Results 1 to 2 of 2
  1. #1
    Join Date
    Feb 2009

    Default Setup Windows 2008 R2 Server with L2TP - Untangle stops requests

    I am trying to setup a Windows 2008 R2 Server with L2TP/IPsec

    I have it working locally but I cannot seem to get it externally accessible:-

    Forward Rules
    Inbound: VPN L2TP (500,4500) UDP
    Inbound: VPN L2TP (1701) UDP
    Inbound: VPN L2TP (ESP,AH)

    I created relevant the firewall rules too but still no luck.

    (I couldn't create ESP,AH under firewall rules)

    Just wondering what I am missing my guess is I might have to do a "Bypass Rules" for the VPN to work or untick "Enable" on the below Input Filter Rules

    - Allow L2TP
    - Allow NAT-T for IPsec
    - Allow IKE for IPsec
    - Allow AH/ESP for IPsec

    (Possibly Untangle assume you use their L2TP server instead of your own)

    Hopefully someone can help confirm what to do
    Last edited by jeremyl; 05-17-2017 at 12:52 AM.

  2. #2
    Master Untangler
    Join Date
    Mar 2017


    Do you use different addressing for the l2tp clients? If you can see packets with the correct IP address flowing from the l2tp server/internal (v)lan to untangle it might be just a routing problem. It usually is (not with untangle, I mean, in cases like this one).

    You simply need to add a static route in Config->Network->Routes for the vpn client subnet to be routed to the concentrator IP address. Usually vpn clients IPs are in a different subnet for which Untangle does not have an interface. So, it will try to route it to the default gw and it won't work. It needs to know where to forward the vpn packets.

    For instance, let's say you have 192.168.x.x in your LAN but your external l2tp user gets a 172.16.x.x IP. When she/he will try to contact a server in your 192.168.x.x from outside, if your l2tp server is not NATting, the server will reply to 172.16.x.x, Untangle will see it (since the internal server will route it to the default gw, through/to untangle) and route it to the default gw, while it should instead go the l2tp server to be tunnelled.

    Add a route. It probably isn't related to firewall/policy rules.

    Good luck,

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

SEO by vBSEO 3.6.0 PL2