I have configured the firewall, L2TP, and IPSec settings as advised, but I am not able to connect to the VPN at all so have gone backwards, since I could connect to the VPN and get to the WebGUI on the RUT950.
Any ideas what I may be missing? When I connect using Windows VPN it says ‘The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer’.
I have tried enabling MS-CHAP authentication on the adapter, disabling the firewall, etc., which doesn’t seem to work. PPTP is not working either.
One strange thing I have noticed is that the static WAN IP reported on the router is different to when I do an IP lookup on Google, but it won’t work with either IP anyway, and the one showing on Google I can’t ping whereas the one showing on the Teltonika I can.
Glad to see you have the new device. I can continue to assist in your troubleshooting.
I see from your IPSec logs that it is showing aborted at the moment. This should be fine, as until a tunnel is established it will show that message. Here is an example of my logs when I first spin up the tunnel before a client connects.
In general your settings shown should be fine to connect when directly connecting to our RUT devices via WAN IP, and where they are not behind any additional firewalls.
Would you be able to provide a network diagram of your topology you are working with?
I would like to confirm my settings provided to you against your topology use-case.
Is your RUT device WAN connection from an inserted SIM, or is it wired directly to an ISP?
Is the RUT device behind any other firewall or router device?
For clarification of my previous example, here is what my topology looks like, where I can establish a VPN connection, have access to LAN devices behind the RUT and maintain internet access.
In this topology, compared to yours, the WAN IP should be a public static IP that is pingable from the remote client. And if it is not a static IP, you would need to configure a DDNS.
Part of the reason I ask for clarification on your topology is that before you stated you were able to at least establish a VPN connection, while with the new device you are not able to.
This leads me to believe there is some kind of issue between your client machine being able to reach the RUT VPN server at its public IP.
Is your client machine able to ping the RUT public IP?
Are you sure the IP provided is static?
Additionally, here is a screenshot of my Win 11 VPN settings to compare against.
Many thanks for the response, was hoping it would all be good with the new device but I’m obviously missing something!
Our topology is the same as in the diagram you included, albeit with different IPs, so I haven’t drawn up another. For testing purposes I am currently WFH, so get Internet connection via my ISP using their provided router (no custom config from myself). The Teltonika is currently in the office with no other firewalls etc. connected, just a PC to one of the LAN ports.
The WAN connection for the RUT is provided by an inserted SIM.
I am able to ping the WAN IP currently, which I thought was a static IP but I have just reviewed the package assigned to the SIM and it appears an incorrect package may have been assigned! I will be in the office next week so will get a new SIM sorted, hopefully with the correct package this time, and test again.
Thank you for the confirmation on your topology.
Understood you will get back once you have had a chance to get a SIM with your static IP.
I think going forward, for troubleshooting steps once you have that new SIM, I would confirm you are able to route to that IP from your PC at home. A simple ping test should suffice for this portion.
I would also, for this test, temporarily disable any firewall on your home router, just in case any firewall rules on that device could cause issues. I would re-enable it once you have finished testing.
Next I would test only your L2TP tunnel, without the IPSec bound to it. You should be able to establish the tunnel with this over the static IP even without having the IPSec providing the encryption.
Once we can confirm your tunnel can be established again, then we can add in the IPSec configuration to provide encryption.
Breaking these steps down like this can help us further narrow down any issues you may run into and tackle them step by step.
And hopefully get you up and running.