How do I get my L2TP/IPsec VPN to transmit traffic?

Hi Experts!

I'm using a Windows Server 2012 R2 server with RRAS to set up an L2TP/IPsec VPN.  In my lab it works perfectly.  But in production I can connect to the VPN but I cannot ping the server or anything on the network, nor can I access any of the services on the network.

I've set up RRAS with VPN and LAN Routing, DHCP relay, set a PSK and set up port forwarding on the firewall/router (TP-Link TL-WR940N V2).  I set up my lab the same way except the firewall is a very nice Barracuda NG Firewall.

On the LAN the server is accessible and it works great -- it just won't transmit any traffic through the VPN.  I've tried:

1.  Reinstalling RRAS
2.  Messing with NAP (although I didn't have to with my lab setup and I've returned NAP to the original settings)
3.  Played around with additional port forward settings
4.  Disabled the SPI firewall on the TP-Link router
5.  Connected the server directly into the router, was connected before into an unmanaged D-Link switch
6.  Enabled/Disabled L2TP and IPSEC passthrough on the firewall
7.  Tried multiple different user credentials

The LAN is on a different subnet than the client devices are on (Windows 7 laptop and an Android 5.1 phone).  The routing table looks good and about the only thing I haven't done is make sure the firewall isn't SNAT'ing (which I believe I set up the NG Firewall not to do) and make sure that the MTU of the WAN port isn't something randomly small.  Other devices are able to access services behind the firewall without issue, i.e. the security camera app on a cellphone.  I've looked a little through the RRAS logs but I'll admit I don't know what I'm looking for.  This is my first time setting up a VPN on a Windows Server -- well, second :).

Thoughts?
bytespeedAsked:
arnoldCommented:
When you are on the LAN you already have a path.  Does your lab VPN configuration, to secure all, use the gateway on remote n.....

What IP does your VPN server allocate, and does it include a route push to the VPN user?

When connected ipconfig /all
arnoldCommented:
Oh, ping might not be a good test, as Windows Firewall might be blocking it under the non-domain network even if ping on the LAN works.
bytespeedAuthor Commented:
Ping isn't being blocked and no other service works either.  When I attempt to get to the internet on my laptop and phone, the requests time out.  Right now the firewalls are off on the system and the client.

I tested my lab coming in from offsite -- same exact config.  I didn't turn off any firewalls in my lab and ping worked as well as getting to the internet.  The routes are the same too.

VPN server doesn't push any routes.
bytespeedAuthor Commented:
Here's ipconfig on the server:

PPP adapter RAS (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : RAS (Dial In) Interface
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.176.107(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) I210 Gigabit Network Connection #2
   Physical Address. . . . . . . . . : 00-1E-67-B6-46-3A
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::b064:efe9:8ba7:c542%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.176.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.176.1
   DHCPv6 IAID . . . . . . . . . . . : 369106535
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-78-D4-4E-00-1E-67-B6-46-3B
   DNS Servers . . . . . . . . . . . : 192.168.176.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) I210 Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-1E-67-B6-46-3B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{12F3555D-C62A-4C73-AEB5-75BC0C898CEF}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:1077:1f50:bea4:3a98(Preferred)
   Link-local IPv6 Address . . . . . : fe80::1077:1f50:bea4:3a98%16(Preferred)
   Default Gateway . . . . . . . . . : ::
   DHCPv6 IAID . . . . . . . . . . . : 469762048
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-78-D4-4E-00-1E-67-B6-46-3B
   NetBIOS over Tcpip. . . . . . . . : Disab
bytespeedAuthor Commented:
Here's ipconfig on the client:

PPP adapter VPN Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VPN Connection
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.176.107(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DNS Servers . . . . . . . . . . . : 192.168.176.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller #2
   Physical Address. . . . . . . . . : 00-23-81-1B-01-E2
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : guest.local
   Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-N 7260
   Physical Address. . . . . . . . . : FC-F8-AE-E5-2A-63
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::9127:7d15:faee:ee29%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.20.56(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, September 14, 2015 8:32:39 AM
   Lease Expires . . . . . . . . . . : Monday, September 14, 2015 4:32:39 PM
   Default Gateway . . . . . . . . . : 10.0.20.1
   DHCP Server . . . . . . . . . . . : 10.0.20.2
   DHCPv6 IAID . . . . . . . . . . . : 318568622
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-6D-39-26-00-23-81-1A-D9-B0

   DNS Servers . . . . . . . . . . . : 10.0.20.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.guest.local:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : guest.local
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{D67982EB-5501-4914-B620-5EF6D9202CCE}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{3C315737-CD60-410E-90E5-56F4068082F6}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
arnoldCommented:
OK, with the routing that you show, if you go to any IP on the 192.168.176.107 255.255.255.255 is the single IP.
Do you have a route that advertises which networks are accessible via this network?
route print
route add 192.168.176.0 mask 255.255.255.0 192.168.176.107
route add 172.16.10.0 mask 255.255.255.0 192.168.176.107

IPsec usually establishes the secure tunnel from your system to the Windows VPN server;
the L2TP negotiation then obtains the VPN IP to be used locally and the LAN IPs reachable on the other side.
Or you have to manually add those IP ranges.
arnoldCommented:
Your server reflects the connection being established:

   IPv4 Address. . . . . . . . . . . : 192.168.176.107(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255

You are assigning the same IPs that are on your server's LAN to the VPN.  Commonly you would need to have a second network connected using a loopback (RJ45 with pin 1 connected to pin 3 and pin 2 to pin 6); this will have the VPN IP segment, and then your RRAS is configured to route the VPN IP segment to the LAN.

Which guide did you use to set this up?
Ref MS ......
https://technet.microsoft.com/en-us/library/dd458983.aspx

bytespeedAuthor Commented:
The DHCP Relay wasn't working properly with the TP-Link router to hand out IPs to the clients.  It would hand out the same IP the server has to the clients.

I set the IPv4 Address assignment under RRAS > Properties > IPv4 to a static pool outside of the DHCP scope of the router and things started to work.
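The root cause bytespeed found above is visible in the two ipconfig listings earlier in the thread: the server's "RAS (Dial In) Interface" and the client's "VPN Connection" both report 192.168.176.107, i.e. the relayed DHCP answer handed the same address to both ends, and that address sits inside the router's own LAN scope. The following Python script is an added example, not code from the thread or from RRAS: it parses `ipconfig /all` output for the two hosts, flags the PPP address collision, and checks that a proposed RRAS static pool does not overlap the router's DHCP scope. The ipconfig excerpts are trimmed copies of the values posted in the thread; the DHCP scope and static-pool ranges in the usage section are assumptions for illustration, since the thread does not state the router's scope.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Trimmed ipconfig /all excerpts, constructed from the values posted in the thread.
SERVER_IPCONFIG = """\
PPP adapter RAS (Dial In) Interface:

   IPv4 Address. . . . . . . . . . . : 192.168.176.107(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255

Ethernet adapter Ethernet 2:

   IPv4 Address. . . . . . . . . . . : 192.168.176.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.176.1
"""

CLIENT_IPCONFIG = """\
PPP adapter VPN Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.176.107(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 10.0.20.56(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.20.1
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
# Field lines look like "   Key . . . . : value"; the key ends at the first
# colon that follows a run of dots/spaces, so IPv6 values keep their colons.
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, str]]:
    """Parse ipconfig /all output into {adapter name: {field: value}}."""
    adapters: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            value = m.group(2).replace("(Preferred)", "").strip()
            adapters[current][m.group(1).strip()] = value
    return adapters


def ppp_addresses(adapters: Dict[str, Dict[str, str]]) -> List[ipaddress.IPv4Address]:
    """IPv4 addresses of PPP adapters (RRAS dial-in side or client VPN side)."""
    return [ipaddress.IPv4Address(f["IPv4 Address"])
            for name, f in adapters.items()
            if name.startswith("PPP adapter") and "IPv4 Address" in f]


def lan_network(adapters: Dict[str, Dict[str, str]]) -> Optional[ipaddress.IPv4Network]:
    """The LAN subnet of the first Ethernet adapter that has an IPv4 address."""
    for name, f in adapters.items():
        if name.startswith("Ethernet adapter") and "IPv4 Address" in f and f.get("Subnet Mask"):
            return ipaddress.ip_network(f"{f['IPv4 Address']}/{f['Subnet Mask']}", strict=False)
    return None


def find_address_collision(server_text: str, client_text: str) -> List[str]:
    """Addresses that appear on a PPP adapter of both the server and the client.
    A non-empty result is the symptom described in the thread: the tunnel is up
    but both ends claim the same IP, so nothing can be routed through it."""
    server = set(ppp_addresses(parse_ipconfig(server_text)))
    client = set(ppp_addresses(parse_ipconfig(client_text)))
    return [str(a) for a in sorted(server & client)]


def pool_overlaps_scope(pool_start: str, pool_end: str,
                        scope_start: str, scope_end: str) -> bool:
    """True if an RRAS static pool (inclusive range) overlaps the router's DHCP
    scope (inclusive range); overlapping ranges reintroduce duplicate leases."""
    a0, a1 = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
    b0, b1 = ipaddress.IPv4Address(scope_start), ipaddress.IPv4Address(scope_end)
    return a0 <= b1 and b0 <= a1


def pool_inside_lan(pool_start: str, pool_end: str, lan: ipaddress.IPv4Network) -> bool:
    """True if the whole pool lies in the LAN subnet, which on-subnet RRAS
    assignment (no second NIC or separate VPN segment) requires."""
    return (ipaddress.IPv4Address(pool_start) in lan
            and ipaddress.IPv4Address(pool_end) in lan)


if __name__ == "__main__":
    print("PPP address collision:", find_address_collision(SERVER_IPCONFIG, CLIENT_IPCONFIG))
    lan = lan_network(parse_ipconfig(SERVER_IPCONFIG))
    print("Server LAN:", lan)
    # Assumed router DHCP scope and candidate static pool (not from the thread).
    scope = ("192.168.176.100", "192.168.176.199")
    pool = ("192.168.176.200", "192.168.176.220")
    print("Pool overlaps DHCP scope:", pool_overlaps_scope(*pool, *scope))
    print("Pool inside LAN:", pool_inside_lan(*pool, lan))
```

Run it against the real `ipconfig /all` output of the RRAS server and a connected client; an address collision or an overlapping pool is the first thing to rule out before chasing firewall, passthrough or MTU settings.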
arnoldCommented:
To assign IPs via DHCP, you have to enable a second NIC (using loopback) with an IP on a new scope, which will have the additional DHCP scope assigned to it.  Your DHCP server will have two scopes: a LAN scope and a VPN scope.
The VPN clients will be assigned the VPN scope.
bytespeedAuthor Commented:
My own comment shows how to fix the issue if your DHCP server doesn't hand out the IPs correctly to the RRAS server.