08-26-2015 02:39 AM
L2TP/IPSEC VPN behind NAT with HP 10500/11900/7500 20Gbps VPN FW Mod JG372A
Hi all,
I'm trying to set up an L2TP/IPSEC VPN with my HP VPN FW Mod JG372A behind NAT.
All the manuals and guides I have read explain how to set up a site-to-site L2TP/IPSEC VPN only, but I want to set up a client-to-site one.
The HP Firewall is behind a NAT device.
I want to be able to connect to my office LAN with my Windows 7 client (or my mobile device) from outside the office LAN.
Here is the configuration:
[HP]di cu
#
 version 5.20.108, Release 3819P01
#
 sysname HP
#
 l2tp enable
#
 undo voice vlan mac-address 00e0-bb00-0000
#
 domain default enable system
#
 undo alg ftp
 undo alg dns
 undo alg rtsp
 undo alg h323
 undo alg sip
 undo alg sqlnet
 undo alg ils
 undo alg nbt
 undo alg msn
 undo alg qq
 undo alg tftp
 undo alg sccp
 undo alg gtp
#
 session synchronization enable
#
 password-recovery enable
#
acl number 3101
 rule 0 permit udp destination-port eq 1701
 rule 5 permit udp source-port eq 1701
#
vlan 1
#
radius scheme radius1
 primary authentication 172.0.0.2
 primary accounting 172.0.0.2
 secondary authentication 172.0.0.3
 secondary accounting 172.0.0.3
 key authentication cipher 1234
 key accounting cipher 1234
#
domain domain1
 authentication default radius-scheme radius1
 authorization default radius-scheme radius1
 accounting default radius-scheme radius1
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
 ip pool 1 172.16.0.10 172.16.0.20
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
pki domain default
 crl check disable
#
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 sa duration 28800
#
ike peer inode
 exchange-mode aggressive
 pre-shared-key cipher $c$3$ao83gxoY0Cfngx2U9HYH6VY5FBtOPpA6dpZkEQ==
#
ipsec transform-set for_inode
 encapsulation-mode transport
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ipsec policy-template temp_inode 1
 security acl 3101
 ike-peer inode
 transform-set for_inode
#
ipsec policy policy_inode 1 isakmp template temp_inode
#
user-group system
 group-attribute allow-guest
#
local-user admin
 password cipher 1234
 authorization-attribute level 3
 service-type telnet
 service-type web
local-user vpnuser
 password cipher 1234
 service-type ppp
#
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 0
#
interface Virtual-Template0
 ppp authentication-mode ms-chap-v2 domain domain1
 remote address pool 1
 ip address 172.16.0.1 255.255.255.0
#
interface NULL0
#
interface GigabitEthernet0/1
 port link-mode route
#
interface GigabitEthernet0/2
 port link-mode route
#
interface Ten-GigabitEthernet0/1
 port link-mode route
#
interface Ten-GigabitEthernet0/1.10
 vlan-type dot1q vid 10
 ip address 172.0.0.4 255.255.255.0
#
interface Ten-GigabitEthernet0/1.4010
 vlan-type dot1q vid 4010
 ip address 10.10.10.1 255.255.255.240
 ipsec policy policy_inode
#
interface Ten-GigabitEthernet0/1.4094
 vlan-type dot1q vid 4094
 ip address 10.1.0.2 255.255.255.240
#
interface Ten-GigabitEthernet0/2
 port link-mode route
#
interface Ten-GigabitEthernet0/3
 port link-mode route
#
interface Ten-GigabitEthernet0/4
 port link-mode route
#
vd Root id 1
#
zone name Management id 0
 priority 100
zone name Local id 1
 priority 100
zone name Trust id 2
 priority 85
 import interface Virtual-Template0
 import interface Ten-GigabitEthernet0/1.4094
zone name DMZ id 3
 priority 50
zone name Untrust id 4
 priority 5
 import interface Ten-GigabitEthernet0/1.4010
switchto vd Root
zone name Management id 0
 ip virtual-reassembly
zone name Local id 1
 ip virtual-reassembly
zone name Trust id 2
 ip virtual-reassembly
zone name DMZ id 3
 ip virtual-reassembly
zone name Untrust id 4
 ip virtual-reassembly
#
 ip route-static 0.0.0.0 0.0.0.0 10.1.0.1
 ip route-static 172.0.0.0 255.255.255.0 172.0.0.1
#
 load xml-configuration
#
user-interface con 0
user-interface aux 0
 authentication-mode none
 user privilege level 3
user-interface vty 0 4
 authentication-mode scheme
#
return
[HP]
Debugging on the firewall side, I get the following error just before the L2TP tunnel is established:
"Drop packet due to no match IPsec policy"
If I try to connect from inside the LAN (without passing through the NAT device), everything works.
I've also tried enabling NAT traversal and applying this Microsoft KB, but nothing has changed.
Help would be very much appreciated.
Thanks
Bye
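As an added diagnostic example (not from the original post, HP, or any of the repliers), the following Python snippet labels the UDP datagrams a capture on the firewall's outside interface would show during an L2TP/IPsec session that negotiates NAT traversal (RFC 3948 framing on UDP/4500), and mirrors ACL 3101 from the posted configuration so that a cleartext L2TP datagram claimed by the policy template, the kind of packet behind a "no match IPsec policy" drop, stands out. All sample datagrams are constructed; the SPI, ports and payload bytes are placeholders, not values from the thread.

```python
import struct

# RFC 3948 framing on UDP/4500, which a NAT-T capable client switches to
# once IKE phase 1 detects a NAT on the path.
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # IKE carried inside UDP 4500
NAT_KEEPALIVE = b"\xff"                # one-byte keepalive from the client


def classify_udp(dport, payload):
    """Label one UDP datagram as the firewall's outside interface receives it."""
    if dport == 500:
        return "ike"                     # plain ISAKMP, before or without NAT-T
    if dport == 4500:
        if payload == NAT_KEEPALIVE:
            return "nat-keepalive"
        if payload[:4] == NON_ESP_MARKER:
            return "ike-nat-t"           # IKE moved to 4500 after NAT detection
        if len(payload) >= 8:
            spi, seq = struct.unpack("!II", payload[:8])
            if spi != 0:                 # SPI 0 is reserved, so this is ESP
                return f"esp-nat-t spi=0x{spi:08x} seq={seq}"
        return "malformed"
    if dport == 1701:
        return "l2tp-cleartext"          # L2TP arriving outside IPsec
    return "other"


def acl_3101_matches(proto, sport, dport):
    """Mirror of ACL 3101 in the posted config: rule 0 (dst 1701), rule 5 (src 1701)."""
    return proto == "udp" and (dport == 1701 or sport == 1701)


# Constructed datagrams (sport, dport, payload); hypothetical, not captured traffic.
SAMPLES = [
    (500, 500, b"\x11" * 28),                                        # IKE aggressive mode
    (4500, 4500, NON_ESP_MARKER + b"\x11" * 28),                     # IKE after NAT-D
    (4500, 4500, struct.pack("!II", 0x0A0B0C0D, 1) + b"\x22" * 24),  # ESP in UDP
    (4500, 4500, NAT_KEEPALIVE),
    (1701, 1701, b"\xc8\x02\x00\x0c" + b"\x00" * 8),                 # L2TP with no IPsec
]


def triage_all(samples=SAMPLES):
    """(label, acl_3101_hit) per datagram; a cleartext L2TP hit with True is the
    flow the policy template on Ten-GigabitEthernet0/1.4010 expects protected."""
    return [(classify_udp(d, p), acl_3101_matches("udp", s, d)) for s, d, p in samples]


if __name__ == "__main__":
    for (sport, dport, _), (label, hit) in zip(SAMPLES, triage_all()):
        print(f"{sport:>5} -> {dport:<5} {label:<34} acl3101={hit}")
```

Feed real (sport, dport, payload) tuples from a capture on the outside interface into triage_all() to see which datagrams the ACL claims; ESP inside UDP/4500 never hits the ACL, so only an unprotected 1701 flow is a candidate for the drop the post describes.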
09-13-2015 11:38 PM
Re: L2TP/IPSEC VPN behind NAT with HP 10500/11900/7500 20Gbps VPN FW Mod JG372A
Do you have the source NAT configured correctly on the NAT-performing device? That's what this sounds like.
09-17-2015 02:16 AM
Re: L2TP/IPSEC VPN behind NAT with HP 10500/11900/7500 20Gbps VPN FW Mod JG372A
@GoodiesHQ wrote: Do you have the source NAT configured correctly on the NAT-performing device? That's what this sounds like.
I configured NAT on two different devices... Same result.
Moreover, I successfully set up an L2TP/IPSec VPN on Microsoft RRAS 2012 behind the same NAT device.
The NAT device is not the problem.
04-04-2016 04:45 PM
Re: L2TP/IPSEC VPN behind NAT with HP 10500/11900/7500 20Gbps VPN FW Mod JG372A
Hello seba3d, have you solved this issue? I am experiencing exactly the same issue and have no answers from HP support.
IT Analyst - Networking
fernando.quintino@ziva.com.br