Customer feedback when through the VPN CLIENT to make L2TP OVER IPSEC dialing at home, prompting error at the third step, unable to dialing passable.
Far end through the public network address dialing directly, and can dialing success; modify the customer private network address to 172.16.100.100, can dialing success.
because there are many customers need to use L2TP OVER IPSEC to make intranet connection, so suggest that customers modify intranet segment as 10.0.0.0 or 172.16.0.0, which is not commonly used in family broadband, avoid segment collision, leading to routing error.
Through the debug check the dialing process, find IPSEC tunnel can establish normally, but it break soon after the establishment of the IPSEC tunnel, and do not continue to L2TP dialing process.
In the dialing process, use display ipsec sa, and find the following information:
[USG5320]display ipsec sa
IPsec policy name: "map1"
sequence number: 10
connection id: 326
rule number: 5
encapsulation mode: tunnel
tunnel local : 18.104.22.168 tunnel remote: 22.214.171.124
flow source: 126.96.36.199/255.255.255.255 17/1701
flow destination: 192.168.1.100/255.255.255.255 17/35550
Flow destination address is 192.168.1.100, which cause our attention, the customer computer private network address is 192.168.1.100 when use broadband dialing at home. Check the firewall routing, find the firewall exist a 192.168.1.0/24 routing, and that is the customer intranet segment being used. It refers to back to the customer intranet SW.
Find the reasons of the problem now, can judge is because the customer intranet segment and broadband dialing intranet segment is same, leading to the firewall choose the wrong path when reply the packet, leading to L2TP over IPSEC consultation is not successful.