SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  L2TP/IPSEC VPN behind static NAT not working

    Posted 11-04-2014 05:19

    We have an SRX220 with multiple WAN IPs, and a Draytek router behind it which is used for remote users' VPN connections. The Draytek was previously used directly on another WAN connection, but we are migrating it to be on the SRX's connection, so it now has an internal IP and one of the SRX's IPs is routed to it using static NAT. I have enabled address-persistent as per several other threads, but it still doesn't work - the IKE part seems to work fine, but L2TP data is never received.

     

    security {
        nat {
            source {
                address-persistent;
            }
            static {
                rule-set bt {
                    from interface pp0.0;
                    rule vpn {
                        match {
                            destination-address x.x.x.147/32;
                        }
                        then {
                            static-nat {
                                prefix {
                                    10.0.0.201/32;
                                }
                            }
                        }
                    }
                }
            }
        }
    }

    A log from the old (working) setup:

    Nov  4 11:18:02 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
    Nov  4 11:18:02 draytek draytek: Responding to Main Mode from x.x.x.x
    Nov  4 11:18:02 draytek draytek: Matching General Setup key for dynamic ip client...
    Nov  4 11:18:02 draytek draytek: IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
    Nov  4 11:18:03 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
    Nov  4 11:18:03 draytek draytek: NAT-Traversal: Using RFC 3947, peer is NATed
    Nov  4 11:18:03 draytek draytek: Matching General Setup key for dynamic ip client...
    Nov  4 11:18:03 draytek draytek: IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
    Nov  4 11:18:03 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
    Nov  4 11:18:03 draytek draytek: IKE ==>, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
    Nov  4 11:18:03 draytek draytek: sent MR3, ISAKMP SA established with x.x.x.x. In/Out Index: 66/0
    Nov  4 11:18:03 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x1
    Nov  4 11:18:03 draytek draytek: Receive client L2L remote network setting is 82.108.46.39/32
    Nov  4 11:18:03 draytek draytek: Responding to Quick Mode from x.x.x.x
    Nov  4 11:18:03 draytek draytek: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x1
    Nov  4 11:18:04 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x1
    Nov  4 11:18:04 draytek draytek: IPsec SA established with x.x.x.x. In/Out Index: 66/0
    Nov  4 11:18:04 draytek draytek: L2TP <== Control(0xC802)-L-S Ver:2 Len:107, Tunnel ID:0, Session ID:0, Ns:0, Nr:0
    Nov  4 11:18:04 draytek draytek: L2TP ==> Control(0xC802)-L-S Ver:2 Len:104, Tunnel ID:2, Session ID:0, Ns:0, Nr:1
    Nov  4 11:18:04 draytek draytek: L2TP <== Control(0xC802)-L-S Ver:2 Len:20, Tunnel ID:12, Session ID:0, Ns:1, Nr:1
    Nov  4 11:18:04 draytek draytek: L2TP <== Control(0xC802)-L-S Ver:2 Len:70, Tunnel ID:12, Session ID:0, Ns:2, Nr:1
    Nov  4 11:18:04 draytek draytek: L2TP ==> Control(0xC802)-L-S Ver:2 Len:28, Tunnel ID:2, Session ID:1, Ns:1, Nr:3
    Nov  4 11:18:04 draytek draytek: L2TP <== Control(0xC802)-L-S Ver:2 Len:48, Tunnel ID:12, Session ID:65, Ns:3, Nr:2
    Nov  4 11:18:04 draytek draytek: PPP Start ()
    Nov  4 11:18:04 draytek draytek: PPP Start ()
    Nov  4 11:18:04 draytek draytek: L2TP (VPN-0) ==> Protocol:LCP(c021) ConfReq Identifier:0x00 Authentication Type: CHAP 81 Magic Number: 0x1 ##
    Nov  4 11:18:04 draytek draytek: L2TP (VPN-0) <== Protocol:LCP(c021) ConfReq Identifier:0x00 MRU: 1400 Magic Number: 0x46c4338f Protocol Field Compression Address/Control Field Compression Call Back: 06 ##
    Nov  4 11:18:04 draytek draytek: L2TP (VPN-0) ==> Protocol:LCP(c021) ConfRej Identifier:0x00 Protocol Field Compression Address/Control Field Compression Call Back: 06 ##
    Nov  4 11:18:04 draytek draytek: L2TP (VPN-0) <== Protocol:LCP(c021) ConfNak Identifier:0x00 Authentication Type: PAP ##
    Nov  4 11:18:04 draytek draytek: L2TP (VPN-0) ==> Protocol:LCP(c021) ConfReq Identifier:0x01 Authentication Type: PAP Magic Number: 0x1 ##
    Nov  4 11:18:04 draytek draytek: L2TP (VPN-0) <== Protocol:LCP(c021) ConfReq Identifier:0x01 MRU: 1400 Magic Number: 0x46c4338f ##
    Nov  4 11:18:04 draytek draytek: L2TP (VPN-0) ==> Protocol:LCP(c021) ConfNak Identifier:0x01 MRU: 1442 ##
    Nov  4 11:18:04 draytek draytek: L2TP (VPN-0) <== Protocol:LCP(c021) ConfAck Identifier:0x01 Authentication Type: PAP Magic Number: 0x1 ##
    Nov  4 11:18:04 draytek draytek: L2TP (VPN-0) <== Protocol:LCP(c021) ConfReq Identifier:0x02 MRU: 1400 Magic Number: 0x46c4338f ##
    Nov  4 11:18:04 draytek draytek: L2TP (VPN-0) ==> Protocol:LCP(c021) ConfNak Identifier:0x02 MRU: 1442 ##
    Nov  4 11:18:05 draytek draytek: L2TP (VPN-0) <== Protocol:LCP(c021) ConfReq Identifier:0x03 MRU: 1442 Magic Number: 0x46c4338f ##
    Nov  4 11:18:05 draytek draytek: L2TP (VPN-0) ==> Protocol:LCP(c021) ConfAck Identifier:0x03 MRU: 1442 Magic Number: 0x46c4338f ##
    Nov  4 11:18:05 draytek draytek: L2TP (VPN-0) <== Protocol:LCP(c021) Identification Identifier:0x04Magic Number: 0x46c43SRASV5.20 ##
    Nov  4 11:18:05 draytek draytek: L2TP (VPN-0) ==> Protocol:LCP(c021) CodeRej Identifier:0x04 0c 04 00 12 46 c4 33 8f 4d 53 52 41 53 56 35 2e 32 30 ##
    Nov  4 11:18:05 draytek draytek: L2TP (VPN-0) <== Protocol:LCP(c021) Identification Identifier:0x05Magic Number: 0x46c43SRAS-0-MARYLAND ##
    Nov  4 11:18:05 draytek draytek: L2TP (VPN-0) ==> Protocol:LCP(c021) CodeRej Identifier:0x05 0c 05 00 18 46 c4 33 8f 4d 53 52 41 53 2d 30 2d 4d 41 52 59 4c 41 4e 44 ##
    Nov  4 11:18:05 draytek draytek: L2TP (VPN-0) <== Protocol:LCP(c021) Identification Identifier:0x06Magic Number: ********************* ##
    Nov  4 11:18:05 draytek draytek: L2TP (VPN-0) ==> Protocol:LCP(c021) CodeRej Identifier:0x06 0c 06 00 18 46 c4 33 8f b1 77 29 de 99 61 b7 47 89 78 f9 2f 21 79 40 0a ##
    Nov  4 11:18:05 draytek draytek: L2TP (VPN-0) <== Protocol:PAP(c023) Authenticate-Request Identifier:0x00 Peer-ID:******** Password:****************** ##
    Nov  4 11:18:05 draytek draytek: L2TP (VPN-0) ==> Protocol:PAP(c023) Authenticate-Ack Identifier:0x00 Message: ##
    Nov  4 11:18:05 draytek draytek: L2TP (VPN-0) ==> Protocol:IPCP(8021) ConfReq Identifier:0x00 Compression Type: Van Jacobson Compressed TCP/IP  0f 00 IP Address: 10 0 0 200 ##
    Nov  4 11:18:05 draytek draytek: FreeLDAPCQueryEntry 0 
    Nov  4 11:18:05 draytek draytek: L2TP (VPN-0) <== Protocol:IPCP(8021) ConfReq Identifier:0x07 IP Address: 0 0 0 0 Primary Domain Name Server: 0 0 0 0 Primary NetBIOS Name Server: 0 0 0 0 Secondary Domain Name Server: 0 0 0 0 Secondary NetBIOS Name Server: 0 0 0 0 ##
    Nov  4 11:18:05 draytek draytek: L2TP (VPN-0) <== Protocol:IPCP(8021) ConfRej Identifier:0x00 Compression Type: Van Jacobson Compressed TCP/IP  0f 00 ##
    Nov  4 11:18:05 draytek draytek: L2TP (VPN-0) ==> Protocol:IPCP(8021) ConfRej Identifier:0x07 Primary NetBIOS Name Server: 0 0 0 0 Secondary NetBIOS Name Server: 0 0 0 0 ##
    Nov  4 11:18:05 draytek draytek: L2TP (VPN-0) ==> Protocol:IPCP(8021) ConfReq Identifier:0x01 IP Address: 10 0 0 200 ##
    Nov  4 11:18:06 draytek draytek: L2TP (VPN-0) <== Protocol:IPCP(8021) ConfReq Identifier:0x08 IP Address: 0 0 0 0 Primary Domain Name Server: 0 0 0 0 Secondary Domain Name Server: 0 0 0 0 ##
    Nov  4 11:18:06 draytek draytek: L2TP (VPN-0) ==> Protocol:IPCP(8021) ConfNak Identifier:0x08 IP Address: 10 0 13 2 Primary Domain Name Server: 10 0 0 53 Secondary Domain Name Server: 10 0 0 54 ##
    Nov  4 11:18:06 draytek draytek: L2TP (VPN-0) <== Protocol:IPCP(8021) ConfAck Identifier:0x01 IP Address: 10 0 0 200 ##
    Nov  4 11:18:06 draytek draytek: L2TP (VPN-0) <== Protocol:IPCP(8021) ConfReq Identifier:0x09 IP Address: 10 0 13 2 Primary Domain Name Server: 10 0 0 53 Secondary Domain Name Server: 10 0 0 54 ##
    Nov  4 11:18:06 draytek draytek: L2TP (VPN-0) ==> Protocol:IPCP(8021) ConfAck Identifier:0x09 IP Address: 10 0 13 2 Primary Domain Name Server: 10 0 0 53 Secondary Domain Name Server: 10 0 0 54 ##
    Nov  4 11:18:06 draytek draytek: IPCP Opening (VPN- Remote Dial-in Profile index = 65, Name = , ifno=12); Own IP Address : 10.0.0.200  Peer IP Address : 10.0.13.2
    Nov  4 11:18:06 draytek draytek: IPCP Opening (VPN- Remote Dial-in Profile index = 65, Name = , ifno=12); Own IP Address : 10.0.0.200  Peer IP Address : 10.0.13.2
    Nov  4 11:18:06 draytek draytek: [H2L][UP][L2TP/IPSec][@x.x.x.x]
    Nov  4 11:18:14 draytek draytek: L2TP <== Control(0xC802)-L-S Ver:2 Len:48, Tunnel ID:12, Session ID:65, Ns:3, Nr:2
    Nov  4 11:18:14 draytek draytek: L2TP ==> Control(0xC802)-L-S Ver:2 Len:12, Tunnel ID:2, Session ID:1, Ns:2, Nr:4
    Nov  4 11:18:19 draytek draytek: Local User (MAC=00-00-00-00-00-00): 10.0.13.2:49313 -> 10.0.0.4:9100 (TCP) 
    Nov  4 11:18:19 draytek draytek: L2TP (VPN-0) <== Protocol:LCP(c021) TermReq Identifier:0x0A 46 c4 33 8f 00 3c cd 74 00 00 00 00 ##
    Nov  4 11:18:19 draytek draytek: PPP Closed : Remote Terminating (VPN- Remote Dial-in Profile index = 65, Name = , ifno=12)
    Nov  4 11:18:19 draytek draytek: PPP Closed : Remote Terminating (VPN- Remote Dial-in Profile index = 65, Name = , ifno=12)
    Nov  4 11:18:19 draytek draytek: L2TP (VPN-0) ==> Protocol:LCP(c021) TermAck Identifier:0x0A ##
    Nov  4 11:18:19 draytek draytek: PPP Drop VPN : Remote Dial-in Profile Index = 65, Name = 
    Nov  4 11:18:19 draytek draytek: [H2L][DOWN][L2TP/IPSec][@x.x.x.x]
    Nov  4 11:18:19 draytek draytek: L2TP ==> Control(0xC802)-L-S Ver:2 Len:38, Tunnel ID:2, Session ID:1, Ns:2, Nr:4
    Nov  4 11:18:19 draytek draytek: L2TP ==> Control(0xC802)-L-S Ver:2 Len:38, Tunnel ID:2, Session ID:0, Ns:3, Nr:4
    Nov  4 11:18:19 draytek draytek: L2TP <== Control(0xC802)-L-S Ver:2 Len:38, Tunnel ID:12, Session ID:65, Ns:4, Nr:2

    A log from the current setup:

    Nov  4 11:19:48 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
    Nov  4 11:19:48 draytek draytek: Responding to Main Mode from x.x.x.x
    Nov  4 11:19:48 draytek draytek: Matching General Setup key for dynamic ip client...
    Nov  4 11:19:48 draytek draytek: IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
    Nov  4 11:19:49 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
    Nov  4 11:19:49 draytek draytek: NAT-Traversal: Using RFC 3947, both are NATed
    Nov  4 11:19:49 draytek draytek: Matching General Setup key for dynamic ip client...
    Nov  4 11:19:49 draytek draytek: IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
    Nov  4 11:19:49 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
    Nov  4 11:19:49 draytek draytek: IKE ==>, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
    Nov  4 11:19:49 draytek draytek: sent MR3, ISAKMP SA established with x.x.x.x. In/Out Index: 66/0
    Nov  4 11:19:49 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x1
    Nov  4 11:19:49 draytek draytek: Receive client L2L remote network setting is 81.150.190.147/32
    Nov  4 11:19:49 draytek draytek: Responding to Quick Mode from x.x.x.x
    Nov  4 11:19:49 draytek draytek: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x1
    Nov  4 11:19:49 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x1
    Nov  4 11:19:49 draytek draytek: IPsec SA established with x.x.x.x. In/Out Index: 66/0
    Nov  4 11:19:49 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x2
    Nov  4 11:19:49 draytek draytek: Receive client L2L remote network setting is 81.150.190.147/32
    Nov  4 11:19:49 draytek draytek: Responding to Quick Mode from x.x.x.x
    Nov  4 11:19:49 draytek draytek: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x2
    Nov  4 11:19:49 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x2
    Nov  4 11:19:49 draytek draytek: IPsec SA established with x.x.x.x. In/Out Index: 66/0
    Nov  4 11:19:49 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x30b527a5
    Nov  4 11:19:52 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x3
    Nov  4 11:19:52 draytek draytek: Receive client L2L remote network setting is 81.150.190.147/32
    Nov  4 11:19:52 draytek draytek: Responding to Quick Mode from x.x.x.x
    Nov  4 11:19:52 draytek draytek: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x3
    Nov  4 11:19:52 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x3
    Nov  4 11:19:52 draytek draytek: IPsec SA established with x.x.x.x. In/Out Index: 66/0
    Nov  4 11:19:52 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x53671445
    Nov  4 11:19:56 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x4
    Nov  4 11:19:56 draytek draytek: Receive client L2L remote network setting is 81.150.190.147/32
    Nov  4 11:19:56 draytek draytek: Responding to Quick Mode from x.x.x.x
    Nov  4 11:19:56 draytek draytek: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x4
    Nov  4 11:19:56 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x4
    Nov  4 11:19:56 draytek draytek: IPsec SA established with x.x.x.x. In/Out Index: 66/0
    Nov  4 11:19:56 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x7611648d
    Nov  4 11:20:58 draytek draytek: statistic: WAN1: Tx 0 Kbps, Rx 0 Kbps (5 min average)
    Nov  4 11:20:58 draytek draytek: statistic: WAN2: Tx 0 Kbps, Rx 1 Kbps (5 min average)
    Nov  4 11:20:58 draytek draytek: statistic: Session Usage: 4 (5 min average)

    It appears the L2TP traffic is not reaching the Draytek router, but I haven't found any reason why. One other suggestion was to use address-persistent but this doesn't seem to have made a difference.
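    An added example, not from the original post and not DrayTek or Juniper code: a short Python triage script that parses a DrayTek syslog capture like the two above and reports how far the tunnel got (NAT-T detection, ISAKMP SA, IPsec SA, inbound L2TP control, PPP up), so the "IPsec SA up but no L2TP control traffic" pattern of the current setup is flagged directly. The sample log lines are constructed, condensed from the captures in this post.

```python
"""Triage a DrayTek L2TP/IPsec syslog capture: how far did the tunnel get, and what is the first gap?"""
import re

# Constructed sample input, condensed from the two captures in the post above
# (x.x.x.x is the sanitised peer address, as in the original).
WORKING_LOG = """\
Nov  4 11:18:03 draytek draytek: NAT-Traversal: Using RFC 3947, peer is NATed
Nov  4 11:18:03 draytek draytek: sent MR3, ISAKMP SA established with x.x.x.x. In/Out Index: 66/0
Nov  4 11:18:04 draytek draytek: IPsec SA established with x.x.x.x. In/Out Index: 66/0
Nov  4 11:18:04 draytek draytek: L2TP <== Control(0xC802)-L-S Ver:2 Len:107, Tunnel ID:0, Session ID:0, Ns:0, Nr:0
Nov  4 11:18:06 draytek draytek: [H2L][UP][L2TP/IPSec][@x.x.x.x]
"""
BROKEN_LOG = """\
Nov  4 11:19:49 draytek draytek: NAT-Traversal: Using RFC 3947, both are NATed
Nov  4 11:19:49 draytek draytek: sent MR3, ISAKMP SA established with x.x.x.x. In/Out Index: 66/0
Nov  4 11:19:49 draytek draytek: IPsec SA established with x.x.x.x. In/Out Index: 66/0
Nov  4 11:19:52 draytek draytek: IPsec SA established with x.x.x.x. In/Out Index: 66/0
Nov  4 11:19:56 draytek draytek: IPsec SA established with x.x.x.x. In/Out Index: 66/0
"""

# Milestones matched against the message part of each syslog line, in tunnel order.
MILESTONES = {
    "nat_t":     re.compile(r"NAT-Traversal: Using RFC 3947, (.+)$"),
    "isakmp_sa": re.compile(r"ISAKMP SA established"),
    "ipsec_sa":  re.compile(r"IPsec SA established"),
    "l2tp_ctl":  re.compile(r"L2TP <== Control\("),   # inbound L2TP (UDP/1701) inside the SA
    "ppp_up":    re.compile(r"\[H2L\]\[UP\]\[L2TP/IPSec\]"),
}
# Verdict for the first milestone (after NAT-T) that never appears.
GAPS = [
    ("isakmp_sa", "IKE phase 1 never completed"),
    ("ipsec_sa", "ISAKMP SA up but no IPsec SA negotiated"),
    ("l2tp_ctl", "IPsec SA up but no L2TP control packet arrived: UDP/1701 is not reaching this box"),
    ("ppp_up", "L2TP tunnel started but PPP never reached UP"),
]


def triage(log: str) -> dict:
    """Return milestone counts, the NAT-T detection string and a one-line verdict."""
    found = {"nat_t": None, "isakmp_sa": 0, "ipsec_sa": 0, "l2tp_ctl": 0, "ppp_up": 0}
    for line in log.splitlines():
        msg = line.split("draytek: ", 1)[-1]             # drop the syslog prefix
        for name, rx in MILESTONES.items():
            m = rx.search(msg)
            if m is None:
                continue
            if name == "nat_t":
                found["nat_t"] = m.group(1)              # "peer is NATed" / "both are NATed"
            else:
                found[name] += 1
    # Several IPsec SAs with no L2TP control packet means the client kept renegotiating
    # because nothing it sent inside the tunnel was ever answered.
    found["verdict"] = next((why for key, why in GAPS if not found[key]), "tunnel fully up")
    return found
```

    Run it over the full capture from the current setup and the IPsec SA count climbs while the L2TP count stays at zero, which points at the path between the SRX's static NAT and the DrayTek rather than at IKE.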



  • 2.  RE: L2TP/IPSEC VPN behind static NAT not working

    Posted 11-10-2014 19:53

    Is the Draytek in main mode or an aggressive mode VPN? Because with NAT, generally main mode is not ideal; you want aggressive mode. Also check the IKE ALG on the firewall to make sure it's not getting in the way. Try disabling it under security.



  • 3.  RE: L2TP/IPSEC VPN behind static NAT not working

    Posted 03-09-2016 19:41

    I've got a similar problem with my own SRX220H, with static NAT to a server in the trust zone running SoftEther VPN Server, which provides L2TP over IPsec. It runs fine with an SSG5 and a MIP as well, but once I swap the cable to the SRX220H, the connection fails.

    Please advise what I need to change.



  • 4.  RE: L2TP/IPSEC VPN behind static NAT not working

    Posted 03-10-2016 23:17

    Hello there,

    @ROL801 wrote:

        Please advise what I need to change.

    Swap the cable back? 🙂

    On a more serious note - in what zone is your st0.* interface, assuming you use a route-based VPN?

    Do you have a policy between that zone and the "trust" zone?

    Please post your complete sanitized config from the SRX220H.

    HTH

    Thx

    Alex



  • 5.  RE: L2TP/IPSEC VPN behind static NAT not working

    Posted 03-13-2016 22:14

     

    I'm assuming that your SRX is the public-facing router, with the following configuration:

    security {
        nat {
            source {
                address-persistent;
            }
            static {
                rule-set bt {
                    from interface pp0.0;
                    rule vpn {
                        match {
                            destination-address x.x.x.147/32;
                        }
                        then {
                            static-nat {
                                prefix {
                                    10.0.0.201/32;
                                }
                            }
                        }
                    }
                }
            }
        }
    }

    Please do remember that static NAT is itself persistent; also, the address-persistent snippet above is for source NAT, so it is not useful at all here.

    Can you share the output of show security nat static rule all and see if the counters are incremented?

    If yes, then the SRX config looks good.

    Now check the router on which your tunnel is terminated: since NAT is now in play, this is not the usual IPsec tunnel UDP port 500 setup.

    You need to verify that NAT-T is enabled on your DrayTek software.