[strongSwan] [URGENT] windows lt2tp client failed to connect on ipsec restart
Jayapal Reddy
jayapalatiiit at gmail.com
Tue Dec 15 11:47:00 CET 2015
Hi,
I am using strongSwan 4.5.2. I have a remote access VPN connection. From
Windows the connection is up and running. The problem starts when I
restart/update ipsec on my IPsec Linux device. The Windows client is behind
NAT.
Can someone please help me with how to solve this issue? I have been
struggling with it for the past 2 weeks.
Related logs are at [1], configuration at [2].
[1]
Dec 15 10:34:26 r-47-QA pluto[2591]: interface ppp0 deactivated
Dec 15 10:34:26 r-47-QA pluto[2591]: 10.1.2.1 disappeared from ppp0
Dec 15 10:34:26 r-47-QA pluto[2591]: forgetting secrets
Dec 15 10:34:26 r-47-QA pluto[2591]: loading secrets from "/etc/ipsec.secrets"
Dec 15 10:34:26 r-47-QA pluto[2591]: loading secrets from "/var/lib/strongswan/ipsec.conf.inc"
Dec 15 10:34:26 r-47-QA pluto[2591]: loading secrets from "/etc/ipsec.d/ipsec.any.secrets"
Dec 15 10:34:26 r-47-QA pluto[2591]: loaded PSK secret for %any
Dec 15 10:35:01 r-47-QA CRON[5134]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 15 10:35:01 r-47-QA CRON[5134]: pam_unix(cron:session): session closed for user root
Dec 15 10:36:01 r-47-QA CRON[5183]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 15 10:36:01 r-47-QA CRON[5183]: pam_unix(cron:session): session closed for user root
Dec 15 10:36:11 r-47-QA pluto[2591]: packet from 10.147.52.172:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Dec 15 10:36:11 r-47-QA pluto[2591]: packet from 10.147.52.172:500: received Vendor ID payload [RFC 3947]
Dec 15 10:36:11 r-47-QA pluto[2591]: packet from 10.147.52.172:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Dec 15 10:36:11 r-47-QA pluto[2591]: packet from 10.147.52.172:500: ignoring Vendor ID payload [FRAGMENTATION]
Dec 15 10:36:11 r-47-QA pluto[2591]: packet from 10.147.52.172:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Dec 15 10:36:11 r-47-QA pluto[2591]: packet from 10.147.52.172:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Dec 15 10:36:11 r-47-QA pluto[2591]: packet from 10.147.52.172:500: ignoring Vendor ID payload [IKE CGA version 1]
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[10] 10.147.52.172 #13: responding to Main Mode from unknown peer 10.147.52.172
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[10] 10.147.52.172 #13: NAT-Traversal: Result using RFC 3947: peer is NATed
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[10] 10.147.52.172 #13: Peer ID is ID_IPV4_ADDR: '10.1.1.189'
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172 #13: deleting connection "L2TP-PSK" instance with peer 10.147.52.172 {isakmp=#0/ipsec=#0}
Dec 15 10:36:11 r-47-QA pluto[2591]: | NAT-T: new mapping 10.147.52.172:500/4500)
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #13: sent MR3, ISAKMP SA established
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #14: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #14: responding to Quick Mode
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #14: cannot install eroute -- it is in use for "L2TP-PSK"[9] 10.147.52.172:4500 #12
Dec 15 10:36:12 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #13: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Dec 15 10:36:12 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #13: sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.172:4500
Dec 15 10:36:14 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #13: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Dec 15 10:36:14 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #13: sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.172:4500
Dec 15 10:36:18 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #13: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Dec 15 10:36:18 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #13: sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.172:4500
[2]
# ipsec --version
Linux strongSwan U4.5.2/K3.2.0-4-amd64
root@r-47-QA:~# cat /etc/ipsec.d/l2tp.conf
#ipsec remote access vpn configuration
conn L2TP-PSK
authby=secret
pfs=no
rekey=yes
keyingtries=3
keyexchange=ikev1
forceencaps=yes
leftfirewall=yes
leftnexthop=%defaultroute
# ----------------------------------------------------------
# The VPN server.
#
# Allow incoming connections on the external network interface.
# If you want to use a different interface or if there is no
# defaultroute, you can use: left=10.147.52.174
#
left=10.147.52.174
#
leftprotoport=17/1701
# If you insist on supporting non-updated Windows clients,
# you can use: leftprotoport=17/%any
#
# ----------------------------------------------------------
# The remote user(s).
#
# Allow incoming connections only from this IP address.
right=%any
# If you want to allow multiple connections from any IP address,
# you can use: right=%any
#
rightprotoport=17/%any
#
# ----------------------------------------------------------
# Change 'ignore' to 'add' to enable this configuration.
#
rightsubnetwithin=10.1.2.2/8
auto=add
Thanks,
Jayapal
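The log at [1] shows a stale-state pattern that is worth detecting automatically on an IKEv1/L2TP gateway: after the restart, the NATed peer's new Quick Mode SA #14 cannot install its eroute because the old connection instance [9] (IPsec SA #12) still owns it, and the client then keeps retrying Quick Mode on ISAKMP SA #13, collecting repeated INVALID_MESSAGE_ID notifications. As an added example that is not part of the original post and not strongSwan's own code, the Python script below parses pluto log lines of this shape and reports both symptoms per peer. The sample lines are the post's own log entries rejoined onto single lines; the regular expressions, the field names and the threshold of two notifications are assumptions made for this example, and the script only reads log text and changes no IPsec state.

```python
import re
from collections import Counter

# Constructed sample: pluto lines from the post, rejoined onto single lines.
SAMPLE_LOG = """
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[10] 10.147.52.172 #13: responding to Main Mode from unknown peer 10.147.52.172
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[10] 10.147.52.172 #13: NAT-Traversal: Result using RFC 3947: peer is NATed
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172 #13: deleting connection "L2TP-PSK" instance with peer 10.147.52.172 {isakmp=#0/ipsec=#0}
Dec 15 10:36:11 r-47-QA pluto[2591]: | NAT-T: new mapping 10.147.52.172:500/4500)
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #13: sent MR3, ISAKMP SA established
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #14: responding to Quick Mode
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #14: cannot install eroute -- it is in use for "L2TP-PSK"[9] 10.147.52.172:4500 #12
Dec 15 10:36:12 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #13: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Dec 15 10:36:12 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #13: sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.172:4500
Dec 15 10:36:14 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #13: sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.172:4500
Dec 15 10:36:18 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #13: sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.172:4500
"""

# Assumed syslog layout: "<Mon DD HH:MM:SS> <host> pluto[<pid>]: <message>"
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# Assumed per-connection prefix: "<conn>"[<instance>] <peer>[:<port>] #<sa>: <text>
CONN_RE = re.compile(
    r'^"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\d+(?:\.\d+){3})'
    r'(?::(?P<port>\d+))? #(?P<sa>\d+): (?P<text>.*)$')
# The eroute conflict names the older instance and SA that still hold the route.
EROUTE_RE = re.compile(
    r'^cannot install eroute -- it is in use for "(?P<conn>[^"]+)"'
    r'\[(?P<inst>\d+)\] (?P<peer>\d+(?:\.\d+){3})(?::\d+)? #(?P<sa>\d+)$')


def analyze(log_text):
    """Scan pluto log text and collect the stale-SA symptoms per peer."""
    findings = {
        "nated_peers": set(),          # peers pluto reported as behind NAT
        "eroute_conflicts": [],        # new SA blocked by an old instance's eroute
        "invalid_message_id": Counter(),  # (peer, isakmp_sa) -> notifications sent
    }
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a pluto line (CRON noise, blank lines, ...)
        cm = CONN_RE.match(m.group("msg"))
        if not cm:
            continue  # pluto line without a connection prefix ("| NAT-T: ...")
        peer, sa, text = cm.group("peer"), int(cm.group("sa")), cm.group("text")
        if "peer is NATed" in text:
            findings["nated_peers"].add(peer)
        em = EROUTE_RE.match(text)
        if em:
            findings["eroute_conflicts"].append({
                "peer": peer,
                "new_instance": int(cm.group("inst")), "new_sa": sa,
                "old_instance": int(em.group("inst")), "old_sa": int(em.group("sa")),
            })
        if "INVALID_MESSAGE_ID" in text:
            findings["invalid_message_id"][(peer, sa)] += 1
    return findings


def stale_sa_alerts(findings, threshold=2):
    """Turn findings into alert strings; threshold is an assumed tuning value."""
    alerts = []
    for c in findings["eroute_conflicts"]:
        alerts.append(
            f"peer {c['peer']}: new IPsec SA #{c['new_sa']} (instance [{c['new_instance']}]) "
            f"blocked by stale instance [{c['old_instance']}] SA #{c['old_sa']}")
    for (peer, sa), n in findings["invalid_message_id"].items():
        if n >= threshold:
            alerts.append(
                f"peer {peer}: {n} INVALID_MESSAGE_ID notifications on ISAKMP SA #{sa}; "
                f"client is retrying Quick Mode against a rejected exchange")
    return alerts


if __name__ == "__main__":
    for line in stale_sa_alerts(analyze(SAMPLE_LOG)):
        print(line)
```

Run against a live log (`journalctl` or `/var/log/auth.log` piped in) this reports which old connection instance is holding the eroute, which is the thing to clear (or to avoid leaving behind on restart) before the NATed client can re-establish its IPsec SA; on the sample above it reports the instance [9] / SA #12 conflict and the three INVALID_MESSAGE_ID notifications on SA #13.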