Network issues for L2TP/IPsec with CCR 1009

Hi, I'm trying to get an L2TP/IPsec VPN working so it can be used to go out on the net and to reach devices behind the CCR1009 as one of the IPs in the 104.19x.x.x subnet.

When remotely connected to the VPN and searching for 'my ip' with a search engine, it does report the IP as 104.19x.x.x. The problem is trying to connect to hosts/devices on the 104.19x.x.x subnet behind Eth2.

Our CCR 1009 is set up with the following:
Eth1: 192.154.x.x (WAN)
Eth2: 104.19x.x.x (LAN)
192.168.1.1 (Private LAN)


The 104.19x.x.x/24 is routed to the 192.154.x.x/28 subnet. The WAN external gateway is 192.154.x.6x.

The hosts/devices behind the CCR1009 all have 104.19x.x.x IP addresses. Some hosts have a second NIC on 192.168.1.0/24, but no src-NAT is wanted for it. I only put it in the question for completeness.

We cannot have masquerading on Eth2 because external devices require the data to come from the 104.19x.x.x subnet.

The issue is that when connecting to the L2TP VPN remotely and the client wants to get email, the connection to the mail server (which is on the 104.19x.x.x subnet) times out. This is intermittent, but a problem nonetheless.

The remote Windows clients have the L2TP connection set to 192.158.x.x. The PPP profile in the CCR 1009 for the L2TP server has the local and remote address set to use a pool which contains IPs in a 104.19x.x.x/28 subnet. The IPs in the pool are obviously not used by any other devices.

Any idea what might be wrong with the configuration?

Thanks!

The IPs you're using are public IPs, you know that, right?

If you have subnet overlap you need to enable Proxy ARP on the overlapping non-VPN subnet, ether2 in your case.

The IPs you're using are public IPs, you know that, right?
Yes, the IP subnets are public, with the exception of 192.168.1.0/24 obviously.
There are no overlapping subnets. But when there is (as in this case: 192.158.x.x on eth1 (WAN), 104.19x.x.x on eth2, AND a src-NAT rule), anything going out from eth2 will show up as the main IP address (.1) of eth1. At least that is how I understand NAT. But the question still stands: what might be causing anyone using the L2TP/IPsec VPN to NOT be able to get to hosts on eth2?

Thanks

If you have subnet overlap you need to enable Proxy ARP on the overlapping non-VPN subnet, ether2 in your case.

Originally, the Windows VPN 'connect to' address was set to 104.19x.x.1, which is on Eth2. Looking at what you said above makes sense, because I believe connecting to the .1 IP on Eth2 is overlapping. I have subsequently changed the 'connect to' IP to use the IP on Eth1, and the PPP profile on the CCR1009 is using IPs from the 104.19x.x.x subnet, which are on Eth2. After making the change to the Windows VPN 'connect to' address, the connection problems aren't popping up any more.
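For reference, here is the RouterOS configuration that corresponds to the setup the thread ends with: the L2TP/IPsec server reachable on the ether1 (WAN) address, a PPP pool carved out of the ether2 (LAN) subnet, and proxy ARP on ether2 as the reply above recommends. This is an added example, not config posted by anyone in the thread; the addresses are RFC 5737 documentation placeholders standing in for the masked 192.154.x.x and 104.19x.x.x ranges, the user name and secrets are placeholders, and the syntax is RouterOS v6. The reason proxy ARP matters here: pool addresses belong to the ether2 /24 but are bound to PPP tunnel interfaces, so when the mail server on ether2 replies to a VPN client it ARPs for the client's address on the ether2 wire and nothing answers unless the router does so on the client's behalf, which shows up as exactly the kind of intermittent timeout described in the first post.

```routeros
# Added example (not from the thread). RouterOS v6 syntax; placeholder addresses:
#   198.51.100.0/28  stands in for the masked 192.154.x.x/28 WAN block on ether1
#   203.0.113.0/24   stands in for the masked 104.19x.x.x/24 LAN block on ether2

# ether1: WAN. This is the address the Windows clients use as 'connect to'.
/ip address add address=198.51.100.2/28 interface=ether1
# ether2: the public LAN whose hosts must keep their own source addresses (no masquerade here).
/ip address add address=203.0.113.1/24 interface=ether2
/ip route add dst-address=0.0.0.0/0 gateway=198.51.100.14

# VPN pool: a /28 worth of addresses taken from the ether2 /24 that no host uses (assumed range).
/ip pool add name=l2tp-pool ranges=203.0.113.240-203.0.113.254

# PPP profile: local address is the router's ether2 address, remote addresses come from the pool.
/ppp profile add name=l2tp-profile local-address=203.0.113.1 remote-address=l2tp-pool use-encryption=yes
/ppp secret add name=alice password=CHANGE-ME service=l2tp profile=l2tp-profile

# L2TP server using the built-in IPsec wrapper (pre-shared key; placeholder secret).
/interface l2tp-server server set enabled=yes default-profile=l2tp-profile use-ipsec=yes ipsec-secret=CHANGE-ME-PSK

# The fix from the reply: the pool addresses are in the ether2 subnet but live on PPP
# interfaces, so the router must answer ARP for them on ether2.
/interface ethernet set ether2 arp=proxy-arp

# Checks after a client connects
/interface ethernet print where name=ether2     # ARP column should read proxy-arp
/ppp active print                                # connected clients and their pool addresses
/ip arp print where interface=ether2             # LAN hosts resolving the client addresses
```

Two caveats the thread does not mention but that apply to this design: the pool must stay disjoint from the addresses assigned to hosts on ether2, since proxy ARP will cheerfully answer for a pool address that a host also owns, and if the router has an input-chain drop policy, UDP 500, UDP 4500 and ESP (plus UDP 1701 where NAT-T is not in use) must be accepted on ether1 for the IPsec-wrapped L2TP session to come up at all.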