We are having issues with our L2TP VPN Remote Access.
Our setup:
ER-PRO (v1.8.0) with:
eth0 – WAN 1 (PPPoE, static IP) – ISP 1
eth1 – WAN 2 (static IP) – ISP 2
eth2 – LAN private
eth2.20 – VLAN GUEST
Load-Balancing between the two WANs (WAN 2 failover only).
IPSEC site-to-site VPN to Azure (PPPoE as interface and Azure gateway as peer).
L2TP/IPSEC VPN server for remote access with WAN 1 IP as outside-address and ISP 1 gateway as outside-nexthop.
Current situation:
The l2tp clients can successfully establish a VPN connection and access the office local network. So far so good. But accessing the internet through the VPN connection doesn’t work. The web pages cannot be loaded. DNS works fine, the addresses are successfully resolved. Traceroute shows that sometimes ISP 2 gateway is used and sometimes ISP 1 gateway, although it should always be ISP 1.
Furthermore, we’d like to be able to access Azure VMs from the l2tp clients. Accessing the Azure VM within the on-premise network works fine.
(If WAN 1 fails, it is ok, if the VPN does not work anymore)
Appreciate your help.
Heinrich
firewall {
all-ping enable
broadcast-ping disable
group {
network-group PRIVATE_NETS {
network 192.168.0.0/16
network 172.16.0.0/12
network 10.0.0.0/8
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians disable
modify balance {
rule 10 {
action modify
description "do NOT load balance lan to lan"
destination {
group {
network-group PRIVATE_NETS
}
}
modify {
table main
}
}
rule 20 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_pppoe0
}
}
modify {
table main
}
}
rule 30 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth1
}
}
modify {
table main
}
}
rule 40 {
action modify
modify {
lb-group G
}
}
}
name GUEST_IN {
default-action accept
description "For guest vlan"
rule 10 {
action accept
description "Accept Established/Related"
protocol all
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop PRIVATE_NETS"
destination {
group {
network-group PRIVATE_NETS
}
}
protocol all
}
}
name GUEST_LOCAL {
default-action drop
description "For guest vlan"
enable-default-log
rule 10 {
action accept
description "Accept DNS"
destination {
port 53
}
protocol udp
}
rule 20 {
action accept
description "Accept DHCP"
destination {
port 67
}
protocol udp
}
}
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 40 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 1 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 2 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 3 {
action accept
description "Allow IKE for Remote VPN Server"
destination {
port 500
}
log disable
protocol udp
}
rule 4 {
action accept
description "Allow L2TP for Remote VPN Server"
destination {
port 1701
}
log disable
protocol udp
}
rule 5 {
action accept
description "Allow ESP for Remote VPN Server"
log disable
protocol esp
}
rule 6 {
action accept
description "Allow NAT-T for Remote VPN Server"
destination {
port 4500
}
log disable
protocol udp
}
}
options {
mss-clamp {
mss 1412
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
description "Internet - WAN"
duplex auto
pppoe 0 {
default-route none
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
mtu 1492
name-server none
password xxxxxxx
user-id xxxxxxx
}
speed auto
}
ethernet eth1 {
address z.z.z.134/30
description "Internet - WAN 2"
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth2 {
address 192.168.0.1/24
description Local
duplex auto
firewall {
in {
modify balance
}
}
speed auto
vif 20 {
address 192.168.2.1/24
description "Local - Guest"
firewall {
in {
modify balance
name GUEST_IN
}
local {
name GUEST_LOCAL
}
}
}
}
ethernet eth3 {
duplex auto
speed auto
}
ethernet eth4 {
duplex auto
speed auto
}
ethernet eth5 {
duplex auto
speed auto
}
ethernet eth6 {
duplex auto
speed auto
}
ethernet eth7 {
duplex auto
speed auto
}
loopback lo {
}
}
load-balance {
group G {
interface eth1 {
failover-only
}
interface pppoe0 {
route {
table 1
}
}
}
}
protocols {
static {
interface-route 0.0.0.0/0 {
next-hop-interface pppoe0 {
}
}
route 0.0.0.0/0 {
next-hop z.z.z.133 {
}
}
table 1 {
interface-route 0.0.0.0/0 {
next-hop-interface pppoe0 {
}
}
route 192.168.16.0/24 {
next-hop y.y.y.14 {
}
}
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name LAN_GUEST {
authoritative disable
subnet 192.168.2.0/24 {
default-router 192.168.2.1
dns-server 195.186.1.162
dns-server 192.168.2.1
lease 14400
start 192.168.2.10 {
stop 192.168.2.243
}
}
}
shared-network-name LAN_INTERN {
authoritative disable
subnet 192.168.0.0/24 {
default-router 192.168.0.1
dns-server 195.186.1.162
dns-server 192.168.0.1
lease 86400
start 192.168.0.10 {
stop 192.168.0.243
}
static-mapping OKI-MC562-PRINTER {
ip-address 192.168.0.25
mac-address 00:25:36:96:5D:BE
}
static-mapping OKI-MC562-RECHNUNGEN {
ip-address 192.168.0.40
mac-address 00:80:87:8C:19:EF
}
static-mapping OKI-MC562-SMALL {
ip-address 192.168.0.14
mac-address 00:25:36:8E:8B:A1
}
static-mapping hpstorage {
ip-address 192.168.0.11
mac-address 48:5b:39:f3:e6:d5
}
}
}
}
dns {
forwarding {
cache-size 150
listen-on eth2
listen-on eth2.20
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5001 {
description "masquerade for WAN"
outbound-interface pppoe0
type masquerade
}
rule 5002 {
description "masquerade for WAN 2"
outbound-interface eth1
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
}
system {
conntrack {
expect-table-size 4096
hash-size 4096
table-size 32768
tcp {
half-open-connections 512
loose enable
max-retrans 3
}
}
name-server 195.186.1.162
name-server 195.186.4.162
name-server 8.8.8.8
offload {
hwnat disable
ipv4 {
forwarding enable
pppoe enable
}
}
...
}
vpn {
ipsec {
auto-firewall-nat-exclude enable
esp-group esp-azure {
compression disable
lifetime 3600
mode tunnel
pfs disable
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group ike-azure {
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 2
encryption aes256
hash sha1
}
}
ipsec-interfaces {
interface pppoe0
}
nat-traversal disable
site-to-site {
peer y.y.y.14 {
authentication {
mode pre-shared-secret
pre-shared-secret xxxxxx
}
connection-type initiate
default-esp-group esp-azure
ike-group ike-azure
ikev2-reauth inherit
local-address x.x.x.7
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
esp-group esp-azure
local {
prefix 192.168.0.0/24
}
remote {
prefix 192.168.16.0/24
}
}
}
}
}
l2tp {
remote-access {
authentication {
local-users {
username foo {
password xxxxxx
}
}
mode local
}
client-ip-pool {
start 10.10.10.102
stop 10.10.10.130
}
dns-servers {
server-1 192.168.0.1
}
ipsec-settings {
authentication {
mode pre-shared-secret
pre-shared-secret xxxxxx
}
ike-lifetime 3600
}
mtu 1492
outside-address x.x.x.7
outside-nexthop x.x.x.68
}
}
}