We have an SRX220 with multiple WAN IPs, and a Draytek router behind it which is used for remote users' VPN connections. The Draytek was previously used directly on another WAN connection, but we are migrating it to be on the SRX's connection, so it now has an internal IP and one of the SRX's IPs is routed to it using static NAT. I have enabled address-persistent as per several other threads, but it still doesn't work - the IKE part seems to work fine, but L2TP data is never received.
security {
    nat {
        source {
            address-persistent;
        }
        static {
            rule-set bt {
                from interface pp0.0;
                rule vpn {
                    match {
                        destination-address x.x.x.147/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.0.0.201/32;
                            }
                        }
                    }
                }
            }
        }
    }
}
A log from the old (working) setup:
Nov 4 11:18:02 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
Nov 4 11:18:02 draytek draytek: Responding to Main Mode from x.x.x.x
Nov 4 11:18:02 draytek draytek: Matching General Setup key for dynamic ip client...
Nov 4 11:18:02 draytek draytek: IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
Nov 4 11:18:03 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
Nov 4 11:18:03 draytek draytek: NAT-Traversal: Using RFC 3947, peer is NATed
Nov 4 11:18:03 draytek draytek: Matching General Setup key for dynamic ip client...
Nov 4 11:18:03 draytek draytek: IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
Nov 4 11:18:03 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
Nov 4 11:18:03 draytek draytek: IKE ==>, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
Nov 4 11:18:03 draytek draytek: sent MR3, ISAKMP SA established with x.x.x.x. In/Out Index: 66/0
Nov 4 11:18:03 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x1
Nov 4 11:18:03 draytek draytek: Receive client L2L remote network setting is 82.108.46.39/32
Nov 4 11:18:03 draytek draytek: Responding to Quick Mode from x.x.x.x
Nov 4 11:18:03 draytek draytek: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x1
Nov 4 11:18:04 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x1
Nov 4 11:18:04 draytek draytek: IPsec SA established with x.x.x.x. In/Out Index: 66/0
Nov 4 11:18:04 draytek draytek: L2TP <== Control(0xC802)-L-S Ver:2 Len:107, Tunnel ID:0, Session ID:0, Ns:0, Nr:0
Nov 4 11:18:04 draytek draytek: L2TP ==> Control(0xC802)-L-S Ver:2 Len:104, Tunnel ID:2, Session ID:0, Ns:0, Nr:1
Nov 4 11:18:04 draytek draytek: L2TP <== Control(0xC802)-L-S Ver:2 Len:20, Tunnel ID:12, Session ID:0, Ns:1, Nr:1
Nov 4 11:18:04 draytek draytek: L2TP <== Control(0xC802)-L-S Ver:2 Len:70, Tunnel ID:12, Session ID:0, Ns:2, Nr:1
Nov 4 11:18:04 draytek draytek: L2TP ==> Control(0xC802)-L-S Ver:2 Len:28, Tunnel ID:2, Session ID:1, Ns:1, Nr:3
Nov 4 11:18:04 draytek draytek: L2TP <== Control(0xC802)-L-S Ver:2 Len:48, Tunnel ID:12, Session ID:65, Ns:3, Nr:2
Nov 4 11:18:04 draytek draytek: PPP Start ()
Nov 4 11:18:04 draytek draytek: PPP Start ()
Nov 4 11:18:04 draytek draytek: L2TP (VPN-0) ==> Protocol:LCP(c021) ConfReq Identifier:0x00 Authentication Type: CHAP 81 Magic Number: 0x1 ##
Nov 4 11:18:04 draytek draytek: L2TP (VPN-0) <== Protocol:LCP(c021) ConfReq Identifier:0x00 MRU: 1400 Magic Number: 0x46c4338f Protocol Field Compression Address/Control Field Compression Call Back: 06 ##
Nov 4 11:18:04 draytek draytek: L2TP (VPN-0) ==> Protocol:LCP(c021) ConfRej Identifier:0x00 Protocol Field Compression Address/Control Field Compression Call Back: 06 ##
Nov 4 11:18:04 draytek draytek: L2TP (VPN-0) <== Protocol:LCP(c021) ConfNak Identifier:0x00 Authentication Type: PAP ##
Nov 4 11:18:04 draytek draytek: L2TP (VPN-0) ==> Protocol:LCP(c021) ConfReq Identifier:0x01 Authentication Type: PAP Magic Number: 0x1 ##
Nov 4 11:18:04 draytek draytek: L2TP (VPN-0) <== Protocol:LCP(c021) ConfReq Identifier:0x01 MRU: 1400 Magic Number: 0x46c4338f ##
Nov 4 11:18:04 draytek draytek: L2TP (VPN-0) ==> Protocol:LCP(c021) ConfNak Identifier:0x01 MRU: 1442 ##
Nov 4 11:18:04 draytek draytek: L2TP (VPN-0) <== Protocol:LCP(c021) ConfAck Identifier:0x01 Authentication Type: PAP Magic Number: 0x1 ##
Nov 4 11:18:04 draytek draytek: L2TP (VPN-0) <== Protocol:LCP(c021) ConfReq Identifier:0x02 MRU: 1400 Magic Number: 0x46c4338f ##
Nov 4 11:18:04 draytek draytek: L2TP (VPN-0) ==> Protocol:LCP(c021) ConfNak Identifier:0x02 MRU: 1442 ##
Nov 4 11:18:05 draytek draytek: L2TP (VPN-0) <== Protocol:LCP(c021) ConfReq Identifier:0x03 MRU: 1442 Magic Number: 0x46c4338f ##
Nov 4 11:18:05 draytek draytek: L2TP (VPN-0) ==> Protocol:LCP(c021) ConfAck Identifier:0x03 MRU: 1442 Magic Number: 0x46c4338f ##
Nov 4 11:18:05 draytek draytek: L2TP (VPN-0) <== Protocol:LCP(c021) Identification Identifier:0x04Magic Number: 0x46c43SRASV5.20 ##
Nov 4 11:18:05 draytek draytek: L2TP (VPN-0) ==> Protocol:LCP(c021) CodeRej Identifier:0x04 0c 04 00 12 46 c4 33 8f 4d 53 52 41 53 56 35 2e 32 30 ##
Nov 4 11:18:05 draytek draytek: L2TP (VPN-0) <== Protocol:LCP(c021) Identification Identifier:0x05Magic Number: 0x46c43SRAS-0-MARYLAND ##
Nov 4 11:18:05 draytek draytek: L2TP (VPN-0) ==> Protocol:LCP(c021) CodeRej Identifier:0x05 0c 05 00 18 46 c4 33 8f 4d 53 52 41 53 2d 30 2d 4d 41 52 59 4c 41 4e 44 ##
Nov 4 11:18:05 draytek draytek: L2TP (VPN-0) <== Protocol:LCP(c021) Identification Identifier:0x06Magic Number: ********************* ##
Nov 4 11:18:05 draytek draytek: L2TP (VPN-0) ==> Protocol:LCP(c021) CodeRej Identifier:0x06 0c 06 00 18 46 c4 33 8f b1 77 29 de 99 61 b7 47 89 78 f9 2f 21 79 40 0a ##
Nov 4 11:18:05 draytek draytek: L2TP (VPN-0) <== Protocol:PAP(c023) Authenticate-Request Identifier:0x00 Peer-ID:******** Password:****************** ##
Nov 4 11:18:05 draytek draytek: L2TP (VPN-0) ==> Protocol:PAP(c023) Authenticate-Ack Identifier:0x00 Message: ##
Nov 4 11:18:05 draytek draytek: L2TP (VPN-0) ==> Protocol:IPCP(8021) ConfReq Identifier:0x00 Compression Type: Van Jacobson Compressed TCP/IP 0f 00 IP Address: 10 0 0 200 ##
Nov 4 11:18:05 draytek draytek: FreeLDAPCQueryEntry 0
Nov 4 11:18:05 draytek draytek: L2TP (VPN-0) <== Protocol:IPCP(8021) ConfReq Identifier:0x07 IP Address: 0 0 0 0 Primary Domain Name Server: 0 0 0 0 Primary NetBIOS Name Server: 0 0 0 0 Secondary Domain Name Server: 0 0 0 0 Secondary NetBIOS Name Server: 0 0 0 0 ##
Nov 4 11:18:05 draytek draytek: L2TP (VPN-0) <== Protocol:IPCP(8021) ConfRej Identifier:0x00 Compression Type: Van Jacobson Compressed TCP/IP 0f 00 ##
Nov 4 11:18:05 draytek draytek: L2TP (VPN-0) ==> Protocol:IPCP(8021) ConfRej Identifier:0x07 Primary NetBIOS Name Server: 0 0 0 0 Secondary NetBIOS Name Server: 0 0 0 0 ##
Nov 4 11:18:05 draytek draytek: L2TP (VPN-0) ==> Protocol:IPCP(8021) ConfReq Identifier:0x01 IP Address: 10 0 0 200 ##
Nov 4 11:18:06 draytek draytek: L2TP (VPN-0) <== Protocol:IPCP(8021) ConfReq Identifier:0x08 IP Address: 0 0 0 0 Primary Domain Name Server: 0 0 0 0 Secondary Domain Name Server: 0 0 0 0 ##
Nov 4 11:18:06 draytek draytek: L2TP (VPN-0) ==> Protocol:IPCP(8021) ConfNak Identifier:0x08 IP Address: 10 0 13 2 Primary Domain Name Server: 10 0 0 53 Secondary Domain Name Server: 10 0 0 54 ##
Nov 4 11:18:06 draytek draytek: L2TP (VPN-0) <== Protocol:IPCP(8021) ConfAck Identifier:0x01 IP Address: 10 0 0 200 ##
Nov 4 11:18:06 draytek draytek: L2TP (VPN-0) <== Protocol:IPCP(8021) ConfReq Identifier:0x09 IP Address: 10 0 13 2 Primary Domain Name Server: 10 0 0 53 Secondary Domain Name Server: 10 0 0 54 ##
Nov 4 11:18:06 draytek draytek: L2TP (VPN-0) ==> Protocol:IPCP(8021) ConfAck Identifier:0x09 IP Address: 10 0 13 2 Primary Domain Name Server: 10 0 0 53 Secondary Domain Name Server: 10 0 0 54 ##
Nov 4 11:18:06 draytek draytek: IPCP Opening (VPN- Remote Dial-in Profile index = 65, Name = , ifno=12); Own IP Address : 10.0.0.200 Peer IP Address : 10.0.13.2
Nov 4 11:18:06 draytek draytek: IPCP Opening (VPN- Remote Dial-in Profile index = 65, Name = , ifno=12); Own IP Address : 10.0.0.200 Peer IP Address : 10.0.13.2
Nov 4 11:18:06 draytek draytek: [H2L][UP][L2TP/IPSec][@x.x.x.x]
Nov 4 11:18:14 draytek draytek: L2TP <== Control(0xC802)-L-S Ver:2 Len:48, Tunnel ID:12, Session ID:65, Ns:3, Nr:2
Nov 4 11:18:14 draytek draytek: L2TP ==> Control(0xC802)-L-S Ver:2 Len:12, Tunnel ID:2, Session ID:1, Ns:2, Nr:4
Nov 4 11:18:19 draytek draytek: Local User (MAC=00-00-00-00-00-00): 10.0.13.2:49313 -> 10.0.0.4:9100 (TCP)
Nov 4 11:18:19 draytek draytek: L2TP (VPN-0) <== Protocol:LCP(c021) TermReq Identifier:0x0A 46 c4 33 8f 00 3c cd 74 00 00 00 00 ##
Nov 4 11:18:19 draytek draytek: PPP Closed : Remote Terminating (VPN- Remote Dial-in Profile index = 65, Name = , ifno=12)
Nov 4 11:18:19 draytek draytek: PPP Closed : Remote Terminating (VPN- Remote Dial-in Profile index = 65, Name = , ifno=12)
Nov 4 11:18:19 draytek draytek: L2TP (VPN-0) ==> Protocol:LCP(c021) TermAck Identifier:0x0A ##
Nov 4 11:18:19 draytek draytek: PPP Drop VPN : Remote Dial-in Profile Index = 65, Name =
Nov 4 11:18:19 draytek draytek: [H2L][DOWN][L2TP/IPSec][@x.x.x.x]
Nov 4 11:18:19 draytek draytek: L2TP ==> Control(0xC802)-L-S Ver:2 Len:38, Tunnel ID:2, Session ID:1, Ns:2, Nr:4
Nov 4 11:18:19 draytek draytek: L2TP ==> Control(0xC802)-L-S Ver:2 Len:38, Tunnel ID:2, Session ID:0, Ns:3, Nr:4
Nov 4 11:18:19 draytek draytek: L2TP <== Control(0xC802)-L-S Ver:2 Len:38, Tunnel ID:12, Session ID:65, Ns:4, Nr:2
A log from the current setup:
Nov 4 11:19:48 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
Nov 4 11:19:48 draytek draytek: Responding to Main Mode from x.x.x.x
Nov 4 11:19:48 draytek draytek: Matching General Setup key for dynamic ip client...
Nov 4 11:19:48 draytek draytek: IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
Nov 4 11:19:49 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
Nov 4 11:19:49 draytek draytek: NAT-Traversal: Using RFC 3947, both are NATed
Nov 4 11:19:49 draytek draytek: Matching General Setup key for dynamic ip client...
Nov 4 11:19:49 draytek draytek: IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
Nov 4 11:19:49 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
Nov 4 11:19:49 draytek draytek: IKE ==>, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
Nov 4 11:19:49 draytek draytek: sent MR3, ISAKMP SA established with x.x.x.x. In/Out Index: 66/0
Nov 4 11:19:49 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x1
Nov 4 11:19:49 draytek draytek: Receive client L2L remote network setting is 81.150.190.147/32
Nov 4 11:19:49 draytek draytek: Responding to Quick Mode from x.x.x.x
Nov 4 11:19:49 draytek draytek: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x1
Nov 4 11:19:49 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x1
Nov 4 11:19:49 draytek draytek: IPsec SA established with x.x.x.x. In/Out Index: 66/0
Nov 4 11:19:49 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x2
Nov 4 11:19:49 draytek draytek: Receive client L2L remote network setting is 81.150.190.147/32
Nov 4 11:19:49 draytek draytek: Responding to Quick Mode from x.x.x.x
Nov 4 11:19:49 draytek draytek: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x2
Nov 4 11:19:49 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x2
Nov 4 11:19:49 draytek draytek: IPsec SA established with x.x.x.x. In/Out Index: 66/0
Nov 4 11:19:49 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x30b527a5
Nov 4 11:19:52 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x3
Nov 4 11:19:52 draytek draytek: Receive client L2L remote network setting is 81.150.190.147/32
Nov 4 11:19:52 draytek draytek: Responding to Quick Mode from x.x.x.x
Nov 4 11:19:52 draytek draytek: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x3
Nov 4 11:19:52 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x3
Nov 4 11:19:52 draytek draytek: IPsec SA established with x.x.x.x. In/Out Index: 66/0
Nov 4 11:19:52 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x53671445
Nov 4 11:19:56 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x4
Nov 4 11:19:56 draytek draytek: Receive client L2L remote network setting is 81.150.190.147/32
Nov 4 11:19:56 draytek draytek: Responding to Quick Mode from x.x.x.x
Nov 4 11:19:56 draytek draytek: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x4
Nov 4 11:19:56 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x4
Nov 4 11:19:56 draytek draytek: IPsec SA established with x.x.x.x. In/Out Index: 66/0
Nov 4 11:19:56 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x7611648d
Nov 4 11:20:58 draytek draytek: statistic: WAN1: Tx 0 Kbps, Rx 0 Kbps (5 min average)
Nov 4 11:20:58 draytek draytek: statistic: WAN2: Tx 0 Kbps, Rx 1 Kbps (5 min average)
Nov 4 11:20:58 draytek draytek: statistic: Session Usage: 4 (5 min average)
It appears the L2TP traffic is not reaching the Draytek router, but I haven't found any reason why. One other suggestion was to use address-persistent but this doesn't seem to have made a difference.
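As an added diagnostic (not part of the original post, and not Draytek or Juniper code), the following Python script walks Draytek syslog lines of the kind quoted above and reports how far a dial-in attempt got: the NAT-Traversal verdict, how many IPsec SAs and informational exchanges were seen, and whether any L2TP control message ever arrived inside the tunnel. The sample lines are constructed excerpts modelled on the two captures, and the stage names are the script's own labels.

```python
import re

# Constructed excerpts modelled on the Draytek syslog lines quoted above,
# trimmed to the lines the analyser keys on; not real captures.
OLD_LOG = """\
Nov 4 11:18:03 draytek draytek: NAT-Traversal: Using RFC 3947, peer is NATed
Nov 4 11:18:03 draytek draytek: sent MR3, ISAKMP SA established with x.x.x.x. In/Out Index: 66/0
Nov 4 11:18:04 draytek draytek: IPsec SA established with x.x.x.x. In/Out Index: 66/0
Nov 4 11:18:04 draytek draytek: L2TP <== Control(0xC802)-L-S Ver:2 Len:107, Tunnel ID:0, Session ID:0, Ns:0, Nr:0
Nov 4 11:18:06 draytek draytek: [H2L][UP][L2TP/IPSec][@x.x.x.x]
"""
NEW_LOG = """\
Nov 4 11:19:49 draytek draytek: NAT-Traversal: Using RFC 3947, both are NATed
Nov 4 11:19:49 draytek draytek: sent MR3, ISAKMP SA established with x.x.x.x. In/Out Index: 66/0
Nov 4 11:19:49 draytek draytek: IPsec SA established with x.x.x.x. In/Out Index: 66/0
Nov 4 11:19:49 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x30b527a5
Nov 4 11:19:52 draytek draytek: IPsec SA established with x.x.x.x. In/Out Index: 66/0
Nov 4 11:19:52 draytek draytek: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x53671445
"""
# Syslog prefix "Nov 4 11:19:49 draytek draytek: " followed by the router's message.
LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+\S+:\s+(?P<msg>.*)$")

def summarise(log: str) -> dict:
    # Count the handshake milestones of one dial-in attempt.
    s = {"nat_t": None, "isakmp_sa": 0, "ipsec_sa": 0,
         "informational": 0, "l2tp_in": 0, "ppp_up": False}
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # unrelated or truncated line
        msg = m.group("msg")
        if msg.startswith("NAT-Traversal:"):
            s["nat_t"] = msg.split(",", 1)[1].strip()  # e.g. "both are NATed"
        elif "ISAKMP SA established" in msg:
            s["isakmp_sa"] += 1
        elif "IPsec SA established" in msg:
            s["ipsec_sa"] += 1           # repeated counts mean Quick Mode was redone
        elif "Exchange Type = 0x5" in msg:
            s["informational"] += 1      # ISAKMP informational (notify/delete) from the peer
        elif msg.startswith("L2TP <=="):
            s["l2tp_in"] += 1            # an L2TP control message arrived inside the tunnel
        elif "[UP][L2TP/IPSec]" in msg:
            s["ppp_up"] = True
    return s

def stage(s: dict) -> str:
    # Name the point at which the attempt stopped making progress.
    if s["isakmp_sa"] == 0:
        return "ike-phase1-failed"
    if s["ipsec_sa"] == 0:
        return "ike-phase2-failed"
    if s["l2tp_in"] == 0:
        return "ipsec-up-no-l2tp-received"  # tunnel is up but no UDP 1701 payload reached the router
    return "l2tp-up" if s["ppp_up"] else "l2tp-started"
```

Run against the two full captures, the old one ends at l2tp-up while the new one stops at ipsec-up-no-l2tp-received with a changed NAT-T verdict, which narrows the fault to the path between the SRX and the Draytek rather than to IKE.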