HPE Community
Comware Based
1753679 Members
5628 Online
108799 Solutions
New Discussion

Re: L2TP/Ipsec client to site cannot connect with clients if they are behind NAT

 
JanezKovacic
Occasional Contributor

‎01-24-2017 04:41 AM - edited ‎10-10-2018 01:21 AM

‎01-24-2017 04:41 AM - edited ‎10-10-2018 01:21 AM

L2TP/Ipsec client to site cannot connect with clients if they are behind NAT

Hi!

 

I've configured L2TP over IPSEC on HP MSR930 (JG512A) Client to Site

I have a problem when client is behind nat it cannot connect.

If I try to connect with client who is not behind nat (eg. from Windows phone with Mobile data) connection is succesfull... as soon as i connect on any Wifi network (so i am behind nat) I cannot connect anymore.

Here is my configuration if comeone can help.

vlan 1
description *Local LAN*
#
domain system
authentication ppp local
authorization ppp none
access-limit disable
state active
idle-cut disable
self-service-url disable
ip pool 1 10.0.0.2 10.0.0.50
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
#
ike proposal 2
#
ike proposal 3
encryption-algorithm aes-cbc 128
authentication-algorithm md5
#
ike proposal 4
encryption-algorithm aes-cbc 192
dh group2
#
ike proposal 5
encryption-algorithm aes-cbc 256
dh group2
#
ike peer l2tpipsec
exchange-mode aggressive
proposal 5 1 2 3 4
pre-shared-key cipher $c$3$/HKpgF5avFmyN7EHYDOsE3w6e4J6xJg/59yPU8U=
nat traversal
#
ipsec transform-set l2tpipsec
encapsulation-mode transport
transform esp
esp authentication-algorithm sha1 sha2-256 md5 aes-xcbc-mac
esp encryption-algorithm 3des des aes-cbc-128 aes-cbc-192 aes-cbc-256 aes-ctr-128 aes-ctr-192 aes-ctr-256
#
ipsec policy-template ipsecl2tptemplate 1
connection-name ipsecl2tp
ike-peer l2tpipsec
transform-set l2tpipsec
sa duration traffic-based 1843200
sa duration time-based 3600
#
ipsec policy ipsecl2tp 1 isakmp template ipsecl2tptemplate
#
dhcp server ip-pool lan extended
network ip range 192.168.5.101 192.168.5.150
network mask 255.255.255.0
gateway-list 192.168.5.1
dns-list 193.189.160.13 193.189.160.23
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher ***
authorization-attribute level 3
service-type ssh telnet terminal
service-type ppp
service-type web
#
cwmp
undo cwmp enable
#
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 0
#
interface Dialer10
description *Internet*
nat outbound
link-protocol ppp
ppp chap user ***
ppp chap password cipher ***
ppp pap local-user fkovac20 password cipher ***
ppp ipcp dns admit-any
ppp ipcp dns request
mtu 1492
ip address ppp-negotiate
tcp mss 1024
dialer user username
dialer-group 10
dialer bundle 10
ipsec policy ipsecl2tp
#
interface Virtual-Template0
ppp authentication-mode ms-chap-v2 domain system
ppp ipcp dns admit-any
remote address pool 1
ip address 10.0.0.1 255.0.0.0
#
interface NULL0
#
interface Vlan-interface1
description *Local LAN*
ip address 192.168.5.1 255.255.255.0
tcp mss 1350
dhcp server apply ip-pool lan
ip virtual-reassembly
#
interface GigabitEthernet0/0
port link-mode route
description *WAN*
pppoe-client dial-bundle-number 10
ip virtual-reassembly
#
ip route-static 0.0.0.0 0.0.0.0 Dialer10
#
dhcp enable
#
ntp-service unicast-server 193.77.204.20
#
dialer-rule 10 ip permit
#
nms primary monitor-interface Dialer10

 

0 Kudos
1 REPLY 1
wuwik
Member

‎03-02-2017 02:54 AM

‎03-02-2017 02:54 AM

Re: L2TP/Ipsec client to site cannot connect with clients if they are behind NAT

Do You have an idea how to make "ike peer" on commware v.7 ?
I found somethig like this:

"When the PPP user information matches the specified user, the LAC considers the PPP user to be an L2TP
user and initiates tunneling requests to the LNS.
You can specify a user by configuring one of the following:
• Fully qualified name—The LAC initiates tunneling requests to the LNS only if the username of
a PPP user matches the configured fully qualified name. "

Am I wright to go this way ?
Wuwik

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.