No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>


To have a better experience, please upgrade your IE browser.


L2TP over IPSec VPN NAT traversal problem lead to the client can't dial VPN successfully

Publication Date:  2012-11-08 Views:  114 Downloads:  0
Issue Description
A Broadcasting & Television company uses two USG5330 to make VRRP, VPN Client version is V100R001C02SPC001. Network topology is as follows.

Figure 1 FW networking topology
Now the problem is that: customers use VPN client software to dial the external VPN in our network laboratory through, but it is impassable, prompting the information "the third step: complete IKE negotiation", then prompt connection error, "error reason: tunnel keep-alive timeout or negotiation timeout." But the same account and VPN client test in dealer network, dialing pass.
Alarm Information
Handling Process
Just dial the L2TP, if pass, it is the firewall return routing configuration problem, or packet is dropped as other reasons in the middle network equipment.
Results: cannot dial pass the L2TP, prompting information is the same as before.
Then check the firewall configuration, find that do not configure NAT traversal under the IKE peer, maybe it caused by the NAT traversal problem.
Open NAT traversal in the FW and VPN client, then dial, and pass.
Root Cause
The result is different use the same account dialing VPN client in different network environment, prove the FW VPN configuration is no problem, and network environment have problem. There are two reasons: the intermediate device filters the packet; or FW do not configure the return route.
In the above network scene, customers want to establish IPSec tunnel from private internal network to distal firewall, the export have NAT equipment, then involves the IPSec and NAT cooperation, the client and distal firewall want to make NAT traversal negotiation, that is to say, the devices of both tunnel end have NAT traversal ability.
Because the negotiation IKE problem of NAT traversal and IPSec message encapsulation change, security protocol can only use ESP, operating mode can only use tunnel model, IKE negotiation must be aggressive mode, and only initiate negotiation from the blow end.