Manuel Roccon

ICT & Cyber Security Specialist

Ubiquiti EdgeRouter – VPN problem on Windows 8/10

After enabling the L2TP/IPsec VPN by following the guide below, Windows clients cannot connect, even though the same VPN works perfectly from Mac OS.

https://help.ubnt.com/hc/en-us/articles/204950294-EdgeRouter-L2TP-IPsec-VPN-Server

To fix this problem you need to add a registry key.

Open the Windows 10 Registry Editor (WIN+R > regedit).

Go to the following path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent

Create a DWORD (32-bit) value named:

AssumeUDPEncapsulationContextOnSendRule

Set the DWORD value to 2 and restart the PC.
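The same registry change, as an added PowerShell example (not code from the original post) for administrators who prefer not to click through regedit. It reads the current value first so it can be run repeatedly, and it only reports that a reboot is needed rather than rebooting on its own. The function names Get-NatTRule and Set-NatTRule are this example's own; the key path, value name and value 2 are the ones given above.

```powershell
# Added example (not from the original post): apply the L2TP/IPsec NAT-T
# registry fix for Windows 8/10 clients idempotently and report what changed.
# Run from an elevated PowerShell prompt; a reboot is still required afterwards.

$Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$Name  = 'AssumeUDPEncapsulationContextOnSendRule'
$Value = 2   # 2 = allow IPsec NAT-T when both client and server are behind NAT

function Get-NatTRule {
    # Returns the current DWORD value, or $null when the value does not exist yet.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Set-NatTRule {
    # Returns $true when the registry was changed, $false when nothing had to be done.
    $current = Get-NatTRule
    if ($current -eq $Value) {
        Write-Host "$Name is already $Value; nothing to do."
        return $false
    }
    if (-not (Test-Path $Path)) {
        throw "Registry key $Path not found; is the IPsec Policy Agent service installed?"
    }
    # New-ItemProperty creates the value; -Force overwrites a wrong existing value.
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    $was = if ($null -eq $current) { 'absent' } else { $current }
    Write-Host "$Name set to $Value (was: $was). Reboot the PC for the Policy Agent to pick it up."
    return $true
}

Set-NatTRule
```

The value is read by the IPsec Policy Agent service when it starts, which is why the post's last step (restart the PC) is still needed after running this.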

The last step is to test and verify that L2TP traffic arrives on the external interface. After starting the VPN connection from the client, check the connection from the router CLI with the following commands:

1. The IPsec security associations (SAs):

show vpn ipsec sa
remote-access: #545, ESTABLISHED, IKEv1, b0a8c5df5ff1b225:a251946b15ebaaae
local '203.0.113.1' @ 203.0.113.1
remote '172.16.0.50' @ 192.0.2.1
AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
established 351s ago
remote-access: #17, INSTALLED, TRANSPORT-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96
installed 8 ago
in cd49a319, 0 bytes, 0 packets
out 47a8a786, 0 bytes, 0 packets
local 76.237.8.193/32[udp/l2f]
remote 192.0.2.1/32[udp/l2f]

2. The remote-access users and interfaces:

show vpn remote-access 
Active remote access VPN sessions:

User Time Proto Iface Remote IP TX pkt/byte RX pkt/byte
---------- --------- ----- ----- --------------- ------ ------ ------ ------
ubnt 00h01m22s L2TP l2tp0 192.168.100.240 4 58 86 7.4K

show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
l2tp0 10.255.255.0 u/u User: ubnt (192.168.100.240)

3. The L2TP VPN logs:

show vpn log tail
[IKE] <14> 192.0.2.1 is initiating a Main Mode IKE_SA
[IKE] IKE_SA remote-access[14] established ...
[IKE] CHILD_SA remote-access{4} established with SPIs ...
[KNL] 10.255.255.0 appeared on ppp0

sudo swanctl --log
04[NET] received packet: from 192.0.2.1[500] to 203.0.113.1[500] (408 bytes)
04[IKE] 192.0.2.1 is initiating a Main Mode IKE_SA
12[IKE] remote host is behind NAT
09[CFG] looking for pre-shared key peer configs matching 203.0.113.1...192.0.2.1[172.16.0.50]
09[CFG] selected peer config "remote-access"
09[IKE] IKE_SA remote-access[15] established between ...
04[IKE] CHILD_SA remote-access{5} established with SPIs ...
05[KNL] 10.255.255.0 appeared on ppp0

4. L2TP traffic arriving on the external WAN interface:

sudo tcpdump -i eth0 -n udp dst port 500 or port 1701 or port 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
07:51:19.400846 IP 192.0.2.1.500 > xxx.xxx.xxx.xxx.500: isakmp: phase 1 I ident
07:51:19.405109 IP xxx.xxx.xxx.xxx.500 > 192.0.2.1.500: isakmp: phase 1 R ident
07:51:19.658508 IP 192.0.2.1.500 > xxx.xxx.xxx.xxx: isakmp: phase 1 I ident
07:51:19.715406 IP xxx.xxx.xxx.xxx > 192.0.2.1.500: isakmp: phase 1 R ident
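An added PowerShell example (not from the original post) that interprets the "show vpn ipsec sa" output from step 1 above, so the checks in steps 1 and 3 can be read mechanically: phase 1 established, phase 2 installed, whether ESP is carried inside UDP (NAT traversal, the situation the registry value addresses), and whether any packets have actually flowed. The sample text is a constructed copy of the output shown above; the function name Test-L2tpIpsecSa is this example's own.

```powershell
# Added example (not from the original post): parse EdgeRouter 'show vpn ipsec sa'
# output and summarise the state of the remote-access tunnel.

# Constructed sample, copied from the output shown in step 1 of the post.
$SampleSa = @'
remote-access: #545, ESTABLISHED, IKEv1, b0a8c5df5ff1b225:a251946b15ebaaae
local '203.0.113.1' @ 203.0.113.1
remote '172.16.0.50' @ 192.0.2.1
AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
established 351s ago
remote-access: #17, INSTALLED, TRANSPORT-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96
installed 8 ago
in cd49a319, 0 bytes, 0 packets
out 47a8a786, 0 bytes, 0 packets
'@

function Test-L2tpIpsecSa {
    param([string]$Text)
    $result = [ordered]@{
        IkeEstablished = $false   # phase 1 (IKE_SA) is up
        ChildInstalled = $false   # phase 2 (CHILD_SA / ESP) is up
        NatTraversal   = $false   # ESP encapsulated in UDP: a NAT sits between client and router
        InnerId        = $null    # client's private address, as sent through the NAT
        OuterIp        = $null    # public address the router actually sees
        InPackets      = 0
        OutPackets     = 0
    }
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\S+: #\d+, ESTABLISHED, IKEv') { $result.IkeEstablished = $true }
        if ($line -match '^\S+: #\d+, INSTALLED') {
            $result.ChildInstalled = $true
            if ($line -match 'in-UDP') { $result.NatTraversal = $true }
        }
        if ($line -match "^remote '([^']+)' @ (\S+)") {
            $result.InnerId = $Matches[1]
            $result.OuterIp = $Matches[2]
        }
        if ($line -match '^in \w+, \d+ bytes, (\d+) packets')  { $result.InPackets  = [int]$Matches[1] }
        if ($line -match '^out \w+, \d+ bytes, (\d+) packets') { $result.OutPackets = [int]$Matches[1] }
    }
    return [pscustomobject]$result
}

$r = Test-L2tpIpsecSa -Text $SampleSa
$r | Format-List

if ($r.NatTraversal -and $r.InnerId -ne $r.OuterIp) {
    Write-Host "Client is behind NAT ($($r.InnerId) seen as $($r.OuterIp)); Windows clients need AssumeUDPEncapsulationContextOnSendRule set."
}
if ($r.IkeEstablished -and $r.ChildInstalled -and ($r.InPackets + $r.OutPackets) -eq 0) {
    Write-Host "IPsec is up but no ESP packets yet: L2TP has not started inside the tunnel, re-run after the PPP session comes up."
}
```

For the sample above the summary shows both SAs up, NAT traversal in use with 172.16.0.50 behind 192.0.2.1, and zero packets, which matches the "remote host is behind NAT" line in the swanctl log of step 3; once "10.255.255.0 appeared on ppp0" is logged, the in/out packet counters should start increasing.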
