Unable to get IPsec to connect from Windows 10

[Quantiq]

Hello,

I have an Untangle firewall and I cannot get IPsec to connect from a windows 10 machine.

I have bought licenses and enabled IPsec. Setup the secret key/local directory and setup my Windows Devices correctly as per the Untangle Documentation.

When I try connecting a Windows machine it just sits there saying "Connecting to x.x.x.x" then after 2 minutes errors with "The l2tp connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer"

If however I try to connect from INSIDE the network (internal adaptor) it connects fine?

Running a packet trace on port 500 when trying to connect from external (when it fails) I get the following result (Firewall IP hidden)

15:32:34.519240 IP 94.197.120.174.53682 > x.x.x.x.500: isakmp: phase 1 I ident
15:32:34.520934 IP x.x.x.x.500 > 94.197.120.174.53682: isakmp: phase 1 R ident
15:32:35.380240 IP 94.197.120.174.53682 > x.x.x.x.500: isakmp: phase 1 I ident
15:32:35.380904 IP x.x.x.x.500 > 94.197.120.174.53682: isakmp: phase 1 R ident
15:32:36.380232 IP 94.197.120.174.53682 > x.x.x.x.500: isakmp: phase 1 I ident
15:32:36.380838 IP x.x.x.x.500 > 94.197.120.174.53682: isakmp: phase 1 R ident
15:32:39.410182 IP 94.197.120.174.53682 > x.x.x.x.500: isakmp: phase 1 I ident
15:32:39.410810 IP x.x.x.x.500 > 94.197.120.174.53682: isakmp: phase 1 R ident

Connecting to the VPN while on the internal network gives this result

15:34:52.123596 IP 10.31.11.163.500 > x.x.x.x.500: isakmp: phase 1 I ident
15:34:52.125217 IP x.x.x.x.500 > 10.31.11.163.500: isakmp: phase 1 R ident
15:34:52.126323 IP 10.31.11.163.500 > x.x.x.x.500: isakmp: phase 1 I ident
15:34:52.136917 IP x.x.x.x.500 > 10.31.11.163.500: isakmp: phase 1 R ident
15:34:52.138139 IP 10.31.11.163.500 > x.x.x.x.500: isakmp: phase 1 I ident[E]
15:34:52.139015 IP x.x.x.x.500 > 10.31.11.163.500: isakmp: phase 1 R ident[E]
15:34:52.140239 IP 10.31.11.163.500 > x.x.x.x.500: isakmp: phase 2/others I oakley-quick[E]
15:34:52.140923 IP x.x.x.x.500 > 10.31.11.163.500: isakmp: phase 2/others R oakley-quick[E]
15:34:52.141585 IP 10.31.11.163.500 > x.x.x.x.500: isakmp: phase 2/others I oakley-quick[E]

Anyone able to help me resolve?

Thanks

Nick

[sky-knight]

That looks like general connection failures. This would be normal internally, as Untangle will only respond to external connections for VPNs by default.

We need a screenshot of the VPN Config tab of your IPSec VPN module, make sure you remove the IPSec Secret first!

[Quantiq]

That looks like general connection failures. This would be normal internally, as Untangle will only respond to external connections for VPNs by default.

We need a screenshot of the VPN Config tab of your IPSec VPN module, make sure you remove the IPSec Secret first!

Capture.JPG

[sky-knight]

Interesting, and the Server Listen address matches an IP address on your External interface?

[Quantiq]

Interesting, and the Server Listen address matches an IP address on your External interface?

Yes we only have the one external interface and the listen address matches our external IP/external address

Thanks

Nick

[sky-knight]

Your server's configuration appears correct, I'm assuming that listen address is a real IP, and it doesn't start with 10., 172., or 192.

The rest of the documentation for configuring the VPN client on Windows 10 is here: https://support.untangle.com/hc/en-u...-configuration

The error seems to indicate the server name or address field on the client does not match the server listen address, or a DNS name that resolves to the server listen address.

And once again you cannot test from inside the Untangle protected network. Also, fair warning... there are ISPs that block L2TP, this is stupidly common on public wifi too. I usually configure both L2TP and OpenVPN for my road warriors because one of them usually works. But, I had an exec in a conference center in Dallas once, where they managed to block L2TP, OpenVPN, ScreenConnect, AND RDP... I gave up and told her to use her cell phone, *poof* problems solved.

[Quantiq]

Ok I've narrowed the problem down.

It's windows 10 build 1909 that is the problem.

If I use windows 10 build 1803 it connects fine, so I need to see what's happening there. Once resolved I'll report back a fix.

Thanks for your input so far.

Nick

[Quantiq]

Ok I've narrowed the problem down.

It's windows 10 build 1909 that is the problem.

If I use windows 10 build 1803 it connects fine, so I need to see what's happening there. Once resolved I'll report back a fix.

Thanks for your input so far.

Nick

Right this is wrong, now the 1803 Windows 10 won't connect either, must have been a fluke it got through the first time.

Back to troubleshooting the firewall....

[sky-knight]

Not necessarily... There is a problem with 1903, and given that 1909 is all of 1 build number different, I'd expect the problem to be there too.

Try opening the control panel, then clicking Network and Sharing Center, then change adapter settings. There should be an adapter in there for your L2TP, right click on that, and connect from there. There is a known issue with all versions of Windows 10 1809 and forward that causes the new GUI tools to not connect properly, the only known work around is to dig into the control panel and connect from there.

This article has another path that looks good to work, I'm going to have to remember this because it includes the details needed to make a desktop shortcut to quickly access the old GUI.

https://www.tachytelic.net/2019/06/v...0-1903-update/

But seriously, junk like this is why I don't use L2TP anymore. Meraki does puts you through the same garbage. The Windows VPN client is trash, poorly supported, and buggy. It's been that way for decades. Sure, you have to take the time to install an OpenVPN client on machines that need them, but with RMM tools that doesn't take up much time, in my case it consumes far less time than configuring the built in crap. And once done the user just needs to right click, connect.

[Quantiq]

Not necessarily... There is a problem with 1903, and given that 1909 is all of 1 build number different, I'd expect the problem to be there too.

Try opening the control panel, then clicking Network and Sharing Center, then change adapter settings. There should be an adapter in there for your L2TP, right click on that, and connect from there. There is a known issue with all versions of Windows 10 1809 and forward that causes the new GUI tools to not connect properly, the only known work around is to dig into the control panel and connect from there.

Yeah we'd tried that before and no luck.

The only reason we want it on is we currently use the OpenVPN connection but from our new office in Manila it drops all the time.

I know it's the internet in Manila, not the firewall, BUT I need to be able to prove it and show I've tried another method or they will keep saying it's me not their rubbish internet.

Is just very odd that a computer will connect then 5 min later with no settings changed refuse?