bytespeed asked:
How do i get my L2TP/IPsec VPN to transmit traffic?

Hi Experts!

I'm using a Windows Server 2012 R2 server with RRAS to set up an L2TP/IPsec VPN.  In my lab it works perfectly.  But in production I can connect to the VPN but I cannot ping the server or anything on the network, nor can I access any of the services on the network.

I've set up RRAS with VPN and LAN Routing, DHCP relay, set a PSK and set up port forwarding on the firewall/router (TP-Link TL-WR940N V2).  I set up my lab the same way except the firewall is a very nice Barracuda NG Firewall.

On the LAN the server is accessible and it works great -- it just won't transmit any traffic through the VPN.  I've tried:

1.  Reinstalling RRAS
2.  Messing with NAP (although I didn't have to with my lab setup and I've returned NAP to the original settings)
3.  Played around with additional port forward settings
4.  Disabled the SPI firewall on the TP-Link router
5.  Connected the server directly into the router, was connected before into an unmanaged D-Link switch
6.  Enabled/Disabled L2TP and IPSEC passthrough on the firewall
7.  Tried multiple different user credentials

The LAN is on a different subnet than the client devices are on (Windows 7 laptop and an Android 5.1 phone).  The routing table looks good and about the only thing I haven't done is make sure the firewall isn't SNAT'ing (which I believe I set up the NG Firewall not to do) and make sure that the MTU of the WAN port isn't something randomly small.  Other devices are able to access services behind the firewall without issue, i.e. the security camera app on a cellphone.  I've looked a little through the RRAS logs but I'll admit I don't know what I'm looking for.  This is my first time setting up a VPN on a Windows Server -- well, second :).

Thoughts?
arnold:

When you are on the LAN you already have a path .. Does your lab VPN configuration to secure all, use gateway on remote n.....

What IP does your VPN server allocate, does it include a route push to the VPN user?

When connected, ipconfig /all
Oh, ping might not be a good test, as Windows Firewall might be blocking it under the non-domain network even if ping on the LAN works.
bytespeed (asker):
Ping isn't being blocked and no other service works either.  When I attempt to get to the internet on my laptop and phone, the requests time out.  Right now the firewalls are off on the server and the client.

I tested my lab from coming in from offsite -- same exact config.  I didn't turn off any firewalls in my lab and ping worked as well as getting to the internet.  The routes are the same too.

VPN server doesn't push any routes.
Here's ipconfig on the server:

PPP adapter RAS (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : RAS (Dial In) Interface
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.176.107(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) I210 Gigabit Network Connection #2
   Physical Address. . . . . . . . . : 00-1E-67-B6-46-3A
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::b064:efe9:8ba7:c542%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.176.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.176.1
   DHCPv6 IAID . . . . . . . . . . . : 369106535
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-78-D4-4E-00-1E-67-B6-46-3B
   DNS Servers . . . . . . . . . . . : 192.168.176.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) I210 Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-1E-67-B6-46-3B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{12F3555D-C62A-4C73-AEB5-75BC0C898CEF}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:1077:1f50:bea4:3a98(Preferred)
   Link-local IPv6 Address . . . . . : fe80::1077:1f50:bea4:3a98%16(Preferred)
   Default Gateway . . . . . . . . . : ::
   DHCPv6 IAID . . . . . . . . . . . : 469762048
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-78-D4-4E-00-1E-67-B6-46-3B
   NetBIOS over Tcpip. . . . . . . . : Disab

Here's ipconfig on the client:

PPP adapter VPN Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VPN Connection
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.176.107(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DNS Servers . . . . . . . . . . . : 192.168.176.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller #2
   Physical Address. . . . . . . . . : 00-23-81-1B-01-E2
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : guest.local
   Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-N 7260
   Physical Address. . . . . . . . . : FC-F8-AE-E5-2A-63
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::9127:7d15:faee:ee29%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.20.56(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, September 14, 2015 8:32:39 AM
   Lease Expires . . . . . . . . . . : Monday, September 14, 2015 4:32:39 PM
   Default Gateway . . . . . . . . . : 10.0.20.1
   DHCP Server . . . . . . . . . . . : 10.0.20.2
   DHCPv6 IAID . . . . . . . . . . . : 318568622
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-6D-39-26-00-23-81-1A-D9-B0

   DNS Servers . . . . . . . . . . . : 10.0.20.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.guest.local:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : guest.local
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{D67982EB-5501-4914-B620-5EF6D9202CCE}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{3C315737-CD60-410E-90E5-56F4068082F6}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

OK, with the routing that you show, if you go to any IP on the 192.168.176.107 255.255.255.255 is the single IP.
Do you have a route that advertises which networks are accessible via this network?
route print
route add 192.168.176.0 mask 255.255.255.0 192.168.176.107
route add 172.16.10.0 mask 255.255.255.0 192.168.176.107

IPsec usually establishes the secure tunnel from your system to the Windows VPN server;
the L2TP negotiation then obtains the VPN IP to be used locally and the LAN IPs reachable on the other side.
Or you have to manually add those IP ranges.
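To make the route question concrete, here is an added example (my own, not arnold's or the asker's code) that parses the IPv4 table of Windows `route print` output and does the same lookup Windows does (longest prefix, then lowest metric) to show which interface a packet for the RRAS server's LAN address would leave on, before and after the `route add` above. The route table in the block is constructed from the addresses posted in the thread (wireless 10.0.20.56/24 via 10.0.20.1, PPP adapter 192.168.176.107/32) and assumes the tunnel is not already carrying the client's default route; it is not the asker's real output.

```python
"""Route-table check for a VPN client (added example, not from the thread).

Parses the IPv4 section of Windows `route print` output and performs the
lookup Windows performs (longest prefix, then lowest metric) to show which
interface a packet for a LAN host would leave on, before and after adding
the route from the comment above.  The table below is CONSTRUCTED from the
addresses in the thread (wireless 10.0.20.56/24 via 10.0.20.1, PPP adapter
192.168.176.107/32); it is not the asker's real output.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# One data row of the "Active Routes" table: destination, netmask, gateway
# ("On-link" or an address), interface address, metric.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

# Constructed `route print` excerpt: nothing covers 192.168.176.0/24 and the
# tunnel is NOT carrying the default route (only the WLAN gateway is).
ROUTE_PRINT_BEFORE = """\
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.0.20.1      10.0.20.56     25
        10.0.20.0    255.255.255.0         On-link       10.0.20.56    281
       10.0.20.56  255.255.255.255         On-link       10.0.20.56    281
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
  192.168.176.107  255.255.255.255         On-link  192.168.176.107    276
===========================================================================
"""


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str        # "On-link" or a dotted-quad next hop
    interface: str      # address of the egress interface
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Extract the IPv4 routes from `route print` output; other lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append(Route(net, gateway, iface, int(metric)))
    return routes


def lookup(routes: List[Route], dest: str) -> Optional[Route]:
    """Pick the route Windows would use: longest prefix first, then lowest metric."""
    addr = ipaddress.IPv4Address(dest)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def route_add(routes: List[Route], dest: str, mask: str, gateway: str,
              metric: int = 26) -> List[Route]:
    """Model `route add DEST mask MASK GATEWAY` (Windows syntax, no 'net' keyword).

    The egress interface is the one with an On-link route containing the
    gateway; for a PPP adapter that is the adapter's own /32 address.
    The metric is an assumed value, not what Windows would compute.
    """
    gw = ipaddress.IPv4Address(gateway)
    for r in routes:
        if r.gateway == "On-link" and gw in r.network:
            new = Route(ipaddress.IPv4Network((dest, mask), strict=False),
                        gateway, r.interface, metric)
            return routes + [new]
    raise ValueError(f"gateway {gateway} is not reachable on any connected network")


def egress_interface(routes: List[Route], dest: str) -> Optional[str]:
    """Interface address a packet for `dest` would leave on, or None if unroutable."""
    best = lookup(routes, dest)
    return best.interface if best else None


if __name__ == "__main__":
    before = parse_route_print(ROUTE_PRINT_BEFORE)
    lan_host = "192.168.176.50"   # the RRAS server's LAN address from the thread
    print("before:", lan_host, "->", egress_interface(before, lan_host))
    after = route_add(before, "192.168.176.0", "255.255.255.0", "192.168.176.107")
    print("after: ", lan_host, "->", egress_interface(after, lan_host))
```

With only a /32 on the PPP adapter, the lookup for 192.168.176.50 falls through to the wireless default route, so the packet never enters the tunnel; once the /24 route via 192.168.176.107 exists it wins on prefix length. If the real `route print` already shows a 0.0.0.0/0 entry on the PPP interface with a lower metric than the WLAN one, the client side is already fine and the problem is on the server or firewall side instead.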
ASKER CERTIFIED SOLUTION (arnold)

To assign IPs via DHCP, you have to enable a second NIC (using loopback) with an IP on a new scope, which will have the additional DHCP scope assigned to it. Your DHCP server will have two scopes: a LAN scope and a VPN scope.
The VPN clients will be assigned the VPN scope.
My own comment shows how to fix an issue if your DHCP server doesn't hand out the IPs correctly to the RRAS server.