
Mobile Phone Failed a Dialup using L2TP over IPSec VPN in a Virtual Firewall Environment

Publication Date:  2014-01-06  |   Views:  1809  |   Downloads:  0  |   Document ID:  EKB1000038766


Issue Description

At a site, when a user uses a mobile phone to initiate a dialup using L2TP over IPSec in a virtual firewall environment, the connection fails to be set up. The dialup succeeds on a physical interface with the same IPSec policy. The mobile phone has the Android 4.1 or higher operating system installed. If Android 4.0 is used, a fault may occur.

Alarm Information

The tunnel cannot be set up.
[USG5500-GigabitEthernet0/0/1]disp ike sa
13:55:32  2013/03/07
current sa Num :0

Handling Process

The key configurations are as follows:
firewall packet-filter default permit interzone vpn-instance vpn trust untrust direction inbound
firewall packet-filter default permit interzone vpn-instance vpn trust untrust direction outbound
//Set the default interzone packet filter in the virtual firewall to permit traffic between trust and untrust in both directions.
l2tp enable
//Enable L2TP.
ip vpn-instance vpn
route-distinguisher 100:1
//Configure a VPN instance.
acl number 3003 vpn-instance vpn
rule 5 permit udp source-port eq 1701
//Permit UDP port 1701 (L2TP) in the ACL that the IPSec policy template protects.
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
ike peer test1
pre-shared-key %$%$&Mn<T@fDlGof8S>]F3BFa)}t%$%$
ike-proposal 1
sa binding vpn-instance vpn zone untrust
//Set the DH group and IKE proposal, configure the IKE peer, and bind the SA to the VPN instance and its untrust zone.

ipsec proposal prop63145831613
encapsulation-mode transport
esp authentication-algorithm sha1
esp encryption-algorithm 3des
ipsec policy-template tpl63145831961 1
security acl 3003
ike-peer test1
proposal prop63145831613
sa duration traffic-based 1843200
sa duration time-based 3600
ipsec policy test1 2 isakmp template tpl63145831961

//Configure an IPSec VPN policy template.

interface Virtual-Template0
ppp authentication-mode chap pap
ppp timer negotiate 10
ppp ipcp dns
alias L2TP_LNS_0
ip binding vpn-instance vpn
ip address
remote address pool
//Bind the virtual template interface to the VPN instance.
interface GigabitEthernet0/0/1
alias VPN (public)
ip binding vpn-instance vpn
ip address
ipsec policy test1
//Bind the public interface to the VPN instance and apply the IPSec policy (policy template) to it.
interface GigabitEthernet0/0/2
alias VPN (private)
ip binding vpn-instance vpn
ip address
//Bind the private interface to the VPN instance.

firewall zone vpn-instance vpn trust
set priority 85
add interface GigabitEthernet0/0/2
firewall zone vpn-instance vpn untrust
set priority 5
add interface GigabitEthernet0/0/1
add interface Virtual-Template0

l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 0 vpn-instance vpn
tunnel name svn
//Configure an L2TP group, and bind the group to the virtual interface and the VPN instance.
The server has no route to the L2TP address pool. Therefore, traffic from dialup users cannot reach the private network.

After NAT is performed on the network, dialup users can ping

nat-policy interzone vpn-instance vpn trust untrust inbound
policy 0
  action source-nat
  policy source 0
  easy-ip GigabitEthernet0/0/2

Root Cause

A check of the configuration shows that Virtual-Template 0 is not configured and that the L2TP group configuration is incomplete.

interface Virtual-Template 0
ppp authentication-mode chap pap
ppp timer negotiate 10
ppp ipcp dns
alias L2TP_LNS_0
ip binding vpn-instance vpn
ip address
remote address pool

l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 0 vpn-instance vpn
tunnel name svn
After the required configuration is added, a test shows that the IPSec VPN connection is set up.

[USG5500]disp ike sa
14:32:46  2013/03/07
current ike sa number: 2
conn-id    peer          flag    phase   vpn
41204                    RD      v1:2    vpn
41203                    RD      v1:1    vpn
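The root cause above is a set of configuration pieces that must reference each other: the L2TP group must allow the virtual template for the VPN instance, that virtual template must exist, be bound to the VPN instance, carry an address pool and sit in the untrust zone, and the IKE peer and ACL must also be scoped to the VPN instance. The following is an added example, not Huawei's code or tooling, of a small lint script that checks those relationships in a flattened running configuration. The "before" and "after" configuration strings are constructed for the example (the pre-shared key and pool name are placeholders); stanza names and commands follow the article.

```python
"""Added example (not Huawei's own tooling): lint a flattened USG/VRP-style
configuration for the L2TP-over-IPSec-in-a-VPN-instance pieces that must
line up. All configuration text below is constructed for the example."""
import re
from typing import Dict, List

# Constructed "before" configuration: the l2tp-group lacks its "allow" line
# and the Virtual-Template stanza is absent, mirroring the article's root
# cause. Sub-commands are indented by one space and stanzas are separated by
# "#", as the running configuration displays them. Secrets are placeholders.
BROKEN_CONFIG = """\
l2tp enable
#
ip vpn-instance vpn
 route-distinguisher 100:1
#
acl number 3003 vpn-instance vpn
 rule 5 permit udp source-port eq 1701
#
ike peer test1
 pre-shared-key PLACEHOLDER-PSK
 ike-proposal 1
 sa binding vpn-instance vpn zone untrust
#
ipsec policy-template tpl1 1
 security acl 3003
 ike-peer test1
#
interface GigabitEthernet0/0/1
 ip binding vpn-instance vpn
 ipsec policy test1
#
firewall zone vpn-instance vpn untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
l2tp-group 1
 undo tunnel authentication
 tunnel name svn
"""

# The stanzas the Root Cause section adds back. Re-entering an existing view
# (l2tp-group 1, the untrust zone) appends to it; the parser merges them.
FIX = """\
#
interface Virtual-Template 0
 ppp authentication-mode chap pap
 ip binding vpn-instance vpn
 remote address pool PLACEHOLDER-POOL
#
l2tp-group 1
 allow l2tp virtual-template 0 vpn-instance vpn
#
firewall zone vpn-instance vpn untrust
 add interface Virtual-Template0
"""
FIXED_CONFIG = BROKEN_CONFIG + FIX


def normalize(line: str) -> str:
    """Collapse whitespace and unify "Virtual-Template 0"/"Virtual-Template0"."""
    line = re.sub(r"Virtual-Template\s+(\d+)", r"Virtual-Template\1", line)
    return " ".join(line.split())


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level command to its indented sub-commands.
    A bare "#" or a blank line ends the current view."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.strip() in ("", "#"):
            current = None
        elif raw[0].isspace():
            if current is not None:
                blocks[current].append(normalize(raw))
        else:
            current = normalize(raw)
            blocks.setdefault(current, [])
    return blocks


def lint_l2tp_over_ipsec(config: str, vpn: str, group: int = 1,
                         template: int = 0) -> List[str]:
    """Return findings for the given VPN instance; an empty list means the
    L2TP group, virtual template, zone, IKE peer and ACL all line up."""
    b = parse_blocks(config)
    out: List[str] = []
    vt = f"interface Virtual-Template{template}"
    if "l2tp enable" not in b:
        out.append("l2tp is not enabled")
    if f"ip vpn-instance {vpn}" not in b:
        out.append(f"ip vpn-instance {vpn} does not exist")
    allow = f"allow l2tp virtual-template {template} vpn-instance {vpn}"
    if allow not in b.get(f"l2tp-group {group}", []):
        out.append(f"l2tp-group {group}: missing '{allow}'")
    body = b.get(vt)
    if body is None:
        out.append(f"{vt} is not configured")
    else:
        if f"ip binding vpn-instance {vpn}" not in body:
            out.append(f"{vt} is not bound to vpn-instance {vpn}")
        if not any(line.startswith("remote address pool") for line in body):
            out.append(f"{vt} has no remote address pool for dial-in users")
    zone = b.get(f"firewall zone vpn-instance {vpn} untrust", [])
    if f"add interface Virtual-Template{template}" not in zone:
        out.append(f"{vt} is not in the untrust zone of vpn-instance {vpn}")
    for key, body in b.items():
        if key.startswith("ike peer ") and not any(
                re.fullmatch(rf"sa binding vpn-instance {re.escape(vpn)} zone \S+", line)
                for line in body):
            out.append(f"{key}: no 'sa binding vpn-instance {vpn} zone ...'")
        m = re.fullmatch(rf"acl number (\d+) vpn-instance {re.escape(vpn)}", key)
        if m and not any(re.search(r"permit udp .*-port eq 1701", line) for line in body):
            out.append(f"acl {m.group(1)}: no rule permitting UDP port 1701 (L2TP)")
    return out


if __name__ == "__main__":
    for name, cfg in (("before", BROKEN_CONFIG), ("after", FIXED_CONFIG)):
        print(name, lint_l2tp_over_ipsec(cfg, "vpn") or ["OK"])
```

Run against the "before" text the script reports the missing allow line, the absent Virtual-Template0 stanza and its absence from the untrust zone; against the "after" text it reports nothing. The same checks can be run on the output of a configuration display pasted into a file, which is quicker than reading a long virtual-firewall configuration by eye when `disp ike sa` shows no SA.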