There's a username and password for the VPN, but a pre-shared key for the tunnel. The 8900 is set up using these instructions:
1. Login to the router
2. Click on 'VPN >> VPN Account'
3. Add a name for your reference
4. Enter a username/password this will be used for authentication
5. Make sure the 'Tunnel' is enabled and 'Connection Type' is set to 'Remote Access'
6. Click on 'Add'
7. Click on 'IPSec'
8. Click on 'Add'
9. Enable 'L2TP over IPSec'
10. Enter a Connection Name for your reference
11. Tick the 'Anonymous' option for 'Remote Security Gateway'
12. Enter a 'Pre-Shared Key' this will be used for the tunnel
13. Click on 'Apply'
14. You will be reverted back to the 'IPSec' page
15. Enable 'NAT Traversal' and click on 'Apply'
16. Click on 'L2TP >> L2TP Server'
17. Enable 'L2TP'
18. WAN Interface should be 'Default or IPSec Tunnel'
19. Auth.Type = Chap
20. IP Addresses Assigned to Peer = an IP address outside the DHCP range, e.g. 192.168.1.200
21. Click on 'Apply'
Windows machine can connect fine using this:
Android settings are as follows.
I imagine it might be to do with the authentication type, but there appears to be no way to amend this (this is an Android One phone, so stock Android). Can you see anything in the above screenshot that is incorrect wrt the android settings?
I didn't quite follow your question above - were you suggesting setting up the router differently with just a VPN - whilst I'm sure this would work, it defeats the more secure solution I have set up at present.
Thanks!
LT2P VPN on 8900AX-1600 R2
-
- Posts: 19
- Joined: Fri Nov 17, 2017 10:08 pm
Re: LT2P VPN on 8900AX-1600 R2
-
- Posts: 5398
- Joined: Tue Jul 19, 2011 4:30 pm
Re: LT2P VPN on 8900AX-1600 R2
So I assume you have not added an exception group rule (see attached screen shot)
charliem wrote: ↑Tue Feb 05, 2019 9:29 pm
There's a username and password for the VPN, but a pre-shared key for the tunnel. The 8900 is set up using these instructions:
1. Login to the router
2. Click on 'VPN >> VPN Account'
3. Add a name for your reference
4. Enter a username/password this will be used for authentication
5. Make sure the 'Tunnel' is enabled and 'Connection Type' is set to 'Remote Access'
6. Click on 'Add'
7. Click on 'IPSec'
8. Click on 'Add'
9. Enable 'L2TP over IPSec'
10. Enter a Connection Name for your reference
11. Tick the 'Anonymous' option for 'Remote Security Gateway'
12. Enter a 'Pre-Shared Key' this will be used for the tunnel
13. Click on 'Apply'
14. You will be reverted back to the 'IPSec' page
15. Enable 'NAT Traversal' and click on 'Apply'
16. Click on 'L2TP >> L2TP Server'
17. Enable 'L2TP'
18. WAN Interface should be 'Default or IPSec Tunnel'
19. Auth.Type = Chap
20. IP Addresses Assigned to Peer = an IP address outside the DHCP range, e.g. 192.168.1.200
21. Click on 'Apply'
Windows machine can connect fine using this:
a.jpg
Android settings are as follows.
android2.jpg
I imagine it might be to do with the authentication type, but there appears to be no way to amend this (this is an Android One phone, so stock Android). Can you see anything in the above screenshot that is incorrect wrt the android settings?
I didn't quite follow your question above - were you suggesting setting up the router differently with just a VPN - whilst I'm sure this would work, it defeats the more secure solution I have set up at present.
Thanks!
Have you tried to add another VPN account with fewer characters for the password? (Maybe worth trying to set up one with the username = test1 and password = test1, to see if you can establish a connection.)
The phone settings look fine to me
-
- Posts: 19
- Joined: Fri Nov 17, 2017 10:08 pm
Re: LT2P VPN on 8900AX-1600 R2
I've tried a few things with this, but no joy.
Yes, I've set up a different VPN account/password, each using under 8 regular characters
I have been using 'exception' groupers, but have turned it off for testing. It makes little difference as the connection was being made, as per the log I posted, but it doesn't manage to set up a session.
Are we not bothered by the messages such as:
initial Aggressive Mode message from 21x.xxx.xxx.xxx but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
or
Feb 10 23:26:43 authpriv warn pluto[27258]: packet from 21x.xxx.xxx.xxx :1011: received Vendor ID payload [RFC 3947] method set to=115
Feb 10 23:26:43 authpriv warn pluto[27258]: packet from 21x.xxx.xxx.xxx :1011: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
or it always ending negotiation with:
Feb 10 23:26:51 daemon debug xl2tpd[27696]: check_control: Received out of order control packet on tunnel -1 (got 1, expected 0)
Feb 10 23:26:51 daemon debug xl2tpd[27696]: handle_packet: bad control packet!
Feb 10 23:26:56 daemon notice xl2tpd[27696]: Maximum retries exceeded for tunnel 34077. Closing.
Feb 10 23:26:56 daemon info xl2tpd[27696]: Connection 64337 closed to 21x.xxx.xxx.xxx, port 39xxx (Timeout)
Not that I know what they mean!
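Added example (not from the thread or from the vendor): classifying the pluto and xl2tpd lines quoted in the post above by layer, which shows the last error in the posted sequence sits on the L2TP control channel rather than in IKE. The labels, severities and function names are this example's own assumptions.

```python
import re
from collections import Counter

# Log lines copied from the post above, with addresses redacted as posted.
SAMPLE_LOG = """\
initial Aggressive Mode message from 21x.xxx.xxx.xxx but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
Feb 10 23:26:43 authpriv warn pluto[27258]: packet from 21x.xxx.xxx.xxx :1011: received Vendor ID payload [RFC 3947] method set to=115
Feb 10 23:26:43 authpriv warn pluto[27258]: packet from 21x.xxx.xxx.xxx :1011: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
Feb 10 23:26:51 daemon debug xl2tpd[27696]: check_control: Received out of order control packet on tunnel -1 (got 1, expected 0)
Feb 10 23:26:51 daemon debug xl2tpd[27696]: handle_packet: bad control packet!
Feb 10 23:26:56 daemon notice xl2tpd[27696]: Maximum retries exceeded for tunnel 34077. Closing.
Feb 10 23:26:56 daemon info xl2tpd[27696]: Connection 64337 closed to 21x.xxx.xxx.xxx, port 39xxx (Timeout)
"""

# (label, layer, severity, pattern). Labels and severities are this example's
# own grouping, not categories defined by pluto, xl2tpd or the router.
RULES = [
    ("ike_aggressive_refused", "ike", "error",
     re.compile(r"initial Aggressive Mode message from \S+ but no .*policy=PSK\+AGGRESSIVE")),
    ("ike_natt_vendor_id", "ike", "info",
     re.compile(r"received Vendor ID payload \[(?:RFC 3947|draft-ietf-ipsec-nat-t-ike-\d+)\]")),
    ("l2tp_out_of_order", "l2tp", "warn",
     re.compile(r"out of order control packet on tunnel (?P<tunnel>-?\d+) "
                r"\(got (?P<got>\d+), expected (?P<expected>\d+)\)")),
    ("l2tp_bad_control", "l2tp", "warn", re.compile(r"handle_packet: bad control packet")),
    ("l2tp_retries_exceeded", "l2tp", "error",
     re.compile(r"Maximum retries exceeded for tunnel \d+")),
    ("l2tp_closed_timeout", "l2tp", "error",
     re.compile(r"Connection \d+ closed to \S+, port \S+ \(Timeout\)")),
]

def classify(line):
    """Return a dict describing the first rule that matches, or None."""
    for label, layer, severity, pattern in RULES:
        match = pattern.search(line)
        if match:
            # Sequence/tunnel numbers are captured only by the out-of-order rule.
            fields = {k: int(v) for k, v in match.groupdict().items()}
            return {"label": label, "layer": layer, "severity": severity, **fields}
    return None

def triage(log_text):
    """Count events per label and report the layer of the last error seen."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    events = [e for e in map(classify, lines) if e]
    errors = [e["layer"] for e in events if e["severity"] == "error"]
    return {"counts": Counter(e["label"] for e in events),
            "last_error_layer": errors[-1] if errors else None,
            "unmatched": len(lines) - len(events)}
```
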
-
- Posts: 19
- Joined: Fri Nov 17, 2017 10:08 pm
Re: LT2P VPN on 8900AX-1600 R2
To add to the post above, I've also tried enabling a PPTP VPN.
Unlike L2TP, this works, but if it gives any clues to problem solving:
A) The only encryption available from Android 9.0 is "PPP encryption (MPPE)"
B) This requires Auth type (in PPTP section of router settings) to be set to "MS-CHAPv2"
It doesn't go anywhere toward getting L2TP running though!
I don't know if it is of any relevance, but the only authentication (in L2TP section of router settings) are pap or chap.
-
- Posts: 5398
- Joined: Tue Jul 19, 2011 4:30 pm
Re: LT2P VPN on 8900AX-1600 R2
I will check with our engineers and get back to you
charliem wrote: ↑Mon Feb 11, 2019 9:08 am
To add to the post above, I've also tried enabling a PPTP VPN.
Unlike L2TP, this works, but if it gives any clues to problem solving:
A) The only encryption available from Android 9.0 is "PPP encryption (MPPE)"
B) This requires Auth type (in PPTP section of router settings) to be set to "MS-CHAPv2"
It doesn't go anywhere toward getting L2TP running though!
I don't know if it is of any relevance, but the only authentication (in L2TP section of router settings) are pap or chap.
-
- Posts: 5398
- Joined: Tue Jul 19, 2011 4:30 pm
Re: LT2P VPN on 8900AX-1600 R2
I have just tested the L2TP over IPsec with a OnePlus 5T running Android v9.0
billion_fan wrote: ↑Mon Feb 11, 2019 10:21 am
I will check with our engineers and get back to you
charliem wrote: ↑Mon Feb 11, 2019 9:08 am
To add to the post above, I've also tried enabling a PPTP VPN.
Unlike L2TP, this works, but if it gives any clues to problem solving:
A) The only encryption available from Android 9.0 is "PPP encryption (MPPE)"
B) This requires Auth type (in PPTP section of router settings) to be set to "MS-CHAPv2"
It doesn't go anywhere toward getting L2TP running though!
I don't know if it is of any relevance, but the only authentication (in L2TP section of router settings) are pap or chap.
Everything worked fine. (see attached screen shots)
-
- Posts: 5398
- Joined: Tue Jul 19, 2011 4:30 pm
Re: LT2P VPN on 8900AX-1600 R2
I also tested it with my Samsung note 3 running older android version 5, and it works fine (same credentials)