02-28-2017 05:04 AM - edited 03-05-2019 08:07 AM
Hi, I have 3 sites, a head office and 2 branch offices, all with RV325s, with site-to-site VPN configured between all sites.
We've recently needed to try and implement L2TP in place of PPTP (thanks Apple) at the head office with a preshared key, but as soon as we put in the port forwards to the RAS server, the VPNs fail to connect, or one branch VPN connects and the other fails. The logs in the RV325 don't indicate anything other than maybe [Tunnel Disconnected]. I suspect it is because we have to forward IPsec UDP 500, as once that is removed things return to normal.
Current firmware is 1.3.2.20
Any and all assistance appreciated.
Thanks
Greg
02-28-2017 07:06 AM
Hello Greg,
I assume the L2TP connection is between (Apple) end hosts? Do you have L2TP Passthrough enabled (VPN --> VPN Passthrough --> L2TP Passthrough)?
02-28-2017 12:32 PM
Hi Georg,
Yes, the L2TP connection is for end hosts ("i" devices or laptops on hotspot, due to iOS 10 removing and blocking PPTP).
Passthrough is enabled (L2TP, IPsec and PPTP).
Thanks, Greg
02-28-2017 01:13 PM
Hello Greg,
To be honest I am not sure about how Apple implements L2TP, but normally you would need to port forward UDP 500, 4500, and 1701.
02-28-2017 01:20 PM
Thanks Georg, that is correct, those ports need to be forwarded, and they work for the L2TP endpoints. But once those port forwards are in I get unusual and unpredictable behaviour on the site-to-site IPsec VPNs for the branches. Ta, Greg
02-28-2017 01:57 PM
Greg, sorry for the confusion: you are saying that when you remove port forwarding, both the site-to-site VPNs and the L2TP client connections work?
I researched the documentation, and according to Cisco, no port forwarding at all is necessary for passthrough to work...
02-28-2017 02:24 PM
That's OK Georg, it may have been my explanation.
Without the port forwards, the L2TP connection from endpoints does not work.
Without the port forwards, how would the router know where to send the L2TP traffic to our RAS server for the connections?
The site-to-site VPNs work fine without the port forwards, as they are terminated by the RV325.
Thanks Greg.
02-28-2017 03:09 PM
Greg,
So apparently something is messing with the IPsec site-to-site VPN when port forwarding is enabled. I have looked through the docs, but there are no other options when it comes to configuring passthrough. Do you have NAT Traversal enabled on both sides (VPN --> Gateway to Gateway --> Advanced Settings)?
I have come across a few cases where the firmware causes issues, if possible, try downgrading to 1.2.1.14...
03-01-2017 12:51 AM
It would seem so. I will experiment with NAT Traversal on the VPN after hours when I can, as this is currently not enabled.
Not sure a firmware downgrade is an option, but I will give it thought if needed.
Thanks Georg.
03-01-2017 01:23 AM
Hello Greg,
In the meantime, I'll check if macOS throws something in there that causes the VPN to get disrupted. Which version are your clients running, 10.12.2?
03-01-2017 10:58 PM
Varies, 10.x and above. Typically these are iPads and iPhones used to hotspot.
NAT-T has had no positive effect.
Thanks Greg
03-02-2017 12:27 AM
Greg,
There are not many options to configure on the iPad/iPhone end, I guess.
If possible, try and disable the Firewall on the RV325 (Firewall --> General). If that makes a difference, we need to find out which rule in there causes the problem.
04-16-2017 03:54 AM
Had a similar experience when migrating from an old SonicWall to an RV320. There was an existing Verizon cellular extender appliance which required port 500, among others, to be forwarded to the extender appliance. Later we had a need to implement a site-to-site IPsec tunnel. The tunnel could be established, but pings only worked in one direction (from the site with the Verizon extender to HQ). As soon as we disabled port forwarding on port 500 the tunnel worked in both directions.
Port 500 is identified in the RV320 as IPSEC, so that was the one and only port we disabled, and fortunately that worked.
I would contact Cisco Small Business tech support if the issue hasn't been resolved.
If it has been resolved would be very interested in fix.
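The mechanism both posters describe (forward UDP 500 to an inside host and the router's own IKE stops seeing its site-to-site peers; remove the forward and roaming L2TP/IPsec clients no longer reach the RAS server) can be modelled as a plain port-ownership conflict. The script below is an added example written for this thread, not RV320/RV325 firmware or configuration; the addresses, the RAS server name and the assumption that DNAT is evaluated before local delivery are constructed for illustration.

```python
"""Added example: model of the collision between a UDP 500/4500 port-forward
(DNAT to an internal L2TP/IPsec server) and a router's own IKE responder.
Not RV325 code; all addresses and names below are constructed."""
from dataclasses import dataclass

UDP = "udp"
IKE_PORT, NAT_T_PORT, L2TP_PORT = 500, 4500, 1701


@dataclass(frozen=True)
class Forward:
    """A port-forward (DNAT) rule: WAN proto/port -> internal host."""
    proto: str
    port: int
    target: str


@dataclass(frozen=True)
class LocalService:
    """A service the router terminates on its own WAN address; 'peers' are
    the remote gateways expected to reach it (the branch offices here)."""
    name: str
    proto: str
    port: int
    peers: frozenset


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: int


def find_conflicts(forwards, services):
    """(forward, service) pairs competing for the same WAN proto/port."""
    return [(f, s) for f in forwards for s in services
            if (f.proto, f.port) == (s.proto, s.port)]


def classify_inbound(pkt, forwards, services):
    """Where an inbound WAN packet lands.

    Modelling assumption: DNAT is evaluated before local delivery (as in the
    netfilter PREROUTING chain), so a matching forward wins even when the
    router itself listens on that port. The thread does not state the
    RV325's actual evaluation order; the reported symptom is consistent
    with this model."""
    for f in forwards:
        if (f.proto, f.port) == (pkt.proto, pkt.dport):
            return ("forwarded", f.target)
    for s in services:
        if (s.proto, s.port) == (pkt.proto, pkt.dport):
            # Reaches the router's own daemon; only configured peers get
            # an IKE SA, anybody else (e.g. a roaming client) is refused.
            return ("local", s.name) if pkt.src in s.peers else ("refused", s.name)
    return ("dropped", None)


def tunnels_reachable(forwards, services):
    """Per (service, peer): does that peer's IKE traffic still reach the router?"""
    return {(s.name, peer):
            classify_inbound(Packet(peer, s.proto, s.port), forwards, services)[0] == "local"
            for s in services for peer in sorted(s.peers)}


def without_port(forwards, port):
    """The forward table with every rule for 'port' removed."""
    return [f for f in forwards if f.port != port]


# Constructed topology (documentation prefixes, not the poster's addresses).
RAS_SERVER = "192.168.1.10"
BRANCHES = frozenset({"198.51.100.2", "203.0.113.2"})
FORWARDS = [Forward(UDP, IKE_PORT, RAS_SERVER),
            Forward(UDP, NAT_T_PORT, RAS_SERVER),
            Forward(UDP, L2TP_PORT, RAS_SERVER)]
SERVICES = [LocalService("site-to-site IKE", UDP, IKE_PORT, BRANCHES),
            LocalService("site-to-site NAT-T", UDP, NAT_T_PORT, BRANCHES)]
ROAMING_CLIENT = "192.0.2.50"   # an iPhone on a hotspot; address constructed


if __name__ == "__main__":
    for f, s in find_conflicts(FORWARDS, SERVICES):
        print(f"conflict: forward {f.proto}/{f.port} -> {f.target} shadows '{s.name}'")
    branch_ike = Packet("198.51.100.2", UDP, IKE_PORT)
    print("branch IKE, all forwards:", classify_inbound(branch_ike, FORWARDS, SERVICES))
    trimmed = without_port(FORWARDS, IKE_PORT)
    print("branch IKE, 500 forward removed:", classify_inbound(branch_ike, trimmed, SERVICES))
    print("roaming client, 500 forward removed:",
          classify_inbound(Packet(ROAMING_CLIENT, UDP, IKE_PORT), trimmed, SERVICES))
```

Running it shows the two states the thread reports: with UDP 500 and 4500 forwarded, every branch peer's IKE packet is diverted to the RAS server and no site-to-site tunnel can negotiate; with the UDP 500 forward removed, the branches negotiate again but a roaming client's IKE is answered (and refused) by the router instead of reaching the RAS server. Only forwarding UDP 1701 never conflicts, because nothing on the router listens there. The practical consequence is that one public address cannot both terminate IPsec itself and DNAT IKE to an inside host, so the fix is to terminate the roaming clients on the router, give the RAS server its own public address, or move the site-to-site tunnels off the router.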