
Re: L2TP/Ipsec client to site cannot connect with clients if they are behind NAT


L2TP/Ipsec client to site cannot connect with clients if they are behind NAT

I've configured L2TP over IPsec on an HP MSR930 (JG512A), client to site.

I have a problem: when the client is behind NAT it cannot connect.

If I try to connect with a client that is not behind NAT (e.g. from a Windows phone on mobile data) the connection is successful... as soon as I connect to any Wi-Fi network (so I am behind NAT) I cannot connect anymore.

Here is my configuration, if someone can help.

vlan 1
 description *Local LAN*
domain system
 authentication ppp local
 authorization ppp none
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
 ip pool 1
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
ike proposal 2
ike proposal 3
 encryption-algorithm aes-cbc 128
 authentication-algorithm md5
ike proposal 4
 encryption-algorithm aes-cbc 192
 dh group2
ike proposal 5
 encryption-algorithm aes-cbc 256
 dh group2
ike peer l2tpipsec
 exchange-mode aggressive
 proposal 5 1 2 3 4
 pre-shared-key cipher $c$3$/HKpgF5avFmyN7EHYDOsE3w6e4J6xJg/59yPU8U=
 nat traversal
ipsec transform-set l2tpipsec
 encapsulation-mode transport
 transform esp
 esp authentication-algorithm sha1 sha2-256 md5 aes-xcbc-mac
 esp encryption-algorithm 3des des aes-cbc-128 aes-cbc-192 aes-cbc-256 aes-ctr-128 aes-ctr-192 aes-ctr-256
ipsec policy-template ipsecl2tptemplate 1
 connection-name ipsecl2tp
 ike-peer l2tpipsec
 transform-set l2tpipsec
 sa duration traffic-based 1843200
 sa duration time-based 3600
ipsec policy ipsecl2tp 1 isakmp template ipsecl2tptemplate
dhcp server ip-pool lan extended
 network ip range
 network mask
user-group system
 group-attribute allow-guest
local-user admin
 password cipher ***
 authorization-attribute level 3
 service-type ssh telnet terminal
 service-type ppp
 service-type web
undo cwmp enable
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 0
interface Dialer10
 description *Internet*
 nat outbound
 link-protocol ppp
 ppp chap user ***
 ppp chap password cipher ***
 ppp pap local-user fkovac20 password cipher ***
 ppp ipcp dns admit-any
 ppp ipcp dns request
 mtu 1492
 ip address ppp-negotiate
 tcp mss 1024
 dialer user username
 dialer-group 10
 dialer bundle 10
 ipsec policy ipsecl2tp
interface Virtual-Template0
 ppp authentication-mode ms-chap-v2 domain system
 ppp ipcp dns admit-any
 remote address pool 1
 ip address
interface NULL0
interface Vlan-interface1
 description *Local LAN*
 ip address
 tcp mss 1350
 dhcp server apply ip-pool lan
 ip virtual-reassembly
interface GigabitEthernet0/0
 port link-mode route
 description *WAN*
 pppoe-client dial-bundle-number 10
 ip virtual-reassembly
ip route-static Dialer10
dhcp enable
ntp-service unicast-server
dialer-rule 10 ip permit
nms primary monitor-interface Dialer10
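An added config audit (my own example, not code from the thread or from Comware) that parses a flattened Comware dump like the one posted above and flags the NAT-related prerequisites an L2TP/IPsec client-to-site setup depends on: `nat traversal` on the IKE peer, transport-mode ESP in the transform set, and the IPsec policy bound to an interface. The excerpt is constructed from the posted config; it passes all three checks, so a missing NAT-T setting is not what this audit would point at here.

```python
import re
# Constructed excerpt modelled on the MSR930 config posted above (flattened, no indentation).
SAMPLE = """\
ike peer l2tpipsec
nat traversal
ipsec transform-set l2tpipsec
encapsulation-mode transport
ipsec policy-template ipsecl2tptemplate 1
ike-peer l2tpipsec
transform-set l2tpipsec
ipsec policy ipsecl2tp 1 isakmp template ipsecl2tptemplate
interface Dialer10
ipsec policy ipsecl2tp
"""
# Same excerpt with NAT traversal removed, to show the check firing.
SAMPLE_NO_NATT = SAMPLE.replace("nat traversal\n", "")

# Keywords that open a block; following lines attach to that block until the next header.
_HEADERS = ("ike peer ", "ike proposal ", "ipsec transform-set ", "ipsec policy-template ",
            "interface ", "l2tp-group ", "domain ", "local-user ", "dhcp server ip-pool ")

def parse_blocks(text):
    """Group a flattened Comware config into {header line: [member lines]}."""
    blocks, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith(_HEADERS):
            current = line
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line)
    return blocks

def audit_l2tp_ipsec(text):
    """Return findings for missing NAT-T, transport mode, or an unbound IPsec policy."""
    blocks, findings = parse_blocks(text), []
    m = re.search(r"^ipsec policy (\S+) \d+ isakmp template (\S+)", text, re.M)
    if not m:
        return ["no 'ipsec policy ... isakmp template' binding found"]
    policy, template = m.groups()
    tpl = next((v for k, v in blocks.items() if k.startswith(f"ipsec policy-template {template} ")), [])
    peer = next((l.split()[1] for l in tpl if l.startswith("ike-peer ")), None)
    tset = next((l.split()[1] for l in tpl if l.startswith("transform-set ")), None)
    if "nat traversal" not in blocks.get(f"ike peer {peer}", []):
        findings.append(f"ike peer {peer}: 'nat traversal' missing, so clients behind NAT cannot negotiate")
    if "encapsulation-mode transport" not in blocks.get(f"ipsec transform-set {tset}", []):
        findings.append(f"ipsec transform-set {tset}: L2TP/IPsec needs 'encapsulation-mode transport'")
    if not any(k.startswith("interface ") and f"ipsec policy {policy}" in v for k, v in blocks.items()):
        findings.append(f"ipsec policy {policy} is not applied to any interface")
    return findings
```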



Re: L2TP/Ipsec client to site cannot connect with clients if they are behind NAT

Do you have an idea how to make "ike peer" on Comware v7?
I found something like this:

"When the PPP user information matches the specified user, the LAC considers the PPP user to be an L2TP user and initiates tunneling requests to the LNS. You can specify a user by configuring one of the following:
• Fully qualified name—The LAC initiates tunneling requests to the LNS only if the username of a PPP user matches the configured fully qualified name."

Am I right to go this way?