7122 Views, 0 Helpful, 5 Replies

RVS4000 L2TP IPSec

rasmussen.d
Level 1

Currently trying to establish L2TP IPSec VPN tunnels between Windows XP remote client and Windows 2003 RRAS Server.

Both the XP remote client and the W2003 RRAS Server are behind RVS4000 routers.

Have established that the W2003 RRAS server will accept L2TP IPSec connections from clients behind the Cisco RVS4000 router [LAN clients].

Cannot establish remote L2TP IPSec connections through the RVS4000 routers. Have established that PPTP VPN works through the RVS4000 routers. Both routers are running version 1.3.0.5.

Both RVS 4000 routers are configured for PPTP, IPSec, & L2TP VPN passthrough with UDP port 1701 being forwarded to the RRAS server by the RVS 4000 router. PPTP VPN connections have no problem.

Error code is 792

The problem appears to be with IPSec passthrough. UDP port 1701 is being forwarded to the RRAS server. Cannot create port rules for IKE 500 or IP Protocol 50/4500 on the RVS4000 because those policies conflict with forwarding UDP 1701.

Any guidance on why the IPSec fails through the RVS4000 for remote access clients but IPSec is successful in establishing a connection to the RRAS server using LAN clients?

1 Accepted Solution
Gerald Vogt
Level 3

1. Never forward UDP port 1701. UDP port 1701 is used for L2TP. However, L2TP is supposed to be tunneled inside an IPSec tunnel. Exposing an L2TP server directly to the internet can be a security risk. Don't do that.

2. What you have to have to forward is UDP port 500 for IKE (establishing the IPSec connection) and possibly TCP/UDP port 4500 for NAT traversal of IPSec. There should be no conflict there. If there is, I guess it's because the RVS4000 has its own IPSec implementation.

3. LAN works because there is NAT involved and thus there is no need for port forwarding, NAT traversal or anything similar.


5 Replies


Will try UDP 500 for IKE and see if that works. Thanks for the response.

Note: the RVS4000 single forwarding and port triggering rules only allow one L2TP IPSec rule. If you try to configure other L2TP IPSec port forwarding rules, the router says there is a conflict between rules.

Of course you can only forward each port exactly once. It is not possible to forward a single port to two or more LAN addresses. This would duplicate the traffic and it does not really make much sense to do so.

rasmussen.d
Level 1

Found out that IPSec using a preshared key with the RVS4000 does not work. TAC case pending. IPSec using a certificate works, but only with the Windows 7 VPN Client, in which you can specify what certificate to use. With the Windows XP VPN client, you cannot specify what certificate to use other than importing and assigning the certificate to be used for secure communications. Even then, the router causes an interruption with the verification process and the connection fails.

Tested the RVL200 with IPSec preshared key and certificates and both work with Windows 7 and Windows XP.

The difference between the two routers is that the RVS4000 does not let you configure IPSec port forwarding for UDP port 4500 / UDP 500 [IKE] and UDP 1701 if VPN L2TP passthrough and IPSec passthrough are enabled. The router will say there is a conflict with rules. Turning off VPN passthrough to enable port forwarding for UDP ports causes IP Protocol 50/51 to fail.

The RVL200 does allow you to forward UDP 1701, UDP 500 and UDP 4500 with VPN passthrough for IPSec and L2TP.

RMA Exchange on the RVS4000 for the RVL200.

I repeat one more time: Never ever forward port UDP 1701. You don't want to expose the L2TP server to the internet. If the server is configured correctly on your VPN server then it won't accept direct access to UDP port 1701 anyway. But still you don't want to do it.

L2TP or better L2TP over IPSec tunnels L2TP traffic on UDP 1701 inside an IPSec tunnel between the client and the server. If you run your VPN server inside your LAN behind a NAT router all you ever want to forward for that purpose is IPSec, i.e. ports UDP 500 and TCP/UDP 4500. Nothing else. For L2TP over IPSec all the router will ever see is IPSec traffic. The L2TP traffic is encrypted inside the IPSec tunnel. The router does not know about this.

If you forward UDP 1701 to your L2TP server you expose the L2TP server directly to the internet, removing the pre-shared key or certificate authentication and encryption of IPSec. All L2TP is then completely unencrypted if someone has an L2TP-only (no IPSec) client to connect.

The standard Windows L2TP/IPSec won't connect directly to L2TP without IPSec.

Even if the RVL allows you to forward UDP 1701 don't do it. If your VPN connection to your VPN server only works with this forwarding in place then you have a big problem with your whole VPN configuration because as I have mentioned before the router should never see any VPN traffic on UDP 1701 as it is supposed to be fully encrypted and hidden inside the IPSec tunnel...
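As an added example that is not part of this thread and not Cisco's or Microsoft's code, the Python below turns the advice of the accepted solution and of the last reply into two checks a practitioner can run: an audit of a NAT port-forward rule set (UDP 500 and UDP 4500 must reach the VPN server, UDP 1701 must never be forwarded, and no port may be forwarded to two hosts), and a classifier for packets seen on the router's WAN side that flags bare L2TP on UDP 1701 outside the IPsec tunnel as a misconfiguration. The rule sets, the packet samples and the LAN address 192.168.1.10 are constructed placeholders, not values from the thread.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports and protocols named in the thread. L2TP (UDP 1701) is supposed to
# travel only inside the IPsec tunnel, so the router should never forward it.
IKE_PORT = 500          # IKE, UDP
NAT_T_PORT = 4500       # IPsec NAT traversal, UDP
L2TP_PORT = 1701        # L2TP, UDP, must stay inside IPsec
IP_PROTO_UDP = 17
IP_PROTO_ESP = 50       # ESP has no port; passthrough handles it


@dataclass(frozen=True)
class ForwardRule:
    proto: str            # "udp" or "tcp"
    port: int
    target: str           # LAN address of the VPN server (constructed)


def audit_forward_rules(rules: List[ForwardRule]) -> List[str]:
    """Return findings for a NAT forward rule set; an empty list means it
    matches the thread's advice (UDP 500 + 4500 in, UDP 1701 never)."""
    findings: List[str] = []
    udp_ports = {r.port for r in rules if r.proto == "udp"}
    if L2TP_PORT in udp_ports:
        findings.append("UDP 1701 forwarded: L2TP server exposed without IPsec")
    if IKE_PORT not in udp_ports:
        findings.append("UDP 500 not forwarded: IKE cannot reach the server")
    if NAT_T_PORT not in udp_ports:
        findings.append("UDP 4500 not forwarded: NAT-T clients cannot connect")
    # A port can be forwarded to exactly one LAN host; flag duplicates.
    seen: dict = {}
    for r in rules:
        key: Tuple[str, int] = (r.proto, r.port)
        if key in seen and seen[key] != r.target:
            findings.append(f"{r.proto.upper()} {r.port} forwarded to both "
                            f"{seen[key]} and {r.target}")
        seen.setdefault(key, r.target)
    return findings


@dataclass(frozen=True)
class WanPacket:
    ip_proto: int
    dst_port: Optional[int]   # None for protocols without ports (ESP)


def classify_wan_packet(pkt: WanPacket) -> str:
    """Label a packet arriving on the WAN side of the router."""
    if pkt.ip_proto == IP_PROTO_ESP:
        return "esp"
    if pkt.ip_proto == IP_PROTO_UDP:
        if pkt.dst_port == IKE_PORT:
            return "ike"
        if pkt.dst_port == NAT_T_PORT:
            return "nat-t"
        if pkt.dst_port == L2TP_PORT:
            return "bare-l2tp"   # L2TP visible outside IPsec: misconfigured
    return "other"


def bare_l2tp_seen(packets: List[WanPacket]) -> bool:
    """True if any L2TP packet reached the WAN interface outside IPsec."""
    return any(classify_wan_packet(p) == "bare-l2tp" for p in packets)


# Constructed samples: the rule set described by the original poster versus
# the one recommended in the accepted solution.
POSTER_RULES = [ForwardRule("udp", L2TP_PORT, "192.168.1.10")]
RECOMMENDED_RULES = [
    ForwardRule("udp", IKE_PORT, "192.168.1.10"),
    ForwardRule("udp", NAT_T_PORT, "192.168.1.10"),
]

# Constructed WAN capture: a healthy L2TP/IPsec setup shows only IKE, NAT-T
# and ESP; the last packet is what a UDP 1701 forward would let through.
SAMPLE_WAN_PACKETS = [
    WanPacket(IP_PROTO_UDP, IKE_PORT),
    WanPacket(IP_PROTO_UDP, NAT_T_PORT),
    WanPacket(IP_PROTO_ESP, None),
    WanPacket(IP_PROTO_UDP, L2TP_PORT),
]

if __name__ == "__main__":
    for name, rules in (("poster", POSTER_RULES), ("recommended", RECOMMENDED_RULES)):
        print(name, audit_forward_rules(rules) or ["ok"])
    print("bare L2TP on WAN:", bare_l2tp_seen(SAMPLE_WAN_PACKETS))
```

The audit deliberately treats a forwarded UDP 1701 as a finding even when UDP 500 and 4500 are also present, which matches the thread's point: a working L2TP/IPsec connection never needs it, so its presence either does nothing or exposes the L2TP server.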
