
Solved

l2tp vpn

Posted on 2010-09-01
Last Modified: 2012-05-10
We are not able to connect to the L2TP VPN, please help me.

Config details: this is the port-forwarding config.

-A PREROUTING -d 12.12.12.2 -i eth0 -p udp -m udp --dport 1701 -j DNAT --to-destination 192.168.200.1

-A FORWARD -p esp -j ACCEPT
-A FORWARD -p ah -j ACCEPT
-A FORWARD -p udp -m udp --dport 1701 -j ACCEPT
-A FORWARD -p udp -m udp --dport 500 -j ACCEPT
-A FORWARD -p udp -m udp --dport 4500 -j ACCEPT
Question by:gopigops
9 Comments
 
LVL 3

Expert Comment

by:gremwell
ID: 33576516
You should describe your setup in more detail. The iptables config you are troubleshooting -- is it on the VPN client host, or on an intermediate router?
 

Author Comment

by:gopigops
ID: 33576826
We have one Windows 2003 server acting as a VPN server.
We have one Red Hat server acting as a firewall.
We are unable to connect to the VPN using L2TP, but PPTP VPN works fine.

This is the config:

-A PREROUTING -d 12.12.12.2 -i eth0 -p udp -m udp --dport 1701 -j DNAT --to-destination 192.168.200.1

-A FORWARD -p esp -j ACCEPT
-A FORWARD -p ah -j ACCEPT
-A FORWARD -p udp -m udp --dport 1701 -j ACCEPT
-A FORWARD -p udp -m udp --dport 500 -j ACCEPT
-A FORWARD -p udp -m udp --dport 4500 -j ACCEPT
 
LVL 3

Expert Comment

by:gremwell
ID: 33577942
I would suggest that you sniff the traffic on both interfaces of the firewall and see which packets get blocked when you try to establish the VPN. Check if IKE (UDP 500 or 4500) and IPSEC (ESP).

By the way, UDP 1701 packets travel encapsulated in IPSEC and are invisible to iptables; the corresponding statements in your policy have no effect on L2TP. If you need DNAT, you can try to apply it to the IKE/ESP traffic.

Author Comment

by:gopigops
ID: 33584543
We are unable to connect till now. Please tell me whether the above config is correct or not. If not, please give me a correct config.

And then we checked the traffic; it shows only ISAKMP and UDP.
 
LVL 3

Expert Comment

by:gremwell
ID: 33586317
Please provide more details about your setup.

What OS do you use as a client? Does the L2TP client software support NAT-T (NAT traversal)?
What is the IP address of your client?
What IP address does your client try to connect to?

What is the IP address of the interface of your router facing the L2TP client?
What is the purpose of the DNAT statement; what address translation are you trying to achieve?
What is the IP address of the interface of your router facing the L2TP server?

What is the IP address of the L2TP server?
 

Author Comment

by:gopigops
ID: 33586676
OK, I give:

1. Windows Vista
2. Public IP (internet works, no issues)
3. Public IP 12.12.12.2 (example)
4. 12.12.12.2
5.
6. 12.12.12.2
7. 192.168.200.1 (Windows 2003 server)
 
LVL 3

Accepted Solution

by:gremwell (earned 2000 total points)
ID: 33587679
Assuming eth0 is your internet-facing interface, you have to apply the following:
# pass IKE traffic
iptables -t nat -A PREROUTING -i eth0 -p udp -d 12.12.12.2 --dport 500 -j DNAT --to 192.168.200.1
# filter/FORWARD runs after nat/PREROUTING, so it sees the post-DNAT destination (the server address)
iptables -A FORWARD -i eth0 -p udp -d 192.168.200.1 --dport 500 -j ACCEPT

# pass IPSEC packets encapsulated in UDP datagrams (NAT-T)
iptables -t nat -A PREROUTING -i eth0 -p udp -d 12.12.12.2 --dport 4500 -j DNAT --to 192.168.200.1
iptables -A FORWARD -i eth0 -p udp -d 192.168.200.1 --dport 4500 -j ACCEPT


You don't need the iptables rules you posted earlier.

Some people say that running IPSEC servers behind NAT is a bad idea (http://support.microsoft.com/kb/885348/):

"... the default behavior of Microsoft Windows XP has changed with Service Pack 2 (SP2). IPSec NAT-T security associations to servers that are located behind network address translators are not recommended for Windows XP SP2-based computers. This change means that a Microsoft Windows Server 2003-based virtual private network (VPN) server that uses Layer Two Tunneling Protocol with IPSec (L2TP/IPSec) cannot be deployed behind a network address translator without additional configuration for Windows XP SP2-based VPN clients.

If you require IPSec for communication, we recommend that you use public IP addresses for all servers that you can connect to directly from the Internet. Windows-based client computers that support IPSec NAT-T can be located behind a network address translator. ..."

See http://support.microsoft.com/kb/947234 for instructions on how to configure your Vista client to allow connections to a VPN server located behind NAT.

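As an added illustration of gremwell's two points above (the UDP 1701 rules can never fire because L2TP is encrypted inside ESP, and IKE/NAT-T on UDP 500/4500 is what actually needs DNAT), here is a small Python model, not code from the thread, that evaluates the originally posted ruleset and the accepted approach against the outer headers an L2TP/IPsec NAT-T client sends. The addresses are the thread's example values; the client flow is constructed, and the FORWARD rules are keyed on the post-DNAT destination because netfilter evaluates filter/FORWARD after nat/PREROUTING has rewritten it.

```python
"""Constructed model of how this thread's firewall sees an L2TP/IPsec NAT-T client:
outer headers only. L2TP (UDP 1701) is encrypted inside ESP, so it is never visible."""

FIREWALL, SERVER = "12.12.12.2", "192.168.200.1"
# Outer headers the client actually sends (proto, dst, dport); constructed here.
CLIENT_FLOW = [("udp", FIREWALL, 500),    # IKE, also NAT-T detection
               ("udp", FIREWALL, 4500)]   # ESP-in-UDP carrying L2TP/1701
ORIGINAL = """\
-A PREROUTING -d 12.12.12.2 -i eth0 -p udp -m udp --dport 1701 -j DNAT --to-destination 192.168.200.1
-A FORWARD -p udp -m udp --dport 1701 -j ACCEPT
-A FORWARD -p udp -m udp --dport 500 -j ACCEPT
-A FORWARD -p udp -m udp --dport 4500 -j ACCEPT"""

# Accepted answer's approach; FORWARD keyed on the post-DNAT address (filter runs after nat).
CORRECTED = """\
-A PREROUTING -i eth0 -p udp -d 12.12.12.2 --dport 500 -j DNAT --to 192.168.200.1
-A FORWARD -i eth0 -p udp -d 192.168.200.1 --dport 500 -j ACCEPT
-A PREROUTING -i eth0 -p udp -d 12.12.12.2 --dport 4500 -j DNAT --to 192.168.200.1
-A FORWARD -i eth0 -p udp -d 192.168.200.1 --dport 4500 -j ACCEPT"""

def parse(ruleset):
    # Minimal iptables-save style parser; only the fields this model needs.
    rules = []
    for line in ruleset.splitlines():
        t = line.split()
        get = lambda f: t[t.index(f) + 1] if f in t else None
        rules.append({"chain": get("-A"), "proto": get("-p"), "dst": get("-d"),
                      "dport": int(get("--dport")) if get("--dport") else None,
                      "target": get("-j"), "to": get("--to") or get("--to-destination")})
    return rules

def matches(r, proto, dst, dport):
    return all(r[k] is None or r[k] == v for k, v in (("proto", proto), ("dst", dst), ("dport", dport)))

def deliver(ruleset, proto, dst, dport, policy="DROP"):
    # Where an inbound packet ends up: SERVER, "firewall-local" or "dropped".
    rules = parse(ruleset)
    for r in rules:  # nat/PREROUTING runs first; first matching DNAT wins
        if r["chain"] == "PREROUTING" and r["target"] == "DNAT" and matches(r, proto, dst, dport):
            dst = r["to"]
            break
    if dst == FIREWALL:  # still addressed to the firewall: INPUT path, FORWARD never consulted
        return "firewall-local"
    for r in rules:
        if r["chain"] == "FORWARD" and matches(r, proto, dst, dport):
            return dst if r["target"] == "ACCEPT" else "dropped"
    return dst if policy == "ACCEPT" else "dropped"

def dead_rules(ruleset, flow):
    # Ports no outer header of the flow carries; rules keyed on them can never fire.
    seen = {dport for _, _, dport in flow}
    return sorted({r["dport"] for r in parse(ruleset) if r["dport"] and r["dport"] not in seen})
```

With the original ruleset both IKE and NAT-T packets stay addressed to the firewall itself and never reach the Windows server, which matches the "only ISAKMP and UDP" seen in the capture; with the corrected rules both are translated and forwarded, and the 1701 rules are reported as dead.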
 

Author Comment

by:gopigops
ID: 33589514
We understand the IPSEC servers behind NAT. Thanks.
 

Author Closing Comment

by:gopigops
ID: 33589526
Thanks.
