L2TP over IPsec dial-in fails because of a network segment collision

Publication Date:  2012-10-31 Views:  193 Downloads:  0
Issue Description
A customer reported that when dialing in with L2TP over IPsec from the VPN client at home, an error is prompted at the third step and the dial-in cannot complete.
Alarm Information
none
Handling Process
Dialing directly from the far end through a public network address succeeds; after changing the customer's private network address to 172.16.100.100, dialing also succeeds.
Because many customers need L2TP over IPsec for intranet access, we suggest that customers change their intranet segment to 10.0.0.0 or 172.16.0.0, which are not commonly used by home broadband, so that segment collisions and the resulting routing errors are avoided.
Root Cause
Checking the dial-in process with debugging shows that the IPsec tunnel is established normally but is torn down shortly after it is set up, and the L2TP dial-in process does not continue.
During dial-in, running display ipsec sa shows the following information:
[USG5320]display ipsec sa
11:07:47  2011/11/08
  -----------------------------
  IPsec policy name: "map1"
  sequence number: 10
  mode: template
  vpn: 0
  -----------------------------
    connection id: 326
    rule number: 5
    encapsulation mode: tunnel
    tunnel local : 200.133.33.73    tunnel remote: 200.136.15.97
    flow      source: 200.133.33.73/255.255.255.255 17/1701
    flow destination: 192.168.1.100/255.255.255.255 17/35550
The flow destination address, 192.168.1.100, draws attention: it is the private network address of the customer's computer when it dials in over home broadband. Checking the firewall's routing table shows an existing route for 192.168.1.0/24, which is the segment used by the customer intranet; that route points back to the customer's intranet switch.
The cause is now found: the customer intranet segment and the home broadband private segment are the same, so the firewall chooses the wrong path when replying to the client's packets, and the L2TP over IPsec negotiation fails.
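The following Python script is an added illustration, not part of the original case or Huawei's own tooling. It models the root cause described above: a longest-prefix-match lookup over a constructed routing table (the firewall's 192.168.1.0/24 route via the intranet switch plus a default route, both assumed) shows that a reply to the client's private address 192.168.1.100 is sent to the intranet instead of towards the remote peer, while 172.16.100.100 is not. It also parses the flow destination line from the display ipsec sa output quoted above so the collision can be flagged automatically; the sample SA text is constructed from that output.

```python
import ipaddress
import re

# Constructed routing table modelled on the case (assumed next-hop names):
# the firewall already has a route for the customer intranet 192.168.1.0/24
# pointing at the internal switch, plus a default route towards the Internet.
ROUTES = {
    "192.168.1.0/24": "intranet-switch",
    "0.0.0.0/0": "internet-uplink",
}

# Sample text constructed from the display ipsec sa output shown in the case.
SAMPLE_SA = """
    flow      source: 200.133.33.73/255.255.255.255 17/1701
    flow destination: 192.168.1.100/255.255.255.255 17/35550
"""

FLOW_DST_RE = re.compile(
    r"flow destination:\s*(\S+)/(\S+)\s+(\d+)/(\d+)"
)


def flow_destination_from_sa(sa_text):
    """Extract (ip, mask, protocol, port) from the flow destination line."""
    m = FLOW_DST_RE.search(sa_text)
    if not m:
        return None
    ip, mask, proto, port = m.groups()
    return ip, mask, int(proto), int(port)


def lookup_next_hop(dest_ip, routes=ROUTES):
    """Longest-prefix match, as a forwarding table does."""
    dest = ipaddress.ip_address(dest_ip)
    best = None
    for prefix, hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def collides_with_intranet(client_private_ip, intranet_segments):
    """Return the intranet segment that overlaps the client's home LAN address, if any."""
    addr = ipaddress.ip_address(client_private_ip)
    for seg in intranet_segments:
        if addr in ipaddress.ip_network(seg):
            return seg
    return None


def audit_sa(sa_text, intranet_segments, routes=ROUTES):
    """Combine both checks: where would the reply go, and does the client address collide?"""
    dst = flow_destination_from_sa(sa_text)
    if dst is None:
        return None
    ip = dst[0]
    return {
        "flow_destination": ip,
        "reply_next_hop": lookup_next_hop(ip, routes),
        "colliding_segment": collides_with_intranet(ip, intranet_segments),
    }


if __name__ == "__main__":
    print(audit_sa(SAMPLE_SA, ["192.168.1.0/24"]))
    # The same client renumbered to 172.16.100.100, as done in the handling process.
    print(lookup_next_hop("172.16.100.100"))
```

Running the script shows the reply to 192.168.1.100 being forwarded to intranet-switch with a colliding segment of 192.168.1.0/24, whereas 172.16.100.100 falls through to the default route towards the Internet; the same check can be applied to any future dial-in failure where the client's home LAN uses a common private range.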
Suggestions
none
