hanuszewski]

So using this configuration doesn't work on the most resent version of FW?

I wasn't able to get it to work on the most recent version of the firmware. I found the most recent to be a bit unstable, It was very slow moving between menus. Adding and removing policies eventually caused database errors in the logs about missing identifiers, and the only way to clear them was to factory reset or reflash the firmware.
Other people may not have the same issues I had.

[FurryNutz]

Ok, thanks for the information. I'll try and get this to D-Link for review.

Enjoy. 

[Moshster77]

The DPC3939B might be your problem. I've heard they have an unsolved bug with IPSEC/GRE. If this is a comcast business account ask if you could swap with an SMC or Netgear business class modem.

M77

[FurryNutz]

Thanks for the info. I presume this also needs to be taken into account. There maybe a problem in IPSEC/GRE between this ISP modem and the DSRs newer FW which may have up to date IPSEC code where the ISP modem may have not been updated. Compatibility issue is possible here.

The DPC3939B might be your problem. I've heard they have an unsolved bug with IPSEC/GRE. If this is a comcast business account ask if you could swap with an SMC or Netgear business class modem.

M77