D-Link Forums

D-Link VPN Router => DSR-250 => Topic started by: hanuszewski on October 06, 2016, 01:16:43 PM

Title: Comcast DSR-250 L2TP\IPSec Configuration
Post by: hanuszewski on October 06, 2016, 01:16:43 PM
I am trying to set up an L2TP\IPSec client-to-gateway VPN. I've combed the forums and have been Googling solutions for almost 48 hours straight without any luck. So I figured I'd post this thread and see if any wisdom comes my way.

I have comcast business class internet with 2 static IPs. I'll call them sIP1 and sIP2. The network diagram is as follows:

Gateway has sIP1 as its WAN address and forwards traffic to an internal router 192.168.0.1 through a NAT.
DSR-250 is plugged into the Gateway with sIP2 set as a static wan address, with a comcast subnet, and comcast gateway. The DSR-250 is not behind a NAT.

Comcast Gateway
Cisco DPC3939B hardware revision 1.0

DSR-250 firmware 2.11_ww


DSR Configuration
My IPSec Policy:
Name: IPSecVPN
Policy Type: IPv4
IKE Version: IKEv1
L2TP Mode: Client
IPSec Mode: Transport
Select Local Gateway: Dedicated Wan
Mode Config: off
Rollover: off
Protocol: ESP
Keepalive: off

Phase 1 (IKE SA Parameters)
Exchange Mode: Aggressive
Direction: Responder
Nat-T: on
Nat keep alive freq: 20
Local Identifier Type: FQDN
Local Identifier: 192.168.0.0
Remote Identifier: FQDN
Remote Identifier: 0.0.0.0
Encryption Algorithm: AES-128, AES-256, 3DES
Authentication Algorithm: MD5, SHA-1, SHA-256
Authentication Method: Pre-shared Key
Pre-Shared key: reallyStrongKey
DH Group: Group 2
SA-Lifetime: 28800
Dead Peer: ON
Detection Period: 20
Reconnect after failure: 5
Extended Authentication: None

Phase 2(Auto Policy)
SA lifetime 3600 seconds
Encryption Algorithm 3DES, AES-128, AES-256
Integrity Algorithm MD5, SHA-1, SHA-256
PFS Key Group: off


My L2TP Server settings
Enable L2TP Server: Enable IPv4
L2TP Routing Mode: NAT
Starting IP: 192.168.0.50
Ending IP: 192.168.0.65
Authentication: Local User Database
CHAP, MS-Chap, MS-Chapv2 ON
Secret Key: off
User timeout 800


User Group
name (VPN)
has L2TP and XAuth enabled
set to network level

I have one user that uses the user group VPN



I'm trying to connect to the VPN from an Android device. When I attempt to connect from my device to sIP2 I can see in the DSR-250 VPN Logs:

Error IPSEC [Identity Protection mode of (invalid)[invalid] is not acceptable
VPN INFORMATION IPSEC Anonymous configuration selected for <mobile device ip>[27082]

Those 2 errors just repeat and then the connection is dropped.

Android VPN Config:
Name: VPN
Type: L2TP/IPSEC PSK
Server: sIP2
L2TP secret: not used
IPSec identifier: not used
IPSec pre-shared key: reallyStrongKey



This is a requirement to use L2TP\IPSEC I cannot use OpenVPN or SSLVPN. The remote clients do not have static ips and the DSR-250 has to accept all incoming remote ips and will verify them using the local database and pre-shared key.

Any support would be appreciated.


Updates:
From the comcast gateway I disabled port management and allowed all traffic through. I am now seeing the following:

[Thu Oct  6 16:37:59 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: the packet retransmitted in a short time from 73.81.117.158[27034]]
[Thu Oct  6 16:37:59 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: The packet is retransmitted by 73.81.117.158[27034].]
[Thu Oct  6 16:38:00 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Phase 1 negotiation failed due to time up for 73.81.117.158[27034]. b88a126f74258911:8a0325f0af6a6c3a]
[Thu Oct  6 16:35:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Anonymous configuration selected for 73.81.117.158[27034].]
[Thu Oct  6 16:35:08 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Received request for new phase 1 negotiation: <sIP2>[500]<=>73.81.117.158[27034]]
[Thu Oct  6 16:35:08 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Beginning Aggressive mode.]
[Thu Oct  6 16:35:08 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Received unknown Vendor ID]
[Thu Oct  6 16:35:08 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Received Vendor ID: RFC 3947]
[Thu Oct  6 16:35:08 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Received unknown Vendor ID]
[Thu Oct  6 16:35:08 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02]
[Thu Oct  6 16:35:08 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Received unknown Vendor ID]
[Thu Oct  6 16:35:08 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Received Vendor ID: DPD]
[Thu Oct  6 16:35:08 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: For 73.81.117.158[27034], Selected NAT-T version: RFC 394]
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration (packet retransmitted in a short time)
Post by: PacketTracer on October 06, 2016, 03:26:43 PM
Hi,

maybe, the following excerpt of your configuration prevents IKE phase 1 to finish successfully:

Quote
Local Identifier Type: FQDN
Local Identifier: 192.168.0.0
Remote Identifier: FQDN
Remote Identifier: 0.0.0.0

First: If you use addresses as Identifiers, you should also use type=Address instead of Type=FQDN.
Second: Please try if setting your Local Identifier to sIP2 (instead of 192.168.0.0) works better.

PT

Title: Re: Comcast DSR-250 L2TP\IPSec Configuration (packet retransmitted in a short time)
Post by: hanuszewski on October 06, 2016, 03:51:48 PM
Quote
Hi,

maybe, the following excerpt of your configuration prevents IKE phase 1 to finish successfully:

Quote
Local Identifier Type: FQDN
Local Identifier: 192.168.0.0
Remote Identifier: FQDN
Remote Identifier: 0.0.0.0

First: If you use addresses as Identifiers, you should also use type=Address instead of Type=FQDN.
Second: Please try if setting your Local Identifier to sIP2 (instead of 192.168.0.0) works better.

PT

Hey, thanks for getting back to me. I'm pretty new to vpn setups.
Changes:
Local Identifier type: Local Wan IP
As for Remote Identifier type, my options are FQDN, User FQDN, DER ASN1 DN
I saw in one of the guides to set FQDN to 0.0.0.0

After changing the local Identifier my errors look like this:
Code:
[VPN] [Error] [IPSEC] [Phase 1 negotiation failed due to time up for 66.87.81.112[21378]. 0b91e9f45b597c87:0a330c128ca0c89d]
[VPN] [Error] [IPSEC] [Ignore information because ISAKMP-SA has not been established yet.]
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration (packet retransmitted in a short time)
Post by: PacketTracer on October 07, 2016, 11:44:28 AM
Hi again,

maybe your Cisco router in the path to the Internet is filtering incoming traffic?

For IPsec to work properly, the Cisco router must allow forwarding of the following traffic types to sIP2:
500/udp (for IKE),
4500/udp (needed if NAT-Traversal has to be negotiated for remote clients behind NATs),
ESP (in case NAT-Traversal isn't needed).

PT
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration (packet retransmitted in a short time)
Post by: hanuszewski on October 07, 2016, 01:18:37 PM
Quote
Hi again,

maybe your Cisco router in the path to the Internet is filtering incoming traffic?

For IPsec to work properly, the Cisco router must allow forwarding of the following traffic types to sIP2:
500/udp (for IKE),
4500/udp (needed if NAT-Traversal has to be negotiated for remote clients behind NATs),
ESP (in case NAT-Traversal isn't needed).

PT

Through the Comcast Gateway -> Advanced -> Port Management: I checked a box that disables all rules and allows all inbound traffic through.
I also Disabled the Firewall completely for True Static IP subnet Only

Just for the fun of dealing with comcast, I chatted with the tech team and asked about the ESP protocol. here is their response:
Quote
Comcast does not block UDP 500 and IPSEC/ESP Protocol 50 on the network.  Applications running on devices behind the Comcast gateway is not accessible to Comcast.  HTTP/HTTPS inbound via the static IP are open and allowed based on rule set of the terminating device.

Title: Re: Comcast DSR-250 L2TP\IPSec Configuration (packet retransmitted in a short time)
Post by: PacketTracer on October 08, 2016, 10:45:47 AM
Hi again,

yet another guess: Maybe, DH Group 2 within your IKEv1 configuration is not regarded strong enough by Android's VPN client. Please check if DH Group 14 works (see e.g. this (http://www.watchguard.com/help/docs/wsm/xtm_11/en-us/content/en-us/bovpn/manual/diffie_hellman_c.html) DH Group survey).

PT
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration (packet retransmitted in a short time)
Post by: hanuszewski on October 10, 2016, 05:48:32 AM
Quote
Hi again,

yet another guess: Maybe, DH Group 2 within your IKEv1 configuration is not regarded strong enough by Android's VPN client. Please check if DH Group 14 works (see e.g. this (http://www.watchguard.com/help/docs/wsm/xtm_11/en-us/content/en-us/bovpn/manual/diffie_hellman_c.html) DH Group survey).

PT

I changed the DH Group. Lots of progress made over the weekend. I think we are very close.

Quote
Information        [Mon Oct 10 08:35:39 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Rejected phase 1 proposal as Peer's hashtype "SHA2-256" mismatched with Local "SHA".]
Information        [Mon Oct 10 08:35:39 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Rejected phase 1 proposal as Peer's authentication method "pre-shared key" mismatched with Local "XAuth psk server".]

I changed the hashtype to SHA2-256 and turned off XAuth edge device. The logs look great except my Android device still won't connect.
New Logs:

Quote
VPN        Debug        [Mon Oct 10 09:05:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: an acceptable proposal found.
: ipsec_doi.c:302:get_ph1approval(]
VPN        Debug        [Mon Oct 10 09:05:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: new cookie:
e268c64a5c6cc53c
: isakmp.c:2650:isakmp_newcookie(]
VPN        Debug        [Mon Oct 10 09:05:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: use ID type of IPv4_address
: ipsec_doi.c:3638:ipsecdoi_setid1(]
VPN        Debug        [Mon Oct 10 09:05:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: compute DH's private.
: oakley.c:368:oakley_dh_generate(]
VPN        Debug        [Mon Oct 10 09:05:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: compute DH's public.
: oakley.c:370:oakley_dh_generate(]
VPN        Debug        [Mon Oct 10 09:05:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: compute DH's shared.
: oakley.c:319:oakley_dh_compute(]
VPN        Debug        [Mon Oct 10 09:05:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: the psk found.
: oakley.c:2889:oakley_skeyid(]
VPN        Debug        [Mon Oct 10 09:05:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: nonce 1: : oakley.c:2904:oakley_skeyid(]
VPN        Debug        [Mon Oct 10 09:05:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: nonce 2: : oakley.c:2910:oakley_skeyid(]
VPN        Debug        [Mon Oct 10 09:05:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: hmac(hmac_sha2_256)
: algorithm.c:471:alg_oakley_hmacdef(]
VPN        Debug        [Mon Oct 10 09:05:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: SKEYID computed:
: oakley.c:2973:oakley_skeyid(]
VPN        Debug        [Mon Oct 10 09:05:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: hmac(hmac_sha2_256)
: algorithm.c:471:alg_oakley_hmacdef(]
VPN        Debug        [Mon Oct 10 09:05:08 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: SKEYID_d computed:
: oakley.c:3030:oakley_skeyid_dae(]
VPN        Debug        [Mon Oct 10 09:05:08 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: hmac(hmac_sha2_256)
: algorithm.c:471:alg_oakley_hmacdef(]
VPN        Debug        [Mon Oct 10 09:05:08 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: SKEYID_a computed:
: oakley.c:3059:oakley_skeyid_dae(]
VPN        Debug        [Mon Oct 10 09:05:09 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: hmac(hmac_sha2_256)
: algorithm.c:471:alg_oakley_hmacdef(]
VPN        Debug        [Mon Oct 10 09:05:09 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: SKEYID_e computed:
: oakley.c:3088:oakley_skeyid_dae(]
VPN        Debug        [Mon Oct 10 09:05:09 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: encryption(aes)
: algorithm.c:576:alg_oakley_encdef(]
VPN        Debug        [Mon Oct 10 09:05:10 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: hash(sha2_256)
: algorithm.c:401:alg_oakley_hashdef(]
VPN        Debug        [Mon Oct 10 09:05:10 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: final encryption key computed:
: oakley.c:3230:oakley_compute_enckey(]

I have no errors but I do have a few warnings, But looking at the times, they seem to work themselves out and continue:
Quote
VPN        Notice        [Mon Oct 10 09:03:00 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Notification] [IPSEC] [The packet is retransmitted by 73.81.123.89[27980].]
VPN        Warning        [Mon Oct 10 09:03:00 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Warning] [IPSEC] [the packet retransmitted in a short time from 73.81.123.89[27980]]
VPN        Notice        [Mon Oct 10 09:03:00 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Notification] [IPSEC] [The packet is retransmitted by 73.81.123.89[27980].]
VPN        Warning        [Mon Oct 10 09:03:00 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Warning] [IPSEC] [the packet retransmitted in a short time from 73.81.123.89[27980]]
VPN        Notice        [Mon Oct 10 09:03:00 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Notification] [IPSEC] [The packet is retransmitted by 73.81.123.89[27980].]
VPN        Warning        [Mon Oct 10 09:03:00 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Warning] [IPSEC] [the packet retransmitted in a short time from 73.81.123.89[27980]]
VPN        Notice        [Mon Oct 10 09:03:00 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Notification] [IPSEC] [The packet is retransmitted by 73.81.123.89[27980].]


Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: hanuszewski on October 10, 2016, 07:16:10 AM
After doing some more digging, Looks like the IPSec Identifier that my Note 5 passes has an unreadable character at the end. I looked at the phone and couldn't delete the extra character. Tried to email myself the id and paste it in, still setting the extra character in the log. I'm not sure if this is a DSR-250 firmware issue or an Android issue.

(http://i.imgur.com/9fJTzNC.jpg)

Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: FurryNutz on October 10, 2016, 08:51:52 AM
Can you test with a Windows PC or Laptop to see if the problem is seen there? Could be a way to see if this is a DSR or Android issue with this unknown character...
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: hanuszewski on October 10, 2016, 05:05:04 PM
Quote
Can you test with a Windows PC or Laptop to see if the problem is seen there? Could be a way to see if this is a DSR or Android issue with this unknown character...

I tried to use a windows laptop. When connecting I get:
Quote
[VPN] [Error][IPSEC] [Identity Protection mode of (invalid)[(invalid)] is not acceptable.

Unlike Android, Windows 10 doesn't really have the configuration settings required to connect. Basically can't set the IPSec Identifier in Windows. If there was a way to configure the DSR-250 to accept any identifier, that would be awesome. 

I also tried to connect using my Ubuntu laptop, got this error on the laptop itself, it never reached the DSR-250:
Code:
NetworkManager[820]: <warn>  [1476145038.3926] vpn-connection[0x198b1f0,89a4d74a-1408-45d4-b36c-4a3d767c5f96,"Probaris L2TP",0]: VPN connection: failed to connect: 'invalid ipsec-gateway-id 'ipsec-gateway-id''
I tried a few different values but couldn't figure out what the gateway id should be.
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: hanuszewski on October 11, 2016, 06:37:47 AM
After thinking about it, I changed the Identifier type to DER ASN1 DN since it's encoded and then decoded later. This got me past the weird character issue. Looking at the logs I can see everything passes and the remote, Android Phone, is assigned a local IP address of 192.168.1.100. Feeling very close,
Code:
VPN        Information        [Tue Oct 11 10:07:39 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: ISAKMP-SA established for sIP2[4500]-66.87.80.183[11738] with spi:9b2f418cf4ac8095:c9be333b0e261384]
Then I get this:
Code:
VPN        Error        [Tue Oct 11 09:16:16 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Error] [IPSEC] [Giving up on 73.81.126.202 to set up IPsec-SA due to time up]
Tried again using a different network and got the same error:
Code:
VPN        Error        [Tue Oct 11 09:29:23 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Error] [IPSEC] [Giving up on 66.87.80.183 to set up IPsec-SA due to time up]
I disabled dead peer detection for trial and error but it didn't change anything

Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: FurryNutz on October 11, 2016, 07:49:18 AM
Any chance you can try a Windows 7 PC? Windows 10 has some known issues with networking and recent updates are causing problems. I'd try Windows 7 if you get a chance. Seems like you're getting closer. I hope PT can help out more.  ;)


Quote
Can you test with a Windows PC or Laptop to see if the problem is seen there? Could be a way to see if this is a DSR or Android issue with this unknown character...

I tried to use a windows laptop. When connecting I get:
Quote
[VPN] [Error][IPSEC] [Identity Protection mode of (invalid)[(invalid)] is not acceptable.

Unlike Android, Windows 10 doesn't really have the configuration settings required to connect. Basically can't set the IPSec Identifier in Windows. If there was a way to configure the DSR-250 to accept any identifier, that would be awesome. 

I also tried to connect using my Ubuntu laptop, got this error on the laptop itself, it never reached the DSR-250:
Code:
NetworkManager[820]: <warn>  [1476145038.3926] vpn-connection[0x198b1f0,89a4d74a-1408-45d4-b36c-4a3d767c5f96,"Probaris L2TP",0]: VPN connection: failed to connect: 'invalid ipsec-gateway-id 'ipsec-gateway-id''
I tried a few different values but couldn't figure out what the gateway id should be.
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: PacketTracer on October 11, 2016, 03:37:47 PM
Please check, if the following configuration will work:

DSR Configuration:
------------------
Local Identifier Type: Local Wan IP
Local Identifier: <sIP2>
Remote Identifier: User FQDN
Remote Identifier: myAndroid



Android VPN Config:
-------------------
Name: VPN
Type: L2TP/IPSEC PSK
Server: <sIP2>
L2TP secret: not used
IPSec identifier: myAndroid
IPSec pre-shared key: <reallyStrongKey>


PT
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: hanuszewski on October 11, 2016, 05:50:12 PM
Quote
Please check, if the following configuration will work:

DSR Configuration:
------------------
Local Identifier Type: Local Wan IP
Local Identifier: <sIP2>
Remote Identifier: User FQDN
Remote Identifier: myAndroid



Android VPN Config:
-------------------
Name: VPN
Type: L2TP/IPSEC PSK
Server: <sIP2>
L2TP secret: not used
IPSec identifier: myAndroid
IPSec pre-shared key: <reallyStrongKey>


PT

Gave it a shot. Got an ID type mismatch.

Code:
VPN        Information        [Tue Oct 11 20:33:37 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Beginning Aggressive mode.]
VPN        Information        [Tue Oct 11 20:33:37 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Received unknown Vendor ID]
VPN        Information        [Tue Oct 11 20:33:37 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Received Vendor ID: RFC 3947]
VPN        Information        [Tue Oct 11 20:33:39 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Received unknown Vendor ID]
VPN        Information        [Tue Oct 11 20:33:41 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02]
VPN        Information        [Tue Oct 11 20:33:41 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Received unknown Vendor ID]
VPN        Information        [Tue Oct 11 20:33:41 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Received Vendor ID: DPD]
VPN        Warning        [Tue Oct 11 20:33:41 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Warning] [IPSEC] [ID type mismatched.]
VPN        Error        [Tue Oct 11 20:33:41 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Error] [IPSEC] [invalid ID payload.]

Another quick question: what am I supposed to use for L2TP Mode on the DSR-250? Client, Gateway, or None


Quote
Any chance you can try a Windows 7 PC? Windows 10 has some known issues with networking and recent updates are causing problems. I'd try Windows 7 if you get a chance. Seems like you're getting closer. I hope PT can help out more.  ;)

I'll try to build a Windows 7 VM and give that a shot.
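The "ID type mismatched" / "invalid ID payload" lines above come from the responder's check of the IKEv1 Identification payload. The following is an added example, not code from this thread, from the DSR-250 firmware, or from D-Link: it encodes and parses an ISAKMP ID payload as laid out in RFC 2407 (type, protocol id, port, data) and applies a simplified model of a gateway's remote-identifier check, including a test for trailing non-printable bytes such as the stray character the Note 5 appended earlier in the thread. The check order (type first, then value) is a plausible model, not the DSR-250's real implementation; the function names `build_id_payload`, `parse_id_payload`, `id_value` and `check_remote_id` are chosen here.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

# IKEv1 / ISAKMP identification types (RFC 2407, section 4.6.2.1)
ID_TYPES = {
    1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 4: "IPV4_ADDR_SUBNET",
    5: "IPV6_ADDR", 6: "IPV6_ADDR_SUBNET", 9: "DER_ASN1_DN", 11: "KEY_ID",
}
ID_CODES = {name: code for code, name in ID_TYPES.items()}


@dataclass
class IdPayload:
    id_type: str      # symbolic name from ID_TYPES, or "unknown(n)"
    protocol_id: int  # 0 = any, 17 = UDP (what L2TP/IPsec clients typically send)
    port: int         # 0 = any, 1701 = L2TP
    data: bytes       # identification data; interpretation depends on id_type


def build_id_payload(id_type: int, data: bytes, protocol_id: int = 0, port: int = 0) -> bytes:
    """Encode an Identification payload with its generic header (next payload = 0)."""
    length = 8 + len(data)  # 4-byte generic header + 4 bytes of ID fields + data
    return struct.pack("!BBHBBH", 0, 0, length, id_type, protocol_id, port) + data


def parse_id_payload(buf: bytes) -> IdPayload:
    """Decode one Identification payload; refuses truncated or mis-sized buffers."""
    if len(buf) < 8:
        raise ValueError("truncated ID payload")
    _next, _reserved, length, id_type, proto, port = struct.unpack("!BBHBBH", buf[:8])
    if length != len(buf):
        raise ValueError(f"length field {length} does not match buffer size {len(buf)}")
    name = ID_TYPES.get(id_type, f"unknown({id_type})")
    return IdPayload(name, proto, port, buf[8:])


def id_value(pl: IdPayload) -> str:
    """Human-readable form of the identification data."""
    if pl.id_type == "IPV4_ADDR" and len(pl.data) == 4:
        return ".".join(str(b) for b in pl.data)
    if pl.id_type in ("FQDN", "USER_FQDN"):
        return pl.data.decode("ascii", errors="replace")
    return pl.data.hex()  # DER_ASN1_DN, KEY_ID, ...: opaque bytes


def check_remote_id(pl: IdPayload, expected_type: str, expected_value: str) -> Tuple[bool, str]:
    """Model of a responder's remote-identifier check: type first, then value.
    Simplified illustration (assumption), not the DSR-250's real logic."""
    if pl.id_type != expected_type:
        return False, f"ID type mismatched: peer sent {pl.id_type}, policy expects {expected_type}"
    if pl.id_type in ("FQDN", "USER_FQDN"):
        # A stray control byte (e.g. a trailing NUL) makes an otherwise correct name fail.
        stray = [b for b in pl.data if b < 0x20 or b > 0x7E]
        if stray:
            return False, f"non-printable byte(s) in identifier: {pl.data!r}"
    got = id_value(pl)
    if got != expected_value:
        return False, f"identifier value mismatch: {got!r} != {expected_value!r}"
    return True, "identifier accepted"


if __name__ == "__main__":
    # Constructed inputs: the clean identifier and one with a trailing NUL byte.
    for raw in (b"myAndroid", b"myAndroid\x00"):
        pl = parse_id_payload(build_id_payload(ID_CODES["USER_FQDN"], raw))
        print(raw, "->", check_remote_id(pl, "USER_FQDN", "myAndroid"))
```

Run it directly to see the clean identifier accepted and the NUL-terminated one rejected; switching the expected type to FQDN while the peer sends USER_FQDN reproduces the type mismatch the log reports before any value comparison happens.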
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: PacketTracer on October 12, 2016, 03:35:48 PM
Quote
What am I suppose to use for L2TP Mode on the DSR-250? Client, Gateway, or None

>Gateway< sounds most plausible to me.
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: hanuszewski on October 12, 2016, 03:51:31 PM
Quote
What am I suppose to use for L2TP Mode on the DSR-250? Client, Gateway, or None

>Gateway< sounds most plausible to me.

We are having a planned network outage tonight so I won't be able to try anything until tomorrow. But just so I understand, this is a good learning experience, my phone, computer, tablet, etc. would be clients and the DSR-250 would be the gateway to my network.

I was reading up on mode config, I get that it allows the gateway to push some configuration options to the clients. Should I enable this or is it not necessary because I'm just using IPSec as the tunnel for L2TP. With mode config I have to set the IPs in the 192.168.1.0 range since the DSR-250 is on the 192.168.0.0 range. All the machines on my network are also on the 192.168.0.0 range.

Also I built a Windows 7 VM. Just can't test it yet. :( lol.

Thanks
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: PacketTracer on October 12, 2016, 04:40:09 PM
config mode (https://tools.ietf.org/html/draft-dukes-ike-mode-cfg-02) and xauth (https://tools.ietf.org/html/draft-beaulieu-ike-xauth-02) both are proprietary Cisco extensions to IKEv1 to compensate for missing features in IKEv1 - but they are de facto standards also implemented by other vendors.

You could use config mode for client-to-site IPsec connections (IPsec in tunnel mode!) without L2TP. With L2TP you will use IPsec in transport mode and L2TP is used to provide the client with IP configuration parameters, hence config mode isn't needed (and wouldn't work in IPsec transport mode)
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: hanuszewski on October 13, 2016, 06:36:05 AM
Thanks for all the information. This has been a great learning experience in how complex these systems can be.

I'm at a point where this is the issue:
Code:
VPN        Information        [Thu Oct 13 09:07:53 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Sending Informational Exchange: notify payload[10381]]
VPN        Error        [Thu Oct 13 09:07:53 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Error] [IPSEC] [Giving up on 73.81.124.10 to set up IPsec-SA due to time up]
VPN        Information        [Thu Oct 13 09:07:53 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Sending Informational Exchange: delete payload[]]
VPN        Information        [Thu Oct 13 09:08:13 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Failed 1 of 3 times to get DPD R-U-THERE-ACK from peer "73.81.124.10[14794]"]
VPN        Information        [Thu Oct 13 09:08:13 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Sending Informational Exchange: notify payload[10381]]
VPN        Information        [Thu Oct 13 09:08:33 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Failed 2 of 3 times to get DPD R-U-THERE-ACK from peer "73.81.124.10[14794]"]
VPN        Information        [Thu Oct 13 09:08:33 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Sending Informational Exchange: notify payload[10381]]
VPN        Information        [Thu Oct 13 09:08:53 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Failed 3 of 3 times to get DPD R-U-THERE-ACK from peer "73.81.124.10[14794]"]
VPN        Information        [Thu Oct 13 09:08:53 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Peer 73.81.124.10 is detected as Dead, Tearing down the connection]

But I feel like there has to be a configuration or something that is mismatched and the phone is hanging up. Nothing in the logs is standing out to me. Here is a full debug level log.
http://pastebin.com/diNraGzp (http://pastebin.com/diNraGzp)
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: PacketTracer on October 13, 2016, 01:40:02 PM
Hi again,

what you can see from the debug log: phase 1 is finished successfully, resulting in a working ISAKMP-SA using NAT-T (your peer is behind a NAT):

Code:
[Thu Oct 13 09:07:10 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: ISAKMP-SA established for sIP2[4500]-73.81.124.10[14794] with spi:4d01b3cfd176fa77:ddc12e3700a55c22]
Then the first quick mode packet (starting phase 2) is received from the peer:

Code:
VPN        Debug        [Thu Oct 13 09:07:18 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: received IDci2:: isakmp_quick.c:1077:quick_r1recv(]
VPN        Debug        [Thu Oct 13 09:07:18 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: received IDcr2:: isakmp_quick.c:1081:quick_r1recv(]

Here is what the peer suggests to be negotiated:

Code:
VPN        Debug        [Thu Oct 13 09:07:47 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: peer's single bundle:
: ipsec_doi.c:1082:get_ph2approvalx(]
VPN        Debug        [Thu Oct 13 09:07:47 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE:  (proto_id=ESP spisize=4 spi=02c697f6 spi_p=00000000 encmode=4 reqid=0:0)
: proposal.c:902:printsaproto(]
VPN        Debug        [Thu Oct 13 09:07:47 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE:   (trns_id=RIJNDAEL encklen=256 authtype=hmac-sha2-256)
: proposal.c:936:printsatrns(]
VPN        Debug        [Thu Oct 13 09:07:48 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE:   (trns_id=RIJNDAEL encklen=256 authtype=hmac-sha)
: proposal.c:936:printsatrns(]
VPN        Debug        [Thu Oct 13 09:07:48 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE:   (trns_id=RIJNDAEL encklen=256 authtype=hmac-md5)
: proposal.c:936:printsatrns(]
VPN        Debug        [Thu Oct 13 09:07:48 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE:   (trns_id=RIJNDAEL encklen=128 authtype=hmac-sha2-256)
: proposal.c:936:printsatrns(]
VPN        Debug        [Thu Oct 13 09:07:48 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE:   (trns_id=RIJNDAEL encklen=128 authtype=hmac-sha)
: proposal.c:936:printsatrns(]
VPN        Debug        [Thu Oct 13 09:07:48 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE:   (trns_id=RIJNDAEL encklen=128 authtype=hmac-md5)
: proposal.c:936:printsatrns(]
VPN        Debug        [Thu Oct 13 09:07:48 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE:   (trns_id=3DES encklen=0 authtype=hmac-sha2-256)
: proposal.c:936:printsatrns(]
VPN        Debug        [Thu Oct 13 09:07:48 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE:   (trns_id=3DES encklen=0 authtype=hmac-sha)
: proposal.c:936:printsatrns(]
VPN        Debug        [Thu Oct 13 09:07:48 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE:   (trns_id=3DES encklen=0 authtype=hmac-md5)
: proposal.c:936:printsatrns(]
VPN        Debug        [Thu Oct 13 09:07:48 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE:   (trns_id=DES encklen=0 authtype=hmac-sha2-256)
: proposal.c:936:printsatrns(]
VPN        Debug        [Thu Oct 13 09:07:48 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE:   (trns_id=DES encklen=0 authtype=hmac-sha)
: proposal.c:936:printsatrns(]
VPN        Debug        [Thu Oct 13 09:07:48 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE:   (trns_id=DES encklen=0 authtype=hmac-md5)
: proposal.c:936:printsatrns(]

And this is, what your DSR selects from this set:

Code:
VPN        Debug        [Thu Oct 13 09:07:48 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: my single bundle:
: ipsec_doi.c:1085:get_ph2approvalx(]
VPN        Debug        [Thu Oct 13 09:07:48 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE:  (proto_id=ESP spisize=4 spi=00000000 spi_p=02c697f6 encmode=4 reqid=14794:14794)
: proposal.c:902:printsaproto(]
VPN        Debug        [Thu Oct 13 09:07:48 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE:   (trns_id=RIJNDAEL encklen=256 authtype=hmac-md5)
: proposal.c:936:printsatrns(]

Looks like DSR only supports hmac-md5 instead of hmac-sha2-256 (RIJNDAEL is only another term for AES)

In addition DSR suggests an SA lifetime of 28800 seconds ...

Code:
VPN        Debug        [Thu Oct 13 09:07:49 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: type=SA Life Type, flag=0x8000, lorv=seconds
: ipsec_doi.c:2261:check_attr_ipsec(]
VPN        Debug        [Thu Oct 13 09:07:49 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: type=SA Life Duration, flag=0x8000, lorv=28800
: ipsec_doi.c:2261:check_attr_ipsec(]

... and sends the second quickmode message back to the peer:

Code:
VPN        Debug        [Thu Oct 13 09:07:51 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: sockname sIP2[4500]
: sockmisc.c:468:sendfromto(]
VPN        Debug        [Thu Oct 13 09:07:51 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: send packet from sIP2[4500]
: sockmisc.c:470:sendfromto(]
VPN        Debug        [Thu Oct 13 09:07:51 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: send packet to 73.81.124.10[14794]
: sockmisc.c:472:sendfromto(]
VPN        Debug        [Thu Oct 13 09:07:51 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: 1 times of 176 bytes message will be sent to 73.81.124.10[14794]
: sockmisc.c:632:sendfromto(]
VPN        Debug        [Thu Oct 13 09:07:51 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: resend phase2 packet 4d01b3cfd176fa77:ddc12e3700a55c22:00008ae5
: isakmp.c:1939:isakmp_ph2resend(]
VPN        Debug        [Thu Oct 13 09:07:52 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: ===
: isakmp.c:380:isakmp_handler(]

Here is why DSR deletes the SA after 60 seconds:

Code:
VPN        Information        [Thu Oct 13 09:07:53 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Sending Informational Exchange: notify payload[10381]]
VPN        Error        [Thu Oct 13 09:07:53 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Error] [IPSEC] [Giving up on 73.81.124.10 to set up IPsec-SA due to time up]
VPN        Information        [Thu Oct 13 09:07:53 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Sending Informational Exchange: delete payload[]]
VPN        Information        [Thu Oct 13 09:08:13 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Failed 1 of 3 times to get DPD R-U-THERE-ACK from peer "73.81.124.10[14794]"]
VPN        Information        [Thu Oct 13 09:08:13 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Sending Informational Exchange: notify payload[10381]]
VPN        Information        [Thu Oct 13 09:08:33 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Failed 2 of 3 times to get DPD R-U-THERE-ACK from peer "73.81.124.10[14794]"]
VPN        Information        [Thu Oct 13 09:08:33 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Sending Informational Exchange: notify payload[10381]]
VPN        Information        [Thu Oct 13 09:08:53 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Failed 3 of 3 times to get DPD R-U-THERE-ACK from peer "73.81.124.10[14794]"]
VPN        Information        [Thu Oct 13 09:08:53 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Peer 73.81.124.10 is detected as Dead, Tearing down the connection]
VPN        Information        [Thu Oct 13 09:08:53 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Purged ISAKMP-SA with spi=4d01b3cfd176fa77:ddc12e3700a55c22.]
VPN        Information        [Thu Oct 13 09:08:54 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [ISAKMP-SA deleted for sIP2[4500]-73.81.124.10[14794] with spi:4d01b3cfd176fa77:ddc12e3700a55c22]
VPN        Information        [Thu Oct 13 09:08:55 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Unable to send SMS]
VPN        Information        [Thu Oct 13 09:08:55 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Unable to send Trap]

It tries DPD (dead peer detection) by sending DPD hellos every 20 seconds but never gets a DPD ack back from the peer - hence it gives up and deletes the SA.

Hence the question is why does the peer not respond to DPDs?

My idea is: the peer is behind a NAT and sends ESP via UDP/IP to your sIP2 on port 4500/UDP. This creates a UDP NAT session in the remote NAT. I guess the timeout interval for UDP-based NAT sessions in the remote NAT device is shorter than 20 seconds, hence the NAT session's state is lost before the first DPD arrives, which is then not forwarded by the remote NAT device to your remote peer's private address.

As a counter measure you could reduce the detection period in your DSR's Phase 1 settings from 20 to lower values:

Dead Peer: ON
Detection Period: 20

Alternatively you could switch DPD off, but then, if the NAT session is lost, the next time the peer talks to your DSR the IPsec traffic will come from another UDP port due to a newly created UDP NAT session, and this could eventually provoke your DSR to drop the IKE SA as well.

On the other hand I'm asking myself why, after successfully finishing phase 2, nothing happens during the next 20 seconds - I'd expect the peer to send PPP frames via L2TP through the IPsec connection in order to get an IP address and start some communication afterwards. But nothing in the debug log gives a hint that this is happening ???

Maybe this is because you statically configured your peer to have address 172.20.20.20 (can see this as remote ID in debug log)? So I'd suggest you remove this address from the peer's IP configuration, so it will eventually request one via PPP through L2TP.

PT
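To make the timeline in the log above easier to read, here is an added example (not part of the thread and not D-Link code) that parses DSR-250 log lines in the format quoted above, extracts the DPD R-U-THERE failures, the interval between them, and the delay from the phase 2 give-up to the teardown, and then compares the DPD interval against an assumed NAT UDP mapping timeout. The log lines embedded in it are a constructed sample modeled on the post's output (same peer address, port and SPI); the NAT timeout values are assumptions, since nothing in the thread measures the remote NAT.

```python
"""Reconstruct the DPD timeline from DSR-250 IPsec log lines.

Added example for this thread; not D-Link code. SAMPLE_LOG is a constructed
sample modeled on the DSR-250 2.11 debug output quoted in the post."""
import re
from datetime import datetime

SAMPLE_LOG = """\
VPN        Error        [Thu Oct 13 09:07:53 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Error] [IPSEC] [Giving up on 73.81.124.10 to set up IPsec-SA due to time up]
VPN        Information        [Thu Oct 13 09:07:53 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Sending Informational Exchange: delete payload[]]
VPN        Information        [Thu Oct 13 09:08:13 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Failed 1 of 3 times to get DPD R-U-THERE-ACK from peer "73.81.124.10[14794]"]
VPN        Information        [Thu Oct 13 09:08:33 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Failed 2 of 3 times to get DPD R-U-THERE-ACK from peer "73.81.124.10[14794]"]
VPN        Information        [Thu Oct 13 09:08:53 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Failed 3 of 3 times to get DPD R-U-THERE-ACK from peer "73.81.124.10[14794]"]
VPN        Information        [Thu Oct 13 09:08:53 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Peer 73.81.124.10 is detected as Dead, Tearing down the connection]
VPN        Information        [Thu Oct 13 09:08:54 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [ISAKMP-SA deleted for sIP2[4500]-73.81.124.10[14794] with spi:4d01b3cfd176fa77:ddc12e3700a55c22]
"""

# One DSR log line: facility, severity, bracketed timestamp (GMT offset dropped),
# model, firmware, module, level, subsystem, message.
LINE_RE = re.compile(
    r"^VPN\s+\w+\s+\[(?P<ts>[^\]]+?)\(GMT[^)]*\)\]\s+"
    r"\[DSR-250\]\s+\[[\d.]+\]\s+\[VPN\]\s+\[(?P<level>\w+)\]\s+\[IPSEC\]\s+"
    r"\[(?P<msg>.*)\]$"
)
DPD_FAIL_RE = re.compile(
    r'Failed (\d+) of (\d+) times to get DPD R-U-THERE-ACK from peer "([^"\[]+)\[(\d+)\]"')
DEAD_RE = re.compile(r"Peer (\S+) is detected as Dead")
GIVEUP_RE = re.compile(r"Giving up on (\S+) to set up IPsec-SA due to time up")


def parse_lines(text):
    """Return a list of (timestamp, level, message) for every line in DSR log format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts").strip(), "%a %b %d %H:%M:%S %Y")
        events.append((ts, m.group("level"), m.group("msg")))
    return events


def analyze_dpd(text):
    """Summarize the DPD exchange: which peer/port was probed, how often,
    and how long the DSR waited from the phase 2 give-up to the teardown."""
    failures, peer, port, dead_at, gave_up_at = [], None, None, None, None
    for ts, _level, msg in parse_lines(text):
        m = DPD_FAIL_RE.search(msg)
        if m:
            failures.append((ts, int(m.group(1)), int(m.group(2))))
            # A port other than 500/4500 is the NAT-assigned source port the
            # remote NAT picked; replies only reach the peer while that mapping lives.
            peer, port = m.group(3), int(m.group(4))
            continue
        m = DEAD_RE.search(msg)
        if m:
            dead_at = ts
            continue
        m = GIVEUP_RE.search(msg)
        if m:
            gave_up_at = ts
    interval = None
    if len(failures) >= 2:
        interval = max((b[0] - a[0]).total_seconds() for a, b in zip(failures, failures[1:]))
    teardown = None
    if gave_up_at is not None and dead_at is not None:
        teardown = (dead_at - gave_up_at).total_seconds()
    return {
        "peer": peer,
        "peer_port": port,
        "dpd_failures": len(failures),
        "dpd_interval_s": interval,
        "teardown_delay_s": teardown,
    }


def dpd_interval_safe(dpd_interval_s, nat_udp_timeout_s):
    """True if a DPD probe (or NAT keepalive) is sent before the remote NAT's UDP
    mapping can expire. nat_udp_timeout_s is an assumption about the remote NAT."""
    return dpd_interval_s < nat_udp_timeout_s


if __name__ == "__main__":
    summary = analyze_dpd(SAMPLE_LOG)
    print(summary)
    for assumed in (15, 30):  # assumed remote NAT UDP timeouts, for illustration
        ok = dpd_interval_safe(summary["dpd_interval_s"], assumed)
        print(f"NAT UDP timeout {assumed}s: DPD every {summary['dpd_interval_s']}s is "
              f"{'fine' if ok else 'too slow'}")
```

Run against the sample, the script reports three DPD failures 20 seconds apart and a 60-second gap from the phase 2 give-up to the teardown, which is the behaviour described above; only with a NAT UDP timeout below 20 seconds does the "mapping expired before the first probe" explanation hold.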
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: hanuszewski on October 14, 2016, 09:02:19 AM
Wow, thanks for breaking that log down. Really helped out a lot. I wish the DSR-250 would log more than 1000 entries. Using debug fills that pretty quickly.

Some changes have been made.
Quote
Looks like DSR only supports hmac-md5 instead of hmac-sha2-256 (RIJNDAEL is only another term for AES)
I enabled a lot more options to help the DSR negotiate better.

I enabled Dead Peer detection and set it to 10, the lowest it can go.
NAT Keep Alive has been enabled, Frequency is also 10 seconds


Quote
On the other hand I'm asking myself why after successfully finishing phase 2 nothing happens during the next 20 seconds - I'd expect the peer sending PPP frames via L2TP through the IPsec connection in order to get an IP address and start some communication afterwards. But nothing in the debug log gives a hint that this is happening
I noticed that, it confuses the hell out of me also. It is an Android Note 5 on the Sprint network and there are "Road warriors" everywhere and I'm sure some of them use L2TP\IPSec. The phone is stock, not rooted or modified.

Quote
Maybe this is because you statically configured your peer to have address 172.20.20.20 (can see this as remote ID in debug log)? So I'd suggest you remove this address from the peer's IP configuration, so it will eventually request one via PPP through L2TP.
As for this, the phone itself doesn't have any static IPs configured. The log I posted for that test had the phone connected to an Xfinity free WiFi hotspot. That access point might do some MAC address static mapping. The log that is posted at the end of this reply has the phone using the Sprint cell network.


This is the log of the phone while connected to the Sprint cell network: http://pastebin.com/jYsRM3bP
This is the log of the phone connected to a "DMZ" subnet attempting to VPN into the local network: http://pastebin.com/kHVd5JV5
This is the log of the phone connected to a free Xfinity hotspot: http://pastebin.com/LMz4wFpG
Still fails to respond to the R-U-THERE message.


Making it this far makes me believe that the Comcast Gateway isn't blocking anything. Plus nothing is logged in the gateway firewall logs. Devices plugged into the DSR250 have internet access and from the Diagnostics page I can ping and perform DNS lookups without issues.

I've also included the IPv4 routing table. This is a gray area for me also.
(http://i.imgur.com/DHGP8TX.png)
*I have no idea what 173.12.28.232 is; I don't own that IP. It might be the hotspot gateway.
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: FurryNutz on October 14, 2016, 09:26:49 AM
Does the DSR have a syslog feature?
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: hanuszewski on October 14, 2016, 09:36:10 AM
Does the DSR have a syslog feature?

Looks like it does, have to figure out how to get them.
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: FurryNutz on October 14, 2016, 09:39:02 AM
I know that on home class routers that support syslog, you install syslog capture software on a PC, then input an IP address into the syslog feature and enable it, and the router will start sending logs to the PC. I presume the DSR series may be similar. Might help capture some additional information.
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: hanuszewski on October 18, 2016, 06:43:57 AM
I was able to get the syslog working, but it didn't really show a lot. I decided to bite the bullet and say screw the Comcast router functionality. I attempted to set up the Comcast modem in bridge mode with the DSR-250. I failed, pretty badly lol. Here are the steps I attempted:

1. Log in to the Comcast gateway and turn on bridge mode
2. Restart the Comcast gateway, aka pull the plug and let it fully reboot
3. Plug the DSR-250 into a laptop and manually configure the WAN to my comcast static IP settings, DNS 8.8.8.8, 8.8.4.4
4. Configured the DSR-250 LAN settings to 192.168.1.1, 255.255.255.0, gateway 192.168.1.1, turned LAN proxy off (not sure what that does)
5. Plugged ethernet from Comcast Gateway port 1 into WAN port of DSR-250
6. Went to diagnostic page of DSR-250 and pinged some sites and traced routed some sites
7. Plugged laptop into port 1 of DSR-250 attempted to browse internet, failed
8. released / renewed laptop ip still no internet
9. Turned on LAN Proxy, still no internet on laptop
10. Set DSR-250 max to the same as comcast gateway, No internet
11. rebooted DSR-250, no internet.
12. Gave up, got a beer, rolled everything back. Try again when I have more time.


If anyone has bridged this before, could you let me know how you did it or share some of your insights
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: FurryNutz on October 18, 2016, 06:58:39 AM
Any chance of getting the ISP to check this model modem to make sure you can get true bridge mode on it?
Some users say it's kind of hard:
https://www.dslreports.com/forum/r29535258-Equip-Placing-DPC3939-in-bridged-mode
You might want to check out getting into a stand alone modem like a motorola/arris SB 6141 or 6180 series cable modem if you need to get the DSR working as you need it...
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: hanuszewski on October 18, 2016, 07:07:35 AM
Any chance of getting the ISP to check this model modem to make sure you can get true bridge mode on it?
Some users say it's kind of hard:
https://www.dslreports.com/forum/r29535258-Equip-Placing-DPC3939-in-bridged-mode
You might want to check out getting into a stand alone modem like a motorola/arris SB 6141 or 6180 series cable modem if you need to get the DSR working as you need it...

Damn, why must life be so difficult.
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: FurryNutz on October 18, 2016, 07:11:44 AM
I hear ya. Ya, I don't care much for ISP modem/router combos. If users can avoid these, we recommend using stand alone modems with any external router. Less hassle.  ::)
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: PacketTracer on October 19, 2016, 12:31:27 AM
Quote
6. Went to diagnostic page of DSR-250 and pinged some sites and traced routed some sites

... this indicates that you got it to work!

With your clients behind the DSR: it looks like it's just a DNS resolution problem. I guess they use your DSR not just as gateway but also as DNS resolver? Did you activate the DNS relay function within your DSR? A simple check would have been to configure a LAN client manually to use Google's DNS server.

PT
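The check suggested above (point a LAN client at a public resolver and see whether the symptom changes) can be done without touching client settings. This is an added example, not DSR code and not part of the thread: it sends the same A query to the router's LAN address and to a public resolver, parses the replies with a minimal RFC 1035 wire-format parser, and reduces the two outcomes to one verdict. The resolver addresses (192.168.1.1 for the DSR LAN side, 8.8.8.8 as the public resolver) and the queried name are assumptions; the embedded response bytes are a constructed sample used only for offline parsing.

```python
"""Tell a forwarding failure from a DNS-relay failure on a LAN behind a router.

Added example for this thread, not DSR code. Resolver addresses and the
queried name are assumptions; SAMPLE_RESPONSE is a constructed reply."""
import random
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1


def build_query(name, txid=None):
    """Build a standard recursive A query for `name` in RFC 1035 wire format."""
    if txid is None:
        txid = random.randrange(0, 65536)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                        # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg, expected_txid=None):
    """Return (rcode, [(name, ipv4, ttl), ...]) for the A records in `msg`."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    off = 12
    for _ in range(qd):                                   # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    return flags & 0xF, answers


def probe(resolver, name="example.com", timeout=2.0):
    """Send one query to resolver:53; return ('ok', answers), ('rcode', n) or ('timeout', None)."""
    txid = random.randrange(0, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return ("timeout", None)
    rcode, answers = parse_response(data, txid)
    return ("ok", answers) if rcode == 0 else ("rcode", rcode)


def diagnose(via_router, via_public):
    """Combine the two probe results into one verdict."""
    router_ok = via_router[0] == "ok" and bool(via_router[1])
    public_ok = via_public[0] == "ok" and bool(via_public[1])
    if router_ok and public_ok:
        return "dns-ok"
    if public_ok:
        return "router-relay-broken"   # forwarding works; the router's resolver/relay does not answer
    if router_ok:
        return "direct-dns-blocked"    # relay answers, but UDP/53 to the Internet is filtered
    return "no-connectivity-or-dns"


# Constructed sample reply: txid 0x1234, NOERROR, example.com A 192.0.2.1 TTL 300,
# with the answer name written as a compression pointer to the question.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    # Assumed addresses: DSR LAN side 192.168.1.1, public resolver 8.8.8.8.
    print(diagnose(probe("192.168.1.1"), probe("8.8.8.8")))
```

A "router-relay-broken" verdict matches the situation described in the bridge-mode attempt above: the diagnostics page can ping and trace, so forwarding is fine, while clients that were handed the router as their resolver get nothing back. The transaction-id check in `parse_response` is there so a late reply to an earlier probe is not mistaken for the answer to this one.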
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: hanuszewski on October 19, 2016, 05:33:06 AM
... this indicates that you got it to work!

With your clients behind the DSR: it looks like it's just a DNS resolution problem. I guess they use your DSR not just as gateway but also as DNS resolver? Did you activate the DNS relay function within your DSR? A simple check would have been to configure a LAN client manually to use Google's DNS server.

PT

I knew I was pretty close. I set the DNS on the LAN to be 8.8.8.8, 8.8.4.4. Is there a switch or something special I have to do to enable the DNS relay function?
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: hanuszewski on October 19, 2016, 05:47:01 AM
Another question about the user group, when doing L2TP\IPSec, should my group have both L2TP and XAuth enabled? Also should I enable extend auth edge device in the IPsec policy or the L2TP server page or both?
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: FurryNutz on October 19, 2016, 06:44:12 AM
Look at your client network settings. Is the DNS getting a 192.168.0.1 DNS address or the 8.8.8.8/.4 DNS addresses? If the PC is seeing 192.168.0.1 for DNS, then DNS relay is enabled on the router, I believe. We see this on home class routers. DNS Relay is featured under Setup/Networking on home class routers. Might check the user manual to see where it resides, if anywhere, on the DSR.

... this indicates that you got it to work!

With your clients behind the DSR: it looks like it's just a DNS resolution problem. I guess they use your DSR not just as gateway but also as DNS resolver? Did you activate the DNS relay function within your DSR? A simple check would have been to configure a LAN client manually to use Google's DNS server.

PT

I knew I was pretty close. I set the DNS on the LAN to be 8.8.8.8, 8.8.4.4. Is there a switch or something special I have to do to enable the DNS relay function?
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: PacketTracer on October 19, 2016, 08:45:07 AM
Quote
Another question about the user group, when doing L2TP\IPSec, should my group have both L2TP and XAuth enabled?

XAuth is an extension to IKEv1 that allows you to use more authentication methods (e.g. RADIUS) than the few ones supported by IKEv1 itself (PSK, certificates). Hence, if your remote clients don't support/request XAUTH, you don't have to think about XAuth, just use PSK and you are fine  :)

Quote
Also should I enable extend auth edge device in the IPsec policy or the L2TP server page or both?

"L2TP server" alone should be the option you need, if your remote clients don't support/request XAUTH.
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration (Solved)
Post by: hanuszewski on November 07, 2016, 07:12:11 AM
Hello,
After weeks of trial and error and all the support from this forum, I have finally solved this issue. I am able to use L2TP\IPsec with Android, iOS, OS X, and Windows.

I have comcast Business class internet with static IPs
On the Comcast gateway, I disabled the firewall and allowed all traffic on all ports. LAN 192.168.1.1
Behind the gateway I have an ASUS-3200 that is my DHCP server: WAN IP 192.168.1.10, gateway 192.168.1.1, DHCP LAN 192.168.0.1
The DSR-250 WAN plugs into the Comcast gateway. The WAN IP is set to one of my statics XXX.YYY.XXX.YYY; LAN DHCP is set to relay with the gateway set to 192.168.0.1

I rolled the DSR-250 Firmware back to version 2.01_WW

IPSec Policy
Policy Name: L2TPVPN
Policy Type: Auto Policy
IP Protocol Version: IKEv1
L2TP Mode: Gateway
IPSec Mode: Transport Mode
Select Local Gateway: Dedicated WAN
Remote Endpoint: FQDN
IP Address / FQDN: 0.0.0.0
Enabled Mode Config: off
Enable RollOver: off
Protocol: ESP
Enable Keepalive: off

Phase 1 (IKE SA Params)
Exchange Mode: Main
Direction\type: Responder
Nat Traversal: on
Nat Keep Alive Frequency: 20 sec
Local Identifier Type: Local WAN IP
Remote Identifier Type: FQDN
Remote Identifier: 0.0.0.0
Encryption Algorithms: AES128, AES256, 3DES
Authentication Algorithms: SHA1, SHA2-256
Authentication Method: Pre-shared key
Pre-shared key: <Really long safe key>
DH Group: Group 2
SA-Lifetime: 28800
Enable Dead peer detection: on
Detection period 20
Reconnect After Failure: 5
Extended Authentication: None

Phase 2
SA Lifetime: 3600 seconds
Encryption Algorithm: 3DES, AES128, AES256
Integrity Algorithm: SHA1, SHA2-256

PFS Key Group: off


VPN -> L2TP Server
Enable L2TP Server: Enabled IPv4
L2TP Routing Mode: Nat
Starting IP Address: 192.168.0.50 (Note: personal preference)
Ending IP Address: 192.168.0.65 (Note: personal preference)
Authentication Database
Authentication: Local User Database
Authentication Supported
CHAP, MS-CHAP, MS-CHAPv2
Encryption
Secret Key: off
Idle Timeout: 300 seconds

Security -> Internal User database
Groups
Added a group
Group Name L2TP
Description L2TP VPN Users
User type: Network
PPTP User: off
L2TP User: on
Xauth User: off
SSLVPN User: off
idle timeout: 10 minutes

Users
Add user Select group L2TP


Setting up Windows
Create a vpn
Hostname /IP address of destination is my Static IP XXX.YYY.XXX.YYY
On the security tab, set the type to Layer 2 Tunneling Protocol with IPSec
Click Advanced settings, select "Use pre-shared key for authentication" and set it to <pre-shared key from the policy>
Check Allow these protocols
select CHAP and MS-CHAPv2
Login, username and password of the user on the DSR-250 DB

Setting up on iOS
Create a VPN configuration
Type: L2TP
Description my vpn
Server: Static IP XXX.YYY.XXX.YYY
account: username and password of the user on the DSR-250 DB
Secret: <pre-shared key from the policy>
Send all traffic: enabled


Android
Add VPN
Name: My VPN
Type: L2TP/IPSec PSK
Server Address: Static IP XXX.YYY.XXX.YYY
L2TP Secret: not used
IPSec Identifier: Not Used
IPSec pre-shared key <pre-shared key from the policy>
Save
Connect, enter your username and password of the user on the DSR-250 DB
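The working policy above is worth checking with a short policy lint before reusing it. The following is an added example (not part of the thread and not DSR firmware code): it encodes the phase 1 / phase 2 settings from the post as a dictionary, runs a handful of IKEv1 PSK responder checks over them, and diffs them against a constructed weaker variant (aggressive mode, MD5 offered, an IP literal declared as an FQDN identifier) to show which checks fire. The finding codes, severities and the weak variant are this script's own, not anything from the page.

```python
"""Lint an IKEv1 L2TP/IPsec responder policy like the one that finally worked.

Added example for this thread, not DSR firmware code. WORKING_POLICY mirrors
the settings in the post above; WEAK_POLICY is a constructed variant used only
to show the checks firing. Finding codes and severities are this script's own."""
import ipaddress

WORKING_POLICY = {
    "exchange_mode": "Main",
    "auth_method": "psk",
    "local_id_type": "Local WAN IP",
    "local_id": None,
    "remote_id_type": "FQDN",
    "remote_id": "0.0.0.0",
    "p1_encryption": ["AES128", "AES256", "3DES"],
    "p1_integrity": ["SHA1", "SHA2-256"],
    "dh_group": 2,
    "p2_encryption": ["3DES", "AES128", "AES256"],
    "p2_integrity": ["SHA1", "SHA2-256"],
    "pfs": False,
    "dpd_period_s": 20,
    "nat_keepalive_s": 20,
}

# Constructed for illustration only: aggressive mode, MD5 offered, and an IP
# literal declared under the FQDN identifier type.
WEAK_POLICY = dict(WORKING_POLICY, exchange_mode="Aggressive",
                   local_id_type="FQDN", local_id="192.168.0.0",
                   p1_integrity=["MD5", "SHA1"], p2_integrity=["MD5", "SHA1"])


def _is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def lint_policy(p):
    """Return (severity, code, message) findings for an IKEv1 PSK responder policy."""
    f = []
    if p["exchange_mode"].lower() == "aggressive" and p["auth_method"] == "psk":
        f.append(("high", "AGGRESSIVE_PSK",
                  "IKEv1 aggressive mode sends the PSK-based authentication hash unencrypted, "
                  "so a passive observer can run an offline dictionary attack on the PSK; use Main mode."))
    if p["local_id_type"].upper() == "FQDN" and p["local_id"] and _is_ip_literal(p["local_id"]):
        f.append(("high", "ID_TYPE_MISMATCH",
                  f"local identifier {p['local_id']!r} is an IP literal declared as FQDN; "
                  "an FQDN identifier carries a host name, an address belongs in the WAN IP type."))
    for phase, tag in (("p1_integrity", "P1"), ("p2_integrity", "P2")):
        if any(a.upper() == "MD5" for a in p[phase]):
            f.append(("medium", "MD5_" + tag, f"MD5 offered in {tag}; remove it unless a client still needs it."))
    for phase, tag in (("p1_encryption", "P1"), ("p2_encryption", "P2")):
        if any(a.upper() == "3DES" for a in p[phase]):
            f.append(("low", "3DES_" + tag, f"3DES offered in {tag}; keep AES only once every client negotiates it."))
    if p["dh_group"] <= 2:
        f.append(("medium", "WEAK_DH",
                  "DH group 2 is 1024-bit MODP; prefer group 14 or higher where the clients support it."))
    if p["remote_id_type"].upper() == "FQDN" and p["remote_id"] in (None, "", "0.0.0.0"):
        f.append(("info", "ANY_PEER",
                  "any peer holding the PSK can complete phase 1; per-user authentication rests on the "
                  "PPP CHAP/MS-CHAPv2 step inside L2TP, so treat the PSK as a shared group secret."))
    if not p["pfs"]:
        f.append(("low", "NO_PFS", "PFS off: phase 2 keys derive from the phase 1 DH result only."))
    return f


def diff_policies(before, after):
    """Keys whose value changed, mapped to (before, after)."""
    return {k: (before[k], after[k]) for k in after if before.get(k) != after[k]}


if __name__ == "__main__":
    for sev, code, msg in lint_policy(WORKING_POLICY):
        print(f"[{sev}] {code}: {msg}")
    print(diff_policies(WEAK_POLICY, WORKING_POLICY))
```

On the policy from the post the lint leaves only the low and informational items (3DES and group 2 still offered, PFS off, any PSK holder may start phase 1), which is the expected shape for a responder that has to accept the built-in Windows, iOS and Android clients; the high-severity items fire only on the constructed variant.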

Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: FurryNutz on November 07, 2016, 07:26:43 AM
So using this configuration doesn't work on the most recent version of the FW?

Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: hanuszewski on November 07, 2016, 07:31:31 AM
So using this configuration doesn't work on the most recent version of the FW?

I wasn't able to get it to work on the most recent version of the firmware. I found the most recent to be a bit unstable; it was very slow moving between menus. Adding and removing policies eventually caused database errors in the logs about missing identifiers, and the only way to clear them was to factory reset or reflash the firmware.
Other people may not have the same issues I had.
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: FurryNutz on November 07, 2016, 07:36:03 AM
Ok, thanks for the information. I'll try and get this to D-Link for review.

Enjoy.  ;)
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: Moshster77 on November 14, 2016, 12:27:55 PM
The DPC3939B might be your problem. I've heard they have an unsolved bug with IPSEC/GRE. If this is a comcast business account ask if you could swap with an SMC or Netgear business class modem.

M77
Title: Re: Comcast DSR-250 L2TP\IPSec Configuration
Post by: FurryNutz on November 14, 2016, 12:34:39 PM
Thanks for the info. I presume this also needs to be taken into account. There may be a problem in IPSEC/GRE between this ISP modem and the DSR's newer FW, which may have up-to-date IPSEC code where the ISP modem may not have been updated. A compatibility issue is possible here.


The DPC3939B might be your problem. I've heard they have an unsolved bug with IPSEC/GRE. If this is a comcast business account ask if you could swap with an SMC or Netgear business class modem.

M77