
L2TP/IPSEC VPN behind NAT with HP 10500/11900/7500 20Gbps VPN FW Mod JG372A

seba3d
Collector

Hi all,

I'm trying to set up an L2TP/IPSEC VPN with my HP VPN FW Mod JG372A behind NAT.

All manuals and guides that I read explain how to set up a site-to-site L2TP/IPSEC VPN only, but I want to set up a client-to-site one.

The HP Firewall is behind a NAT device.

I want to be able to connect to my office LAN with my Windows 7 client (or my mobile device) from outside the office LAN.

Here is the configuration:

[HP]di cu
#
version 5.20.108, Release 3819P01
#
sysname HP
#
l2tp enable
#
undo voice vlan mac-address 00e0-bb00-0000
#
domain default enable system
#
undo alg ftp
undo alg dns
undo alg rtsp
undo alg h323
undo alg sip
undo alg sqlnet
undo alg ils
undo alg nbt
undo alg msn
undo alg qq
undo alg tftp
undo alg sccp
undo alg gtp
#
session synchronization enable
#
password-recovery enable
#
acl number 3101
rule 0 permit udp destination-port eq 1701
rule 5 permit udp source-port eq 1701
#
vlan 1
#
radius scheme radius1
primary authentication 172.0.0.2
primary accounting 172.0.0.2
secondary authentication 172.0.0.3
secondary accounting 172.0.0.3
key authentication cipher 1234
key accounting cipher 1234
#
domain domain1
authentication default radius-scheme radius1
authorization default radius-scheme radius1
accounting default radius-scheme radius1
access-limit disable
state active
idle-cut disable
self-service-url disable
ip pool 1 172.16.0.10 172.16.0.20
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
pki domain default
crl check disable
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
sa duration 28800
#
ike peer inode
exchange-mode aggressive
pre-shared-key cipher $c$3$ao83gxoY0Cfngx2U9HYH6VY5FBtOPpA6dpZkEQ==
#
ipsec transform-set for_inode
encapsulation-mode transport
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ipsec policy-template temp_inode 1
security acl 3101
ike-peer inode
transform-set for_inode
#
ipsec policy policy_inode 1 isakmp template temp_inode
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher 1234
authorization-attribute level 3
service-type telnet
service-type web
local-user vpnuser
password cipher 1234
service-type ppp
#
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 0
#
interface Virtual-Template0
ppp authentication-mode ms-chap-v2 domain domain1
remote address pool 1
ip address 172.16.0.1 255.255.255.0
#
interface NULL0
#
interface GigabitEthernet0/1
port link-mode route
#
interface GigabitEthernet0/2
port link-mode route
#
interface Ten-GigabitEthernet0/1
port link-mode route
#
interface Ten-GigabitEthernet0/1.10
vlan-type dot1q vid 10
ip address 172.0.0.4 255.255.255.0
#
interface Ten-GigabitEthernet0/1.4010
vlan-type dot1q vid 4010
ip address 10.10.10.1 255.255.255.240
ipsec policy policy_inode
#
interface Ten-GigabitEthernet0/1.4094
vlan-type dot1q vid 4094
ip address 10.1.0.2 255.255.255.240
#
interface Ten-GigabitEthernet0/2
port link-mode route
#
interface Ten-GigabitEthernet0/3
port link-mode route
#
interface Ten-GigabitEthernet0/4
port link-mode route
#
vd Root id 1
#
zone name Management id 0
priority 100
zone name Local id 1
priority 100
zone name Trust id 2
priority 85
import interface Virtual-Template0
import interface Ten-GigabitEthernet0/1.4094
zone name DMZ id 3
priority 50
zone name Untrust id 4
priority 5
import interface Ten-GigabitEthernet0/1.4010
switchto vd Root
zone name Management id 0
ip virtual-reassembly
zone name Local id 1
ip virtual-reassembly
zone name Trust id 2
ip virtual-reassembly
zone name DMZ id 3
ip virtual-reassembly
zone name Untrust id 4
ip virtual-reassembly
#
ip route-static 0.0.0.0 0.0.0.0 10.1.0.1
ip route-static 172.0.0.0 255.255.255.0 172.0.0.1
#
load xml-configuration
#
user-interface con 0
user-interface aux 0
authentication-mode none
user privilege level 3
user-interface vty 0 4
authentication-mode scheme
#
return
[HP]

Debugging on the firewall side, I get the following error just before the L2TP tunnel is established:

"Drop packet due to no match IPsec policy"

If I try to connect from inside the LAN (without passing the NAT device) everything works.

I've also tried enabling NAT traversal and applying this Microsoft KB, but nothing has changed.

Help would be very much appreciated.

Thanks

Bye
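The log line "Drop packet due to no match IPsec policy" is reported for a packet that reached the interface carrying policy_inode but fell outside the selector of the policy, which here is ACL 3101. The following Python checker (added here as an illustration, not part of the original post or of Comware) parses ACL 3101 in the syntax shown in the configuration above and evaluates it against a set of constructed flows that a client-to-site L2TP/IPsec session produces, so a reader can see which flows the policy template actually selects.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample: ACL 3101 exactly as it appears in the posted configuration.
ACL_3101 = """
acl number 3101
rule 0 permit udp destination-port eq 1701
rule 5 permit udp source-port eq 1701
"""

@dataclass
class Rule:
    number: int
    action: str           # 'permit' or 'deny'
    proto: str            # 'udp', 'tcp', 'ip', ...
    sport: Optional[int]  # 'source-port eq N'; None means any port
    dport: Optional[int]  # 'destination-port eq N'; None means any port

def parse_acl(text: str) -> list[Rule]:
    """Parse 'rule N permit|deny PROTO [source-port eq N] [destination-port eq N]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "rule":
            continue                      # skip 'acl number ...' and blank lines
        sport = dport = None
        for i, t in enumerate(tok):
            if t == "source-port" and tok[i + 1] == "eq":
                sport = int(tok[i + 2])
            elif t == "destination-port" and tok[i + 1] == "eq":
                dport = int(tok[i + 2])
        rules.append(Rule(int(tok[1]), tok[2], tok[3], sport, dport))
    return sorted(rules, key=lambda r: r.number)   # rules are evaluated in number order

def acl_permits(rules: list[Rule], proto: str, sport: int, dport: int) -> bool:
    """First matching rule wins; no match means the packet is outside the IPsec selector."""
    for r in rules:
        if r.proto not in (proto, "ip"):
            continue
        if r.sport is not None and r.sport != sport:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action == "permit"
    return False

# Constructed flows of a client-to-site L2TP/IPsec session: (protocol, source port, destination port).
FLOWS = {
    "ike (udp/500)": ("udp", 500, 500),
    "nat-t (udp/4500)": ("udp", 4500, 4500),
    "l2tp from client (1701->1701)": ("udp", 1701, 1701),
    "l2tp ephemeral src (54321->1701)": ("udp", 54321, 1701),
    "tcp/1701 (not l2tp)": ("tcp", 1701, 1701),
}

def selected_flows(rules: Optional[list[Rule]] = None) -> dict[str, bool]:
    """Map each constructed flow to whether ACL 3101 selects it for IPsec protection."""
    rules = parse_acl(ACL_3101) if rules is None else rules
    return {name: acl_permits(rules, *flow) for name, flow in FLOWS.items()}
```

Only the two L2TP flows come back True; IKE and NAT-T traffic is negotiated by IKE itself and is not expected to match the data-plane selector, so a drop of a flow that should be selected is the one worth comparing against these results.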

GoodiesHQ
Occasional Contributor

Re: L2TP/IPSEC VPN behind NAT with HP 10500/11900/7500 20Gbps VPN FW Mod JG372A

Do you have the source NAT configured correctly on the NAT-performing device? That's what this sounds like.

seba3d
Collector

Re: L2TP/IPSEC VPN behind NAT with HP 10500/11900/7500 20Gbps VPN FW Mod JG372A

@GoodiesHQ wrote:

Do you have the source NAT configured correctly on the NAT-performing device? That's what this sounds like.


I configured NAT on two different devices... Same result.

Moreover, I successfully set up an L2TP/IPSec VPN on Microsoft RRAS 2012 behind the same NAT device.

NAT device is not the problem.

FQuintino
Frequent Visitor

Re: L2TP/IPSEC VPN behind NAT with HP 10500/11900/7500 20Gbps VPN FW Mod JG372A

Hello seba3d, have you solved this issue? I am experiencing exactly the same issue and have no answers from HP support.

Fernando Quintino
IT Analyst - Networking
fernando.quintino@ziva.com.br