How to set up USG40 as VPN behind another router (FritzBox)

lion · November 2018

Dear all,

I have been trying to set up the USG40 as the VPN for my environment behind a Fritzbox router but I am currently stuck with an Match default rule, DROP. The VPN is actually accessible through the WAN IP when I am connected to the Fritzbox router, but I cannot access the VPN when connected to another wifi connection or mobile hotspot data. I have been looking around from other QnAs and it seems that I have to configure the NAT in order to connect to the VPN from other wifi connections. Would anyone be able to shed some light for this matter? I am not so sure whether I should pick Virtual Server, or 1:1 NAT. Furthermore I am not so sure what exactly should the Internal IP be.

Thanks in advance!

Alfonso · November 2018

Hi @lion

L2TP IPSec on Windows 10 problems are known.

Quick solution is to execute, and reboot the pc

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f

But I suggest to read the following links:

https://superuser.com/questions/1298513/l2tp-ipsec-vpn-fails-to-connect-on-windows-10-works-fine-on-ios
https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#windows

I hope it helps you.

Best regards

Alfonso · November 2018

Hi @lion

I suppose you are trying to establish a VPN from anywhere outside your network to the USG40, but the USG is behind a Fritzbox router (and I suppose your public ip address is on the wan interface of the Fritzbox).

In that scenario, NAT rules must be configured on the Fritzbox, it depends on the VPN but in most of the cases the following NAT 1:1 should be configured:

- Port 500 udp (ISAKMP)
- ESP (ip protocol 50) and AH (ip protocol 51)
- Port 4500 udp (IKEv2)

lion · November 2018

Hi @Alfonso

thank you for your answer. Unfortunately that does not solve the problem.
The port forwarding for UDP 500, UDP 4500 and ESP is enabled, but it is not possible to forward AH in the Fritzbox.

After enabling logging for some more rule I'm getting the follwing message which seems to be the problem:

[ID] : Tunnel [WIZ_L2TP_VPN] Phase 2 Local policy mismatch

I also tried to change the local policy but no luck.

Do you have any further suggestions?
Thanks in advance.

Alfonso · November 2018

Hi @lion

So the issue is related to Phase 2.

Phase 1 is IKE where you start things out... Diffie-Hellman is used to set up your negotiation and setup of your traffic-encryption keys to get started. Your IKE SA will be completed here.

Phase 2 is IPSec (ISAKMP) where you get into what specifics you set up in your policies to have your keys set. This is the traffic keys themselves. And the traffic is getting encrypted here. IPSec SA is present if everything goes well.

Phase 2 is already expecting the key information but it comes FROM phase 1.

Which clients are trying to connect? Android phones? IOS phones?

lion · November 2018

Hi @Alfonso

I tried to connect PCs with Windows 10 using the built in VPN client.

Phase 1 seems to work fine since I'm getting a message, stating that it was completed.

Alfonso · November 2018

Hi @lion

L2TP IPSec on Windows 10 problems are known.

Quick solution is to execute, and reboot the pc

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f

But I suggest to read the following links:

https://superuser.com/questions/1298513/l2tp-ipsec-vpn-fails-to-connect-on-windows-10-works-fine-on-ios
https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#windows

I hope it helps you.

Best regards

lion · November 2018

Hi @Alfonso

thank you so much! It finally works

Alfonso · November 2018

Hi @lion

It sounds great. Nice to help you.

How to set up USG40 as VPN behind another router (FritzBox)

Accepted Solution

All Replies

Categories

Security Highlight

Security Help Center