T3200M L2TP VPN using TL-R600VPN

xBCTel
Neighbour

TL-R600VPN provides VPN servers for both PPTP and L2TP/IPSec ... I have been able to get the PPTP Server to work ... but .... L2TP (the preferred mode of operation) is not working ... reading through the Telus Neighbourhood there seems to be a common thread of L2TP connection issues ... I haven't found anyone with a solution other than either changing Service Providers or Services ... Is there any notion of Telus providing a workable update for the T3200M or providing another modem that will provide a workable VPN solution?
Details:

T3200M F/W 31.164L.16 provides 3 options which theoretically should provide the ability for L2TP to work ... however ... all 3 options fail to work, each with their own quirks.
1) DMZ ... the T3200M is NOT providing a pure DMZ ... DMZ is supposed to be completely transparent to the downstream device, i.e. this device should see the INTERNET IP address ... the T3200M is apparently still doing a NAT translation to an INTRANET IP Address assigned to the downstream device, which I understand isn't allowed with the L2TP protocol (the TL-R600VPN explicitly states that it MUST NOT have a NAT between the Internet and the WAN port for L2TP to work)
2) under Firewall - Port Forwarding ... the T3200M can forward ports UDP 500 and UDP 4500, but doesn't provide any way to add a protocol 50 ESP rule
3) under Firewall - Applications ... the T3200M provides an IPSEC L2TP application that presumably provides the required port forwarding with rules that include the Protocol 50 ESP ... BUT ... looking at the port forwarding after this application is applied only shows port 500 was forwarded (suggesting the rules weren't fully applied) ... AND ... if the T3200M reboots, both the Application and the Port Forwarding settings are destroyed (if these settings aren't static, then Applications aren't reliable)
As stated above, PPTP does work but isn't recommended due to its known security vulnerabilities ... PPTP is provided via Advanced ALG PPTP Enable + Port Forwarding Port TCP 1723 to your VPN Server device
  • For PPTP:
    • IP Protocol=TCP, TCP Port number=1723   <- Used by PPTP control path
    • IP Protocol=GRE (value 47)   <- Used by PPTP data path
  • For L2TP:
    • IP Protocol Type=UDP, UDP Port Number=500    <- Used by IKEv1 (IPSec control path)
    • IP Protocol Type=UDP, UDP Port Number=4500   <- Used by IKEv1 (IPSec control path)
    • IP Protocol Type=ESP (value 50)   <- Used by IPSec data path
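As an added example (not code from this thread, from Actiontec or from TP-Link), a small Python audit that compares a router's forwarding table against the rule list above, reports which required entries are missing, and flags rules that disappeared after a reboot; the one-rule-per-line text format of the table is an assumption of the example.

```python
"""Audit a consumer router's port-forwarding table against the rules a
PPTP or L2TP/IPsec VPN server behind it needs (example code, not from the
thread or either vendor)."""

# IANA protocol numbers for the rule types discussed in the thread.
PROTO_NUM = {"TCP": 6, "UDP": 17, "GRE": 47, "ESP": 50}

# Rules each VPN type needs, as listed at the end of the opening post.
# A port of None means the whole IP protocol must be passed through.
REQUIRED = {
    "PPTP": {("TCP", 1723), ("GRE", None)},
    "L2TP/IPsec": {("UDP", 500), ("UDP", 4500), ("ESP", None)},
}


def parse_rules(table):
    """Parse a constructed text dump of forwarding rules, one per line,
    e.g. 'UDP 4500' or 'ESP' (assumed format). Returns (protocol, port) tuples."""
    rules = set()
    for line in table.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        proto = parts[0].upper()
        if proto not in PROTO_NUM:
            raise ValueError(f"unknown protocol in rule: {line!r}")
        port = int(parts[1]) if len(parts) > 1 else None
        rules.add((proto, port))
    return rules


def _order(rule):
    return (PROTO_NUM[rule[0]], rule[1] or 0)


def missing_rules(vpn, rules):
    """Required (protocol, port) entries absent from `rules`, in stable order."""
    return sorted(REQUIRED[vpn] - rules, key=_order)


def lost_after_reboot(before, after):
    """Rules present before a reboot but gone afterwards, i.e. the
    persistence problem described for the Applications feature."""
    return sorted(before - after, key=_order)


# Constructed sample matching the thread: after applying the 'IPSEC L2TP'
# application only UDP 500 shows up, and after a reboot nothing remains.
AFTER_APPLICATION = parse_rules("UDP 500")
AFTER_REBOOT = parse_rules("")

if __name__ == "__main__":
    print("missing for L2TP/IPsec:", missing_rules("L2TP/IPsec", AFTER_APPLICATION))
    print("lost after reboot:", lost_after_reboot(AFTER_APPLICATION, AFTER_REBOOT))
```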
rc
Ambassador

Have you tried port bridge mode on the Actiontec?

xBCTel
Neighbour

Ok, interesting, so, PORT 1 in bridged mode, appears to do what I expected DMZ to do ... with one caveat ... the T3200M Dashboard is now unavailable to the downstream router. Presume the modem will now have to be set for remote access.
rc
Ambassador

Your options to access the Actiontec dashboard are by connecting to it via its WiFi network or a remote connection.

As you found out, makers of consumer routers misuse the DMZ term and do not provide a "true DMZ".

xBCTel
Neighbour

Thanks ... as all LAN functions are delegated to downstream devices, WiFi included, the Actiontec T3200M (WiFi turned off) is just being used as a modem for Internet use, so I will have to either enable remote management OR physically move the WAN from Port 1 to Port 2 when I need to access the Dashboard ... if it weren't for the TV devices plugged in to the T3200M (PVR and Cisco wireless extender for TV boxes) I could probably bypass the T3200M altogether. Not sure what RULES Telus has added to the T3200M; regardless, I would rather not tie up 1G ports on my downstream router or share bandwidth via the WAN port, even if it were possible to move these to the LAN side of MY router.

xBCTel
Neighbour

Update ... this Telus router has no option for remote management available to us (the users), so the only way to manage the router once in bridged mode is to manually plug a PC into one of the other LAN ports on the Telus router.