Can’t connect via L2tp over Ipsec

RedCat
Posts: 5
Joined: Sun Jun 02, 2019 6:41 am

Can’t connect via L2tp over Ipsec

Post by RedCat » Sun Jun 02, 2019 6:57 am

Good day to all! I had a problem with the SoftEther VPN server: I cannot connect via the L2TP over IPsec protocol. The standard Windows VPN client gives an error, Error #789: "An attempt to connect L2TP failed because of an error that occurred at the security level during negotiations with the remote computer". The standard Android client simply says "fail", without any messages. If I connect using SoftEther VPN Client on Windows, everything connects and works normally. Debian 9 + SoftEther VPN Server is installed on the server, L2TP is enabled, and a user with password authentication is created.

centeredki69
Posts: 212
Joined: Wed Sep 18, 2013 1:49 pm

Re: Can’t connect via L2tp over Ipsec

Post by centeredki69 » Sun Jun 02, 2019 2:00 pm

Did you open/forward ports 500 & 4500 to the Debian9 machine running the SE server?

RedCat
Posts: 5
Joined: Sun Jun 02, 2019 6:41 am

Re: Can’t connect via L2tp over Ipsec

Post by RedCat » Sun Jun 02, 2019 4:47 pm

Yes, in iptables the INPUT policy has ports 500 and 4500 open, and in the FORWARD policy all ports are anywhere/anywhere ACCEPT.

RedCat
Posts: 5
Joined: Sun Jun 02, 2019 6:41 am

Re: Can’t connect via L2tp over Ipsec

Post by RedCat » Sun Jun 02, 2019 4:52 pm

My Iptables config:


# Generated by iptables-save v1.6.0 on Sun Jun  2 19:49:47 2019
*filter
:INPUT DROP [3:120]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [109:19362]
:syn_flood - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10024 -j ACCEPT
-A INPUT -p udp -m udp --dport 10024 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10025 -j ACCEPT
-A INPUT -p udp -m udp --dport 10025 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 873 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i tap_soft -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A FORWARD -i tap_soft -j ACCEPT
-A syn_flood -m limit --limit 500/sec --limit-burst 2000 -j RETURN
-A syn_flood -j DROP
COMMIT
# Completed on Sun Jun  2 19:49:47 2019
# Generated by iptables-save v1.6.0 on Sun Jun  2 19:49:47 2019
*nat
:PREROUTING ACCEPT [69170:3913944]
:INPUT ACCEPT [27614:1697901]
:OUTPUT ACCEPT [28324:2198610]
:POSTROUTING ACCEPT [28317:2196594]
-A POSTROUTING -s 192.168.7.0/24 -j SNAT --to-source "myexternalip"
COMMIT
# Completed on Sun Jun  2 19:49:47 2019

centeredki69
Posts: 212
Joined: Wed Sep 18, 2013 1:49 pm

Re: Can’t connect via L2tp over Ipsec

Post by centeredki69 » Sun Jun 02, 2019 5:45 pm

Were those commands performed on the firewall that the Debian 9 machine is behind, or on the Debian 9 machine itself?

RedCat
Posts: 5
Joined: Sun Jun 02, 2019 6:41 am

Re: Can’t connect via L2tp over Ipsec

Post by RedCat » Sun Jun 02, 2019 6:05 pm

On the Debian machine itself; it is on my VPS server.

centeredki69
Posts: 212
Joined: Wed Sep 18, 2013 1:49 pm

Re: Can’t connect via L2tp over Ipsec

Post by centeredki69 » Sun Jun 02, 2019 7:00 pm

I'm not sure. I have 2 different Ubuntu servers on different VPS providers; they both have only public IP addresses. On both I didn't have to do anything other than enable it in the SE server software. However, I also have a VPS (MS Server 2019) on MS Azure running SE server. On this one I had to open ports on the network security group, as this VPS also had an internal IP address.

RedCat
Posts: 5
Joined: Sun Jun 02, 2019 6:41 am

Re: Can’t connect via L2tp over Ipsec

Post by RedCat » Tue Jun 04, 2019 2:12 am

Here is the Nmap scan log:

Nmap scan report for "MyHost"
Host is up (0.00011s latency).
Not shown: 994 closed ports
PORT     STATE         SERVICE
53/udp   open          domain
67/udp   open|filtered dhcps
123/udp  open          ntp
500/udp  open          isakmp
1701/udp open|filtered L2TP
4500/udp open|filtered nat-t-ike

I do not like the state of port 4500; is it normal that it is filtered?

cedar
Site Admin
Posts: 1187
Joined: Sat Mar 09, 2013 5:37 am

Re: Can’t connect via L2tp over Ipsec

Post by cedar » Tue Jun 11, 2019 8:23 am

It may be normal.
Can you see ports 500 and 4500 opened for vpnserver in netstat?
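The two checks raised in this thread (the iptables INPUT rules for UDP 500 and 4500, and whether vpnserver actually owns those sockets) can be scripted so they are verified together on the Debian host. The script below is an added example, not SoftEther tooling or anything posted by the participants; it assumes the `iptables-save` rule syntax shown above and the column layout of `ss -lunp` output (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process), and the sample captures it reads are constructed.

```shell
#!/bin/sh
# Added diagnostic for the checks discussed in this thread (not SoftEther
# tooling). It reads saved `iptables-save` and `ss -lunp` output and answers:
# does INPUT accept UDP 500 and 4500, and is vpnserver bound to those ports?

# udp_accepted RULES_FILE PORT: succeed if an INPUT rule accepts UDP PORT
udp_accepted() {
    grep -Eq -- "^-A INPUT .*-p udp .*--dport $2( .*)? -j ACCEPT" "$1"
}

# input_policy RULES_FILE: print the INPUT chain's default policy (e.g. DROP)
input_policy() {
    sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p' "$1"
}

# udp_owner SS_FILE PORT: print the process name bound to UDP PORT, if any
udp_owner() {
    awk -v port="$2" '
        $1 == "UNCONN" && $4 ~ (":" port "$") &&
        match($0, /users:\(\("[^"]+"/) {
            # strip the leading users:((" and the closing quote
            print substr($0, RSTART + 9, RLENGTH - 10); exit
        }' "$1"
}

# l2tp_ipsec_ready RULES_FILE SS_FILE: fail with a reason on the first gap found
l2tp_ipsec_ready() {
    for p in 500 4500; do
        udp_accepted "$1" "$p" || { echo "UDP $p is not accepted by INPUT"; return 1; }
        [ "$(udp_owner "$2" "$p")" = "vpnserver" ] ||
            { echo "UDP $p is not bound by vpnserver"; return 1; }
    done
    echo "INPUT policy $(input_policy "$1"); UDP 500/4500 accepted and bound by vpnserver"
}

# Constructed captures: an abridged copy of the ruleset posted above and a
# made-up socket listing. Replace with real output taken on the Debian host.
RULES=$(mktemp); SS=$(mktemp)
cat >"$RULES" <<'EOF'
*filter
:INPUT DROP [3:120]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
COMMIT
EOF
cat >"$SS" <<'EOF'
UNCONN 0 0 0.0.0.0:123  0.0.0.0:* users:(("ntpd",pid=401,fd=16))
UNCONN 0 0 0.0.0.0:500  0.0.0.0:* users:(("vpnserver",pid=612,fd=9))
UNCONN 0 0 0.0.0.0:4500 0.0.0.0:* users:(("vpnserver",pid=612,fd=10))
EOF
l2tp_ipsec_ready "$RULES" "$SS"
```

On the real host, feed it `iptables-save > rules.txt` and `ss -lunp > sockets.txt` taken as root, since `ss` only shows process names for sockets the caller may inspect.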
