L2TP/Ipsec client to site cannot connect with clients if they are behind NAT

JanezKovacic
Occasional Contributor

Hi!

I've configured L2TP over IPsec on an HP MSR930 (JG512A), client to site.

I have a problem: when the client is behind NAT, it cannot connect.

If I try to connect with a client that is not behind NAT (e.g. from a Windows Phone on mobile data), the connection is successful... as soon as I connect to any Wi-Fi network (so I am behind NAT), I cannot connect anymore.

Here is my configuration, if someone can help.

vlan 1
description *Local LAN*
#
domain system
authentication ppp local
authorization ppp none
access-limit disable
state active
idle-cut disable
self-service-url disable
ip pool 1 10.0.0.2 10.0.0.50
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
#
ike proposal 2
#
ike proposal 3
encryption-algorithm aes-cbc 128
authentication-algorithm md5
#
ike proposal 4
encryption-algorithm aes-cbc 192
dh group2
#
ike proposal 5
encryption-algorithm aes-cbc 256
dh group2
#
ike peer l2tpipsec
exchange-mode aggressive
proposal 5 1 2 3 4
pre-shared-key cipher $c$3$/HKpgF5avFmyN7EHYDOsE3w6e4J6xJg/59yPU8U=
nat traversal
#
ipsec transform-set l2tpipsec
encapsulation-mode transport
transform esp
esp authentication-algorithm sha1 sha2-256 md5 aes-xcbc-mac
esp encryption-algorithm 3des des aes-cbc-128 aes-cbc-192 aes-cbc-256 aes-ctr-128 aes-ctr-192 aes-ctr-256
#
ipsec policy-template ipsecl2tptemplate 1
connection-name ipsecl2tp
ike-peer l2tpipsec
transform-set l2tpipsec
sa duration traffic-based 1843200
sa duration time-based 3600
#
ipsec policy ipsecl2tp 1 isakmp template ipsecl2tptemplate
#
dhcp server ip-pool lan extended
network ip range 192.168.5.101 192.168.5.150
network mask 255.255.255.0
gateway-list 192.168.5.1
dns-list 193.189.160.13 193.189.160.23
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher $c$3$Zvg+xjhVa5c/x6+pnATPXiePFVPR3P8FeTNGcU4=
authorization-attribute level 3
service-type ssh telnet terminal
service-type ppp
service-type web
#
cwmp
undo cwmp enable
#
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 0
#
interface Dialer10
description *Internet*
nat outbound
link-protocol ppp
ppp chap user fkovac20
ppp chap password cipher $c$3$SBVoZg841CjQCXszi5LAOX1tuhGvQnnUblZS
ppp pap local-user fkovac20 password cipher $c$3$HP8ZEhavG86bcaXa8pBLPqJwqoYs5oNhOlb8
ppp ipcp dns admit-any
ppp ipcp dns request
mtu 1492
ip address ppp-negotiate
tcp mss 1024
dialer user username
dialer-group 10
dialer bundle 10
ipsec policy ipsecl2tp
#
interface Virtual-Template0
ppp authentication-mode ms-chap-v2 domain system
ppp ipcp dns admit-any
remote address pool 1
ip address 10.0.0.1 255.0.0.0
#
interface NULL0
#
interface Vlan-interface1
description *Local LAN*
ip address 192.168.5.1 255.255.255.0
tcp mss 1350
dhcp server apply ip-pool lan
ip virtual-reassembly
#
interface GigabitEthernet0/0
port link-mode route
description *WAN*
pppoe-client dial-bundle-number 10
ip virtual-reassembly
#
ip route-static 0.0.0.0 0.0.0.0 Dialer10
#
dhcp enable
#
ntp-service unicast-server 193.77.204.20
#
dialer-rule 10 ip permit
#
nms primary monitor-interface Dialer10

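The configuration in the post, run through a checker (an added example, not code from the post or from HPE): it parses the Comware 5 style blocks above, verifies the settings that matter for clients behind NAT (nat traversal on the ike peer, transport mode on the transform set, and that the ipsec policy bound to the WAN interface actually resolves to that peer), and flags the security weaknesses visible in the same config: aggressive mode with a pre-shared key, and DES, 3DES and MD5 in the IKE proposals and ESP transform set. The sample config is a trimmed copy of the posted one with the cipher-text PSK replaced by a placeholder; the note about the platform default for an empty proposal is an assumption to verify against the command reference.

```python
"""Added example: line-based audit of a Comware 5 style L2TP/IPsec configuration for
NAT-traversal prerequisites and weak IKE/ESP settings. Not a full Comware parser."""
import re

WEAK_ENC = {"des", "des-cbc", "3des", "3des-cbc"}
WEAK_AUTH = {"md5"}

# Constructed sample: trimmed copy of the posted config, PSK cipher text replaced.
SAMPLE_CONFIG = """\
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
#
ike proposal 2
#
ike proposal 3
 encryption-algorithm aes-cbc 128
 authentication-algorithm md5
#
ike peer l2tpipsec
 exchange-mode aggressive
 proposal 5 1 2 3 4
 pre-shared-key cipher $c$3$PLACEHOLDER
 nat traversal
#
ipsec transform-set l2tpipsec
 encapsulation-mode transport
 transform esp
 esp authentication-algorithm sha1 sha2-256 md5 aes-xcbc-mac
 esp encryption-algorithm 3des des aes-cbc-128 aes-cbc-192 aes-cbc-256
#
ipsec policy-template ipsecl2tptemplate 1
 ike-peer l2tpipsec
 transform-set l2tpipsec
#
ipsec policy ipsecl2tp 1 isakmp template ipsecl2tptemplate
#
interface Dialer10
 nat outbound
 ipsec policy ipsecl2tp
#
"""


def parse_blocks(text):
    """Split the config into (header, body_lines) blocks delimited by '#' lines."""
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append((current[0], current[1:]))
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append((current[0], current[1:]))
    return blocks


def audit(text):
    """Return a list of (code, message) findings for the configuration text."""
    findings, peers, templates, policies, bindings = [], {}, {}, {}, []
    for header, body in parse_blocks(text):
        words = header.split()
        if header.startswith("ike proposal "):
            enc = next((l.split()[1] for l in body if l.startswith("encryption-algorithm ")), None)
            auth = next((l.split()[1] for l in body if l.startswith("authentication-algorithm ")), None)
            if enc is None:
                # Assumption: an omitted algorithm falls back to the platform default
                # (DES-CBC on Comware 5); flag it so the operator checks the command reference.
                findings.append(("IKE_DEFAULT_ENC", f"{header}: no encryption-algorithm, platform default applies"))
            elif enc in WEAK_ENC:
                findings.append(("WEAK_IKE_ENC", f"{header}: {enc}"))
            if auth in WEAK_AUTH:
                findings.append(("WEAK_IKE_AUTH", f"{header}: {auth}"))
        elif header.startswith("ike peer "):
            peers[words[2]] = body
            if "nat traversal" not in body:
                findings.append(("NAT_T_MISSING", f"{header}: clients behind NAT need 'nat traversal'"))
            if "exchange-mode aggressive" in body and any(l.startswith("pre-shared-key") for l in body):
                findings.append(("AGGRESSIVE_PSK", f"{header}: aggressive mode with a PSK exposes the identity hash to offline PSK guessing"))
        elif header.startswith("ipsec transform-set "):
            if "encapsulation-mode transport" not in body:
                findings.append(("NOT_TRANSPORT", f"{header}: L2TP/IPsec clients negotiate transport mode"))
            for l in body:
                if l.startswith("esp "):
                    weak = sorted(set(l.split()[2:]) & (WEAK_ENC | WEAK_AUTH))
                    if weak:
                        findings.append(("WEAK_ESP", f"{header}: {' '.join(weak)}"))
        elif header.startswith("ipsec policy-template "):
            templates[words[2]] = body
        elif header.startswith("ipsec policy ") and "isakmp template " in header:
            policies[words[2]] = header.split("isakmp template ")[1].strip()
        elif header.startswith("interface "):
            for l in body:
                m = re.match(r"ipsec policy (\S+)", l)
                if m:
                    bindings.append((header, m.group(1)))
    # Resolve interface -> policy -> template -> ike peer after all blocks are read,
    # so the order of blocks in the file does not matter.
    for iface, policy in bindings:
        template = policies.get(policy)
        body = templates.get(template, [])
        peer = next((l.split()[1] for l in body if l.startswith("ike-peer ")), None)
        if template is None or peer not in peers:
            findings.append(("BINDING_BROKEN", f"{iface}: ipsec policy {policy} does not resolve to a defined ike peer"))
        else:
            findings.append(("BINDING_OK", f"{iface}: {policy} -> {template} -> ike peer {peer}"))
    return findings


if __name__ == "__main__":
    for code, message in audit(SAMPLE_CONFIG):
        print(f"{code:16} {message}")
```

On the posted config the NAT-T prerequisites all pass (nat traversal is on, transport mode is set, Dialer10 binds to a policy that resolves to the peer), so the script cannot say why this particular client fails; that needs a capture on the WAN side to confirm IKE moves from UDP 500 to UDP 4500 once NAT is detected. What it does surface is worth fixing regardless of the NAT problem: aggressive mode with a pre-shared key lets anyone who can reach the peer collect the identity hash for offline guessing, and the proposal list and transform set still offer DES, 3DES and MD5. One practitioner caveat: Microsoft's desktop L2TP/IPsec client behind NAT additionally requires the AssumeUDPEncapsulationContextOnSendRule registry value (KB 926179); whether the Windows Phone client in the post needs an equivalent is not something this thread establishes.
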
1 REPLY
wuwik
Member

Re: L2TP/Ipsec client to site cannot connect with clients if they are behind NAT

Do you have an idea how to make "ike peer" on Comware v7?
I found something like this:

"When the PPP user information matches the specified user, the LAC considers the PPP user to be an L2TP
user and initiates tunneling requests to the LNS.
You can specify a user by configuring one of the following:
• Fully qualified name—The LAC initiates tunneling requests to the LNS only if the username of
a PPP user matches the configured fully qualified name. "

Am I right to go this way?
Wuwik