Author Topic: Zentyal Server 3.2 - Configuring the VPN L2TP/IPSec PSK Server  (Read 7218 times)

ax

« on: October 17, 2013, 12:45:45 pm »
Hello everyone,

I need your lights for a small problem setting up an L2TP/IPSec PSK VPN server.

Here is my setup:

My network architecture:

        (Public IP01) --- ISP01 (192.168.3.254) --- (192.168.3.253)
WAN ---                                                             Zentyal Server (192.168.1.254) --- (192.168.1.0/24) LAN
        (Public IP02) --- ISP02 (192.168.4.254) --- (192.168.4.253)

On the ISP01 router: 2 NAT rules configured like this

  • Public IP01 500 192.168.3.253 500
  • Public IP01 4500 192.168.3.253 4500

L2TP/IPSec PSK VPN server configuration:

IPSec module installed, enabled and configured:
  • Public IP Address: 192.168.3.253
  • Remote Address: Any address
  • Secret PSK: test
  • Tunnel IP: 192.168.1.253
  • Primary Server Name: local Zentyal DNS
  • Range: 192.168.1.240 - 192.168.1.250
  • User: test
  • Password: test

VPN users will connect through the ISP01.

I see incoming/outgoing requests on the firewall with Wireshark for the ISAKMP protocol.

When I try to telnet my Public IP01 with the 500 and/or 4500 ports there are no responses.

I don't understand why everything doesn't work perfectly :/. Maybe it's a mistake in my Windows VPN configuration client?

Need some help from you to solve this simple boring problem.

nstojanoski

« Reply #1 on: November 28, 2013, 06:13:42 pm »
Hello,

I also have a problem with L2TP PSK.

So far I've figured out that only the first client can browse/ping the network. I can connect multiple clients but ONLY THE FIRST can communicate inside the network.

Have you managed to solve this problem?

Regards,
Nikola

nstojanoski

« Reply #2 on: November 30, 2013, 03:56:50 pm »
I've noticed that it's a firewall issue.

When I connect the second client I CAN'T ping anything from the client, but I can access the client services from the local network.

The strange thing is that the first connected client can access the local network, but all other connected clients are blocked by the firewall: they can't access the local network, but PCs from the local network can access their services.

I've noticed that only the first IP is in the inospoofmodules and fnospoofmodules chains; when other clients are connected their IP is not in the chains, so the problem is in the firewall, not in the configuration.

Can anyone help with this?

Regards

jjm1982

« Reply #3 on: December 03, 2013, 08:21:44 pm »
I would attempt to add the IP range 192.168.1.240 - 192.168.1.250 to both the inospoofmodules and fnospoofmodules chains manually. I'm not quite sure if you can do this in the web GUI; if not, you can write a firewall.postservice script in the /etc/zentyal/hooks directory and add the IP range (copying the particular parameters as how the first client connects) to the chains. What this will do is add the IPs to these proper chains every time the Zentyal firewall service is restarted. In essence, whenever a client connects they should have the ability to browse the network.

This of course would just be a workaround for what appears to be a bug. I suggest opening a ticket, if one isn't open already, and providing details about your issue.
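
The workaround suggested in the reply above, written as a hook script (an added example, not part of the original post and not Zentyal's own code): it reads the rule already present for a connected client and clones it for every other address in the 192.168.1.240 - 192.168.1.250 range. Assumptions: the rule format shown in the comments, the `$1` argument convention, and that a client rule exists in the chains when the hook runs.

```sh
#!/bin/sh
# Added example, not Zentyal's code; meant for /etc/zentyal/hooks/firewall.postservice.
# Assumptions: `iptables -S <chain>` lists the first client's rule as
#   -A <chain> -s <client-ip>/32 <rest>
# and Zentyal passes 1 as $1 when the firewall module is enabled.

PREFIX=192.168.1   # VPN range from the first post: 192.168.1.240 - 192.168.1.250
FIRST=240
LAST=250

# stdin: `iptables -S <chain>` output. stdout: one "iptables -A ..." command per
# range address that has no rule yet, cloned from the rule of a connected client.
clone_rules() {
    chain=$1
    rules=$(cat)
    rest=""
    n=$FIRST
    while [ "$n" -le "$LAST" ]; do
        key="-A $chain -s $PREFIX.$n/32 "
        hit=$(printf '%s\n' "$rules" | grep -F -- "$key" | head -n 1)
        if [ -n "$hit" ]; then rest=${hit#"$key"}; break; fi
        n=$((n + 1))
    done
    [ -n "$rest" ] || return 1   # no client rule present, nothing to copy
    # Every client gets its own pppN device, so a copied "-i ppp0" would never
    # match the others. "ppp+" matches any ppp device; the source stays pinned.
    rest=$(printf '%s\n' "$rest" | sed -E 's/-i ppp[0-9]+/-i ppp+/')
    n=$FIRST
    while [ "$n" -le "$LAST" ]; do
        key="-A $chain -s $PREFIX.$n/32 "
        if ! printf '%s\n' "$rules" | grep -qF -- "$key"; then
            printf 'iptables -A %s -s %s/32 %s\n' "$chain" "$PREFIX.$n" "$rest"
        fi
        n=$((n + 1))
    done
}

# Run as a hook: extend both anti-spoofing chains named in the thread.
if [ "${1:-}" = 1 ] && command -v iptables >/dev/null; then
    for c in inospoofmodules fnospoofmodules; do
        iptables -S "$c" | clone_rules "$c" | sh
    done
fi
```

The hook file has to be executable, and piping a saved `iptables -S` listing through `clone_rules` prints the commands without applying them.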

nstojanoski

« Reply #4 on: December 10, 2013, 08:19:47 am »
Thanks, jjm1982.

I've managed to fix my L2TP issues, and reported the bug and solution here: http://trac.zentyal.org/ticket/7788. Also, I've installed a PPTP server and use it until there is a more stable release.

Here is a howto for those who need PPTP: http://www.vionblog.com/zentyal-3-2-pptp-server/

Regards,
Nikola

JhonQ

« Reply #5 on: June 30, 2014, 11:45:57 pm »
Dead link! http://trac.zentyal.org/ticket/7788
Can you please help me? How did you solve this issue?

Seb

« Reply #6 on: August 21, 2014, 05:45:42 am »
This ended up at https://tracker.zentyal.org/issues/305 and it looks like it got fixed a couple of months ago in https://github.com/Zentyal/zentyal/pull/1360/files

It looks like it should be fixed in the latest version.