L2TP over IPsec dial-in fails because of a network segment collision

Publication Date: 2012-10-31
Issue Description
The customer reported that when dialing L2TP over IPsec from home through the VPN client, an error was prompted at the third step and the dial-in could not complete.
Alarm Information
Handling Process
Dialing directly from the far end through the public network address succeeds; after modifying the customer private network address to, dialing also succeeds.
Because many customers need to use L2TP over IPsec to connect to the intranet, we suggest that customers modify the intranet segment to or, which is not commonly used in home broadband, to avoid a segment collision that leads to routing errors.
Root Cause
Checking the dialing process with debug shows that the IPsec tunnel is established normally but breaks soon after it is established, and the L2TP dialing process does not continue.
During the dialing process, display ipsec sa shows the following information:
[USG5320]display ipsec sa
11:07:47  2011/11/08
  IPsec policy name: "map1"
  sequence number: 10
  mode: template
  vpn: 0
    connection id: 326
    rule number: 5
    encapsulation mode: tunnel
    tunnel local :    tunnel remote:
    flow      source: 17/1701
    flow destination: 17/35550
The flow destination address is, which caught our attention: the customer computer's private network address is when dialing over broadband at home. Checking the firewall routing shows that the firewall has a route, and that is the intranet segment the customer is using. It points back to the customer intranet SW.
The cause of the problem is now found: because the customer intranet segment and the home broadband private segment are the same, the firewall chooses the wrong path when replying to the packets, so the L2TP over IPsec negotiation does not succeed.
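
The route selection described above can be reproduced offline. The following is an added example, not output or code from the original case: it performs a longest-prefix-match lookup for the dial-in client's private address against a firewall routing table, before and after the intranet segment is renumbered. All addresses, prefixes and next-hop names are constructed for illustration, because the real ones are not present on this page.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match: return (prefix, next_hop) chosen for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return (str(best[0]), best[1]) if best else None

def colliding_routes(routes, client_lan):
    """Non-default routes on the firewall that overlap the client's home LAN."""
    lan = ipaddress.ip_network(client_lan)
    hits = []
    for prefix, _hop in routes:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen > 0 and net.overlaps(lan):
            hits.append(prefix)
    return hits

# Constructed sample values (assumptions, not taken from the case).
CLIENT_LAN = "192.168.1.0/24"    # home broadband segment behind the client's router
CLIENT_ADDR = "192.168.1.100"    # private address seen as the IPsec flow destination

# Firewall routes while the intranet uses the same segment as the home LAN.
ROUTES_BEFORE = [
    ("0.0.0.0/0", "isp-gateway"),
    ("192.168.1.0/24", "intranet-switch"),
]
# Firewall routes after the intranet is moved to a less common segment.
ROUTES_AFTER = [
    ("0.0.0.0/0", "isp-gateway"),
    ("10.77.40.0/24", "intranet-switch"),
]

def report(routes):
    """Where the reply to the client goes, and which routes collide with its LAN."""
    return {
        "reply_route": lookup(routes, CLIENT_ADDR),
        "collisions": colliding_routes(routes, CLIENT_LAN),
    }

if __name__ == "__main__":
    print("before:", report(ROUTES_BEFORE))
    print("after: ", report(ROUTES_AFTER))
```

With the colliding route present, the reply to the client's private address is sent toward the intranet switch instead of back out the public interface, which matches the tunnel coming up and then breaking before L2TP starts.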