ER605 L2TP Problem

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2021-12-13 13:12:17
Model: ER605 (TL-R605)
Hardware Version: V1
Firmware Version: 1.1.1

I have set up L2TP/IPSec on an ER605 (v1 hardware, 1.1.1 firmware) connected to a Huawei gateway with UDP ports 500 & 4500 forwarded to the ER605.

With no other changes (ALG IPSec is on by default), a test connection from an Android phone connects to the VPN without any apparent difficulty or problems.

However, when I try to limit the inbound WAN traffic, I do not see the expected results:

1. Without any Access Control rules, the connection works - so I assume there is no default Block ALL on the inbound WAN if no rules are present. I am familiar with other devices where there is a default Block ALL for WAN-IN, but no problem as long as I know.

2. With ALLOW rules for WAN-IN on UDP 500 & 4500, the VPN connection still works. I have assumed that having any ALLOW rules would now trigger a default, and possibly hidden, final Block-All on the WAN-IN route. If so, and the VPN still works, the implication is that no other ALLOW rules are required.

3. If I now add an explicit final BLOCK-ALL on WAN-IN, after the ALLOW rules for 500 & 4500, the VPN fails to connect at all.

It is as if the BLOCK-ALL is overriding the ALLOW rules - which makes no sense.

The only other possibility would be that there is a default ALLOW-ALL on the WAN-IN and my rules in [2] above are effectively redundant and there is, in fact, other traffic on the WAN-IN that (a) doesn't require Port-Forward from the modem but (b) is being permitted by this default ALLOW-ALL setup.

- In which case, can anybody suggest what this traffic is, and the rules needed before the final BLOCK-ALL?

I have tried adding both WAN-IN and LAN-WAN ALLOW rules for both ESP (50) and AH (51) protocols but this did not make any difference.

Thank you.

#1
Re:ER605 L2TP Problem
2021-12-14 09:54:28

Dear @IanRP,

IanRP wrote:

I have tried adding both WAN-IN and LAN-WAN ALLOW rules for both ESP (50) and AH (51) protocols but this did not make any difference.

The ER605 NAT rules are like this: as you say, there is a default block-all rule.
But if you create an internal allow entry, then it will take effect, like the port forwarding you mentioned.


For example, if the device behind the router can go out and access an external server, then necessarily the reply data will also be passed back to the internal device. But if the external server notices that it has previously communicated with the internal device and wants to send data to the internal device on its own, then it will be blocked by NAT unless a port forwarding rule is set, etc.

"I have tried adding both WAN-IN and LAN-WAN ALLOW rules for both ESP (50) and AH (51) protocols but this did not make any difference."

Could you please tell us more details about this issue? How did you verify that these settings do not work?

Best Regards!

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
#2
Re:ER605 L2TP Problem
2021-12-14 10:14:49

@Hank21 

Thank you for helping.

Without the Block-All, so just the WAN-IN Allow rules for ports 500 & 4500, the VPN connection works without any issues.

Add the Block-All, and then it doesn't connect at all - not even any sign of a Phase-1 negotiation in the logs.

#3
Re:ER605 L2TP Problem
2021-12-15 06:31:50

Dear @IanRP,

IanRP wrote:

@Hank21 

Without the Block-All, so just the WAN-IN Allow rules for ports 500 & 4500, the VPN connection works without any issues.

Add the Block-All, and then it doesn't connect at all - not even any sign of a Phase-1 negotiation in the logs.

Please try to add another allow rule in front of this block-all to allow UDP port 1701.
I still don't quite understand the purpose of a test like this; could you please explain it one more time?


Please note: the default rule for this router's Access Control is the whitelist rule, which means that traffic is allowed to pass by default when there are no Access Control settings.

Best Regards!

#4
Re:ER605 L2TP Problem
2021-12-15 06:49:21

@Hank21 

1. The purpose is to ensure that only expected, legitimate traffic is allowed in from the WAN - so ALLOWING the required ports and then adding a general DENY rule is, I thought, quite typical.

2. I did try adding 1701 WAN-IN, and adding it to the port forward from the modem box at the same time - and it made no difference.

[As the VPN works with just 500 & 4500 forwarded, I wasn't expecting 1701 to make any difference, but you are right to suggest it as one thing to eliminate.]

#5
Re:ER605 L2TP Problem
2021-12-16 09:50:05

Dear @IanRP,

IanRP wrote:

@Hank21 

1. The purpose is to ensure that only expected, legitimate traffic is allowed in from the WAN - so ALLOWING the required ports and then adding a general DENY rule is, I thought, quite typical.

2. I did try adding 1701 WAN-IN, and adding it to the port forward from the modem box at the same time - and it made no difference.

[As the VPN works with just 500 & 4500 forwarded, I wasn't expecting 1701 to make any difference, but you are right to suggest it as one thing to eliminate.]

Could you please tell me what the physical connection (current topology) of all your devices is? (You can draw a simple diagram of the network topology if you don't mind.)

Please also provide screenshots of all your Access Control and VPN settings.

Did you use the router in standalone mode? Or use a controller to manage it?

If you have the controller, what is the version of it?

Did you set any other advanced settings other than the Access control?

Thanks for your cooperation and patience.

#6
Re:ER605 L2TP Problem
2021-12-19 02:59:31

@Hank21 

Doesn't really need a diagram - modem plugs into the single WAN Port 1 configured on the ER605, WiFi AP on Port 2 and NAS on Port 3.

Rules are below

- L2TP/IPSec VPN works with (a) No Rules at all; and (b) With Rules 1 & 2. 

- Stops working when Rule 3 is added.

- Still doesn't work with additional Allow rules for Port 1701; Protocol 50; Protocol 51.

- Also, still doesn't work when the pre-defined "ALL" Service Type - which claims to be "All Protocols" is swapped for one which is "All Ports" - so there is commonality between the Allow & Deny elements.

- A Wireshark port mirror shows that the Phase-1 & Phase-2 negotiation only uses ports 500 & 4500 when working, and that the inbound initial request on Port 500 is just repeated over and over when it fails. Whatever is receiving the handshake request is apparently blocked by the firewall rule even though only Ports 500 & 4500 are being used.

The mysterious x_l2tp_Server1 IPSec policy may hold the key, but it is locked out from viewing/editing and every attempt to create a new policy just gives an error message: "For an IPsec policy with the same IP address at both ends, the parameters in Phase-1 should be kept the same."

#7
Re:ER605 L2TP Problem
2021-12-19 03:06:40

@IanRP 

Sorry - Other info:

No Controller.

No other advanced features.

IPSec Policy is just the auto-created x_l2tp_Server1

L2TP is simply the below, enabled:

Remember - it works fine without the Block rule.


#8
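To reason about the three WAN-IN rule sets tested in this thread, here is an added first-match ACL simulator (example code written for this page, not ER605 firmware or TP-Link code). It assumes top-down first-match evaluation with a default allow when no rule matches, as Hank21 describes the whitelist default, and models the flows the Wireshark mirror showed (IKE on UDP 500, NAT-T on UDP 4500); plain UDP 1701 and raw ESP are included because with NAT-T the L2TP and ESP traffic travels inside UDP 4500 and never reaches the WAN as a separate flow.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UDP, ESP, AH = 17, 50, 51  # IP protocol numbers used in the thread's rules


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "block"
    proto: Optional[int] = None  # None = any protocol (the router's "ALL" service)
    port: Optional[int] = None   # destination port; None = any port


@dataclass(frozen=True)
class Packet:
    name: str
    proto: int
    dport: Optional[int] = None  # ESP and AH carry no port numbers


def evaluate(rules: List[Rule], pkt: Packet,
             default: str = "allow") -> Tuple[str, Optional[int]]:
    """Top-down first-match evaluation (assumed semantics, see lead-in).

    Returns the action and the index of the rule that decided it, or
    (default, None) when no rule matched."""
    for i, rule in enumerate(rules):
        if rule.proto is not None and rule.proto != pkt.proto:
            continue
        if rule.port is not None and rule.port != pkt.dport:
            continue
        return rule.action, i
    return default, None


# Constructed WAN-IN packets: the two flows seen in the Wireshark mirror,
# plus plain L2TP and raw ESP, which NAT-T wraps inside UDP/4500.
PACKETS = [Packet("IKE", UDP, 500), Packet("NAT-T", UDP, 4500),
           Packet("L2TP plain", UDP, 1701), Packet("ESP raw", ESP)]

RULES_1_2 = [Rule("allow", UDP, 500), Rule("allow", UDP, 4500)]
RULES_1_2_3 = RULES_1_2 + [Rule("block")]  # rule 3: explicit final BLOCK-ALL


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Map each constructed packet to allow/block under the given rule set."""
    return {p.name: evaluate(rules, p)[0] for p in PACKETS}


if __name__ == "__main__":
    for label, rules in (("no rules", []), ("rules 1 & 2", RULES_1_2),
                         ("rules 1, 2, 3", RULES_1_2_3)):
        print(f"{label:14} {verdicts(rules)}")
```

Under these assumptions rules 1 and 2 match before the final BLOCK-ALL, so IKE and NAT-T stay allowed and the extra 1701/50/51 allows are redundant; a device that still blocks 500/4500 with this order is not evaluating the list as a plain first-match ACL, which is the discrepancy worth documenting (rule order, service definitions, mirror capture) when raising it with support.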