[strongSwan] VPN client (l2tp) is failed to reconnect

Jayapal Reddy jayapalatiiit at gmail.com
Mon Nov 16 08:23:13 CET 2015


Can some one please respond if this issue is solved ?
Is this issue in strongswan version 4.5.2 ?

Thanks,
Jayapal

On Thu, Oct 29, 2015 at 3:19 PM, Jayapal Reddy <jayapalatiiit at gmail.com>
wrote:

> Any one is facing the similar issues.
> Also for site to site vpn case vpn tunnel is up and running. After
> restarting one device the tunnel is failed come up automatically. After
> restarting the ipsec the tunnel is coming up.
>
> Thanks,
> Jayapal
>
> On Wed, Oct 28, 2015 at 4:55 PM, Jayapal Reddy <jayapalatiiit at gmail.com>
> wrote:
>
>> Hi,
>>
>> Any help on this please ??
>>
>> -Jayapal
>>
>> On Tue, Oct 27, 2015 at 12:27 PM, Jayapal Reddy <jayapalatiiit at gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I am using the strongswan ipsec. I have the remote access vpn setup and
>>> windows7 client behind NAT got connected successfully.
>>> The problem comes on restart of ipsec device or configuration update of
>>> the ipsec. After restarting my ipsec device vpn client is failed to
>>> reconnect. If restart ipsec or down the connection it is able to reconnect.
>>>
>>> On restart or config update I am using the 'ipsec down L2TP-PSK' to
>>> down the existing connections.
>>>
>>> I am giving the ipsec config and logs below.
>>> Is this problem from the strongswan ipsec or configuration issue ?
>>>
>>> ipsec version:
>>> # ipsec --version
>>> Linux strongSwan U4.5.2/K3.2.0-4-amd64
>>> Institute for Internet Technologies and Applications
>>> University of Applied Sciences Rapperswil, Switzerland
>>> See 'ipsec --copyright' for copyright information.
>>>
>>>
>>>  ..... /var/log/auth.log
>>>
>>> Oct 27 06:45:13 r-49-QA pluto[8032]: packet from 10.147.52.104:4500:
>>> ignoring Vendor ID payload [Vid-Initial-Contact]
>>> Oct 27 06:45:13 r-49-QA pluto[8032]: packet from 10.147.52.104:4500:
>>> ignoring Vendor ID payload [IKE CGA version 1]
>>> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[1] 10.147.52.104:4500
>>> #3: responding to Main Mode from unknown peer 10.147.52.104:4500
>>> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[1] 10.147.52.104:4500
>>> #3: NAT-Traversal: Result using RFC 3947: peer is NATed
>>> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[1] 10.147.52.104:4500
>>> #3: Peer ID is ID_IPV4_ADDR: '10.1.1.237'
>>> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500
>>> #3: deleting connection "L2TP-PSK" instance with peer 10.147.52.104
>>> {isakmp=#0/ipsec=#0}
>>> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500
>>> #3: sent MR3, ISAKMP SA established
>>> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500
>>> #4: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
>>> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500
>>> #4: responding to Quick Mode
>>> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500
>>> #4: IPsec SA established {ESP=>0x9bf54461 <0xce23acb0 NATOA=10.1.1.237}
>>>
>>>
>>>
>>>
>>>
>>> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
>>> received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
>>> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
>>> received Vendor ID payload [RFC 3947]
>>> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
>>> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
>>> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
>>> ignoring Vendor ID payload [FRAGMENTATION]
>>> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
>>> ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
>>> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
>>> ignoring Vendor ID payload [Vid-Initial-Contact]
>>> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
>>> ignoring Vendor ID payload [IKE CGA version 1]
>>> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[3] 10.147.52.104 #5:
