[strongSwan] VPN client (l2tp) is failed to reconnect
Jayapal Reddy
jayapalatiiit at gmail.com
Tue Oct 27 07:57:38 CET 2015
Hi,
I am using the strongswan ipsec. I have the remote access vpn setup and
windows7 client behind NAT got connected successfully.
The problem comes on restart of ipsec device or configuration update of the
ipsec. After restarting my ipsec device vpn client is failed to reconnect.
If restart ipsec or down the connection it is able to reconnect.
On restart or config update I am using the 'ipsec down L2TP-PSK' to down
the existing connections.
I am giving the ipsec config and logs below.
Is this problem from the strongswan ipsec or configuration issue ?
ipsec version:
# ipsec --version
Linux strongSwan U4.5.2/K3.2.0-4-amd64
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
..... /var/log/auth.log
Oct 27 06:45:13 r-49-QA pluto[8032]: packet from 10.147.52.104:4500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Oct 27 06:45:13 r-49-QA pluto[8032]: packet from 10.147.52.104:4500:
ignoring Vendor ID payload [IKE CGA version 1]
Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[1] 10.147.52.104:4500 #3:
responding to Main Mode from unknown peer 10.147.52.104:4500
Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[1] 10.147.52.104:4500 #3:
NAT-Traversal: Result using RFC 3947: peer is NATed
Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[1] 10.147.52.104:4500 #3:
Peer ID is ID_IPV4_ADDR: '10.1.1.237'
Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500 #3:
deleting connection "L2TP-PSK" instance with peer 10.147.52.104
{isakmp=#0/ipsec=#0}
Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500 #3:
sent MR3, ISAKMP SA established
Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500 #4:
NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500 #4:
responding to Quick Mode
Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500 #4:
IPsec SA established {ESP=>0x9bf54461 <0xce23acb0 NATOA=10.1.1.237}
Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
received Vendor ID payload [RFC 3947]
Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
ignoring Vendor ID payload [FRAGMENTATION]
Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
ignoring Vendor ID payload [IKE CGA version 1]
Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[3] 10.147.52.104 #5:
responding to Main Mode from unknown peer 10.147.52.104
Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[3] 10.147.52.104 #5:
NAT-Traversal: Result using RFC 3947: peer is NATed
Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[3] 10.147.52.104 #5: Peer
ID is ID_IPV4_ADDR: '10.1.1.237'
Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104 #5:
deleting connection "L2TP-PSK" instance with peer 10.147.52.104
{isakmp=#0/ipsec=#0}
Oct 27 06:47:51 r-49-QA pluto[8032]: | NAT-T: new mapping
10.147.52.104:500/4500)
Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5:
sent MR3, ISAKMP SA established
Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #6:
NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #6:
responding to Quick Mode
*Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
<http://10.147.52.104:4500> #6: cannot install eroute -- it is in use for
"L2TP-PSK"[2] 10.147.52.104:4500 <http://10.147.52.104:4500> *#4
*Oct 27 06:47:52 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
<http://10.147.52.104:4500> #5: Quick Mode I1 message is unacceptable
because it uses a previously used Message ID 0x01000000 (perhaps this is a
duplicated packet)*
Oct 27 06:47:52 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5:
sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.104:4500
Oct 27 06:47:52 r-49-QA sshd[8410]: Accepted publickey for root from
169.254.0.1 port 46419 ssh2
Oct 27 06:47:52 r-49-QA sshd[8410]: pam_unix(sshd:session): session opened
for user root by (uid=0)
Oct 27 06:47:53 r-49-QA sshd[8410]: pam_unix(sshd:session): session closed
for user root
Oct 27 06:47:53 r-49-QA sshd[8412]: Accepted publickey for root from
169.254.0.1 port 46420 ssh2
Oct 27 06:47:53 r-49-QA sshd[8412]: pam_unix(sshd:session): session opened
for user root by (uid=0)
Oct 27 06:47:53 r-49-QA sshd[8412]: pam_unix(sshd:session): session closed
for user root
Oct 27 06:47:53 r-49-QA sshd[8428]: Accepted publickey for root from
169.254.0.1 port 46421 ssh2
Oct 27 06:47:53 r-49-QA sshd[8428]: pam_unix(sshd:session): session opened
for user root by (uid=0)
