Can L2TP connections to Untangle be processed by rack?

[joelcarlton]

Untangle 14.2.2

I am having an issue with bypassed traffic. I have searched to find a solution but most results are dealing with how to bypass; this issue is how to NOT bypass.

I am running L2TP on the Untangle and would like to filter those connections in the rack. I have been unable to do that because the L2TP connections are being bypassed. I have tested connections with "bypass all IPSec traffic" unchecked under Apps > IPSec VPN > IPSec Options. I have since learned that this isn't even necessary based on the IPsec_VPN wiki page.

"When this checkbox is enabled, traffic from IPsec tunnels will bypass all applications and services on the Untangle server. ...
If you disable this checkbox, traffic from IPsec tunnels can now be filtered through all active applications and services.
..
Traffic from L2TP and Xauth VPN clients will always pass through all active applications and services."

Here is what I am seeing when I successfully VPN into the Untangle. Any other column from Layer 7 (Web Filter, Firewall, Application Control, etc.) is blank:

Code:

bypassed protocol policy_id policy_rule_id client_intf server_intf c_client_addr        c_client_port s_server_addr          s_server_port
TRUE     UDP[17]  0         0              External[1] None[0]     vpn client public ip 61809         Untangle wan public ip 1701
TRUE     UDP[17]  0         0              External[1] None[0]     vpn client public ip 4582          Untangle wan public ip 4500
TRUE     UDP[17]  0         0              External[1] None[0]     vpn client public ip 4606          Untangle wan public ip 500

Filder Rules:
I have not changed this from default because the VPN server is the Untangle and not a VPN server on the local network. According to wiki Filter_Rules"

"Filter rules apply to sessions transiting THROUGH the Untangle server. By default this ruleset is blank. Filter Rules are useful for blocking traffic going through the Untangle server."

Code:

None

Bypass Rules:
I have tested without these rules and with them enabled and set to process. I was thinking they might FORCE the traffic to NOT be bypassed. That does not seem to have an effect. Just like the search results I have found, most of the wiki Bypass_Rules deals with trying to bypass not trying to prevent bypass.

Code:

Proto=ESP                        : Process
Proto=UDP, Destination_Port=500  : Process
Proto=UDP, Destination_Port=4500 : Process
Proto=UDP, Destination_Port=1701 : Process

Access Rules:
I have allowed L2TP traffic in the WAN with little restriction. I have tested with my own rules in the top of the list and the built in rules towards the bottom. From the wiki it seems like this is the place to allow the connections:

"Access Filter rules apply to sessions destined to the Untangle server's local processes and only sessions destined to the Untangle server's local processes. These rules have no effect on sessions passing THROUGH Untangle and are only used to limit and secure access to local services on the Untangle server."

My rules at the top of the list:

Code:

Proto=ESP,                      , Source_Interface=External 1,Interface 2,Interface 3,Interface 4,Interface 5 : Pass
Proto=UDP, Destination_Port=500 , Source_Interface=External 1,Interface 2,Interface 3,Interface 4,Interface 5 : Pass
Proto=UDP, Destination_Port=4500, Source_Interface=External 1,Interface 2,Interface 3,Interface 4,Interface 5 : Pass
Proto=UDP, Destination_Port=1701, Source_Interface=External 1,Interface 2,Interface 3,Interface 4,Interface 5 : Pass

Builtin rules at the bottom of the list:

Code:

Proto=AH, ESP,                  : Pass
Proto=UDP, Destination_Port=500 : Pass
Proto=UDP, Destination_Port=4500: Pass
Proto=UDP, Destination_Port=1701: Pass

I am really at a loss for why this traffic is getting bypassed. Can anyone think of some other setting that could be effecting this?

[jcoffin]

L2TP traffic is split-tunnel so only traffic to the remote IPsec server. This is an issue with the L2TP. Xauth does full tunnel. Are the L2TP clients using WIndows OS?

[joelcarlton]

Any client: iPhone, iPad, Mac, Windows, and Linux.

The VPN is working fine and everything seems to be working fine. The issue is the sessions on the Untangle server are bypassed and therefore never getting pushed up the stack to Layer 7 and scanned by Web Filter, Firewall, and Application Control.

Clients are sending all traffic to the tunnel.

[joelcarlton]

Are you saying that traffic would not be bypassed while using xauth? Are you also saying that L2TP would always result in it's traffic being bypassed?

[jcoffin]

Sorry I was incorrect. L2TP does full tunnel. Unchecking "Bypass all IPsec traffic" in /admin/index.do#service/ipsec-vpn/ipsec-options and reconnecting does filter traffic. You can see this in the session viewer by adding the bypass column.

[joelcarlton]

I have already tested this and it did not seem to work.

I have tested connections with "bypass all IPSec traffic" unchecked under Apps > IPSec VPN > IPSec Options.
...
Here is what I am seeing when I successfully VPN into the Untangle. Any other column from Layer 7 (Web Filter, Firewall, Application Control, etc.) is blank:
Code:

Code:

bypassed protocol policy_id policy_rule_id client_intf server_intf c_client_addr        c_client_port s_server_addr          s_server_port
TRUE     UDP[17]  0         0              External[1] None[0]     vpn client public ip 61809         Untangle wan public ip 1701
TRUE     UDP[17]  0         0              External[1] None[0]     vpn client public ip 4582          Untangle wan public ip 4500
TRUE     UDP[17]  0         0              External[1] None[0]     vpn client public ip 4606          Untangle wan public ip 500

[jcoffin]

I would investigate why the sessions are bypassed. Or open a support ticket.

[joelcarlton]

I don't know how I would investigate this issue other than setting the settings in the web interface that the documentation states. I made sure the box was unchecked and followed all the other instructions. The docs state that L2TP is not bypassed so don't know what else is in play. Is it possible this is a bug?

Is there some other documentation out there that deals with investigating bypass traffic? Is there a technical troubleshooting document I could review?

[jcoffin]

Opening a Jira issue is not how to get this resolved as it is not reproducible. The IPsec bypass option is working on several installation I have tested on just today. If you have a support license, open a support ticket.

It is important to disconnect all L2TP connections before changing the setting and then reconnect to test.

[joelcarlton]

I checked the box, saved, tested.
I unchecked the box, saved, tested.
I rebooted, verified the box was unchecked, tested.

Always same result. Sessions are bypassed.

Screenshot 2019-09-23 01.50.51.png
Screenshot 2019-09-23 01.53.15.png

Can you explain why this differs with the Wiki? Does Untangle write the wiki or is that information provided by the community?

If you disable this checkbox, traffic from IPsec tunnels can now be filtered through all active applications and services.
..
Also please note that this only applies to plain IPsec tunnels. Traffic from L2TP and Xauth VPN clients will always pass through all active applications and services."