>>> responding to Main Mode from unknown peer 10.147.52.104
>>> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[3] 10.147.52.104 #5:
>>> NAT-Traversal: Result using RFC 3947: peer is NATed
>>> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[3] 10.147.52.104 #5:
>>> Peer ID is ID_IPV4_ADDR: '10.1.1.237'
>>> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104 #5:
>>> deleting connection "L2TP-PSK" instance with peer 10.147.52.104
>>> {isakmp=#0/ipsec=#0}
>>> Oct 27 06:47:51 r-49-QA pluto[8032]: | NAT-T: new mapping
>>> 10.147.52.104:500/4500)
>>> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>>> #5: sent MR3, ISAKMP SA established
>>> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>>> #6: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
>>> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>>> #6: responding to Quick Mode
>>> *Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>>> <http://10.147.52.104:4500> #6: cannot install eroute -- it is in use for
>>> "L2TP-PSK"[2] 10.147.52.104:4500 <http://10.147.52.104:4500> *#4
>>> *Oct 27 06:47:52 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>>> <http://10.147.52.104:4500> #5: Quick Mode I1 message is unacceptable
>>> because it uses a previously used Message ID 0x01000000 (perhaps this is a
>>> duplicated packet)*
>>> Oct 27 06:47:52 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>>> #5: sending encrypted notification INVALID_MESSAGE_ID to
>>> 10.147.52.104:4500
>>> Oct 27 06:47:52 r-49-QA sshd[8410]: Accepted publickey for root from
>>> 169.254.0.1 port 46419 ssh2
>>> Oct 27 06:47:52 r-49-QA sshd[8410]: pam_unix(sshd:session): session
>>> opened for user root by (uid=0)
>>> Oct 27 06:47:53 r-49-QA sshd[8410]: pam_unix(sshd:session): session
>>> closed for user root
>>> Oct 27 06:47:53 r-49-QA sshd[8412]: Accepted publickey for root from
>>> 169.254.0.1 port 46420 ssh2
>>> Oct 27 06:47:53 r-49-QA sshd[8412]: pam_unix(sshd:session): session
>>> opened for user root by (uid=0)
>>> Oct 27 06:47:53 r-49-QA sshd[8412]: pam_unix(sshd:session): session
>>> closed for user root
>>> Oct 27 06:47:53 r-49-QA sshd[8428]: Accepted publickey for root from
>>> 169.254.0.1 port 46421 ssh2
>>> Oct 27 06:47:53 r-49-QA sshd[8428]: pam_unix(sshd:session): session
>>> opened for user root by (uid=0)
>>> Oct 27 06:47:53 r-49-QA sshd[8428]: pam_unix(sshd:session): session
>>> closed for user root
>>> Oct 27 06:47:54 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>>> #5: Quick Mode I1 message is unacceptable because it uses a previously used
>>> Message ID 0x01000000 (perhaps this is a duplicated packet)
>>> Oct 27 06:47:54 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>>> #5: sending encrypted notification INVALID_MESSAGE_ID to
>>> 10.147.52.104:4500
>>> Oct 27 06:47:54 r-49-QA sshd[8456]: Accepted publickey for root from
>>> 169.254.0.1 port 46422 ssh2
>>> Oct 27 06:47:54 r-49-QA sshd[8456]: pam_unix(sshd:session): session
>>> opened for user root by (uid=0)
>>> Oct 27 06:47:54 r-49-QA sshd[8456]: pam_unix(sshd:session): session
>>> closed for user root
>>> Oct 27 06:47:58 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>>> #5: Quick Mode I1 message is unacceptable because it uses a previously used
>>> Message ID 0x01000000 (perhaps this is a duplicated packet)
>>> Oct 27 06:47:58 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>>> #5: sending encrypted notification INVALID_MESSAGE_ID to
>>> 10.147.52.104:4500
>>> Oct 27 06:48:01 r-49-QA CRON[8466]: pam_unix(cron:session): session
>>> opened for user root by (uid=0)
>>> Oct 27 06:48:01 r-49-QA CRON[8466]: pam_unix(cron:session): session
>>> closed for user root
>>> Oct 27 06:48:06 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>>> #5: Quick Mode I1 message is unacceptable because it uses a previously used
