Can’t connect via L2tp over Ipsec
- Posts: 9
- Joined: Sun Jun 02, 2019 6:41 am
Can’t connect via L2tp over Ipsec
Good day to all! I have a problem with the SoftEther VPN server: I cannot connect via the L2TP over IPsec protocol. The standard Windows VPN client gives Error 789: "An attempt to connect L2TP failed because of an error that occurred at the security level during negotiations with the remote computer". The standard Android client simply reports "fail", without any messages. If I connect using the SoftEther VPN Client on Windows, everything connects and works normally. Debian 9 + SoftEther VPN Server is installed on the server, L2TP is enabled, and a user with password authentication has been created.
- Posts: 329
- Joined: Wed Sep 18, 2013 1:49 pm
Re: Can’t connect via L2tp over Ipsec
Did you open/forward ports 500 & 4500 to the Debian9 machine running the SE server?
- Posts: 9
- Joined: Sun Jun 02, 2019 6:41 am
Re: Can’t connect via L2tp over Ipsec
Yes, in iptables, in the INPUT policy ports 500 and 4500 are open, and in the FORWARD policy all ports are anywhere anywhere ACCEPT.
- Posts: 9
- Joined: Sun Jun 02, 2019 6:41 am
Re: Can’t connect via L2tp over Ipsec
My iptables config:
# Generated by iptables-save v1.6.0 on Sun Jun 2 19:49:47 2019
*filter
:INPUT DROP [3:120]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [109:19362]
:syn_flood - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10024 -j ACCEPT
-A INPUT -p udp -m udp --dport 10024 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10025 -j ACCEPT
-A INPUT -p udp -m udp --dport 10025 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 873 -j ACCEPT
# IKE (UDP 500) and IPsec NAT-T (UDP 4500), the two ports L2TP/IPsec needs
# from outside; L2TP itself (UDP 1701) travels inside the IPsec tunnel.
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
# tap_soft: the tap interface SoftEther creates for its local bridge
-A INPUT -i tap_soft -j ACCEPT
# TCP SYN rate limiting and malformed-flag drops (do not affect UDP)
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A FORWARD -i tap_soft -j ACCEPT
-A syn_flood -m limit --limit 500/sec --limit-burst 2000 -j RETURN
-A syn_flood -j DROP
COMMIT
# Completed on Sun Jun 2 19:49:47 2019
# Generated by iptables-save v1.6.0 on Sun Jun 2 19:49:47 2019
*nat
:PREROUTING ACCEPT [69170:3913944]
:INPUT ACCEPT [27614:1697901]
:OUTPUT ACCEPT [28324:2198610]
:POSTROUTING ACCEPT [28317:2196594]
# Source NAT for VPN clients in 192.168.7.0/24 going out via the public address
-A POSTROUTING -s 192.168.7.0/24 -j SNAT --to-source "myexternalip"
COMMIT
# Completed on Sun Jun 2 19:49:47 2019
- Posts: 329
- Joined: Wed Sep 18, 2013 1:49 pm
Re: Can’t connect via L2tp over Ipsec
Were those commands performed on the firewall that the Debian9 machine is behind, or on the Debian9 machine itself?
- Posts: 9
- Joined: Sun Jun 02, 2019 6:41 am
Re: Can’t connect via L2tp over Ipsec
On the Debian machine itself; it is my VPS server.
- Posts: 329
- Joined: Wed Sep 18, 2013 1:49 pm
Re: Can’t connect via L2tp over Ipsec
I'm not sure. I have 2 different Ubuntu servers on different VPS providers; they both have only public IP addresses. On both I didn't have to do anything other than enable it in the SE server software. However, I also have a VPS (MS Server 2019) on MS Azure running SE server. On this one I had to open ports on the network security group, as this VPS also had an internal IP address.
- Posts: 9
- Joined: Sun Jun 02, 2019 6:41 am
Re: Can’t connect via L2tp over Ipsec
Here is the Nmap scan log:
Nmap scan report for "MyHost"
Host is up (0.00011s latency).
Not shown: 994 closed ports
PORT      STATE         SERVICE
53/udp    open          domain
67/udp    open|filtered dhcps
123/udp   open          ntp
500/udp   open          isakmp
1701/udp  open|filtered l2tp
4500/udp  open|filtered nat-t-ike
I do not like the state of port 4500; is it normal that it is filtered?
- Site Admin
- Posts: 2082
- Joined: Sat Mar 09, 2013 5:37 am
Re: Can’t connect via L2tp over Ipsec
It may be normal.
Can you see ports 500 and 4500 opened for vpnserver in netstat?
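An added example, not a post from this thread and not SoftEther's own tooling: a small POSIX shell script that answers the two questions raised above offline, by parsing text you paste in rather than by probing anything. It checks whether vpnserver owns the UDP 500 and 4500 sockets in `ss -lunp` (or `netstat -lunp`) output, as the admin asked, and whether the INPUT chain of an `iptables-save` dump explicitly accepts those ports or would silently drop them under a DROP policy. The SAMPLE_SS and SAMPLE_IPTABLES strings are constructed for illustration and are not taken from the poster's host; on a real server you feed the functions live `ss -lunp` and `iptables-save` output instead.

```shell
#!/bin/sh
# Offline L2TP/IPsec port checks. Nothing here touches the network: the
# functions parse `ss -lunp` / `netstat -lunp` and `iptables-save` text
# read from stdin. SAMPLE_* below are constructed for illustration only.

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:500        0.0.0.0:*         users:(("vpnserver",pid=1234,fd=21))
UNCONN 0      0      0.0.0.0:4500       0.0.0.0:*         users:(("vpnserver",pid=1234,fd=22))
UNCONN 0      0      0.0.0.0:1701       0.0.0.0:*         users:(("vpnserver",pid=1234,fd=23))
UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=400,fd=12))'

SAMPLE_IPTABLES='*filter
:INPUT DROP [3:120]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [109:19362]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
COMMIT'

# udp_owner PORT : print the process bound to UDP PORT in ss/netstat output
# read from stdin; exit 1 if nothing is listening there.
udp_owner() {
    # Match ":PORT<space>" in the local-address column (ss lines start with
    # UNCONN, netstat lines with udp), then pull the program name out of
    # ss's users:(("name",pid=...)) or netstat's "pid/name" column.
    line=$(grep -E "^(UNCONN|udp)[[:space:]].*[:.]$1[[:space:]]" | head -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" |
        sed -nE 's/.*users:\(\("([^"]+)".*/\1/p; s/.*[0-9]+\/([^[:space:]]+).*/\1/p' |
        head -n 1
}

# input_accepts_udp PORT : exit 0 if the iptables-save text on stdin has an
# explicit ACCEPT for udp --dport PORT in the INPUT chain.
input_accepts_udp() {
    grep -Eq "^-A INPUT .*-p udp .*--dport $1 .*-j ACCEPT"
}

# input_policy : print the default policy of the INPUT chain (e.g. DROP).
input_policy() {
    sed -nE 's/^:INPUT ([A-Z]+) .*/\1/p'
}

# check_l2tp_ipsec_ports SS_TEXT IPTABLES_TEXT : for UDP 500 and 4500, report
# whether vpnserver is bound and whether INPUT lets the traffic in; exit 1
# on any finding that would explain a failed L2TP/IPsec negotiation.
check_l2tp_ipsec_ports() {
    ss_text=$1 ipt_text=$2 rc=0
    policy=$(printf '%s\n' "$ipt_text" | input_policy)
    for p in 500 4500; do
        owner=$(printf '%s\n' "$ss_text" | udp_owner "$p") ||
            { echo "udp/$p: nothing listening"; rc=1; continue; }
        [ -n "$owner" ] || owner=unknown
        if [ "$owner" != "vpnserver" ]; then
            echo "udp/$p: bound by $owner, not vpnserver"; rc=1
        fi
        if printf '%s\n' "$ipt_text" | input_accepts_udp "$p"; then
            echo "udp/$p: listening ($owner), INPUT accepts"
        elif [ "$policy" = "ACCEPT" ]; then
            echo "udp/$p: listening ($owner), no rule but INPUT policy is ACCEPT"
        else
            echo "udp/$p: listening ($owner) but INPUT policy is $policy and no ACCEPT rule"; rc=1
        fi
    done
    return $rc
}

# Demonstration on the constructed samples: the healthy ruleset, then a copy
# with the 4500 ACCEPT removed, which a DROP policy turns into a silent hole.
check_l2tp_ipsec_ports "$SAMPLE_SS" "$SAMPLE_IPTABLES" && echo "OK: both ports bound and accepted"
BROKEN_IPTABLES=$(printf '%s\n' "$SAMPLE_IPTABLES" | grep -v -- '--dport 4500')
check_l2tp_ipsec_ports "$SAMPLE_SS" "$BROKEN_IPTABLES" || echo "problem found (exit $?)"
```

On a live server replace the samples with `ss -lunp` and `iptables-save` output (both need root to show process names and the full ruleset). On the Nmap result: for UDP, `open|filtered` only means the probe got neither a UDP reply nor an ICMP port-unreachable, which is exactly how a bound socket that ignores unsolicited datagrams looks, so a remote scan cannot settle the 4500 question by itself; the local socket and ruleset checks above can.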