ER605 L2TP Problem
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
I have setup L2TP/IPSec on an ER605 (v1 hardware, 1.1.1 firmware) connected to a Huawei gateway with UDP Ports 500 & 4500 forwarded to the ER605.
With no other changes, (ALG IPSec is on by default) a test connection from an Android phone connects to the VPN without any apparent difficulty or problems.
However, when I try to limit the inbound WAN traffic, I do not see the expected results:
1. Without any Access Control rules, the connection works - so I assume there is no default Block ALL on the inbound WAN if no rules are present. I am familiar with other devices where there is a default block ALL for WAN-IN, but no problem as long as I know.
2. With ALLOW rules for WAN-IN on UDP 500 & 4500, the VPN connection still works. I have assumed that having any ALLOW rules would now trigger a default, and possibly hidden, final Block-All on the WAN-IN route. If so, and the VPN still works, the implication is that no other ALLOW rules are required.
3. If I now add an explicit final BLOCK-ALL on WAN-IN, after the ALLOW rules for 500 & 4500, the VPN fails to connect at all.
It is, as if, the BLOCK-ALL is over-riding the ALLOW rules - which makes no sense.
The only other possibility would be that there is a default ALLOW-ALL on the WAN-IN and my rules in [2] above are effectively redundant and there is, in fact, other traffic on the WAN-IN that (a) doesn't require Port-Forward from the modem but (b) is being permitted by this default ALLOW-ALL setup.
- In which case, can anybody suggest what this traffic is, and the rules needed before the final BLOCK-ALL ?
I have tried adding both WAN-IN and LAN-WAN ALLOW rules for both EPS (50) and AH (51) protocols but this did not make any difference.
Thank you.
Doesn't really need a diagram - modem plugs into single WAN Port1 configured on ER605, WiFi AP on Port 2 and NAS on Port 3.
Rules are below
- L2TP/IPSec VPN works with (a) No Rules at all; and (b) With Rules 1 & 2.
- Stops working when Rule 3 is added.
- Still doesn't work with additional Allow rules for Port 1701; Protocol 50; Protocol 51.
- Also, still doesn't work when the pre-defined "ALL" Service Type - which claims to be "All Protocols" is swapped for one which is "All Ports" - so there is commonality between the Allow & Deny elements.
- Wireshark port mirror shows Phase-1 & Phase-2 negotiation only use ports 500 & 4500 when working, and inbound initial request on Port 500 just being repeated over-and-over when it fails. Whatever is receiving the handshake request is apparently blocked by the firewall rule even though only Ports 500 & 4500 are being used.
The mysterious x_l2tp_Server1 IPSec policy may hold the key, but it is locked out from viewing/editing and every attempt to create a new policy just gives
an error message: "For an IPsec policy with the same IP address at both ends, the parameters in Phase-1 should be kept the same."
