Community Home > Networking > Switching and Routing > Comware Based
01-24-2017 04:41 AM - edited 10-10-2018 01:21 AM
L2TP/Ipsec client to site cannot connect with clients if they are behind NAT
Hi!
I've configured L2TP over IPsec on an HP MSR930 (JG512A), client to site.
I have a problem: when the client is behind NAT it cannot connect.
If I try to connect with a client that is not behind NAT (e.g. from a Windows phone on mobile data) the connection is successful... as soon as I connect to any Wi-Fi network (so I am behind NAT) I cannot connect anymore.
Here is my configuration, if someone can help.
vlan 1
description *Local LAN*
#
domain system
authentication ppp local
authorization ppp none
access-limit disable
state active
idle-cut disable
self-service-url disable
ip pool 1 10.0.0.2 10.0.0.50
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
#
ike proposal 2
#
ike proposal 3
encryption-algorithm aes-cbc 128
authentication-algorithm md5
#
ike proposal 4
encryption-algorithm aes-cbc 192
dh group2
#
ike proposal 5
encryption-algorithm aes-cbc 256
dh group2
#
ike peer l2tpipsec
exchange-mode aggressive
proposal 5 1 2 3 4
pre-shared-key cipher $c$3$/HKpgF5avFmyN7EHYDOsE3w6e4J6xJg/59yPU8U=
nat traversal
#
ipsec transform-set l2tpipsec
encapsulation-mode transport
transform esp
esp authentication-algorithm sha1 sha2-256 md5 aes-xcbc-mac
esp encryption-algorithm 3des des aes-cbc-128 aes-cbc-192 aes-cbc-256 aes-ctr-128 aes-ctr-192 aes-ctr-256
#
ipsec policy-template ipsecl2tptemplate 1
connection-name ipsecl2tp
ike-peer l2tpipsec
transform-set l2tpipsec
sa duration traffic-based 1843200
sa duration time-based 3600
#
ipsec policy ipsecl2tp 1 isakmp template ipsecl2tptemplate
#
dhcp server ip-pool lan extended
network ip range 192.168.5.101 192.168.5.150
network mask 255.255.255.0
gateway-list 192.168.5.1
dns-list 193.189.160.13 193.189.160.23
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher ***
authorization-attribute level 3
service-type ssh telnet terminal
service-type ppp
service-type web
#
cwmp
undo cwmp enable
#
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 0
#
interface Dialer10
description *Internet*
nat outbound
link-protocol ppp
ppp chap user ***
ppp chap password cipher ***
ppp pap local-user fkovac20 password cipher ***
ppp ipcp dns admit-any
ppp ipcp dns request
mtu 1492
ip address ppp-negotiate
tcp mss 1024
dialer user username
dialer-group 10
dialer bundle 10
ipsec policy ipsecl2tp
#
interface Virtual-Template0
ppp authentication-mode ms-chap-v2 domain system
ppp ipcp dns admit-any
remote address pool 1
ip address 10.0.0.1 255.0.0.0
#
interface NULL0
#
interface Vlan-interface1
description *Local LAN*
ip address 192.168.5.1 255.255.255.0
tcp mss 1350
dhcp server apply ip-pool lan
ip virtual-reassembly
#
interface GigabitEthernet0/0
port link-mode route
description *WAN*
pppoe-client dial-bundle-number 10
ip virtual-reassembly
#
ip route-static 0.0.0.0 0.0.0.0 Dialer10
#
dhcp enable
#
ntp-service unicast-server 193.77.204.20
#
dialer-rule 10 ip permit
#
nms primary monitor-interface Dialer10
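The post shows the settings that decide whether an L2TP/IPsec client behind NAT can negotiate at all: the IKE peer must have `nat traversal`, the transform set must use transport mode, and the policy must actually be bound to the WAN interface. The script below is an added example (not part of the post, and not HPE's or Comware's own code) that parses a Comware-style configuration into `#`-delimited sections, follows the chain interface -> ipsec policy -> policy-template -> ike peer / transform-set, and reports what is missing or weak. The embedded config is a trimmed copy of the one posted above; the interface name `Dialer10` and the list of algorithms treated as weak are assumptions of this example.

```python
"""Added example: walk a Comware config and check the L2TP-over-IPsec
settings that matter for clients behind NAT, plus weak algorithm offers.
SAMPLE_CONFIG is a trimmed copy of the configuration in the post."""

SAMPLE_CONFIG = """\
ike peer l2tpipsec
 exchange-mode aggressive
 proposal 5 1 2 3 4
 nat traversal
#
ipsec transform-set l2tpipsec
 encapsulation-mode transport
 transform esp
 esp authentication-algorithm sha1 sha2-256 md5 aes-xcbc-mac
 esp encryption-algorithm 3des des aes-cbc-128 aes-cbc-192 aes-cbc-256
#
ipsec policy-template ipsecl2tptemplate 1
 ike-peer l2tpipsec
 transform-set l2tpipsec
#
ipsec policy ipsecl2tp 1 isakmp template ipsecl2tptemplate
#
interface Dialer10
 nat outbound
 ipsec policy ipsecl2tp
#
"""

# Algorithms this example treats as weak (assumption of the example).
WEAK_ALGORITHMS = {"des", "3des", "md5"}


def parse_sections(text):
    """Split a Comware config into (header, [sub-commands]) tuples.
    Sections are separated by lines containing only '#'."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":
            if current is not None:
                sections.append(current)
            current = None
            continue
        if current is None:
            current = (line, [])          # first line of a section is its header
        else:
            current[1].append(line)
    if current is not None:
        sections.append(current)
    return sections


def find_section(sections, *prefix_words):
    """Body of the first section whose header starts with prefix_words."""
    for header, body in sections:
        if header.split()[: len(prefix_words)] == list(prefix_words):
            return body
    return None


def keyword_arg(body, *keywords):
    """Tokens following a sub-command that starts with keywords; None if absent."""
    n = len(keywords)
    for line in body:
        tokens = line.split()
        if tokens[:n] == list(keywords):
            return tokens[n:]
    return None


def check_l2tp_ipsec(text, wan_interface="Dialer10"):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    sections = parse_sections(text)

    wan = find_section(sections, "interface", wan_interface)
    if wan is None:
        return [f"interface {wan_interface} not found"]
    policy = keyword_arg(wan, "ipsec", "policy")
    if not policy:
        return [f"interface {wan_interface}: no 'ipsec policy' applied"]
    policy_name = policy[0]

    # 'ipsec policy <name> <seq> isakmp template <template>' is a header-only section.
    template_name = None
    for header, _ in sections:
        tokens = header.split()
        if tokens[:3] == ["ipsec", "policy", policy_name] and "template" in tokens:
            template_name = tokens[tokens.index("template") + 1]
    if template_name is None:
        return [f"ipsec policy {policy_name}: no isakmp policy template referenced"]

    template = find_section(sections, "ipsec", "policy-template", template_name)
    if template is None:
        return [f"ipsec policy-template {template_name} not found"]
    peer = keyword_arg(template, "ike-peer")
    tset = keyword_arg(template, "transform-set")

    peer_body = find_section(sections, "ike", "peer", peer[0]) if peer else None
    if peer_body is None:
        findings.append(f"policy-template {template_name}: IKE peer missing")
    elif keyword_arg(peer_body, "nat", "traversal") is None:
        findings.append(f"ike peer {peer[0]}: 'nat traversal' not enabled; "
                        "peers behind NAT cannot switch to UDP/4500 encapsulation")

    tset_body = find_section(sections, "ipsec", "transform-set", tset[0]) if tset else None
    if tset_body is None:
        findings.append(f"policy-template {template_name}: transform-set missing")
    else:
        mode = keyword_arg(tset_body, "encapsulation-mode")
        if mode != ["transport"]:
            findings.append(f"transform-set {tset[0]}: L2TP/IPsec expects "
                            f"encapsulation-mode transport, found {mode}")
        offered = set()
        for line in tset_body:
            tokens = line.split()
            if tokens[:2] in (["esp", "encryption-algorithm"],
                              ["esp", "authentication-algorithm"]):
                offered.update(tokens[2:])
        weak = sorted(offered & WEAK_ALGORITHMS)
        if weak:
            findings.append(f"transform-set {tset[0]}: weak algorithms offered: "
                            + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for finding in check_l2tp_ipsec(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the posted config the checker finds NAT traversal and transport mode in place and only flags the weak DES/3DES/MD5 offers in the transform set; deleting the `nat traversal` line from the sample reproduces the "behind NAT" failure as a finding, which is a quick way to confirm a device's running-config before debugging the client side.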
03-02-2017 02:54 AM
Re: L2TP/Ipsec client to site cannot connect with clients if they are behind NAT
Do you have an idea how to make "ike peer" on Comware v7?
I found something like this:
"When the PPP user information matches the specified user, the LAC considers the PPP user to be an L2TP
user and initiates tunneling requests to the LNS.
You can specify a user by configuring one of the following:
• Fully qualified name—The LAC initiates tunneling requests to the LNS only if the username of
a PPP user matches the configured fully qualified name. "
Am I right to go this way?
Wuwik