[strongSwan] VPN client (l2tp) is failed to reconnect

Jayapal Reddy jayapalatiiit at gmail.com
Thu Oct 29 10:49:22 CET 2015


Is anyone facing similar issues?
Also, in the site-to-site VPN case the tunnel is up and running. After
restarting one device the tunnel fails to come up automatically. After
restarting ipsec the tunnel comes up.

Thanks,
Jayapal

On Wed, Oct 28, 2015 at 4:55 PM, Jayapal Reddy <jayapalatiiit at gmail.com>
wrote:

> Hi,
>
> Any help on this please ??
>
> -Jayapal
>
> On Tue, Oct 27, 2015 at 12:27 PM, Jayapal Reddy <jayapalatiiit at gmail.com>
> wrote:
>
>> Hi,
>>
>> I am using strongSwan IPsec. I have a remote access VPN setup, and a
>> Windows 7 client behind NAT connected successfully.
>> The problem comes on a restart of the ipsec device or a configuration update of
>> ipsec. After restarting my ipsec device, the VPN client fails to
>> reconnect. If I restart ipsec or bring the connection down, it is able to reconnect.
>>
>> On restart or config update I am using 'ipsec down L2TP-PSK' to bring down
>> the existing connections.
>>
>> I am giving the ipsec config and logs below.
>> Is this a problem in strongSwan ipsec or a configuration issue?
>>
>> ipsec version:
>> # ipsec --version
>> Linux strongSwan U4.5.2/K3.2.0-4-amd64
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil, Switzerland
>> See 'ipsec --copyright' for copyright information.
>>
>>
>>  ..... /var/log/auth.log
>>
>> Oct 27 06:45:13 r-49-QA pluto[8032]: packet from 10.147.52.104:4500:
>> ignoring Vendor ID payload [Vid-Initial-Contact]
>> Oct 27 06:45:13 r-49-QA pluto[8032]: packet from 10.147.52.104:4500:
>> ignoring Vendor ID payload [IKE CGA version 1]
>> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[1] 10.147.52.104:4500
>> #3: responding to Main Mode from unknown peer 10.147.52.104:4500
>> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[1] 10.147.52.104:4500
>> #3: NAT-Traversal: Result using RFC 3947: peer is NATed
>> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[1] 10.147.52.104:4500
>> #3: Peer ID is ID_IPV4_ADDR: '10.1.1.237'
>> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500
>> #3: deleting connection "L2TP-PSK" instance with peer 10.147.52.104
>> {isakmp=#0/ipsec=#0}
>> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500
>> #3: sent MR3, ISAKMP SA established
>> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500
>> #4: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
>> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500
>> #4: responding to Quick Mode
>> Oct 27 06:45:13 r-49-QA pluto[8032]: "L2TP-PSK"[2] 10.147.52.104:4500
>> #4: IPsec SA established {ESP=>0x9bf54461 <0xce23acb0 NATOA=10.1.1.237}
>>
>> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
>> received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
>> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
>> received Vendor ID payload [RFC 3947]
>> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
>> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
>> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
>> ignoring Vendor ID payload [FRAGMENTATION]
>> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
>> ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
>> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
>> ignoring Vendor ID payload [Vid-Initial-Contact]
>> Oct 27 06:47:51 r-49-QA pluto[8032]: packet from 10.147.52.104:500:
>> ignoring Vendor ID payload [IKE CGA version 1]
>> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[3] 10.147.52.104 #5:
>> responding to Main Mode from unknown peer 10.147.52.104
>> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[3] 10.147.52.104 #5:
>> NAT-Traversal: Result using RFC 3947: peer is NATed
>> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[3] 10.147.52.104 #5: Peer
>> ID is ID_IPV4_ADDR: '10.1.1.237'
>> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104 #5:
>> deleting connection "L2TP-PSK" instance with peer 10.147.52.104
>> {isakmp=#0/ipsec=#0}
>> Oct 27 06:47:51 r-49-QA pluto[8032]: | NAT-T: new mapping
>> 10.147.52.104:500/4500)
>> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>> #5: sent MR3, ISAKMP SA established
>> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>> #6: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
>> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>> #6: responding to Quick Mode
>> Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>> #6: cannot install eroute -- it is in use for
>> "L2TP-PSK"[2] 10.147.52.104:4500 #4
>> Oct 27 06:47:52 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>> #5: Quick Mode I1 message is unacceptable
>> because it uses a previously used Message ID 0x01000000 (perhaps this is a
>> duplicated packet)
>> Oct 27 06:47:52 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>> #5: sending encrypted notification INVALID_MESSAGE_ID to
>> 10.147.52.104:4500
>> Oct 27 06:47:52 r-49-QA sshd[8410]: Accepted publickey for root from
>> 169.254.0.1 port 46419 ssh2
>> Oct 27 06:47:52 r-49-QA sshd[8410]: pam_unix(sshd:session): session
>> opened for user root by (uid=0)
>> Oct 27 06:47:53 r-49-QA sshd[8410]: pam_unix(sshd:session): session
>> closed for user root
>> Oct 27 06:47:53 r-49-QA sshd[8412]: Accepted publickey for root from
>> 169.254.0.1 port 46420 ssh2
>> Oct 27 06:47:53 r-49-QA sshd[8412]: pam_unix(sshd:session): session
>> opened for user root by (uid=0)
>> Oct 27 06:47:53 r-49-QA sshd[8412]: pam_unix(sshd:session): session
>> closed for user root
>> Oct 27 06:47:53 r-49-QA sshd[8428]: Accepted publickey for root from
>> 169.254.0.1 port 46421 ssh2
>> Oct 27 06:47:53 r-49-QA sshd[8428]: pam_unix(sshd:session): session
>> opened for user root by (uid=0)
>> Oct 27 06:47:53 r-49-QA sshd[8428]: pam_unix(sshd:session): session
>> closed for user root
>> Oct 27 06:47:54 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>> #5: Quick Mode I1 message is unacceptable because it uses a previously used
>> Message ID 0x01000000 (perhaps this is a duplicated packet)
>> Oct 27 06:47:54 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>> #5: sending encrypted notification INVALID_MESSAGE_ID to
>> 10.147.52.104:4500
>> Oct 27 06:47:54 r-49-QA sshd[8456]: Accepted publickey for root from
>> 169.254.0.1 port 46422 ssh2
>> Oct 27 06:47:54 r-49-QA sshd[8456]: pam_unix(sshd:session): session
>> opened for user root by (uid=0)
>> Oct 27 06:47:54 r-49-QA sshd[8456]: pam_unix(sshd:session): session
>> closed for user root
>> Oct 27 06:47:58 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>> #5: Quick Mode I1 message is unacceptable because it uses a previously used
>> Message ID 0x01000000 (perhaps this is a duplicated packet)
>> Oct 27 06:47:58 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>> #5: sending encrypted notification INVALID_MESSAGE_ID to
>> 10.147.52.104:4500
>> Oct 27 06:48:01 r-49-QA CRON[8466]: pam_unix(cron:session): session
>> opened for user root by (uid=0)
>> Oct 27 06:48:01 r-49-QA CRON[8466]: pam_unix(cron:session): session
>> closed for user root
>> Oct 27 06:48:06 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>> #5: Quick Mode I1 message is unacceptable because it uses a previously used
>> Message ID 0x01000000 (perhaps this is a duplicated packet)
>> Oct 27 06:48:06 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>> #5: sending encrypted notification INVALID_MESSAGE_ID to
>> 10.147.52.104:4500
>> Oct 27 06:48:22 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>> #5: Quick Mode I1 message is unacceptable because it uses a previously used
>> Message ID 0x01000000 (perhaps this is a duplicated packet)
>> Oct 27 06:48:22 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500
>> #5: sending encrypted notification INVALID_MESSAGE_ID to
>> 10.147.52.104:4500
>>
>>
>>
>> ipsec configuration:
>>
>>
>> root at r-49-QA:~# cat /etc/ipsec.conf
>> # ipsec.conf - strongSwan IPsec configuration file
>>
>> config setup
>>    nat_traversal=yes
>>    charonstart=yes
>>    plutostart=yes
>>
>> include /etc/ipsec.d/*.conf
>> root at r-49-QA:~#
>> root at r-49-QA:~# cat /etc/ipsec.d/l2tp.conf
>> #ipsec remote access vpn configuration
>> conn L2TP-PSK
>>         authby=psk
>>         pfs=no
>>         rekey=no
>>         keyingtries=3
>>         keyexchange=ikev1
>>         forceencaps=yes
>>         leftfirewall=yes
>>         leftnexthop=%defaultroute
>>         # ----------------------------------------------------------
>>         # The VPN server.
>>         #
>>         # Allow incoming connections on the external network interface.
>>         # If you want to use a different interface or if there is no
>>         # defaultroute, you can use:   left=10.147.52.102
>>         #
>>         left=10.147.52.102
>>         #
>>         leftprotoport=17/1701
>>         # If you insist on supporting non-updated Windows clients,
>>         # you can use:    leftprotoport=17/%any
>>         #
>>         # ----------------------------------------------------------
>>         # The remote user(s).
>>         #
>>         # Allow incoming connections only from this IP address.
>>         right=%any
>>         # If you want to allow multiple connections from any IP address,
>>         # you can use:    right=%any
>>         #
>>         rightprotoport=17/%any
>>         #
>>         # ----------------------------------------------------------
>>         # Change 'ignore' to 'add' to enable this configuration.
>>         #
>>         rightsubnetwithin=10.1.2.0/8
>>         auto=add
>>
>> #
>> # ipsec status L2TP-PSK
>> 000 "L2TP-PSK":
>> 10.147.52.102[10.147.52.102]:17/1701---10.147.52.1...%any[%any]:17/%any==={
>> 10.0.0.0/8}; unrouted; eroute owner: #0
>> 000 "L2TP-PSK":   newest ISAKMP SA: #0; newest IPsec SA: #0;
>> 000 "L2TP-PSK"[2]: 10.147.52.102:4500
>> [10.147.52.102]:17/1701---10.147.52.1...10.147.52.104:4500[10.1.1.237]:17/1701;
>> erouted; eroute owner: #4
>> 000 "L2TP-PSK"[2]:   newest ISAKMP SA: #3; newest IPsec SA: #4;
>> 000 "L2TP-PSK"[10]: 10.147.52.102:4500
>> [10.147.52.102]:17/1701---10.147.52.1...10.147.52.104:4500[10.1.1.237]:17/1701;
>> unrouted; eroute owner: #0
>> 000 "L2TP-PSK"[10]:   newest ISAKMP SA: #14; newest IPsec SA: #0;
>> 000
>> 000 #4: "L2TP-PSK"[2] 10.147.52.104:4500 STATE_QUICK_R2 (IPsec SA
>> established); EVENT_SA_EXPIRE in 3040s; newest IPSEC; eroute owner
>> 000 #4: "L2TP-PSK"[2] 10.147.52.104:4500 esp.9bf54461 at 10.147.52.104 (0
>> bytes) esp.ce23acb0 at 10.147.52.102 (980 bytes, 472s ago); transport
>> 000 #3: "L2TP-PSK"[2] 10.147.52.104:4500 STATE_MAIN_R3 (sent MR3, ISAKMP
>> SA established); EVENT_SA_EXPIRE in 28240s; newest ISAKMP
>> 000 #14: "L2TP-PSK"[10] 10.147.52.104:4500 STATE_MAIN_R3 (sent MR3,
>> ISAKMP SA established); EVENT_SA_EXPIRE in 28772s; newest ISAKMP
>> 000
>> Security Associations:
>>   no match
>>
>>
>>
>> Thanks,
>> Jayapal
>>
>>
>
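As an added illustration (not part of Jayapal's post or of strongSwan itself), a small Python checker that scans pluto lines from auth.log for the pattern quoted above: a fresh connection instance whose Quick Mode fails with "cannot install eroute -- it is in use for" an older instance, followed by repeated INVALID_MESSAGE_ID notifications to the same peer. The sample log is constructed from the lines in the thread; the function and field names are my own.

```python
import re

# Constructed sample, modelled on the pluto lines quoted in the thread
# (connection name, instance numbers, SA numbers and peer copied from the post).
SAMPLE_LOG = """\
Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5: sent MR3, ISAKMP SA established
Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #6: responding to Quick Mode
Oct 27 06:47:51 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #6: cannot install eroute -- it is in use for "L2TP-PSK"[2] 10.147.52.104:4500 #4
Oct 27 06:47:52 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Oct 27 06:47:52 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5: sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.104:4500
Oct 27 06:47:52 r-49-QA sshd[8410]: Accepted publickey for root from 169.254.0.1 port 46419 ssh2
Oct 27 06:47:54 r-49-QA pluto[8032]: "L2TP-PSK"[4] 10.147.52.104:4500 #5: sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.104:4500
"""

# A pluto state line: "<conn>"[<instance>] <peer> #<state>: <message>
STATE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')
# The eroute conflict names the instance and IPsec SA that still own the route.
EROUTE_RE = re.compile(
    r'cannot install eroute -- it is in use for "(?P<oconn>[^"]+)"\[(?P<oinst>\d+)\] \S+ #(?P<ostate>\d+)')


def find_stale_sa_conflicts(log_text):
    """Return, per peer, the new instance whose Quick Mode was blocked by an eroute
    still owned by an older instance, plus how many INVALID_MESSAGE_ID notifications
    pluto sent that peer afterwards (the retry loop visible in the thread)."""
    conflicts = {}
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if not m:
            continue  # sshd, cron and other non-pluto lines are ignored
        peer, msg = m['peer'], m['msg']
        e = EROUTE_RE.search(msg)
        if e:
            conflicts[peer] = {
                'conn': m['conn'],
                'new_instance': int(m['inst']), 'new_state': int(m['state']),
                'stale_instance': int(e['oinst']), 'stale_state': int(e['ostate']),
                'invalid_message_id_notifies': 0,
            }
        elif 'notification INVALID_MESSAGE_ID' in msg and peer in conflicts:
            conflicts[peer]['invalid_message_id_notifies'] += 1
    return conflicts


if __name__ == '__main__':
    for peer, c in find_stale_sa_conflicts(SAMPLE_LOG).items():
        print(f"{peer}: instance [{c['new_instance']}] #{c['new_state']} blocked by stale "
              f"[{c['stale_instance']}] #{c['stale_state']}, "
              f"{c['invalid_message_id_notifies']} INVALID_MESSAGE_ID notifications")
```

Running it against the real auth.log shows which peer is stuck behind a leftover SA; the report names the old instance and SA number so an operator knows which entry `ipsec status` will still list as eroute owner.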