Connecting iphones via L2TP to SE server

[Rouzah]

Hello,

i have a very hard time connecting iphones to the SE VPN server on my Win 10 machine via L2TP. Two separate people tried to connect via their iphones to the server with the same result:



I could connect to the server with my android (has no L2TP) after downloading the OpenVPN app.

Which ports do i have to open for L2TP? Do i have to open port 443, as well? I have opened 4500 tcp/udp, 1701 tcp/udp, 500 tcp/udp

Is it even possible to connect SE to an iphone? Maybe there was iOS update.

[shakibamoshiri]

Hello,

i have a very hard time connecting iphones to the SE VPN server on my Win 10 machine via L2TP. Two separate people tried to connect via their iphones to the server with the same result:



I could connect to the server with my android (has no L2TP) after downloading the OpenVPN app.

Which ports do i have to open for L2TP? Do i have to open port 443, as well? I have opened 4500 tcp/udp, 1701 tcp/udp, 500 tcp/udp

Is it even possible to connect SE to an iphone? Maybe there was iOS update.

First
could be that your ISP has blocked L2TP protocol
So you can do nothing and switch different nets to test if others fail or no

Second
could be net issues from your point (client IP) to endpoint (Server IP)
So try trace-route from your IP to the SE server IP.
If you saw "packet loss" usually +10%, this could be the cause

Third
could be Firewall on SE server so make sure ports are open

[shakibamoshiri]

First
could be that your ISP has blocked L2TP protocol
So you can do nothing and switch different nets to test if others fail or no

Second
could be net issues from your point (client IP) to endpoint (Server IP)
So try trace-route from your IP to the SE server IP.
If you saw "packet loss" usually +10%, this could be the cause

Third
could be Firewall on SE server so make sure ports are open

I tested (1)
- the same SE server
- the same user and configuration
- the same network (slow network)

iPhone L2TP failed and gave me that error you posted
Android L2TP connected

I tested (2)
- the same SE server
- the same user and configuration
- the same network (fast network)

iPhone L2TP connected
Android L2TP connected

So it could be
- net speed
- iPhone issue

Also I have tested L2TP on Old Android devices with andoird-4.0.1 and L2TP worked well.

[Rouzah]

Thanks a lot for your help!



As you say it might be their net speed issue, but then again,i also asked a person with iphone here in Europe (fast connection) to connect to the L2TP server and they couldn't. Same error message.

How did you connect your iphone to the server? Is it an old iOs, maybe?

Firewall ports are open (win 10 firewall). Ports are forwarded in router, as well. I will call the ISP and ask if they have blocked L2TP.

And android doesnt have L2TP function anymore. Only IKEv2. I can't test connection to my server with my android (i only have android) via L2TP. I have latets android on my samsung. Is there a way to use L2TP on latest android version?

I will try traceroute somehow (not familiar with it).



I'm really stuck. I need help.

Do you have any suggestions?

[shakibamoshiri]

Thanks a lot for your help!



As you say it might be their net speed issue, but then again,i also asked a person with iphone here in Europe (fast connection) to connect to the L2TP server and they couldn't. Same error message.

How did you connect your iphone to the server? Is it an old iOs, maybe?

Firewall ports are open (win 10 firewall). Ports are forwarded in router, as well. I will call the ISP and ask if they have blocked L2TP.

And android doesnt have L2TP function anymore. Only IKEv2. I can't test connection to my server with my android (i only have android) via L2TP. I have latets android on my samsung. Is there a way to use L2TP on latest android version?

I will try traceroute somehow (not familiar with it).

I'm really stuck. I need help.

Do you have any suggestions?

With more testing I could solve it and it might be true for you .
My iPhone is old one (bought just for testing) and the WIFI connectivity is not stable, so I set IP manually for WIFI and there was a typo with subnet.
with the typo it gave me the exact same error as yours. First I thought it could be because of slow speed but more investigation I found the typo, fixed and L2TP connected.

So based on this it could be network misconfiguration

Android 11 has L2TP yet, so try it on old versions

[Rouzah]

Hello,

thanks for your help ! I really appreciate it!

Yes, i also have the suspicion that here might be something wrong in the server configs, especially in NAT settings.

