
Author Topic: L2TP/IPSec remote user connection  (Read 30159 times)

mcpierce

  • Level 1 Member
  • *
  • Posts: 3
L2TP/IPSec remote user connection
« on: October 30, 2012, 07:59:11 AM »

Before I purchased our DSR-250N, I asked what client software I would need for remote users to VPN into the router.  I was told the Windows built-in client would work, and was directed to the following Windows 7 setup instructions.  Perfect!
  http://www.dlink.com/us/en/support/faqs/firewall/dfl-series/how-do-i-configure-my-windows-vista-windows-7-computer-to-connect-to-a-l2tp-over-ipsec-tunnel-on-my

Now that I have the router, I can't get it to work.  >:(  Has ANYBODY established a successful Windows 7 L2TP over IPSec connection with the DSR series using a PSK???

I have tried to gather some information from this document, but it is for a different router GUI, and some of the critical images are missing (are you there D-Link support?):
http://www.dlink.com/us/en/support/faqs/firewall/dfl-series/dfl-1600/how-do-i-add-a-l2tp-over-ipsec-server-using-psk-and-local-user-authentication

I've tried talking to support twice (about 2 hours total time), but they weren't able to help.  One rep escalated the issue, but I never received the Level 2 call that was promised.  The other rep just told me it couldn't be done, and said I should use PPTP. (We couldn't get PPTP to work either.)

I do see activity in the VPN logs, and can get past Phase 1 IKE negotiation, but it won't go past Phase 2.  So I really suspect I am just not setting the correct IPSec parameters to successfully connect to a Windows 7 client.  As far as I know, the provider's firewall is passing everything right now.

So I'd really like to see what others have set for all the IPSec parameters.  Any help is appreciated!

Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: L2TP/IPSec remote user connection
« Reply #1 on: October 30, 2012, 08:16:22 AM »

Welcome!
What Hardware version is your router? Look at sticker under router.
What Firmware version is currently loaded? Found on router's web page under status.
What region are you located in?

What ISP Service do you have? Cable or DSL?
What ISP Modem do you have? Stand Alone or built in router?
What ISP Modem make and model do you have?
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

mcpierce

  • Level 1 Member
  • *
  • Posts: 3
Re: L2TP/IPSec remote user connection
« Reply #2 on: October 30, 2012, 09:09:27 AM »

The router is Hardware Version: A1  Firmware Version: 1.05B20_WW
It's the only firmware version available.

The router is in Dallas, TX.  The building we are leasing from provides internet access via CAT5.  We have a static IP with them, and we also have a static external IP.  For now the NAT translation is direct - everything is forwarded to/from internal to external IP.  I don't know if the building is using DSL or T1.

Depending on the settings I have in the DSR-250N, I either see Error 789 or Error 807 in Windows.  Anything else to help diagnose the problem?

Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: L2TP/IPSec remote user connection
« Reply #3 on: October 31, 2012, 06:52:36 AM »

I will be interested in seeing what the public IP says when he goes to whatismyip.com from a computer behind the DSR and compare to the public IP seen in the WAN configuration of the unit...

I've been told that Error 789 could be any of these:

- L2TP based VPN client (or VPN server) is behind NAT. (I think this is his problem)

- Wrong certificate or pre-shared key is set on the VPN server or client

- Machine certificate or trusted root machine certificate is not present on the VPN server.

- Machine Certificate on VPN Server does not have 'Server Authentication' as the EKU

Error 807 usually indicates a firewall blocking the traffic. If this is seen at the client side of the VPN, it could be any local firewall software, like the Windows Firewall or AVG antivirus or any other security utility. Are you running any of these programs?

"VPN configurations are cut really clear... They require a WAN port that is truly connected to the internet via a direct modem connection... that public routable IP must be set on the WAN port. VPN and NAT are not friends... even with NAT Traversal features... which allows the server to accept connections from clients that are behind NAT gateways, some servers struggle maintaining a connection through NAT."

Let us know...

Logged

mcpierce

  • Level 1 Member
  • *
  • Posts: 3
Re: L2TP/IPSec remote user connection
« Reply #4 on: October 31, 2012, 03:44:08 PM »

FN,

Thanks for the ideas to consider.  Here are my responses:

- I had wondered about the IP issue.  The client is attempting to contact 12.133.x.x, but the DSR-250N has a WAN IP of 10.1.x.x because it is connected to another network switch.  Does that mean it will never work?

- Yes, the server is behind NAT, with everything forwarded.  That's what the NAT-T setting (on both server and client) is for, right?  The client is not behind NAT.

- I verified the PSK.  I don't have any certificates.

- I did set it to use ESP, not SA.  I had tried SA in the past but some other settings were different.  So this is something to try again.

- I did try without any firewalls, but that didn't change anything.

So I guess the concern is: can we ever have clients connecting over VPN if the WAN IP on the VPN server is not the same as the external (inbound) static IP (i.e. when we are using NAT)?

BUT, unfortunately this is all moot now, since the DSR-250N fried this afternoon.  It's the second one in two weeks to do that, so it's going back to be replaced by something else.  We'll still want to use VPN, so I have definitely learned a lot that I can try in the future.  But it will be with different hardware.

Please do let me know if you think VPN won't be possible with our current setup (through another network).  But for now I'll consider this case closed because I can't test anything else.

Thanks!
-M
Logged
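
The check suggested in Reply #3 (compare the address the internet sees with the address on the WAN port) and the server-behind-NAT question in Reply #4, as an added example that is not from any poster or from D-Link. The function names are hypothetical and every address is a constructed sample value; the registry value named in the comments is the Windows client setting that governs connecting to an L2TP/IPsec server behind NAT.

```python
import ipaddress

# RFC 1918 private ranges plus RFC 6598 carrier-grade NAT space.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def behind_nat(interface_ip, seen_from_internet):
    """True when the interface address is not the address peers actually see."""
    local = ipaddress.ip_address(interface_ip)
    public = ipaddress.ip_address(seen_from_internet)
    return local != public or any(local in net for net in NAT_RANGES)


def diagnose(server_wan, server_public, client_ip, client_public):
    """Summarise what an L2TP/IPsec connection needs for this address layout."""
    server_nat = behind_nat(server_wan, server_public)
    client_nat = behind_nat(client_ip, client_public)
    # Windows client DWORD AssumeUDPEncapsulationContextOnSendRule under
    # HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent:
    #   0 = default, will not build an SA to a server behind NAT
    #   1 = server behind NAT, 2 = server and client both behind NAT
    if server_nat:
        win_value = 2 if client_nat else 1
    else:
        win_value = 0
    # With NAT anywhere in the path, IKE moves to UDP 4500 and ESP is wrapped
    # inside it; without NAT, ESP travels as IP protocol 50. L2TP (UDP 1701)
    # rides inside ESP and is never exposed on its own.
    if server_nat or client_nat:
        needed = ["UDP 500 (IKE)", "UDP 4500 (NAT-T)"]
    else:
        needed = ["UDP 500 (IKE)", "IP protocol 50 (ESP)"]
    return {"server_behind_nat": server_nat,
            "client_behind_nat": client_nat,
            "windows_client_value": win_value,
            "must_reach_server": needed}


if __name__ == "__main__":
    # Constructed layout: router WAN port holds a private address, the
    # building's gateway owns the public one, the client is directly connected.
    report = diagnose("10.1.0.10", "203.0.113.20", "198.51.100.7", "198.51.100.7")
    for key, value in report.items():
        print(f"{key}: {value}")
```
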

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: L2TP/IPSec remote user connection (UNRESOLVED)
« Reply #5 on: November 05, 2012, 07:16:49 AM »

Good Luck.
Logged

modeef

  • Level 1 Member
  • *
  • Posts: 1
Re: L2TP/IPSec remote user connection
« Reply #6 on: June 12, 2013, 06:07:18 PM »

Hi mcpierce,

Not sure if you're still reading this or if you've moved on to a different router -- sounds as though you were done with the DSR-250N -- but I just wanted to say, yes, it's possible to use Windows 7's built-in VPN client to connect to the DSR-250 with IPSec / L2TP. 

I've configured the router today -- quite a lot of hair-pulling, but got there in the end.  TBH, I'd wanted to go the SSLVPN route, but I couldn't get that to work.  Instead, I've gone this way and it's working pretty nicely.   Shout back if you're still looking.
Logged

mblonde12

  • Level 1 Member
  • *
  • Posts: 2
Re: L2TP/IPSec remote user connection
« Reply #7 on: September 09, 2013, 09:34:52 PM »

Hello Modeef,

Are there any specific steps that you had to take to get this to work?  I've been trying to get L2TP to work using a Windows 7 client to no avail.
Thanks,
Mark
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: L2TP/IPSec remote user connection
« Reply #8 on: September 19, 2013, 07:07:17 AM »

I recommend that you contact your regional D-Link support office by phone and get help for this.


Let us know how it goes.
Logged

BountyHunter

  • Level 1 Member
  • *
  • Posts: 3
Re: L2TP/IPSec remote user connection
« Reply #9 on: July 25, 2016, 07:14:37 PM »

I know this is an over-3-year-old post, but even after this long people are experiencing the same issue. D-Link hasn't made it easy for people.

I'm trying to set up L2TP but could not get it to work without hiccups; basically it works randomly. In a few tries it connects once and then it does not work. I sometimes get Error 789. I've tried to contact D-Link Tech support but it wasn't much help, so I thought why not try this route, and found this old post.

Any help is appreciated.
Logged

ZaphoidYK

  • Level 1 Member
  • *
  • Posts: 7
Re: L2TP/IPSec remote user connection
« Reply #10 on: August 07, 2016, 07:42:00 AM »

For something that is marketed and sold as a VPN Router, I am finding the VPN implementation really lacking and the documentation very sparse.

I am not really happy with being told that I have to use a product like GreenBow, which I have to pay licensing for, when my Windows device comes with a standards-compliant VPN client built in. The lack of people posting successful stories or configurations here is telling.

I do like the product; it replaced a client-bought Cisco router, and is performing very well as a router and firewall, but the VPN aspect is critical, and after three weeks of banging my head against the wall and one less-than-useful call to support, I am running out of options and time.
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: L2TP/IPSec remote user connection
« Reply #11 on: September 07, 2016, 07:08:54 AM »

Any progress on this?

Not many users come to the forum and post. Kind of sparse here.
Logged