Securifi Community Forum

Securifi Products => Almond+ => Topic started by: Lectoid on October 23, 2015, 12:22:42 pm

Title: Help with IPSec/L2TP VPN server please
Post by: Lectoid on October 23, 2015, 12:22:42 pm
I can get PPTP VPN server working fine from my iPhone to the Almond+.

I cannot get IPSec to work on my iPhone or Windows PC (don't have anything else to test with). For reference, I set up SonicWalls at least once a month, so I have an idea of how to set up VPNs.

On the Almond+, I have it set as:
VPN Server: IPSec Server
IPSec Policy: Pre-shared key
Pre-shared key: (secret)
Local Endpoint: (WAN IP address of almond+)
Local IP: 192.168.1.1

and below I set up a user and password for an account.


On the iPhone I have it set as:
Type: L2TP
Server: (WAN IP address of almond+)
account: (user)
password: (password)
Secret: (secret)

What am I missing? When I try to connect I get "The L2TP-VPN server did not respond. Try reconnecting..."

Is there a log I can view in the almond+? I didn't see any activity in the system log when working on this.

Thanks!!
Title: Re: Help with IPSec/L2TP VPN server please
Post by: razzfazz on October 23, 2015, 01:32:29 pm
Shouldn't you be using type "IPSec" on the phone, not "L2TP"?
Title: Re: Help with IPSec/L2TP VPN server please
Post by: Lectoid on October 23, 2015, 01:42:27 pm
I tried that, didn't work either. I researched this and I think I saw someone mention you use L2TP for this type.

If you go into the OpenWRT part, then Services, then VPN Server, you will see L2TP under pre-shared key when the IPSec option is chosen.
Title: Re: Help with IPSec/L2TP VPN server please
Post by: Ashok on October 23, 2015, 03:54:45 pm
@ Lectoid,

Which mode are you using the Almond+?
Title: Re: Help with IPSec/L2TP VPN server please
Post by: Lectoid on October 23, 2015, 09:20:29 pm
Just like a normal router. I thought there was a screen where you pick but I can't see it from the web interface. But like I said it's just set up like any home router would be.
Title: Re: Help with IPSec/L2TP VPN server please
Post by: Lectoid on October 28, 2015, 11:01:58 am
Is anyone else having this issue?
Title: Re: Help with IPSec/L2TP VPN server please
Post by: Ashok on October 28, 2015, 02:00:46 pm
@ Lectoid,

To diagnose the issue, is it possible for you to try connecting from any other device apart from the iPhone?
Title: Re: Help with IPSec/L2TP VPN server please
Post by: Lectoid on October 28, 2015, 02:07:48 pm
I mentioned in my first post that I had also tried my Windows PC. Let me see if I can get the specific error.

"The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer."

PC VPN settings:
Server name: (WAN IP of Almond+)
VPN Type: Layer 2 tunneling protocol with IPsec (L2TP/IPsec)
 - advanced settings - use preshared key for authentication: (secret)
user name: (user)
password: (pass)
Title: Re: Help with IPSec/L2TP VPN server please
Post by: cff on October 30, 2015, 09:56:54 am
If you are using IPSec on the Almond+, you should be using IPSec on the iPhone (or any other device) also.

I have the same issue, BTW. I can get L2TP to work, but not IPSec (same error as you are getting). I have seen others with the same issue on this forum also. I would suspect it related to my ISP, but I use various other IPSec connections with no issue, so I am guessing it's related to the Almond+.
Title: Re: Help with IPSec/L2TP VPN server please
Post by: Lectoid on December 28, 2015, 01:45:04 pm
Is there anyone that can help with this?

I have a new phone and still get the same errors. The Almond+ has the 83 firmware on it now.

I also can't connect from my Windows PC. I've verified all the passwords. Went in to advanced settings of the VPN and set the preshared key.

Is there a log on the Almond+ I can view while trying to connect to see what the errors are?

I can get the PPTP to work, but that's not secure.
Title: Re: Help with IPSec/L2TP VPN server please
Post by: SecureComp on December 28, 2015, 03:03:07 pm
Quote

Is there anyone that can help with this?

I have a new phone and still get the same errors. The Almond+ has the 83 firmware on it now.

I also can't connect from my Windows PC. I've verified all the passwords. Went into advanced settings of the VPN and set the preshared key.

Is there a log on the Almond+ I can view while trying to connect to see what the errors are?

I can get the PPTP to work, but that's not secure.

Sorry missed this earlier.

I use VPNs on a regular basis, including with the Almond+ with Linux, Android and IOS clients.

On the A+ side;

IPSEC
PRE-SHARED
simple key phrase to start, basic alphanumeric, increase strength later
LOCAL ENDPOINT - verify external IP, I'm sure you have it right, just double check
LOCAL IP - pick something outside of the DHCP range, do not specify some Static Lease

On the Client side, starting with the iPhone (which IOS?)

TYPE L2TP
SERVER = WAN IP
ACCOUNT=username, create a new one and make sure changes are saved or committed
RSA SECURE ID = OFF
PASSWORD=password for user
SECRET=keyphrase
SEND ALL TRAFFIC=ON
PROXY OFF

PC Client;
L2TP over IPSEC
Same as above

Android Client;
L2TP/IPSEC/PSK
L2TP secret (not used)
IPSec Identifier (not used)
IPSec Pre Shared Key
Do Not Specify DNS Search Domains, DNS Servers, Forwarding Routes


Title: Re: Help with IPSec/L2TP VPN server please
Post by: SecureComp on December 28, 2015, 03:05:26 pm
Server Did Not Respond means;
1) the VPN Server is not actually running, there is a Check Box that must be Checked
2) ports are blocked by the ISP
3) ports are blocked by a Firewall

Have you done any custom work on your Firewall settings?

May want to do a quick dump of your iptables to take a look, or use OpenWRT and review the firewall setup. If you did make any changes in an effort to sort something out, those changes may be creating an issue.
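The iptables check suggested above, as an added example that is not part of the original thread and not Securifi's code: a POSIX shell script that scans an iptables-save dump for the ACCEPT rules an L2TP/IPsec server needs on the WAN side (IKE on 500/udp, NAT-T on 4500/udp, ESP, and L2TP on 1701/udp). The sample dump is constructed, not taken from an Almond+, and the chain name zone_wan_input is an assumption in OpenWrt style.

```shell
#!/bin/sh
# Added example, not from the thread or from Securifi: scan an iptables-save
# dump for the ACCEPT rules an L2TP/IPsec server needs on the WAN side.

# Constructed sample ruleset (hypothetical; OpenWrt-style chain "zone_wan_input").
# It admits IKE (500/udp), L2TP (1701/udp) and PPTP (1723/tcp + GRE) but lacks
# IPsec NAT-T (4500/udp) and ESP: the shape that lets PPTP work while an
# L2TP/IPsec client behind NAT (a phone on LTE) never completes negotiation.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:zone_wan_input - [0:0]
-A INPUT -i eth0 -j zone_wan_input
-A zone_wan_input -p udp -m udp --dport 500 -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1701 -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1723 -j ACCEPT
-A zone_wan_input -p gre -j ACCEPT
-A zone_wan_input -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# has_accept_rule RULES PROTO [PORT]
# Succeeds if RULES holds an ACCEPT rule for PROTO (and --dport PORT when given).
# The trailing space after the port keeps "--dport 500" from matching 5000.
has_accept_rule() {
    rules=$1
    proto=$2
    port=$3
    if [ -n "$port" ]; then
        pattern="-p $proto .*--dport $port .*-j ACCEPT"
    else
        pattern="-p $proto .*-j ACCEPT"
    fi
    printf '%s\n' "$rules" | grep -E -e "$pattern" >/dev/null
}

# missing_vpn_rules RULES
# Prints one line per L2TP/IPsec traffic type that has no ACCEPT rule;
# prints nothing when the rule set is complete.
missing_vpn_rules() {
    rules=$1
    has_accept_rule "$rules" udp 500  || echo "udp/500 (IKE)"
    has_accept_rule "$rules" udp 4500 || echo "udp/4500 (IPsec NAT-T)"
    has_accept_rule "$rules" esp      || echo "esp (IP protocol 50)"
    # L2TP rides inside the IPsec tunnel. A bare 1701/udp ACCEPT also admits
    # unencrypted L2TP, so on a real box prefer a rule restricted with
    # "-m policy --dir in --pol ipsec" and let only the decrypted packets in.
    has_accept_rule "$rules" udp 1701 || echo "udp/1701 (L2TP)"
}

# On the router itself: missing_vpn_rules "$(iptables-save)"
missing_vpn_rules "$SAMPLE_RULES"
```

On the constructed sample this reports udp/4500 and esp as missing. Run it on the router with the live iptables-save output, and compare against a dump taken while a PPTP connection succeeds: a "server did not respond" with PPTP working usually means IKE or NAT-T never reaches the daemon, which is the first thing this check isolates before looking at the System Log.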
Title: Re: Help with IPSec/L2TP VPN server please
Post by: SecureComp on December 28, 2015, 03:07:30 pm
And of course, when testing from your phone, make sure WiFi is turned off and that you are actually using the cellular network to find your A+ WAN port.
Title: Re: Help with IPSec/L2TP VPN server please
Post by: SecureComp on December 28, 2015, 03:14:07 pm
There is LOTS of debug info in the System Log.
You may not recognize it if you haven't debugged VPNs before.
Title: Re: Help with IPSec/L2TP VPN server please
Post by: Lectoid on December 29, 2015, 03:53:13 pm
All of my experience with VPNs is with SonicWalls, but that hasn't really helped me here.

I swear I read the Local IP was supposed to be the same as the routers LAN IP. Also I do have the VPN enabled.

I changed it to a known unused one outside my DHCP range and I still get the errors both on LTE and Wi-Fi (Wi-Fi is a different IP scheme).

I guess I can bring my A+ to work and try it on an open WAN port we use for testing, because I know no ports are blocked there.

IOS has always been the latest public release.

I think I mentioned it, but PPTP does work.

I haven't made any real changes to my A+ past port forwards, none of which are for IPSec or L2TP. Even deleted them all to be sure.
Title: Re: Help with IPSec/L2TP VPN server please
Post by: SecureComp on December 29, 2015, 04:36:11 pm
Quote

All of my experience with VPNs is with SonicWalls, but that hasn't really helped me here.

That's cool, SonicWalls are good stuff.

The debug info on the Almond+ will not look familiar. I will grab a screen shot of a sample connect and disconnect and post it up. May not get it done until tomorrow.  Then you can look at a known good sample and compare it to your info.

The basic info you shared (though system logs would be more helpful at this point) makes me wonder if you are getting through to your A+ from the outside at all. The puzzling thing is, you ARE able to connect using a different method. So really, in the logs, we should see the connect attempt and a specific reason for the failure. Not a generic, can't connect to the server kind of message.

Quote

I swear I read the Local IP was supposed to be the same as the routers LAN IP.
Depending on the VPN software, you can actually specify which IP to use, static, DHCP allocated, etc. on a per client basis.
But yes, the Local IP is that of the router. Changing it to something else should have forced another error which would show up in the system log.

When you change it to something else, go ahead and test your PPTP connection and watch it fail, then check the System Logs. Then change it back to the local IP of the router, watch the successful connect in the System logs with PPTP and then watch the connect attempt with IPSec in the logs.

Quote

 Also I do have the VPN enabled.

Had to ask. Often the simple things are overlooked.

Quote
I changed it to a known unused one outside my DHCP range and I still get the errors both on LTE and Wi-Fi (Wi-Fi is a different IP scheme).

For now, let's stick with the LTE debug.

Being on a separate WiFi network but still behind the A+ (if that's what you are talking about) leads to route debugging and we'd need to verify a number of things. So the easiest way to proceed is debugging from a network that is absolutely on the other side of the Interweb from your residential ISP. IF you mean a WiFi network at a different location, work, friend, family, etc., then it should be fine; though you do run the risk of some funky routing stuff creating problems, it is unlikely. I am using my VPN from a dozen remote locations, using several different ISPs, behind a fistful of different routers/networks/firewalls. All of them do exactly what they should, allow me to tunnel as needed.


Quote
I guess I can bring my A+ to work and try it on an open WAN port we use for testing, because I know no ports are blocked there.
If you can, that'd be great. Though IF the issue is with any of your firewall mods on the A+, anticipate similar results.
Quote

IOS has always been the latest public release.
Brave Soul. I lag back a dot release or two until it is well baked in the public soak.  8)

Quote
I think I mentioned it, but PPTP does work.
Which makes me think 2 things.
You must be hitting the Server with the initial connect attempt and the debug logs should show it, OR a firewall/iptables/routing mod has hosed up some basic functionality.

Quote

I haven't made any real changes to my A+ past port forwards, none of which are for IPSec or L2TP. Even deleted them all to be sure.

Haha, "real" changes. Port Forwarding can crush you when dynamically allocated ports get called. Do you have UPnP turned on?

When deleting, there is deleting and then there is deleting.
Which interface do you use for your mods?
Web Interface?
OpenWRT?
Command Line?

Last thought AND Last Resort, and this is a risky one, so proceed with your own best judgement.
Create a separate "test" user id/password combo.
PM me the details and I will try a remote test and look at local debug info.
Probably better off contacting Securifi Tech Support before doing this, you have no idea who folks are on a forum and I sure wouldn't let a stranger into my "house". But I'll make the offer because you seem to be struggling a bit with this.  Your call.
Title: Re: Help with IPSec/L2TP VPN server please
Post by: tinkerman on December 29, 2015, 07:28:20 pm
not sure if this affects you but from my experience AT&T blocks L2TP on LTE, so you might want to test first with just a PC. you really should be getting more informative logs. i would use a linux client on this as i can get more verbose messages from the connecting side.

or you can just go openvpn.
Title: Re: Help with IPSec/L2TP VPN server please
Post by: SecureComp on December 30, 2015, 02:52:21 am
Quote

not sure if this affects you but from my experience AT&T blocks L2TP on LTE, so you might want to test first with just a PC. you really should be getting more informative logs. i would use a linux client on this as i can get more verbose messages from the connecting side.

or you can just go openvpn.

Absolutely a LINUX client would provide great debug info.

Even if you are using a Windows PC, you can load a VM setup and boot an O/S flavor of your choice.

Sprint and Verizon have not blocked anything needed for establishing a VPN in my experience, 3G/4G LTE.

Title: Re: Help with IPSec/L2TP VPN server please
Post by: SecureComp on January 22, 2016, 11:32:47 am
Just as a followup to this;

IOS 9.x broke a lot of IPSec VPNs

The betas for 9.1.x and 9.2.x did not fix the problem.
The release versions of IOS 9.1.x and 9.2.1 have not fixed the problem.

Stay with IOS 8.3.x or 8.4.x if you want IPSec VPN working with your Almond+

This problem is not limited to the Almond+, many other networking products have experienced this issue.