Question re: Firewall Setup/Configuration for Strongswan (IPSec/L2TP) VPN

cyf

New Around Here
Hi,

I've "successfully" set up IPSec/L2TP with Strongswan (at least being able to establish a connection, but haven't checked routing) on 3.0.0.4.376.47_0 and iOS 8 (IKEv1) with an ASUS rt-n66U.

However, I can only contact the server when I'm on the LAN, but not outside. I receive a "The VPN Server did not respond" error.

1. Do I need to setup rules through iptables?
2. Do I put it in "nat-start"?
3. I've been manually launching IPSec ("ipsec start") through terminal, but I presume I would put this in init-start? Or would it be in post-mount as the Strongswan material is in my entware USB (actually it's on a Micro SD card)?

I tried:

1. Putting the ports in port forwarding (forwarding both TCP+UDP) (see the article below; port 1071 is for ):
ALL TCP 500 10.69.20.1 500 VSERVER
ALL UDP 500 10.69.20.1 500 VSERVER
ALL TCP 1071 10.69.20.1 1071 VSERVER
ALL UDP 1071 10.69.20.1 1071 VSERVER
ALL TCP 50 10.69.20.1 50 VSERVER
ALL UDP 50 10.69.20.1 50 VSERVER
ALL TCP 51 10.69.20.1 51 VSERVER
ALL UDP 51 10.69.20.1 51 VSERVER
ALL TCP 4500 10.69.20.1 4500 VSERVER
ALL UDP 4500 10.69.20.1 4500 VSERVER

When that didn't work, I tried:

2. Setting the DMZ to my local IP address (assume it's 10.69.20.1).

Neither of these approaches worked.

My research for which port to open is from here:

http://blogs.technet.com/b/rrasblog...-unblock-for-vpn-traffic-to-pass-through.aspx

For L2TP:

IP Protocol Type=UDP, UDP Port Number=500 <- Used by IKEv1 (IPSec control path)
IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv1 (IPSec control path)
IP Protocol Type=UDP, UDP Port Number=1701 <- Used by L2TP control/data path
IP Protocol Type=50 <- Used by data path (ESP)

For IKEv2:

IP Protocol Type=UDP, UDP Port Number=500 <- Used by IKEv2 (IPSec control path)
IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv2 (IPSec control path)
IP Protocol Type=UDP, UDP Port Number=1701 <- Used by L2TP control/data path
IP Protocol Type=50 <- Used by data path (ESP)

• IP Protocol ID 50:
For both inbound and outbound filters. Should be set to allow Encapsulating Security Protocol (ESP) traffic to be forwarded.
• IP Protocol ID 51:
For both inbound and outbound filters. Should be set to allow Authentication Header (AH) traffic to be forwarded.
• UDP Port 500:
For both inbound and outbound filters. Should be set to allow ISAKMP traffic to be forwarded.

I understand that L2TP/IPSec traffic looks just like IPSec traffic on the wire, so the firewall just has to allow IKE (UDP 500) and IPSec ESP formatted packets (IP protocol = 50), but I tried opening IP protocol 51.
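As an added example (not code from either poster), here is a firewall-start style script that allows the protocols and ports quoted from the TechNet list above on the router's own INPUT chain; VSERVER port forwarding and DMZ only redirect traffic to another LAN host, so they do nothing for a daemon running on the router itself. Assumptions: the WAN interface name (WAN_IF, defaulting to eth0), an iptables that supports `-C`, and the `policy` match module being available on the router kernel.

```shell
#!/bin/sh
# Added example: open IKE (UDP 500/4500), ESP (50), AH (51) and L2TP (UDP 1701)
# for a strongSwan daemon running on the router. On Asuswrt-Merlin the
# conventional place for filter rules is /jffs/scripts/firewall-start
# (nat-start is meant for NAT rules).
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"   # assumption: adjust to the router's WAN interface

# Emit one "CHAIN rule-args" line per rule so the list can be reviewed
# (or tested) without touching the live firewall.
vpn_input_rules() {
    cat <<EOF
INPUT -i $WAN_IF -p udp --dport 500 -j ACCEPT
INPUT -i $WAN_IF -p udp --dport 4500 -j ACCEPT
INPUT -i $WAN_IF -p esp -j ACCEPT
INPUT -i $WAN_IF -p ah -j ACCEPT
INPUT -i $WAN_IF -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
EOF
}
# Note: UDP 1701 is only accepted when the packet arrived inside an IPsec SA
# (policy match), so plain unencrypted L2TP from the internet is still dropped.

# Insert each rule at the top of INPUT, skipping rules that already exist so
# the script is safe to run more than once (e.g. on every WAN reconnect).
apply_vpn_rules() {
    vpn_input_rules | while read -r chain args; do
        # shellcheck disable=SC2086  # args are meant to be word-split
        "$IPT" -C "$chain" $args 2>/dev/null || "$IPT" -I "$chain" $args
    done
}

# Only touch the firewall when explicitly asked, e.g. APPLY_VPN_RULES=1 ./vpn-fw.sh
if [ "${APPLY_VPN_RULES:-0}" = "1" ]; then
    apply_vpn_rules
fi
```

Run `vpn_input_rules` first to review the generated rules, then `APPLY_VPN_RULES=1` to install them; `iptables -S INPUT` afterwards should show the five ACCEPT rules ahead of the firmware's default drop.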
Hi,

I'm interested in setting up IKEv2 on my Asus RT-n66u as well.

I have been looking for some firmware because the original Asus firmware does not support IKEv2.

What firmware do you have installed on your router?

I'll install that too and then maybe we can find a solution for the issue.

Regards.