Problem with L2TP/IPSec passthrough


#1

Hi!

I have a Peplink Balance 20 with 7.0.1 build 3414 and I am having serious trouble with L2TP/IPSec passthrough. I have one CISCO and one Huawei 4G router connected to the Balance. There’s one Windows Server 2016 in the LAN that works as the VPN server. The CISCO has IPSec passthrough enabled and forwards all external traffic to the Balance. SSTP-based VPN connections from the external network work fine.

The problem is with L2TP/IPSec connections. When connecting to the Windows Server 2016 from the LAN using L2TP/IPSec, everything works fine. Connections are established and they are stable. But I have had no luck getting these connections to work from the external network.

I tried to play with IPSec and related NAT settings. I tried IPSec passthrough. I also tried port forwarding and NAT mappings. All with no luck. All I get back is error “789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.”

What is the correct setup for the Balance to make L2TP/IPSec passthrough work, so that the Balance router just routes all this traffic to my Windows Server 2016 and doesn’t involve itself in this drama?


#2

It is certainly possible to use the Windows Server as the VPN server, but in my opinion that’s the hard way. You need to open the required ports, create the server ID in the Balance, and set port forwarding so those ports go to the server’s LAN address.

The easy way is to use the L2TP server already built into your Balance 20. Just enable it there, easy and done. Don’t forget you need to open the firewall for devices connected to the Balance VPN to see devices on your LAN: Firewall > access rules > inbound rules > source IP (enter your LAN IP range and subnet). Destination is typically “any”, but if you want to limit VPN access to just your Windows server and not other LAN devices you can limit the destination here. If you don’t open the firewall, the devices will connect but won’t be able to access any LAN devices.


#3

It is certainly possible to use the Windows Server as the VPN server, but in my opinion that’s the hard way. You need to open the required ports, create the server ID in the Balance, and set port forwarding so those ports go to the server’s LAN address.

I want users to use their domain accounts when connecting to the network so there is no mess with another set of identities. I tried forwarding ports to the Windows Server but it didn’t help. I forgot to mention that the Balance is also used as the router for the LAN. What do you mean by creating a server ID in the Balance?

The easy way is to use the L2TP server already built into your Balance 20. Just enable it there, easy and done.

As an emergency option I can consider it. But where can I enable the L2TP server in the Balance 20? I can’t find it anywhere. I can forward ports, I can enable IPSec passthrough and create network-to-network VPNs. Where should I look?


#4

Just go to Network->Remote User Access, enable it and choose the correct VPN type.


#5

Please open a support ticket here to allow the support team to check on the L2TP/IPSEC traffic that passes through the Balance device.


#6

Hi,

I’m facing the same problem in Peplink. Does this have a solution yet?

Thanks.


#7

@Ivan_Yacapin, the problem is mostly related to the ISP or the settings on the related devices. I would suggest checking this with Network Capture at http://<LAN IP>/cgi-bin/MANGA/support.cgi to confirm whether the L2TP/IPSec connection from outside reached the WAN interface and was sent out from the LAN interface of the Balance router.

Please contact your local Peplink partner if you need further help.


#8

@TK_Liew, I am using a Peplink Balance 210. I’ve set up a PPTP VPN server using Mikrotik behind the Peplink and successfully got it to pass through the Peplink. Now that I’ve changed it to L2TP/IPSec, I can’t seem to get it to pass through my Peplink.

Does Peplink support L2TP/IPsec passthrough? If so, how can I configure it to allow my VPN server/client to get in and out?

Thanks.


#9

@Ivan_Yacapin, please ensure L2TP/IPsec is disabled in the Balance 210. Then you need to port forward the ports for L2TP/IPSec to your L2TP/IPSec server. Ensure the inbound firewall allows those required ports.

As mentioned here, you may do the Network Capture to confirm where the L2TP/IPSec packets are dropped if you still face the problem with the L2TP/IPSec connection. You may get help from your point of purchase or local Peplink partner if you need further help. They can provide better coverage.
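One way to turn the Network Capture suggested in #7 and #9 into a quick answer: an added Python helper (not Peplink's code, not part of this thread) that tallies the standard L2TP/IPsec phases (IKE on UDP 500, NAT-T on UDP 4500, ESP, and any cleartext L2TP on UDP 1701) per interface and reports where the attempt stops. The interface names, the tcpdump-like line format and the sample capture are constructed assumptions.

```python
import re

# Standard L2TP/IPsec ports: IKE on UDP 500, NAT-T (IKE and ESP-in-UDP) on
# UDP 4500; L2TP itself (UDP 1701) should only travel inside the IPsec tunnel.
UDP_PHASES = {500: "IKE", 4500: "NAT-T", 1701: "L2TP-cleartext"}

# Constructed, tcpdump-like line formats (assumed, not Peplink's output):
#   "<iface> IP <src>.<sport> > <dst>.<dport>: <payload>"  /  "<iface> IP <src> > <dst>: ESP(...)"
UDP_RE = re.compile(r"^(?P<iface>\S+)\s+IP\s+\S+\.(?P<sport>\d+)\s+>\s+\S+\.(?P<dport>\d+):")
ESP_RE = re.compile(r"^(?P<iface>\S+)\s+IP\s+\S+\s+>\s+\S+:\s+ESP\b")


def phases_by_interface(lines):
    """Return {iface: set of phases} for the recognized L2TP/IPsec traffic."""
    seen = {}
    for line in lines:
        m = ESP_RE.match(line)
        if m:
            seen.setdefault(m["iface"], set()).add("ESP")
            continue
        m = UDP_RE.match(line)
        if not m:
            continue  # unrelated traffic
        ports = {int(m["sport"]), int(m["dport"])}
        for port, phase in UDP_PHASES.items():
            if port in ports:
                seen.setdefault(m["iface"], set()).add(phase)
    return seen


def diagnose(lines, wan="wan1", lan="lan"):
    """Compare the WAN and LAN sides and report where the attempt stops."""
    seen = phases_by_interface(lines)
    w, ln = seen.get(wan, set()), seen.get(lan, set())
    if "L2TP-cleartext" in w:
        return "cleartext L2TP on WAN: the tunnel is not protected by IPsec"
    if "IKE" not in w:
        return "no IKE on WAN: look at the upstream router or ISP, not the Balance"
    if "IKE" not in ln:
        return "IKE reached WAN but not LAN: forward UDP 500 to the server"
    if "NAT-T" in w and "NAT-T" not in ln:
        return "NAT-T reached WAN but not LAN: forward UDP 4500 to the server"
    if "ESP" in w and "ESP" not in ln:
        return "ESP reached WAN but not LAN: pass IP protocol 50 to the server"
    return "IKE/NAT-T pass through: the negotiation fails on the server itself"


# Constructed sample: IKE and NAT-T arrive on the WAN, only IKE is forwarded.
SAMPLE = [
    "wan1 IP 203.0.113.5.500 > 198.51.100.7.500: isakmp: phase 1 I ident",
    "lan IP 203.0.113.5.500 > 192.168.1.10.500: isakmp: phase 1 I ident",
    "wan1 IP 203.0.113.5.4500 > 198.51.100.7.4500: NONESP-encap: isakmp",
]
```

Run `diagnose(SAMPLE)` on lines exported from the Balance capture (after reshaping them to the assumed format) to see which forward or firewall rule is missing.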