
L2TP vpn allowed from local interface but not from internet

Hello. I made an L2TP over IPsec VPN configuration with preshared keys.

I am able to connect to vpn through my external interface (inside router).

But when I try to connect from internet then I get the error "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer."

I do port forward: udp 500, udp 4500, udp 1701 and tcp 1723.

Also I have tried with a DMZ zone so all the traffic goes to the UTM directly. I can't figure out what is going on.

Any ideas? Thanks.



  • Geiasou and welcome to the UTM Community!

    It's not possible to do what you want with L2TP/IPsec unless you have a public IP on the External interface of your UTM.  In L2TP/IPsec, initial messages from the server are "signed" with the IP of the External interface.  If that IP is different from the one the client "called," you will experience the failure you're seeing.

    It might be easier to use the SSL VPN.  Here in the USA, I usually recommend changing the service from TCP 443 to UDP 1443.  In Europe, I recommend changing to UDP 443 to avoid potential conflicts with hotels' routers blocking other UDP ports.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Are you sure about this? The payload is encrypted and it is not possible for the router to "read" it. The router forwards the packets to the UTM. The UTM accepts the packet since it came from the "external" interface.

    I can't understand why. So when will I be able to use IPsec VPN? Do I need to "re-write the packet" with a NAT tactic?

    Thanks for your response.

  • We can see in the IPsec log what is happening in the UTM:

    1. Confirm that Debug is not enabled.
    2. Start the IPsec Live Log and wait for it to begin to populate.
    3. Try to establish an L2TP/IPsec connection from outside.
    4. Copy here about 60 lines from the IPsec log from trying to connect through the error.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
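Once those 60 lines are pasted, the first thing to look for is the IKE NAT-Traversal result line, which says whether the UTM itself was detected behind NAT (the situation Bob describes above). The Python below is an added triage helper, not part of this thread or of Sophos UTM; the sample log lines are constructed in pluto-style wording and the exact log format is an assumption.

```python
import re

# Constructed sample lines in pluto-style IPsec log wording (an assumption about
# the UTM's exact format); the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
pluto[2901]: "L2TP-VPN"[1] 203.0.113.7 #1: responding to Main Mode from unknown peer 203.0.113.7
pluto[2901]: "L2TP-VPN"[1] 203.0.113.7 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
pluto[2901]: "L2TP-VPN"[1] 203.0.113.7 #1: sent MR3, ISAKMP SA established
pluto[2901]: "L2TP-VPN"[1] 203.0.113.7 #2: cannot respond to IPsec SA request because no connection is known
"""

# Captures the text after the RFC 3947 result, e.g. "peer is NATed" or "both are NATed".
NAT_RESULT = re.compile(r"NAT-Traversal: Result using RFC 3947[^:]*: (.+)$")


def triage(log_text):
    """Summarise an IPsec live-log excerpt from an L2TP/IPsec attempt.

    Returns the NAT-T result the responder reported, which SAs came up, and a
    short verdict keyed to the 'UTM behind NAT' failure mode from the thread.
    """
    nat_result = None
    isakmp_up = ipsec_up = False
    for line in log_text.splitlines():
        m = NAT_RESULT.search(line)
        if m:
            nat_result = m.group(1).strip()
        if "ISAKMP SA established" in line:
            isakmp_up = True
        if "IPsec SA established" in line:
            ipsec_up = True
    # "i am NATed" / "both are NATed" means the UTM's External address is not
    # the public address the client dialled: the case Bob describes.
    server_nated = nat_result in ("i am NATed", "both are NATed")
    if ipsec_up:
        verdict = "ipsec_ok"                # phases 1 and 2 fine; look at the L2TP/PPP log next
    elif server_nated:
        verdict = "server_behind_nat"       # External interface has no public IP
    elif nat_result is None and not isakmp_up:
        verdict = "no_nat_t_or_no_phase1"   # nothing negotiated; check UDP 500/4500 forwarding
    else:
        verdict = "other_ike_failure"
    return {"nat_result": nat_result, "isakmp_sa": isakmp_up,
            "ipsec_sa": ipsec_up, "server_nated": server_nated, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```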