[strongSwan] [URGENT] windows l2tp client failed to connect on ipsec restart

Jayapal Reddy jayapalatiiit at gmail.com
Tue Dec 15 11:47:00 CET 2015


Hi,

I am using strongSwan 4.5.2. I have a remote access VPN connection. From
Windows the connection is up and running. The problem starts when I
restart/update ipsec on my IPsec Linux device. The Windows client is behind
NAT.

Can someone please help me with how to solve this issue? I have been
struggling with it for the past 2 weeks.

Related logs are at [1], configuration at [2].



[1]
Dec 15 10:34:26 r-47-QA pluto[2591]: interface ppp0 deactivated
Dec 15 10:34:26 r-47-QA pluto[2591]: 10.1.2.1 disappeared from ppp0
Dec 15 10:34:26 r-47-QA pluto[2591]: forgetting secrets
Dec 15 10:34:26 r-47-QA pluto[2591]: loading secrets from
"/etc/ipsec.secrets"
Dec 15 10:34:26 r-47-QA pluto[2591]: loading secrets from
"/var/lib/strongswan/ipsec.conf.inc"
Dec 15 10:34:26 r-47-QA pluto[2591]: loading secrets from
"/etc/ipsec.d/ipsec.any.secrets"
Dec 15 10:34:26 r-47-QA pluto[2591]:   loaded PSK secret for %any
Dec 15 10:35:01 r-47-QA CRON[5134]: pam_unix(cron:session): session opened
for user root by (uid=0)
Dec 15 10:35:01 r-47-QA CRON[5134]: pam_unix(cron:session): session closed
for user root
Dec 15 10:36:01 r-47-QA CRON[5183]: pam_unix(cron:session): session opened
for user root by (uid=0)
Dec 15 10:36:01 r-47-QA CRON[5183]: pam_unix(cron:session): session closed
for user root
Dec 15 10:36:11 r-47-QA pluto[2591]: packet from 10.147.52.172:500:
received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Dec 15 10:36:11 r-47-QA pluto[2591]: packet from 10.147.52.172:500:
received Vendor ID payload [RFC 3947]
Dec 15 10:36:11 r-47-QA pluto[2591]: packet from 10.147.52.172:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Dec 15 10:36:11 r-47-QA pluto[2591]: packet from 10.147.52.172:500:
ignoring Vendor ID payload [FRAGMENTATION]
Dec 15 10:36:11 r-47-QA pluto[2591]: packet from 10.147.52.172:500:
ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Dec 15 10:36:11 r-47-QA pluto[2591]: packet from 10.147.52.172:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Dec 15 10:36:11 r-47-QA pluto[2591]: packet from 10.147.52.172:500:
ignoring Vendor ID payload [IKE CGA version 1]
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[10] 10.147.52.172 #13:
responding to Main Mode from unknown peer 10.147.52.172
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[10] 10.147.52.172 #13:
NAT-Traversal: Result using RFC 3947: peer is NATed
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[10] 10.147.52.172 #13: Peer
ID is ID_IPV4_ADDR: '10.1.1.189'
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172 #13:
deleting connection "L2TP-PSK" instance with peer 10.147.52.172
{isakmp=#0/ipsec=#0}
Dec 15 10:36:11 r-47-QA pluto[2591]: | NAT-T: new mapping
10.147.52.172:500/4500)
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #13:
sent MR3, ISAKMP SA established
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #14:
NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #14:
responding to Quick Mode
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #14:
cannot install eroute -- it is in use for "L2TP-PSK"[9] 10.147.52.172:4500
#12
Dec 15 10:36:12 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #13:
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x01000000 (perhaps this is a duplicated packet)
Dec 15 10:36:12 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #13:
sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.172:4500
Dec 15 10:36:14 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #13:
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x01000000 (perhaps this is a duplicated packet)
Dec 15 10:36:14 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #13:
sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.172:4500
Dec 15 10:36:18 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #13:
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x01000000 (perhaps this is a duplicated packet)
Dec 15 10:36:18 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #13:
sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.172:4500

[2]

# ipsec --version
Linux strongSwan U4.5.2/K3.2.0-4-amd64


root at r-47-QA:~# cat /etc/ipsec.d/l2tp.conf
#ipsec remote access vpn configuration
conn L2TP-PSK
        authby=secret
        pfs=no
        rekey=yes
        keyingtries=3
        keyexchange=ikev1
        forceencaps=yes
        leftfirewall=yes
        leftnexthop=%defaultroute
        # ----------------------------------------------------------
        # The VPN server.
        #
        # Allow incoming connections on the external network interface.
        # If you want to use a different interface or if there is no
        # defaultroute, you can use:   left=10.147.52.174
        #
        left=10.147.52.174
        #
        leftprotoport=17/1701
        # If you insist on supporting non-updated Windows clients,
        # you can use:    leftprotoport=17/%any
        #
        # ----------------------------------------------------------
        # The remote user(s).
        #
        # Allow incoming connections only from this IP address.
        right=%any
        # If you want to allow multiple connections from any IP address,
        # you can use:    right=%any
        #
        rightprotoport=17/%any
        #
        # ----------------------------------------------------------
        # Change 'ignore' to 'add' to enable this configuration.
        #
        rightsubnetwithin=10.1.2.2/8
        auto=add

Thanks,
Jayapal
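As an added check (not from the original post or the strongSwan project), a small Python parser over constructed lines modelled on the pluto output in [1]: it flags a peer whose Quick Mode was refused because an older connection instance still holds the eroute, and counts the INVALID_MESSAGE_ID notifications that follow, which is the retry pattern visible after the restart.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the pluto log quoted in the post.
SAMPLE_LOG = """\
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172 #13: deleting connection "L2TP-PSK" instance with peer 10.147.52.172 {isakmp=#0/ipsec=#0}
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #13: sent MR3, ISAKMP SA established
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #14: responding to Quick Mode
Dec 15 10:36:11 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #14: cannot install eroute -- it is in use for "L2TP-PSK"[9] 10.147.52.172:4500 #12
Dec 15 10:36:12 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #13: sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.172:4500
Dec 15 10:36:14 r-47-QA pluto[2591]: "L2TP-PSK"[11] 10.147.52.172:4500 #13: sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.172:4500
"""

# pluto line shape: "conn"[instance] peer[:port] #state: message
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
    r'(?P<peer>[\d.]+)(?::\d+)? #(?P<state>\d+): (?P<msg>.*)$')
EROUTE_RE = re.compile(
    r'cannot install eroute -- it is in use for "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
    r'(?P<peer>[\d.]+)(?::\d+)? #(?P<state>\d+)')

def find_stale_eroutes(log_text):
    """Return one finding per peer whose new IPsec SA was refused because an
    older connection instance still holds the eroute, together with the
    number of INVALID_MESSAGE_ID notifications sent to that peer."""
    findings = {}
    invalid_ids = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a per-connection pluto line
        peer = m.group("peer")
        e = EROUTE_RE.search(m.group("msg"))
        if e:
            findings[peer] = {
                "new_instance": int(m.group("inst")),
                "new_state": int(m.group("state")),
                "stale_instance": int(e.group("inst")),
                "stale_state": int(e.group("state")),
                "invalid_message_id_notifies": 0,
            }
        elif "INVALID_MESSAGE_ID" in m.group("msg"):
            invalid_ids[peer] += 1
    for peer, f in findings.items():
        f["invalid_message_id_notifies"] = invalid_ids[peer]
    return findings

if __name__ == "__main__":
    print(find_stale_eroutes(SAMPLE_LOG))
```

Run it against the real daemon log to see which stale instance and state number block the new Quick Mode for a peer, and whether the client is stuck retrying.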