L2TP not working from outside the network

JWingelaar
Posts: 1
Joined: Mon Jan 03, 2022 2:14 pm

L2TP not working from outside the network

Post by JWingelaar » Mon Jan 03, 2022 2:32 pm

Hi guys,

I'm currently setting up a SoftEther VPN connection for my home network and encountered the following issue:
When I connect from a Windows or Apple device while connected to the home network, the VPN connection is made.
When I try to connect from outside my home network I encounter the following issues.
- When connecting from an Apple device, I get "The L2TP-VPN server did not respond."
- When connecting from a Windows device, I get "L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer."
- When connecting from a Windows device while using the connection client, the VPN works completely fine.
- When connecting from an Android device, the VPN works completely fine!


I have the following ports open:
443, 992, 1194, 5555, 500, 4500 and 1701.

The firewall on the server OS is disabled.

SoftEther VPN Server is installed on Windows 10 (64-bit).

The SoftEther log shows the following:
2022-01-03 15:17:58.863 IPsec Client 520 (188.207.77.73:42846 -> 192.168.2.162:500): A new IPsec client is created.
2022-01-03 15:17:58.863 IPsec IKE Session (IKE SA) 10671 (Client: 520) (188.207.77.73:42846 -> 192.168.2.162:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x8E68C7922BE37C6B, Responder Cookie: 0xA875DF1843F8A8E5, DH Group: MODP 2048 (Group 14), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 28800 seconds
2022-01-03 15:17:59.880 IPsec Client 521 (188.207.77.73:42846 -> 192.168.2.162:500): A new IPsec client is created.
2022-01-03 15:17:59.880 IPsec IKE Session (IKE SA) 10672 (Client: 521) (188.207.77.73:42846 -> 192.168.2.162:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x8E68C7922BE37C6B, Responder Cookie: 0x812942009808F557, DH Group: MODP 2048 (Group 14), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 28800 seconds
2022-01-03 15:18:00.865 IPsec Client 522 (188.207.77.73:42846 -> 192.168.2.162:500): A new IPsec client is created.
2022-01-03 15:18:00.865 IPsec IKE Session (IKE SA) 10673 (Client: 522) (188.207.77.73:42846 -> 192.168.2.162:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x8E68C7922BE37C6B, Responder Cookie: 0x7D92711940CFFCB6, DH Group: MODP 2048 (Group 14), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 28800 seconds
2022-01-03 15:18:03.865 IPsec Client 523 (188.207.77.73:42846 -> 192.168.2.162:500): A new IPsec client is created.
2022-01-03 15:18:03.865 IPsec IKE Session (IKE SA) 10674 (Client: 523) (188.207.77.73:42846 -> 192.168.2.162:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x8E68C7922BE37C6B, Responder Cookie: 0xCB47DB8FD4610024, DH Group: MODP 2048 (Group 14), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 28800 seconds
2022-01-03 15:18:08.864 IPsec IKE Session (IKE SA) 10671 (Client: 520) (188.207.77.73:42846 -> 192.168.2.162:500): This IKE SA is deleted.
2022-01-03 15:18:08.865 IPsec Client 520 (188.207.77.73:42846 -> 192.168.2.162:500): This IPsec Client is deleted.
2022-01-03 15:18:09.881 IPsec IKE Session (IKE SA) 10672 (Client: 521) (188.207.77.73:42846 -> 192.168.2.162:500): This IKE SA is deleted.
2022-01-03 15:18:09.881 IPsec Client 521 (188.207.77.73:42846 -> 192.168.2.162:500): This IPsec Client is deleted.
2022-01-03 15:18:10.878 IPsec IKE Session (IKE SA) 10673 (Client: 522) (188.207.77.73:42846 -> 192.168.2.162:500): This IKE SA is deleted.
2022-01-03 15:18:10.879 IPsec Client 522 (188.207.77.73:42846 -> 192.168.2.162:500): This IPsec Client is deleted.
2022-01-03 15:18:13.874 IPsec IKE Session (IKE SA) 10674 (Client: 523) (188.207.77.73:42846 -> 192.168.2.162:500): This IKE SA is deleted.
2022-01-03 15:18:13.874 IPsec Client 523 (188.207.77.73:42846 -> 192.168.2.162:500): This IPsec Client is deleted.
2022-01-03 15:18:37.001 IPsec Client 524 (188.207.77.73:42846 -> 192.168.2.162:500): A new IPsec client is created.
2022-01-03 15:18:37.001 IPsec IKE Session (IKE SA) 10675 (Client: 524) (188.207.77.73:42846 -> 192.168.2.162:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x8EA0AFCB40AED9F7, Responder Cookie: 0xDE9F5E32B6966F72, DH Group: MODP 2048 (Group 14), Hash Algorithm: SHA-2-256, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 3600 seconds
2022-01-03 15:18:40.277 IPsec Client 525 (188.207.77.73:42846 -> 192.168.2.162:500): A new IPsec client is created.
2022-01-03 15:18:40.277 IPsec IKE Session (IKE SA) 10676 (Client: 525) (188.207.77.73:42846 -> 192.168.2.162:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x8EA0AFCB40AED9F7, Responder Cookie: 0x7E4CE6BDFF293C57, DH Group: MODP 2048 (Group 14), Hash Algorithm: SHA-2-256, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 3600 seconds
2022-01-03 15:18:43.522 IPsec Client 526 (188.207.77.73:42846 -> 192.168.2.162:500): A new IPsec client is created.
2022-01-03 15:18:43.522 IPsec IKE Session (IKE SA) 10677 (Client: 526) (188.207.77.73:42846 -> 192.168.2.162:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x8EA0AFCB40AED9F7, Responder Cookie: 0x18E40C436A6541C1, DH Group: MODP 2048 (Group 14), Hash Algorithm: SHA-2-256, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 3600 seconds
2022-01-03 15:18:46.598 IPsec Client 527 (188.207.77.73:42846 -> 192.168.2.162:500): A new IPsec client is created.
2022-01-03 15:18:46.599 IPsec IKE Session (IKE SA) 10678 (Client: 527) (188.207.77.73:42846 -> 192.168.2.162:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x8EA0AFCB40AED9F7, Responder Cookie: 0xD56F2CF38863D10F, DH Group: MODP 2048 (Group 14), Hash Algorithm: SHA-2-256, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 3600 seconds
2022-01-03 15:18:47.006 IPsec IKE Session (IKE SA) 10675 (Client: 524) (188.207.77.73:42846 -> 192.168.2.162:500): This IKE SA is deleted.
2022-01-03 15:18:47.006 IPsec Client 524 (188.207.77.73:42846 -> 192.168.2.162:500): This IPsec Client is deleted.
2022-01-03 15:18:50.286 IPsec IKE Session (IKE SA) 10676 (Client: 525) (188.207.77.73:42846 -> 192.168.2.162:500): This IKE SA is deleted.
2022-01-03 15:18:50.287 IPsec Client 525 (188.207.77.73:42846 -> 192.168.2.162:500): This IPsec Client is deleted.
2022-01-03 15:18:53.533 IPsec IKE Session (IKE SA) 10677 (Client: 526) (188.207.77.73:42846 -> 192.168.2.162:500): This IKE SA is deleted.
2022-01-03 15:18:53.533 IPsec Client 526 (188.207.77.73:42846 -> 192.168.2.162:500): This IPsec Client is deleted.
2022-01-03 15:18:56.607 IPsec IKE Session (IKE SA) 10678 (Client: 527) (188.207.77.73:42846 -> 192.168.2.162:500): This IKE SA is deleted.
2022-01-03 15:18:56.607 IPsec Client 527 (188.207.77.73:42846 -> 192.168.2.162:500): This IPsec Client is deleted.

If any additional information is needed please let me know and I'll provide it to you.

Thanks in advance,
Jordy
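
Added example, not part of the original post or of SoftEther: a small Python parser for the server log format shown above, grouping IKE SAs by Initiator Cookie. In the log, one Initiator Cookie produces several IKE SAs, all on UDP 500 and each deleted about ten seconds after creation, which is consistent with the client re-sending its first Main Mode packet and the exchange never completing. The function names and the 15-second threshold are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Four lines copied from the server log in the post above (IKE SAs 10671 and 10672).
SAMPLE_LOG = """\
2022-01-03 15:17:58.863 IPsec IKE Session (IKE SA) 10671 (Client: 520) (188.207.77.73:42846 -> 192.168.2.162:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x8E68C7922BE37C6B, Responder Cookie: 0xA875DF1843F8A8E5, DH Group: MODP 2048 (Group 14), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 28800 seconds
2022-01-03 15:17:59.880 IPsec IKE Session (IKE SA) 10672 (Client: 521) (188.207.77.73:42846 -> 192.168.2.162:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x8E68C7922BE37C6B, Responder Cookie: 0x812942009808F557, DH Group: MODP 2048 (Group 14), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 28800 seconds
2022-01-03 15:18:08.864 IPsec IKE Session (IKE SA) 10671 (Client: 520) (188.207.77.73:42846 -> 192.168.2.162:500): This IKE SA is deleted.
2022-01-03 15:18:09.881 IPsec IKE Session (IKE SA) 10672 (Client: 521) (188.207.77.73:42846 -> 192.168.2.162:500): This IKE SA is deleted.
"""

# Matches the "IPsec IKE Session" lines; "IPsec Client" lines are skipped.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) IPsec IKE Session \(IKE SA\) "
    r"(?P<sa>\d+) \(Client: \d+\) \([\d.]+:\d+ -> [\d.]+:(?P<dport>\d+)\): (?P<msg>.*)$")
COOKIE = re.compile(r"Initiator Cookie: (0x[0-9A-Fa-f]+)")

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")

def summarize(log_text):
    """Group IKE SAs by initiator cookie: SA ids, server ports, seconds until deletion."""
    groups = defaultdict(lambda: {"sas": [], "ports": set(), "lifetimes": []})
    created = {}  # SA id -> (creation time, initiator cookie)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        cookie = COOKIE.search(m["msg"])
        if cookie:
            created[m["sa"]] = (parse_ts(m["ts"]), cookie[1])
            groups[cookie[1]]["sas"].append(m["sa"])
            groups[cookie[1]]["ports"].add(int(m["dport"]))
        elif "This IKE SA is deleted" in m["msg"] and m["sa"] in created:
            start, key = created[m["sa"]]
            age = (parse_ts(m["ts"]) - start).total_seconds()
            groups[key]["lifetimes"].append(round(age, 1))
    return dict(groups)

def stalled_handshakes(log_text, max_age=15.0):
    """Cookies seen on several SAs that all stayed on UDP 500 and died within max_age s."""
    return [c for c, g in summarize(log_text).items()
            if len(g["sas"]) > 1 and g["ports"] == {500}
            and len(g["lifetimes"]) == len(g["sas"]) and max(g["lifetimes"]) <= max_age]

if __name__ == "__main__":
    for cookie, g in summarize(SAMPLE_LOG).items():
        print(cookie, g["sas"], sorted(g["ports"]), g["lifetimes"])
    print("stalled:", stalled_handshakes(SAMPLE_LOG))
```

The log alone does not say which direction is failing; a packet capture on the router's WAN side for UDP 500 and 4500 would show whether the server's replies leave the network.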

Radiofreak1041
Posts: 7
Joined: Wed Dec 29, 2021 2:54 pm

Re: L2TP not working from outside the network

Post by Radiofreak1041 » Thu Jan 06, 2022 8:38 pm

Hoi Jordy,

For me to get this working, I only had to open UDP ports 4500 and 500 (I opened those ports UDP/TCP, which obviously works as well).
I assume you ticked the box "Enable L2TP Server Function (L2TP over IPsec)" in the admin console under IPsec/L2TP Setting?
You should be able to close ports 443, 992, 1194, 5555 and 1701 and have it still working, assuming you don't use the OpenVPN functionality and only modify the VPN configuration on your local network.
Also, make sure your home network subnet does NOT match the VPN server's subnet. If both networks use the 192.168.1.0/24 subnet for example, making a connection won't work as expected.
In Windows, in your VPN settings, select "L2TP/IPsec with pre-shared key" (not IKE), type in your Pre-shared key that you've configured in SoftEther, select "User name and password" under Type of sign-in info and fill in your username and password for the specific device.

PH-IT
Posts: 26
Joined: Tue Jan 18, 2022 9:47 am

Re: L2TP not working from outside the network

Post by PH-IT » Sun Jan 23, 2022 4:56 pm

You may need to forward IP protocol 50 (ESP) as well.
