I cannot get the L2TP/IPsec VPN working under EdgeOS 1.9. I'm testing with an iOS 9 client. Sometimes, when I'm already on the LAN over WiFi, I can connect (i.e. hairpinning through the WAN address), but even that is sporadic. My ISP says they aren't blocking anything that would prevent it (but the tech I spoke with didn't know what ESP — IP protocol 50 — is, so it's possible he's wrong; a client behind NAT would fall back to UDP/4500 NAT-T anyway, so plain ESP is not the only path to test).
Can someone look over my config and see if there's something obviously wrong? Could it be an issue with hardware offload (`system offload ipsec enable`)?
eth1 is WAN, eth0 is LAN
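/* EdgeOS configuration: eth1 is WAN (DHCP), eth0 is LAN 192.168.10.0/24. */
/* Change vs. the posted config: WAN_LOCAL rule 3 no longer accepts bare UDP/1701 */
/* from the whole internet; L2TP is only accepted once it arrives inside IPsec    */
/* (rule 6, ipsec match-ipsec). IKE/NAT-T (500/4500) and ESP remain open.        */
firewall {
    all-ping enable
    broadcast-ping disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 1 {
            action accept
            description "Allow ICMP ping"
            icmp {
                type 8
            }
            protocol icmp
        }
        rule 2 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        /* IKE (500) and NAT-T (4500) must be reachable from any client address. */
        rule 3 {
            action accept
            description "Allow IKE/NAT-T"
            destination {
                port 500,4500
            }
            log disable
            protocol udp
        }
        /* Raw ESP (IP protocol 50); clients behind NAT use UDP/4500 instead. */
        rule 4 {
            action accept
            description "Allow ESP"
            log disable
            protocol esp
        }
        rule 5 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        /* L2TP is accepted only when it was carried inside an IPsec SA, so an */
        /* unauthenticated UDP/1701 packet from the internet never reaches xl2tpd. */
        rule 6 {
            action accept
            description "Allow L2TP (IPsec-protected only)"
            destination {
                port 1701
            }
            ipsec {
                match-ipsec
            }
            log disable
            protocol udp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.10.1/24
        description Local
        duplex auto
        mtu 1500
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description Internet
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth0
    wan-interface eth1
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative disable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 192.168.10.2
                dns-server 192.168.10.5
                domain-name internal
                lease 86400
                /* .100-.149 for DHCP; .150-.170 is reserved below for the VPN pool. */
                start 192.168.10.100 {
                    stop 192.168.10.149
                }
            }
        }
        use-dnsmasq disable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth1
            type masquerade
        }
    }
}
system {
    domain-name border.internal
    host-name border
    name-server 192.168.10.2
    name-server 192.168.10.5
    offload {
        hwnat enable
        /* NOTE(review): the poster asks whether offload is involved. Toggling */
        /* this off (`set system offload ipsec disable`) is a cheap isolation */
        /* test; re-enable it once the tunnel is stable. */
        ipsec enable
    }
}
vpn {
    ipsec {
        auto-firewall-nat-exclude disable
        ipsec-interfaces {
            interface eth1
        }
        /* Remote clients can sit behind any NAT, hence the 0.0.0.0/0 allow. */
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username karl {
                        /* redacted */
                        password xxx
                    }
                }
                mode local
            }
            /* NOTE(review): pool lies inside the LAN /24. That only works if the */
            /* router answers for these addresses on eth0; if LAN hosts cannot */
            /* reach VPN clients, move the pool to its own subnet — confirm. */
            client-ip-pool {
                start 192.168.10.150
                stop 192.168.10.170
            }
            /* WAN address is DHCP-assigned, so bind to the interface, not an IP. */
            dhcp-interface eth1
            dns-servers {
                server-1 192.168.10.2
                server-2 192.168.10.5
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    /* redacted; every client shares this one secret */
                    pre-shared-secret xxx
                }
                ike-lifetime 3600
            }
            mtu 1492
        }
    }
}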