Author Topic: Comcast DSR-250 L2TP\IPSec Configuration  (Read 21352 times)

hanuszewski

Comcast DSR-250 L2TP\IPSec Configuration
« on: October 06, 2016, 01:16:43 PM »

I am trying to set up an L2TP\IPSec Client to gateway VPN. I've combed the forums and have been Googling solutions for almost 48 hours straight without any luck. So I figured I'd post this thread and see if any wisdom comes my way.

I have comcast business class internet with 2 static IPs. I'll call them sIP1 and sIP2. The network diagram is as follows:

Gateway has sIP1 as its WAN address and forwards traffic to an internal router 192.168.0.1 through a NAT.
DSR-250 is plugged into the Gateway with sIP2 set as a static wan address, with a comcast subnet, and comcast gateway. The DSR-250 is not behind a NAT.

Comcast Gateway
Cisco DPC3939B hardware revision 1.0

DSR-250 firmware 2.11_ww


DSR Configuration
My IPSec Policy:
Name: IPSecVPN
Policy Type: IPv4
IKE Version: IKEv1
L2TP Mode: Client
IPSec Mode: Transport
Select Local Gateway: Dedicated Wan
Mode Config: off
Rollover: off
Protocol: ESP
Keepalive: off

Phase 1 (IKE SA Parameters)
Exchange Mode: Aggressive
Direction: Responder
Nat-T: on
Nat keep alive freq: 20
Local Identifier Type: FQDN
Local Identifier: 192.168.0.0
Remote Identifier: FQDN
Remote Identifier: 0.0.0.0
Encryption Algorithm: AES-128, AES-256, 3DES
Authentication Algorithm: MD5, SHA-1, SHA-256
Authentication Method: Pre-shared Key
Pre-Shared key: reallyStrongKey
DH Group: Group 2
SA-Lifetime: 28800
Dead Peer: ON
Detection Period: 20
Reconnect after failure: 5
Extended Authentication: None

Phase 2(Auto Policy)
SA lifetime 3600 seconds
Encryption Algorithm 3DES, AES-128, AES-256
Integrity Algorithm MD5, SHA-1, SHA-256
PFS Key Group: off


My L2TP Server settings
Enable L2TP Server: Enable IPv4
L2TP Routing Mode: NAT
Starting IP: 192.168.0.50
Ending IP: 192.168.0.65
Authentication: Local User Database
CHAP, MS-Chap, MS-Chapv2 ON
Secret Key: off
User timeout 800


User Group
name (VPN)
has L2TP and XAuth enabled
set to network level

I have one user that uses the user group VPN



I'm trying to connect to the VPN from an Android device. When I attempt to connect from my device to sIP2 I can see in the DSR-250 VPN Logs:

Error IPSEC [Identity Protection mode of (invalid)[invalid] is not acceptable
VPN INFORMATION IPSEC Anonymous configuration selected for <mobile device ip>[27082]

Those 2 errors just repeat and then the connection is dropped.

Android VPN Config:
Name: VPN
Type: L2TP/IPSEC PSK
Server: sIP2
L2TP secret: not used
IPSec identifier: not used
IPSec pre-shared key: reallyStrongKey



This is a requirement to use L2TP\IPSEC I cannot use OpenVPN or SSLVPN. The remote clients do not have static ips and the DSR-250 has to accept all incoming remote ips and will verify them using the local database and pre-shared key.

Any support would be appreciated.


Updates:
From the comcast gateway I disabled port management and allowed all traffic through. I am now seeing the following:

[Thu Oct  6 16:37:59 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: the packet retransmitted in a short time from 73.81.117.158[27034]]
[Thu Oct  6 16:37:59 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: The packet is retransmitted by 73.81.117.158[27034].]
[Thu Oct  6 16:38:00 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Phase 1 negotiation failed due to time up for 73.81.117.158[27034]. b88a126f74258911:8a0325f0af6a6c3a]
[Thu Oct  6 16:35:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Anonymous configuration selected for 73.81.117.158[27034].]
[Thu Oct  6 16:35:08 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Received request for new phase 1 negotiation: <sIP2>[500]<=>73.81.117.158[27034]]
[Thu Oct  6 16:35:08 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Beginning Aggressive mode.]
[Thu Oct  6 16:35:08 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Received unknown Vendor ID]
[Thu Oct  6 16:35:08 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Received Vendor ID: RFC 3947]
[Thu Oct  6 16:35:08 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Received unknown Vendor ID]
[Thu Oct  6 16:35:08 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02]
[Thu Oct  6 16:35:08 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Received unknown Vendor ID]
[Thu Oct  6 16:35:08 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Received Vendor ID: DPD]
[Thu Oct  6 16:35:08 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: For 73.81.117.158[27034], Selected NAT-T version: RFC 394]
« Last Edit: October 10, 2016, 05:54:12 AM by hanuszewski »

PacketTracer


Hi,

maybe, the following excerpt of your configuration prevents IKE phase 1 to finish successfully:

Quote
Local Identifier Type: FQDN
Local Identifier: 192.168.0.0
Remote Identifier: FQDN
Remote Identifier: 0.0.0.0

First: If you use addresses as Identifiers, you should also use type=Address instead of Type=FQDN.
Second: Please try if setting your Local Identifier to sIP2 (instead of 192.168.0.0) works better.

PT


hanuszewski


Quote from: PacketTracer
Hi,

maybe, the following excerpt of your configuration prevents IKE phase 1 to finish successfully:

Quote
Local Identifier Type: FQDN
Local Identifier: 192.168.0.0
Remote Identifier: FQDN
Remote Identifier: 0.0.0.0

First: If you use addresses as Identifiers, you should also use type=Address instead of Type=FQDN.
Second: Please try if setting your Local Identifier to sIP2 (instead of 192.168.0.0) works better.

PT

Hey, thanks for getting back to me. I'm pretty new to vpn setups.
Changes:
Local Identifier type: Local Wan IP
As for Remote Identifier type, my options are FQDN, User FQDN, DER ASN1 DN
I saw in one of the guides to set FQDN to 0.0.0.0

After changing the local Identifier my errors look like this:
Code:
[VPN] [Error] [IPSEC] [Phase 1 negotiation failed due to time up for 66.87.81.112[21378]. 0b91e9f45b597c87:0a330c128ca0c89d]
[VPN] [Error] [IPSEC] [Ignore information because ISAKMP-SA has not been established yet.]

PacketTracer


Hi again,

maybe your Cisco router in the path to the Internet is filtering incoming traffic?

For IPsec to work properly, the Cisco router must allow forwarding of the following traffic types to sIP2:
500/udp (for IKE),
4500/udp (needed if NAT-Traversal has to be negotiated for remote clients behind NATs),
ESP (in case NAT-Traversal isn't needed).

PT

hanuszewski


Quote from: PacketTracer
Hi again,

maybe your Cisco router in the path to the Internet is filtering incoming traffic?

For IPsec to work properly, the Cisco router must allow forwarding of the following traffic types to sIP2:
500/udp (for IKE),
4500/udp (needed if NAT-Traversal has to be negotiated for remote clients behind NATs),
ESP (in case NAT-Traversal isn't needed).

PT

Through the Comcast Gateway -> Advanced -> Port Management: I checked a box that disables all rules and allows all inbound traffic through.
I also disabled the Firewall completely for True Static IP subnet Only.

Just for the fun of dealing with Comcast, I chatted with the tech team and asked about the ESP protocol. Here is their response:
Quote
Comcast does not block UDP 500 and IPSEC/ESP Protocol 50 on the network.  Applications running on devices behind the Comcast gateway are not accessible to Comcast.  HTTP/HTTPS inbound via the static IP are open and allowed based on rule set of the terminating device.


PacketTracer


Hi again,

yet another guess: Maybe, DH Group 2 within your IKEv1 configuration is not regarded strong enough by Android's VPN client. Please check if DH Group 14 works (see e.g. this DH Group survey).

PT

hanuszewski


Quote from: PacketTracer
Hi again,

yet another guess: Maybe, DH Group 2 within your IKEv1 configuration is not regarded strong enough by Android's VPN client. Please check if DH Group 14 works (see e.g. this DH Group survey).

PT

I changed the DH Group. Lots of progress made over the weekend. I think we are very close.

Quote
Information        [Mon Oct 10 08:35:39 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Rejected phase 1 proposal as Peer's hashtype "SHA2-256" mismatched with Local "SHA".]
Information        [Mon Oct 10 08:35:39 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Rejected phase 1 proposal as Peer's authentication method "pre-shared key" mismatched with Local "XAuth psk server".]

I changed the hashtype to SHA2-256 and turned off XAuth edge device. The logs look great except my Android device still won't connect.
New Logs:

Quote
VPN        Debug        [Mon Oct 10 09:05:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: an acceptable proposal found.
: ipsec_doi.c:302:get_ph1approval(]
VPN        Debug        [Mon Oct 10 09:05:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: new cookie:
e268c64a5c6cc53c
: isakmp.c:2650:isakmp_newcookie(]
VPN        Debug        [Mon Oct 10 09:05:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: use ID type of IPv4_address
: ipsec_doi.c:3638:ipsecdoi_setid1(]
VPN        Debug        [Mon Oct 10 09:05:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: compute DH's private.
: oakley.c:368:oakley_dh_generate(]
VPN        Debug        [Mon Oct 10 09:05:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: compute DH's public.
: oakley.c:370:oakley_dh_generate(]
VPN        Debug        [Mon Oct 10 09:05:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: compute DH's shared.
: oakley.c:319:oakley_dh_compute(]
VPN        Debug        [Mon Oct 10 09:05:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: the psk found.
: oakley.c:2889:oakley_skeyid(]
VPN        Debug        [Mon Oct 10 09:05:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: nonce 1: : oakley.c:2904:oakley_skeyid(]
VPN        Debug        [Mon Oct 10 09:05:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: nonce 2: : oakley.c:2910:oakley_skeyid(]
VPN        Debug        [Mon Oct 10 09:05:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: hmac(hmac_sha2_256)
: algorithm.c:471:alg_oakley_hmacdef(]
VPN        Debug        [Mon Oct 10 09:05:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: SKEYID computed:
: oakley.c:2973:oakley_skeyid(]
VPN        Debug        [Mon Oct 10 09:05:07 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: hmac(hmac_sha2_256)
: algorithm.c:471:alg_oakley_hmacdef(]
VPN        Debug        [Mon Oct 10 09:05:08 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: SKEYID_d computed:
: oakley.c:3030:oakley_skeyid_dae(]
VPN        Debug        [Mon Oct 10 09:05:08 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: hmac(hmac_sha2_256)
: algorithm.c:471:alg_oakley_hmacdef(]
VPN        Debug        [Mon Oct 10 09:05:08 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: SKEYID_a computed:
: oakley.c:3059:oakley_skeyid_dae(]
VPN        Debug        [Mon Oct 10 09:05:09 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: hmac(hmac_sha2_256)
: algorithm.c:471:alg_oakley_hmacdef(]
VPN        Debug        [Mon Oct 10 09:05:09 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: SKEYID_e computed:
: oakley.c:3088:oakley_skeyid_dae(]
VPN        Debug        [Mon Oct 10 09:05:09 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: encryption(aes)
: algorithm.c:576:alg_oakley_encdef(]
VPN        Debug        [Mon Oct 10 09:05:10 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: hash(sha2_256)
: algorithm.c:401:alg_oakley_hashdef(]
VPN        Debug        [Mon Oct 10 09:05:10 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Debugging] [IPSEC] [IKE: final encryption key computed:
: oakley.c:3230:oakley_compute_enckey(]

I have no errors but I do have a few warnings, but looking at the times, they seem to work themselves out and continue:
Quote
VPN        Notice        [Mon Oct 10 09:03:00 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Notification] [IPSEC] [The packet is retransmitted by 73.81.123.89[27980].]
VPN        Warning        [Mon Oct 10 09:03:00 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Warning] [IPSEC] [the packet retransmitted in a short time from 73.81.123.89[27980]]
VPN        Notice        [Mon Oct 10 09:03:00 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Notification] [IPSEC] [The packet is retransmitted by 73.81.123.89[27980].]
VPN        Warning        [Mon Oct 10 09:03:00 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Warning] [IPSEC] [the packet retransmitted in a short time from 73.81.123.89[27980]]
VPN        Notice        [Mon Oct 10 09:03:00 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Notification] [IPSEC] [The packet is retransmitted by 73.81.123.89[27980].]
VPN        Warning        [Mon Oct 10 09:03:00 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Warning] [IPSEC] [the packet retransmitted in a short time from 73.81.123.89[27980]]
VPN        Notice        [Mon Oct 10 09:03:00 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Notification] [IPSEC] [The packet is retransmitted by 73.81.123.89[27980].]


« Last Edit: October 10, 2016, 06:16:16 AM by hanuszewski »

hanuszewski

Re: Comcast DSR-250 L2TP\IPSec Configuration
« Reply #7 on: October 10, 2016, 07:16:10 AM »

After doing some more digging, looks like the IPSec Identifier that my Note 5 passes has an unreadable character at the end. I looked at the phone and couldn't delete the extra character. Tried to email myself the id and paste it in, still setting the extra character in the log. I'm not sure if this is a DSR-250 firmware issue or an Android issue.




FurryNutz

Re: Comcast DSR-250 L2TP\IPSec Configuration
« Reply #8 on: October 10, 2016, 08:51:52 AM »

Can you test with a Windows PC or Laptop to see if the problem is seen there? Could be a way to see if this is a DSR or Android issue with this unknown character...
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

hanuszewski

Re: Comcast DSR-250 L2TP\IPSec Configuration
« Reply #9 on: October 10, 2016, 05:05:04 PM »

Quote from: FurryNutz
Can you test with a Windows PC or Laptop to see if the problem is seen there? Could be a way to see if this is a DSR or Android issue with this unknown character...

I tried to use a windows laptop. When connecting I get:
Quote
[VPN] [Error][IPSEC] [Identity Protection mode of (invalid)[(invalid)] is not acceptable.

Unlike Android, Windows 10 doesn't really have the configuration settings required to connect. Basically can't set the IPSec Identifier in Windows. If there was a way to configure the DSR-250 to accept any identifier, that would be awesome. 

I also tried to connect using my Ubuntu Laptop, got this error on the laptop itself, it never reached the DSR-250:
Code:
NetworkManager[820]: <warn>  [1476145038.3926] vpn-connection[0x198b1f0,89a4d74a-1408-45d4-b36c-4a3d767c5f96,"Probaris L2TP",0]: VPN connection: failed to connect: 'invalid ipsec-gateway-id 'ipsec-gateway-id''
I tried a few different values but couldn't figure out what the gateway id should be.
« Last Edit: October 10, 2016, 05:31:52 PM by hanuszewski »

hanuszewski

Re: Comcast DSR-250 L2TP\IPSec Configuration
« Reply #10 on: October 11, 2016, 06:37:47 AM »

After thinking about it, I changed the Identifier type to DER ASN1 DN since it's encoded and then decoded later. This got me past the weird character issue. Looking at the logs I can see everything passes and the remote, Android Phone, is assigned a local IP address of 192.168.1.100. Feeling very close.
Code:
VPN        Information        [Tue Oct 11 10:07:39 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: ISAKMP-SA established for sIP2[4500]-66.87.80.183[11738] with spi:9b2f418cf4ac8095:c9be333b0e261384]
Then I get this:
Code:
VPN        Error        [Tue Oct 11 09:16:16 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Error] [IPSEC] [Giving up on 73.81.126.202 to set up IPsec-SA due to time up]
Tried again using a different network and got the same error:
Code:
VPN        Error        [Tue Oct 11 09:29:23 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Error] [IPSEC] [Giving up on 66.87.80.183 to set up IPsec-SA due to time up]
I disabled dead peer detection for trial and error but it didn't change anything.

« Last Edit: October 11, 2016, 07:22:57 AM by hanuszewski »

FurryNutz

Re: Comcast DSR-250 L2TP\IPSec Configuration
« Reply #11 on: October 11, 2016, 07:49:18 AM »

Any chance you can try a Windows 7 PC? Windows 10 has some known issues with networking and recent updates are causing problems. I'd try Windows 7 if you get a chance. Seems like you're getting closer. I hope PT can help out more.  ;)



PacketTracer

Re: Comcast DSR-250 L2TP\IPSec Configuration
« Reply #12 on: October 11, 2016, 03:37:47 PM »

Please check, if the following configuration will work:

DSR Configuration:
------------------
Local Identifier Type: Local Wan IP
Local Identifier: <sIP2>
Remote Identifier: User FQDN
Remote Identifier: myAndroid



Android VPN Config:
-------------------
Name: VPN
Type: L2TP/IPSEC PSK
Server: <sIP2>
L2TP secret: not used
IPSec identifier: myAndroid
IPSec pre-shared key: <reallyStrongKey>


PT

hanuszewski

Re: Comcast DSR-250 L2TP\IPSec Configuration
« Reply #13 on: October 11, 2016, 05:50:12 PM »

Quote from: PacketTracer
Please check, if the following configuration will work:

DSR Configuration:
------------------
Local Identifier Type: Local Wan IP
Local Identifier: <sIP2>
Remote Identifier: User FQDN
Remote Identifier: myAndroid



Android VPN Config:
-------------------
Name: VPN
Type: L2TP/IPSEC PSK
Server: <sIP2>
L2TP secret: not used
IPSec identifier: myAndroid
IPSec pre-shared key: <reallyStrongKey>


PT

Gave it a shot. Got an ID type mismatch.

Code:
VPN        Information        [Tue Oct 11 20:33:37 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Beginning Aggressive mode.]
VPN        Information        [Tue Oct 11 20:33:37 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Received unknown Vendor ID]
VPN        Information        [Tue Oct 11 20:33:37 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Received Vendor ID: RFC 3947]
VPN        Information        [Tue Oct 11 20:33:39 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Received unknown Vendor ID]
VPN        Information        [Tue Oct 11 20:33:41 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02]
VPN        Information        [Tue Oct 11 20:33:41 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Received unknown Vendor ID]
VPN        Information        [Tue Oct 11 20:33:41 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Received Vendor ID: DPD]
VPN        Warning        [Tue Oct 11 20:33:41 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Warning] [IPSEC] [ID type mismatched.]
VPN        Error        [Tue Oct 11 20:33:41 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Error] [IPSEC] [invalid ID payload.]

Another quick question, what am I supposed to use for L2TP Mode on the DSR-250? Client, Gateway, or None


Quote from: FurryNutz
Any chance you can try a Windows 7 PC? Windows 10 has some known issues with networking and recent updates are causing problems. I'd try Windows 7 if you get a chance. Seems like you're getting closer. I hope PT can help out more.  ;)

I'll try and build a Windows 7 VM and give that a shot.

PacketTracer

Re: Comcast DSR-250 L2TP\IPSec Configuration
« Reply #14 on: October 12, 2016, 03:35:48 PM »

Quote
What am I supposed to use for L2TP Mode on the DSR-250? Client, Gateway, or None

>Gateway< sounds most plausible to me.
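
The IKE result messages quoted across this thread can be pulled out of a DSR-250 VPN log and put in time order (the excerpts above are not in time order) to see at which stage a negotiation stopped. This is an added example, not part of any post and not D-Link code; the function names are hypothetical, the sample log is constructed (documentation addresses, made-up SPI), and the patterns cover only the message texts shown in the thread.

```python
import re
from datetime import datetime

# Record layout quoted in the thread:
#   [timestamp] [DSR-250] [fw] [VPN] [level] [IPSEC] [message]
# The message may itself contain brackets (peer[port]), so it runs to the last "]".
RECORD = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[DSR-250\] \[[^\]]+\] \[VPN\] "
    r"\[(?P<level>[^\]]+)\] \[IPSEC\] \[(?:IKE: )?(?P<msg>.*)\]\s*$")

# Result messages that appear in the thread, in the order IKEv1 reaches them.
RULES = [
    ("phase1-proposal-mismatch", re.compile(
        r"Rejected phase 1 proposal as Peer's (?P<field>.+?) \"(?P<offered>[^\"]+)\" "
        r"mismatched with Local \"(?P<configured>[^\"]+)\"")),
    ("phase1-id-mismatch", re.compile(r"ID type mismatched|invalid ID payload")),
    ("phase1-timeout", re.compile(
        r"Phase 1 negotiation failed due to time up for (?P<peer>[\d.]+)\[")),
    ("phase1-established", re.compile(
        r"ISAKMP-SA established for .*?-(?P<peer>[\d.]+)\[")),
    ("phase2-timeout", re.compile(
        r"Giving up on (?P<peer>[\d.]+) to set up IPsec-SA due to time up")),
]
STAGE = {
    "phase1-proposal-mismatch": "phase 1: proposal rejected",
    "phase1-id-mismatch": "phase 1: identifier rejected",
    "phase1-timeout": "phase 1: exchange never completed",
    "phase1-established": "phase 1 done, no phase 2 result logged",
    "phase2-timeout": "phase 2: IPsec-SA not set up",
}

# Constructed sample, deliberately out of time order like the excerpts above.
SAMPLE_LOG = """\
VPN        Error        [Tue Oct 11 09:00:05 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Error] [IPSEC] [Giving up on 203.0.113.7 to set up IPsec-SA due to time up]
[Tue Oct 11 08:59:30 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: ISAKMP-SA established for 192.0.2.10[4500]-203.0.113.7[11738] with spi:0011223344556677:8899aabbccddeeff]
[Tue Oct 11 08:40:00 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Rejected phase 1 proposal as Peer's hashtype "SHA2-256" mismatched with Local "SHA".]
[Tue Oct 11 08:40:00 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Rejected phase 1 proposal as Peer's authentication method "pre-shared key" mismatched with Local "XAuth psk server".]
[Tue Oct 11 08:40:01 2016(GMT-0500)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [IKE: Received Vendor ID: DPD]
"""

def _when(ts):
    # "Tue Oct 11 09:00:05 2016(GMT-0500)" -> datetime (zone suffix dropped)
    return datetime.strptime(ts.split("(")[0], "%a %b %d %H:%M:%S %Y")

def triage(log_text):
    """Return the IKE result records found in log_text, oldest first."""
    findings = []
    for line in log_text.splitlines():
        rec = RECORD.search(line)  # search(): tolerate the "VPN  Error" column prefix
        if not rec:
            continue
        for name, pattern in RULES:
            hit = pattern.search(rec["msg"])
            if hit:
                findings.append({"ts": rec["ts"], "level": rec["level"],
                                 "finding": name, **hit.groupdict()})
                break
    return sorted(findings, key=lambda f: _when(f["ts"]))

def proposal_fixes(findings):
    """Map each rejected Phase 1 attribute to (peer offered, gateway configured)."""
    return {f["field"]: (f["offered"], f["configured"])
            for f in findings if f["finding"] == "phase1-proposal-mismatch"}

def stalled_at(findings):
    """Name the stage at which the most recent logged result stopped."""
    return STAGE[findings[-1]["finding"]] if findings else "no IKE result in log"

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(proposal_fixes(found))
    print(stalled_at(found))
```
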