Windows L2TP VPN Server Policy

Pretty rusty with my Juniper, it’s an SRX240H2 and I’m trying to open a firewall policy that will allow my remote VPN clients to access an L2TP VPN server I’ve configured in the LAN. All help documents point to setting this up on the Juniper itself, but I do not want to use Juniper’s VPN options, just want to use a standard Windows server for now.

I know I have a working VPN connection to the server as I can establish a connection to it internally, but from the public, I’m not having any luck at all. I’ve enabled the IKE-ESP ALG, and have a policy allowing UDP 500 [with ike-esp-nat ALG], UDP 4500, and TCP 1701 (not sure if this one is necessary yet). I don’t seem to be making any connection to the VPN server.

In this same environment, I’ve had luck with a Windows PPTP VPN, but looking to decommission it with a newer L2TP VPN.

Does anyone know if this hardware configuration is possible? Thoughts?

Are you using a NAT policy at all? May need to NAT in the connection from the untrust interface to the internal server.

L2TPv2 in a basic sense is a simple protocol that runs over UDP 1701. I suspect there are some extra wrappers and additions that go with it to make it more consumer/retail centric (I worked with it extensively in a service-provider environment), which is why you have IKE, etc. But your policy should also include UDP/1701, which is the base protocol/port combination.

Currently using a destination NAT (only because I’m out of IPs). Planning to switch to a static NAT after hours when I can move stuff around to see if that is it.

Switched to a static NAT and gave it a dedicated public IP. Unfortunately made no difference.

Sorry, I don’t follow. I took a look at my Zones and have nothing defined under Services or Protocols.

No luck with TCP or UDP 1701. From what I can tell from the logs, it’s primarily using UDP 500 and 4500. Thanks!

Do you see the connection coming in at all when you attempt the connection - at the SRX, I mean. Obviously not on the server.

Yes. When logging, I see the sessions creating and closing on ports 500 and 4500. It’s using service names junos-ike and junos-ike-nat. I also tried allowing all in the policy and got the same results. It seems the ports are opened fine, it’s the handling of ESP and maybe AH that I don’t understand.

Can you paste the output for that flow minus the public IP information? Should be something like: show security flow session destination-port 500

SRX240H2> show security flow session destination-port 500

Session ID: 28974, Policy name: VPN-2022/17, Timeout: 36, Valid

In: 174.X.X.90/500 → 162.X.X.228/500;udp, If: ge-0/0/0.0, Pkts: 2, Bytes: 692

Out: 10.1.0.28/500 → 174.X.X.90/500;udp, If: vlan.1, Pkts: 2, Bytes: 496

Total sessions: 1

Hmm. Looks like a normal flow. I would say maybe time to turn on flow trace options for that traffic and see if maybe the ALG or something else is being blocked.

Afaik from having to set up IPSec passthroughs, we needed a NAT policy to carry the traffic to the endpoint and a security policy to allow the traffic that was being NAT’d. Does your internal endpoint see any of the traffic at all?

Thanks for all of your help, I figured it out! Turns out it had nothing to do with the Juniper (so much time wasted today). A Windows L2TP VPN server inside a NAT is not enabled by default in Windows… Instead, I just needed to set this Windows Registry (+ restart) on the client side…

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002

So anyone that is looking to do this, here is a decent setup for the Juniper:

And details on that Windows registry:
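As an added example that is not part of this thread (my PowerShell, not the poster's), here is a script to audit the PolicyAgent value the fix above relies on and to set it with confirmation. The meanings of the three DWORD values (0, 1, 2) are Microsoft's documented ones for this setting; the function names Get-NatTRule and Set-NatTRule are my own.

```powershell
# Added example: audit and set the IPsec NAT-T behaviour that the thread's fix changes.
# Run from an elevated PowerShell; the change takes effect after a reboot.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$Name = 'AssumeUDPEncapsulationContextOnSendRule'

# Documented meanings of the DWORD for this setting.
$Meaning = @{
    0 = 'default: no IPsec NAT-T security associations to peers behind a NAT'
    1 = 'allow security associations when the server is behind a NAT'
    2 = 'allow security associations when both server and client are behind a NAT'
}

function Get-NatTRule {
    # Returns the current value, or $null when the value is absent (behaves like 0).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-NatTRule {
    # Writes the DWORD; supports -WhatIf / -Confirm so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Value
    )
    $target = "$Path\$Name"
    if ($PSCmdlet.ShouldProcess($target, "set to $Value ($($Meaning[$Value]))")) {
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
        Write-Warning 'Reboot for the new value to take effect.'
    }
}

# Report the current state before touching anything.
$current = Get-NatTRule
if ($null -eq $current) {
    Write-Host "$Name is not set, so the host behaves as 0 ($($Meaning[0]))"
} else {
    $desc = if ($Meaning.ContainsKey($current)) { $Meaning[$current] } else { 'undocumented value' }
    Write-Host "$Name = $current ($desc)"
}

# The thread's fix is value 2 (both ends behind a NAT). -WhatIf only previews the change;
# drop it to apply.
Set-NatTRule -Value 2 -WhatIf
```

Value 1 is enough when only the server sits behind the NAT; value 2 is the one the thread needed because the client was also NATed.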

Fantastic! Glad you were able to figure out your problem.