This article shows how to troubleshoot an L2TP over IPSec VPN tunnel on the USG FLEX / ATP / VPN Series if you're having problems. It covers an incorrect username or password, a Phase 1 mismatch, a Phase 2 mismatch, subnet overlap, being able to reach the gateway/firewall but not LAN clients, the VPN connection being blocked by firewall rules, and Windows failing to connect to L2TP.
Table of Contents
1) Gateway Troubleshooting
1.1 Incorrect username or password
1.2 Phase 1 Mismatch
1.3 Phase 2 Mismatch
1.4 Subnet Overlap
1.5 Can Reach Gateway but not LAN Clients
1.6 Allow the VPN Protocols in the Firewall Rules
1.7 VPN included in the IPsec_VPN Zone
1.8 Selecting the correct WAN connection
1.9 Other Configuration Issues
2) Windows Troubleshooting
2.1 Configuring your PC with MS-CHAPv2
2.2 Quit SecuExtender IPSec VPN Client
2.3 Make sure the IKEEXT service is running
1) Gateway Troubleshooting
The following provides information on how to troubleshoot common issues that we have identified while setting up the L2TP over IPSec VPN.
1.1 Incorrect username or password
If you see [alert] log messages such as the ones below, check the firewall's L2TP Allowed User or User/Group settings. The client device must use the same username and password as configured on the firewall to establish the L2TP VPN.
1.2 Phase 1 Mismatch
If you see [info] or [error] log messages such as the ones below, check the firewall's Phase 1 settings. The client device must use the same Pre-Shared Key as configured on the firewall to establish the IKE SA.
1.3 Phase 2 Mismatch
If the Phase 1 IKE SA has been established but you still see [info] log messages such as the one below, check the firewall's Phase 2 settings. The firewall must have the correct Local Policy configured for the Phase 2 negotiation to complete.
1.4 Subnet Overlap
When you configure VPNs, ensure that the L2TP Address Pool does not overlap with the subnets of any existing LAN1, LAN2, DMZ, or WLAN zone, even if those zones are not in use.
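To check an address plan for exactly this kind of conflict, here is an added Python example (not Zyxel's code); the zone subnets and the L2TP pool range are constructed placeholder values, and the check treats the pool as an inclusive first-to-last range, which is how the L2TP wizard defines it.

```python
import ipaddress
from typing import Dict, List

# Constructed sample zone subnets (placeholders, not from the article).
# Unused zones are listed too: the firewall still owns those subnets.
ZONE_SUBNETS: Dict[str, str] = {
    "LAN1": "192.168.1.0/24",
    "LAN2": "192.168.2.0/24",
    "DMZ": "192.168.3.0/24",
    "WLAN": "192.168.10.0/24",
}


def find_overlaps(pool_first: str, pool_last: str,
                  zones: Dict[str, str]) -> List[str]:
    """Return the names of zones whose subnet overlaps the L2TP pool.

    The pool is an inclusive IPv4 range (first address to last address).
    A zone overlaps when any address of the range falls inside its subnet,
    which is the case when the range starts at or before the subnet's last
    address and ends at or after the subnet's first address.
    """
    lo = ipaddress.IPv4Address(pool_first)
    hi = ipaddress.IPv4Address(pool_last)
    if lo > hi:
        raise ValueError("pool range is reversed: first address is above last")

    conflicts: List[str] = []
    for name, cidr in zones.items():
        # strict=False accepts a host address such as 192.168.1.1/24
        net = ipaddress.IPv4Network(cidr, strict=False)
        if lo <= net.broadcast_address and hi >= net.network_address:
            conflicts.append(name)
    return conflicts


if __name__ == "__main__":
    # Constructed pools: one collides with LAN1, one is clear of every zone.
    for first, last in (("192.168.1.50", "192.168.1.100"),
                        ("192.168.50.1", "192.168.50.50")):
        hits = find_overlaps(first, last, ZONE_SUBNETS)
        status = "overlaps " + ", ".join(hits) if hits else "OK"
        print(f"L2TP pool {first}-{last}: {status}")
```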
1.5 Can Reach Gateway but not LAN Clients
If you can reach the firewall but not the devices on the local network, verify that those devices use the USG's IP as their default gateway; otherwise their replies to the L2TP clients are not routed back into the tunnel.
1.6 Allow the VPN Protocols in the Firewall Rules
Make sure the firewall's security policies allow IPSec VPN traffic, including traffic from WAN to ZyWALL. The following must be permitted for IPsec: IKE on UDP port 500, NAT-T on UDP port 4500, ESP as IP protocol 50, and AH as IP protocol 51.
1.7 VPN included in the IPsec_VPN Zone
Verify that the Zone in the VPN Connection rule is set to IPSec_VPN so that the security policies for that zone are applied to the tunnel traffic.
1.8 Selecting the correct WAN connection
- If you are using a PPPoE connection, make sure the VPN gateway uses the same interface: under "Configuration > VPN > IPSec VPN > VPN Gateway > WIZ_L2TP_VPN", set My Address to Interface "wan_ppp" - see the screenshot below.
1.9 Other Configuration Issues
Other common configuration issues are detailed here:
2) Windows Troubleshooting
2.1 Configuring your PC with MS-CHAPv2
On Windows 10, navigate to Settings (Control Panel) -> Network & Internet -> Change adapter settings and open the properties of the L2TP VPN connection.
Go to the Security tab, choose "Allow these protocols" and select "Unencrypted password (PAP)" and "Microsoft CHAP Version 2 (MS-CHAPv2)".
2.2 Quit SecuExtender IPSec VPN Client
If the connection does not even start and nothing appears in the firewall's logs, make sure the SecuExtender IPSec VPN Client is not running in the background, as it interferes with Windows' built-in L2TP connection.
If it is running in the background, close the application and try to connect again.
2.3 Make sure the IKEEXT service is running
If you cannot connect from your PC but can from other devices, this may be because the IKEEXT service (IKE and AuthIP IPsec Keying Modules) is not running in the background.
Open the Task Manager by pressing Ctrl+Alt+Del and clicking Task Manager, then check on the Services tab that IKEEXT is running and start it if it is stopped.
Get in contact with our Support team if you are experiencing another type of issue not covered here.