MG21 and User VPN
I have an MX64W and a cellular gateway MG21 connected to the WAN port.
The SIM card in the MG21 has a public IP (not a NAT IP).
I am trying to activate user VPN but have no luck making it work.
The MX64 has an address from the MG21 (172.31.128.4).
I have set up a port forward on the MG21:
UDP 500, UDP 4500 and TCP 1701 from the MG to 172.31.128.4.
Allowed remote IP: all
But still no luck.
I am not even sure that this is going to work.
Can someone who has made this work please tell me what I am doing wrong?
Make a packet capture on the MG WAN interface. Then try to connect to the client VPN. Look in the capture to see if you see connections from that client's public IP.
If you don't see them, maybe the provider filters traffic on those ports.
Yes, I see connections from my computer's public IP to the cellular public IP.
Something is happening, but I am not sure what.
User Datagram Protocol, Src Port: 1011, Dst Port: 500
User Datagram Protocol, Src Port: 500, Dst Port: 1011
User Datagram Protocol, Src Port: 64916, Dst Port: 4500
User Datagram Protocol, Src Port: 4500, Dst Port: 64916
Among others.
What you see here is a "normal" IKE exchange when there is NAT involved. That looks OK. Any event logs for client VPN?
Do you see something similar when you capture on the MX WAN interface? It really should, but better to confirm.
Yes, I see pretty much the same.
User Datagram Protocol, Src Port: 500, Dst Port: 1011
User Datagram Protocol, Src Port: 64916, Dst Port: 4500
So you have to look at the MX event log. It should have some logging about the connection.
Yes, I have.
For example:
msg: <l2tp-over-ipsec-1|10> closing CHILD_SA net-1{31} with SPIs c46d0b0c(inbound) (0 bytes) 2101bf06(outbound) (0 bytes) and TS 172.31.128.4/32[udp/l2f] === [my-public-ip][udp/l2f] |
The log shows this.
Looks like it is working now.
I found something about AssumeUDPEncapsulationContextOnSendRule.
I put it in the registry with value 3, rebooted and tried again.
Voila, it works 🙂
Thank you for your help in troubleshooting.
I learned a lot, actually.
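The registry change the poster describes is the Windows L2TP/IPsec client's NAT-T policy: by default the built-in client refuses to build an IPsec SA when it detects the server behind a NAT (here the MG21 forwarding to the MX at 172.31.128.4), and the capture above (UDP 500 followed by UDP 4500) shows exactly that NAT-detected path. The following is an added example, not code from the thread or from Meraki: an elevated PowerShell snippet that reads the current value, sets it, and reports that a reboot is still needed. The key path and the documented meanings 0/1/2 are from Microsoft's documentation of this value (KB 926179); the poster reports success with 3, so the value assigned to `$value` is an assumption you can change to match.

```powershell
# Added example (not from the original thread): set the Windows IPsec NAT-T
# policy for the built-in L2TP/IPsec client. Run from an elevated PowerShell
# session on the VPN client; the change only takes effect after a reboot.

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$name = 'AssumeUDPEncapsulationContextOnSendRule'

# Documented values (Microsoft KB 926179):
#   0 = do not assume NAT (default; connection fails when the server is behind NAT)
#   1 = server is behind a NAT device
#   2 = server and client are both behind NAT devices
# The poster in the thread reports success with 3. $value is an assumption; adjust as needed.
$value = 2

# Read the current setting (the value does not exist on a default install).
$before = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $before) {
    Write-Host "$name is not set (Windows behaves as if it were 0)"
} else {
    Write-Host "Current $name = $before"
}

# Create the REG_DWORD if absent, otherwise update it in place.
if ($null -eq $before) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $value | Out-Null
} else {
    Set-ItemProperty -Path $key -Name $name -Value $value
}

$after = (Get-ItemProperty -Path $key -Name $name).$name
Write-Host "New $name = $after (reboot the client for this to take effect)"
```

Before applying it, confirm the symptom matches: a capture on the MX WAN that shows UDP 500 and 4500 arriving and the MX event log reporting the CHILD_SA being closed with 0 bytes in both directions is the NAT-detection failure this value addresses; if the packets never reach the MG WAN at all, the provider is filtering and no client-side change will help.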
Another Test: Is the public IP that the MG reports the same as the IP on the MG interface? Just because there is a public IP on the interface does not automatically say that there is no NAT at the provider involved.
Yes, the SIM card was getting a NAT address at first.
I contacted the provider and they changed it.
From a 10.x.x.x address to a 37.3.x.x address.
I have another SIM card with the same setup from the same provider in an ASUS 4G router, and that works fine.