VLib

Configuring L2TP/IPSec passthrough on Juniper SSG5.
I am attempting to configure a policy to allow L2TP traffic through our SSG5 to an internal VPN server (RRAS on Windows Server 2003). I have PPTP successfully passing through, but L2TP seems to stop at the firewall. What ports and protocols need to be added to the policy on the Juniper to allow L2TP/IPSec traffic through to the internal VPN?


arnold

Does the IPSEC terminate on your SSG5?

The likely issue is that the ipsec is being negotiated with the SSG5 and is failing.

L2TP is UDP 1701, but since you are using L2TP over IPSEC, there is no need to open up ports, since the IPSEC policy should provide the path to the internal server as part of the configuration.
i.e. ipsec policy allows the remote user to connect to the Internal Windows 2003 server where RRAS is running.

VLib (ASKER)

The IPSec shouldn't, to my knowledge, be terminating on the SSG5. It should presumably be passing through to the internal RRAS server. Having said that, I could be wrong; not sure if it needs to terminate on the SSG5 or not.

Here is my current policy configuration on the SSG5 from untrust to trust to the internal RRAS server:


9 Untrust  NAMEOFPOLICY Any          MIP(XXX.XXX.XXX.XXX)
                                                   GRE                  Permit enabled ---X-X
                                                   L2TP        
                                                   L2TP-UDP1701
                                                   L2TP-UDP4500
                                                   L2TP-UDP500
                                                   PING        
                                                   PPTP-1723  
                                                   PPTP-47    

Please note that I have changed the policy name to NAMEOFPOLICY and the MIP to XXX.XXX.XXX.XXX for security purposes.

I manually created the L2TP-UDP policies. Please note that, as you can see, PPTP passthrough is configured and works fine.

What do I need to add to enable L2TP/IPSec traffic to passthrough properly to the RRAS server?

VLib (ASKER)


Sorry, I should have said "I manually created the L2TP-UDP Custom Services".


arnold

Check the RRAS server's log to see whether IPSEC errors are occurring.
Did you check whether your IPSEC from remote to the RRAS is establishing?
IPSEC has to be configured as a policy using the ipsec MMC on both the remote client and the RRAS.

VLib (ASKER)


I checked the RRAS server log, but an entry from the server log looks like this (machine name changed for security purposes):

192.168.20.2,USERNAME,06/16/2011,20:01:18,RAS,NAMEOFSERVER,4,192.168.20.2,6,2,7,1,5,130,61,5,64,1,65,1,31,166.205.14.159,66,166.205.14.159,25,311 1 192.168.20.2 05/25/2011 06:46:35 328,44,5499,8,192.168.10.158,12,1500,50,595,51,1,55,1308268878,45,3,40,1,4108,192.168.20.2,4147,311,4148,MSRASV5.20,412

I actually made another EE post about this, requesting assistance on dissecting these logs, because I have no idea (nor can I find anything online) how to read them. They're very complex. If you can point me towards a reference on this, that would be extremely appreciated.

Furthermore, on the SSG5, don't IP protocols 50 and 51 need to be opened up for IPSec to pass through? How do I add these custom services?

ASKER CERTIFIED SOLUTION
arnold


Qlemo

It's always a good idea to use session logging in the policy - that shows whether every required port/service is hitting that policy.
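The following is an added example of what the asker's two open points (custom services for IP protocols 50 and 51, and a logged Untrust-to-Trust policy as Qlemo recommends) look like on the ScreenOS CLI. It is not from the thread or from Juniper's own documentation; the syntax is written from memory for ScreenOS 5.x/6.x and should be verified with `get service` and `get policy id 9` after entry. The interface name ethernet0/0, the MIP address 203.0.113.10, the RRAS host 192.168.20.2 (taken from the NAS-IP-Address field of the posted log line) and all service and group names are assumptions. Lines beginning with `##` are annotations, not ScreenOS commands, and must be left out when pasting.

```screenos
## 1. One-to-one NAT for the RRAS server. A MIP translates addresses only,
##    so ESP and AH survive it; a port-translating DIP or VIP would not pass them.
set interface ethernet0/0 mip 203.0.113.10 host 192.168.20.2 netmask 255.255.255.255 vr trust-vr

## 2. Custom services. UDP 500/4500/1701 mirror the asker's L2TP-UDP* services.
##    ESP (IP protocol 50) is what the IPsec SAs carry when the client is NOT
##    behind NAT; only a NATed client switches to UDP 4500 (NAT-T). Without an
##    ESP service, un-NATed clients complete IKE and then stall. AH (51) is
##    included for completeness; Windows L2TP/IPsec uses ESP.
set service "ESP" protocol 50
set service "AH" protocol 51
set service "IKE-500" protocol udp src-port 0-65535 dst-port 500-500
set service "IKE-NATT-4500" protocol udp src-port 0-65535 dst-port 4500-4500
set service "L2TP-1701" protocol udp src-port 0-65535 dst-port 1701-1701

## 3. Group them so the policy has one service entry to maintain.
set group service "L2TP-IPSEC-PASSTHRU"
set group service "L2TP-IPSEC-PASSTHRU" add "ESP"
set group service "L2TP-IPSEC-PASSTHRU" add "AH"
set group service "L2TP-IPSEC-PASSTHRU" add "IKE-500"
set group service "L2TP-IPSEC-PASSTHRU" add "IKE-NATT-4500"
set group service "L2TP-IPSEC-PASSTHRU" add "L2TP-1701"

## 4. Untrust -> Trust policy to the MIP, with logging and counting enabled
##    so every service that hits (or misses) the policy shows up in the log.
set policy id 9 from "Untrust" to "Trust" "Any" "MIP(203.0.113.10)" "L2TP-IPSEC-PASSTHRU" permit log count

## 4b. Alternative if you would rather extend the existing policy 9 in place:
##     enter the policy context, add the service and turn on logging.
set policy id 9
set service "ESP"
set log
exit

save

## 5. Checks to run while a client is connecting.
get policy id 9
get session dst-ip 192.168.20.2
get log traffic
```

Two checks worth doing alongside this. First, the SSG5 must not terminate the IPsec itself (arnold's first question): if the firewall has any IKE gateway bound to the Untrust interface and the MIP shares that interface's address, the firewall may answer UDP 500 on its own behalf; a MIP on a separate address avoids the ambiguity. Second, because the RRAS server sits behind NAT, Windows XP SP2 and later clients refuse the L2TP/IPsec connection by default and need the `AssumeUDPEncapsulationContextOnSendRule` registry value set to 2 on the client; a policy that logs IKE and NAT-T sessions but never an L2TP session is the usual symptom.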
