
Remote access behind NAT router

I'm trying to set up a remote VPN connection from a Windows 10 machine and an iPhone to UTM 9, which is behind a NAT router.

I've tried L2TP over IPsec, IPsec, Cisco VPN client... and failed every time.

Does anyone have a how-to for this scenario?



  • Do you forward all incoming packets from the NAT router to the UTM?

    I use IPsec and SSL-VPN with this scenario. There is no special configuration.

    Which NAT router do you use?

    Check the firewall live log while trying to build the connection.

    Check the VPN live log while trying to build the connection.

    Something to see?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Yes - all traffic forwarded to the UTM, with a TP-Link DSL router.

    I've looked at the logs while connecting, and most of the references I find online suggest that NAT is the problem.

    For instance, trying IPsec, I see:

    2016:11:21-21:00:09 utm pluto[15428]: "D_Default"[3] 1.2.3.4:49809 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xc5c6409d (perhaps this is a duplicated packet)
    2016:11:21-21:00:09 utm pluto[15428]: "D_Default"[3] 1.2.3.4:49809 #3: sending encrypted notification INVALID_MESSAGE_ID to 1.2.3.4:49809

    I gather that's because the UTM is behind NAT - but that could be wrong, of course.
  • Further info:

    The first connection attempt after restarting the ipsec service shows:

    2016:11:21-21:13:10 utm pluto[17230]: "D_Default"[2] 1.2.3.4:49809 #1: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===192.168.1.2:4500[5.6.7.8]...1.2.3.4:49809[10.3.77.39]===10.242.4.1/32
    2016:11:21-21:13:10 utm pluto[17230]: "D_Default"[2] 1.2.3.4:49809 #1: sending encrypted notification INVALID_ID_INFORMATION to 1.2.3.4:49809

    Subsequent attempts get the duplicate Message ID message.
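As an added example (not from any poster in this thread, and not Sophos code), a small Python parser for the pluto lines quoted above. It splits the "no connection is known for" descriptor into its two endpoints; the layout leftsubnet===leftaddr:port[leftid]...rightaddr:port[rightid]===rightsubnet is the classic Openswan/strongSwan pluto format and is assumed here. Run over the thread's own lines it shows what they actually say: the UTM speaks from 192.168.1.2 on UDP 4500 (NAT-T) while identifying itself as 5.6.7.8, and the client at 1.2.3.4 identifies itself as 10.3.77.39, so both sides are behind NAT.

```python
import re

# Constructed sample: the pluto lines quoted in this thread (addresses as
# given there; 1.2.3.4 / 5.6.7.8 are the thread's own placeholders).
SAMPLE = [
    '2016:11:21-21:13:10 utm pluto[17230]: "D_Default"[2] 1.2.3.4:49809 #1: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===192.168.1.2:4500[5.6.7.8]...1.2.3.4:49809[10.3.77.39]===10.242.4.1/32',
    '2016:11:21-21:13:10 utm pluto[17230]: "D_Default"[2] 1.2.3.4:49809 #1: sending encrypted notification INVALID_ID_INFORMATION to 1.2.3.4:49809',
    '2016:11:21-21:00:09 utm pluto[15428]: "D_Default"[3] 1.2.3.4:49809 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xc5c6409d (perhaps this is a duplicated packet)',
    '2016:11:21-21:00:09 utm pluto[15428]: "D_Default"[3] 1.2.3.4:49809 #3: sending encrypted notification INVALID_MESSAGE_ID to 1.2.3.4:49809',
]

# Line prefix: timestamp host pluto[pid]: "conn"[instance] peer:port #sa: message
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
    r'(?P<peer>[\d.]+):(?P<pport>\d+) #(?P<sa>\d+): (?P<msg>.*)$')
# Connection descriptor (classic Openswan/strongSwan pluto layout, assumed here):
#   leftsubnet===leftaddr:port[leftid]...rightaddr:port[rightid]===rightsubnet
DESC_RE = re.compile(
    r'(?P<lsub>\S+?)===(?P<laddr>[\d.]+):(?P<lport>\d+)\[(?P<lid>[^\]]+)\]\.\.\.'
    r'(?P<raddr>[\d.]+):(?P<rport>\d+)\[(?P<rid>[^\]]+)\]===(?P<rsub>\S+)')
NOTIFY_RE = re.compile(r'sending encrypted notification (?P<notify>[A-Z_]+) to ')

def parse_line(line):
    """Split one pluto line into fields; returns None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Condense a burst of pluto lines into what they say about NAT and errors."""
    out = {"notifications": [], "duplicate_message_id": False}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        n = NOTIFY_RE.search(rec["msg"])
        if n:
            out["notifications"].append(n["notify"])
        if "previously used Message ID" in rec["msg"]:
            out["duplicate_message_id"] = True
        d = DESC_RE.search(rec["msg"])
        if d:
            out.update(d.groupdict())
            # An address that differs from the ID sent in IKE means that
            # side is NATed; port 4500 means NAT-T (UDP encapsulation) is on.
            out["local_behind_nat"] = d["laddr"] != d["lid"]
            out["peer_behind_nat"] = d["raddr"] != d["rid"]
            out["nat_t"] = d["lport"] == "4500"
    return out
```

Call summarize() on the lines pasted from the VPN live log to get the endpoint fields and the list of notifications the UTM sent back in one place.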