<div class="gmail_extra">I have this problem when trying to access the server from a local NATed client after having once connected to the server using my Android<br>mobile device. I found that after once connected to the server, the ipsec status shows that<br>
<br>000 "L2TP-PSK-NAT"[2]: server_ip:4500[server_ip]:17/1701---server_gw_ip...client_gw_ip:19033[client_net_ip]:17/0; erouted; eroute owner: #5<br><br>The client UDP port 0 seems odd. This means no more connections from the same NAT can be established.<br>
<br>I dug a bit into the source and found that setting this port occurs in "src/pluto/ipsec_doi.c", function "quick_inI1_outR1".<br>The payload_digest<br>struct payload_digest *const id_pd = md->chain[ISAKMP_NEXT_ID];<br>
<br>contains the port info, but it is 0. If I connect to the server with an iPod touch, the port is not 0 anymore, and I think it should be like this.<br><br>I don't know much about ISAKMP and IPsec. I guess the client port info should not get lost.<br>
I don't know how strongSwan cooperates with xl2tpd. In the xl2tpd log:<br><br>xl2tpd[3212]: control_finish: Peer requested tunnel 46802 twice, ignoring second one.<br>xl2tpd[3212]: Connection established to client_gw_ip, 33404. Local: 15183, Remote: 46802 (ref=0/0). LNS session is 'default'<br>
xl2tpd[3212]: start_pppd: I'm running:<br>xl2tpd[3212]: "/usr/sbin/pppd"<br>xl2tpd[3212]: "passive"<br>xl2tpd[3212]: "nodetach"<br><br>xl2tpd does know the client UDP port 33404, and these logs appear after the pluto logs.<br>
<br>May <i>Tobias</i> or anyone give me a hint to dig deeper? Much appreciated.<br>I am still struggling with this problem.<br><br><br><div class="gmail_quote">2012/4/19 Morgan <span dir="ltr"><<a href="mailto:morgan1980@gmail.com" target="_blank">morgan1980@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br> I installed strongSwan 4.6.2 + xl2tpd 1.3.1 + ppp 2.4.5 for an L2TP/IPsec VPN server. After the server started, I can connect only once from the same IP.<br>
Here is the log:<br><br>First connection:<br><br>pluto[10451]: packet from x.x.x.x:500: received Vendor ID payload [RFC 3947]<br>
pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]<br>pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]<br>pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]<br>
pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]<br>pluto[10451]: "L2TP-PSK-noNAT"[1] x.x.x.x #1: responding to Main Mode from unknown peer x.x.x.x<br>pluto[10451]: "L2TP-PSK-noNAT"[1] x.x.x.x #1: NAT-Traversal: Result using RFC 3947: peer is NATed<br>
pluto[10451]: "L2TP-PSK-noNAT"[1] x.x.x.x #1: Peer ID is ID_IPV4_ADDR: '192.168.11.12'<br>pluto[10451]: "L2TP-PSK-noNAT"[2] x.x.x.x #1: deleting connection "L2TP-PSK-noNAT" instance with peer x.x.x.x {isakmp=#0/ipsec=#0}<br>
pluto[10451]: | NAT-T: new mapping x.x.x.x:500/4500)<br>pluto[10451]: "L2TP-PSK-noNAT"[2] x.x.x.x:4500 #1: sent MR3, ISAKMP SA established<br>pluto[10451]: "L2TP-PSK-noNAT"[2] x.x.x.x:4500 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT<br>
pluto[10451]: "L2TP-PSK-NAT"[1] x.x.x.x:4500 #2: responding to Quick Mode<br>pluto[10451]: "L2TP-PSK-NAT"[1] x.x.x.x:4500 #2: IPsec SA established {ESP=>0x04b36f2a <0xcc58ab3a NATOA=0.0.0.0}<br>
pluto[10451]: 10.10.4.1 appeared on ppp0<br>
pluto[10451]: 10.10.4.1 disappeared from ppp0<br>pluto[10451]: 10.10.4.1 appeared on ppp0<br>pluto[10451]: interface ppp0 activated<br><br>-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>
<br><br>Second connection:<br><br>pluto[10451]: packet from x.x.x.x:500: received Vendor ID payload [RFC 3947]<br>pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]<br>pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]<br>
pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]<br>pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]<br>pluto[10451]: "L2TP-PSK-noNAT"[3] x.x.x.x #3: responding to Main Mode from unknown peer x.x.x.x<br>
pluto[10451]: "L2TP-PSK-noNAT"[3] x.x.x.x #3: NAT-Traversal: Result using RFC 3947: peer is NATed<br>pluto[10451]: "L2TP-PSK-noNAT"[3] x.x.x.x #3: discarding duplicate packet; already STATE_MAIN_R2<br>
pluto[10451]: "L2TP-PSK-noNAT"[3] x.x.x.x #3: Peer ID is ID_IPV4_ADDR: '192.168.11.12'<br>pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x #3: deleting connection "L2TP-PSK-noNAT" instance with peer x.x.x.x {isakmp=#0/ipsec=#0}<br>
pluto[10451]: | NAT-T: new mapping x.x.x.x:500/4500)<br>pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: sent MR3, ISAKMP SA established<br>pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT<br>
pluto[10451]: "L2TP-PSK-NAT"[2] x.x.x.x:4500 #4: responding to Quick Mode<br>pluto[10451]: "L2TP-PSK-NAT"[2] x.x.x.x:4500 #4: cannot install eroute -- it is in use for "L2TP-PSK-NAT"[1] x.x.x.x:4500 #2<br>
pluto[10451]: "L2TP-PSK-NAT"[2] x.x.x.x:4500: deleting connection "L2TP-PSK-NAT" instance with peer x.x.x.x {isakmp=#0/ipsec=#0}<br>pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x4b6223a8 (perhaps this is a duplicated packet)<br>
pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: sending encrypted notification INVALID_MESSAGE_ID to x.x.x.x:4500<br>pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x4b6223a8 (perhaps this is a duplicated packet)<br>
pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: sending encrypted notification INVALID_MESSAGE_ID to x.x.x.x:4500<br><br><br>-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>
<br>It seems that I have met the same problem as a post on the openswan mailing list: <br><a href="https://lists.openswan.org/pipermail/users/2010-May/018707.html" target="_blank">https://lists.openswan.org/pipermail/users/2010-May/018707.html</a><br>
It says that <br><br>"This is a bug that needs fixing......<br><i>It somehow does not realise it should replace the existing (or just terminated) IPsec SA."</i><br><br>In the strongSwan change log, I found that <br>
<br>"Starting with strongswan-2.5, only a single IPsec SA is established per host-pair connection."<br><br>I tried all possible values of "auto" in ipsec.conf, and the problem remains the same.<br><br>
</blockquote></div><br></div>
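An added example, not code from this thread, strongSwan or xl2tpd: it parses the IKEv1 Quick Mode Identification payload that the post's `id_pd` points at, in the IPSEC DOI layout of RFC 2407 section 4.6.2, and shows how a client-supplied port of 0 becomes the any-port `17/0` selector that makes the second eroute for the same address collide. The sample payloads are constructed here, and the 1701 port of the "good" client is an assumption, not a value from the thread.

```python
import struct
import ipaddress

ID_IPV4_ADDR = 1   # RFC 2407 section 4.6.2.1 ID type value
PROTO_UDP = 17

def parse_isakmp_id(payload: bytes) -> dict:
    """Parse one IKEv1 Identification payload (RFC 2407 4.6.2).
    Layout: next(1) reserved(1) length(2) id_type(1) proto(1) port(2) data(len-8)."""
    if len(payload) < 8:
        raise ValueError("ID payload shorter than its 8-byte header")
    nxt, _res, length, id_type, proto, port = struct.unpack("!BBHBBH", payload[:8])
    if length < 8 or length > len(payload):
        raise ValueError(f"bad payload length {length} for {len(payload)} bytes")
    data = payload[8:length]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR carries exactly 4 bytes of data")
        ident = str(ipaddress.IPv4Address(data))
    else:
        ident = data.hex()   # other ID types are passed through undecoded
    return {"next_payload": nxt, "id_type": id_type, "protocol": proto,
            "port": port, "id": ident}

def selector(info: dict) -> str:
    """Render proto/port the way `ipsec status` prints it, e.g. '17/0'."""
    return f"{info['protocol']}/{info['port']}"

def is_wildcard_port(info: dict) -> bool:
    """Port 0 in the ID payload means 'any port' (RFC 2407); that is the 17/0 eroute in the thread."""
    return info["protocol"] != 0 and info["port"] == 0

def selectors_overlap(a: dict, b: dict) -> bool:
    """Selectors for the same client address and protocol collide when either port
    is the wildcard 0 or both are equal (pluto: 'cannot install eroute -- it is in use')."""
    if a["id"] != b["id"] or a["protocol"] != b["protocol"]:
        return False
    return 0 in (a["port"], b["port"]) or a["port"] == b["port"]

def build_isakmp_id(id_type: int, proto: int, port: int, data: bytes) -> bytes:
    """Build a payload; used only to construct the sample inputs below."""
    return struct.pack("!BBHBBH", 0, 0, 8 + len(data), id_type, proto, port) + data

# Constructed samples (not captured from the thread): the same inner address
# announcing UDP/0, as the Android client did, and UDP/1701 (assumed L2TP
# port) as a client that fills the port in would.
CLIENT_IP = bytes([192, 168, 11, 12])
ANDROID_ID = build_isakmp_id(ID_IPV4_ADDR, PROTO_UDP, 0, CLIENT_IP)
FIXED_PORT_ID = build_isakmp_id(ID_IPV4_ADDR, PROTO_UDP, 1701, CLIENT_IP)
```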