L2TP/IpSec configuration

msergius · August 18, 2015, 5:48pm

Hello,

I have a RB951G routerboard and I’'m trying to configure it as L2TP/ipsec client but i can’t , configuration export is attached, i have a dynamic WAN IP but Server has static , please advise.

Thanks,

Lighteagle · August 19, 2015, 10:17am

hi, sorry for bad language, i think my problem is similar, and i ask here to not create a new topic.

I have rb951, and i tryed to make simple vpn server to use it for secure connection from my phone. Firmware version 6.31, there is user friendly configuration on quick set menu, i used it to create vpn server. But it works only from lan, and sometimes mobile internet, from free wifi spots it doesnt works, and it doesnt works from my work. I have global ip at my home router, and when i tryed proxy, it worked fine, but not vpn. My phone base windows 8.1 os, and i try to connect l2pt/ipsec. Here some from log

12:50:06 ipsec,debug,packet debug: 68 bytes message received from 217.77.5
0.129[47544] to <global_router_ip>[4500] 
12:50:06 ipsec,debug,packet debug: 636fa433 b2aaf6b9 d0cd85c5 ba4d0406 05100201 00
000000 00000044 33165a50 
12:50:06 ipsec,debug,packet debug: 72ad9e1d 6cbac4b0 f3683df1 d25c8c95 f6ddfc75 3c
941bbe b2abfc55 6a9f4505 
12:50:06 ipsec,debug,packet debug: 344f8fe2 
12:50:06 ipsec,debug,packet debug: encryption(3des) 
12:50:06 ipsec,debug,packet debug: IV was saved for next processing: 
12:50:06 ipsec,debug,packet debug: 6a9f4505 344f8fe2 
12:50:06 ipsec,debug,packet debug: encryption(3des) 
12:50:06 ipsec,debug,packet debug: with key: 
12:50:06 ipsec,debug,packet debug: a264c64b d2f5e783 41465e3e 48724615 40a23f68 81
e5d305 
12:50:06 ipsec,debug,packet debug: decrypted payload by IV: 
12:50:06 ipsec,debug,packet debug: b747be23 1ecb3d58 
12:50:06 ipsec,debug,packet debug: decrypted payload, but not trimed. 
12:50:06 ipsec,debug,packet debug: 0bf9e3ea 8e082b4b 07cb9b66 7b271d33 bf9cac74 de
396230 b478ba9e 8ff5b699 
12:50:06 ipsec,debug,packet debug: 11382fd7 f723e95b 
12:50:06 ipsec,debug,packet debug: padding len=92 
12:50:06 ipsec,debug,packet debug: skip to trim padding. 
12:50:06 ipsec,debug,packet debug: decrypted. 
12:50:06 ipsec,debug,packet debug: 636fa433 b2aaf6b9 d0cd85c5 ba4d0406 05100201 00
000000 00000044 0bf9e3ea 
12:50:06 ipsec,debug,packet debug: 8e082b4b 07cb9b66 7b271d33 bf9cac74 de396230 b4
78ba9e 8ff5b699 11382fd7 
12:50:06 ipsec,debug,packet debug: f723e95b 
12:50:06 ipsec,debug,packet debug: begin. 
12:50:06 ipsec,debug,packet debug: seen nptype=5(id) 
[b]12:50:06 ipsec,debug debug: invalid length of payload 
12:50:06 ipsec,debug debug: possible cause: wrong password [/b]
12:50:09 ipsec,debug,packet debug: Adding NON-ESP marker 
12:50:09 ipsec,debug,packet debug: 240 bytes from <global_router_ip>[4500] to 217.77.5
0.129[47544] 
12:50:09 ipsec,debug,packet debug: sockname <global_router_ip>[4500] 
12:50:09 ipsec,debug,packet debug: send packet from <global_router_ip>[4500] 
12:50:09 ipsec,debug,packet debug: send packet to 217.77.50.129[47544] 
