L2TP/IPsec VPN -- no reply to Win7
2024-07-17 13:24:47 - last edited 2024-07-19 11:41:31
Tags: #VPN #Windows
Model: ER706W  
Hardware Version: V1
Firmware Version: 1.02

I'm trying to set up an L2TP/IPsec VPN from Windows to an Omada AX3000.

The device is not replying to the Windows client.

The device does reply to ike-scan; the device accepts with proposal MD5/3DES.

So yes, I appear to be on the same network: I can ping the device, I can open local management, I can get a security proposal accepted from a command-line utility on the client machine, and I can see the log entry on the device where the security proposal is accepted.

There is a very explicit FAQ document, "How to configure PPTP/L2TP client on remote PC | TP-Link", but it doesn't say that anything special is required in the way of configuration of the Windows client: just turn it on, add the name and password and pre-shared key.

But when I do that, the negotiation isn't even getting to the PSK stage, let alone the L2TP stage: it's failing on the first step. The key exchange proposal is not just getting rejected, it's getting silently dropped.

I've got Wireshark on the client PC, and I can see the network packets going from the Windows machine to the ER709W. When the packet is generated by ike-scan, the ER709W replies with an acceptance packet. When the packet is generated by Windows, there is no reply.

Windows is using source port 500, destination port 500.

ike-scan is using source port (random), destination port (500 or 4500).

Wireshark is not reporting a malformed packet: the IPsec analyzer is describing the packets without reporting any errors. Both 500 and 4500 work correctly.

(ike-scan is using a random source port because Windows is holding onto 500; ike-scan is using destination port 500, or 4500 if I add NAT traversal.)

(ike-scan has poor support for quick/aggressive mode, but when I try it, I get a correct AUTHENTICATION_FAILED response. The packet is not dropped.)

(If ike-scan proposes only an odd transform, I get a correct NO-PROPOSAL-CHOSEN response. The packet is not dropped.)

I'm almost at a dead end. I don't know why the ER709W is dropping the IPsec negotiation packet from Windows.

#1
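The post above reaches for ike-scan and Wireshark to separate "proposal rejected" from "packet silently dropped". The following script, added here as an illustration and not part of the original post or of any TP-Link tool, does the same first step from plain Python: it builds the first IKEv1 Main Mode message (ISAKMP header plus an SA payload proposing the 3DES/MD5/PSK/DH-group-2 transform the poster says the router accepted), sends it from an OS-chosen source port (as ike-scan must when Windows holds UDP 500), and classifies the reply as an SA acceptance, a NOTIFY such as NO-PROPOSAL-CHOSEN, or no reply at all. The lifetime values, the constructed `make_notify_reply` helper used for offline testing, and the `192.0.2.1` target address are assumptions, not values from the post.

```python
"""IKEv1 Main Mode probe: is the responder answering, rejecting, or silent?"""
import os
import socket
import struct

ISAKMP_PORT, NATT_PORT = 500, 4500
# ISAKMP payload and exchange types (RFC 2408)
PAY_NONE, PAY_SA, PAY_NOTIFY = 0, 1, 11
EXCH_MAIN_MODE, EXCH_INFORMATIONAL = 2, 5
# Phase 1 transform attributes and values (RFC 2409 / IANA)
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP, ATTR_LIFE_TYPE, ATTR_LIFE_DUR = 1, 2, 3, 4, 11, 12
ENC_3DES, HASH_MD5, AUTH_PSK, GROUP_MODP1024 = 5, 1, 1, 2
NOTIFY_NAMES = {14: "NO-PROPOSAL-CHOSEN", 24: "AUTHENTICATION-FAILED"}


def _attr(atype, value):
    # Basic (TV) attribute: high bit of the type set, 2-byte value.
    return struct.pack(">HH", 0x8000 | atype, value)


def _payload(next_type, body):
    # Generic payload header: next payload, reserved, total length.
    return struct.pack(">BBH", next_type, 0, 4 + len(body)) + body


def build_main_mode_sa(init_cookie=None):
    """Return (initiator_cookie, packet) for the first Main Mode message."""
    icookie = init_cookie or os.urandom(8)
    attrs = (_attr(ATTR_ENC, ENC_3DES) + _attr(ATTR_HASH, HASH_MD5)
             + _attr(ATTR_AUTH, AUTH_PSK) + _attr(ATTR_GROUP, GROUP_MODP1024)
             + _attr(ATTR_LIFE_TYPE, 1) + _attr(ATTR_LIFE_DUR, 28800))  # assumed lifetime
    transform = _payload(PAY_NONE, struct.pack(">BBH", 1, 1, 0) + attrs)   # #1, KEY_IKE
    proposal = _payload(PAY_NONE, struct.pack(">BBBB", 1, 1, 0, 1) + transform)  # ISAKMP, 1 tx
    sa = _payload(PAY_NONE, struct.pack(">II", 1, 1) + proposal)          # IPsec DOI, SIT_IDENTITY_ONLY
    hdr = icookie + bytes(8) + struct.pack(">BBBBII", PAY_SA, 0x10, EXCH_MAIN_MODE,
                                           0, 0, 28 + len(sa))            # responder cookie zero
    return icookie, hdr + sa


def classify_reply(icookie, data):
    """Map a raw ISAKMP reply (or None for a timeout) to a short verdict string."""
    if data is None:
        return "no-reply"                      # the silent drop the post describes
    if len(data) < 28:
        return "short"
    if data[:8] != icookie:
        return "not-ours"                      # reply to someone else's exchange
    next_pay, version = data[16], data[17]
    if version >> 4 != 1:
        return "unknown"
    off, ptype = 28, next_pay
    while ptype != PAY_NONE and off + 4 <= len(data):
        nxt, _, plen = struct.unpack(">BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            return "malformed"
        body = data[off + 4:off + plen]
        if ptype == PAY_SA:
            return "sa-accepted"               # responder picked our transform
        if ptype == PAY_NOTIFY and len(body) >= 8:
            ntype = struct.unpack(">IBBH", body[:8])[3]
            return "notify:" + NOTIFY_NAMES.get(ntype, str(ntype))
        ptype, off = nxt, off + plen
    return "unknown"


def make_notify_reply(icookie, ntype, rcookie=b"\x11" * 8):
    """Constructed responder NOTIFY, used only for offline testing of classify_reply."""
    notify = _payload(PAY_NONE, struct.pack(">IBBH", 1, 1, 0, ntype))
    return icookie + rcookie + struct.pack(">BBBBII", PAY_NOTIFY, 0x10, EXCH_INFORMATIONAL,
                                           0, 0, 28 + len(notify)) + notify


def probe(host, port=ISAKMP_PORT, timeout=2.0, src_port=0):
    """Send the probe and return its classification; src_port=0 lets the OS choose."""
    icookie, pkt = build_main_mode_sa()
    if port == NATT_PORT:
        pkt = bytes(4) + pkt                   # non-ESP marker in front of ISAKMP on 4500
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("", src_port))
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return classify_reply(icookie, None)
    if port == NATT_PORT and data[:4] == bytes(4):
        data = data[4:]
    return classify_reply(icookie, data)


if __name__ == "__main__":
    # Assumed target; run once against the management address you can ping and once
    # against the address typed into the Windows client, and compare the verdicts.
    print(probe("192.0.2.1"))
```

Running the probe against both the address the management page answers on and the address configured in the Windows VPN client is the cheapest way to catch the mistake the thread ends up finding: a "no-reply" from one and "sa-accepted" from the other means the two are not the same host.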
Re:L2TP/IPsec VPN -- no reply to Win7
2024-07-18 01:31:07

Hi @FarNorth 

Thanks for posting in our business forum.

Not sure if I understand you correctly. Are you referring to the title as L2TP over IPsec, and it does not make a connection to Win 7?

L2TP over IPsec is not IPsec or L2TP.

I have to confirm this before I recommend you do anything. Is the connection even up or not up at all?


What If My Windows Computer Is Not Accessible or Pingable Over the VPN/VLAN Interface

Best Regards!
#2
Re:L2TP/IPsec VPN -- no reply to Win7-Solution
2024-07-19 11:17:19 - last edited 2024-07-19 11:41:31

@Clive_A

Thank you for your response.

I thought I covered all the bases in my initial message; I even checked the ports in the IP header. The one thing I didn't post was the IP/name of the destination, because obviously I got that right, OK? It worked for the web page and for the test utility, OK? And was on the right adapter and on the correct subnet, right? Something so obvious it must be true is a bit of a trap. Using different procedures, with separate configs...

Anyway, thank you for your response. I was trying to get an L2TP/IPsec tunnel up. That /is/ L2TP, and it /is/ IPsec: it starts with IKE, proceeds to IPsec, then L2TP. And on the Omada ER705W, L2TP/IPsec is under the "L2TP" VPN menu item (L2TP/IPsec and L2TP w/o IPsec are both L2TP), and it clashes with the "IPSEC" VPN, because the Omada ER705W won't let you set up two different IPSEC configs on the same WAN port. Because I had made the obvious mistake, I was failing at the IKE of the IPsec of the L2TP/IPsec. And because I'd made the obvious mistake, I could see the packet on the wire, but not in the log at either end of the ethernet jumper cable.

I'd close the question, but I don't see a way to do that.

Recommended Solution

#3