[strongSwan] VPN client (l2tp) fails to reconnect

Jayapal Reddy jayapalatiiit at gmail.com
Wed Oct 28 12:25:18 CET 2015


Hi,

Any help on this, please?

-Jayapal

On Tue, Oct 27, 2015 at 12:27 PM, Jayapal Reddy <jayapalatiiit at gmail.com>
wrote:

> Hi,
>
> I am using strongSwan IPsec. I have a remote access VPN set up, and a
> Windows 7 client behind NAT connected successfully.
> The problem comes on a restart of the IPsec device or a configuration update
> of IPsec. After restarting my IPsec device, the VPN client fails to
> reconnect. If I restart IPsec or bring the connection down, it is able to reconnect.
>
> On restart or config update I am using 'ipsec down L2TP-PSK' to bring down
> the existing connections.
>
> I am giving the ipsec config and logs below.
> Is this a problem with strongSwan IPsec or a configuration issue?
>
> ipsec version:
> # ipsec --version
> Linux strongSwan U4.5.2/K3.2.0-4-amd64
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil, Switzerland
> See 'ipsec --copyright' for copyright information.
>
>
> /var/log/auth.log:
>
> Oct 27 06:45:13 r-49-QA pluto[8032]: packet from 10.147.52.104:4500:
> ignoring Vendor ID payload [Vid-Initial-Contact]
> Oct 27 06:45:13 r-49-QA pluto[8032]: packet from 10.147.52.104:4500:
> ignoring Vendor ID payload [IKE CGA version 1]
> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[1] 10.147.52.104:4500 #3:
> responding to Main Mode from unknown peer 10.147.52.104:4500
> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[1] 10.147.52.104:4500 #3:
> NAT-Traversal: Result using RFC 3947: peer is NATed
> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[1] 10.147.52.104:4500 #3:
> Peer ID is ID_IPV4_ADDR: '10.1.1.237'
> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500 #3:
> deleting connection "L2TP-PSK" instance with peer 10.147.52.104
> {isakmp=#0/ipsec=#0}
> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500 #3:
> sent MR3, ISAKMP SA established
> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500 #4:
> NAT-Traversal: received 2 NAT-OA. using first, ignoring others
> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500 #4:
> responding to Quick Mode
> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500 #4:
> IPsec SA established {ESP=>0x9bf54461 <0xce23acb0 NATOA=10.1.1.237}
>
> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
> received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
> received Vendor ID payload [RFC 3947]
> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
> ignoring Vendor ID payload [FRAGMENTATION]
> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
> ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
> ignoring Vendor ID payload [Vid-Initial-Contact]
> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
> ignoring Vendor ID payload [IKE CGA version 1]
> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[3] 10.147.52.104 #5:
> responding to Main Mode from unknown peer 10.147.52.104
> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[3] 10.147.52.104 #5:
> NAT-Traversal: Result using RFC 3947: peer is NATed
> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[3] 10.147.52.104 #5: Peer
> ID is ID_IPV4_ADDR: '10.1.1.237'
> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104 #5:
> deleting connection "L2TP-PSK" instance with peer 10.147.52.104
> {isakmp=#0/ipsec=#0}
> Oct 27 06:47:51 r-49-QA pluto[8032]: | NAT-T: new mapping
> 10.147.52.104:500/4500)
> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5:
> sent MR3, ISAKMP SA established
> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #6:
> NAT-Traversal: received 2 NAT-OA. using first, ignoring others
> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #6:
> responding to Quick Mode
> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #6:
> cannot install eroute -- it is in use for "L2TP-PSK"[2] 10.147.52.104:4500 #4
> Oct 27 06:47:52 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5:
> Quick Mode I1 message is unacceptable because it uses a previously used
> Message ID 0x01000000 (perhaps this is a duplicated packet)
> Oct 27 06:47:52 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5:
> sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.104:4500
> Oct 27 06:47:52 r-49-QA sshd[8410]: Accepted publickey for root from
> 169.254.0.1 port 46419 ssh2
> Oct 27 06:47:52 r-49-QA sshd[8410]: pam_unix(sshd:session): session opened
> for user root by (uid=0)
> Oct 27 06:47:53 r-49-QA sshd[8410]: pam_unix(sshd:session): session closed
> for user root
> Oct 27 06:47:53 r-49-QA sshd[8412]: Accepted publickey for root from
> 169.254.0.1 port 46420 ssh2
> Oct 27 06:47:53 r-49-QA sshd[8412]: pam_unix(sshd:session): session opened
> for user root by (uid=0)
> Oct 27 06:47:53 r-49-QA sshd[8412]: pam_unix(sshd:session): session closed
> for user root
> Oct 27 06:47:53 r-49-QA sshd[8428]: Accepted publickey for root from
> 169.254.0.1 port 46421 ssh2
> Oct 27 06:47:53 r-49-QA sshd[8428]: pam_unix(sshd:session): session opened
> for user root by (uid=0)
> Oct 27 06:47:53 r-49-QA sshd[8428]: pam_unix(sshd:session): session closed
> for user root
> Oct 27 06:47:54 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5:
> Quick Mode I1 message is unacceptable because it uses a previously used
> Message ID 0x01000000 (perhaps this is a duplicated packet)
> Oct 27 06:47:54 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5:
> sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.104:4500
> Oct 27 06:47:54 r-49-QA sshd[8456]: Accepted publickey for root from
> 169.254.0.1 port 46422 ssh2
> Oct 27 06:47:54 r-49-QA sshd[8456]: pam_unix(sshd:session): session opened
> for user root by (uid=0)
> Oct 27 06:47:54 r-49-QA sshd[8456]: pam_unix(sshd:session): session closed
> for user root
> Oct 27 06:47:58 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5:
> Quick Mode I1 message is unacceptable because it uses a previously used
> Message ID 0x01000000 (perhaps this is a duplicated packet)
> Oct 27 06:47:58 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5:
> sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.104:4500
> Oct 27 06:48:01 r-49-QA CRON[8466]: pam_unix(cron:session): session opened
> for user root by (uid=0)
> Oct 27 06:48:01 r-49-QA CRON[8466]: pam_unix(cron:session): session closed
> for user root
> Oct 27 06:48:06 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5:
> Quick Mode I1 message is unacceptable because it uses a previously used
> Message ID 0x01000000 (perhaps this is a duplicated packet)
> Oct 27 06:48:06 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5:
> sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.104:4500
> Oct 27 06:48:22 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5:
> Quick Mode I1 message is unacceptable because it uses a previously used
> Message ID 0x01000000 (perhaps this is a duplicated packet)
> Oct 27 06:48:22 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5:
> sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.104:4500
>
>
>
> ipsec configuration:
>
>
> root at r-49-QA:~# cat /etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>    nat_traversal=yes
>    charonstart=yes
>    plutostart=yes
>
> include /etc/ipsec.d/*.conf
> root at r-49-QA:~#
> root at r-49-QA:~# cat /etc/ipsec.d/l2tp.conf
> #ipsec remote access vpn configuration
> conn L2TP-PSK
>         authby=psk
>         pfs=no
>         rekey=no
>         keyingtries=3
>         keyexchange=ikev1
>         forceencaps=yes
>         leftfirewall=yes
>         leftnexthop=%defaultroute
>         # ----------------------------------------------------------
>         # The VPN server.
>         #
>         # Allow incoming connections on the external network interface.
>         # If you want to use a different interface or if there is no
>         # defaultroute, you can use:   left=10.147.52.102
>         #
>         left=10.147.52.102
>         #
>         leftprotoport=17/1701
>         # If you insist on supporting non-updated Windows clients,
>         # you can use:    leftprotoport=17/%any
>         #
>         # ----------------------------------------------------------
>         # The remote user(s).
>         #
>         # Allow incoming connections only from this IP address.
>         right=%any
>         # If you want to allow multiple connections from any IP address,
>         # you can use:    right=%any
>         #
>         rightprotoport=17/%any
>         #
>         # ----------------------------------------------------------
>         # Change 'ignore' to 'add' to enable this configuration.
>         #
>         rightsubnetwithin=10.1.2.0/8
>         auto=add
>
> #
> # ipsec status L2TP-PSK
> 000 "L2TP-PSK":
> 10.147.52.102[10.147.52.102]:17/1701---10.147.52.1...%any[%any]:17/%any==={
> 10.0.0.0/8}; unrouted; eroute owner: #0
> 000 "L2TP-PSK":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "L2TP-PSK"[2]: 10.147.52.102:4500
> [10.147.52.102]:17/1701---10.147.52.1...10.147.52.104:4500[10.1.1.237]:17/1701;
> erouted; eroute owner: #4
> 000 "L2TP-PSK"[2]:   newest ISAKMP SA: #3; newest IPsec SA: #4;
> 000 "L2TP-PSK"[10]: 10.147.52.102:4500
> [10.147.52.102]:17/1701---10.147.52.1...10.147.52.104:4500[10.1.1.237]:17/1701;
> unrouted; eroute owner: #0
> 000 "L2TP-PSK"[10]:   newest ISAKMP SA: #14; newest IPsec SA: #0;
> 000
> 000 #4: "L2TP-PSK"[2] 10.147.52.104:4500 STATE_QUICK_R2 (IPsec SA
> established); EVENT_SA_EXPIRE in 3040s; newest IPSEC; eroute owner
> 000 #4: "L2TP-PSK"[2] 10.147.52.104:4500 esp.9bf54461 at 10.147.52.104 (0
> bytes) esp.ce23acb0 at 10.147.52.102 (980 bytes, 472s ago); transport
> 000 #3: "L2TP-PSK"[2] 10.147.52.104:4500 STATE_MAIN_R3 (sent MR3, ISAKMP
> SA established); EVENT_SA_EXPIRE in 28240s; newest ISAKMP
> 000 #14: "L2TP-PSK"[10] 10.147.52.104:4500 STATE_MAIN_R3 (sent MR3,
> ISAKMP SA established); EVENT_SA_EXPIRE in 28772s; newest ISAKMP
> 000
> Security Associations:
>   no match
>
>
>
> Thanks,
> Jayapal
>
>
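As an added example, not part of the thread, here is a small Python parser that runs over constructed pluto lines modelled on the quoted auth.log and reports the two symptoms visible there: a new connection instance whose eroute is blocked by an older instance's still-installed IPsec SA, and repeated INVALID_MESSAGE_ID notifications for the same ISAKMP SA. The regular expressions and the sample lines are my assumptions based on the quoted log format, not strongSwan's own code.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pluto lines quoted in the post above
# (one log record per line; the mail client had wrapped them).
SAMPLE_LOG = """\
Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500 #4: IPsec SA established {ESP=>0x9bf54461 <0xce23acb0 NATOA=10.1.1.237}
Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #6: cannot install eroute -- it is in use for "L2TP-PSK"[2] 10.147.52.104:4500 #4
Oct 27 06:47:52 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Oct 27 06:47:52 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5: sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.104:4500
Oct 27 06:47:54 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5: sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.104:4500
Oct 27 06:47:58 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5: sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.104:4500
"""

# Assumed shape of a pluto record: "conn"[instance] peer #sa: message
PLUTO = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)')
# Assumed shape of the eroute clash message, naming the SA that still owns the route.
EROUTE = re.compile(
    r'cannot install eroute -- it is in use for "(?P<oconn>[^"]+)"\[(?P<oinst>\d+)\] (?P<opeer>\S+) #(?P<osa>\d+)')


def analyse(log_text):
    """Return (conflicts, retries).

    conflicts: one dict per eroute clash, naming the new instance/SA that was
               refused and the older instance/SA still holding the route.
    retries:   (conn, instance, isakmp_sa) -> number of INVALID_MESSAGE_ID
               notifications sent, i.e. how often the client's Quick Mode
               retry was rejected while the stale route persisted.
    """
    conflicts = []
    retries = defaultdict(int)
    for line in log_text.splitlines():
        m = PLUTO.search(line)
        if not m:
            continue  # vendor-ID chatter, sshd, cron and other non-SA lines
        e = EROUTE.search(m["msg"])
        if e:
            conflicts.append({"peer": m["peer"],
                              "new_instance": int(m["inst"]), "new_sa": int(m["sa"]),
                              "blocking_instance": int(e["oinst"]), "blocking_sa": int(e["osa"])})
        elif "INVALID_MESSAGE_ID" in m["msg"]:
            retries[(m["conn"], int(m["inst"]), int(m["sa"]))] += 1
    return conflicts, dict(retries)


if __name__ == "__main__":
    found, counts = analyse(SAMPLE_LOG)
    for c in found:
        print("instance [%d] SA #%d blocked by stale instance [%d] SA #%d for %s"
              % (c["new_instance"], c["new_sa"], c["blocking_instance"], c["blocking_sa"], c["peer"]))
    print("INVALID_MESSAGE_ID retries:", counts)
```

The blocking SA number the parser reports (#4 for the sample) is the one to compare against the `eroute owner` field of `ipsec status`, which in the quoted output still lists #4 as the owner after the restart.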