12:50:09 ipsec,debug,packet debug: src4 <global_router_ip>[4500] 
12:50:09 ipsec,debug,packet debug: dst4 217.77.50.129[47544] 
12:50:09 ipsec,debug,packet debug: 1 times of 240 bytes message will be sent to 21
7.77.50.129[47544] 
12:50:09 ipsec,debug,packet debug: 00000000 636fa433 b2aaf6b9 d0cd85c5 ba4d0406 04
100200 00000000 000000ec 
12:50:09 ipsec,debug,packet debug: 0a000084 4b925f00 b557eb7d 68ff0888 42adf2fa fe
4b24f9 012e4455 6eea43c6 
12:50:09 ipsec,debug,packet debug: 69a16659 0593cce0 65c764a6 b1c63bea 8a54dfc0 2f
728abd 4e615ed8 ab94c56b 
12:50:09 ipsec,debug,packet debug: 3d9718d2 550bc813 37534188 23b99668 ab682a57 eb
a2c1cf cf2a4429 54085a66 
12:50:09 ipsec,debug,packet debug: e33aeea9 136c21ad 92328826 d7ba40fb 2c5a0762 a1
4d7d7c 2584acaa d5f7bbf0 
12:50:09 ipsec,debug,packet debug: 35026c25 1400001c b5daf806 f01850fc 6d602563 b1
496939 b79c9912 4584748d 
12:50:09 ipsec,debug,packet debug: 14000018 0866a3c2 915ce5c7 60cea296 1cef312f c1
626052 00000018 673cce75 
12:50:09 ipsec,debug,packet debug: 263ac498 8cbae488 f845ad1f ff9e9045 
12:50:09 ipsec,debug debug: resent phase1 packet <global_router_ip>[4500]<=>217.77.50.
129[47544] 636fa433b2aaf6b9:d0cd85c5ba4d0406 
12:50:14 ipsec,debug,packet debug: KA: <global_router_ip>[4500]->217.77.50.129[47544] 
12:50:14 ipsec,debug,packet debug: sockname <global_router_ip>[4500] 
12:50:14 ipsec,debug,packet debug: send packet from <global_router_ip>[4500] 
12:50:14 ipsec,debug,packet debug: send packet to 217.77.50.129[47544] 
12:50:14 ipsec,debug,packet debug: src4 <global_router_ip>[4500] 
12:50:14 ipsec,debug,packet debug: dst4 217.77.50.129[47544] 
12:50:14 ipsec,debug,packet debug: 1 times of 1 bytes message will be sent to 217.
77.50.129[47544] 
12:50:14 ipsec,debug,packet debug: ff 
[b]12:50:19 ipsec,error phase1 negotiation failed due to time up <global_router_ip>[4500]
<=>217.77.50.129[47544] 636fa433b2aaf6b9:d0cd85c5ba4d0406 
12:50:19 ipsec,error debug: phase1 negotiation failed due to time up <global_router_ip>[/b]
5[4500]<=>217.77.50.129[47544] 636fa433b2aaf6b9:d0cd85c5ba4d0406 
12:50:19 ipsec,debug debug: KA remove: <global_router_ip>[4500]->217.77.50.129[47544] 
12:50:19 ipsec,debug,packet debug: KA tree dump: <global_router_ip>[4500]->217.77.50.1
29[47544] (in_use=1) 
12:50:19 ipsec,debug,packet debug: KA removing this one... 
13:08:53 system,info,account user Eagle logged in from 217.77.50.129 via telnet

Errors the same when i use simple or hard, right or wrong password.
Rules to accept udp 1700,500,4500 created. And as i sayed, sometime its connect from mobile internet, and always from lan at home.

Lighteagle · August 19, 2015, 1:55pm

carefully read similar totics, i find decision. I’ve changed settings in ipsec\peers: delete dynamic entry, create new, inside it exclude NAT Traversal (but clients still behind NAT), and changed Generate policy from port strict to port override, and at last add input rules for udp 500 4500. And now all is working. Win7 and WP 8.1 connects well.