Login fails - L2TP VPN Client Server between ZyWALL USG 100 and Windows 10
AWUSupport
Posts: 43 Freshman Member
Hi,
Have configured ZyWall USG 100 for L2TP VPN Client-Server as per Zyxel documentation. As per log below all works up to the point of ready to pass VPN username and password, at which point it disconnects. No NAT connected router on the WAN side of ZyWall.
Then we receive this message:
"The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g., firewalls, NAT, Router etc.) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem."
Log:
No. Date/Time Source Destination
Priority Category Note
Message
1 2018-10-16 19:15:18 103.75.1.2:500 120.146.1.2:500
info ike IKE_LOG
The cookie pair is : 0x6fd26dd05a0dc7fc / 0xb70c8fbbabf10927
2 2018-10-16 19:15:18 103.75.1.2:500 120.146.1.2:500
info ike IKE_LOG
ISAKMP SA [L2TP_VPN_GATEWAY] is disconnected
3 2018-10-16 19:15:22 120.146.1.2:500 103.75.1.2:500
notice firewall ACCESS FORWARD
priority:32, from WAN to ZyWALL, UDP, service Default_Allow_WAN_To_ZyWALL, ACCEPT
4 2018-10-16 19:15:22 120.146.1.2:500 103.75.1.2:500
info ike IKE_LOG
The cookie pair is : 0xec9de64c19f00475 / 0x0000000000000000
5 2018-10-16 19:15:22 120.146.1.2:500 103.75.1.2:500
info ike IKE_LOG
Recv Main Mode request from [120.146.1.2]
6 2018-10-16 19:15:22 120.146.1.2:500 103.75.1.2:500
info ike IKE_LOG
The cookie pair is : 0x5a30a5e4ded98cc2 / 0xec9de64c19f00475 [count=3]
7 2018-10-16 19:15:22 120.146.1.2:500 103.75.1.2:500
info ike IKE_LOG
Recv:[SA][VID][VID][VID][VID][VID][VID][VID][VID]
8 2018-10-16 19:15:22
info ipsec IPSEC_LOG
recv sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 384 bit ECP, AES CBC key len = 128, 256 [count=3]
9 2018-10-16 19:15:22 103.75.1.2:500 120.146.1.2:500
info ike IKE_LOG
The cookie pair is : 0xec9de64c19f00475 / 0x5a30a5e4ded98cc2 [count=2]
10 2018-10-16 19:15:22 103.75.1.2:500 120.146.1.2:500
info ike IKE_LOG
Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID]
11 2018-10-16 19:15:22 120.146.1.2:500 103.75.1.2:500
info ike IKE_LOG
Recv:[KE][NONCE][PRV][PRV]
12 2018-10-16 19:15:22 103.75.1.2:500 120.146.1.2:500
info ike IKE_LOG
Send:[KE][NONCE][PRV][PRV]
13 2018-10-16 19:15:22 120.146.1.2:500 103.75.1.2:500
info ike IKE_LOG
Recv:[ID][HASH]
14 2018-10-16 19:15:22 103.75.1.2:4500 120.146.1.2:4500
info ike IKE_LOG
The cookie pair is : 0xec9de64c19f00475 / 0x5a30a5e4ded98cc2 [count=2]
15 2018-10-16 19:15:22 103.75.1.2:4500 120.146.1.2:4500
info ike IKE_LOG
Send:[ID][HASH]
16 2018-10-16 19:15:22 103.75.1.2:500 120.146.1.2:4500
info ike IKE_LOG
The cookie pair is : 0xec9de64c19f00475 / 0x5a30a5e4ded98cc2 [count=5]
17 2018-10-16 19:15:22 103.75.1.2:500 120.146.1.2:4500
info ike IKE_LOG
Phase 1 IKE SA process done
18 2018-10-16 19:15:22 120.146.1.2:4500 103.75.1.2:4500
info ike IKE_LOG
The cookie pair is : 0x5a30a5e4ded98cc2 / 0xec9de64c19f00475 [count=2]
19 2018-10-16 19:15:22 120.146.1.2:4500 103.75.1.2:4500
info ike IKE_LOG
Recv:[HASH][SA][NONCE][ID][ID][PRV][PRV]
20 2018-10-16 19:15:22 103.75.1.2:4500 120.146.1.2:4500
info ike IKE_LOG
Send:[HASH][SA][NONCE][ID][ID][PRV][PRV]
21 2018-10-16 19:15:22 120.146.1.2:4500 103.75.1.2:4500
info ike IKE_LOG
Recv:[HASH]
22 2018-10-16 19:15:22 120.146.1.2:4500 103.75.1.2:4500
error ipsec ipsec
SPI: 0x81bad30b (2176504587) SEQ: 0x1 (1) No rule found, Dropping ESP/NAT-T packet
23 2018-10-16 19:15:22 103.75.1.2:500 120.146.1.2:4500
info ike IKE_LOG
[Responder:103.75.1.2][Initiator:120.146.1.2]
24 2018-10-16 19:15:22 103.75.1.2:500 120.146.1.2:4500
info ike IKE_LOG
[Policy: ipv4(udp:1701,103.75.1.2)-ipv4(udp:1701,192.168.0.233)]
25 2018-10-16 19:15:22 103.75.1.2:500 120.146.1.2:4500
info ike IKE_LOG
[ESP 3des-cbc|hmac-sha1-96][SPI 0x81bad30b|0x7158117c][Lifetime 300000 kilobytes 3620 seconds]
26 2018-10-16 19:15:22 103.75.1.2:500 120.146.1.2:4500
info ike IKE_LOG
Dynamic Tunnel [L2TP_VPN_GATEWAY:L2TP_VPN_CONNECTION:0x7158117c] built successfully
27 2018-10-16 19:15:57 120.146.1.2:4500 103.75.1.2:4500
info ike IKE_LOG
The cookie pair is : 0x5a30a5e4ded98cc2 / 0xec9de64c19f00475 [count=3]
28 2018-10-16 19:15:57 120.146.1.2:4500 103.75.1.2:4500
info ike IKE_LOG
Recv:[HASH][DEL] [count=2]
29 2018-10-16 19:15:57 120.146.1.2:4500 103.75.1.2:4500
info ike IKE_LOG
Received delete notification
30 2018-10-16 19:15:57 103.75.1.2:4500 120.146.1.2:4500
info ike IKE_LOG
The cookie pair is : 0xec9de64c19f00475 / 0x5a30a5e4ded98cc2
31 2018-10-16 19:15:57 103.75.1.2:4500 120.146.1.2:4500
info ike IKE_LOG
ISAKMP SA [L2TP_VPN_GATEWAY] is disconnected
32 2018-10-16 19:15:58 103.75.1.2:500 120.146.1.2:4500
info ike IKE_LOG
The cookie pair is : 0xec9de64c19f00475 / 0x5a30a5e4ded98cc2
33 2018-10-16 19:15:58 103.75.1.2:500 120.146.1.2:4500
info ike IKE_LOG
Tunnel [L2TP_VPN_GATEWAY:L2TP_VPN_CONNECTION:0x7158117c] is disconnected
Does anyone have an idea of what fault could be causing the disconnection before authenticating the VPN username and password?
Cheers,
Dale.
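The timeline in the log above can be extracted mechanically. The following Python is an added example, not part of the original post or of any Zyxel tooling; it assumes the three-lines-per-record layout seen in the pasted log, and the function names `parse` and `summarize` are hypothetical.

```python
import re
from datetime import datetime

HEADER = re.compile(r"(\d+) (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)(?: (\S+) (\S+))?$")
# Records 8, 22, 26 and 29 copied from the log in the post (three lines each).
SAMPLE = """\
8 2018-10-16 19:15:22
info ipsec IPSEC_LOG
recv sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 384 bit ECP, AES CBC key len = 128, 256 [count=3]
22 2018-10-16 19:15:22 120.146.1.2:4500 103.75.1.2:4500
error ipsec ipsec
SPI: 0x81bad30b (2176504587) SEQ: 0x1 (1) No rule found, Dropping ESP/NAT-T packet
26 2018-10-16 19:15:22 103.75.1.2:500 120.146.1.2:4500
info ike IKE_LOG
Dynamic Tunnel [L2TP_VPN_GATEWAY:L2TP_VPN_CONNECTION:0x7158117c] built successfully
29 2018-10-16 19:15:57 120.146.1.2:4500 103.75.1.2:4500
info ike IKE_LOG
Received delete notification
"""

def parse(text):
    """Split the export into records: header line, priority/category/note, message."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    records = []
    for head, meta, msg in zip(lines[0::3], lines[1::3], lines[2::3]):
        m = HEADER.match(head)
        if not m:
            raise ValueError(f"not a record header: {head!r}")
        priority, category, note = meta.split(None, 2)
        records.append({"no": int(m[1]), "src": m[3], "dst": m[4],  # src/dst may be None
                        "time": datetime.strptime(m[2], "%Y-%m-%d %H:%M:%S"),
                        "priority": priority, "category": category, "msg": msg})
    return records

def summarize(records):
    """Report how long the tunnel stayed up, who tore it down, and any ESP drops."""
    def first(needle):
        return next((r for r in records if needle in r["msg"]), None)
    built, delete = first("built successfully"), first("Received delete notification")
    drops = [r["no"] for r in records
             if r["priority"] == "error" and "Dropping ESP" in r["msg"]]
    return {"tunnel_built": built is not None,
            "deleted_by": delete["src"] if delete else None,
            "seconds_up": (delete["time"] - built["time"]).total_seconds()
                          if built and delete else None,
            "esp_drops": drops}

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```

On these records it reports that the tunnel was built, that the delete notification arrived from 120.146.1.2:4500 35 seconds later, and that one ESP/NAT-T packet (record 22) was dropped with "No rule found".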
Comments
-
Line 28 onwards of log above seems to be where the disconnection happens for our VPN client-server login.
Do you have any suggestions, Charlie? I can certainly send you the firewall config if required to help troubleshoot.
-
Hi Emily,
Minutes after I received your post reply I resolved the L2TP VPN client to site login failure. Let me explain more ...
We have in place, of course, the Default Firewall rule for WAN to ZyWALL for IKE, ESP, NATT and also added UDP 1701 - login failed under these conditions as stated in my original post.
We added a new Firewall rule yesterday that allowed login - found this tip here http://www.iholken.com/index.php/2015/07/19/setup-vpn-l2tpipsec-tunnel-between-zywall-usg-and-windows-phone-8-1-or-iphoneipad/ . Could not find any reference to this rule being required in the ZyXel guides.
Once the L2TP VPN login worked we then found we could not contact any internal IP addresses on the LAN we connected to. So we had to add this route, again from "iholken's" steps:
Is there a ZyXel document for setting up L2TP VPN Client to Site that details these requirements? Or for some reason is our USG 100 setup somehow unique - I wouldn't have thought so, as that "iholken's" article has helped many.
Regards,
Dale.
-
Forgot to mention we also needed to add this Firewall rule to enable contact to internal addresses on LAN:
-
Hi @AWUSupport,
You don't need to add extra firewall rules for L2TP clients.
Just configure Default_L2TP_VPN_GW, Default_L2TP_VPN_Connection and L2TP VPN like the following example.
Default_L2TP_VPN_GW
Default_L2TP_VPN_Connection
The local policy is the WAN IP address.
L2TP VPN
Assign a pool for L2TP clients. Note that the pool cannot conflict with any other existing subnet even if they are not in use.
Firewall
Use the default firewall rules.
On Windows 10, set the default protocol setting and select PAP only.
Result
L2TP clients are connected successfully.