[strongSwan] Remote access vpn windows7 l2tp client fail to connect back

Jayapal Reddy jayapalatiiit at gmail.com
Thu Nov 19 12:57:51 CET 2015


Hi,

I have a router which has a strongSwan IPsec remote access VPN configuration.
I am able to connect from the Windows 7 machine, which is behind NAT, to this VPN
device, and traffic is also working.

The problem comes when I reapply the VPN config on edit.
This includes the following steps:
1. Down the L2TP connection.
2. Reload the config.

During this process the VPN connection is disconnected and the IPsec SA is
established. The Windows 7 VPN connection tries to connect (after some
timeout) and the connection fails to come up.

Can someone please help me with this? Is this problem from strongSwan or a client
issue?

After the config reapply:
root at r-94-QA:~# ipsec status
000 "L2TP-PSK": 10.147.52.107[10.147.52.107]:17/1701---10.147.52.1...%any[%any]:17/%any==={10.0.0.0/8}; unrouted; eroute owner: #0
000 "L2TP-PSK":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000

Please find the logs below (ipsec version 4.5.2):
root at r-94-QA:~# tail -f /var/log/auth.log
Nov 19 11:40:53 r-94-QA sudo: pam_unix(sudo:session): session closed for user root
Nov 19 11:40:53 r-94-QA pluto[18446]: "L2TP-PSK": deleting connection
Nov 19 11:40:53 r-94-QA pluto[18446]: added connection description "L2TP-PSK"
Nov 19 11:40:53 r-94-QA pluto[18446]: interface ppp0 deactivated
Nov 19 11:40:53 r-94-QA pluto[18446]: 10.1.2.1 disappeared from ppp0
Nov 19 11:40:53 r-94-QA pluto[18446]: forgetting secrets
Nov 19 11:40:53 r-94-QA pluto[18446]: loading secrets from "/etc/ipsec.secrets"
Nov 19 11:40:53 r-94-QA pluto[18446]: loading secrets from "/var/lib/strongswan/ipsec.conf.inc"
Nov 19 11:40:53 r-94-QA pluto[18446]: loading secrets from "/etc/ipsec.d/ipsec.any.secrets"
Nov 19 11:40:53 r-94-QA pluto[18446]:   loaded PSK secret for %any

Nov 19 11:41:29 r-94-QA pluto[18446]: packet from 10.147.52.104:4500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Nov 19 11:41:29 r-94-QA pluto[18446]: packet from 10.147.52.104:4500: received Vendor ID payload [RFC 3947]
Nov 19 11:41:29 r-94-QA pluto[18446]: packet from 10.147.52.104:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Nov 19 11:41:29 r-94-QA pluto[18446]: packet from 10.147.52.104:4500: ignoring Vendor ID payload [FRAGMENTATION]
Nov 19 11:41:29 r-94-QA pluto[18446]: packet from 10.147.52.104:4500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Nov 19 11:41:29 r-94-QA pluto[18446]: packet from 10.147.52.104:4500: ignoring Vendor ID payload [Vid-Initial-Contact]
Nov 19 11:41:29 r-94-QA pluto[18446]: packet from 10.147.52.104:4500: ignoring Vendor ID payload [IKE CGA version 1]
Nov 19 11:41:29 r-94-QA pluto[18446]: "L2TP-PSK"[1] 10.147.52.104:4500 #5: responding to Main Mode from unknown peer 10.147.52.104:4500
Nov 19 11:41:29 r-94-QA pluto[18446]: "L2TP-PSK"[1] 10.147.52.104:4500 #5: NAT-Traversal: Result using RFC 3947: peer is NATed
Nov 19 11:41:29 r-94-QA pluto[18446]: "L2TP-PSK"[1] 10.147.52.104:4500 #5: Peer ID is ID_IPV4_ADDR: '10.1.1.170'
Nov 19 11:41:29 r-94-QA pluto[18446]: "L2TP-PSK"[2] 10.147.52.104:4500 #5: deleting connection "L2TP-PSK" instance with peer 10.147.52.104 {isakmp=#0/ipsec=#0}
Nov 19 11:41:29 r-94-QA pluto[18446]: "L2TP-PSK"[2] 10.147.52.104:4500 #5: sent MR3, ISAKMP SA established
Nov 19 11:41:29 r-94-QA pluto[18446]: "L2TP-PSK"[2] 10.147.52.104:4500 #6: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Nov 19 11:41:29 r-94-QA pluto[18446]: "L2TP-PSK"[2] 10.147.52.104:4500 #6: responding to Quick Mode
Nov 19 11:41:29 r-94-QA pluto[18446]: "L2TP-PSK"[2] 10.147.52.104:4500 #6: IPsec SA established {ESP=>0xe5c71196 <0xc37b45df NATOA=10.1.1.170}
Nov 19 11:42:01 r-94-QA CRON[18888]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 19 11:42:01 r-94-QA CRON[18888]: pam_unix(cron:session): session closed for user root
Nov 19 11:43:14 r-94-QA sshd[18932]: Accepted publickey for root from 169.254.0.1 port 34840 ssh2
Nov 19 11:43:14 r-94-QA sshd[18932]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 19 11:43:14 r-94-QA sshd[18932]: pam_unix(sshd:session): session closed for user root
Nov 19 11:43:14 r-94-QA sshd[18940]: Accepted publickey for root from 169.254.0.1 port 34841 ssh2
Nov 19 11:43:14 r-94-QA sshd[18940]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 19 11:43:14 r-94-QA sshd[18940]: pam_unix(sshd:session): session closed for user root
Nov 19 11:43:41 r-94-QA pluto[18446]: packet from 10.147.52.104:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Nov 19 11:43:41 r-94-QA pluto[18446]: packet from 10.147.52.104:500: received Vendor ID payload [RFC 3947]
Nov 19 11:43:41 r-94-QA pluto[18446]: packet from 10.147.52.104:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Nov 19 11:43:41 r-94-QA pluto[18446]: packet from 10.147.52.104:500: ignoring Vendor ID payload [FRAGMENTATION]
Nov 19 11:43:41 r-94-QA pluto[18446]: packet from 10.147.52.104:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Nov 19 11:43:41 r-94-QA pluto[18446]: packet from 10.147.52.104:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Nov 19 11:43:41 r-94-QA pluto[18446]: packet from 10.147.52.104:500: ignoring Vendor ID payload [IKE CGA version 1]
Nov 19 11:43:41 r-94-QA pluto[18446]: "L2TP-PSK"[3] 10.147.52.104 #7: responding to Main Mode from unknown peer 10.147.52.104
Nov 19 11:43:41 r-94-QA pluto[18446]: "L2TP-PSK"[3] 10.147.52.104 #7: NAT-Traversal: Result using RFC 3947: peer is NATed
Nov 19 11:43:41 r-94-QA pluto[18446]: "L2TP-PSK"[3] 10.147.52.104 #7: Peer ID is ID_IPV4_ADDR: '10.1.1.170'
Nov 19 11:43:41 r-94-QA pluto[18446]: "L2TP-PSK"[4] 10.147.52.104 #7: deleting connection "L2TP-PSK" instance with peer 10.147.52.104 {isakmp=#0/ipsec=#0}
Nov 19 11:43:41 r-94-QA pluto[18446]: | NAT-T: new mapping 10.147.52.104:500/4500)
Nov 19 11:43:41 r-94-QA pluto[18446]: "L2TP-PSK"[4] 10.147.52.104:4500 #7: sent MR3, ISAKMP SA established
Nov 19 11:43:41 r-94-QA pluto[18446]: "L2TP-PSK"[4] 10.147.52.104:4500 #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Nov 19 11:43:41 r-94-QA pluto[18446]: "L2TP-PSK"[4] 10.147.52.104:4500 #8: responding to Quick Mode
Nov 19 11:43:41 r-94-QA pluto[18446]: "L2TP-PSK"[4] 10.147.52.104:4500 #8: cannot install eroute -- it is in use for "L2TP-PSK"[2] 10.147.52.104:4500 #6
Nov 19 11:43:42 r-94-QA pluto[18446]: "L2TP-PSK"[4] 10.147.52.104:4500 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Nov 19 11:43:42 r-94-QA pluto[18446]: "L2TP-PSK"[4] 10.147.52.104:4500 #7: sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.104:4500
Nov 19 11:43:44 r-94-QA pluto[18446]: "L2TP-PSK"[4] 10.147.52.104:4500 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Nov 19 11:43:44 r-94-QA pluto[18446]: "L2TP-PSK"[4] 10.147.52.104:4500 #7: sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.104:4500
Nov 19 11:43:48 r-94-QA pluto[18446]: "L2TP-PSK"[4] 10.147.52.104:4500 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Nov 19 11:43:48 r-94-QA pluto[18446]: "L2TP-PSK"[4] 10.147.52.104:4500 #7: sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.104:4500
Nov 19 11:43:56 r-94-QA pluto[18446]: "L2TP-PSK"[4] 10.147.52.104:4500 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)

Thanks,
Jayapal
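The log above shows the reconnect failing at the point where the new connection instance "L2TP-PSK"[4] cannot install its kernel policy because the old instance "L2TP-PSK"[2] (IPsec SA #6, set up before the reload) still owns it, after which the client's Quick Mode retransmits are rejected with INVALID_MESSAGE_ID. The following script is an added example, not code from the post or from strongSwan: it parses pluto lines of this shape and reports, for each "cannot install eroute" event, which stale instance and SA hold the policy (with the ESP SPIs seen when that SA was established) and how many retries were rejected. The sample log embedded in it is constructed to mirror the post's lines, unwrapped onto one record per line; the regexes assume the pluto 4.x prefix format `"<conn>"[<instance>] <peer>[:port] #<state>:` visible in the post.

```python
"""Spot the stale-policy reconnect failure in pluto (strongSwan 4.x) logs.

Added example, not code from the original post or from strongSwan. It scans
auth.log-style pluto lines and reports when a new instance of a connection
fails Quick Mode because the kernel policy ("eroute") is still owned by an
older instance of the same connection, then counts the client's Quick Mode
retransmits that pluto rejected with INVALID_MESSAGE_ID. SAMPLE_LOG is a
constructed sample modelled on the post's log, one record per line.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Prefix pluto puts on state-bound lines: "<conn>"[<instance>] <peer>[:port] #<state>: <msg>
STATE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
    r'(?P<peer>[\d.]+)(?::\d+)? #(?P<state>\d+): (?P<msg>.*)$'
)
ESTABLISHED_RE = re.compile(
    r'IPsec SA established \{ESP=>(?P<out>0x[0-9a-f]+) <(?P<in>0x[0-9a-f]+)'
)
EROUTE_RE = re.compile(
    r'cannot install eroute -- it is in use for "(?P<conn>[^"]+)"'
    r'\[(?P<inst>\d+)\] (?P<peer>[\d.]+)(?::\d+)? #(?P<state>\d+)'
)
MSGID_RE = re.compile(r'previously used Message ID (?P<msgid>0x[0-9a-f]+)')


@dataclass
class StalePolicy:
    conn: str
    peer: str
    new_inst: int        # connection instance whose Quick Mode failed
    new_state: int       # its IPsec state number (#N)
    old_inst: int        # instance that still owns the kernel policy
    old_state: int       # the IPsec SA (#N) holding that policy
    old_spi: Optional[Tuple[str, str]] = None  # (outbound, inbound) ESP SPIs if seen
    retries: int = 0     # Quick Mode I1 retransmits rejected with INVALID_MESSAGE_ID


def analyze(lines: List[str]) -> List[StalePolicy]:
    """Return one StalePolicy per 'cannot install eroute' event, with context."""
    # (conn, instance) -> (state, (out_spi, in_spi)) for every established IPsec SA
    established: Dict[Tuple[str, int], Tuple[int, Tuple[str, str]]] = {}
    findings: List[StalePolicy] = []
    for line in lines:
        m = STATE_RE.search(line)
        if not m:
            continue  # vendor-ID, NAT-T debug and non-pluto lines carry no state prefix
        conn, inst, state, msg = m['conn'], int(m['inst']), int(m['state']), m['msg']
        e = ESTABLISHED_RE.search(msg)
        if e:
            established[(conn, inst)] = (state, (e['out'], e['in']))
            continue
        c = EROUTE_RE.search(msg)
        if c:
            old_key = (c['conn'], int(c['inst']))
            old = established.get(old_key)
            findings.append(StalePolicy(
                conn=conn, peer=m['peer'], new_inst=inst, new_state=state,
                old_inst=old_key[1], old_state=int(c['state']),
                old_spi=old[1] if old else None,
            ))
            continue
        if MSGID_RE.search(msg):
            # Retries are logged against the new instance's ISAKMP SA; attribute
            # them to the most recent finding for that connection instance.
            for f in reversed(findings):
                if f.conn == conn and f.new_inst == inst:
                    f.retries += 1
                    break
    return findings


def summarize(f: StalePolicy) -> str:
    spi = f" (ESP out {f.old_spi[0]}, in {f.old_spi[1]})" if f.old_spi else ""
    return (f'"{f.conn}"[{f.new_inst}] #{f.new_state} from {f.peer} could not install its '
            f'policy: still owned by "{f.conn}"[{f.old_inst}] #{f.old_state}{spi}; '
            f'{f.retries} Quick Mode retries rejected with INVALID_MESSAGE_ID')


# Constructed sample, modelled on the post's log (records unwrapped onto one line each).
SAMPLE_LOG = """\
Nov 19 11:41:29 r-94-QA pluto[18446]: "L2TP-PSK"[2] 10.147.52.104:4500 #5: sent MR3, ISAKMP SA established
Nov 19 11:41:29 r-94-QA pluto[18446]: "L2TP-PSK"[2] 10.147.52.104:4500 #6: IPsec SA established {ESP=>0xe5c71196 <0xc37b45df NATOA=10.1.1.170}
Nov 19 11:43:41 r-94-QA pluto[18446]: packet from 10.147.52.104:500: received Vendor ID payload [RFC 3947]
Nov 19 11:43:41 r-94-QA pluto[18446]: "L2TP-PSK"[4] 10.147.52.104:4500 #7: sent MR3, ISAKMP SA established
Nov 19 11:43:41 r-94-QA pluto[18446]: "L2TP-PSK"[4] 10.147.52.104:4500 #8: responding to Quick Mode
Nov 19 11:43:41 r-94-QA pluto[18446]: "L2TP-PSK"[4] 10.147.52.104:4500 #8: cannot install eroute -- it is in use for "L2TP-PSK"[2] 10.147.52.104:4500 #6
Nov 19 11:43:42 r-94-QA pluto[18446]: "L2TP-PSK"[4] 10.147.52.104:4500 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Nov 19 11:43:42 r-94-QA pluto[18446]: "L2TP-PSK"[4] 10.147.52.104:4500 #7: sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.104:4500
Nov 19 11:43:44 r-94-QA pluto[18446]: "L2TP-PSK"[4] 10.147.52.104:4500 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(summarize(finding))
```

Run it against a real `/var/log/auth.log` with `analyze(open(path).read().splitlines())`; a finding whose `old_inst` differs from `new_inst` for the same peer is the signature seen in the post, and the reported stale instance and SA number are what to look for in `ipsec statusall` before deciding how to clear it.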

