OpenWrt Forum Archive

Topic: Open ports for L2TP VPN client (VPN Passthrough)

The content of this topic has been archived on 30 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello,

I have a router with Chaos Calmer installed. Everything is fine, but I'm not able to connect to my office's VPN.
With another router everything works fine, so it's clearly OpenWrt somehow blocking the connection.

I tried to open port 1701 through LuCI (Any TCP, UDP, From any host in any zone with source port 1701, To any host, port 1701 in any zone) but this doesn't seem to have any effect.

Am I opening the ports right? Is there anything else I need to do?

I have tried to find some guides, but all the tutorials focus on how to create a VPN server: I just want to connect to an existing server instead.

Try adding this in /etc/config/firewall and restarting the firewall:

# allow IPsec/ESP and ISAKMP passthrough
config rule
        option name             Allow-ESP-RFC6092
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-IKE-RFC6092
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT

IPsec over NAT-T usually uses port 4500 (UDP, maybe TCP as well) instead of ESP since the latter can't be NATed.

I have the same problem as "d_abbatelli" but I'm NOT able to connect in MY OWN NETWORK. I have a NAS running L2TP VPN and configured the following ports: 500, 1701, 4500.
But how do I need to go further in my router settings? I've tried to forward the ports in my router but it's not working. The NAS is connected to a LAN port of the Archer C7 1750AC V2 router with OpenWrt Chaos Calmer 15.05-rc3.

Please, anyone help!

(Last edited by michael.meersschaert on 21 Feb 2017, 22:37)

d_abbatelli, which kind of VPN have you tried to connect to?
michael.meersschaert, have you forwarded udp?

(Last edited by ulmwind on 21 Feb 2017, 22:56)

ulmwind udp & tcp

michael.meersschaert, it is interesting. Are you sure that you've done it? Does your NAS have a web interface? Try to forward the port of the web interface and make sure that it works.

(Last edited by ulmwind on 21 Feb 2017, 23:07)

ulmwind, everything is correct. The only thing I should need is VPN Passthrough for the L2TP protocol, I think? But how do I need to do this?

michael.meersschaert, try to open esp:
https://blogs.technet.microsoft.com/rra … s-through/
For L2TP:

    IP Protocol Type=UDP, UDP Port Number=500    <- Used by IKEv1 (IPSec control path)
    IP Protocol Type=UDP, UDP Port Number=4500   <- Used by IKEv1 (IPSec control path)
    IP Protocol Type=ESP (value 50)   <- Used by IPSec data path

ulmwind, I opened the ESP protocol but I can't find any log of connections in my NAS's VPN.

michael.meersschaert, have you got a positive result redirecting traffic to the NAS web interface?

(Last edited by ulmwind on 22 Feb 2017, 23:41)

ulmwind, I'm not so good at this so I don't know what you mean, sorry hmm

This is my firewall config settings:

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'udp'
    option src_dport '1701'
    option dest_port '1701'
    option name 'IPSec'
    option dest_ip '192.168.1.100'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'udp'
    option src_dport '500'
    option dest_ip '192.168.1.100'
    option dest_port '500'
    option name 'IPSec II'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option src_dport '4500'
    option dest_ip '192.168.1.100'
    option dest_port '4500'
    option name 'IPSec III'
    option proto 'tcp'

config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option proto 'ah'
    option target 'ACCEPT'

When I try to connect on my Windows computer, it gives me the following:
A network connection between your computer and the VPN server was started, but the VPN connection was not completed. This is typically caused by the use of an incorrect or expired certificate for authentication between the client and the server. Please contact your Admin to ensure that the certificate being used for authentication is valid.

And I still can't find a log in my NAS VPN server (looked on the NAS's web interface).

michael.meersschaert, try to forward the http port:

config redirect
        option src       wan
        option src_dport 80
        option proto     tcp
        option dest      lan
        option dest_ip   192.168.1.100

Make sure it works (you can log in to the web interface of the NAS from the WAN side).
After that do the same thing with esp and ah:

config redirect
        option src       wan
        option proto     esp
        option dest      lan
        option dest_ip   192.168.1.100

I am not sure about the last one, but it should be safe to try it.
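An added audit script, not from this thread and not OpenWrt code, that parses UCI firewall sections and checks them against the three items ulmwind listed (UDP/500, UDP/4500 and IP protocol ESP). It runs over the redirects and ESP rule michael.meersschaert posted above (the NAS address 192.168.1.100 comes from that post) and reports that 4500 is forwarded as TCP rather than UDP and that ESP only has a forward rule and no redirect, which is what ulmwind's last reply addresses: a `rule` permits forwarding, but ESP arriving for the router's WAN address is never forwarded unless a `redirect` rewrites its destination. The UCI defaults the script assumes (proto `tcp udp` when unset, DNAT as the redirect target) are fw3 behaviour; the sample config is constructed from the post with the `target` and `name` lines dropped.

```python
# Added example for this thread (not OpenWrt code): check a UCI firewall
# config for what an L2TP/IPsec server behind NAT needs forwarded to it.

# Constructed sample: the redirects and ESP rule michael.meersschaert posted,
# without the 'target' lines (DNAT is the UCI default for a redirect).
THREAD_CONFIG = """
config redirect
    option src 'wan'
    option dest 'lan'
    option proto 'udp'
    option src_dport '1701'
    option dest_ip '192.168.1.100'

config redirect
    option src 'wan'
    option dest 'lan'
    option proto 'udp'
    option src_dport '500'
    option dest_ip '192.168.1.100'

config redirect
    option src 'wan'
    option dest 'lan'
    option src_dport '4500'
    option dest_ip '192.168.1.100'
    option proto 'tcp'

config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'
"""
NAS_IP = "192.168.1.100"  # NAS address from the same post

# (label, protocol, external port) that must be redirected to the NAS;
# L2TP itself (UDP/1701) rides inside the IPsec tunnel and needs nothing.
REQUIRED = [
    ("IKE", "udp", 500),
    ("IKE NAT-T / UDP-encapsulated ESP", "udp", 4500),
    ("ESP (IP protocol 50)", "esp", None),
]

def _unquote(s):
    s = s.strip()
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] and s[0] in "'\"" else s

def parse_uci(text):
    """UCI text -> [{'type': ..., 'options': {key: [values]}}]; comments dropped."""
    sections, current = [], None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 2)
        if parts and parts[0] == "config" and len(parts) >= 2:
            current = {"type": parts[1], "options": {}}
            sections.append(current)
        elif parts and parts[0] in ("option", "list") and len(parts) == 3 and current:
            current["options"].setdefault(parts[1], []).append(_unquote(parts[2]))
    return sections

def protocols(section):
    """Protocols a section matches; UCI defaults to 'tcp udp' when unset."""
    raw = " ".join(section["options"].get("proto", ["tcp udp"])).lower()
    return set(raw.replace("tcpudp", "tcp udp").split())

def port_matches(section, port):
    """True if the redirect's external port (src_dport, single or range) covers port."""
    for spec in " ".join(section["options"].get("src_dport", [])).split():
        lo, _, hi = spec.partition("-")
        if lo.isdigit() and int(lo) <= port <= int(hi or lo):
            return True
    return False

def audit_l2tp_forwarding(text, nas_ip):
    """One finding per REQUIRED entry, plus a note on a stray UDP/1701 redirect."""
    sections = parse_uci(text)
    redirects = [s for s in sections if s["type"] == "redirect"]
    rules = [s for s in sections if s["type"] == "rule"]
    findings = []
    for label, proto, port in REQUIRED:
        ok = [r for r in redirects
              if r["options"].get("dest_ip", [None])[0] == nas_ip
              and protocols(r) & {proto, "all"}
              and (port is None or port_matches(r, port))]
        if ok:
            findings.append(f"OK: {label} is redirected to {nas_ip}")
            continue
        same_port = [r for r in redirects if port and port_matches(r, port)]
        if same_port:
            seen = ",".join(sorted(set().union(*map(protocols, same_port))))
            findings.append(f"FAIL: {label}: port {port} is redirected as {seen}, needs {proto}")
        elif proto == "esp" and any(protocols(r) & {"esp", "all"} for r in rules):
            # A 'rule' only permits forwarding. ESP arriving for the WAN address is
            # never forwarded unless a 'redirect' rewrites its destination to the NAS.
            findings.append("FAIL: ESP: only a forward rule exists; add a redirect (DNAT) to the NAS")
        else:
            findings.append(f"FAIL: {label}: no redirect found")
    if any(port_matches(r, 1701) for r in redirects):
        findings.append("INFO: UDP/1701 redirect is unnecessary; L2TP is carried inside IPsec")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_l2tp_forwarding(THREAD_CONFIG, NAS_IP)))
```

Run as-is it prints one OK line (UDP/500), two FAIL lines (4500 as TCP, ESP without a redirect) and the UDP/1701 note; feeding it the esp redirect ulmwind suggests, plus a UDP redirect for 4500, turns every line into OK.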

The discussion might have continued from here.