L2TP VPN connection issues

I'm using Windows L2TP VPN (2019). The WatchGuard firewall has the appropriate ports (and more) open (500, 1701, 1723, 4500, GRE, ESP, AH).

There's an issue with the VPN connections. I am able to connect to the VPN if I'm the first user. When subsequent users connect, I am unable to ping the VPN server's local IP (10.x.x.x) through the VPN for about 30 seconds, and neither is the 2nd VPN user. After the 30 seconds both clients' pings start receiving replies again.

When I try to connect with an Android phone that timeout period is long enough that the connection fails.

I set up the VPN exactly the same as at other locations that are working. The only difference is the WatchGuard firewall. Does anyone know of a setting or issue on the WatchGuard that could be the cause?

Thanks
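One way to confirm and time the 30-second drop described above (an added diagnostic example, not code from the thread or from WatchGuard): parse timestamped `ping -D` output for gaps in icmp_seq and match each gap against the VPN server's client-connection times. The log lines, the 10.0.0.5 address and the connection events below are constructed samples.

```python
import re

# `ping -D` prints an epoch timestamp in brackets before each reply line.
PING_RE = re.compile(r"^\[(?P<ts>\d+\.\d+)\].*icmp_seq=(?P<seq>\d+)")

def parse_ping(lines):
    """Return [(seq, timestamp)] from `ping -D`-style output; other lines are ignored."""
    out = []
    for line in lines:
        m = PING_RE.match(line)
        if m:
            out.append((int(m["seq"]), float(m["ts"])))
    return out

def outage_windows(replies, interval=1.0):
    """Turn gaps in icmp_seq into (start, end, missing) outage windows.

    `interval` is the ping interval in seconds; the window starts one interval
    after the last good reply and ends at the first reply after the gap."""
    windows = []
    for (pseq, pts), (seq, ts) in zip(replies, replies[1:]):
        missing = seq - pseq - 1
        if missing > 0:
            windows.append((pts + interval, ts, missing))
    return windows

def correlate(windows, connections, lookback=15.0):
    """Attach to each window the user whose connection started within `lookback`
    seconds before the outage (or during it); None if no connection matches."""
    result = []
    for start, end, missing in windows:
        culprit = None
        for cts, user in connections:
            if start - lookback <= cts <= end:
                culprit = user
        result.append({"start": start, "duration": end - start,
                       "missing": missing, "connection": culprit})
    return result

BASE = 1_713_180_000.0  # constructed epoch base for the sample data
# Constructed ping log: one reply per second to the VPN server; replies 10..39 never arrive.
PING_LOG = [f"[{BASE + s - 1:.3f}] 64 bytes from 10.0.0.5: icmp_seq={s} ttl=128 time=12.1 ms"
            for s in range(1, 50) if not 10 <= s <= 39]
# Constructed connection events from the VPN server, as (epoch, user).
CONNECTIONS = [(BASE - 120.0, "alice"), (BASE + 9.5, "bob")]

def report(ping_log=PING_LOG, connections=CONNECTIONS):
    return correlate(outage_windows(parse_ping(ping_log)), connections)

if __name__ == "__main__":
    for w in report():
        print(f"outage at +{w['start'] - BASE:.0f}s lasting {w['duration']:.0f}s "
              f"({w['missing']} lost), after connection by {w['connection']}")
```

Feed it a real `ping -D` capture from an already-connected client and the server's connection log to check whether every outage lines up with a new client joining.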

Comments

  • *L2TP/IPSEC with PSK

  • For the record, what firewall model do you have and what XTM version is it running?

    Have you set up L2TP in the firewall config?
    If so,
    "When you activate Mobile VPN with L2TP, two policies are automatically created:
    - WatchGuard L2TP — This L2TP policy allows L2TP traffic to the Firebox.
    - Allow L2TP-Users — This policy allows the groups and users you configured for L2TP authentication to get access to resources on your network. By default, this policy allows access to all network resources."
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/l2tp/l2tp_vpn_policies_c.html

    So, you do not have to open other ports on the firewall to allow remote L2TP client access.

    If not, then do so. Read the L2TP sections of the docs:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/l2tp/l2tp_vpn_about_c.html

    Have you added sufficient IP addresses to the L2TP IP address pool for the max expected concurrent L2TP users?

  • XTM515 with 11.11.2.B508770

    I'm not using the VPN on the WatchGuard. It's passing through to a Windows 2019 server VPN. The WatchGuard VPN wouldn't connect consistently with any device type. Currently the Windows clients connect consistently, but it's odd that connection attempts cause other existing clients to also drop packets for about 30 seconds.

    There are 20 IPs available for VPN clients but we probably don't need more than 10. The most concurrent we've had is 3.

    There's a firewall policy on the WatchGuard for Any external to the Windows 2019 server with ports (500, 1701, 1723, 4500, GRE, ESP, AH) open.

    I was thinking the WatchGuard could be the issue, as the VPN on it was having issues and I have the same Windows VPN setup at other locations that don't have this issue. The only difference is the WatchGuard.

    Thanks

  • James_Carson WatchGuard Representative

    If those policies still exist, the VPN is on inside the WatchGuard -- if you want to use another server, go into the VPN (VPN -> Mobile VPN -> L2TP) and turn it off. That should stop the firewall from terminating that traffic at the firewall.

    -James Carson
    WatchGuard Customer Support

  • James_Carson WatchGuard Representative
    edited April 15

    Additionally, 11.11.2 is very old, and enhancements have been made to the VPNs since.

    While I'm perfectly happy to help support whatever works best for you, if you wanted the firewall to handle this and are doing it as a workaround, I'd suggest upgrading fireware on the firewall itself to 12.1.3 (the latest version for XTM 5 series devices) and trying with it there.

    -James Carson
    WatchGuard Customer Support

  • James_Carson WatchGuard Representative
    edited April 15

    (edited the above into one post)

    -James Carson
    WatchGuard Customer Support

  • I have all the WatchGuard's VPNs turned off. I'd like to upgrade the XTM, but the system won't let me upgrade it without a key, and I don't know if or when I could get a purchase approved for it, considering it's a school. Thanks
