Mobile Phone Failed a Dialup using L2TP over IPSec VPN in a Virtual Firewall Environment

Publication Date: 2014-01-06
Issue Description
At a site, a user who initiates an L2TP over IPSec dialup from a mobile phone in a virtual firewall environment cannot set up the connection. The dialup succeeds on a physical interface with the same IPSec policy. The mobile phone runs Android 4.1 or later; with Android 4.0, a fault may occur.
Alarm Information
The tunnel cannot be set up.
[USG5500-GigabitEthernet0/0/1]disp ike sa
13:55:32  2013/03/07
current sa Num :0
Handling Process
The key configurations are as follows:
firewall packet-filter default permit interzone vpn-instance vpn trust untrust direction inbound
firewall packet-filter default permit interzone vpn-instance vpn trust untrust direction outbound
//Permit interzone traffic between the trust and untrust zones of the virtual firewall (vpn-instance vpn) by default, in both directions.
l2tp enable
//Enable L2TP.
ip vpn-instance vpn
route-distinguisher 100:1
//Configure a VPN instance.
acl number 3003 vpn-instance vpn
rule 5 permit udp source-port eq 1701
//Define an ACL in the VPN instance that matches L2TP traffic (UDP source port 1701); the IPSec policy template protects this traffic.
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
#
ike peer test1
pre-shared-key %$%$&Mn<T@fDlGof8S>]F3BFa)}t%$%$
ike-proposal 1
sa binding vpn-instance vpn zone untrust
//Based on the previous experience, set the Diffie-Hellman (DH) group, configure IKE, and bind the virtual instance to the corresponding zone.

#
ipsec proposal prop63145831613
encapsulation-mode transport
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ipsec policy-template tpl63145831961 1
security acl 3003
ike-peer test1
proposal prop63145831613
sa duration traffic-based 1843200
sa duration time-based 3600
#
ipsec policy test1 2 isakmp template tpl63145831961
//Configure an IPSec VPN policy template.

interface Virtual-Template0
ppp authentication-mode chap pap
ppp timer negotiate 10
ppp ipcp dns 202.99.160.68
alias L2TP_LNS_0
ip binding vpn-instance vpn
ip address 10.66.10.126 255.255.255.240
remote address pool
//Bind the virtual-template interface to the VPN instance.
interface GigabitEthernet0/0/1
alias VPN (public)
ip binding vpn-instance vpn
ip address 60.2.200.230 255.255.255.252
ipsec policy test1
//Bind the public interface to the VPN instance and apply the IPSec policy (built from the policy template) to it.
#
interface GigabitEthernet0/0/2
alias VPN (private)
ip binding vpn-instance vpn
ip address 10.66.8.3 255.255.255.248
//Bind the private interface to the same VPN instance.

firewall zone vpn-instance vpn trust
set priority 85
add interface GigabitEthernet0/0/2
#
firewall zone vpn-instance vpn untrust
set priority 5
add interface GigabitEthernet0/0/1
add interface Virtual-Template0

l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 0 vpn-instance vpn
tunnel name svn
//Configure an L2TP group, and bind the group to the virtual interface and the VPN instance.
The server has no route back to the L2TP address pool, so dialup traffic cannot reach 10.66.8.47 on the private network.

After source NAT is configured on the network, dialup users can ping 10.66.8.47.

nat-policy interzone vpn-instance vpn trust untrust inbound
policy 0
action source-nat
policy source 10.66.10.117 0
easy-ip GigabitEthernet0/0/2

Root Cause
Checking the configuration shows that Virtual-Template 0 is not configured and the L2TP group configuration is incomplete.

interface Virtual-Template 0
ppp authentication-mode chap pap
ppp timer negotiate 10
ppp ipcp dns 202.99.160.68
alias L2TP_LNS_0
ip binding vpn-instance vpn
ip address 10.66.10.126 255.255.255.240
remote address pool

l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 0 vpn-instance vpn
tunnel name svn
After the required configurations are added, a test shows that the IPSec VPN connection can be set up.

[USG5500]disp ike sa
14:32:46  2013/03/07
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer                    flag          phase vpn
-----------------------------------------------------------------------------
41204      117.136.15.97:43884     RD            v1:2  vpn
41203      117.136.15.97:43884     RD            v1:1  vpn
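The root cause above is a binding that is easy to miss when an L2TP LNS lives inside a vpn-instance: the l2tp-group must allow the virtual template in that instance, and the virtual template itself must exist and be bound to it. The following script is an added example, not part of this case or of Huawei's own tooling; it parses a flat config dump in the form shown on this page (section headers, sub-commands, `#` separators) and reports exactly those gaps. The constructed sample config reproduces the incomplete state described in the Root Cause.

```python
import re
# Constructed sample modelled on this case: L2TP is enabled, but l2tp-group 1
# lacks its "allow l2tp virtual-template ... vpn-instance" line and the
# Virtual-Template interface it should reference is absent (the root cause).
BROKEN_CFG = """\
l2tp enable
#
l2tp-group 1
tunnel name svn
"""
ALLOW_RE = re.compile(r"allow l2tp virtual-template (\d+) vpn-instance (\S+)")
SECTION_HEADS = ("interface ", "l2tp-group ", "ike peer ", "ipsec policy-template ",
                 "acl number ", "ip vpn-instance ", "ike proposal ", "ipsec proposal ")

def parse_sections(cfg):
    """Group a flat VRP-style config into {section header: [sub-commands]}."""
    sections, cur = {"": []}, ""          # global one-liners are filed under ""
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):   # skip blanks and annotations
            continue
        if line == "#":                         # block separator
            cur = ""
        elif line.startswith(SECTION_HEADS):
            cur = line
            sections.setdefault(cur, [])
        else:
            sections[cur].append(line)
    return sections

def check_l2tp_bindings(cfg):
    """Findings for the LNS side of L2TP over IPSec in a vpn-instance; [] = complete."""
    s, findings = parse_sections(cfg), []
    if "l2tp enable" not in s[""]:
        findings.append("l2tp enable is missing")
    groups = [h for h in s if h.startswith("l2tp-group ")]
    if not groups:
        findings.append("no l2tp-group configured")
    for g in groups:
        m = next(filter(None, map(ALLOW_RE.fullmatch, s[g])), None)
        if m is None:
            findings.append(f"{g}: no 'allow l2tp virtual-template N vpn-instance X' line")
            continue
        vt, vpn = f"interface Virtual-Template{m.group(1)}", m.group(2)
        if vt not in s:
            findings.append(f"{g}: {vt} is not configured")
        elif f"ip binding vpn-instance {vpn}" not in s[vt]:
            findings.append(f"{vt} is not bound to vpn-instance {vpn}")
    return findings
```

Run `check_l2tp_bindings` over the output of `display current-configuration` and an empty list means the l2tp-group, virtual template and vpn-instance bindings match; each finding names the section to fix.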

Suggestions
None.