When NAT is running, i see:

n1.png

n2.png

n3.png

Also, one thing that i noticed is that the IP of the NAT server in my router is different than the IP of NAT in SE settings.

[Rouzah]

It seems that i cannot post more than 3 screenshots in one post, so i must make a second post.

Here you see that the SE NAT ip in router is different than the ip in SE NAT configs:

nat cfg.png

in router:



Do you see anything wrong in the configs here?

Thanks

[shakibamoshiri]

It seems that i cannot post more than 3 screenshots in one post, so i must make a second post.

Here you see that the SE NAT ip in router is different than the ip in SE NAT configs:

nat cfg.png

in router:



Do you see anything wrong in the configs here?

Thanks

No, there is no issue with this NAT

The error you posted mainly means your devices cannot find/get to SE server.
As I said,, try the same user configuration
- with different network
- with different device

[Rouzah]

Thanks for your reply,

1. which ports did you open in router/firewall for L2TP to work?

2. In my router settings, i see 3 devises. My PC, phone and SecNat " securenat-da28e5... " as you see in the screenshot. Do i have to open any ports for " securenat-da28e5... " in the router? I have only opened ports for my PC "DESKTOP-...".

decices_in_router.png

PS: Also i asked my ISP if they have blocked L2TP. I am waiting for their reply! That being said, if i check L2TP Ports, i see that they're successfully have been opened in router/firewall. So maybe this means that my ISP has not blocked L2TP.

edit: my ISP just called me. They don't block anything.

[shakibamoshiri]

Thanks for your reply,

1. which ports did you open in router/firewall for L2TP to work?

2. In my router settings, i see the " securenat-da28e5... " as you see in the screenshot. Do i have to open any ports for it?

PS: Also i asked my ISP if they have blocked L2TP. I am waiting for their reply! That being said, if i check L2TP Ports, i see that they're successfully have been opened in router/firewall. So maybe this means that my ISP has not blocked L2TP.

edit: my ISP just called me. They don't block anything.

You did not mention which OS you have; or you run SE server on?

A4Q1
My FW is open, but usually I open these ports
- dns => 53
- dhcp => 67-68
- http => 80
- https => 443
- telnet => 992
- ? => 500
- ? => 4500

SE server by defaults listens on these ports
- TCP 443, 992, 1194, 5555
- UDP: 1194

A4Q2
I do not have a custom router; are you using SE server behind your own router ? or a VM (virtual machine) provider?
If you run SE server on your local machine or local network then "yes" you should enable something which is called:
- virtual servers or
- port forwarding
on your router to allowing incoming traffic for required ports.

If I were you
-> setting up SE server and try to connect via L2TP (just local test and local network, no FW)
-> if everything went well, then the same configuration somewhere else with some other networks (you can copy: vpn_server.config file or save it via SE manager)

A4E
Good news they did not block it, but we should not trust them and you should test it.

[Rouzah]

Hello shakibamoshiri,

thank you very much for your reply! I really appreciate it!

I am using a Windows 10 Pro x64 machine. My own PC here. So yes, a local machine.
My router is Fritzbox 6660 Cable
I did port forwarding in my router. I tested with port checking services and the ports were successfully open. As i said i forwarded ports for my PC in Lan, not for SecNat in Lan.

You did not have to forward/open 1701? This is the port for L2TP, right?

PS: I installed OpenVPN app on my android and i could connect to the SE server. But i need the app-free method. Legacy L2TP.


You said:

"If I were you
-> setting up SE server and try to connect via L2TP (just local test and local network, no FW)"

How can i do this? My android doesn't have L2TP. Is there a web/windows service to do this test?

edit: i even completely shut off my router firewall (full expose) and shut off windows firewall, then asked the person with the iphone to connect.. and he got still the same 'unreachable' error message.

edit2: your encryption algorithm setting was at default AES128-SHA? I read iphones were finicky about this setting.

What is there left? Why can't this server connect via L2TP (unreachable)?
- isp doesnt block l2tp
- router + firewall full open
- Nat is on

[shakibamoshiri]

Hello shakibamoshiri,

thank you very much for your reply! I really appreciate it!

I am using a Windows 10 Pro x64 machine. My own PC here. So yes, a local machine.
My router is Fritzbox 6660 Cable
I did port forwarding in my router. I tested with port checking services and the ports were successfully open. As i said i forwarded ports for my PC in Lan, not for SecNat in Lan.

