Login fails - L2TP VPN Client Server between ZyWALL USG 100 and Windows 10

AWUSupport
AWUSupport Posts: 43  Freshman Member
edited April 2021 in Security
Hi,

Have configured a ZyWALL USG 100 for L2TP VPN client-server as per the Zyxel documentation. As per the log below, everything works up to the point of being ready to pass the VPN username and password, at which point it disconnects. There is no NAT-connected router on the WAN side of the ZyWALL.

Then we receive this message:
"The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g., firewalls, NAT, Router etc.) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem."

Log:
No.  Date/Time           Source                 Destination           
     Priority            Category               Note                  
     Message
1    2018-10-16 19:15:18 103.75.1.2:500     120.146.1.2:500     
     info                ike                    IKE_LOG                                         
     The cookie pair is : 0x6fd26dd05a0dc7fc / 0xb70c8fbbabf10927
2    2018-10-16 19:15:18 103.75.1.2:500     120.146.1.2:500     
     info                ike                    IKE_LOG                                         
     ISAKMP SA [L2TP_VPN_GATEWAY] is disconnected
3    2018-10-16 19:15:22 120.146.1.2:500      103.75.1.2:500    
     notice              firewall               ACCESS FORWARD                                  
     priority:32, from WAN to ZyWALL, UDP, service Default_Allow_WAN_To_ZyWALL, ACCEPT
4    2018-10-16 19:15:22 120.146.1.2:500      103.75.1.2:500    
     info                ike                    IKE_LOG                                         
     The cookie pair is : 0xec9de64c19f00475 / 0x0000000000000000
5    2018-10-16 19:15:22 120.146.1.2:500      103.75.1.2:500    
     info                ike                    IKE_LOG                                         
     Recv Main Mode request from [120.146.1.2]
6    2018-10-16 19:15:22 120.146.1.2:500      103.75.1.2:500    
     info                ike                    IKE_LOG                                         
     The cookie pair is : 0x5a30a5e4ded98cc2 / 0xec9de64c19f00475 [count=3]
7    2018-10-16 19:15:22 120.146.1.2:500      103.75.1.2:500    
     info                ike                    IKE_LOG                                         
     Recv:[SA][VID][VID][VID][VID][VID][VID][VID][VID]
8    2018-10-16 19:15:22                                              
     info                ipsec                  IPSEC_LOG                                       
     recv sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 384 bit ECP, AES CBC key len = 128, 256 [count=3]
9    2018-10-16 19:15:22 103.75.1.2:500     120.146.1.2:500     
     info                ike                    IKE_LOG                                         
     The cookie pair is : 0xec9de64c19f00475 / 0x5a30a5e4ded98cc2 [count=2]
10   2018-10-16 19:15:22 103.75.1.2:500     120.146.1.2:500     
     info                ike                    IKE_LOG                                         
     Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID]
11   2018-10-16 19:15:22 120.146.1.2:500      103.75.1.2:500    
     info                ike                    IKE_LOG                                         
     Recv:[KE][NONCE][PRV][PRV]
12   2018-10-16 19:15:22 103.75.1.2:500     120.146.1.2:500     
     info                ike                    IKE_LOG                                         
     Send:[KE][NONCE][PRV][PRV]
13   2018-10-16 19:15:22 120.146.1.2:500      103.75.1.2:500    
     info                ike                    IKE_LOG                                         
     Recv:[ID][HASH]
14   2018-10-16 19:15:22 103.75.1.2:4500    120.146.1.2:4500    
     info                ike                    IKE_LOG                                         
     The cookie pair is : 0xec9de64c19f00475 / 0x5a30a5e4ded98cc2 [count=2]
15   2018-10-16 19:15:22 103.75.1.2:4500    120.146.1.2:4500    
     info                ike                    IKE_LOG                                         
     Send:[ID][HASH]
16   2018-10-16 19:15:22 103.75.1.2:500     120.146.1.2:4500    
     info                ike                    IKE_LOG                                         
     The cookie pair is : 0xec9de64c19f00475 / 0x5a30a5e4ded98cc2 [count=5]
17   2018-10-16 19:15:22 103.75.1.2:500     120.146.1.2:4500    
     info                ike                    IKE_LOG                                         
     Phase 1 IKE SA process done
18   2018-10-16 19:15:22 120.146.1.2:4500     103.75.1.2:4500   
     info                ike                    IKE_LOG                                         
     The cookie pair is : 0x5a30a5e4ded98cc2 / 0xec9de64c19f00475 [count=2]
19   2018-10-16 19:15:22 120.146.1.2:4500     103.75.1.2:4500   
     info                ike                    IKE_LOG                                         
     Recv:[HASH][SA][NONCE][ID][ID][PRV][PRV]
20   2018-10-16 19:15:22 103.75.1.2:4500    120.146.1.2:4500    
     info                ike                    IKE_LOG                                         
     Send:[HASH][SA][NONCE][ID][ID][PRV][PRV]
21   2018-10-16 19:15:22 120.146.1.2:4500     103.75.1.2:4500   
     info                ike                    IKE_LOG                                         
     Recv:[HASH]
22   2018-10-16 19:15:22 120.146.1.2:4500     103.75.1.2:4500   
     error               ipsec                  ipsec                                           
     SPI: 0x81bad30b (2176504587) SEQ: 0x1 (1) No rule found, Dropping ESP/NAT-T packet
23   2018-10-16 19:15:22 103.75.1.2:500     120.146.1.2:4500    
     info                ike                    IKE_LOG                                         
     [Responder:103.75.1.2][Initiator:120.146.1.2]
24   2018-10-16 19:15:22 103.75.1.2:500     120.146.1.2:4500    
     info                ike                    IKE_LOG                                         
     [Policy: ipv4(udp:1701,103.75.1.2)-ipv4(udp:1701,192.168.0.233)]
25   2018-10-16 19:15:22 103.75.1.2:500     120.146.1.2:4500    
     info                ike                    IKE_LOG                                         
     [ESP 3des-cbc|hmac-sha1-96][SPI 0x81bad30b|0x7158117c][Lifetime 300000 kilobytes 3620 seconds]
26   2018-10-16 19:15:22 103.75.1.2:500     120.146.1.2:4500    
     info                ike                    IKE_LOG                                         
     Dynamic Tunnel [L2TP_VPN_GATEWAY:L2TP_VPN_CONNECTION:0x7158117c] built successfully
27   2018-10-16 19:15:57 120.146.1.2:4500     103.75.1.2:4500   
     info                ike                    IKE_LOG                                         
     The cookie pair is : 0x5a30a5e4ded98cc2 / 0xec9de64c19f00475 [count=3]
28   2018-10-16 19:15:57 120.146.1.2:4500     103.75.1.2:4500   
     info                ike                    IKE_LOG                                         
     Recv:[HASH][DEL] [count=2]
29   2018-10-16 19:15:57 120.146.1.2:4500     103.75.1.2:4500   
     info                ike                    IKE_LOG                                         
     Received delete notification
30   2018-10-16 19:15:57 103.75.1.2:4500    120.146.1.2:4500    
     info                ike                    IKE_LOG                                         
     The cookie pair is : 0xec9de64c19f00475 / 0x5a30a5e4ded98cc2
31   2018-10-16 19:15:57 103.75.1.2:4500    120.146.1.2:4500    
     info                ike                    IKE_LOG                                         
     ISAKMP SA [L2TP_VPN_GATEWAY] is disconnected
32   2018-10-16 19:15:58 103.75.1.2:500     120.146.1.2:4500    
     info                ike                    IKE_LOG                                         
     The cookie pair is : 0xec9de64c19f00475 / 0x5a30a5e4ded98cc2
33   2018-10-16 19:15:58 103.75.1.2:500     120.146.1.2:4500    
     info                ike                    IKE_LOG                                         
     Tunnel [L2TP_VPN_GATEWAY:L2TP_VPN_CONNECTION:0x7158117c] is disconnected

Does anyone have an idea what fault could be causing the disconnection before the VPN username and password are authenticated?

Cheers,
Dale.
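To make a log like the one above easier to read while troubleshooting, here is an added Python triage script (written for this thread, not Zyxel software) that parses the three-lines-per-record layout pasted in the post and reports the IKE/IPsec lifecycle: Phase 1 completion, the "No rule found, Dropping ESP/NAT-T packet" error with its SPI, whether that SPI belongs to the child SA that was then built, and how long the tunnel lived before the client's delete notification. The embedded sample is a subset of records copied from the log above; the record layout and the SPI patterns are assumptions taken from that excerpt.

```python
"""Parse and triage a ZyWALL USG IKE/IPsec log excerpt.

Added example for this thread, not Zyxel software. It assumes the
three-lines-per-record layout pasted in the post: number, timestamp and
optional source/destination; then priority, category, note; then message.
"""
import re
from datetime import datetime

# Constructed excerpt: records 8, 17, 22, 25, 26, 29 and 33 copied from the post.
SAMPLE_LOG = """\
8    2018-10-16 19:15:22
     info                ipsec                  IPSEC_LOG
     recv sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 384 bit ECP, AES CBC key len = 128, 256 [count=3]
17   2018-10-16 19:15:22 103.75.1.2:500     120.146.1.2:4500
     info                ike                    IKE_LOG
     Phase 1 IKE SA process done
22   2018-10-16 19:15:22 120.146.1.2:4500     103.75.1.2:4500
     error               ipsec                  ipsec
     SPI: 0x81bad30b (2176504587) SEQ: 0x1 (1) No rule found, Dropping ESP/NAT-T packet
25   2018-10-16 19:15:22 103.75.1.2:500     120.146.1.2:4500
     info                ike                    IKE_LOG
     [ESP 3des-cbc|hmac-sha1-96][SPI 0x81bad30b|0x7158117c][Lifetime 300000 kilobytes 3620 seconds]
26   2018-10-16 19:15:22 103.75.1.2:500     120.146.1.2:4500
     info                ike                    IKE_LOG
     Dynamic Tunnel [L2TP_VPN_GATEWAY:L2TP_VPN_CONNECTION:0x7158117c] built successfully
29   2018-10-16 19:15:57 120.146.1.2:4500     103.75.1.2:4500
     info                ike                    IKE_LOG
     Received delete notification
33   2018-10-16 19:15:58 103.75.1.2:500     120.146.1.2:4500
     info                ike                    IKE_LOG
     Tunnel [L2TP_VPN_GATEWAY:L2TP_VPN_CONNECTION:0x7158117c] is disconnected
"""

# First line of a record; source/destination are absent on some IPsec records.
HEAD_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    r"(?:\s+(?P<src>\S+))?(?:\s+(?P<dst>\S+))?\s*$"
)
SPI_RE = re.compile(r"0x[0-9a-fA-F]+")


def parse_records(text):
    """Return one dict per three-line record; header rows are skipped."""
    lines, records, i = text.splitlines(), [], 0
    while i + 2 < len(lines):
        m = HEAD_RE.match(lines[i])
        if not m:
            i += 1
            continue
        fields = lines[i + 1].split()
        records.append({
            "no": int(m["no"]),
            "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"] or "",
            "dst": m["dst"] or "",
            "priority": fields[0],
            "category": fields[1],
            "note": fields[2] if len(fields) > 2 else "",
            "message": lines[i + 2].strip(),
        })
        i += 3
    return records


def triage(records):
    """Summarise the IKE/IPsec lifecycle and surface the dropped-packet error."""
    s = {"phase1_done": False, "tunnel_spis": set(), "dropped_spis": [],
         "tunnel_built_at": None, "peer_sent_delete": False, "tunnel_down_at": None}
    for r in records:
        msg = r["message"]
        if "Phase 1 IKE SA process done" in msg:
            s["phase1_done"] = True
        elif msg.startswith("[ESP") and "[SPI" in msg:
            # Both SPIs of the child SA, e.g. "[SPI 0x81bad30b|0x7158117c]".
            s["tunnel_spis"].update(x.lower() for x in SPI_RE.findall(msg[msg.index("[SPI"):]))
        elif "built successfully" in msg:
            s["tunnel_built_at"] = r["time"]
        elif r["priority"] == "error" and "Dropping ESP/NAT-T packet" in msg:
            s["dropped_spis"].append(SPI_RE.search(msg).group(0).lower())
        elif "Received delete notification" in msg:
            s["peer_sent_delete"] = True
        elif msg.startswith("Tunnel [") and "is disconnected" in msg:
            s["tunnel_down_at"] = r["time"]
    built, down = s["tunnel_built_at"], s["tunnel_down_at"]
    s["tunnel_seconds"] = (down - built).total_seconds() if built and down else None
    s["drop_matches_tunnel_spi"] = any(x in s["tunnel_spis"] for x in s["dropped_spis"])
    findings = []
    if s["dropped_spis"]:
        findings.append("ESP/NAT-T packet dropped for SPI " + ", ".join(s["dropped_spis"]) +
                        (" (same SPI as the tunnel built in the same second)"
                         if s["drop_matches_tunnel_spi"] else " (SPI not seen in any tunnel)"))
    if built and s["peer_sent_delete"]:
        findings.append(f"IPsec tunnel came up, client deleted it after {s['tunnel_seconds']:.0f}s: "
                        "the failure lies after IPsec, in the L2TP/PPP stage")
    s["findings"] = findings
    return s


if __name__ == "__main__":
    for line in triage(parse_records(SAMPLE_LOG))["findings"]:
        print("-", line)
```

Run against the excerpt, the script reports that the dropped ESP packet carries the same inbound SPI as the child SA built in the same second, and that the client tore the tunnel down 36 seconds after it came up; both observations narrow the problem to what happens after IPsec is established, which is the L2TP/PPP stage the original post describes.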

Comments

  • AWUSupport
    AWUSupport Posts: 43  Freshman Member
    Line 28 onwards of the log above seems to be where the disconnection happens for our VPN client-server login.

    Do you have any suggestions, Charlie? I can certainly send you the firewall config if required to help troubleshoot.
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee

    Hi @AWUSupport,

    I need to check your configuration file, so I will send you a private message later.


  • AWUSupport
    AWUSupport Posts: 43  Freshman Member
    Hi Emily,

    Minutes after I received your reply, I resolved the L2TP VPN client-to-site login failure. Let me explain more...

    We have in place, of course, the default firewall rule for WAN to ZyWALL for IKE, ESP and NAT-T, and also added UDP 1701; login failed under these conditions, as stated in my original post.

    We added a new firewall rule yesterday that allowed login; found this tip here: http://www.iholken.com/index.php/2015/07/19/setup-vpn-l2tpipsec-tunnel-between-zywall-usg-and-windows-phone-8-1-or-iphoneipad/. Could not find any reference to this rule being required in the ZyXel guides.



    Once the L2TP VPN login worked, we then found we could not contact any internal IP addresses on the LAN we connected to. So we had to add this route, again from "iholken's" steps:



    Is there a ZyXel document for setting up L2TP VPN client-to-site that details these requirements? Or is our USG 100 setup for some reason somehow unique? I wouldn't have thought so, as that "iholken's" article has helped many.

    Regards,
    Dale.
  • AWUSupport
    AWUSupport Posts: 43  Freshman Member
    Forgot to mention we also needed to add this Firewall rule to enable contact to internal addresses on LAN:


  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee

    Hi @AWUSupport,

    You don't need to add extra firewall rules for L2TP clients.

    Just configure Default_L2TP_VPN_GW, Default_L2TP_VPN_Connection and L2TP VPN like the following example.

    Default_L2TP_VPN_GW


    Default_L2TP_VPN_Connection

    The local policy is the WAN IP address.


    L2TP VPN

    Assign a pool for L2TP clients. Note that the pool cannot conflict with any other existing subnet even if they are not in use.


    Firewall

    Use the default firewall rules.


    On Windows 10, in the VPN protocol settings, select PAP only.


    Result

    L2TP clients are connected successfully.
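As an added illustration of the pool rule in the reply above (example code written for this thread, not Zyxel's), here is a Python check that a proposed L2TP client pool, given either as a CIDR or as a start-end range, overlaps none of the configured subnets, whether or not those subnets carry traffic. The subnet table is constructed; in practice it would be filled from the USG's interface and VPN configuration.

```python
"""Check that an L2TP client address pool cannot collide with configured subnets.

Added example for this thread, not Zyxel software. Subnet names and
addresses below are constructed; the rule it enforces is the one stated
in the reply: the pool must not overlap any existing subnet, used or not.
"""
import ipaddress


def pool_networks(pool):
    """Accept a CIDR ('10.10.10.0/24') or a range ('10.10.10.10-10.10.10.20')."""
    if "-" in pool:
        first, last = (ipaddress.ip_address(p.strip()) for p in pool.split("-", 1))
        if last < first:
            raise ValueError(f"pool range is reversed: {pool}")
        # A range rarely aligns to one prefix; summarize it into covering networks.
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(pool, strict=False)]


def pool_conflicts(pool, subnets):
    """Return names of subnets (from a name -> CIDR mapping) that overlap the pool."""
    nets = pool_networks(pool)
    hits = []
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if any(n.overlaps(net) for n in nets):
            hits.append(name)
    return sorted(hits)


# Constructed interface table for a USG with one unused interface (lan2).
SUBNETS = {
    "lan1": "192.168.1.0/24",
    "lan2": "192.168.2.0/24",      # configured but nothing plugged in: still counts
    "dmz": "192.168.3.0/24",
}

if __name__ == "__main__":
    for candidate in ("192.168.2.10-192.168.2.50", "192.168.1.0/24", "192.168.50.0/24"):
        bad = pool_conflicts(candidate, SUBNETS)
        print(candidate, "->", "conflicts with " + ", ".join(bad) if bad else "OK")
```

A pool that lands inside the idle lan2 subnet is rejected just like one inside lan1, which is the point of the reply's "even if they are not in use": the USG routes the whole configured subnet to that interface, so addresses handed to L2TP clients from it would never reach them.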


