After enabling the L2TP/IPsec VPN by following the guide below, connecting from Windows clients fails, even though the same setup works perfectly from Mac OS.
https://help.ubnt.com/hc/en-us/articles/204950294-EdgeRouter-L2TP-IPsec-VPN-Server
To fix this, a registry value must be added on the Windows client: by default Windows does not establish an L2TP/IPsec association to a server that sits behind a NAT device, and this value tells the IPsec service to assume UDP encapsulation (NAT-T) for that case.
Open the Windows 10 Registry Editor (WIN+R > regedit).
Navigate to the following path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
Create a DWORD (32-bit) value named:
AssumeUDPEncapsulationContextOnSendRule
Set the DWORD value to 2 (server and client both behind NAT; 1 would mean only the server is behind NAT), then reboot the PC. The value is read by the IPsec service at start-up, so it has no effect until the reboot.
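The same registry change done from an elevated PowerShell session, with a read-back check before rebooting. This is an added example, not part of the original guide; the registry path and value name are those given above, the connection-status check at the end assumes a VPN profile already exists on the client.

```powershell
# Added example (not from the original guide): set the NAT-T registry value that lets a
# Windows 10 client bring up L2TP/IPsec to a server behind NAT. Run from an elevated
# (Administrator) PowerShell session; a reboot is still required afterwards.
$path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$name  = 'AssumeUDPEncapsulationContextOnSendRule'
# 0 = default (no NAT-T assumed), 1 = server behind NAT, 2 = server and client behind NAT.
$value = 2

# Refuse to continue without administrative rights: HKLM is not writable otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# Report the current setting (the value is absent on a stock install, i.e. behaves as 0).
$current = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
if ($null -eq $current) {
    Write-Host "$name is not set (default behaviour, 0)"
} else {
    Write-Host "$name is currently $($current.$name)"
}

# Create or overwrite the REG_DWORD (-Force makes this idempotent).
New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $value -Force | Out-Null

# Read it back and verify before rebooting.
$check = (Get-ItemProperty -Path $path -Name $name).$name
if ($check -ne $value) {
    throw "Verification failed: $name = $check"
}
Write-Host "$name = $check. Reboot so the IPsec Policy Agent picks up the new value."

# After the reboot: list the client's VPN profiles and their state. Assumes at least one
# L2TP profile has already been created; the profile name is not assumed here.
Get-VpnConnection -ErrorAction SilentlyContinue |
    Select-Object Name, ServerAddress, TunnelType, ConnectionStatus
```

Run it once, reboot, then dial the L2TP profile; if the tunnel still does not come up, the server-side checks that follow (SAs, remote-access sessions, logs and a capture on the WAN interface) show where the exchange stops.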
The last step is to test and verify that the L2TP traffic reaches the external interface. After starting the VPN connection from the client, verify the connection from the EdgeRouter CLI using the following:
1. The IPsec security associations (SAs):
show vpn ipsec sa
remote-access: #545, ESTABLISHED, IKEv1, b0a8c5df5ff1b225:a251946b15ebaaae
local '203.0.113.1' @ 203.0.113.1
remote '172.16.0.50' @ 192.0.2.1
AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
established 351s ago
remote-access: #17, INSTALLED, TRANSPORT-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96
installed 8s ago
in cd49a319, 0 bytes, 0 packets
out 47a8a786, 0 bytes, 0 packets
local 76.237.8.193/32[udp/l2f]
remote 192.0.2.1/32[udp/l2f]
2. The remote-access users and interfaces:
show vpn remote-access
Active remote access VPN sessions:
User       Time      Proto Iface Remote IP       TX pkt/byte   RX pkt/byte
---------- --------- ----- ----- --------------- ------ ------ ------ ------
ubnt       00h01m22s L2TP  l2tp0 192.168.100.240      4     58     86   7.4K
show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address   S/L Description
--------- ----------   --- -----------
l2tp0     10.255.255.0 u/u User: ubnt (192.168.100.240)
3. The L2TP VPN logs (the "remote host is behind NAT" line in the swanctl output confirms that NAT traversal is being negotiated, which is exactly the case the registry value addresses):
show vpn log tail
[IKE] <14> 192.0.2.1 is initiating a Main Mode IKE_SA
[IKE] IKE_SA remote-access[14] established ...
[IKE] CHILD_SA remote-access{4} established with SPIs ...
[KNL] 10.255.255.0 appeared on ppp0
sudo swanctl --log
04[NET] received packet: from 192.0.2.1[500] to 203.0.113.1[500] (408 bytes)
04[IKE] 192.0.2.1 is initiating a Main Mode IKE_SA
12[IKE] remote host is behind NAT
09[CFG] looking for pre-shared key peer configs matching 203.0.113.1...192.0.2.1[172.16.0.50]
09[CFG] selected peer config "remote-access"
09[IKE] IKE_SA remote-access[15] established between ...
04[IKE] CHILD_SA remote-access{5} established with SPIs ...
05[KNL] 10.255.255.0 appeared on ppp0
4. The L2TP traffic arriving on the external WAN interface:
sudo tcpdump -i eth0 -n udp dst port 500 or port 1701 or port 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
07:51:19.400846 IP 192.0.2.1.500 > xxx.xxx.xxx.xxx.500: isakmp: phase 1 I ident
07:51:19.405109 IP xxx.xxx.xxx.xxx.500 > 192.0.2.1.500: isakmp: phase 1 R ident
07:51:19.658508 IP 192.0.2.1.500 > xxx.xxx.xxx.xxx: isakmp: phase 1 I ident
07:51:19.715406 IP xxx.xxx.xxx.xxx > 192.0.2.1.500: isakmp: phase 1 R ident