You did not have to forward/open 1701? This is the port for L2TP, right?

PS: I installed OpenVPN app on my android and i could connect to the SE server. But i need the app-free method. Legacy L2TP.


You said:

"If I were you
-> setting up SE server and try to connect via L2TP (just local test and local network, no FW)"

How can i do this? My android doesn't have L2TP. Is there a web/windows service to do this test?

edit: i even completely shut off my router firewall (full expose) and shut off windows firewall, then asked the person with the iphone to connect.. and he got still the same 'unreachable' error message.

edit2: your encryption algorithm setting was at default AES128-SHA? I read iphones were finicky about this setting.

What is there left? Why can't this server connect via L2TP (unreachable)?
- isp doesnt block l2tp
- router + firewall full open
- Nat is on

First you did not tell
1. where do you run (have setup) SE server
- on a cloud provider (e.g Digital-Ocean)
- on a VM with public IP address
- on your own computer with your ISP IP address
- etc

1. where does the client try to connect from ?
- on your home network
- completely somewhere else
- etc

My router is Fritzbox 6660 Cable

if SE server is running on your local machine you need to modify routers settings, otherwise no need

You did not have to forward/open 1701? This is the port for L2TP, right?

No, I never used this port and cannot remember it was required by SE server

PS: I installed OpenVPN app on my android and i could connect to the SE server. But i need the app-free method. Legacy L2TP.

If OpenVPN could connected, L2TP can connect too (if Enabled)

setting up SE server and try to connect via L2TP (just local test and local network, no FW)

I thought this is you case
Just install SE server on you machine and access it locally.
For example your IP is 192.168.1.100
You install SE server on your machine and 192.168.1.100 will be your SE server IP address
After setting up SE server configuration (for test purposes) you can connect to 192.168.1.100 using
- L2TP
- OpenVPN
- WireGuard (if you used SE server DE version)

your encryption algorithm setting was at default AES128-SHA

Yes, this is default. And this is not the issue and no need to change it.

What is there left? Why can't this server connect via L2TP

Answer question 1 and 2 I asked

[Rouzah]

Hello shakibamoshiri ,

thank you for your reply!

Here are the answers that you need. If you have more questions, don't hesitate to ask, please.

1. where do you run (have setup) SE server?
On my own computer with my ISP IP address.


2. where does the client try to connect from ?
The clients are completely somewhere else. One is in Europe. The other one in the middle east.



if SE server is running on your local machine you need to modify routers settings, otherwise no need
I did port forwarding in the router. Do i need to do other changes in the router?

PS: Of course L2TP and L2TP/IPsec are enabled in SE.

letp se.png

[shakibamoshiri]

Hello shakibamoshiri ,

thank you for your reply!

Here are the answers that you need. If you have more questions, don't hesitate to ask, please.

1. where do you run (have setup) SE server?
On my own computer with my ISP IP address.


2. where does the client try to connect from ?
The clients are completely somewhere else. One is in Europe. The other one in the middle east.



if SE server is running on your local machine you need to modify routers settings, otherwise no need
I did port forwarding in the router. Do i need to do other changes in the router?

PS: Of course L2TP and L2TP/IPsec are enabled in SE.

letp se.png

I answered your question
https://www.vpnusers.com/viewtopic.php?f=7&t=68078
and I think it could solve your issue . wait till the answer is approved and shown.

then update ether here or there

[Rouzah]

Thanks a lot for your reply,

i answered you in the other thread.


I have one question, though. Is there any other software (other than SE) that has legacy L2TP protocol (client does not need app)?

[shakibamoshiri]

Thanks a lot for your reply,

i answered you in the other thread.


I have one question, though. Is there any other software (other than SE) that has legacy L2TP protocol (client does not need app)?

1. Yes, there is a project on Github
see the list
https://github.com/search?o=desc&q=vpn& ... positories

project
https://github.com/hwdsl2/setup-ipsec-vpn

I did not test this but as the starts implies many have used it

2. mikrotik RouterOS
https://mikrotik.com/
I have tested
it is easy to setup (if you can buy or install it locally)
Note that you do not have to buy the router (hardware) you can download in install their OS which is call RouterOS