[strongSwan] L2TP/IPSec Connect/Disconnect Problems

Noel Kuntze noel at familie-kuntze.de
Sun Oct 12 20:55:43 CEST 2014



Hello Milen,

Judging from the QUICK_MODE message sent by the client and received by strongSwan,
I'd say your clients have some problem.
Using dpd (dead peer detection) will help you. Activate it with "dpdaction=clear" on the gateway.

Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 12.10.2014 at 20:32, Milen Pankov wrote:
> Hi Noel,
>
> Sorry about the openswan thing, it is a typo. I am using strongswan.
> The problem is it is the same user trying to reconnect, that's why he
> uses the same credentials. I suppose his previous connection stays
> active on the system.
>
> Milen
>
>
> On 12.10.2014 21:28, Noel Kuntze wrote:
>>
>> Hello Milen,
>>
>> This is the strongswan mailing list, not the openswan one. There is
>> no guarantee that you will get help here.
>>
>> Based on the third message in the log excerpt, I think you need to
>> allow identical IDs or give your users different credentials.
>>
>> Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 12.10.2014 at 20:14, Milen Pankov wrote:
>>> Hi,
>>
>>> I have problems using l2tp/ipsec connections with openswan/xl2tp.
>>> Users using the connection frequently disconnect and after that
>>> cannot connect anymore. Here is a log example from a user that
>>> failed to connect after a disconnect:
>>
>>> 2014-08-09 23:20:30: "l2tp"[2422] public_ip:4500 #2738: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
>>> 2014-08-09 23:20:30: "l2tp"[2422] public_ip:4500 #2738: responding to Quick Mode
>>> 2014-08-09 23:20:30: "l2tp"[2422] public_ip:4500 #2738: cannot install eroute -- it is in use for "l2tp"[2419] public_ip:4500 #2735
>>> 2014-08-09 23:20:30: "l2tp"[2422] public_ip:4500: deleting connection "l2tp" instance with peer public_ip {isakmp=#0/ipsec=#0}
>>> 2014-08-09 23:20:32: "l2tp"[2419] public_ip:4500 #2734: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x02000000 (perhaps this is a duplicated packet)
>>> 2014-08-09 23:20:32: "l2tp"[2419] public_ip:4500 #2734: sending encrypted notification INVALID_MESSAGE_ID to public_ip:4500
>>> 2014-08-09 23:20:35: "l2tp"[2419] public_ip:4500 #2734: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x02000000 (perhaps this is a duplicated packet)
>>
>>> Can you help me with this?
>>
>>> Regards, Milen
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>
>

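Added example, not part of the original thread: a small triage script for logs in the format quoted above. It pairs each "cannot install eroute" entry with the older connection instance that still holds the eroute and counts rejected Quick Mode message IDs per instance. The function names `triage` and `stale_instances` are hypothetical, and the line format is assumed to match the quoted excerpt.

```python
import re
from collections import Counter

# Log entries from the excerpt quoted in the thread, one entry per line.
SAMPLE_LOG = """\
2014-08-09 23:20:30: "l2tp"[2422] public_ip:4500 #2738: responding to Quick Mode
2014-08-09 23:20:30: "l2tp"[2422] public_ip:4500 #2738: cannot install eroute -- it is in use for "l2tp"[2419] public_ip:4500 #2735
2014-08-09 23:20:30: "l2tp"[2422] public_ip:4500: deleting connection "l2tp" instance with peer public_ip {isakmp=#0/ipsec=#0}
2014-08-09 23:20:32: "l2tp"[2419] public_ip:4500 #2734: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x02000000 (perhaps this is a duplicated packet)
2014-08-09 23:20:32: "l2tp"[2419] public_ip:4500 #2734: sending encrypted notification INVALID_MESSAGE_ID to public_ip:4500
2014-08-09 23:20:35: "l2tp"[2419] public_ip:4500 #2734: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x02000000 (perhaps this is a duplicated packet)
"""

# Assumed layout: timestamp: "conn"[instance] peer[ #state]: message
LINE = re.compile(r'^(?P<ts>[\d-]+ [\d:]+): "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
                  r'\S+?(?: #(?P<state>\d+))?: (?P<msg>.*)$')
EROUTE = re.compile(r'cannot install eroute -- it is in use for '
                    r'"[^"]+"\[(\d+)\] \S+ #(\d+)')
REPLAY = re.compile(r'previously used Message ID (0x[0-9a-fA-F]+)')

def triage(log_text):
    """Return (blocked, replays): eroute conflicts and rejected message IDs."""
    blocked, replays = [], Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not in the assumed format
        inst = int(m["inst"])
        hit = EROUTE.search(m["msg"])
        if hit:  # new instance refused because an older one owns the eroute
            blocked.append({"time": m["ts"], "conn": m["conn"],
                            "new_instance": inst,
                            "stale_instance": int(hit[1]),
                            "stale_state": int(hit[2])})
        hit = REPLAY.search(m["msg"])
        if hit:  # Quick Mode I1 rejected for reusing a message ID
            replays[(inst, hit[1])] += 1
    return blocked, replays

def stale_instances(log_text):
    """Instances that hold a contested eroute and also reject reused message IDs."""
    blocked, replays = triage(log_text)
    holders = {b["stale_instance"] for b in blocked}
    return sorted(i for i in holders if any(inst == i for inst, _ in replays))

if __name__ == "__main__":
    print(stale_instances(SAMPLE_LOG))
```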



