|
Post by mikael on May 25, 2016 9:39:09 GMT
The clients I have used are iPad (built in L2TP/IPsec, newest iOS) and MacOS (built in L2TP/IPsec, newest MacOS). Unfortunately I have no Windows machine right now, and the clients for Linux are very difficult to configure and mostly buggy.
The captive portal is disabled on my test VMs.
I have Wireshark, but can you please explain what you mean by "capture packets and see the difference between web on smallwall and web on a local client".
I can send you login information to the VMs if you'd like to take a look around.
Thanks! Mikael
|
|
|
Post by Lee Sharp on May 25, 2016 15:09:56 GMT
> The clients I have used are iPad (built in L2TP/IPsec, newest iOS) and MacOS (built in L2TP/IPsec, newest MacOS). Unfortunately I have no Windows machine right now, and the clients for Linux are very difficult to configure and mostly buggy.
Tell me about it! Linux L2TP is essentially unworkable right now!
> The captive portal is disabled on my test VMs. I have Wireshark, but can you please explain what you mean by "capture packets and see the difference between web on smallwall and web on a local client".
Install Wireshark on the Mac, and go to the web page on the firewall (fail) and a web page on another local resource (success) and compare the web traffic between the two. Is it not going out, not coming back, or coming back denied? I am trying to see where the break is.
|
|
|
Post by mikael on May 28, 2016 9:02:32 GMT
I have captured successful (local resource on LAN) and unsuccessful (smallwall web interface) using tcpdump. I send you the files in email. I don't want to share them in public forum in case there are sensitive data in the captures.
|
|
|
Post by Lee Sharp on May 29, 2016 16:11:24 GMT
I will look when I get a chance. Holiday weekend. 
|
|
|
Post by dja on May 30, 2016 12:33:49 GMT
Just for info, if you look in the FW log it seems that all traffic from the smallwall itself is blocked when using L2TP, so the DNS queries don't come thru either, so I get a lot of these in the log: (14:14:12.594800 L2TP 10.10.10.1, port 53 10.10.10.64, port 59448 UDP) as well as (14:27:55.801935 L2TP 10.10.10.1, port 443 10.10.10.64, port 64819 TCP), although traffic thru the smallwall towards internet works if you use IP addresses instead of DNS names.
|
|
|
Post by Lee Sharp on Jun 24, 2016 0:04:36 GMT
A client of mine is needing to use L2TP so I will be working on this next week. I love it when paid work and the project come together.
|
|
|
Post by mikael on Jul 27, 2016 14:32:14 GMT
I have installed the latest beta (1.8.4b11) and it's behaving the same way as before: Connected to the VPN I am able to reach resources on the LAN, but not the smallwall itself.
Have you been able to make any progress? Do you have any image I could help you testing?
Thanks, Mikael
|
|
|
Post by Lee Sharp on Jul 27, 2016 14:55:01 GMT
That client put a hold on spending for a while. But I am seeing them today to see if they will lift it. And then I will be focusing on it!
|
|
|
Post by mikael on Jul 29, 2016 11:59:24 GMT
Perhaps the pcap files I sent you earlier can be of any help.
There are a few sites where I would like to switch away from PPTP. L2TP/IPsec in smallwall would really be the best option since they're on m0n0wall right now. The only thing that stops me from doing this is that I cannot access the smallwall web interface while connected to the L2TP/IPsec VPN in smallwall. That works without a problem in PPTP.
Just tell me what I can do to help.
|
|
|
Post by Lee Sharp on Jul 29, 2016 13:52:01 GMT
Really, what I need is an uninterrupted bucket of time. This is a complex problem, and little looks and fixes have not done the job. I just need to sit down for a day or two and focus on this until I fully understand what is happening. (and what is not)
|
|
|
Post by ky41083 on Feb 1, 2017 4:02:30 GMT
- Connect via L2TP/IPsec
- Assign interfaces, add new interface bound to network port l2tp1 (or l2tp#)
- Add permit all firewall rule for new interface
- Enable new optional interface, bridge with LAN
- Reboot
- Add static route for new interface, destination network same as L2TP subnet, gateway same as L2TP server address, done.
This *should* be done automatically for every new dynamic L2TP interface (user) created, inheriting the rules from the main L2TP interface. It isn't. Something for the devs to do ;-)
Completely fixes L2TP/IPsec access to the firewall itself.
|
|
|
Post by ky41083 on Feb 1, 2017 4:12:21 GMT
Oh, sorry, must enable advanced -> Bypass firewall rules for traffic on the same interface, also, for this to work.
|
|
|
Post by Lee Sharp on Feb 1, 2017 5:32:33 GMT
Not sure I follow here. Are you adding routes on the client?
|
|
|
Post by marc on May 21, 2018 21:14:03 GMT
Lee, I read through this thread and I'm in the exact same situation. I didn't understand the "fix" user ky41083 wrote above and would appreciate any help you or Andy could provide. Now that it's 2018 and smallwall is at 1.8.4b11 can we reopen this? BTW, I've also tried the latest version of t1n1wall last week and like other users posted in this forum somewhere, I couldn't even get an L2TP or PPTP client to connect, so I reverted back to smallwall.
Here's my situation:
L2TP connection is not routing to internet nor smallwall interface, but can access LAN resource.
I followed your instructions RE setting up an L2TP connection (http://www.smallwall.org/docs/handbook/index-single.htm) but it is not routing out to the internet (i.e. DNS is not working, also not getting out).
Notes: Other than this, I have a fully working smallwall setup and have been using monowall for years and smallwall since it came out. I'm only looking to get L2TP working now.
Current Setup:
Smallwall version: 1.8.4b11
Client machine: Windows 7x64 using built-in VPN connectivity specified as L2TP (standard setup, nothing configured manually but secret and username / password, smallwall server (WAN) ip)
I can successfully connect to the smallwall L2TP interface I setup and here's what happens:
Windows 7 Client, connected with this L2TP connection: I am getting an IP address within the range I specified and also am getting the 'default' DNS servers (192.168.1.1 and 156.154.71.1) specified in the General Setup.
With this L2TP connection:
- I cannot get to the smallwall LAN interface at 192.168.1.1, no ping either, "Request timed out"
- I cannot get DNS resolution. nslookup responds with "DNS request timed out, Server: UnKnown, Address: 192.168.1.1", Windows tracert to google.com results in "Request timed out"
- I CAN get to another host on the LAN network by IP, ex. 192.168.1.159 (via SSH) and Ping also works correctly to this host
I have a working PPTP connection and have an adequate understanding of networking, but can't figure this one out. L2TP firewall rules are set just like the default PPTP rule (any, any, any, any allowed). PPTP works perfectly but is unusable now that our client network is behind a different NAT - PPTP connects in this environment, but fails to authenticate, hence needing to move to L2TP.
Here's my setup:
LAN: 192.168.1.1/24
DHCP: 192.168.1.163-192.168.1.199
Working PPTP setup: Server address: 192.168.1.8, Remote address range: 192.168.1.16/29
L2TP setup: Server address: 192.168.1.7, Remote address range: 192.168.1.24/29
IPsec (not sure if this matters): IPsec is not enabled, mobile clients not enabled, NAT-T enabled
I've attached an L2TP connection from the System log below and believe it might be these lines causing the issue?
May 21 12:57:33 dnsmasq[89]: failed to send packet: Network is unreachable
--------------------
May 21 12:58:00 racoon: INFO: KA remove: 68.6.1.23[4500]->172.32.27.101[33296]
May 21 12:58:00 racoon: INFO: ISAKMP-SA deleted 68.6.1.23[4500]-172.32.27.101[33296] spi:f2b903c502cca170:d8a9f353fa53aee5
May 21 12:58:00 racoon: INFO: ISAKMP-SA expired 68.6.1.23[4500]-172.32.27.101[33296] spi:f2b903c502cca170:d8a9f353fa53aee5
May 21 12:58:00 racoon: INFO: purged IPsec-SA proto_id=ESP spi=710786252.
May 21 12:57:59 mpd: L2TP: Control connection 0x285b3d08 terminated: 0 ()
May 21 12:57:59 mpd: [L-1] Link: Shutdown
May 21 12:57:59 mpd: [L-1] Link: SHUTDOWN event
May 21 12:57:59 mpd: [L-1] LCP: state change Closed --> Initial
May 21 12:57:59 mpd: [L-1] LCP: Down event
May 21 12:57:59 mpd: [L-1] LCP: state change Stopped --> Closed
May 21 12:57:59 mpd: [L-1] LCP: Close event
May 21 12:57:59 mpd: [L-1] Link: DOWN event
May 21 12:57:59 mpd: [L-1] L2TP: Call #0 terminated locally
May 21 12:57:59 mpd: [L-1] LCP: LayerFinish
May 21 12:57:59 mpd: [L-1] LCP: state change Stopping --> Stopped
May 21 12:57:58 mpd: [L-1] rec'd proto IP during terminate phase
May 21 12:57:58 mpd: [L-1] LCP: SendTerminateAck #3
May 21 12:57:58 mpd: [L-1] LCP: rec'd Terminate Request #11 (Stopping)
May 21 12:57:57 mpd: [L-1] LCP: LayerDown
May 21 12:57:57 mpd: [L-1] LCP: SendTerminateAck #2
May 21 12:57:57 mpd: [L2TP_T-1] Bundle: Shutdown
May 21 12:57:57 mpd: [L2TP_T-1] IPCP: state change Closing --> Initial
May 21 12:57:57 mpd: [L2TP_T-1] Bundle: No NCPs left. Closing links...
May 21 12:57:57 mpd: [L2TP_T-1] IPCP: LayerFinish
May 21 12:57:57 mpd: [L2TP_T-1] IPCP: Down event
May 21 12:57:57 mpd: [L2TP_T-1] IFACE: Rename interface l2tp1 to l2tp1
May 21 12:57:57 mpd: [L2TP_T-1] IFACE: Down event
May 21 12:57:57 mpd: [L2TP_T-1] IPCP: LayerDown
May 21 12:57:57 mpd: [L2TP_T-1] IPCP: SendTerminateReq #3
May 21 12:57:57 mpd: [L2TP_T-1] IPCP: state change Opened --> Closing
May 21 12:57:57 mpd: [L2TP_T-1] IPCP: Close event
May 21 12:57:57 mpd: [L2TP_T-1] Bundle: Status update: up 0 links, total bandwidth 9600 bps
May 21 12:57:57 mpd: [L-1] Link: Leave bundle "L2TP_T-1"
May 21 12:57:57 mpd: [L-1] LCP: state change Opened --> Stopping
May 21 12:57:57 mpd: [L-1] LCP: rec'd Terminate Request #10 (Opened)
May 21 12:57:37 last message repeated 7 times
May 21 12:57:33 dnsmasq[89]: failed to send packet: Network is unreachable
May 21 12:57:33 dnsmasq[89]: failed to send packet: Network is unreachable
May 21 12:57:33 kernel: ng0: changing name to 'l2tp1'
May 21 12:57:33 mpd: [L2TP_T-1] IFACE: Rename interface ng0 to l2tp1
May 21 12:57:33 mpd: [L2TP_T-1] IFACE: Up event
May 21 12:57:33 racoon: INFO: fe80:7::211:aff:fe60:d346[4500] used as isakmp port (fd=29)
May 21 12:57:33 racoon: INFO: fe80:7::211:aff:fe60:d346[500] used as isakmp port (fd=28)
May 21 12:57:33 racoon: INFO: 192.168.1.7[4500] used as isakmp port (fd=27)
May 21 12:57:33 racoon: INFO: 192.168.1.7[4500] used for NAT-T
May 21 12:57:33 racoon: INFO: 192.168.1.7[500] used as isakmp port (fd=26)
May 21 12:57:33 racoon: INFO: 192.168.1.7[500] used for NAT-T
May 21 12:57:33 mpd: [L2TP_T-1] 192.168.1.7 -> 192.168.1.24
May 21 12:57:33 mpd: [L2TP_T-1] IPCP: LayerUp
May 21 12:57:33 mpd: [L2TP_T-1] IPCP: state change Ack-Rcvd --> Opened
May 21 12:57:33 mpd: [L2TP_T-1] SECDNS 156.154.71.1
May 21 12:57:33 mpd: [L2TP_T-1] PRIDNS 192.168.1.1
May 21 12:57:33 mpd: [L2TP_T-1] IPADDR 192.168.1.24
May 21 12:57:33 mpd: [L2TP_T-1] IPCP: SendConfigAck #9
May 21 12:57:33 mpd: [L2TP_T-1] SECDNS 156.154.71.1
May 21 12:57:33 mpd: [L2TP_T-1] PRIDNS 192.168.1.1
May 21 12:57:33 mpd: [L2TP_T-1] 192.168.1.24 is OK
May 21 12:57:33 mpd: [L2TP_T-1] IPADDR 192.168.1.24
May 21 12:57:33 mpd: [L2TP_T-1] IPCP: rec'd Configure Request #9 (Ack-Rcvd)
May 21 12:57:33 mpd: [L2TP_T-1] IPCP: state change Req-Sent --> Ack-Rcvd
May 21 12:57:33 mpd: [L2TP_T-1] IPADDR 192.168.1.7
May 21 12:57:33 mpd: [L2TP_T-1] IPCP: rec'd Configure Ack #2 (Req-Sent)
May 21 12:57:33 mpd: [L2TP_T-1] SECDNS 156.154.71.1
May 21 12:57:33 mpd: [L2TP_T-1] PRIDNS 192.168.1.1
May 21 12:57:33 mpd: [L2TP_T-1] IPADDR 192.168.1.24
May 21 12:57:33 mpd: [L2TP_T-1] IPCP: SendConfigNak #8
May 21 12:57:33 mpd: [L2TP_T-1] NAKing with 156.154.71.1
May 21 12:57:33 mpd: [L2TP_T-1] SECDNS 0.0.0.0
May 21 12:57:33 mpd: [L2TP_T-1] NAKing with 192.168.1.1
May 21 12:57:33 mpd: [L2TP_T-1] PRIDNS 0.0.0.0
May 21 12:57:33 mpd: [L2TP_T-1] NAKing with 192.168.1.24
May 21 12:57:33 mpd: [L2TP_T-1] IPADDR 0.0.0.0
May 21 12:57:33 mpd: [L2TP_T-1] IPCP: rec'd Configure Request #8 (Req-Sent)
May 21 12:57:33 mpd: [L2TP_T-1] IPADDR 192.168.1.7
May 21 12:57:33 mpd: [L2TP_T-1] IPCP: SendConfigReq #2
May 21 12:57:33 mpd: [L2TP_T-1] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
May 21 12:57:33 mpd: [L2TP_T-1] IPCP: rec'd Configure Reject #1 (Req-Sent)
May 21 12:57:33 mpd: [L2TP_T-1] SECNBNS 0.0.0.0
May 21 12:57:33 mpd: [L2TP_T-1] PRINBNS 0.0.0.0
May 21 12:57:33 mpd: [L2TP_T-1] IPCP: SendConfigRej #7
May 21 12:57:33 mpd: [L2TP_T-1] SECNBNS 0.0.0.0
May 21 12:57:33 mpd: [L2TP_T-1] NAKing with 156.154.71.1
May 21 12:57:33 mpd: [L2TP_T-1] SECDNS 0.0.0.0
May 21 12:57:33 mpd: [L2TP_T-1] PRINBNS 0.0.0.0
May 21 12:57:33 mpd: [L2TP_T-1] NAKing with 192.168.1.1
May 21 12:57:33 mpd: [L2TP_T-1] PRIDNS 0.0.0.0
May 21 12:57:33 mpd: [L2TP_T-1] NAKing with 192.168.1.24
May 21 12:57:33 mpd: [L2TP_T-1] IPADDR 0.0.0.0
May 21 12:57:33 mpd: [L2TP_T-1] IPCP: rec'd Configure Request #7 (Req-Sent)
May 21 12:57:33 mpd: [L-1] rec'd unexpected protocol CCP, rejecting
May 21 12:57:33 mpd: [L-1] rec'd unexpected protocol IPV6CP, rejecting
May 21 12:57:33 mpd: [L2TP_T-1] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
May 21 12:57:33 mpd: [L2TP_T-1] IPADDR 192.168.1.7
May 21 12:57:33 mpd: [L2TP_T-1] IPCP: SendConfigReq #1
May 21 12:57:33 mpd: [L2TP_T-1] IPCP: state change Starting --> Req-Sent
May 21 12:57:33 mpd: [L2TP_T-1] IPCP: Got IP 192.168.1.24 from pool "pool2" for peer
May 21 12:57:33 mpd: [L2TP_T-1] IPCP: Up event
May 21 12:57:33 mpd: [L2TP_T-1] IPCP: LayerStart
May 21 12:57:33 mpd: [L2TP_T-1] IPCP: state change Initial --> Starting
May 21 12:57:33 mpd: [L2TP_T-1] IPCP: Open event
May 21 12:57:33 mpd: [L2TP_T-1] Bundle: Status update: up 1 link, total bandwidth 64000 bps
May 21 12:57:33 mpd: [L-1] Link: Join bundle "L2TP_T-1"
May 21 12:57:33 mpd: [L2TP_T-1] Bundle: Interface ng0 created
May 21 12:57:33 mpd: [L-1] Creating new bundle using template "L2TP_T".
May 21 12:57:33 mpd: [L-1] Link: Matched action 'bundle "L2TP_T" ""'
May 21 12:57:33 mpd: [L-1] LCP: authorization successful
May 21 12:57:33 mpd: [L-1] CHAP: sending SUCCESS #2 len: 46
May 21 12:57:33 mpd: [L-1] CHAP: Reply message: S=CC4047D0EBA39E9D5277316536D25F1BD2B27F5F
May 21 12:57:33 mpd: [L-1] CHAP: Response is valid
May 21 12:57:33 mpd: [L-1] CHAP: Auth return status: undefined
May 21 12:57:33 mpd: [L-1] AUTH: INTERNAL returned: undefined
May 21 12:57:33 mpd: [L-1] AUTH: Trying INTERNAL
May 21 12:57:33 mpd: [L-1] Name: "L2TPUser"
May 21 12:57:33 mpd: [L-1] CHAP: rec'd RESPONSE #2 len: 62
May 21 12:57:33 mpd: [L-1] CHAP: sending CHALLENGE #2 len: 21
May 21 12:57:31 mpd: [L-1] MESG: IðTB¯ÌpÂ÷^]Oà
May 21 12:57:31 mpd: [L-1] MESG: Á3æ
May 21 12:57:31 mpd: [L-1] LCP: rec'd Ident #4 (Opened)
May 21 12:57:31 mpd: [L-1] MESG: MSRAS-0-E6410
May 21 12:57:31 mpd: [L-1] LCP: rec'd Ident #3 (Opened)
May 21 12:57:31 mpd: [L-1] MESG: MSRASV5.20
May 21 12:57:31 mpd: [L-1] LCP: rec'd Ident #2 (Opened)
May 21 12:57:31 mpd: [L-1] LCP: LayerUp
May 21 12:57:31 mpd: [L-1] CHAP: sending CHALLENGE #1 len: 21
May 21 12:57:31 mpd: [L-1] LCP: auth: peer wants nothing, I want CHAP
May 21 12:57:31 mpd: [L-1] LCP: state change Ack-Rcvd --> Opened
May 21 12:57:31 mpd: [L-1] ACFCOMP
May 21 12:57:31 mpd: [L-1] PROTOCOMP
May 21 12:57:31 mpd: [L-1] MAGICNUM 61e84fff
May 21 12:57:31 mpd: [L-1] MRU 1400
May 21 12:57:31 mpd: [L-1] LCP: SendConfigAck #1
May 21 12:57:31 mpd: [L-1] ACFCOMP
May 21 12:57:31 mpd: [L-1] PROTOCOMP
May 21 12:57:31 mpd: [L-1] MAGICNUM 61e84fff
May 21 12:57:31 mpd: [L-1] MRU 1400
May 21 12:57:31 mpd: [L-1] LCP: rec'd Configure Request #1 (Ack-Rcvd)
May 21 12:57:31 mpd: [L-1] LCP: state change Req-Sent --> Ack-Rcvd
May 21 12:57:31 mpd: [L-1] AUTHPROTO CHAP MSOFTv2
May 21 12:57:31 mpd: [L-1] MAGICNUM 6b36d3c4
May 21 12:57:31 mpd: [L-1] MRU 1500
May 21 12:57:31 mpd: [L-1] PROTOCOMP
May 21 12:57:31 mpd: [L-1] ACFCOMP
May 21 12:57:31 mpd: [L-1] LCP: rec'd Configure Ack #1 (Req-Sent)
May 21 12:57:31 mpd: [L-1] CALLBACK 6
May 21 12:57:31 mpd: [L-1] LCP: SendConfigRej #0
May 21 12:57:31 mpd: [L-1] CALLBACK 6
May 21 12:57:31 mpd: [L-1] ACFCOMP
May 21 12:57:31 mpd: [L-1] PROTOCOMP
May 21 12:57:31 mpd: [L-1] MAGICNUM 61e84fff
May 21 12:57:31 mpd: [L-1] MRU 1400
May 21 12:57:31 mpd: [L-1] LCP: rec'd Configure Request #0 (Req-Sent)
May 21 12:57:31 mpd: [L-1] AUTHPROTO CHAP MSOFTv2
May 21 12:57:31 mpd: [L-1] MAGICNUM 6b36d3c4
May 21 12:57:31 mpd: [L-1] MRU 1500
May 21 12:57:31 mpd: [L-1] PROTOCOMP
May 21 12:57:31 mpd: [L-1] ACFCOMP
May 21 12:57:31 mpd: [L-1] LCP: SendConfigReq #1
May 21 12:57:31 mpd: [L-1] LCP: state change Starting --> Req-Sent
May 21 12:57:31 mpd: [L-1] LCP: Up event
May 21 12:57:31 mpd: [L-1] Link: UP event
May 21 12:57:31 mpd: [L-1] L2TP: Call #0 connected
May 21 12:57:31 mpd: [L-1] LCP: LayerStart
May 21 12:57:31 mpd: [L-1] LCP: state change Initial --> Starting
May 21 12:57:31 mpd: [L-1] LCP: Open event
May 21 12:57:31 mpd: [L-1] Link: OPEN event
May 21 12:57:31 mpd: [L-1] L2TP: Incoming call #0 via control connection 0x285b3d08 accepted
May 21 12:57:31 mpd: L2TP: Incoming call #0 via connection 0x285b3d08 received
May 21 12:57:31 mpd: L2TP: Control connection 0x285b3d08 0.0.0.0 1701 <-> 172.32.27.101 1701 connected
May 21 12:57:31 mpd: Incoming L2TP packet from 172.32.27.101 1701
May 21 12:57:30 racoon: INFO: IPsec-SA established: ESP/Transport 68.6.1.23[500]->172.32.27.101[500] spi=710786252(0x2a5dbccc)
May 21 12:57:30 racoon: INFO: IPsec-SA established: ESP/Transport 68.6.1.23[500]->172.32.27.101[500] spi=108995874(0x67f2522)
May 21 12:57:30 racoon: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
May 21 12:57:30 racoon: INFO: Adjusting my encmode UDP-Transport->Transport
May 21 12:57:30 racoon: INFO: respond new phase 2 negotiation: 68.6.1.23[4500]<=>172.32.27.101[33296]
May 21 12:57:30 racoon: INFO: ISAKMP-SA established 68.6.1.23[4500]-172.32.27.101[33296] spi:f2b903c502cca170:d8a9f353fa53aee5
May 21 12:57:30 racoon: INFO: KA found: 68.6.1.23[4500]->172.32.27.101[33296] (in_use=4)
May 21 12:57:30 racoon: INFO: NAT-T: ports changed to: 172.32.27.101[33296]<->68.6.1.23[4500]
May 21 12:57:29 racoon: INFO: Adding remote and local NAT-D payloads.
May 21 12:57:29 racoon: [68.6.1.23] INFO: Hashing 68.6.1.23[500] with algo #2
May 21 12:57:29 racoon: [172.32.27.101] INFO: Hashing 172.32.27.101[18486] with algo #2
May 21 12:57:29 racoon: INFO: NAT detected: PEER
May 21 12:57:29 racoon: INFO: NAT-D payload #1 doesn't match
May 21 12:57:29 racoon: [172.32.27.101] INFO: Hashing 172.32.27.101[18486] with algo #2
May 21 12:57:29 racoon: INFO: NAT-D payload #0 verified
May 21 12:57:29 racoon: [68.6.1.23] INFO: Hashing 68.6.1.23[500] with algo #2
May 21 12:57:29 racoon: ERROR: invalid DH group 19.
May 21 12:57:29 racoon: ERROR: invalid DH group 20.
May 21 12:57:29 racoon: [172.32.27.101] INFO: Selected NAT-T version: RFC 3947
May 21 12:57:29 racoon: INFO: received Vendor ID: FRAGMENTATION
May 21 12:57:29 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 21 12:57:29 racoon: INFO: received Vendor ID: RFC 3947
May 21 12:57:29 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
May 21 12:57:29 racoon: INFO: begin Identity Protection mode.
May 21 12:57:29 racoon: INFO: respond new phase 1 negotiation: 68.6.1.23[500]<=>172.32.27.101[18486]
|
|
|
Post by Lee Sharp on May 24, 2018 19:04:07 GMT
I was never really sure what he was doing either. And it works fine with some people. I am having a bear of a time troubleshooting this!  I have had better luck on L2TP using a scope of IP addresses OUTSIDE the LAN range... Then set DNS to the LAN IP and it seems to work.
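An added example, not part of the original thread and not smallwall code: a Python check that reads the mpd IPCP lines from marc's log and reports whether the L2TP client and server addresses sit inside the LAN range, the condition Lee describes having better luck avoiding. The finding names and function names are assumptions made for illustration.

```python
import ipaddress
import re

# LAN subnet and firewall LAN address as given in marc's post.
LAN = ipaddress.ip_network("192.168.1.0/24")
FIREWALL_LAN_IP = ipaddress.ip_address("192.168.1.1")

# Lines taken from the log in marc's post, reordered oldest-first.
SAMPLE_LOG = """\
May 21 12:57:33 mpd: [L2TP_T-1] IPCP: Got IP 192.168.1.24 from pool "pool2" for peer
May 21 12:57:33 mpd: [L2TP_T-1] PRIDNS 0.0.0.0
May 21 12:57:33 mpd: [L2TP_T-1] PRIDNS 192.168.1.1
May 21 12:57:33 mpd: [L2TP_T-1] SECDNS 156.154.71.1
May 21 12:57:33 mpd: [L2TP_T-1] 192.168.1.7 -> 192.168.1.24
May 21 12:57:33 dnsmasq[89]: failed to send packet: Network is unreachable
May 21 12:57:33 dnsmasq[89]: failed to send packet: Network is unreachable
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
BUNDLE = re.compile(r"mpd: \[(?P<bundle>[^\]]+)\] (?P<msg>.+)$")
GOT_IP = re.compile(r"IPCP: Got IP " + IPV4 + r' from pool "([^"]+)" for peer')
ENDPOINTS = re.compile(IPV4 + r" -> " + IPV4 + r"$")
DNS = re.compile(r"(?:PRI|SEC)DNS " + IPV4 + r"$")


def parse_sessions(log_text):
    """Collect the negotiated tunnel parameters for each mpd bundle."""
    sessions = {}
    for line in log_text.splitlines():
        m = BUNDLE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["bundle"], {"peer": None, "local": None, "pool": None, "dns": []})
        if g := GOT_IP.match(m["msg"]):
            s["peer"], s["pool"] = ipaddress.ip_address(g[1]), g[2]
        elif g := ENDPOINTS.match(m["msg"]):
            s["local"], s["peer"] = ipaddress.ip_address(g[1]), ipaddress.ip_address(g[2])
        elif g := DNS.match(m["msg"]):
            addr = ipaddress.ip_address(g[1])
            # 0.0.0.0 is what the client requests before the server NAKs real values.
            if not addr.is_unspecified and addr not in s["dns"]:
                s["dns"].append(addr)
    return sessions


def audit(session, lan=LAN, fw_ip=FIREWALL_LAN_IP):
    """Describe how the tunnel addressing relates to the LAN subnet."""
    findings = []
    for key, name in (("peer", "client-address-inside-lan"), ("local", "server-address-inside-lan")):
        if session[key] is not None and session[key] in lan:
            findings.append(name)
    if fw_ip in session["dns"]:
        findings.append("dns-served-by-firewall")
    return findings


def dnsmasq_send_failures(log_text):
    """Count the dnsmasq errors marc points to in his post."""
    return sum("dnsmasq" in l and "Network is unreachable" in l for l in log_text.splitlines())
```

Calling `audit(parse_sessions(SAMPLE_LOG)["L2TP_T-1"])` on the sample reports both tunnel endpoints inside 192.168.1.0/24; a session whose endpoints come from a scope outside the LAN leaves only the DNS finding.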
|
|