
VPN Client (LAC) on L2TP over IPSec, cannot reach HQ by PING

Publication Date: 2015-12-10
Issue Description

Topology:


Firewall Version:

Huawei Versatile Security Platform Software
Software Version: USG6300 V100R001C30SPC100  (VRP (R) Software, Version 5.30)
Copyright (C) 2014-2015 Huawei Technologies Co., Ltd..

Configuration:

#
interface GigabitEthernet0/0/1
ip address 201.X.X.X 255.255.255.248              
// Public IP-Address
ipsec policy policy
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit

interface GigabitEthernet0/0/3
ip address 192.168.2.248 255.255.255.0
service-manage ping permit

interface Virtual-Template1
ppp authentication-mode chap pap
ppp ipcp dns 8.8.8.8
ip address 10.1.1.1 255.255.255.0
remote address pool 1
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/2
add interface GigabitEthernet0/0/3

firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/1
add interface Virtual-Template1
#
security-policy
rule name 1
  source-zone untrust
  destination-zone trust
  source-address range 10.1.1.2 10.1.1.100
  destination-address 192.168.2.0 mask 255.255.255.0
  action permit
rule name 2
  source-zone trust
  destination-zone untrust
  source-address  192.168.2.0 255.255.255.0
  destination-address range 10.1.1.2 10.1.1.100
  action permit
rule name 3
  source-zone untrust
  destination-zone local
  destination-address 201.X.X.X mask 255.255.255.255
  action permit
#
l2tp enable
l2tp domain suffix-separator @
#
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 1
#
aaa
authentication-scheme default

domain default
  service-type access
  ip pool 1 10.1.1.2 10.1.1.100
  reference user current-domain
  new-user deny-authentication
#
acl number 3000
rule 5 permit udp source-port eq 1701
rule 10 permit udp destination-port eq 1701
#
ike peer a
exchange-mode auto
pre-shared-key %$%$Ob3~Z%+AQVo|$7~{:n%*Qd[R%$%$
ike negotiate compatible
remote-id-type none
#
ipsec proposal tran1
encapsulation-mode auto
esp authentication-algorithm md5
esp encryption-algorithm des
#
ipsec policy-template policy_temp 1
security acl 3000
ike-peer a
alias policy_temp_1
proposal tran1
#

Symptom:

Even though the L2TP tunnel has been established, PING from the LAC (10.1.1.21) to HQ (192.168.2.248, the USG's own GigabitEthernet0/0/3 address) is not successful. However, interface GE0/0/1 is reachable.


[USG6300]display l2tp tunnel
Total tunnel = 1
LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName
1        69        201.X.X.X  2113   1        DISC37.disc-mx.com
[USG6300]dis ike sa
12:18:05  2015/12/08
current ike sa number: 2
--------------------------------------------------------------------------------------------------
conn-id    peer                                    flag          phase vpn
--------------------------------------------------------------------------------------------------
58         201.X.X.X:2113                     RD|A          v1:2  public
57         201.X.X.X:2113                     RD|A          v1:1  public


  flag meaning
  RD--READY      ST--STAYALIVE     RL--REPLACED    FD--FADING    TO--TIMEOUT
  TD--DELETING   NEG--NEGOTIATING  D--DPD          M--ACTIVE     S--STANDBY
  A--ALONE


Solution

Root Cause:

The USG was dropping the ICMP packets because "service-manage ping permit" was not configured on interface Virtual-Template1, the interface on which the LAC's traffic enters the firewall. The discard counter below names the service-manage filter as the drop reason.

[USG6300-diagnose]display  firewall statistic  acl
Current Show sessions count: 1
Protocol(ICMP) SourceIp(10.1.1.21) DestinationIp(192.168.2.248)
SourcePort(4) DestinationPort(2048) VpnIndex(public)
                           RcvnFrag       RcvFrag        Forward     DisnFrag    DisFrag
Obverse(pkts) :     4                    0                    4                 0
Reverse(pkts) :      0                    0                    0                 0                0

Discard detail information:
  IF_SERVICE_MANAGER_PACKET_FILTER:     4


Solution:

Configure "service-manage ping permit" on interface Virtual-Template1:

[USG6300]interface Virtual-Template 1
[USG6300-Virtual-Template1]service-manage ping permit


After service-manage is configured on the interface, the USG forwards the ICMP query from the LAC, as the Forward counter now shows:

[USG6300-diagnose]display firewall statistic acl
Current Show sessions count: 1
Protocol(ICMP) SourceIp(10.1.1.21) DestinationIp(192.168.2.248)
SourcePort(4) DestinationPort(2048) VpnIndex(public)
                          RcvnFrag    RcvFrag     Forward     DisnFrag    DisFrag
Obverse(pkts) :   54                 0                  23               31              0
Reverse(pkts) :   23                  0                   0                 0              0

Discard detail information:
  IF_SERVICE_MANAGER_PACKET_FILTER:     31
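The check below is an added example, not part of the original case or of Huawei's tooling: it parses a constructed copy of the configuration and of the "Discard detail information" block shown above, reports which interfaces lack "service-manage ping permit", and emits the same remediation as the solution when the service-manage filter is the discard reason. The same audit also lists every management service each interface exposes, which is worth reviewing on the public-facing interface.

```python
import re

# Constructed excerpt of the USG configuration quoted in this case (public IP masked as on the page).
CONFIG = """\
interface GigabitEthernet0/0/1
 ip address 201.X.X.X 255.255.255.248
 ipsec policy policy
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
#
interface GigabitEthernet0/0/3
 ip address 192.168.2.248 255.255.255.0
 service-manage ping permit
#
interface Virtual-Template1
 ppp authentication-mode chap pap
 ip address 10.1.1.1 255.255.255.0
#
"""

# Constructed copy of the discard block from 'display firewall statistic acl' before the fix.
STATS = """\
Discard detail information:
  IF_SERVICE_MANAGER_PACKET_FILTER:     4
"""


def service_manage_by_interface(config):
    """Map each interface to the set of management services it explicitly permits."""
    permitted, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"interface (\S+)$", line):
            current = m.group(1)
            permitted[current] = set()
        elif current and (m := re.match(r"service-manage (\S+) permit$", line)):
            permitted[current].add(m.group(1))
    return permitted


def interfaces_missing(config, service):
    """Interfaces that do not permit the given service (e.g. 'ping') towards the device itself."""
    return sorted(n for n, s in service_manage_by_interface(config).items() if service not in s)


def discard_reasons(stats):
    """Parse 'Discard detail information' counters into {reason: packets}."""
    return {m.group(1): int(m.group(2)) for m in re.finditer(r"(\w+):\s+(\d+)\s*$", stats, re.M)}


def remediation(config, stats):
    """When the service-manage filter is the discard reason, return the CLI lines that fix it."""
    if not discard_reasons(stats).get("IF_SERVICE_MANAGER_PACKET_FILTER"):
        return []
    return [f"interface {n}\n service-manage ping permit" for n in interfaces_missing(config, "ping")]
```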

END