[strongSwan] can not reconnect from same ip

Morgan morgan1980 at gmail.com
Mon Apr 23 08:33:55 CEST 2012


I have this problem when trying to access the server from a local NATed client
after having once connected to the server using my Android
mobile device. I found that after connecting to the server once, the ipsec status
shows that

000 "L2TP-PSK-NAT"[2]:
server_ip:4500[server_ip]:17/1701---server_gw_ip...client_gw_ip:19033[client_net_ip]:17/0;
erouted; eroute owner: #5

The client UDP port 0 seems odd. This means that no more connections from the
same NAT can be established.

I dug a bit into the source and found that this port is set in
"src/pluto/ipsec_doi.c", function "quick_inI1_outR1".
The payload digest
struct payload_digest *const id_pd = md->chain[ISAKMP_NEXT_ID];

contains the port info, but it is 0. If I connect to the server with an iPod touch,
the port is not 0 anymore, and I think that is how it should be.

I don't know much about ISAKMP and IPsec. I guess the client port info
should not get lost.
I don't know how strongSwan cooperates with xl2tpd. In the xl2tpd log:

xl2tpd[3212]: control_finish: Peer requested tunnel 46802 twice, ignoring
second one.
xl2tpd[3212]: Connection established to client_gw_ip, 33404.  Local: 15183,
Remote: 46802 (ref=0/0).  LNS session is 'default'
xl2tpd[3212]: start_pppd: I'm running:
xl2tpd[3212]: "/usr/sbin/pppd"
xl2tpd[3212]: "passive"
xl2tpd[3212]: "nodetach"

xl2tpd does know the client UDP port 33404, and these log lines appear after the
pluto log lines.

Could Tobias or anyone give me a hint to dig deeper? Much appreciated.
I am still struggling with this problem.


2012/4/19 Morgan <morgan1980 at gmail.com>

> Hi,
>     I installed strongSwan 4.6.2 + xl2tpd 1.3.1 + ppp 2.4.5 for an L2TP/IPsec
> VPN server. After the server started, I can connect only once from the same IP.
> Here is the log:
>
> first connecting:
>
> pluto[10451]: packet from x.x.x.x:500: received Vendor ID payload [RFC
> 3947]
> pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02]
> pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n]
> pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-00]
> pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload
> [FRAGMENTATION 80000000]
> pluto[10451]: "L2TP-PSK-noNAT"[1] x.x.x.x #1: responding to Main Mode from
> unknown peer x.x.x.x
> pluto[10451]: "L2TP-PSK-noNAT"[1] x.x.x.x #1: NAT-Traversal: Result using
> RFC 3947: peer is NATed
> pluto[10451]: "L2TP-PSK-noNAT"[1] x.x.x.x #1: Peer ID is ID_IPV4_ADDR:
> '192.168.11.12'
> pluto[10451]: "L2TP-PSK-noNAT"[2] x.x.x.x #1: deleting connection
> "L2TP-PSK-noNAT" instance with peer x.x.x.x {isakmp=#0/ipsec=#0}
> pluto[10451]: | NAT-T: new mapping x.x.x.x:500/4500)
> pluto[10451]: "L2TP-PSK-noNAT"[2] x.x.x.x:4500 #1: sent MR3, ISAKMP SA
> established
> pluto[10451]: "L2TP-PSK-noNAT"[2] x.x.x.x:4500 #1: ignoring informational
> payload, type IPSEC_INITIAL_CONTACT
> pluto[10451]: "L2TP-PSK-NAT"[1] x.x.x.x:4500 #2: responding to Quick Mode
> pluto[10451]: "L2TP-PSK-NAT"[1] x.x.x.x:4500 #2: IPsec SA established
> {ESP=>0x04b36f2a <0xcc58ab3a NATOA=0.0.0.0}
> pluto[10451]: 10.10.4.1 appeared on ppp0
> pluto[10451]: 10.10.4.1 disappeared from ppp0
> pluto[10451]: 10.10.4.1 appeared on ppp0
> pluto[10451]: interface ppp0 activated
>
>
> ----------------------------------------------------------------------
>
>
> second connecting:
>
> pluto[10451]: packet from x.x.x.x:500: received Vendor ID payload [RFC
> 3947]
> pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02]
> pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n]
> pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-00]
> pluto[10451]: packet from x.x.x.x:500: ignoring Vendor ID payload
> [FRAGMENTATION 80000000]
> pluto[10451]: "L2TP-PSK-noNAT"[3] x.x.x.x #3: responding to Main Mode from
> unknown peer x.x.x.x
> pluto[10451]: "L2TP-PSK-noNAT"[3] x.x.x.x #3: NAT-Traversal: Result using
> RFC 3947: peer is NATed
> pluto[10451]: "L2TP-PSK-noNAT"[3] x.x.x.x #3: discarding duplicate packet;
> already STATE_MAIN_R2
> pluto[10451]: "L2TP-PSK-noNAT"[3] x.x.x.x #3: Peer ID is ID_IPV4_ADDR:
> '192.168.11.12'
> pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x #3: deleting connection
> "L2TP-PSK-noNAT" instance with peer x.x.x.x {isakmp=#0/ipsec=#0}
> pluto[10451]: | NAT-T: new mapping x.x.x.x:500/4500)
> pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: sent MR3, ISAKMP SA
> established
> pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: ignoring informational
> payload, type IPSEC_INITIAL_CONTACT
> pluto[10451]: "L2TP-PSK-NAT"[2] x.x.x.x:4500 #4: responding to Quick Mode
> pluto[10451]: "L2TP-PSK-NAT"[2] x.x.x.x:4500 #4: cannot install eroute --
> it is in use for "L2TP-PSK-NAT"[1] x.x.x.x:4500 #2
> pluto[10451]: "L2TP-PSK-NAT"[2] x.x.x.x:4500: deleting connection
> "L2TP-PSK-NAT" instance with peer x.x.x.x {isakmp=#0/ipsec=#0}
> pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: Quick Mode I1 message
> is unacceptable because it uses a previously used Message ID 0x4b6223a8
> (perhaps this is a duplicated packet)
> pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: sending encrypted
> notification INVALID_MESSAGE_ID to x.x.x.x:4500
> pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: Quick Mode I1 message
> is unacceptable because it uses a previously used Message ID 0x4b6223a8
> (perhaps this is a duplicated packet)
> pluto[10451]: "L2TP-PSK-noNAT"[4] x.x.x.x:4500 #3: sending encrypted
> notification INVALID_MESSAGE_ID to x.x.x.x:4500
>
>
>
> ----------------------------------------------------------------------
>
> It seems that I have met the same problem as a post on the openswan mailing
> list:
> https://lists.openswan.org/pipermail/users/2010-May/018707.html
> It says that
>
> "This is a bug that needs fixing......
>
> It somehow does not realise it should replace the existing (or just terminated) IPsec SA."
>
> In the strongSwan change log, I found that
>
> "Starting with strongswan-2.5, only a single IPsec SA is established per
> host-pair connection."
>
> I tried all possible values of "auto" in ipsec.conf, and the problem remains
> the same.
>
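
As an added check (example code written for this page, not from the post or from strongSwan), a small Python parser for the "ipsec status" eroute line and the "cannot install eroute" pluto line quoted above; it flags the client-side 17/0 selector that the author noticed. The exact line shapes and the sample addresses are assumptions modelled on the post's output.

```python
import re

# Added example (not from the post or from strongSwan): parse the pluto
# "ipsec status" eroute line quoted in the post and flag a client-side
# UDP port of 0, and pick out the "cannot install eroute" log line seen
# when the second client behind the same NAT tried to connect.
EROUTE_RE = re.compile(
    r'^\d{3} "(?P<conn>[^"]+)"\[(?P<inst>\d+)\]:\s*'
    r'[^:\s]+:\d+\[[^\]]+\]:\d+/\d+---\S+?\.\.\.'          # server side, not needed here
    r'(?P<cli>[^:\s]+):(?P<cli_natt>\d+)\[(?P<cli_id>[^\]]+)\]:'
    r'(?P<cli_proto>\d+)/(?P<cli_port>\d+);\s*[^;]+;\s*eroute owner: #(?P<owner>\d+)')
BUSY_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] \S+ #(?P<sa>\d+): cannot install eroute -- '
    r'it is in use for "(?P<owner_conn>[^"]+)"\[(?P<owner_inst>\d+)\] \S+ #(?P<owner_sa>\d+)')

def parse_eroute(line):
    """Dict describing the client side of a status line of the quoted shape, else None.
    cli: client's public (NAT) address; cli_natt: UDP port its NAT-T traffic arrives from;
    cli_id: its inner address; cli_port 0 means the selector covers every cli_proto port."""
    m = EROUTE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ('inst', 'cli_natt', 'cli_proto', 'cli_port', 'owner'):
        d[k] = int(d[k])
    return d

def check_status(lines):
    """One warning per eroute whose client-side selector is UDP port 0."""
    out = []
    for er in map(parse_eroute, lines):
        if er and er['cli_proto'] == 17 and er['cli_port'] == 0:
            out.append(f"{er['conn']}[{er['inst']}] #{er['owner']}: selector for {er['cli']} is "
                       f"17/0 (any UDP port); a second client behind it will hit 'cannot install eroute'")
    return out

def find_eroute_conflicts(lines):
    """(conn, inst, sa, owner_conn, owner_inst, owner_sa) per 'cannot install eroute' line."""
    return [(m['conn'], int(m['inst']), int(m['sa']), m['owner_conn'],
             int(m['owner_inst']), int(m['owner_sa']))
            for m in map(BUSY_RE.search, lines) if m]

# Constructed samples modelled on the post's output; addresses are documentation ranges.
STATUS_SAMPLE = ['000 "L2TP-PSK-NAT"[2]: 198.51.100.1:4500[198.51.100.1]:17/1701'
                 '---198.51.100.254...203.0.113.5:19033[192.168.11.12]:17/0; erouted; eroute owner: #5']
PLUTO_SAMPLE = ['pluto[10451]: "L2TP-PSK-NAT"[2] 203.0.113.5:4500 #4: cannot install eroute -- '
                'it is in use for "L2TP-PSK-NAT"[1] 203.0.113.5:4500 #2']
```

Run check_status over the output of "ipsec status" and find_eroute_conflicts over the pluto log to see both symptoms from the post side by side.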
>