HPE Community
Security e-Series
1752749 Members
4926 Online
108789 Solutions
New Discussion

Re: L2TP/IPSEC VPN behind NAT with HP 10500/11900/7500 20Gbps VPN FW Mod JG372A

 
seba3d
Collector

‎08-26-2015 02:39 AM

‎08-26-2015 02:39 AM

L2TP/IPSEC VPN behind NAT with HP 10500/11900/7500 20Gbps VPN FW Mod JG372A

Hi all,

I'm trying to setup a L2TP/IPSEC VPN with my HP VPN FW Mod JG372A behind NAT.

All manuals and guides that I read explains how to setup a site-to-site vpn L2TP/IPSEC only, but I want to setup a client-to-site one.

The HP Firewall is behind a NAT device.

I want to be able to connect to my office LAN with my Windows 7 client (or my mobile device) from outside the office LAN

 

Here is the configuration:

 

 

[HP]di cu
#
version 5.20.108, Release 3819P01
#
sysname HP
#
l2tp enable
#
undo voice vlan mac-address 00e0-bb00-0000
#
domain default enable system
#
undo alg ftp
undo alg dns
undo alg rtsp
undo alg h323
undo alg sip
undo alg sqlnet
undo alg ils
undo alg nbt
undo alg msn
undo alg qq
undo alg tftp
undo alg sccp
undo alg gtp
#
session synchronization enable
#
password-recovery enable
#
acl number 3101
rule 0 permit udp destination-port eq 1701
rule 5 permit udp source-port eq 1701
#
vlan 1
#
radius scheme radius1
primary authentication 172.0.0.2
primary accounting 172.0.0.2
secondary authentication 172.0.0.3
secondary accounting 172.0.0.3
key authentication cipher 1234
key accounting cipher 1234
#
domain domain1
authentication default radius-scheme radius1
authorization default radius-scheme radius1
accounting default radius-scheme radius1
access-limit disable
state active
idle-cut disable
self-service-url disable
ip pool 1 172.16.0.10 172.16.0.20
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
pki domain default
crl check disable
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
sa duration 28800
#
ike peer inode
exchange-mode aggressive
pre-shared-key cipher $c$3$ao83gxoY0Cfngx2U9HYH6VY5FBtOPpA6dpZkEQ==
#
ipsec transform-set for_inode
encapsulation-mode transport
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ipsec policy-template temp_inode 1
security acl 3101
ike-peer inode
transform-set for_inode
#
ipsec policy policy_inode 1 isakmp template temp_inode
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher 1234
authorization-attribute level 3
service-type telnet
service-type web
local-user vpnuser
password cipher 1234
service-type ppp
#
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 0
#
interface Virtual-Template0
ppp authentication-mode ms-chap-v2 domain domain1
remote address pool 1
ip address 172.16.0.1 255.255.255.0
#
interface NULL0
#
interface GigabitEthernet0/1
port link-mode route
#
interface GigabitEthernet0/2
port link-mode route
#
interface Ten-GigabitEthernet0/1
port link-mode route
#
interface Ten-GigabitEthernet0/1.10
vlan-type dot1q vid 10
ip address 172.0.0.4 255.255.255.0
#
interface Ten-GigabitEthernet0/1.4010
vlan-type dot1q vid 4010
ip address 10.10.10.1 255.255.255.240
ipsec policy policy_inode
#
interface Ten-GigabitEthernet0/1.4094
vlan-type dot1q vid 4094
ip address 10.1.0.2 255.255.255.240
#
interface Ten-GigabitEthernet0/2
port link-mode route
#
interface Ten-GigabitEthernet0/3
port link-mode route
#
interface Ten-GigabitEthernet0/4
port link-mode route
#
vd Root id 1
#
zone name Management id 0
priority 100
zone name Local id 1
priority 100
zone name Trust id 2
priority 85
import interface Virtual-Template0
import interface Ten-GigabitEthernet0/1.4094
zone name DMZ id 3
priority 50
zone name Untrust id 4
priority 5
import interface Ten-GigabitEthernet0/1.4010
switchto vd Root
zone name Management id 0
ip virtual-reassembly
zone name Local id 1
ip virtual-reassembly
zone name Trust id 2
ip virtual-reassembly
zone name DMZ id 3
ip virtual-reassembly
zone name Untrust id 4
ip virtual-reassembly
#
ip route-static 0.0.0.0 0.0.0.0 10.1.0.1
ip route-static 172.0.0.0 255.255.255.0 172.0.0.1
#
load xml-configuration
#
user-interface con 0
user-interface aux 0
authentication-mode none
user privilege level 3
user-interface vty 0 4
authentication-mode scheme
#
return
[HP]

 

Debugging Firewall side I've got the following error just before to establish the L2TP Tunnel:

"Drop packet due to no match IPsec policy"

If I try to connect from inside the LAN (without passing the NAT device) everything works.

 

I've tried also enabling nat traversal and applying this Microsoft KB but nothing is changed.

 

Help would be very appreciated

 

Thanks

Bye

 

0 Kudos
3 REPLIES 3
GoodiesHQ
Occasional Contributor

‎09-13-2015 11:38 PM

‎09-13-2015 11:38 PM

Re: L2TP/IPSEC VPN behind NAT with HP 10500/11900/7500 20Gbps VPN FW Mod JG372A

Do you have the source NAT configured correctly on the NAT-perfoming device? That's what this sounds like.

0 Kudos
seba3d
Collector

‎09-17-2015 02:16 AM

‎09-17-2015 02:16 AM

Re: L2TP/IPSEC VPN behind NAT with HP 10500/11900/7500 20Gbps VPN FW Mod JG372A

 

@GoodiesHQ wrote:

Do you have the source NAT configured correctly on the NAT-perfoming device? That's what this sounds like.

I configure NAT on two different devices... Same result.

Moreover I successfully setup a L2TP/IPSec VPN on Microsoft RRAS 2012 behind the same NAT device.

NAT device is not the problem.

0 Kudos
FQuintino
Regular Visitor

‎04-04-2016 04:45 PM

‎04-04-2016 04:45 PM

Re: L2TP/IPSEC VPN behind NAT with HP 10500/11900/7500 20Gbps VPN FW Mod JG372A

Hello seba3d, have you solved this issue? I am expirience exactly the same issue and have no answers from HP support.  

Fernando Quintino
IT Analist - Networking
fernando.quintino@ziva.com.br
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.