Bi-directional L2TP: is it possible?

  • Hello,

    I have a lab installation which looks like

    PC1 - router1 - netscreen - PC2

    I initiate the L2TP tunnel from PC1 to the netscreen, it gets an IP address, and everything works fine. I can ping PC2 and ssh to it through the tunnel.
    But PC2 won't ping PC1 when the tunnel is up, even after adding a bidirectional policy:

    NS-> get pol
    Total regular policies 2, Default deny.
        ID From    To      Src-address  Dst-address  Service              Action State  ASTLCB
        3 Untrust  Trust    Any          Dial-Up VPN  ANY                  Tunnel enabled ---X-X
        1 Trust    Untrust  Dial-Up VPN  Any          ANY                  Tunnel enabled ---X-X

    Do you think it is possible to make an L2TP tunnel bidirectional in this sense? From the docs and KB it is not even clear that an L2TP tunnel can be bidirectional, so even just a yes or no answer will make me happy 🙂

    – Peter

  • administrators

    Most webcams use H.323.  If you turn on the ALG stuff in your netscreen, it should work just fine while still allowing your users to sit behind the firewall.  In fact, there is a fairly good selection of protocols that the ALG stuff supports now, and chances are your applications will be in there, unless it’s some weird home-grown app.

    As far as bidirectional L2TP goes, I cannot see a reason this wouldn’t work.  However, I don’t have it set up to test on right now.  Doesn’t anyone on this board have an L2TP VPN set up that they can test on?

  • Some applications require this - like webcam and some more. In fact, it’s not my network, I’m just the guy who has to make it work. I know that a simple dialup IPsec VPN can be bidirectional, so why not with L2TP?

  • administrators

    Why do you need to allow incoming connections for your users?  IMO, this is a security risk, as when they are connected via L2TP they are no longer protected by the firewall.  So you’ve got a bunch of machines (presumably windows) which sit out on the net unprotected, and then reside on your internal network.  This is trouble just waiting to happen, you might as well just remove the firewall.  🙂

    Is there a particular protocol or application that you are having trouble with?

  • Hi,

    DIP could be ok, but as I understand it, it’s impossible to allow incoming sessions to a DIP, i.e.
    LAN–Netscreen(DIP pool)–Inet
    when LAN PC goes to the inet and gets an ip from pool (say, PAT is disabled), can I allow incoming connections? I think no, am I right?

    As for MIPs, it seems rather painful to configure them all, and change config every time we want to connect a new user or delete old one. We have users in different subnets, so tricks like address shifting will not help.

    As for L2TP, is what I described at least possible, or can sessions never be initiated to an address in the IP pool? Do you think it’s a silly idea to use L2TP in this way? (btw, we want it working for ~200 users and use an NS-204)


  • administrators

    If you want to have the machines to have a public IP when they go to the net, why not use a DIP pool or a MIP instead of forcing the users to VPN to the NetScreen?

  • No, that’s okay: PC1 is in Trust zone, PC2 is in Untrust. The idea is to provide some users with real IP addresses when they go to the internet.

    So in my small network PC1 represents a LAN host, PC2 is an inet server. But I would like to allow incoming connections to PC1 from PC2.

    Any more ideas?


  • administrators

    Isn’t the “Dialup VPN” object the IP pool for your VPN users?  In this case, your Untrust->Trust policy should have Dialup VPN as the source, and vice versa for the Trust->Untrust policy.

  • Hi,

    Sorry, I’m not sure which IPs you are talking about… Because PC1 pings PC2, it seems to me that the IPs and IP routes are okay…
    Please tell what you think.


  • administrators

    It appears you have your source and destination IPs reversed.  Try switching them around.
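The last two administrator replies boil down to one check on the policy table Peter posted: the Dial-Up VPN pool object should sit in the source column of the Untrust->Trust policy and in the destination column of the Trust->Untrust policy. The script below is an added example, not code from the thread or from Juniper/NetScreen; it parses the `get pol` listing from the original post and flags any policy that references the pool object on the other side. It assumes, as the administrator does, that the object named "Dial-Up VPN" is the address pool handed to VPN clients, and it encodes the administrator's rule rather than any independent claim about ScreenOS semantics.

```python
"""Flag Dial-Up VPN policies in a ScreenOS 'get pol' listing whose
source/destination column does not match the zone direction.

Added example, not from the thread. The rule encoded here is the one the
administrator states: the VPN address pool object should be the source in
an Untrust->Trust policy and the destination in a Trust->Untrust policy.
"""

import re

# Constructed sample: the two policies from the original post, with the
# ASTLCB flag column written with plain hyphens.
SAMPLE_GET_POL = """\
Total regular policies 2, Default deny.
    ID From    To      Src-address  Dst-address  Service              Action State  ASTLCB
    3 Untrust  Trust    Any          Dial-Up VPN  ANY                  Tunnel enabled ---X-X
    1 Trust    Untrust  Dial-Up VPN  Any          ANY                  Tunnel enabled ---X-X
"""

# Assumption (following the administrator's reply): this object is the
# address pool that dial-up VPN clients receive addresses from.
POOL_OBJECT = "Dial-Up VPN"

# Policy rows start with a numeric ID. Address objects may contain spaces
# ("Dial-Up VPN"), so the Src/Dst columns are matched lazily up to the
# next run of two or more spaces; the remaining columns are single tokens.
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<from>\S+)\s+(?P<to>\S+)\s+"
    r"(?P<src>.+?)\s{2,}(?P<dst>.+?)\s{2,}"
    r"(?P<svc>\S+)\s+(?P<action>\S+)\s+(?P<state>\S+)"
)


def parse_get_pol(text):
    """Return one dict per policy row found in a 'get pol' listing."""
    policies = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            policies.append({k: v.strip() for k, v in m.groupdict().items()})
    return policies


def misplaced_pool_policies(policies, pool=POOL_OBJECT):
    """Return (policy_id, expected_column) for each policy that references
    the pool object in the wrong column for its zone direction.

    expected_column is "src" for Untrust->Trust and "dst" for Trust->Untrust,
    per the administrator's rule. Policies that do not mention the pool, or
    that use other zone pairs, are left alone.
    """
    findings = []
    for p in policies:
        if pool not in (p["src"], p["dst"]):
            continue
        if p["from"] == "Untrust" and p["to"] == "Trust":
            expected = "src"
        elif p["from"] == "Trust" and p["to"] == "Untrust":
            expected = "dst"
        else:
            continue
        if p[expected] != pool:
            findings.append((int(p["id"]), expected))
    return findings


if __name__ == "__main__":
    rows = parse_get_pol(SAMPLE_GET_POL)
    for policy_id, column in misplaced_pool_policies(rows):
        print(f"policy {policy_id}: expected '{POOL_OBJECT}' in the {column} column")
```

Run against the posted table, both policies are reported (ID 3 should carry the pool as source, ID 1 as destination), which is the same observation the administrator makes in the final reply. Pasting a live `get pol` output into `SAMPLE_GET_POL` in place of the constructed sample applies the same check to a real listing.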