Oct 27 06:47:53 r-49-QA sshd[8428]: pam_unix(sshd:session): session closed
for user root
Oct 27 06:47:54 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5:
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x01000000 (perhaps this is a duplicated packet)
Oct 27 06:47:54 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5:
sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.104:4500
Oct 27 06:47:54 r-49-QA sshd[8456]: Accepted publickey for root from
169.254.0.1 port 46422 ssh2
Oct 27 06:47:54 r-49-QA sshd[8456]: pam_unix(sshd:session): session opened
for user root by (uid=0)
Oct 27 06:47:54 r-49-QA sshd[8456]: pam_unix(sshd:session): session closed
for user root
Oct 27 06:47:58 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5:
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x01000000 (perhaps this is a duplicated packet)
Oct 27 06:47:58 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5:
sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.104:4500
Oct 27 06:48:01 r-49-QA CRON[8466]: pam_unix(cron:session): session opened
for user root by (uid=0)
Oct 27 06:48:01 r-49-QA CRON[8466]: pam_unix(cron:session): session closed
for user root
Oct 27 06:48:06 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5:
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x01000000 (perhaps this is a duplicated packet)
Oct 27 06:48:06 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5:
sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.104:4500
Oct 27 06:48:22 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5:
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x01000000 (perhaps this is a duplicated packet)
Oct 27 06:48:22 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5:
sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.104:4500
"
ipsec configuration:
root at r-49-QA:~# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
config setup
nat_traversal=yes
charonstart=yes
plutostart=yes
include /etc/ipsec.d/*.conf
root at r-49-QA:~#
root at r-49-QA:~# cat /etc/ipsec.d/l2tp.conf
#ipsec remote access vpn configuration
conn L2TP-PSK
authby=psk
pfs=no
rekey=no
keyingtries=3
keyexchange=ikev1
forceencaps=yes
leftfirewall=yes
leftnexthop=%defaultroute
# ----------------------------------------------------------
# The VPN server.
#
# Allow incoming connections on the external network interface.
# If you want to use a different interface or if there is no
# defaultroute, you can use: left=10.147.52.102
#
left=10.147.52.102
#
leftprotoport=17/1701
# If you insist on supporting non-updated Windows clients,
# you can use: leftprotoport=17/%any
#
# ----------------------------------------------------------
# The remote user(s).
#
# Allow incoming connections only from this IP address.
right=%any
# If you want to allow multiple connections from any IP address,
# you can use: right=%any
#
rightprotoport=17/%any
#
# ----------------------------------------------------------
# Change 'ignore' to 'add' to enable this configuration.
#
rightsubnetwithin=10.1.2.0/8
auto=add
#
# ipsec status L2TP-PSK
000 "L2TP-PSK":
10.147.52.102[10.147.52.102]:17/1701---10.147.52.1...%any[%any]:17/%any==={
10.0.0.0/8}; unrouted; eroute owner: #0
000 "L2TP-PSK": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP-PSK"[2]: 10.147.52.102:4500
[10.147.52.102]:17/1701---10.147.52.1...10.147.52.104:4500[10.1.1.237]:17/1701;
erouted; eroute owner: #4
000 "L2TP-PSK"[2]: newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "L2TP-PSK"[10]: 10.147.52.102:4500
[10.147.52.102]:17/1701---10.147.52.1...10.147.52.104:4500[10.1.1.237]:17/1701;
unrouted; eroute owner: #0
000 "L2TP-PSK"[10]: newest ISAKMP SA: #14; newest IPsec SA: #0;
000
000 #4: "L2TP-PSK"[2] 10.147.52.104:4500 STATE_QUICK_R2 (IPsec SA
established); EVENT_SA_EXPIRE in 3040s; newest IPSEC; eroute owner
000 #4: "L2TP-PSK"[2] 10.147.52.104:4500 esp.9bf54461 at 10.147.52.104 (0
bytes) esp.ce23acb0 at 10.147.52.102 (980 bytes, 472s ago); transport
000 #3: "L2TP-PSK"[2] 10.147.52.104:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_EXPIRE in 28240s; newest ISAKMP
000 #14: "L2TP-PSK"[10] 10.147.52.104:4500 STATE_MAIN_R3 (sent MR3, ISAKMP
SA established); EVENT_SA_EXPIRE in 28772s; newest ISAKMP
000
Security Associations:
no match
Thanks,
Jayapal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20151027/5cc29060/attachment-0001.html>
More information about the Users
mailing list