Page 1 of 3 123 LastLast
Results 1 to 10 of 23
  1. #1
    Newbie, joined Sep 2019, 11 posts

    Can L2TP connections to Untangle be processed by rack?

    Untangle 14.2.2

    I am having an issue with bypassed traffic. I have searched to find a solution but most results are dealing with how to bypass; this issue is how to NOT bypass.

    I am running L2TP on the Untangle and would like to filter those connections in the rack. I have been unable to do that because the L2TP connections are being bypassed. I have tested connections with "bypass all IPSec traffic" unchecked under Apps > IPSec VPN > IPSec Options. I have since learned that this isn't even necessary based on the IPsec_VPN wiki page.

    "When this checkbox is enabled, traffic from IPsec tunnels will bypass all applications and services on the Untangle server. ...
    If you disable this checkbox, traffic from IPsec tunnels can now be filtered through all active applications and services.
    ..
    Traffic from L2TP and Xauth VPN clients will always pass through all active applications and services."
    Here is what I am seeing when I successfully VPN into the Untangle. Any other column from Layer 7 (Web Filter, Firewall, Application Control, etc.) is blank:
    Code:
    bypassed protocol policy_id policy_rule_id client_intf server_intf c_client_addr        c_client_port s_server_addr          s_server_port
    TRUE     UDP[17]  0         0              External[1] None[0]     vpn client public ip 61809         Untangle wan public ip 1701
    TRUE     UDP[17]  0         0              External[1] None[0]     vpn client public ip 4582          Untangle wan public ip 4500
    TRUE     UDP[17]  0         0              External[1] None[0]     vpn client public ip 4606          Untangle wan public ip 500
    Filter Rules:
    I have not changed this from default because the VPN server is the Untangle and not a VPN server on the local network. According to the wiki page Filter_Rules:
    "Filter rules apply to sessions transiting THROUGH the Untangle server. By default this ruleset is blank. Filter Rules are useful for blocking traffic going through the Untangle server."
    Code:
    None
    Bypass Rules:
    I have tested without these rules and with them enabled and set to process. I was thinking they might FORCE the traffic to NOT be bypassed. That does not seem to have an effect. Just like the search results I have found, most of the wiki Bypass_Rules deals with trying to bypass not trying to prevent bypass.
    Code:
    Proto=ESP                        : Process
    Proto=UDP, Destination_Port=500  : Process
    Proto=UDP, Destination_Port=4500 : Process
    Proto=UDP, Destination_Port=1701 : Process
    Access Rules:
    I have allowed L2TP traffic in the WAN with little restriction. I have tested with my own rules in the top of the list and the built in rules towards the bottom. From the wiki it seems like this is the place to allow the connections:
    "Access Filter rules apply to sessions destined to the Untangle server's local processes and only sessions destined to the Untangle server's local processes. These rules have no effect on sessions passing THROUGH Untangle and are only used to limit and secure access to local services on the Untangle server."
    My rules at the top of the list:
    Code:
    Proto=ESP,                      , Source_Interface=External 1,Interface 2,Interface 3,Interface 4,Interface 5 : Pass
    Proto=UDP, Destination_Port=500 , Source_Interface=External 1,Interface 2,Interface 3,Interface 4,Interface 5 : Pass
    Proto=UDP, Destination_Port=4500, Source_Interface=External 1,Interface 2,Interface 3,Interface 4,Interface 5 : Pass
    Proto=UDP, Destination_Port=1701, Source_Interface=External 1,Interface 2,Interface 3,Interface 4,Interface 5 : Pass
    Builtin rules at the bottom of the list:
    Code:
    Proto=AH, ESP,                  : Pass
    Proto=UDP, Destination_Port=500 : Pass
    Proto=UDP, Destination_Port=4500: Pass
    Proto=UDP, Destination_Port=1701: Pass
    I am really at a loss for why this traffic is getting bypassed. Can anyone think of some other setting that could be affecting this?

  2. #2
    jcoffin (Untangler), Sunnyvale, CA, joined Aug 2008, 8,175 posts

    L2TP traffic is split-tunnel, so only traffic to the remote IPsec server. This is an issue with the L2TP. Xauth does full tunnel. Are the L2TP clients using Windows OS?
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Newbie, joined Sep 2019, 11 posts

    Any client: iPhone, iPad, Mac, Windows, and Linux.

    The VPN is working fine and everything seems to be working fine. The issue is the sessions on the Untangle server are bypassed and therefore never getting pushed up the stack to Layer 7 and scanned by Web Filter, Firewall, and Application Control.

    Clients are sending all traffic to the tunnel.

  4. #4
    Newbie, joined Sep 2019, 11 posts

    Are you saying that traffic would not be bypassed while using Xauth? Are you also saying that L2TP would always result in its traffic being bypassed?

  5. #5
    jcoffin (Untangler), Sunnyvale, CA, joined Aug 2008, 8,175 posts

    Sorry I was incorrect. L2TP does full tunnel. Unchecking "Bypass all IPsec traffic" in /admin/index.do#service/ipsec-vpn/ipsec-options and reconnecting does filter traffic. You can see this in the session viewer by adding the bypass column.
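    The session table in post #1 and jcoffin's tip in post #5 (add the "bypassed" column to the session viewer) both come down to the same check: are the sessions that terminate on the Untangle's own VPN ports being bypassed or not? The script below is an added example, not Untangle code or anything posted in this thread. It assumes a fixed-width text export of the session viewer with the column headers shown in post #1; the first three data rows are the rows from that post, the fourth is a constructed, non-bypassed LAN session added for contrast. Column boundaries are derived from the header line, so the multi-word placeholder cells ("vpn client public ip") parse correctly.

```python
"""Flag VPN control-plane sessions that Untangle's session viewer reports as bypassed.

Added example (not Untangle code). Assumes a fixed-width export of the session
viewer with the columns shown in the forum thread.
"""
import re
from dataclasses import dataclass

# Rows 1-3 are the rows posted in the thread; row 4 is a constructed LAN session.
SAMPLE_EXPORT = """\
bypassed protocol policy_id policy_rule_id client_intf server_intf c_client_addr        c_client_port s_server_addr          s_server_port
TRUE     UDP[17]  0         0              External[1] None[0]     vpn client public ip 61809         Untangle wan public ip 1701
TRUE     UDP[17]  0         0              External[1] None[0]     vpn client public ip 4582          Untangle wan public ip 4500
TRUE     UDP[17]  0         0              External[1] None[0]     vpn client public ip 4606          Untangle wan public ip 500
FALSE    TCP[6]   1         2              Internal[2] External[1] 192.168.1.20         51000         203.0.113.10           443
"""

# Ports from the thread's bypass/access rules: IKE (500), NAT-T (4500), L2TP (1701).
VPN_CONTROL_PORTS = {500, 4500, 1701}
VPN_PROTOCOLS = {"ESP", "AH"}


@dataclass(frozen=True)
class Session:
    bypassed: bool
    protocol: str        # "UDP", "TCP", "ESP", ... (the "[17]" protocol number is stripped)
    policy_id: int
    client_intf: str
    server_intf: str     # "None[0]" in the thread's rows: the session ends on Untangle itself
    client_addr: str
    client_port: int
    server_addr: str
    server_port: int


def parse_sessions(text):
    """Parse a fixed-width session viewer export into Session records.

    Column boundaries come from the header line, so cells containing spaces
    (such as "vpn client public ip") are kept whole.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0]
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    names = header.split()
    bounds = list(zip(starts, starts[1:] + [None]))  # last column runs to end of line

    sessions = []
    for line in lines[1:]:
        cells = {name: line[a:b].strip() for name, (a, b) in zip(names, bounds)}
        sessions.append(Session(
            bypassed=cells["bypassed"].upper() == "TRUE",
            protocol=cells["protocol"].split("[", 1)[0].upper(),
            policy_id=int(cells["policy_id"]),
            client_intf=cells["client_intf"],
            server_intf=cells["server_intf"],
            client_addr=cells["c_client_addr"],
            client_port=int(cells["c_client_port"]),
            server_addr=cells["s_server_addr"],
            server_port=int(cells["s_server_port"]),
        ))
    return sessions


def is_vpn_control_session(s):
    """ESP/AH, or UDP to the IKE, NAT-T or L2TP port."""
    return s.protocol in VPN_PROTOCOLS or (
        s.protocol == "UDP" and s.server_port in VPN_CONTROL_PORTS
    )


def bypassed_vpn_sessions(sessions):
    """The VPN control sessions the rack never saw."""
    return [s for s in sessions if s.bypassed and is_vpn_control_session(s)]


def summarize(sessions):
    """Counts of VPN control sessions, how many were bypassed, which ports, and
    whether every bypassed one terminated on the Untangle itself (server_intf None[0])."""
    vpn = [s for s in sessions if is_vpn_control_session(s)]
    bypassed = [s for s in vpn if s.bypassed]
    return {
        "vpn_control_total": len(vpn),
        "vpn_control_bypassed": len(bypassed),
        "bypassed_ports": sorted({s.server_port for s in bypassed}),
        "terminated_locally": all(s.server_intf == "None[0]" for s in bypassed),
    }


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_EXPORT)
    for s in bypassed_vpn_sessions(sess):
        print(f"bypassed {s.protocol}/{s.server_port} from {s.client_addr} -> {s.server_intf}")
    print(summarize(sess))
```

    Run against a real export, a non-empty "bypassed_ports" list after unchecking "Bypass all IPsec traffic" and reconnecting every client is the condition to report; a summary with zero bypassed VPN control sessions means the setting took effect.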

  6. #6
    Newbie, joined Sep 2019, 11 posts

    I have already tested this and it did not seem to work.

    I have tested connections with "bypass all IPSec traffic" unchecked under Apps > IPSec VPN > IPSec Options.
    ...
    Here is what I am seeing when I successfully VPN into the Untangle. Any other column from Layer 7 (Web Filter, Firewall, Application Control, etc.) is blank:
    Code:
    bypassed protocol policy_id policy_rule_id client_intf server_intf c_client_addr        c_client_port s_server_addr          s_server_port
    TRUE     UDP[17]  0         0              External[1] None[0]     vpn client public ip 61809         Untangle wan public ip 1701
    TRUE     UDP[17]  0         0              External[1] None[0]     vpn client public ip 4582          Untangle wan public ip 4500
    TRUE     UDP[17]  0         0              External[1] None[0]     vpn client public ip 4606          Untangle wan public ip 500

  7. #7
    jcoffin (Untangler), Sunnyvale, CA, joined Aug 2008, 8,175 posts

    I would investigate why the sessions are bypassed. Or open a support ticket.

  8. #8
    Newbie, joined Sep 2019, 11 posts

    I don't know how I would investigate this issue other than setting the settings in the web interface that the documentation states. I made sure the box was unchecked and followed all the other instructions. The docs state that L2TP is not bypassed, so I don't know what else is in play. Is it possible this is a bug?

    Is there some other documentation out there that deals with investigating bypass traffic? Is there a technical troubleshooting document I could review?

  9. #9
    jcoffin (Untangler), Sunnyvale, CA, joined Aug 2008, 8,175 posts

    Opening a Jira issue is not how to get this resolved, as it is not reproducible. The IPsec bypass option is working on several installations I have tested on just today. If you have a support license, open a support ticket.

    It is important to disconnect all L2TP connections before changing the setting and then reconnect to test.
    Last edited by jcoffin; 09-22-2019 at 07:09 PM.

  10. #10
    Newbie, joined Sep 2019, 11 posts

    I checked the box, saved, tested.
    I unchecked the box, saved, tested.
    I rebooted, verified the box was unchecked, tested.

    Always same result. Sessions are bypassed.

    Attachments: Screenshot 2019-09-23 01.50.51.png, Screenshot 2019-09-23 01.53.15.png

    Can you explain why this differs with the Wiki? Does Untangle write the wiki or is that information provided by the community?

    "If you disable this checkbox, traffic from IPsec tunnels can now be filtered through all active applications and services.
    ..
    Also please note that this only applies to plain IPsec tunnels. Traffic from L2TP and Xauth VPN clients will always pass through all active applications and services."
    Last edited by joelcarlton; 09-22-2019 at 11:01 PM.
