Hi,

I installed strongswan 4.6.2 + xl2tpd 1.3.1 + ppp 2.4.5 for an L2TP/IPsec VPN server. After the server started, I can connect only once from the same IP.
Here is the log:

First connection:

pluto[10451]: packet from x.x.x.x:500: received Vendor ID payload [RFC 3947]
pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
pluto[10451]: "L2TP-PSK-noNAT"[1] x.x.x.x #1: responding to Main Mode from unknown peer x.x.x.x
pluto[10451]: "L2TP-PSK-noNAT"[1] x.x.x.x #1: NAT-Traversal: Result using RFC 3947: peer is NATed
pluto[10451]: "L2TP-PSK-noNAT"[1] x.x.x.x #1: Peer ID is ID_IPV4_ADDR: '192.168.11.12'
pluto[10451]: "L2TP-PSK-noNAT"[2] x.x.x.x #1: deleting connection "L2TP-PSK-noNAT" instance with peer x.x.x.x {isakmp=#0/ipsec=#0}
pluto[10451]: | NAT-T: new mapping x.x.x.x:500/4500)
pluto[10451]: "L2TP-PSK-noNAT"[2] x.x.x.x:4500 #1: sent MR3, ISAKMP SA established
pluto[10451]: "L2TP-PSK-noNAT"[2] x.x.x.x:4500 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
pluto[10451]: "L2TP-PSK-NAT"[1] x.x.x.x:4500 #2: responding to Quick Mode
pluto[10451]: "L2TP-PSK-NAT"[1] x.x.x.x:4500 #2: IPsec SA established {ESP=>0x04b36f2a <0xcc58ab3a NATOA=0.0.0.0}
pluto[10451]: 10.10.4.1 appeared on ppp0
pluto[10451]: 10.10.4.1 disappeared from ppp0
pluto[10451]: 10.10.4.1 appeared on ppp0
pluto[10451]: interface ppp0 activated

--------------------------------------------------------------------------------

Second connection:

pluto[10451]: packet from x.x.x.x:500: received Vendor ID payload [RFC 3947]
pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
pluto[10451]: "L2TP-PSK-noNAT"[3] x.x.x.x #3: responding to Main Mode from unknown peer x.x.x.x
pluto[10451]: "L2TP-PSK-noNAT"[3] x.x.x.x #3: NAT-Traversal: Result using RFC 3947: peer is NATed
pluto[10451]: "L2TP-PSK-noNAT"[3] x.x.x.x #3: discarding duplicate packet; already STATE_MAIN_R2
pluto[10451]: "L2TP-PSK-noNAT"[3] x.x.x.x #3: Peer ID is ID_IPV4_ADDR: '192.168.11.12'
pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x #3: deleting connection "L2TP-PSK-noNAT" instance with peer x.x.x.x {isakmp=#0/ipsec=#0}
pluto[10451]: | NAT-T: new mapping x.x.x.x:500/4500)
pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: sent MR3, ISAKMP SA established
pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
pluto[10451]: "L2TP-PSK-NAT"[2] x.x.x.x:4500 #4: responding to Quick Mode
pluto[10451]: "L2TP-PSK-NAT"[2] x.x.x.x:4500 #4: cannot install eroute -- it is in use for "L2TP-PSK-NAT"[1] x.x.x.x:4500 #2
pluto[10451]: "L2TP-PSK-NAT"[2] x.x.x.x:4500: deleting connection "L2TP-PSK-NAT" instance with peer x.x.x.x {isakmp=#0/ipsec=#0}
pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x4b6223a8 (perhaps this is a duplicated packet)
pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: sending encrypted notification INVALID_MESSAGE_ID to x.x.x.x:4500
pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x4b6223a8 (perhaps this is a duplicated packet)
pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: sending encrypted notification INVALID_MESSAGE_ID to x.x.x.x:4500

--------------------------------------------------------------------------------

It seems that I am meeting the same problem as a post on the openswan mailing list:
https://lists.openswan.org/pipermail/users/2010-May/018707.html

It says that

"This is a bug that needs fixing......
It somehow does not realise it should replace the existing (or just terminated) IPsec SA."

In the strongswan change log, I found that

"Starting with strongswan-2.5, only a single IPsec SA is established per host-pair connection."

I tried all possible values of "auto" in ipsec.conf, and the problem remains the same.
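As an added example (not code from the poster, strongswan or openswan), a small Python parser over the pluto lines quoted above that flags the second-connection symptom: a new Quick Mode state refused because an older IPsec SA for the same peer still holds the eroute. It assumes only the log format visible in the post; the regexes and the sample excerpt are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# pluto's per-state prefix: "conn"[instance] peer[:port] [#state]: message
STATE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\w.]+)(?::\d+)?'
    r'(?: #(?P<state>\d+))?: (?P<msg>.*)'
)
# The refusal message: the eroute is still owned by an older state (#holder)
EROUTE_RE = re.compile(
    r'cannot install eroute -- it is in use for "[^"]+"\[\d+\] [\w.:]+ #(?P<holder>\d+)'
)

@dataclass
class ErouteConflict:
    peer: str                   # peer whose new Quick Mode was refused
    new_state: int              # state number of the refused IPsec SA
    holder_state: int           # state number still holding the eroute
    holder_peer: Optional[str]  # peer the holder was established for, if seen in the log

def find_eroute_conflicts(lines):
    """Scan pluto log lines and report every Quick Mode that failed because an
    earlier IPsec SA for the same peer still owns the eroute (the stale-SA symptom)."""
    established = {}  # state number -> peer, from "IPsec SA established" lines
    conflicts = []
    for line in lines:
        m = STATE_RE.search(line)
        if not m or m.group("state") is None:
            continue
        state, msg = int(m.group("state")), m.group("msg")
        if msg.startswith("IPsec SA established"):
            established[state] = m.group("peer")
        e = EROUTE_RE.search(msg)
        if e:
            holder = int(e.group("holder"))
            conflicts.append(ErouteConflict(m.group("peer"), state, holder, established.get(holder)))
    return conflicts

# Sample lines excerpted from the log in the post above (x.x.x.x as in the original).
SAMPLE_LOG = [
    'pluto[10451]: "L2TP-PSK-NAT"[1] x.x.x.x:4500 #2: responding to Quick Mode',
    'pluto[10451]: "L2TP-PSK-NAT"[1] x.x.x.x:4500 #2: IPsec SA established {ESP=>0x04b36f2a <0xcc58ab3a NATOA=0.0.0.0}',
    'pluto[10451]: "L2TP-PSK-NAT"[2] x.x.x.x:4500 #4: responding to Quick Mode',
    'pluto[10451]: "L2TP-PSK-NAT"[2] x.x.x.x:4500 #4: cannot install eroute -- it is in use for "L2TP-PSK-NAT"[1] x.x.x.x:4500 #2',
    'pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: sending encrypted notification INVALID_MESSAGE_ID to x.x.x.x:4500',
]

if __name__ == "__main__":
    for c in find_eroute_conflicts(SAMPLE_LOG):
        print(f"peer {c.peer}: new SA #{c.new_state} refused; eroute still held by #{c.holder_state}"
              f" (established for {c.holder_peer or 'unknown peer'})")
```

A conflict whose holder was established for the same peer is the reconnect-from-the-same-NATed-IP case the post describes; a holder with no matching "IPsec SA established" line points at a state created before the log excerpt began.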