>>> Message ID 0x01000000 (perhaps this is a duplicated packet)
>>> Oct 27 06:48:06 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>>> #5: sending encrypted notification INVALID_MESSAGE_ID to
>>> 10.147.52.104:4500
>>> Oct 27 06:48:22 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>>> #5: Quick Mode I1 message is unacceptable because it uses a previously used
>>> Message ID 0x01000000 (perhaps this is a duplicated packet)
>>> Oct 27 06:48:22 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>>> #5: sending encrypted notification INVALID_MESSAGE_ID to
>>> 10.147.52.104:4500
>>> "
>>>
>>>
>>>
>>> ipsec configuration:
>>>
>>>
>>> root at r-49-QA:~# cat /etc/ipsec.conf
>>> # ipsec.conf - strongSwan IPsec configuration file
>>>
>>> config setup
>>>    nat_traversal=yes
>>>    charonstart=yes
>>>    plutostart=yes
>>>
>>> include /etc/ipsec.d/*.conf
>>> root at r-49-QA:~#
>>> root at r-49-QA:~# cat /etc/ipsec.d/l2tp.conf
>>> #ipsec remote access vpn configuration
>>> conn L2TP-PSK
>>>         authby=psk
>>>         pfs=no
>>>         rekey=no
>>>         keyingtries=3
>>>         keyexchange=ikev1
>>>         forceencaps=yes
>>>         leftfirewall=yes
>>>         leftnexthop=%defaultroute
>>>         # ----------------------------------------------------------
>>>         # The VPN server.
>>>         #
>>>         # Allow incoming connections on the external network interface.
>>>         # If you want to use a different interface or if there is no
>>>         # defaultroute, you can use:   left=10.147.52.102
>>>         #
>>>         left=10.147.52.102
>>>         #
>>>         leftprotoport=17/1701
>>>         # If you insist on supporting non-updated Windows clients,
>>>         # you can use:    leftprotoport=17/%any
>>>         #
>>>         # ----------------------------------------------------------
>>>         # The remote user(s).
>>>         #
>>>         # Allow incoming connections only from this IP address.
>>>         right=%any
>>>         # If you want to allow multiple connections from any IP address,
>>>         # you can use:    right=%any
>>>         #
>>>         rightprotoport=17/%any
>>>         #
>>>         # ----------------------------------------------------------
>>>         # Change 'ignore' to 'add' to enable this configuration.
>>>         #
>>>         rightsubnetwithin=10.1.2.0/8
>>>         auto=add
>>>
>>> #
>>> # ipsec status L2TP-PSK
>>> 000 "L2TP-PSK":
>>> 10.147.52.102[10.147.52.102]:17/1701---10.147.52.1...%any[%any]:17/%any==={
>>> 10.0.0.0/8}; unrouted; eroute owner: #0
>>> 000 "L2TP-PSK":   newest ISAKMP SA: #0; newest IPsec SA: #0;
>>> 000 "L2TP-PSK"[2]: 10.147.52.102:4500
>>> [10.147.52.102]:17/1701---10.147.52.1...10.147.52.104:4500[10.1.1.237]:17/1701;
>>> erouted; eroute owner: #4
>>> 000 "L2TP-PSK"[2]:   newest ISAKMP SA: #3; newest IPsec SA: #4;
>>> 000 "L2TP-PSK"[10]: 10.147.52.102:4500
>>> [10.147.52.102]:17/1701---10.147.52.1...10.147.52.104:4500[10.1.1.237]:17/1701;
>>> unrouted; eroute owner: #0
>>> 000 "L2TP-PSK"[10]:   newest ISAKMP SA: #14; newest IPsec SA: #0;
>>> 000
>>> 000 #4: "L2TP-PSK"[2] 10.147.52.104:4500 STATE_QUICK_R2 (IPsec SA
>>> established); EVENT_SA_EXPIRE in 3040s; newest IPSEC; eroute owner
>>> 000 #4: "L2TP-PSK"[2] 10.147.52.104:4500 esp.9bf54461 at 10.147.52.104 (0
>>> bytes) esp.ce23acb0 at 10.147.52.102 (980 bytes, 472s ago); transport
>>> 000 #3: "L2TP-PSK"[2] 10.147.52.104:4500 STATE_MAIN_R3 (sent MR3,
>>> ISAKMP SA established); EVENT_SA_EXPIRE in 28240s; newest ISAKMP
>>> 000 #14: "L2TP-PSK"[10] 10.147.52.104:4500 STATE_MAIN_R3 (sent MR3,
>>> ISAKMP SA established); EVENT_SA_EXPIRE in 28772s; newest ISAKMP
>>> 000
>>> Security Associations:
>>>   no match
>>>
>>>
>>>
>>> Thanks,
>>> Jayapal
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20151116/5f544c3b/attachment-0001.html>


More information about the Users mailing list