BUG: RV340 Firmware 1.0.03.20 L2TP allows 1 tunnel, breaks others.

BYTEBUILDERS
Level 1

Tested today, not further tested yet:

Using the Windows built-in L2TP client connection on: Windows 7/10 and Windows XP.

Networks:  192.168.0.0/24 (VLAN1), 192.168.1.0/24 (VLAN2), 192.168.2.0/24 (VLAN3), 192.168.4.1-192.168.4.19 (IPSec), 192.168.5.1-192.168.5.25 (L2TP)

 

What happens:

 

  1. Windows 7/10/XP connects to the L2TP Server.
  2. Pings 192.168.1.1 (all 3 versions work).
  3. Another Windows 7/10/XP machine connects to the L2TP Server with a different user/password.
  4. The Windows 7/10/XP machine from 1 above can no longer access remote network resources.
  5. Disconnecting all Windows 7/10/XP PCs leaves the L2TP down for about 30 seconds before others can connect.

I have access to a reverse connecting PC on the site the RV340 is at, so I can have it call my desk and stay active on the RV340s page while I try 2 connections, but would need to know from the tech support here, what you need from the logs.

3 Replies

nagrajk1969
Spotlight

Hi 

 

Are your 2 windows-l2tp-clients connected behind the SAME NAT-ROUTER????

 

Meaning is the deployment connectivity as below?

 

(local-vlan-subnets)----lan[RV340]wan1----internet------(wan/nat)[NAT-Router](lan/192.168.20.1)----(2-Windows-L2TP-Clients)

 

I think the issue you are observing especially and ONLY with L2TP-wIPsec tunnels is because both your windows-l2tp-clients are connected behind the same nat-router...

- This is an issue that is present with any and all L2TP-with-IPsec servers on Linux. They cannot support the above scenario...period

 

1. So the ONLY alternative in the same setup would be to instead establish pure IPSec-VPN Tunnels using Client-to-Site profiles on the RV340....and on the Windows-7/10 (and NOT on XP), you may use the built-in Windows-IKEv2 client

- For this you HAVE to additionally configure a Radius server behind RV340, for the EAP-authentication required for the IKEv2-VPN-clients

 

2. Else another alternative is to use 3rd Party IKEv1-VPN-Clients on all of the Windows (7/10/XP) such as Shrewsoft, or Greenbow

and on the RV340 configure a C2S server for IKEv1 clients.....Here in this case the user-auth will be XAUTH, for which the local-user-accounts on RV340 are also supported...and you need not have a Radius-server...

 

So in summary for you to continue to work using L2TP-wIPsec only...ensure that each of the windows clients is connecting from behind different NAT-Routers..

 

Note: This is a universal problem with ALL l2tp-wIPsec servers ON LINUX...not specifically on RV340 ONLY...


The location has VLANs (as originally posted), the machines are not in the same location (remote), no VLANs at this location.

 

The biggest problem is, we were wanting to utilize the built-in L2TP connection to avoid using Shrewsoft, etc., to reduce confusion with users working remotely, as we can set up their device remotely to connect and show them how to do so; then it isn't a large trouble for them to use it. Shrewsoft and others are at best confusing to most people we deal with, Shrewsoft being the lighter of the bunch for confusion, but still, people expect to click something and then Connect and it works; sadly, not many of them offer that, as well as trying to keep this Mac capable as well. Plus, with having the L2TP configured the way we have it, we run into the oddity that if any other user connects, it drops the previous ones, and if all disconnect, there is a good 30 seconds where no L2TP connections are accepted; that itself is the biggest issue. Just because LINUX doesn't support concurrent L2TP connections means that this option should be removed or fixed, if it isn't capable of hitting the L2TP limits specified. So this still is a bug; it either needs to go or be fixed. Offering an option in any product that doesn't function properly isn't good business.

nagrajk1969
Spotlight

Hi

 

>>>just because LINUX doesn't support concurrent L2TP connections

No No, I did not mean that the L2TP-wIPsec server does not support concurrent connections....if you read my points again, I said the L2TP-wIPsec Server DOES NOT SUPPORT multiple remote-l2tp-ipsec-clients who are connected behind the "same nat router"

 

(vlan-network) ----[RV340]wan1(10.10.10.101)----(internet)-----20.20.20.100[Nat-Router]172.16.1.1--------(multiple-l2tp-wIpsec-clients connected here)

 

1. So when the windows-l2tp-clients are connected as above...behind the same nat-router (with public-ip 20.20.20.100), then the issue of the second l2tp-client connection resulting in the first client getting disconnected will happen.

 

2. Based on your description of the issue, it's my understanding of how your deployment might be...
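An added model of the collision nagrajk1969 describes above and of the "same NAT router?" check he asks for. This is constructed example code, not the RV340's firmware or any Linux L2TP daemon's code; it assumes, for illustration, that the server keeps one session per public (post-NAT) address, so two clients behind one NAT router look like a single peer and the newer one displaces the older. The public IP 20.20.20.100 is taken from the diagram above; the other values are constructed.

```python
"""Constructed model of the L2TP/IPsec same-NAT collision from the thread.

Not the RV340's or any L2TP daemon's real code.  Assumption (not stated on
the page): the server tracks each client by the public IP it arrives from,
so same-NAT clients collide; keying on (IP, NAT-translated port) is shown as
the contrast that keeps them distinct.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Client:
    name: str
    public_ip: str  # address the client's NAT router shows to the RV340 WAN
    nat_port: int   # UDP source port as rewritten by that NAT router


class L2tpIpsecServer:
    """Session table keyed by public IP alone (the described limitation) or by
    (public IP, NAT-translated port), which keeps same-NAT clients apart."""

    def __init__(self, key_on_port: bool = False) -> None:
        self.key_on_port = key_on_port
        self.sessions: Dict[object, Client] = {}

    def _key(self, c: Client) -> object:
        return (c.public_ip, c.nat_port) if self.key_on_port else c.public_ip

    def connect(self, c: Client) -> Optional[str]:
        """Register a client; return the name of any client it displaced."""
        key = self._key(c)
        displaced = self.sessions.get(key)
        self.sessions[key] = c
        return displaced.name if displaced else None

    def active(self) -> List[str]:
        return sorted(c.name for c in self.sessions.values())


def same_nat_groups(clients: List[Client]) -> Dict[str, List[str]]:
    """Deployment check: which clients share one NAT exit IP (and so are
    subject to the limitation described in the thread)."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for c in clients:
        groups[c.public_ip].append(c.name)
    return {ip: names for ip, names in groups.items() if len(names) > 1}


# Constructed sample: PC-A and PC-B behind the same NAT router, PC-C elsewhere.
SAMPLE = [Client("PC-A", "20.20.20.100", 4500),
          Client("PC-B", "20.20.20.100", 61001),
          Client("PC-C", "30.30.30.7", 4500)]
```

Running the IP-keyed server over SAMPLE shows PC-B displacing PC-A while PC-C is unaffected, which matches step 4 of the original report only for clients sharing a NAT exit; the (IP, port)-keyed variant keeps all three active.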
