Check router for VPN Throughput - L2TP VPN
I am working on setting up a VPN for our office. I have the PPTP version working but am unable to get L2TP to function. Through various testing methods (setting up our Mac Yosemite server as a VPN and testing it in and out of the office), I am leaning towards an issue with the router not allowing some of the protocols required by L2TP through. The reason being: I am able to create an L2TP VPN connection with my Mac server when using the internal IP address, but not when using the outside IP address (which to me means the signal is being blocked at the router).
The server is receiving the SCCRQ from the client and trying to send the SCCRP which the client is not receiving when trying to connect from outside the office.
I have checked all the ports required and they are open (show ip ports), but cannot figure out how to check for ESP, protocol 50. Does anyone know how to check this protocol? And if this isn't the solution, does anyone have other methods I can use to find the issue?
Thank you,
Chris
I think a 2811 can handle this task.
The 2811 supports up to 1500 VPN tunnels with the AIM-EPII-PLUS module.
http://www.cisco.com/en/US/products/ps5881/index.html
So no problem with 165 VPNs...
If you are speaking about a huge traffic volume, you should focus on the speed of the Internet connectivity in the head office. If you have a 10 Mbit line for the head office you get only 60 Kbit per tunnel (10 Mbit/165).
M.
Hope that helps; rate if it does.
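The question above asks how to verify that ESP (IP protocol 50) is actually passing the router. One way to answer it from the server side is to capture the traffic and count, per flow, what arrives and what leaves. The script below is an added example written for this page, not code from the post or its reply. It parses tcpdump's default `-n` text output; the capture lines embedded in it are constructed, and 203.0.113.10 (client) and 192.168.1.20 (server) are placeholder addresses. The caveat it encodes: a client behind NAT negotiates NAT-T, in which case ESP travels inside UDP 4500 and protocol 50 never appears on the wire at all, so "ports open" and "protocol 50 open" are different checks depending on where the client sits.

```python
"""Check which L2TP/IPsec flows reach a VPN server and are answered.

Added example, not from the post or the reply above. It reads tcpdump text
output captured on the server (or on a mirror of the router's inside port):

    tcpdump -n -i en0 'udp port 500 or udp port 4500 or udp port 1701 or proto 50'

and counts, per flow, packets arriving at and leaving the server. The capture
lines below are constructed; 203.0.113.10 (client) and 192.168.1.20 (server)
are placeholder addresses.
"""
import re
import sys

FLOWS = ("isakmp", "natt", "esp", "l2tp")

# tcpdump -n line: "<time> IP <src>[.<port>] > <dst>[.<port>]: <payload>"
_LINE = re.compile(
    r"^\S+\s+IP\s+(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?:\s+(?P<payload>.*)$"
)


def classify(sport, dport, payload):
    """Map one packet to the L2TP/IPsec flow it belongs to, or None."""
    ports = {sport, dport}
    if "500" in ports:
        return "isakmp"   # IKE phase 1/2 when there is no NAT in the path
    if "4500" in ports:
        return "natt"     # NAT-T: IKE and ESP both wrapped in UDP 4500
    if "1701" in ports:
        return "l2tp"     # plaintext L2TP; normally hidden inside ESP
    if sport is None and "ESP(" in payload:
        return "esp"      # raw ESP, IP protocol 50, no ports at all
    return None


def check_flows(lines, server_ip):
    """Count inbound/outbound packets of each flow relative to server_ip."""
    flows = {name: {"in": 0, "out": 0} for name in FLOWS}
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue
        kind = classify(m["sport"], m["dport"], m["payload"])
        if kind is None:
            continue
        if m["dst"] == server_ip:
            flows[kind]["in"] += 1
        elif m["src"] == server_ip:
            flows[kind]["out"] += 1
    return flows


def diagnose(flows):
    """Turn the counts into findings a router/firewall admin can act on."""
    ike, natt, esp = flows["isakmp"], flows["natt"], flows["esp"]
    out = []
    if ike["in"] == 0:
        out.append("No IKE (UDP 500) reaches the server: check the UDP 500 forward/ACL on the router.")
    elif ike["out"] == 0:
        out.append("IKE arrives but the server never answers: service not listening, or outbound UDP 500 dropped.")
    if natt["in"]:
        out.append("NAT-T (UDP 4500) is in use: ESP rides inside UDP 4500, so IP protocol 50 is not needed for this client.")
        if natt["out"] == 0:
            out.append("UDP 4500 arrives but nothing leaves on 4500: phase 2 not answered, or outbound UDP 4500 dropped.")
    if esp["in"] and not natt["in"]:
        out.append("Client sends raw ESP: the router must pass IP protocol 50 in both directions, not just UDP 500/4500.")
        if esp["out"] == 0:
            out.append("ESP arrives but none leaves: the server does not reply, or its ESP is dropped on the way out; capture on the outside interface to tell which.")
    if ike["in"] and ike["out"] and not (natt["in"] or esp["in"]):
        out.append("IKE completes but no ESP/NAT-T data follows: phase 2 rejected, or UDP 4500 / protocol 50 blocked before the server.")
    return out


# Constructed sample 1: client behind NAT, tunnel comes up over NAT-T.
NATT_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.500 > 192.168.1.20.500: isakmp: phase 1 I ident
12:00:01.000500 IP 192.168.1.20.500 > 203.0.113.10.500: isakmp: phase 1 R ident
12:00:01.200000 IP 203.0.113.10.4500 > 192.168.1.20.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
12:00:01.200500 IP 192.168.1.20.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick
12:00:01.400000 IP 203.0.113.10.4500 > 192.168.1.20.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
12:00:01.400500 IP 192.168.1.20.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x1d2c3b4a,seq=0x1), length 132
"""

# Constructed sample 2: no NAT, raw ESP arrives but nothing comes back (the
# symptom in the first post: SCCRQ received, SCCRP never seen by the client).
RAW_ESP_CAPTURE = """\
12:05:00.000001 IP 203.0.113.10.500 > 192.168.1.20.500: isakmp: phase 1 I ident
12:05:00.000500 IP 192.168.1.20.500 > 203.0.113.10.500: isakmp: phase 1 R ident
12:05:00.300000 IP 203.0.113.10 > 192.168.1.20: ESP(spi=0x00c0ffee,seq=0x1), length 116
12:05:03.300000 IP 203.0.113.10 > 192.168.1.20: ESP(spi=0x00c0ffee,seq=0x2), length 116
"""

if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.20"
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else RAW_ESP_CAPTURE.splitlines()
    for finding in diagnose(check_flows(lines, server)):
        print(finding)
```

Run it as `tcpdump -n -l ... | python3 check_flows.py 192.168.1.20` on the server; if the same capture on the router's outside interface shows the ESP or UDP 4500 replies that the server-side capture shows leaving, the drop is upstream of the router, otherwise the router (or its NAT) is eating them.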
Similar Messages
-
OS X Server / VPN /The L2TP-VPN server did not respond...HELP!
I am very new to OS X Server and my goal is to set up DNS & VPN! I would like to have this set up to be able to connect into my Apple computer from work or a friend's house. I am using an Apple AirPort Extreme router and I'm also using the latest version of OS X Mountain Lion with OS X Server installed. I have started an account with the DynDNS website for a user host name (using a [email protected] address). I assume this would be used as an alternate way of being able to connect without starting a personal website. I also signed up for another site (No-IP) and I now have a different IP address (not sure if that was necessary). I then followed instructions on YouTube (instructional videos by Todd for OS X Server Mountain Lion) which seemed to be very easy to understand. But after setting up my VPN on the client side (network settings in System Preferences), I tried to connect the VPN (L2TP) and I receive this error message: "The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator." When I open Console in the Utilities folder, I am seeing part of the following message below:
racoon[117]: IKE Packet: transmit success. (Phase1 Retransmit).
racoon[117]: IKE Packet: receive failed. (malformed or unexpected cookie).
pppd[490]: IPSec connection failed
Does anyone know what's happening or what I need to do to fix this? Or can someone tell me the basic requirements for setting things up correctly? I'm using Comcast for my ISP and from the wall I have a Motorola SURFboard 6120 cable modem (not sure how to access my settings on the modem). So basically I have my 6120 cable modem connected to the Apple AirPort Extreme router, which is then wirelessly connected to my MacBook Pro. I'm providing screenshots of my Apple router settings, OS X Server settings and firewall (which is turned off) settings. Any suggestion on how I should set things up, or if you can tell me step by step, would be greatly appreciated.
-
Dynamic Routing for Failover L2L VPN
Hi,
Can someone offer me some guidance with this issue please?
I've attached a simple diagram of our WAN for reference.
Overview
Firewall is ASA 5510 running 8.4(9)
Core network at Head Office uses OSPF
Static routes on ASA are redistributed into OSPF
Static routes on ASA for VPN are redistributed into OSPF with Metric of 130 so redistributed BGP routes are preferred
Core network has a static route of 10.0.0.0/8 to Corporate WAN, which is redistributed into OSPF
Branch Office WAN uses BGP - Routes are redistributed into OSPF
The routers at the Branch Office use VRRP for IP redundancy for the local clients default gateway.
Primary Branch Office router will pass off VRRP IP to backup router when the WAN interface is down
Backup BO router (.253) only contains a default route to internet
Under normal operation, traffic to/from BO uses Local Branch Office WAN
If local BO WAN link fails, traffic to/from BO uses IPSec VPN across public internet
I'm trying to configure dynamic routing on our network for when a branch office fails over to the IPsec VPN. What I would like to happen (not sure if it's possible) is for the ASA to advertise the subnet at the remote end of the VPN back into OSPF at the Head Office.
I've managed to get this to work using RRI, but for some reason the VPN stays up all the time when we're not in a failover scenario. This causes the ASA to add the remote subnet into its routing table as a static route, and not use the route advertised via OSPF from the core network. This prevents clients at the BO from accessing the Internet. If I remove the RRI setting on the VPN, the ASA learns the route to the subnet via the BO WAN and normal operation is resumed.
I have configured the metric of the static routes that get redistributed into OSPF by the ASA to be higher than 110. This is so that the routes redistributed by BGP from the BO WAN into OSPF, are preferred. The idea being, that when the WAN link is available again, the routing changes automatically and the site fails back to the BO WAN.
I suppose what I need to know is; Is this design feasible, and if so where am I going wrong?
Thanks,
Paul
Hi Paul,
Your ASA keeps the tunnel alive only because that route exists on the ASA. Therefore you have to use IP SLA on the ASA to push traffic for "10.10.10.0/24" based on the echo reply.
Please look at the example below; it shows that traffic will flow via the tunnel only in the event the ASA cannot reach network 10.10.10.0/24 via the HQ internal network.
This config will go on the ASA:
route inside 10.10.10.0 255.255.255.0 10.0.0.2 1 track 10
(assuming 10.0.0.2 is the peering IP, i.e. the inside IP address of the router at HO)
route outside 10.10.10.0 255.255.255.0 xxx.xxx.xxx.xxx 254
(254 is the higher metric of the route via the IPsec tunnel, so it is only used when the tracked route is withdrawn, and x = the default gateway of the ISP)
sla monitor 99
 type echo protocol ipIcmpEcho 10.10.10.254 interface inside
 num-packets 3
 frequency 10
sla monitor schedule 99 life forever start-time now
track 10 rtr 99 reachability
Let me know, if this helps.
thanks
Rizwan Rafeek
-
Is it better to use a firewall like a PIX515E or a router like a 1721 for setting up a VPN?
Hi
What kind of VPN are you talking about? Is it a point-to-point VPN between 2 sites, or is it going to be used by remote VPN clients?
If it's a simple point-to-point VPN between 2 clients then you can go ahead with the Cisco 1721, which can handle the same.
But if it's going to be more than one site, and with that you are more concerned about the security aspects, then go with the PIX appliances.
Otherwise you can settle down with even a higher-end router which can solve your purpose.
regds
-
SonicWall SourceNAT VPN setup as default route for all traffic!
Hi,
OK, hope someone can help with this mess.....
Our customer has been taken over by a US company who have said all outgoing internet traffic must go via their data centre. They want us to create an IPsec VPN from our SonicWALL TZ215 to them, then route all traffic locally via this VPN. In principle this didn't sound too bad. Then there were some more options:
Our local subnet 172.x.x.x has to be NAT'd to a single /32 address, 192.x.x.131.
They also require our destination network to be set as 0.0.0.0, as they won't specify the range at the datacenter.
I have managed to get the VPN up, using the NAT address as my local subnet and using the option on the SonicWALL "Use this VPN Tunnel as default route for all Internet traffic" on the remote network. Phase 1 and Phase 2 work OK. The problem I now have is I need to route all LAN traffic...
-
Hi Norbert,
I am sorry to say that configuring routes in an Azure Virtual Network is not supported. I recommend you submit your requirement on Azure Feedback and hope it will be released soon:
http://feedback.azure.com/forums/217313-networking-dns-traffic-manager-vpn-vnet
Best regards,
Susie
-
We're replacing a third party router with a Cisco 1721. This location is the hub of multi-location (3 remote sites) VPN.
The 3 remote sites are all on fixed public IPs.
I've seen examples of both no assumption/restriction of remote IPs (crypto isakmp key [key] address 0.0.0.0 0.0.0.0), as well as setting a key per remote:
crypto isakmp key [key1] address [remote ip1]
crypto isakmp key [key2] address [remote ip2]
crypto isakmp key [key3] address [remote ip3]
Is there a disadvantage/security concern to using the quad-0 approach?
There are no advantages or disadvantages other than what should be obvious.
Single key.
Advantage: Simple administration, common config on all routers.
Disadvantage: Potentially allows anyone to connect to the router from the Internet if not forbidden by another policy on the router.
Multiple keys.
Advantage: ISAKMP cannot be negotiated if not specifically configured on the router for that remote IP address. Conceptually more secure.
Disadvantage: More administrative overhead.
With 3 sites, the specific key per site is fairly easy to do. If you had 200 sites, that method would be much less doable. You could do a quick estimate. (N * 5) + (N ^ 2) minutes to do your entire network, or something in that line.
It's much easier if you have a system that manages this for larger installs. I believe this is the one of the purposes of Cisco's GET VPN.
Rob
-
L2TP VPN connection not working under 10.6.3
Hi everyone.
I need to connect to a VPN with L2TP/IPSec.
The connection works fine if I boot into Bootcamp (win7).
But if I boot into 10.6.3, it does not work.
any idea what the problem could be.
Settings are triple checked and copy pasted into their proper fields (like in win7). router settings are correct, otherwise it would not work in win7.
So it is a problem with osx.
The following is out of the ppp.log:
Thu Apr 22 19:14:03 2010 : L2TP connecting to server 'vpn.xxx.com' (x.x.x.x)...
Thu Apr 22 19:14:03 2010 : IPSec connection started
Thu Apr 22 19:14:03 2010 : IPSec phase 1 client started
Thu Apr 22 19:14:03 2010 : IPSec phase 1 server replied
Thu Apr 22 19:14:04 2010 : IPSec phase 2 started
Thu Apr 22 19:14:34 2010 : IPSec connection failed
the server is reachable, but something fails in phase 2.
in the system log, the entry is:
Apr 22 19:14:03 noname pppd[517]: pppd 2.4.2 (Apple version 412.0.10) started by x, uid x
Apr 22 19:14:03 noname pppd[517]: L2TP connecting to server 'vpn.xxx.com' (x.x.x.x)…
Apr 22 19:14:03 noname pppd[517]: IPSec connection started
Apr 22 19:14:03 noname racoon[518]: Connecting.
Apr 22 19:14:03 noname racoon[518]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Apr 22 19:14:03 noname racoon[518]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
Apr 22 19:14:03 noname racoon[518]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
Apr 22 19:14:03 noname racoon[518]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
Apr 22 19:14:03 noname racoon[518]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
Apr 22 19:14:03 noname racoon[518]: IKEv1 Phase1 AUTH: success. (Initiator, Main-Mode Message 6).
Apr 22 19:14:03 noname racoon[518]: IKE Packet: receive success. (Initiator, Main-Mode message 6).
Apr 22 19:14:03 noname racoon[518]: IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).
Apr 22 19:14:03 noname racoon[518]: IKE Packet: transmit success. (Information message).
Apr 22 19:14:03 noname racoon[518]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
Apr 22 19:14:04 noname racoon[518]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Apr 22 19:14:04 noname racoon[518]: IKE Packet: receive success. (Information message).
Apr 22 19:14:07 noname racoon[518]: IKE Packet: transmit success. (Phase2 Retransmit).
Apr 22 19:14:08 noname racoon[518]: IKE Packet: receive success. (Information message).
Apr 22 19:14:10 noname racoon[518]: IKE Packet: transmit success. (Phase2 Retransmit).
Apr 22 19:14:10 noname racoon[518]: IKE Packet: receive success. (Information message).
Apr 22 19:14:13 noname racoon[518]: IKE Packet: transmit success. (Phase2 Retransmit).
Apr 22 19:14:13 noname racoon[518]: IKE Packet: receive success. (Information message).
Apr 22 19:14:16 noname racoon[518]: IKE Packet: transmit success. (Phase2 Retransmit).
Apr 22 19:14:16 noname racoon[518]: IKE Packet: receive success. (Information message).
Apr 22 19:14:19 noname racoon[518]: IKE Packet: transmit success. (Phase2 Retransmit).
Apr 22 19:14:19 noname racoon[518]: IKE Packet: receive success. (Information message).
Apr 22 19:14:22 noname racoon[518]: IKE Packet: transmit success. (Phase2 Retransmit).
Apr 22 19:14:22 noname racoon[518]: IKE Packet: receive success. (Information message).
Apr 22 19:14:25 noname racoon[518]: IKE Packet: transmit success. (Phase2 Retransmit).
Apr 22 19:14:26 noname racoon[518]: IKE Packet: receive success. (Information message).
Apr 22 19:14:28 noname racoon[518]: IKE Packet: transmit success. (Phase2 Retransmit).
Apr 22 19:14:28 noname racoon[518]: IKE Packet: receive success. (Information message).
Apr 22 19:14:31 noname racoon[518]: IKE Packet: transmit success. (Phase2 Retransmit).
Apr 22 19:14:31 noname racoon[518]: IKE Packet: receive success. (Information message).
Apr 22 19:14:34 noname pppd[517]: IPSec connection failed
Apr 22 19:14:34 noname racoon[518]: IKE Packet: transmit failed. (Information message).
Apr 22 19:14:34 noname racoon[518]: IKEv1 Information-Notice: transmit failed. (Delete ISAKMP-SA).
Apr 22 19:14:34 noname racoon[518]: Disconnecting. (Connection tried to negotiate for, 31.609591 seconds).
Apr 22 19:14:34 noname racoon[518]: IKE Packets Transmit Failure-Rate Statistic. (Failure-Rate = 7.143).
Apr 22 19:14:34 noname racoon[518]: IKE Information-Notice Transmit Failure-Rate Statistic. (Failure-Rate = 100.000).
Hi
I have the same messages on 10.6.4 and with the Sonic xx170:
28.06.10 11:39:04 racoon[489] IKE Packet: transmit success. (Phase2 Retransmit).
28.06.10 11:39:07 racoon[489] IKE Packet: transmit success. (Phase2 Retransmit).
28.06.10 11:39:08 racoon[489] IKE Packet: receive success. (Information message).
28.06.10 11:39:10 pppd[488] IPSec connection failed
28.06.10 11:39:10 racoon[489] IKE Packet: transmit success. (Information message).
28.06.10 11:39:10 racoon[489] IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
any ideas?
waiting on 10.6.5, 10.6.6 ....?
regards, Arthur
-
VPN Problems - The L2TP-VPN server did not respond
Okay, so I read quite a few threads about this and can't really figure it out. Would be great if I can get some handholding.
I'm a complete newbie, trying to set up Server for home use. The VPN service seems to be running fine, but I just can't connect from the clients, it just keeps saying "The L2TP-VPN server did not respond". Here is a glimpse at my settings:
- I have opened up all the relevant ports for UDP (500,1701,4500) and TCP (1723). But this is only required for the Server, right?
- I don't have a domain name yet so just using my external IP. This is what I put in under VPN Host name in the Server and Client settings.
- I login with username and password credentials for one of my network users as created in the Server. Format is [email protected] and the password is the same as the login password.
** I seem to get an 'authentication failed' error if I just use my local IP address... Not sure what's happening there, but before that I need to be able to connect to the Server with the external IP!
Am I missing something? Why won't my client connect, and that too when I'm at home?
To run a public VPN server behind a NAT gateway, you need to do the following:
1. Give the gateway either a static external address or a dynamic DNS name. The latter must be a DNS record on a public DNS registrar, not on the server itself. Also in the latter case, you must run a background process to keep the DNS record up to date when your IP address changes.
2. Give the VPN server a static address on the local network, and a hostname that is not in the top-level domain "local" (which is reserved for Bonjour.)
3. Forward external UDP ports 500, 1701, and 4500 (for L2TP) and TCP port 1723 (for PPTP) to the corresponding ports on the VPN server.
If your router is an Apple device, select the Network tab in AirPort Utility and click Network Options. In the sheet that opens, check the box marked
Allow incoming IPSec authentication
if it's not already checked, and save the change.
With a third-party router, there may be a similar setting.
4. Configure any firewall in use to pass this traffic.
5. Each client must have an address on a netblock that doesn't overlap the one assigned by the VPN endpoint. For example, if the endpoint assigns addresses in the 10.0.0.0/24 range, and the client has an address on a local network in the 10.0.1.0/24 range, that's OK, but if the local network is 10.0.1.0/16, there will be a conflict. To lessen the chance of such conflicts, it's best to assign addresses in a random sub-block of 10.0.0.0./0 with a 24-bit netmask.
6. "Back to My Mac" on the server is incompatible with the VPN service.
If the server is directly connected to the Internet, see this blog post.
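Step 5 of the answer above (the client's local network must not overlap the block the VPN hands out) is easy to get wrong by eye, because the usual home-router defaults all live in the same few /24s. The script below is an added example, not code from the answer or from OS X Server; it implements the overlap check and the "random sub-block of 10/8 with a 24-bit mask" advice with Python's standard ipaddress module. The client networks it uses are constructed.

```python
"""Check a VPN address pool against the networks a client may be on.

Added example, not from the answer above; it implements step 5 with the
standard ipaddress module. The client networks used here are constructed.
"""
import ipaddress
import secrets


def conflicts(pool, client_nets):
    """Return the client networks that overlap the pool handed out by the VPN.

    strict=False accepts a host-style spelling such as 10.0.1.0/16 (as in
    the answer above); it is normalised to the real network, 10.0.0.0/16.
    """
    pool = ipaddress.ip_network(pool, strict=False)
    hits = []
    for c in client_nets:
        net = ipaddress.ip_network(c, strict=False)
        if net.overlaps(pool):
            hits.append(str(net))
    return hits


def pick_pool(client_nets, base="10.0.0.0/8", prefix=24, tries=64):
    """Pick a random /prefix inside base that overlaps none of client_nets.

    The 10.0.0.0/24 and 192.168.1.0/24 blocks that home routers and hotspots
    hand out are far more likely to collide with a client than a random
    10.173.42.0/24, which is the point of the answer's advice.
    """
    base = ipaddress.ip_network(base)
    blocks = 1 << (prefix - base.prefixlen)          # number of /24s in a /8
    for _ in range(tries):
        idx = secrets.randbelow(blocks)
        start = int(base.network_address) + (idx << (32 - prefix))
        cand = ipaddress.ip_network((start, prefix))
        if not conflicts(str(cand), client_nets):
            return str(cand)
    raise RuntimeError("no free block found; narrow client_nets or change base")


if __name__ == "__main__":
    home = ["10.0.1.0/24", "192.168.1.0/24"]            # constructed client networks
    print(conflicts("10.0.0.0/24", home))               # no overlap
    print(conflicts("10.0.0.0/24", ["10.0.1.0/16"]))    # overlaps 10.0.0.0/16
    print(pick_pool(home))
```

Feed `pick_pool` every network your users are likely to connect from (home LANs, office guest Wi-Fi, the VPN server's own inside subnet); anything it returns is safe against all of them, and `conflicts` can be run later against a specific client's current network when a user reports that the tunnel comes up but nothing behind it is reachable.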
-
Cisco ASA 5505 L2TP VPN cannot access internal network
Hi,
I'm trying to configure Cisco L2TP VPN to my office. After a successful connection I cannot access the internal network.
Can you help me find out the issue?
I have Cisco ASA:
inside network - 192.168.1.0
VPN network - 192.168.168.0
I have router 192.168.1.2 and I cannot ping or get access to this router.
Here is my config:
ASA Version 8.4(3)
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.X.X.A 255.255.255.248
ftp mode passive
same-security-traffic permit intra-interface
object network net-all
 subnet 0.0.0.0 0.0.0.0
object network vpn_local
 subnet 192.168.168.0 255.255.255.0
object network inside_nw
 subnet 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any log
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool sales_addresses 192.168.168.1-192.168.168.254
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic net-all interface
nat (inside,outside) source static inside_nw inside_nw destination static vpn_local vpn_local
nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup
object network vpn_local
 nat (outside,outside) dynamic interface
object network inside_nw
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 198.X.X.B 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd dns 75.75.75.75 76.76.76.76 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy sales_policy internal
group-policy sales_policy attributes
 dns-server value 75.75.75.75 76.76.76.76
 vpn-tunnel-protocol l2tp-ipsec
username ----------
username ----------
tunnel-group DefaultRAGroup general-attributes
 address-pool sales_addresses
 default-group-policy sales_policy
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13
: end
Thanks for your help.
You have to test it with "real" traffic to 192.168.1.2, and if you use ping, you have to add ICMP inspection:
policy-map global_policy
 class inspection_default
  inspect icmp
-
Slow VPN throughput speeds using WRT54GX4
I have a WRT54GX4 and am experiencing slow VPN throughput.
When I connect from my home network to my work network via my company's VPN client I've noticed that the throughput drops significantly. Speed tests to DSL Reports are ~10500 kbit/s download and 950 kbit/s upload when going through the WRT54GX4 not using VPN, but only 250 kbit/s download and 95 kbit/s upload when I connect using my VPN client.
I have used the same laptop computer at various locations away from home and tested through my work VPN connection to DSL Reports and noted that the speeds don't change too much when I switch between direct and VPN.
Next I bypassed the WRT54GX4 router all together and connected directly to my cable modem at home and repeated the test. This time the speed test using my VPN client was ~9950 kbit/s download and 850 kbit/s upload.
My company has several DS-3 connections that are load sharing and as mentioned above testing from other locations has shown that my office isn't the bottleneck.
Everything points to the WRT54GX4.
Also, my previous router was an early Wireless-G Linksys router - forgot the model - and it did not slow down my VPN like this new one does.
The problem exists in either wired or wireless connection mode.
I recently upgraded with the latest firmware V 1.00.20 but that didn't help.
I have also tried various MTU sizes and auto but nope, no joy there.
By the way, we have both Cisco and Nortel VPN servers at work and I've tried each client on two separate host machines at home and both exhibit the same slow connection.
When I turn off the VPN client everything is great and my speeds are super.
Any ideas?
This may help significantly.
I have DSL, speed is 3 Mb. I have a WRT54GS router. When I hardwired the connection from modem to laptop, speed was 3 Mb; the ISP was doing its job. Via wireless connection, speed dropped to 1 Mb.
I spoke with Linksys and after some tweaks (upgrading firmware etc.) they said that the drop was not unexpected and this is what I had to accept.
I spoke with my network specialist at work (I am in I.T. myself) and he thought that the router should not eat 2/3 of the speed. This was confirmed by the Geek Squad as well.
Combing through this forum, I came across an interesting article about some tweaks you can do with www.speedguide.net; they have an optimizing tool that has yielded the solution.
Try this ...
http://www.speedguide.net/files/TCPOptimizer.exe
This will download the tool. When you open this up you will see a number of tabs - the general tab yielded the most for me. You will see some radio buttons for current state and proposed state. When you choose apply you will see the registry settings that will be affected - a re-boot is necessary.
So after I did this, I noticed that my wireless speed was up to 2 mb - better but still only 2/3 of what I expected.
About an hour later I went to the basement, did a speedcheck ( www.speedtest.net ) - and I was getting 3 mb!! I went up to the kitchen and ... 3mb. I went to the access point and ... 3mb.
Bottom line: Re-boot helps - but it seems that there is some cycling involved ... so try a little later.
-
I have my Windows Server 2008 Standard installed with the RRAS service and configured with L2TP VPN with a pre-shared key. Services such as Active Directory, DHCP and DNS are not installed. The Internet connection doesn't pass through a router to my server machine.
I have the Verizon fios Internet cable plugged in to the server machine directly.
PCs running Windows and Mac OS X can connect to the server without problem. When I tried to connect by using android or iOS mobiles and tablets, they cannot connect to the server. If I change the VPN type to PPTP, the mobile devices can connect successfully
but I would like to use IPSec/L2TP since it's more secure.
I tried so hard to look for the solution for this issue on Internet but I had no luck on that. Can anyone please provide me some help, please ?
Thanks,
CK
Hi CK,
I think we may need to create a policy in Network Policies. Please follow the steps below,
Right click Network Policies, Click New.
Enter the policy name, click Next.
Click Add, select Day and Time Restrictions, click Add.
In Day and Time Restrictions, choose Permitted for all, click OK.
Click Next five times (leave everything default), click Finish.
Move the policy to top and try to connect with your device.
If the issue persists, please make sure that the Connection Request Policies have been configured properly.
For detailed information about how to create a network policy, please refer to the link below,
Configuring NPS network policies
http://technet.microsoft.com/en-us/library/dd441006.aspx
Best Regards.
Steven Lee
TechNet Community Support
-
[Mac OS X] Problems setting up L2TP VPN Connection
I recently moved from Windows to Mac OS X (10.6.6). Unfortunately this move was not as smooth as I hoped for and I am currently facing some issues with the VPN connection to the company I work for. As with many companies they do not have a Mac guide and I am trying to solve this issue, but so far unsuccessfully.
To access my data on the company's server (MS TS environment) I need to establish an L2TP/IPsec VPN connection. I used Mac OS X's built-in network tool and filled out all the necessary information such as VPN address, shared secret/key, password and account name. I even double-checked the information various times so no spelling errors occurred. After some seconds I receive the message that the L2TP-VPN server does not respond.
I checked other posts already and I checked the box that sends all traffic via this VPN connection, but without any results. For a moment I doubted that the cause of this issue might be my home network: MBA <-> Time Capsule <-> Thomson TG789 … however, when I make an L2TP VPN connection using a Windows XP or Vista PC this can be done without problems (using the same network structure), so I guess it is a Mac-related problem, either with my MBA (Mac OS X) or with the company's servers…
I found out that using the console.app can provide me with some more information about the connection process:
- L2TP connecting to server
- IPSec connection started
- IKE Packet: transmit success.
- IKE Packet: receive success.
After a couple of attempts, from the 6th message it suddenly shows:
- IKE Packet: receive failed.
- IKE Packet: transmit success.
- IKE Packet: receive failed.
-IKEv1 Phase1: maximum retransmits.
-IKE Packets Receive Failure-Rate Statistic.
And this finally results in ' IPSec connection failed'
Does anyone has an idea of what the problem might be (e.g. the settings of the MAC or the settings of the companies VPN or ???) and maybe a solution for this problem?
Many thanks from a newbie but satisfied Mac user!
Hi, I have the same problem establishing a VPN connection using L2TP without IPsec.
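The racoon excerpts quoted in the posts above (the "Phase1 Retransmit" and "unexpected cookie" lines in the Mountain Lion post, the "Phase2 Retransmit" loop in the 10.6.3 and SonicWALL logs, and the "maximum retransmits" in the post just above) are three different failures that all end in the same "The L2TP-VPN server did not respond" dialog. Which IKE step died is the useful fact, and it is in the log. The script below is an added example written for this page, not code from any of the posts or from Apple; it classifies a pasted racoon/pppd log by the last step that succeeded. The sample logs in it are constructed after the excerpts above (host names and PIDs are placeholders), and the "likely cause" texts are the standard IKEv1 main-mode readings, not something the posters confirmed.

```python
"""Triage a macOS racoon/pppd log for a failed L2TP/IPsec attempt.

Added example, not from any post on this page. Paste the lines from
Console.app (or system.log) into stdin; it reports at which IKE step the
attempt died. The samples below are constructed after the log excerpts
quoted in the posts above; host names and PIDs are placeholders.
"""
import re
import sys

_RACOON = re.compile(r"racoon\[\d+\]:?\s+(?P<msg>.*)$")
_PPPD = re.compile(r"pppd\[\d+\]:?\s+(?P<msg>.*)$")

VERDICTS = {
    "no-phase1-reply": "No main-mode reply at all: UDP 500 is not reaching the server, or its reply is not coming back (port forward, ACL, wrong external address).",
    "phase1-stalled": "The server answered main-mode messages 2 and 4, then went silent on message 5. Messages 5/6 are the first ones protected by keys derived from the shared secret, so a mismatched PSK is the usual cause.",
    "cookie-mismatch": "A reply carried ISAKMP cookies that match no exchange racoon has open: left-over state from an earlier attempt, or a reply from something other than the server you addressed. Phase 1 never completed.",
    "phase2-rejected": "Phase 1 completed (the shared secret is fine), but every quick-mode attempt is answered with an informational message instead of quick-mode message 2, which is how a responder rejects the phase 2 proposal (transform set, lifetime or the transport-mode L2TP selector). Look at the server's IKE log for the notification.",
    "phase1-ok": "Phase 1 completed and nothing else failed in IKE; if the VPN still fails, look at L2TP/PPP (UDP 1701 inside the tunnel, MS-CHAP credentials).",
    "unknown": "No recognised IKE failure pattern in these lines.",
}


def summarize(lines):
    """Count the racoon/pppd events that distinguish the failure modes."""
    s = {"p1_tx": 0, "p1_rx": 0, "p1_retx": 0, "p1_ok": False, "cookie_err": 0,
         "p2_tx": 0, "p2_retx": 0, "info_rx": 0, "max_retx": False, "failed": False}
    for line in lines:
        m = _RACOON.search(line)
        if m:
            msg = m["msg"]
            if "Phase1 Retransmit" in msg:
                s["p1_retx"] += 1
            elif "Phase2 Retransmit" in msg:
                s["p2_retx"] += 1
            elif "Main-Mode message" in msg and "receive success" in msg:
                s["p1_rx"] += 1
            elif "Main-Mode message" in msg and "transmit success" in msg:
                s["p1_tx"] += 1
            elif "Quick-Mode message" in msg and "transmit success" in msg:
                s["p2_tx"] += 1
            elif "Phase1 Initiator: success" in msg:
                s["p1_ok"] = True
            elif "unexpected cookie" in msg:
                s["cookie_err"] += 1
            elif "Information message" in msg and "receive success" in msg:
                s["info_rx"] += 1
            elif "maximum retransmits" in msg:
                s["max_retx"] = True
        elif _PPPD.search(line) and "IPSec connection failed" in line:
            s["failed"] = True
    return s


def verdict(s):
    """Pick the failure mode from the counters; the order of checks matters."""
    if s["cookie_err"]:
        return "cookie-mismatch"
    if s["p1_ok"]:
        return "phase2-rejected" if s["p2_retx"] else "phase1-ok"
    if s["p1_retx"] or s["max_retx"]:
        return "no-phase1-reply" if s["p1_rx"] == 0 else "phase1-stalled"
    return "unknown"


def triage(lines):
    """Return (verdict key, explanation, counters) for a log excerpt."""
    s = summarize(lines)
    v = verdict(s)
    return v, VERDICTS[v], s


# Constructed after the Mountain Lion post: retransmit plus a cookie error.
SAMPLE_COOKIE = """\
racoon[117]: IKE Packet: transmit success. (Phase1 Retransmit).
racoon[117]: IKE Packet: receive failed. (malformed or unexpected cookie).
pppd[490]: IPSec connection failed
"""

# Constructed after the 10.6.3 log: phase 1 fine, quick mode never agreed.
SAMPLE_PHASE2 = """\
Apr 22 19:14:03 noname racoon[518]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Apr 22 19:14:03 noname racoon[518]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
Apr 22 19:14:03 noname racoon[518]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
Apr 22 19:14:03 noname racoon[518]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
Apr 22 19:14:03 noname racoon[518]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
Apr 22 19:14:03 noname racoon[518]: IKE Packet: receive success. (Initiator, Main-Mode message 6).
Apr 22 19:14:03 noname racoon[518]: IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).
Apr 22 19:14:04 noname racoon[518]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Apr 22 19:14:04 noname racoon[518]: IKE Packet: receive success. (Information message).
Apr 22 19:14:07 noname racoon[518]: IKE Packet: transmit success. (Phase2 Retransmit).
Apr 22 19:14:08 noname racoon[518]: IKE Packet: receive success. (Information message).
Apr 22 19:14:10 noname racoon[518]: IKE Packet: transmit success. (Phase2 Retransmit).
Apr 22 19:14:34 noname pppd[517]: IPSec connection failed
"""

# Constructed after the post just above: replies stop at message 5.
SAMPLE_PSK = """\
Mar  1 10:00:00 mba racoon[301]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Mar  1 10:00:00 mba racoon[301]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
Mar  1 10:00:00 mba racoon[301]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
Mar  1 10:00:00 mba racoon[301]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
Mar  1 10:00:00 mba racoon[301]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
Mar  1 10:00:03 mba racoon[301]: IKE Packet: transmit success. (Phase1 Retransmit).
Mar  1 10:00:06 mba racoon[301]: IKE Packet: transmit success. (Phase1 Retransmit).
Mar  1 10:00:09 mba racoon[301]: IKEv1 Phase1: maximum retransmits.
Mar  1 10:00:09 mba pppd[300]: IPSec connection failed
"""

if __name__ == "__main__":
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_PHASE2.splitlines()
    key, text, counters = triage(lines)
    print(key, counters)
    print(text)
```

The ordering in `verdict` is deliberate: a cookie error is reported before anything else because it means the client was talking to the wrong state or the wrong box, and a completed phase 1 is checked before retransmit counts so that a phase 2 failure is never misread as a phase 1 one.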
-
I just upgraded my iPhone 4S from 5.0.1 to 5.1.1 b206, and I noticed this issue.
I have a Mac Mini Server running Mac OSX 10.6.8.
I build up the VPN server with L2TP and PPTP.
Before I upgrade my iPhone to 5.1.1, it works with L2TP and PPTP both.
After I upgraded to 5.1.1 b206, it only connects to PPTP; L2TP shows the error message
"VPN Connection"
"The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator."
Simultaneously, I tried my iPad, it connects to L2TP AND PPTP with no problem.
Please advise, thanks.
The point of checking the console is there might be a message that pops up in response to trying to copy a file to the target. You're looking for a doorbell-like response. I.e. you try to copy a 1k file, error message pops up. Try to copy again, same error message.
Is Copy Enabled on the target client?
i.e.: ARD into the target, open System Preferences, click on Sharing, click on Remote Management. (If allow access is set to "only these users", then select the account you're using to ARD into the computer.) Click on the Options button, verify the following items are checked: Open & Quit Applications, Change Settings, Delete & Replace Items, Restart & Shutdown, Copy Items. Click the OK button.
if Copy Is Enabled, have you verified the firewall is off?
ie: ard into the client, open system preferences, click on security, click on the Firewall tab, verify Firewall is off. This would also go for any programs that act like a firewall. (little snitch, anti virus barrier, extra)
Have you verified the ARD reporting time on the target computer? Sometimes ARD can get weird if the reports haven't run in a while.
ie: get info on the client in ARD. click on the reporting tab. Set the reporting time to be a few minutes from the actual time. Let the time on the target computer hit the reporting time.Then try copying a file.
Have you ruled out the network?
i.e.: plug the ARD computer into the target directly by Ethernet. Make sure AirPort is off on both computers. Then try copying the file again.
-
"The L2TP-VPN server did not respond"
I just bought an Airport extreme base station, and installed lion server, and configured it for VPN. I have checked all my settings and even looked using AirPort utility. I have tried connecting to my VPN from 2 different Macs and an iPad, and all yield the same error:"The L2TP-VPN server did not respond". When I look at my vpnd.log it is pretty bare:
2011-08-31 18:27:34 EDT Loading plugin /System/Library/Extensions/L2TP.ppp
2011-08-31 18:27:38 EDT Listening for connections...
It looks like the VPN connection requests aren't making it from the AirPort to the server. Any ideas?

FWIW, my Lion Server VPN issue has been solved...
https://discussions.apple.com/thread/2696981?start=30&tstart=0
Only my MBP Drops L2TP VPN Connection after 60 Seconds
My old G4 laptop and my dual G5 tower both connect to my office via L2TP VPN without an issue. With the exact same settings exported over to my MacBook Pro, the connection drops after exactly 60 seconds. I've tried both wireless and wired connections, and in either case the VPN drops after 60 seconds of connect time.
I checked with my VPN administrator. He upgraded the Xserve to Mac OS 10.4.5, and we tried again, with the same results. He sent me the server log to post:
2006-03-14 14:39:20 PST Listening for connections...
2006-03-14 14:43:44 PST terminating on signal 15
2006-03-14 14:43:44 PST terminating on signal 15
#End-Date: 2006-03-14 14:43:44 PST
#End-Date: 2006-03-14 14:43:44 PST
#Start-Date: 2006-03-14 14:44:55 PST
#Fields: date time s-comment
#Start-Date: 2006-03-14 14:44:55 PST
#Fields: date time s-comment
2006-03-14 14:44:55 PST Loading plugin /System/Library/Extensions/L2TP.ppp
2006-03-14 14:44:55 PST Loading plugin /System/Library/Extensions/PPTP.ppp
2006-03-14 14:44:58 PST Listening for connections...
2006-03-14 14:44:58 PST Listening for connections...
2006-03-14 17:06:52 PST Incoming call... Address given to client = 172.16.6.2
Tue Mar 14 17:06:52 2006 : Directory Services Authentication plugin initialized
Tue Mar 14 17:06:52 2006 : Directory Services Authorization plugin initialized
Tue Mar 14 17:06:52 2006 : PPTP incoming call in progress from 'REDACTED'...
Tue Mar 14 17:06:52 2006 : PPTP connection established.
Tue Mar 14 17:06:52 2006 : using link 0
Tue Mar 14 17:06:52 2006 : Using interface ppp0
Tue Mar 14 17:06:52 2006 : Connect: ppp0 <--> socket[34:17]
Tue Mar 14 17:06:52 2006 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xe2f50f1d> <pcomp> <accomp>]
Tue Mar 14 17:06:52 2006 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x122fcd45> <pcomp> <accomp>]
Tue Mar 14 17:06:52 2006 : lcp_reqci: returning CONFACK.
Tue Mar 14 17:06:52 2006 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x122fcd45> <pcomp> <accomp>]
Tue Mar 14 17:06:55 2006 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xe2f50f1d> <pcomp> <accomp>]
Tue Mar 14 17:06:55 2006 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xe2f50f1d> <pcomp> <accomp>]
Tue Mar 14 17:06:55 2006 : sent [LCP EchoReq id=0x0 magic=0xe2f50f1d]
Tue Mar 14 17:06:55 2006 : sent [CHAP Challenge id=0xbf <cc4af73a9d88941b39418f9c31043e6c>, name = "osxvpn.local"]
Tue Mar 14 17:06:55 2006 : rcvd [LCP EchoReq id=0x0 magic=0x122fcd45]
Tue Mar 14 17:06:55 2006 : sent [LCP EchoRep id=0x0 magic=0xe2f50f1d]
Tue Mar 14 17:06:55 2006 : rcvd [LCP EchoRep id=0x0 magic=0x122fcd45]
Tue Mar 14 17:06:55 2006 : rcvd [CHAP Response id=0xbf <REDACTED>, name = "dpisoni"]
Tue Mar 14 17:06:55 2006 : sent [CHAP Success id=0xbf "S=REDACTED M=Access granted"]
Tue Mar 14 17:06:55 2006 : DSAccessControl plugin: User 'dpisoni' authorized for access
Tue Mar 14 17:06:55 2006 : sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
Tue Mar 14 17:06:55 2006 : rcvd [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
Tue Mar 14 17:06:55 2006 : sent [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
Tue Mar 14 17:06:55 2006 : rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
Tue Mar 14 17:06:55 2006 : MPPE 128-bit stateless compression enabled
Tue Mar 14 17:06:55 2006 : sent [IPCP ConfReq id=0x1 <addr 172.16.100.51>]
Tue Mar 14 17:06:55 2006 : sent [ACSCP] 01 01 00 04
Tue Mar 14 17:06:55 2006 : rcvd [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
Tue Mar 14 17:06:55 2006 : ipcp: returning Configure-NAK
Tue Mar 14 17:06:55 2006 : sent [IPCP ConfNak id=0x1 <addr 172.16.6.2> <ms-dns1 172.16.5.100> <ms-dns3 172.16.5.100>]
Tue Mar 14 17:06:55 2006 : rcvd [IPV6CP ConfReq id=0x1 <addr fe80::0216:cbff:fe89:f062>]
Tue Mar 14 17:06:55 2006 : Unsupported protocol 0x8057 received
Tue Mar 14 17:06:55 2006 : sent [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 02 16 cb ff fe 89 f0 62]
Tue Mar 14 17:06:55 2006 : rcvd [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue Mar 14 17:06:55 2006 : sent [ACSCP] 04 01 00 0a 01 06 00 00 00 01
Tue Mar 14 17:06:55 2006 : rcvd [IPCP ConfAck id=0x1 <addr 172.16.100.51>]
Tue Mar 14 17:06:55 2006 : rcvd [ACSCP] 02 01 00 04
Tue Mar 14 17:06:55 2006 : rcvd [IPCP ConfReq id=0x2 <addr 172.16.6.2> <ms-dns1 172.16.5.100> <ms-dns3 172.16.5.100>]
Tue Mar 14 17:06:55 2006 : ipcp: returning Configure-ACK
Tue Mar 14 17:06:55 2006 : sent [IPCP ConfAck id=0x2 <addr 172.16.6.2> <ms-dns1 172.16.5.100> <ms-dns3 172.16.5.100>]
Tue Mar 14 17:06:55 2006 : ipcp: up
Tue Mar 14 17:06:55 2006 : found interface en0 for proxy arp
Tue Mar 14 17:06:55 2006 : local IP address 172.16.100.51
Tue Mar 14 17:06:55 2006 : remote IP address 172.16.6.2
Tue Mar 14 17:06:58 2006 : sent [ACSCP] 01 01 00 04
Tue Mar 14 17:06:58 2006 : rcvd [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue Mar 14 17:06:58 2006 : sent [ACSCP] 04 01 00 0a 01 06 00 00 00 01
Tue Mar 14 17:06:58 2006 : rcvd [ACSCP] 02 01 00 04
Tue Mar 14 17:07:01 2006 : sent [ACSCP] 01 01 00 04
Tue Mar 14 17:07:01 2006 : rcvd [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue Mar 14 17:07:01 2006 : sent [ACSCP] 04 01 00 0a 01 06 00 00 00 01
Tue Mar 14 17:07:01 2006 : rcvd [ACSCP] 02 01 00 04
Tue Mar 14 17:07:04 2006 : sent [ACSCP] 01 01 00 04
Tue Mar 14 17:07:04 2006 : rcvd [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue Mar 14 17:07:04 2006 : sent [ACSCP] 04 01 00 0a 01 06 00 00 00 01
Tue Mar 14 17:07:04 2006 : rcvd [ACSCP] 02 01 00 04
Tue Mar 14 17:07:07 2006 : sent [ACSCP] 01 01 00 04
Tue Mar 14 17:07:07 2006 : rcvd [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue Mar 14 17:07:07 2006 : sent [ACSCP] 04 01 00 0a 01 06 00 00 00 01
Tue Mar 14 17:07:07 2006 : rcvd [ACSCP] 02 01 00 04
Tue Mar 14 17:07:10 2006 : sent [ACSCP] 01 01 00 04
Tue Mar 14 17:07:10 2006 : rcvd [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue Mar 14 17:07:10 2006 : sent [ACSCP] 04 01 00 0a 01 06 00 00 00 01
Tue Mar 14 17:07:10 2006 : rcvd [ACSCP] 02 01 00 04
Tue Mar 14 17:07:13 2006 : sent [ACSCP] 01 01 00 04
Tue Mar 14 17:07:13 2006 : rcvd [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue Mar 14 17:07:13 2006 : sent [ACSCP] 04 01 00 0a 01 06 00 00 00 01
Tue Mar 14 17:07:13 2006 : rcvd [ACSCP] 02 01 00 04
Tue Mar 14 17:07:16 2006 : sent [ACSCP] 01 01 00 04
Tue Mar 14 17:07:16 2006 : rcvd [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue Mar 14 17:07:16 2006 : sent [ACSCP] 04 01 00 0a 01 06 00 00 00 01
Tue Mar 14 17:07:16 2006 : rcvd [ACSCP] 02 01 00 04
Tue Mar 14 17:07:19 2006 : sent [ACSCP] 01 01 00 04
Tue Mar 14 17:07:19 2006 : rcvd [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue Mar 14 17:07:19 2006 : sent [ACSCP] 04 01 00 0a 01 06 00 00 00 01
Tue Mar 14 17:07:19 2006 : rcvd [ACSCP] 02 01 00 04
Tue Mar 14 17:07:22 2006 : sent [ACSCP] 01 01 00 04
Tue Mar 14 17:07:22 2006 : rcvd [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue Mar 14 17:07:22 2006 : sent [ACSCP] 04 01 00 0a 01 06 00 00 00 01
Tue Mar 14 17:07:22 2006 : rcvd [ACSCP] 02 01 00 04
Tue Mar 14 17:07:25 2006 : sent [ACSCP] 01 01 00 04
Tue Mar 14 17:07:25 2006 : rcvd [ACSCP] 01 02 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue Mar 14 17:07:25 2006 : sent [ACSCP] 04 02 00 0a 01 06 00 00 00 01
Tue Mar 14 17:07:25 2006 : rcvd [ACSCP] 02 01 00 04
Tue Mar 14 17:07:28 2006 : sent [ACSCP] 01 01 00 04
Tue Mar 14 17:07:28 2006 : rcvd [ACSCP] 02 01 00 04
Tue Mar 14 17:07:31 2006 : sent [ACSCP] 01 01 00 04
Tue Mar 14 17:07:31 2006 : rcvd [ACSCP] 02 01 00 04
Tue Mar 14 17:07:31 2006 : rcvd [ACSCP] 01 02 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue Mar 14 17:07:31 2006 : sent [ACSCP] 04 02 00 0a 01 06 00 00 00 01
Tue Mar 14 17:07:34 2006 : sent [ACSCP] 01 01 00 04
Tue Mar 14 17:07:34 2006 : rcvd [ACSCP] 02 01 00 04
Tue Mar 14 17:07:34 2006 : rcvd [ACSCP] 01 02 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue Mar 14 17:07:34 2006 : sent [ACSCP] 04 02 00 0a 01 06 00 00 00 01
Tue Mar 14 17:07:37 2006 : sent [ACSCP] 01 01 00 04
Tue Mar 14 17:07:37 2006 : rcvd [ACSCP] 01 02 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue Mar 14 17:07:37 2006 : sent [ACSCP] 04 02 00 0a 01 06 00 00 00 01
Tue Mar 14 17:07:37 2006 : rcvd [ACSCP] 02 01 00 04
Tue Mar 14 17:07:40 2006 : sent [ACSCP] 01 01 00 04
Tue Mar 14 17:07:40 2006 : rcvd [ACSCP] 02 01 00 04
Tue Mar 14 17:07:40 2006 : rcvd [ACSCP] 01 02 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue Mar 14 17:07:40 2006 : sent [ACSCP] 04 02 00 0a 01 06 00 00 00 01
Tue Mar 14 17:07:43 2006 : sent [ACSCP] 01 01 00 04
Tue Mar 14 17:07:43 2006 : rcvd [ACSCP] 02 01 00 04
Tue Mar 14 17:07:43 2006 : rcvd [ACSCP] 01 02 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue Mar 14 17:07:43 2006 : sent [ACSCP] 04 02 00 0a 01 06 00 00 00 01
Tue Mar 14 17:07:46 2006 : sent [ACSCP] 01 01 00 04
Tue Mar 14 17:07:46 2006 : rcvd [ACSCP] 02 01 00 04
Tue Mar 14 17:07:46 2006 : rcvd [ACSCP] 01 02 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue Mar 14 17:07:46 2006 : sent [ACSCP] 04 02 00 0a 01 06 00 00 00 01
Tue Mar 14 17:07:49 2006 : sent [ACSCP] 01 01 00 04
Tue Mar 14 17:07:49 2006 : rcvd [ACSCP] 02 01 00 04
Tue Mar 14 17:07:49 2006 : rcvd [ACSCP] 01 02 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue Mar 14 17:07:49 2006 : sent [ACSCP] 04 02 00 0a 01 06 00 00 00 01
Tue Mar 14 17:07:52 2006 : sent [ACSCP] 01 01 00 04
Tue Mar 14 17:07:52 2006 : rcvd [ACSCP] 01 02 00 10 01 06 00 00 00 01 02 06 00 00 00 01
Tue Mar 14 17:07:52 2006 : sent [ACSCP] 04 02 00 0a 01 06 00 00 00 01
Tue Mar 14 17:07:52 2006 : rcvd [ACSCP] 02 01 00 04
Tue Mar 14 17:07:55 2006 : sent [ACSCP] 01 01 00 04
Tue Mar 14 17:07:55 2006 : rcvd [ACSCP] 02 01 00 04
Tue Mar 14 17:07:55 2006 : rcvd [LCP TermReq id=0x2 "MPPE disabled"]
Tue Mar 14 17:07:55 2006 : LCP terminated by peer (MPPE disabled)
Tue Mar 14 17:07:55 2006 : ipcp: down
Tue Mar 14 17:07:55 2006 : sent [LCP TermAck id=0x2]
Tue Mar 14 17:07:55 2006 : rcvd [LCP TermReq id=0x3 "MPPE disabled"]
Tue Mar 14 17:07:55 2006 : sent [LCP TermAck id=0x3]
Tue Mar 14 17:07:55 2006 : Connection terminated.
Tue Mar 14 17:07:55 2006 : Connect time 1.1 minutes.
Tue Mar 14 17:07:55 2006 : Sent 0 bytes, received 8176 bytes.
Tue Mar 14 17:07:55 2006 : PPTP disconnecting...
Tue Mar 14 17:07:55 2006 : PPTP disconnected
2006-03-14 17:07:55 PST --> Client with address = 172.16.6.2 has hungup
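When a tunnel dies on a fixed timer like the one above, the useful facts are buried in a long pppd transcript: when IPCP came up, how long until the peer sent a TermReq, what reason it gave, how many control-protocol frames the server retried, and whether payload ever flowed both ways. The following Python is an added example, not code from the post or from Apple's vpnd; it parses a constructed excerpt in the same two line formats (vpnd's ISO-stamped lines and pppd's "Tue Mar 14 ... : " lines) and computes those session metrics.

```python
import re
from datetime import datetime

# Constructed excerpt in the format of the vpnd/pppd log quoted above (not the full log).
SAMPLE_LOG = """\
2006-03-14 17:06:52 PST Incoming call... Address given to client = 172.16.6.2
Tue Mar 14 17:06:52 2006 : PPTP connection established.
Tue Mar 14 17:06:55 2006 : ipcp: up
Tue Mar 14 17:06:55 2006 : sent [ACSCP] 01 01 00 04
Tue Mar 14 17:06:58 2006 : sent [ACSCP] 01 01 00 04
Tue Mar 14 17:07:01 2006 : sent [ACSCP] 01 01 00 04
Tue Mar 14 17:07:55 2006 : rcvd [LCP TermReq id=0x2 "MPPE disabled"]
Tue Mar 14 17:07:55 2006 : LCP terminated by peer (MPPE disabled)
Tue Mar 14 17:07:55 2006 : ipcp: down
Tue Mar 14 17:07:55 2006 : Sent 0 bytes, received 8176 bytes.
"""

PPPD_LINE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : (.*)$")
PPPD_TS = "%a %b %d %H:%M:%S %Y"
SENT_PROTO = re.compile(r"^sent \[(\w+)")
TERM_REASON = re.compile(r"LCP terminated by peer \((.*)\)")
BYTE_COUNTS = re.compile(r"Sent (\d+) bytes, received (\d+) bytes")

def summarize_session(log_text):
    """Summarize one pppd session: when IPCP came up and went down, the
    lifetime in seconds, the peer's termination reason, how many frames of
    each control protocol the server sent, and the final byte counters."""
    s = {"up": None, "down": None, "seconds": None, "reason": None,
         "sent_frames": {}, "sent_bytes": None, "received_bytes": None}
    for raw in log_text.splitlines():
        m = PPPD_LINE.match(raw)
        if not m:
            continue  # vpnd's ISO-stamped lines are not part of the PPP state machine
        ts, msg = datetime.strptime(m.group(1), PPPD_TS), m.group(2)
        if msg == "ipcp: up":
            s["up"] = ts
        elif msg == "ipcp: down":
            s["down"] = ts
        elif (p := SENT_PROTO.match(msg)):
            s["sent_frames"][p.group(1)] = s["sent_frames"].get(p.group(1), 0) + 1
        elif (r := TERM_REASON.search(msg)):
            s["reason"] = r.group(1)
        elif (b := BYTE_COUNTS.search(msg)):
            s["sent_bytes"], s["received_bytes"] = int(b.group(1)), int(b.group(2))
    if s["up"] and s["down"]:
        s["seconds"] = int((s["down"] - s["up"]).total_seconds())
    # Zero bytes sent while bytes were received means payload moved in one direction only.
    s["one_way"] = s["sent_bytes"] == 0 and (s["received_bytes"] or 0) > 0
    return s
```

Run over the full log from the post, the same function reports the 60-second lifetime, the "MPPE disabled" reason and the server's zero-byte send counter side by side, which is what to compare against a client that stays up.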