RV340W L2TP/IPSec VPN through Windows builtin client unable to access remote subnet

dedomraz
Level 1

Hello,

 

I have already RMA'd a Cisco RV320 for not being able to set up the L2TP Server and for NetBIOS problems.

 

This time I've been experiencing problems for several days trying to set the L2TP/IPSec VPN server correctly. I'm past the problems with L2TP/IPSec regedit issue: https://support.microsoft.com/en-gb/help/926179/how-to-configure-an-l2tp-ipsec-server-behind-a-nat-t-device-in-windows

I was able to successfully connect to the router with L2TP/IPSec Windows builtin client following this setup:

IPSec settings: 3DES encryption, SHA-1 authentication and DH Group 2 for phase 1 and phase 2, other is default

L2TP Server settings: practically default with PSK (without any special chars, just A-Z, a-z, 0-9)

Windows builtin client: general - 5.6.7.8, security - type L2TP/IPSec, data encryption - maximum, allow these protocols - PAP ONLY, networking - IPv4 - advanced properties UNCHECK use default gw on remote network

 

RV340W is on Firmware Version: 1.0.02.16 so the new GUI

 

I'm unable to either ping or see the remote subnet network, or the router's local network IP address.

local subnet - router1(local) - WAN(internet) - router2(remote/office) - remote subnet

local subnet 192.168.1.0/24 - 1.2.3.4 - internet - 5.6.7.8 - VPN subnet 192.168.3.0/24 - remote subnet 192.168.1.0/24

 

route print after being connected on builtin Windows L2TP/IPSec:

Active Routes:

Network Destination  Netmask          Gateway      Interface    Metric
0.0.0.0              0.0.0.0          192.168.1.1  192.168.1.2  10
5.6.7.8              255.255.255.255  192.168.1.1  192.168.1.2  11
127.0.0.0            255.0.0.0        On-link      127.0.0.1    306
127.0.0.1            255.255.255.255  On-link      127.0.0.1    306
127.255.255.255      255.255.255.255  On-link      127.0.0.1    306
192.168.1.0          255.255.255.0    On-link      192.168.1.2  266
192.168.1.2          255.255.255.255  On-link      192.168.1.2  266
192.168.1.255        255.255.255.255  On-link      192.168.1.2  266
192.168.3.0          255.255.255.0    192.168.3.1  192.168.3.2  11

 

remote router's route print:

0.0.0.0/0       5.6.7.8      4  WAN1   Static
0.0.0.0/0       192.168.2.1  6  WAN2   Static

5.6.7.1/29      -            4  WAN1   Connected   <- remote router's gw
192.168.1.0/24  -            0  VLAN1  Connected
192.168.2.0/24  -            6  WAN2   Connected
192.168.3.2/32  -            0  ppp0   Connected

 

I was then able to connect with the Cisco AnyConnect client through the SSL VPN Server with split tunnel including the 192.168.1.0/24 subnet and was able to ping remote subnet IPs, but was not able to resolve network devices by their name (i.e. I can ping the remote NAS via 192.168.1.7 but not via sharename -> same with accessing them, i.e. I can access \\192.168.1.7 but can't access \\sharename).

 

I was not able to set up Shrewsoft's VPN connector, nor SonicWall, nor any other VPN connector following the old GUI instructions.

 

My main problem is that I don't want to use any VPN connector other than what the device or OS has built in (both Windows and OSX, iOS as well). So possibly across all the devices it would be best to use L2TP/IPSec VPN. I can't use the default gw on the remote network, because of the traffic. I need the clients remotely connected to the offices to use their VPN connection only for the data directed to the office network.

 

I have to say as well that I have set up this type of VPN through several types of services - Windows SBS 2011, Windows Server 2016, Mikrotik routers, Fortigate Fortinet router - and I have NEVER experienced as many problems as I have with Cisco RVXXX routers. Sad, but true.

 

Does anybody have a working solution for this? Or should I look for another new router?

 

Thank you for helping me out.

 

BR,

Martin Luknar
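The client route table posted above, run through route selection, as an added example that is not part of the original post: it reports which interface the Windows client would pick for an office host such as 192.168.1.7 (the NAS address mentioned in the post) and for the VPN gateway 192.168.3.1. The function names are hypothetical, and the selection rule (longest prefix first, then lowest metric) is a simplified model of how the client chooses a route.

```python
import ipaddress

# Client route table as posted (route print after the L2TP/IPSec connection is up).
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.2 10
5.6.7.8 255.255.255.255 192.168.1.1 192.168.1.2 11
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.2 266
192.168.1.2 255.255.255.255 On-link 192.168.1.2 266
192.168.1.255 255.255.255.255 On-link 192.168.1.2 266
192.168.3.0 255.255.255.0 192.168.3.1 192.168.3.2 11
"""

def parse_routes(text):
    """Turn 'dest mask gateway interface metric' lines into route dicts."""
    routes = []
    for line in text.splitlines():
        dest, mask, gateway, iface, metric = line.split()
        routes.append({
            "net": ipaddress.ip_network(f"{dest}/{mask}"),
            "gateway": gateway,
            "iface": iface,
            "metric": int(metric),
        })
    return routes

def select_route(routes, destination):
    """Longest matching prefix wins; the lowest metric breaks ties."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))

def uses_tunnel(routes, destination, vpn_iface="192.168.3.2"):
    """True if the destination leaves through the VPN (ppp) interface address."""
    route = select_route(routes, destination)
    return route is not None and route["iface"] == vpn_iface

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for host in ("192.168.1.7", "192.168.3.1", "8.8.8.8"):
        r = select_route(table, host)
        print(f"{host:<12} -> {r['net']} via {r['iface']} tunnel={uses_tunnel(table, host)}")
```

With the posted table, 192.168.1.7 matches the client's own on-link 192.168.1.0/24 route on interface 192.168.1.2, so only 192.168.3.0/24 destinations are sent to the 192.168.3.2 tunnel interface.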


dedomraz
Level 1

Hi,

I got the PPTP VPN server working by disabling MPPE and setting it to None.

 

Though I probably found the ping/not seeing the remote subnet problem in the logs:

error network pppd: Cannot determine ethernet address for proxy ARP

 

Still can't edit the routing table on pppX interfaces. Is it possible to somehow tell the router how to work with the ppp interfaces? Because clearly, it is not routing the network right.

 

BR