Win. Native Rem. Acc. through L2TP-IPSec VPN from Windows 10 to FGT60E behind DSL router

Author: InventX (Bronze Member), 2017/02/15 15:55:01

I use the Fortigate60E as firewall and router behind a DSL modem. The FGT is connected to the DMZ port of the DSL modem (FritzBox 7360). I'm able to log in to the FritzBox on port 442, and the management port of the FGT is HTTPS: 444. I'm also able to log in to the FGT from a remote desktop. The physical setup is: Internet (public IP) <--> FritzBox (192.168.1.1) <--> (192.168.1.20) Fortigate 60E <--> (192.168.2.1/24) LAN clients. The LAN clients are on port 2 (as Interface, not as LAN port).
Port 2 (internal1) has static IP address 192.168.2.1 with DHCP server (s.i.p: 192.168.2.10, e.i.p: 192.168.2.254), no secondary IP address. The wan1 interface has addressing mode: DHCP (from FritzBox, which assigns static IP address: 192.168.1.20) with acquired DNS 192.168.1.1 and default gateway: 192.168.1.1 (= FritzBox LAN port 1). Retrieve default gateway from server is on and Override internal DNS is also on.
 
I'm also able to port forward VoIP settings to a local PBX server and WebDAV ports to a NAS in the local network.
When I create an IPSec tunnel with the IPSec Wizard and choose Remote Access and Windows Native, and fill in all settings:
 
2) Incoming Interface: Wan1 (192.168.1.20), Pre-shared key, User Group (VPN-Users)
3) Local interface: Lan-Clients (192.168.2.1/24), Local Address: all, Client Address Range: 10.10.100.1-10.10.100.100, Subnet Mask: 255.255.255.255
 
 
When I try to connect from the remote client I see the tunnel is coming up, but the VPN Events only show negotiation failures on the IPSec phase 1 connector.

What should I do to make this work? I've spent days searching the Forti Cookbook, forums and YouTube videos, but it won't work.

Please help!
#1

    ede_pfau (Expert Member, Heidelberg, Germany), 2017/02/16 01:22:27
    There are a few things that I don't understand:
     
    1- you state that the FB is used as a modem but on the other hand it hands down a private IP address to the FGT - so it's routing, right?
    I'm familiar with a modem setup in front of the FGT where the modem is in 'bridge' or 'pass-through' mode and the PPPoE handling of the ADSL WAN line is completely done on the FGT. Here, the wan port receives the public IP address which makes many things less complicated. I'm not sure a FB can be put into that mode - you could designate a LAN port of it as "exposed host". The transfer network between FB and FGT doesn't need to be dynamic at all, a static setup would be appropriate (but this is not the reason for the tunnel failure).
     
    2- the VPN needs to handle NAT traversal. I've got no clue whether a L2TP tunnel can do that, NAT-T is an IPsec feature.
     
    3- you need a static route on the FGT for the client LAN address space, i.e. 10.10.100.0/24, pointing to the tunnel interface. Otherwise, traffic with these source addresses will be dropped by the FGT as 'unknown'.
    BTW, the mask you posted is a /32 and good for nothing. Probably a typo.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #2
    InventX (Bronze Member), 2017/02/16 02:00:09
    Hello Ede,
     
    Thank you for your reply.
    1 - Indeed the FB is a DSL modem connected with the DSL port to the internet. The FGT is with its WAN1 port connected to LAN port 1 of the FB. The FGT is getting an internal IP, so indeed the FB is routing. But I also marked port 1 of the FB as Exposed port, so that's why I can connect to the FGT from the public IP of the FB. Unfortunately I can't set up the FB in bridge or pass-through mode. This model doesn't support that. And besides that, the customer doesn't have the username/password for the DSL connection to set up the PPPoE settings in the FGT.
     
    2 - The tunnel I'm trying to create is a L2TP-IPSec tunnel, so I think this should be possible?
     
    3 - I've tried to create the tunnel in several ways: through the Wizard, as a custom VPN tunnel, with the CLI. The only time the tunnel comes up is when I created the tunnel with the wizard. The wizard also creates the Address (Eqraft_Goes_Range) as an IP Range (10.10.100.1-10.10.100.100) and creates two IPv4 Rules from VPN tunnel to Wan1 (NAT disabled, source and destination "All", Service: "L2TP") and from VPN tunnel to Lan Clients (NAT enabled, source: "Eqraft_Goes_Range", destination: "All", Service: "All")

    Should I also create a static route? And what should that look like?
     
    Thank you for helping me.

    Attached Image(s)

    #3
    InventX
    Bronze Member
    • Total Posts : 21
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/02/13 04:51:27
    • Status: offline
    Re: Win. Native Rem. Acc. throug L2TP-IPSec VPN from Windows 10 to FGT60E behind DSL route 2017/02/17 05:56:12 (permalink)
    0
    Hi All,
     
    I've created a ticket with the support department; after some testing they tell me it isn't possible to create and use a L2TP-IPsec VPN tunnel, because this FGT is on the LAN side of a DSL modem/router:
     
    Thank you for the nice update. As I researched your issue and figured it out: since your FGT is behind an internet modem (with a private IP) this L2TP/IPsec (Microsoft VPN) config is not supported. L2TP/IPSec on Windows only supports transport mode (does not work well with port forwarding and NAT). Because of this, the FGT requires a routable public IP address on its WAN interface.
     
    Can anybody tell me if it is possible or not?
     
    If it isn't possible, how can I give remote workers the best way to connect to the private network? I've tried a SSL-VPN with the FortiClient, but then I get a symmetric bandwidth and the DSL line is 111 Mbps download and 33 Mbps upload. The SSL-VPN could only copy files from remote to local (and also from local to remote side) with +/- 28 Mbps.
     
    Hoping somebody can help..
    #4
    InventX (Bronze Member), 2017/02/20 03:58:37
    Hi all,
     
    Does anybody know how I can test where it is going wrong? When I diagnose on the FGT with a sniffer on port 500 and 4500 I see (192.168.1.20 = IP of Wan1):
     
    Wan1 in (public IP of remote laptop).501 -> 192.168.1.20.500 :udp 408
    Wan1 out 192.168.1.20.500 -> (public IP of remote laptop).501 :udp 188
    Wan1 in (public IP of remote laptop).501 -> 192.168.1.20.500 :udp 260
    Wan1 out 192.168.1.20.500 -> (public IP of remote laptop).501 :udp 228
    Wan1 in (public IP of remote laptop).4501 -> 192.168.1.20.4500 :udp 72
    Wan1 out 192.168.1.20.4500 -> (public IP of remote laptop).4501 :udp 72
    Wan1 in (public IP of remote laptop).4501 -> 192.168.1.20.4500 :udp 64
    Wan1 in (public IP of remote laptop).4501 -> 192.168.1.20.4500 :udp 440
     
    and so on.
     
    I really need a solution for our customer for remote workers to connect to the company LAN.
    But I can't figure out where the problem is.
     
    #5
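As an added diagnostic aid (not from the thread and not a Fortinet tool), the following Python parses sniffer lines in the format pasted above and reports whether the exchange floated from UDP 500 to 4500 (NAT-T) and whether the FGT stopped answering after the float. The sample lines are constructed from the thread's pattern, with 203.0.113.5 as a placeholder for the laptop's public IP.

```python
import re
from collections import Counter

# Constructed sample modelled on the thread's sniffer lines; 203.0.113.5 is a placeholder public IP.
SAMPLE = """\
Wan1 in 203.0.113.5.501 -> 192.168.1.20.500 :udp 408
Wan1 out 192.168.1.20.500 -> 203.0.113.5.501 :udp 188
Wan1 in 203.0.113.5.501 -> 192.168.1.20.500 :udp 260
Wan1 out 192.168.1.20.500 -> 203.0.113.5.501 :udp 228
Wan1 in 203.0.113.5.4501 -> 192.168.1.20.4500 :udp 72
Wan1 out 192.168.1.20.4500 -> 203.0.113.5.4501 :udp 72
Wan1 in 203.0.113.5.4501 -> 192.168.1.20.4500 :udp 64
Wan1 in 203.0.113.5.4501 -> 192.168.1.20.4500 :udp 440
"""

# Tolerates both "host.port :udp len" (as pasted) and "host.port: udp len".
LINE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+)\s*:?\s*udp\s+(?P<len>\d+)"
)

def parse(text):
    """Return one dict per parsable packet line; unparsable lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            d.update({k: int(d[k]) for k in ("sport", "dport", "len")})
            pkts.append(d)
    return pkts

def summarize(pkts):
    """Count IKE traffic per FGT-side port and direction, then interpret it."""
    c = Counter()
    for p in pkts:
        fgt_port = p["dport"] if p["dir"] == "in" else p["sport"]
        c[(fgt_port, p["dir"])] += 1
    # Peers normally send from 500/4500; another source port means a NAT
    # between the client and wan1 rewrote it, so NAT-T is required here.
    remote_ports = {p["sport"] for p in pkts if p["dir"] == "in"}
    return {
        "ike500_in": c[(500, "in")], "ike500_out": c[(500, "out")],
        "nat_t_floated": c[(4500, "in")] + c[(4500, "out")] > 0,
        "client_behind_nat": not remote_ports <= {500, 4500},
        "unanswered_after_float": max(c[(4500, "in")] - c[(4500, "out")], 0),
    }
```

Running `summarize(parse(SAMPLE))` on the sample shows two inbound packets on 4500 with no reply, which is where to point `diagnose debug application ike -1` next.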
    jnliu_FTNT (New Member), 2017/02/20 09:35:29
    Hi InventX,
     
    What is the FOS version you used on your FGT60E?
    L2TP over IPsec tunnel cannot be established on FGT60E with FOS5.4.0 build5568, but it is fixed now.
    Please try the newest build.
     
    Thanks,
    Jining
    #6
    InventX (Bronze Member), 2017/02/21 02:14:46
    Hi Jining,
     
    Thank you very much for your reply, and also for your statement it should work (with the newest build).
    The firmware version I'm running and testing on is v5.4.3, build 5873. So I think that's OK?
     
    Looking forward to reading how I can establish a safe connection for remote workers (without the FortiClient SSL-VPN connection) to the local LAN.
     
    Regards,
    Leander.
    #7
    jnliu_FTNT (New Member), 2017/02/21 10:30:30
    Hi Leander,
     
    Your FGT build should work.
    My Win7 L2TP over IPSec works with FGT and I attached a Windows config screenshot, hope it can help.
    You can post your FGT CLI config if you still have a problem.
     
     
    Thanks,
    Jining
    #8
    InventX (Bronze Member), 2017/02/21 10:38:57
    Hi Jining,
     
    Those settings I also tried on the remote user. Can you confirm that your FGT is connected to a DSL router? So the Wan1 port of the FGT is connected to a LAN port of a DSL router and gets a private IP address instead of the public IP address? Because that's the situation I have. At our main office we have a FGT connected to the Internet with PPPoE and the Wan1 port of that FGT gets a public IP address. With the same laptop of the remote worker I'm able to connect to the main office, but not to the 2nd office (with the FGT connected to a DSL router).
     
    Thanks,
    Leander.
    #9
    jnliu_FTNT (New Member), 2017/02/21 11:43:18
    Hi Leander,
     
    I don't have a DSL router in my test bed.
    Would you post packet capture files for port 500 and 4500, and "d debug application ike -1" output on FGT if possible?
     
    Thanks,
    Jining
    #10
    InventX (Bronze Member), 2017/02/21 11:55:09
    Hi Jining,
     
    Then I think that'll be the issue. If the FGT is connected to the Internet directly, we have no problem. If connected to a DSL router (as an exposed host, so all ports will be forwarded to the FGT), we have to deal with the double NAT problem.
     
    I've attached a log file from trying to connect with the L2TP-IPSec VPN to the FGT.
    Hope you can see something in it?
     
    Thanks a lot!
    #11
    InventX (Bronze Member), 2017/02/21 11:56:10
    How can I log the packet capture files for both ports?
     
    #12
    InventX (Bronze Member), 2017/02/21 12:00:26
    One more update:
     
    Setting up a PPTP connection isn't a problem. Also a SSL-VPN connection isn't a problem; only the L2TP-IPSec VPN connection is a problem.
    I have too little knowledge of VPN protocols to choose between these 3 protocols. After searching many days on the internet I find that the IPSec (over L2TP) protocol should be the fastest one and maybe also the most secure one?
     
    Again thanks for the support!
    #13
    InventX (Bronze Member), 2017/02/21 12:03:46
    Attached is a screenshot of the sniffer running at ports 500 and 4500, while trying to connect with the IPSec VPN tunnel.
    #14
    rwpatterson (Expert Member, Long Island, New York, USA), 2017/02/21 12:15:29
    Try changing the near end selector (network) to the public IP of the DSL box.

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.18-b0689
    FGT60B
    FWF60B
    FWF80CM (2)
    FWF81CM
     
    #15
    InventX (Bronze Member), 2017/02/21 12:19:36
    Hello Bob,
     
    Thank you for your reply!
    I'm just a starter with Fortinet, and don't understand well what you mean. Can you please explain a bit more what you mean by changing the near end selector? How should I do that?
     
    Thank you.
    #16
    jnliu_FTNT (New Member), 2017/02/21 14:16:39
    Hi Leander,
     
    From your debug, we can see ISAKMP SA negotiation failure.
     
    Would you post the following FGT config?
     
    show vpn ipsec phase1-interface
    show vpn ipsec phase2-interface
    show vpn l2tp
    #17
    InventX (Bronze Member), 2017/02/22 00:04:28
    This is the VPN IPsec config right now.
     
    #18
    jnliu_FTNT (New Member), 2017/02/22 08:28:28
    Hi Leander,
     
    Thanks for your config.
    It looks like the phase1 proposal and DH group don't match the incoming one.
    I suggest you add the following proposal to phase1 and phase2 config and change phase1 dhgrp to 5.
      3des-sha256 aes128-sha256 aes192-sha256
     
    Regards,
    Jining
     
    #19
    InventX (Bronze Member), 2017/02/23 01:48:10
    Hi Jining,
     
    It looks like you've helped me one step further!!
    First I got a Phase 1 negotiation error (see attached file); with the dhgrp set to 5, phase 1 isn't giving a problem now. But now I get a negotiation error on phase 2. I'll post that picture in the next post.
     
    Hope that can be solved also...
     
    Thank you!
    #20