[strongSwan] can not reconnect from same ip

Morgan morgan1980 at gmail.com
Thu Apr 19 04:07:38 CEST 2012


Hi,
    I installed strongswan 4.6.2 + xl2tpd 1.3.1 + ppp 2.4.5 as an L2TP/IPsec
VPN server. After the server starts, I can connect only once from the same IP.
Here is the log:

First connection:

pluto[10451]: packet from x.x.x.x:500: received Vendor ID payload [RFC 3947]
pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02]
pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n]
pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload
[FRAGMENTATION 80000000]
pluto[10451]: "L2TP-PSK-noNAT"[1] x.x.x.x #1: responding to Main Mode from
unknown peer x.x.x.x
pluto[10451]: "L2TP-PSK-noNAT"[1] x.x.x.x #1: NAT-Traversal: Result using
RFC 3947: peer is NATed
pluto[10451]: "L2TP-PSK-noNAT"[1] x.x.x.x #1: Peer ID is ID_IPV4_ADDR:
'192.168.11.12'
pluto[10451]: "L2TP-PSK-noNAT"[2] x.x.x.x #1: deleting connection
"L2TP-PSK-noNAT" instance with peer x.x.x.x {isakmp=#0/ipsec=#0}
pluto[10451]: | NAT-T: new mapping x.x.x.x:500/4500)
pluto[10451]: "L2TP-PSK-noNAT"[2] x.x.x.x:4500 #1: sent MR3, ISAKMP SA
established
pluto[10451]: "L2TP-PSK-noNAT"[2] x.x.x.x:4500 #1: ignoring informational
payload, type IPSEC_INITIAL_CONTACT
pluto[10451]: "L2TP-PSK-NAT"[1] x.x.x.x:4500 #2: responding to Quick Mode
pluto[10451]: "L2TP-PSK-NAT"[1] x.x.x.x:4500 #2: IPsec SA established
{ESP=>0x04b36f2a <0xcc58ab3a NATOA=0.0.0.0}
pluto[10451]: 10.10.4.1 appeared on ppp0
pluto[10451]: 10.10.4.1 disappeared from ppp0
pluto[10451]: 10.10.4.1 appeared on ppp0
pluto[10451]: interface ppp0 activated

--------------------------------------------------------------------------------


Second connection:

pluto[10451]: packet from x.x.x.x:500: received Vendor ID payload [RFC 3947]
pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02]
pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n]
pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload
[FRAGMENTATION 80000000]
pluto[10451]: "L2TP-PSK-noNAT"[3] x.x.x.x #3: responding to Main Mode from
unknown peer x.x.x.x
pluto[10451]: "L2TP-PSK-noNAT"[3] x.x.x.x #3: NAT-Traversal: Result using
RFC 3947: peer is NATed
pluto[10451]: "L2TP-PSK-noNAT"[3] x.x.x.x #3: discarding duplicate packet;
already STATE_MAIN_R2
pluto[10451]: "L2TP-PSK-noNAT"[3] x.x.x.x #3: Peer ID is ID_IPV4_ADDR:
'192.168.11.12'
pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x #3: deleting connection
"L2TP-PSK-noNAT" instance with peer x.x.x.x {isakmp=#0/ipsec=#0}
pluto[10451]: | NAT-T: new mapping x.x.x.x:500/4500)
pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: sent MR3, ISAKMP SA
established
pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: ignoring informational
payload, type IPSEC_INITIAL_CONTACT
pluto[10451]: "L2TP-PSK-NAT"[2] x.x.x.x:4500 #4: responding to Quick Mode
pluto[10451]: "L2TP-PSK-NAT"[2] x.x.x.x:4500 #4: cannot install eroute --
it is in use for "L2TP-PSK-NAT"[1] x.x.x.x:4500 #2
pluto[10451]: "L2TP-PSK-NAT"[2] x.x.x.x:4500: deleting connection
"L2TP-PSK-NAT" instance with peer x.x.x.x {isakmp=#0/ipsec=#0}
pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: Quick Mode I1 message is
unacceptable because it uses a previously used Message ID 0x4b6223a8
(perhaps this is a duplicated packet)
pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: sending encrypted
notification INVALID_MESSAGE_ID to x.x.x.x:4500
pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: Quick Mode I1 message is
unacceptable because it uses a previously used Message ID 0x4b6223a8
(perhaps this is a duplicated packet)
pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: sending encrypted
notification INVALID_MESSAGE_ID to x.x.x.x:4500


--------------------------------------------------------------------------------

It seems that I have the same problem as a post on the openswan mailing
list:
https://lists.openswan.org/pipermail/users/2010-May/018707.html
It says that

"This is a bug that needs fixing......

It somehow does not realise it should replace the existing (or just
terminated) IPsec SA."

In the strongSwan change log, I found that

"Starting with strongswan-2.5, only a single IPsec SA is established per
host-pair connection."

I tried all possible values of "auto" in ipsec.conf, and the problem remains
the same.
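As an added example (not part of the post or of strongSwan), a small parser that scans pluto log lines for the failure signature shown above: a new Quick Mode exchange that cannot install its eroute because a stale IPsec SA from the earlier connection still owns it, followed by INVALID_MESSAGE_ID notifications. The sample lines are constructed from the log quoted in the post; x.x.x.x is the post's redacted peer address.

```python
import re
from collections import Counter

# Constructed sample modelled on the pluto lines quoted in the post
# (x.x.x.x is the post's redacted peer address).
SAMPLE_LOG = """\
pluto[10451]: "L2TP-PSK-NAT"[1] x.x.x.x:4500 #2: responding to Quick Mode
pluto[10451]: "L2TP-PSK-NAT"[1] x.x.x.x:4500 #2: IPsec SA established {ESP=>0x04b36f2a <0xcc58ab3a NATOA=0.0.0.0}
pluto[10451]: "L2TP-PSK-NAT"[2] x.x.x.x:4500 #4: responding to Quick Mode
pluto[10451]: "L2TP-PSK-NAT"[2] x.x.x.x:4500 #4: cannot install eroute -- it is in use for "L2TP-PSK-NAT"[1] x.x.x.x:4500 #2
pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: sending encrypted notification INVALID_MESSAGE_ID to x.x.x.x:4500
pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: sending encrypted notification INVALID_MESSAGE_ID to x.x.x.x:4500
"""

# A pluto state line: connection name, instance, peer (optional :port), state number, message.
STATE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)')
# The SA that still owns the eroute the new Quick Mode exchange wanted.
EROUTE_RE = re.compile(r'cannot install eroute -- it is in use for "(?P<conn>[^"]+)"\[\d+\] \S+ #(?P<state>\d+)')


def find_stale_sa_conflicts(log_text):
    """One dict per 'cannot install eroute' event: the new SA, the blocking (stale)
    SA, and whether that stale SA was seen established earlier in the log."""
    established = set()  # state numbers that logged 'IPsec SA established'
    conflicts = []
    for line in log_text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue  # ppp0 / NAT-T mapping lines carry no state number
        msg = m.group("msg")
        if msg.startswith("IPsec SA established"):
            established.add(int(m.group("state")))
        e = EROUTE_RE.search(msg)
        if e:
            old = int(e.group("state"))
            conflicts.append({"peer": m.group("peer"), "new_state": int(m.group("state")),
                              "old_state": old, "old_conn": e.group("conn"),
                              "old_was_established": old in established})
    return conflicts


def count_invalid_message_id(log_text):
    """INVALID_MESSAGE_ID notifications sent per peer; a burst of these right after
    an eroute conflict is the failure signature the post shows."""
    counts = Counter()
    for line in log_text.splitlines():
        m = STATE_RE.match(line)
        if m and "notification INVALID_MESSAGE_ID" in m.group("msg"):
            counts[m.group("peer")] += 1
    return dict(counts)
```

Run it over a full pluto log to see which ISAKMP/IPsec state numbers were still holding the eroute when the second client behind the same NAT address tried to connect.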