b3h3m07h
newbie
Topic Author
Posts: 40
Joined: Sat Dec 28, 2013 3:06 am

Cannot connect to IKEv2 Server behind pppoe WAN connection, SSTP and L2TP IPSec servers work fine.

Mon Nov 30, 2020 5:39 am

Hello all.

I have recently changed NBN/VDSL provider from Aussie Broadband (DHCP) to TPG (PPPoE VLAN2) and reconfigured the CHR for the PPPoE connection. Everything is working fine: local network to WAN, and connections from remote devices to the SSTP and L2TP IPsec servers on the same CHR. But connections to the IKEv2 server have all of a sudden stopped working; they simply won't connect (Android phone and multiple Windows 10 machines).

ISP is not blocking any ports and IKEv2 config has not changed.

Does anyone know if there is an issue / bug with establishing connections using IKEv2 when the WAN interface is PPPoE?

I am going to try to set up another modem to handle the PPPoE connection, then port forward UDP 500, 4500 to the CHR and see if that works tonight. Suggested from this post with a possibly similar issue: viewtopic.php?t=154743
"LE: Well, I've tested the above. I've put the PPPoE client on another router, gave the current one internet through eth-wan, so yeah, double NAT.
And, IT WORKS, at least for Windows 10, I get the route specified in split include added and I can reach my RaspberryPI behind it.
LE2: I wish it was something in my config broken, as it seems to be a bug I won't be able to make the switch by the end of the year.
stripped debug:"
 
sindy
Forum Guru
Posts: 11153
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cannot connect to IKEv2 Server behind pppoe WAN connection, SSTP and L2TP IPSec servers work fine.

Mon Nov 30, 2020 10:27 am

As the problem is specifically related to IKEv2, I suppose you are using certificates for authentication, causing the IKEv2 negotiation packets to exceed (by a lot) the usual MTU of 1500. This is not the case with L2TP/IPsec which typically uses pre-shared key authentication at IPsec level.

If the MTU information on the two ends of a link differs, packets sent from the end with higher MTU to the end with lower MTU may not get through.

With the usual 1500-byte MTU on an Ethernet interface, the MTU of a PPPoE interface attached to such an Ethernet interface cannot exceed 1496 bytes unless MLPPP is supported by both the server and the client.

So try to set the mtu of the Ethernet interface to which the /interface pppoe-client row is attached to e.g. 1520, and the mrru of the /interface pppoe-client row itself to 1500, and see whether that helps.

/interface pppoe-client monitor pppoe-out1 once will show you the actual mtu and mru values.
 
b3h3m07h
newbie
Topic Author
Posts: 40
Joined: Sat Dec 28, 2013 3:06 am

Re: Cannot connect to IKEv2 Server behind pppoe WAN connection, SSTP and L2TP IPSec servers work fine.

Mon Nov 30, 2020 1:41 pm

Cheers sindy, you pointed me in the right direction..

Turns out the PPPoE connection defaulted to an MRU of 1500, not 1492, and I overlooked it :-/, changed it and all working a treat.

Something so simple, it's just been one of those days.

Thanks again :-)
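
The failure sindy describes and the MRU change that fixed it can be modelled in a few lines. This is an added example, not part of any post in the thread: the payload sizes are constructed, the 8-byte PPPoE overhead is the standard 6-byte PPPoE header plus 2-byte PPP protocol field, and the model assumes the sender fragments with DF clear and the PPPoE peer treats the advertised MRU as its MTU.

```python
# Added illustration, not from the thread. Sizes are constructed sample values.
IP_HDR = 20         # IPv4 header without options
UDP_HDR = 8
PPPOE_OVERHEAD = 8  # 6-byte PPPoE header + 2-byte PPP protocol field


def split(data_len, mtu):
    """Split data_len bytes of IP payload into IPv4 packet sizes that fit mtu."""
    chunk = (mtu - IP_HDR) // 8 * 8  # fragment offsets count in 8-byte units
    sizes = []
    while data_len > 0:
        take = min(chunk, data_len)
        sizes.append(IP_HDR + take)
        data_len -= take
    return sizes


def through_pppoe(udp_payload, sender_mtu, negotiated_mru, ethernet_mtu=1500):
    """Model one UDP datagram arriving over the PPPoE hop.

    Assumptions: the sender fragments at sender_mtu with DF clear, and the
    PPPoE peer uses the MRU our side advertised as its MTU, re-fragmenting
    anything larger. Returns [(packet_size, delivered)].
    """
    fits_in_frame = ethernet_mtu - PPPOE_OVERHEAD
    emitted = []
    for size in split(UDP_HDR + udp_payload, sender_mtu):
        if size <= negotiated_mru:
            emitted.append(size)  # peer believes it fits and sends it as is
        else:
            emitted.extend(split(size - IP_HDR, negotiated_mru))
    return [(size, size <= fits_in_frame) for size in emitted]


def arrives(udp_payload, negotiated_mru):
    """True if every fragment of the datagram survives the PPPoE hop."""
    return all(ok for _, ok in through_pppoe(udp_payload, 1500, negotiated_mru))


if __name__ == "__main__":
    IKE_AUTH_WITH_CERT = 3000  # constructed: certificate-bearing IKE_AUTH
    PSK_EXCHANGE = 400         # constructed: small pre-shared-key exchange
    for mru in (1500, 1492):
        print(f"MRU {mru}: cert={arrives(IKE_AUTH_WITH_CERT, mru)} "
              f"psk={arrives(PSK_EXCHANGE, mru)}")
        print("  ", through_pppoe(IKE_AUTH_WITH_CERT, 1500, mru))
```

With an MRU of 1500 the two full-size fragments of the large message are lost while the small exchange still passes, which matches IKEv2 failing while L2TP/IPsec kept working.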
