WR44 L2TP OVER IPSEC CLIENT WITH WINDOWS SERVER 2008 R2

I’m having trouble configuring your WR44 as an L2TP over IPSEC client of the Windows Server 2008 R2.
RRAS is configured using a preshared key, and all parameters are default.
In the eventlog of the WR44, when I run the ping command I only see the command:
IP Act_Rq to PPP 5-0: s_ip[0.0.0.0] d_ip[192.168.10.12].

The WR44 configuration has been done following the Application Note 26.

Hi

That looks like the WR44 is trying to open a connection but does not have a source address set.

There should be information in the server if there are problems, and it would also need to see the debug.txt from the router to see the configuration.

regards

This is the config:

eth 0 descr "LAN"
eth 0 IPaddr "192.168.1.200"
eth 1 descr "WAN"
eth 1 IPaddr "192.168.33.200"
eth 1 DNSserver "151.99.125.2"
eth 1 secDNS "151.99.125.3"
eth 1 gateway "192.168.33.60"
eth 1 do_nat 2
eth 1 ipsec 1
eth 1 igmp ON
addp 0 enable ON
l2tp 0 remhost "88.39.145.196"
lapb 0 ans OFF
lapb 0 tinact 120
lapb 1 tinact 120
lapb 3 dtemode 0
lapb 3 asyport 5
lapb 3 mux_0710 ON
lapb 4 dtemode 0
lapb 4 dlc 1
lapb 4 asyport 5
lapb 4 virt_async "mux0"
lapb 4 mux_0710 ON
lapb 5 dtemode 0
lapb 5 dlc 2
lapb 5 asyport 5
lapb 5 virt_async "mux1"
lapb 5 mux_0710 ON
lapb 6 dtemode 0
lapb 6 dlc 3
lapb 6 asyport 5
lapb 6 virt_async "mux2"
lapb 6 mux_0710 ON
ip 0 cidr ON
route 0 descr "Route to L2TP VPN"
route 0 IPaddr "10.11.22.0"
route 0 ll_ent "PPP"
route 0 ll_add 5
def_route 0 descr "gw"
def_route 0 ll_ent "ETH"
def_route 0 ll_add 1
eroute 0 descr "IPSec for L2TP"
eroute 0 peerip "88.39.145.196"
eroute 0 ourid "88.39.145.196"
eroute 0 ouridtype 3
eroute 0 locmsk "255.255.255.255"
eroute 0 remip "88.39.145.196"
eroute 0 remmsk "255.255.255.255"
eroute 0 mode "Transport"
eroute 0 ESPauth "MD5"
eroute 0 ESPenc "3DES"
eroute 0 proto "UDP"
eroute 0 locport 1701
eroute 0 remport 1701
eroute 0 lkbytes 100000
eroute 0 authmeth "PRESHARED"
eroute 0 nosa "TRY"
eroute 0 enckeybits 128
dhcp 0 respdelms 500
dhcp 0 mask "255.255.255.0"
dhcp 0 gateway "192.168.1.1"
dhcp 0 DNS "192.168.1.1"
ppp 0 timeout 300
ppp 1 name "W-WAN (Edge 2.5G)"
ppp 1 phonenum "981#"
ppp 1 IPaddr "0.0.0.0"
ppp 1 timeout 0
ppp 1 use_modem 1
ppp 1 aodion 1
ppp 1 autoassert 1
ppp 1 ipanon ON
ppp 1 r_chap OFF
ppp 3 defpak 16
ppp 4 defpak 16
ppp 5 name "PPP for L2TP connection"
ppp 5 l1iface "L2TP"
ppp 5 phonenum "012345"
ppp 5 username "WR44VPN1"
ppp 5 epassword "MSsnDRQdHg0W"
ppp 5 IPaddr "10.11.22.200"
ppp 5 mask "255.255.255.0"
ppp 5 DNSport 53
ppp 5 IPmin "10.10.10.0"
ppp 5 IPrange 5
ppp 5 timeout 60
ppp 5 do_nat 1
ppp 5 metric 1
ppp 5 netip "0.0.0.0"
ppp 5 ip2count 3
ppp 5 ripauth 1
ppp 5 inrip ON
ppp 5 maxneg 80
ppp 5 l_accm "0x00000000"
ppp 5 r_accm "0xffffffff"
ppp 5 l_mru 1500
ppp 5 r_mru 1500
ppp 5 l_acfc ON
ppp 5 r_pap ON
ppp 5 r_chap ON
ppp 5 l_comp ON
ppp 5 l_pfc ON
ppp 5 l_md5 1
ppp 5 r_md5 ON
ppp 5 r_ms1 ON
ppp 5 r_ms2 ON
ppp 5 lcn 1027
ppp 5 defpak 128
ppp 5 baklcn 1027
ike 0 keybits 128
ike 0 retran 1
modemcc 0 asy_add "mux1"
modemcc 0 info_asy_add "mux2"
modemcc 0 init_str "+CGQREQ=1"
modemcc 0 init_str1 "+CGQMIN=1"
modemcc 0 apn "Your.APN.goes.here"
modemcc 0 link_retries 10
modemcc 0 stat_retries 30
modemcc 0 sms_interval 1
modemcc 0 sms_access 1
modemcc 0 sms_concat 0
modemcc 0 init_str_2 "+CGQREQ=1"
modemcc 0 init_str1_2 "+CGQMIN=1"
modemcc 0 apn_2 "Your.APN.goes.here"
modemcc 0 link_retries_2 10
modemcc 0 stat_retries_2 30
modemcc 0 sms_interval_2 1
modemcc 0 sms_access_2 1
modemcc 0 sms_concat_2 0
ana 0 anon ON
ana 0 l1on ON
ana 0 lapdon 0
ana 0 asyon 1
ana 0 logsize 45
cmd 0 unitid "ss%s>"
cmd 0 cmdnua "99"
cmd 0 hostname "digi.router"
cmd 0 asyled_mode 2
cmd 0 tremto 1200
user 0 access 0
user 1 name "username"
user 1 epassword "KD5lSVJDVVg="
user 1 access 0
user 2 access 0
user 3 access 0
user 4 access 0
user 5 name "88.39.145.196"
user 5 epassword "MSsnDRQdHg0W"
user 5 access 4
user 6 access 0
user 7 access 0
user 8 access 0
user 9 access 0
local 0 transaccess 2
sslsvr 0 certfile "cert01.pem"
sslsvr 0 keyfile "privrsa.pem"
ssh 0 hostkey1 "privSSH.pem"
ssh 0 nb_listen 5
ssh 0 v1 OFF
idigi 0 sms_optin ON

'route print'

    Destination          Gateway   Metric   Protocol  Idx Interface  Status
   10.11.22.0/24                       2     Static     0   PPP 5    DOWN
  192.168.1.0/24    192.168.1.200      1      Local     -   ETH 0      UP
 192.168.33.0/24   192.168.33.200      1      Local     -   ETH 1      UP
       0.0.0.0/0                        2     Static     0   ETH 1      UP

This is the EventLog:

11:02:44, 14 Mar 2016,(60) IKE SA Removed. Peer: ,Negotiation Failure
11:02:44, 14 Mar 2016,(60) IKE Negotiation Failed. Peer: ,Retries Exceeded
11:02:44, 14 Mar 2016,LAPB 6 down,Lower deactivated
11:02:44, 14 Mar 2016,LAPB 5 down,Lower deactivated
11:02:44, 14 Mar 2016,LAPB 4 down,Lower deactivated
11:02:44, 14 Mar 2016,LAPB 3 down,Lower deactivated
11:02:38, 14 Mar 2016,PPP 1 down,LL disconnect
11:02:30, 14 Mar 2016,LAPB 6 down,Lower deactivated
11:02:30, 14 Mar 2016,LAPB 5 down,Lower deactivated
11:02:30, 14 Mar 2016,LAPB 4 down,Lower deactivated
11:02:30, 14 Mar 2016,LAPB 3 down,Lower deactivated
11:02:28, 14 Mar 2016,PPP 1 down,LL disconnect
11:02:28, 14 Mar 2016,PPP 5 down,LL disconnect
11:02:24, 14 Mar 2016,(60) New Phase 1 IKE Session 88.39.145.196,Initiator
11:02:24, 14 Mar 2016,IKE Request Received From Eroute 0
11:02:24, 14 Mar 2016,IP Act_Rq to PPP 5-0: s_ip[0.0.0.0] d_ip[10.11.22.200]
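A small triage script for the event log posted above, added here as an example and not part of the original post or of Digi's tooling. The WR44 prints its log newest entry first; the script reorders it, then answers the question a reviewer asks first of an IKE failure: did phase 1 start, did a phase 2 event ever appear, and how long after the first proposal was the negotiation abandoned. The sample lines are copied from the posted log; the substring used to recognise a phase 2 event ("Phase 2") is an assumption about the router's message wording.

```python
"""
Triage a Digi WR44 event log for an IKE negotiation failure.

Added example; not code from the original post or from Digi.
Sample lines are copied from the event log posted in the thread
(newest entry first, as the router prints it).
"""
import re
from datetime import datetime

# Constructed sample: a subset of the posted log, newest first.
SAMPLE_EVENTLOG = """\
11:02:44, 14 Mar 2016,(60) IKE SA Removed. Peer: ,Negotiation Failure
11:02:44, 14 Mar 2016,(60) IKE Negotiation Failed. Peer: ,Retries Exceeded
11:02:28, 14 Mar 2016,PPP 5 down,LL disconnect
11:02:24, 14 Mar 2016,(60) New Phase 1 IKE Session 88.39.145.196,Initiator
11:02:24, 14 Mar 2016,IKE Request Received From Eroute 0
11:02:24, 14 Mar 2016,IP Act_Rq to PPP 5-0: s_ip[0.0.0.0] d_ip[10.11.22.200]
"""

# "HH:MM:SS, DD Mon YYYY,<message>" as the WR44 writes it.
EVENT_RE = re.compile(r"^(\d\d:\d\d:\d\d), (\d\d \w{3} \d{4}),(.*)$")


def parse_eventlog(text):
    """Return events oldest-first as (datetime, message) tuples."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an event line
        ts = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%d %b %Y %H:%M:%S")
        events.append((ts, m.group(3)))
    # The router lists newest first; reverse, then a stable sort keeps
    # same-second entries in the order they actually happened.
    events.reverse()
    events.sort(key=lambda e: e[0])
    return events


def ike_failure_summary(events):
    """Summarise an IKE attempt: phase reached, failure reason, time to fail."""
    start = next((ts for ts, msg in events if "New Phase 1 IKE Session" in msg), None)
    # Assumption: a phase 2 event would contain the words "Phase 2".
    phase2_seen = any("Phase 2" in msg for _, msg in events)
    failed = next(((ts, msg) for ts, msg in events
                   if "IKE Negotiation Failed" in msg), None)
    reason = failed[1].split(",")[-1].strip() if failed else None
    seconds = (failed[0] - start).total_seconds() if (start and failed) else None
    return {
        "phase1_started": start is not None,
        "phase2_seen": phase2_seen,
        "failure_reason": reason,
        "seconds_to_fail": seconds,
    }


if __name__ == "__main__":
    summary = ike_failure_summary(parse_eventlog(SAMPLE_EVENTLOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against the posted log this reports that phase 1 was started as initiator, no phase 2 event was ever logged, and the attempt ended 20 seconds later with "Retries Exceeded": the router kept retransmitting its first proposal and gave up without a usable answer. That pattern is what the later reply in the thread is reasoning from when it narrows the cause to either a rejected proposal or packets not reaching the server.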

Hi

I have not tried this to connect to a 2008R2 server. From the eventlog it looks like it is either failing IKE due to wrong or unsupported encryption

or

it is not passing the firewall on the 2008 server.

The encryption I found on TechNet:

L2TP/IPsec
IKE Main Mode will support:
· Advanced Encryption Standard (AES) 256 (new), AES 192 (new), AES 128 (new), and 3DES encryption algorithms.
· Secure Hash Algorithm 1 (SHA1) integrity check algorithm.
· Diffie-Hellman (DH) groups 19 (new) and 20 (new) for Main Mode negotiation.
IKE Quick Mode will support:
· AES 256 (new), AES 192 (new), AES 128 (new), and 3DES encryption algorithms.
· SHA1 integrity check algorithm.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/1f5aae3c-9ef5-4879-9529-f21d131fd960/windows-server-2008r2-rras-l2tp-connection-to-a-sonicwall?forum=winserverNIS

which would suggest wrong encryption,

and this about the firewall:

http://serverfault.com/questions/710454/how-to-setup-l2tp-ipsec-vpn-server-on-windows-server-2008-r2
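To make the "wrong or unsupported encryption" possibility concrete, here is an added example (not code from the thread, from Digi or from Microsoft) that parses the eroute/ike lines of the posted WR44 configuration and compares the ESP (IKE Quick Mode) proposal against the algorithm list quoted from TechNet above. The supported sets are taken only from that quoted list; the sample config lines are copied from the posted configuration. Phase 1 hash and DH group are not visible in the posted config (only `ike 0 keybits 128`), so the check covers the Quick Mode proposal only.

```python
"""
Compare a Digi WR44 eroute ESP proposal with the Windows Server 2008 R2
RRAS L2TP/IPsec algorithm list quoted from TechNet in the thread.

Added example; not code from the original post, Digi or Microsoft.
"""
import re

# Algorithms the quoted TechNet list says RRAS accepts.
# Main Mode is IKE phase 1; Quick Mode is IKE phase 2 (the ESP SA).
RRAS_SUPPORTED = {
    "main_mode": {"enc": {"AES256", "AES192", "AES128", "3DES"}, "auth": {"SHA1"}},
    "quick_mode": {"enc": {"AES256", "AES192", "AES128", "3DES"}, "auth": {"SHA1"}},
}

# Constructed sample: eroute/ike lines copied from the posted config.
SAMPLE_CONFIG = """\
eroute 0 descr "IPSec for L2TP"
eroute 0 peerip "88.39.145.196"
eroute 0 mode "Transport"
eroute 0 ESPauth "MD5"
eroute 0 ESPenc "3DES"
eroute 0 proto "UDP"
eroute 0 locport 1701
eroute 0 remport 1701
eroute 0 authmeth "PRESHARED"
eroute 0 enckeybits 128
ike 0 keybits 128
"""

# Digi config lines are "<section> <index> <parameter> <value>", with
# string values in double quotes and numeric/ON/OFF values bare.
LINE_RE = re.compile(r'^(\w+)\s+(\d+)\s+(\w+)\s+"?([^"]*)"?\s*$')


def parse_digi_config(text):
    """Return {(section, index): {parameter: value}} for every parsable line."""
    cfg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, idx, param, value = m.groups()
        cfg.setdefault((section, int(idx)), {})[param] = value
    return cfg


def esp_proposal(cfg, eroute=0):
    """Build the ESP proposal the router will offer from its eroute settings."""
    er = cfg[("eroute", eroute)]
    enc = er.get("ESPenc", "").upper()
    # For AES the key length comes from enckeybits; 3DES has a fixed length.
    if enc == "AES" and er.get("enckeybits"):
        enc = f"AES{er['enckeybits']}"
    return {"enc": enc, "auth": er.get("ESPauth", "").upper()}


def check_quick_mode(proposal):
    """Return a list of mismatches against the RRAS Quick Mode list (empty = OK)."""
    sup = RRAS_SUPPORTED["quick_mode"]
    problems = []
    if proposal["enc"] not in sup["enc"]:
        problems.append(f"ESP encryption {proposal['enc']} not in {sorted(sup['enc'])}")
    if proposal["auth"] not in sup["auth"]:
        problems.append(f"ESP integrity {proposal['auth']} not in {sorted(sup['auth'])}")
    return problems


if __name__ == "__main__":
    cfg = parse_digi_config(SAMPLE_CONFIG)
    prop = esp_proposal(cfg)
    print("WR44 offers:", prop)
    for p in check_quick_mode(prop) or ["Quick Mode proposal matches the quoted list"]:
        print(" -", p)
```

On the posted configuration the encryption side passes (3DES is in the list) but the integrity side does not: the eroute offers `ESPauth "MD5"` while the quoted list names SHA1 as the only Quick Mode integrity algorithm. Whether that is what the server rejected cannot be read from the router log alone, since the negotiation never got past phase 1, but it is a mismatch worth removing before looking at the firewall.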

Ok, where to begin…
After getting what you are trying to do working (it took 3 weeks) I now understand why Cisco does not feel the least bit threatened by Microsoft.

First:
You cannot use VPN dial-in to make this work. It doesn’t work; none of the tick boxes and press buttons work (like use static IP, etc.). Forget it. It doesn’t work.

What does work is site-to-site VPN. Set RRAS up for that and have the Digi call in; it works a treat, will route traffic properly, everything.

Cheers,
John