This discussion has been locked.

v19 upgrade broke L2TP VPN Dial In

On Saturday, we were running SFOS 18.5.3 MR-3-Build408 on our XGS2100, and Mac/Android/iOS users were able to dial in to our L2TP VPN fine with their built-in clients (Windows 10 users had mixed results: some worked, others didn't, some codec trickery; also, Linux wouldn't work). While I was in the office on Saturday night, I decided to upgrade to v19 (build 317), as it advertised VPN enhancements which I thought could help with Windows clients.

Come Monday, now I realise the upgrade has broken L2TP for everybody. IPSec site-to-site VPNs appear to be fine but whenever anyone tries to dial in, the log shows:

2022-05-31 00:41:38Z 17[NET] <48> received packet: from 49.182.29.49[18836] to 172.18.8.254[500] (724 bytes)
2022-05-31 00:41:38Z 17[ENC] <48> parsed ID_PROT request 0 [ SA V V V V V V ]
2022-05-31 00:41:38Z 17[IKE] <48> received NAT-T (RFC 3947) vendor ID
2022-05-31 00:41:38Z 17[IKE] <48> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
2022-05-31 00:41:38Z 17[IKE] <48> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2022-05-31 00:41:38Z 17[IKE] <48> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
2022-05-31 00:41:38Z 17[IKE] <48> received FRAGMENTATION vendor ID
2022-05-31 00:41:38Z 17[IKE] <48> received DPD vendor ID
2022-05-31 00:41:38Z 17[IKE] <48> 49.182.29.49 is initiating a Main Mode IKE_SA
2022-05-31 00:41:38Z 17[ENC] <48> generating ID_PROT response 0 [ SA V V V V V ]
2022-05-31 00:41:38Z 17[NET] <48> sending packet: from 172.18.8.254[500] to 49.182.29.49[18836] (180 bytes)
2022-05-31 00:41:38Z 20[NET] <48> received packet: from 49.182.29.49[18836] to 172.18.8.254[500] (252 bytes)
2022-05-31 00:41:38Z 20[ENC] <48> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2022-05-31 00:41:38Z 20[IKE] <48> local host is behind NAT, sending keep alives
2022-05-31 00:41:38Z 20[IKE] <48> remote host is behind NAT
2022-05-31 00:41:38Z 20[ENC] <48> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
2022-05-31 00:41:38Z 20[NET] <48> sending packet: from 172.18.8.254[500] to 49.182.29.49[18836] (268 bytes)
2022-05-31 00:41:39Z 28[NET] <48> received packet: from 49.182.29.49[18837] to 172.18.8.254[4500] (108 bytes)
2022-05-31 00:41:39Z 28[ENC] <48> parsed ID_PROT request 0 [ ID HASH ]
2022-05-31 00:41:39Z 28[CFG] <48> looking for pre-shared key peer configs matching 172.18.8.254...49.182.29.49[10.11.76.81]
2022-05-31 00:41:39Z 28[CFG] <48> selected peer config "Company_Dial_In-1"
2022-05-31 00:41:39Z 28[IKE] <Company_Dial_In-1|48> IKE_SA Company_Dial_In-1[48] established between 172.18.8.254[172.18.8.254]...49.182.29.49[10.11.76.81]
2022-05-31 00:41:39Z 28[ENC] <Company_Dial_In-1|48> generating ID_PROT response 0 [ ID HASH ]
2022-05-31 00:41:39Z 28[NET] <Company_Dial_In-1|48> sending packet: from 172.18.8.254[4500] to 49.182.29.49[18837] (92 bytes)
2022-05-31 00:41:39Z 30[NET] <Company_Dial_In-1|48> received packet: from 49.182.29.49[18837] to 172.18.8.254[4500] (124 bytes)
2022-05-31 00:41:39Z 30[ENC] <Company_Dial_In-1|48> parsed INFORMATIONAL_V1 request 2689360589 [ HASH N(INITIAL_CONTACT) ]
2022-05-31 00:41:40Z 05[NET] <Company_Dial_In-1|48> received packet: from 49.182.29.49[18837] to 172.18.8.254[4500] (684 bytes)
2022-05-31 00:41:40Z 05[ENC] <Company_Dial_In-1|48> parsed QUICK_MODE request 3169867244 [ HASH SA No ID ID ]
2022-05-31 00:41:40Z 05[IKE] <Company_Dial_In-1|48> ### process_request invoking quick_mode_create
2022-05-31 00:41:40Z 05[IKE] <Company_Dial_In-1|48> ### quick_mode_create: 0x7ff3f80096d0 config (nil)
2022-05-31 00:41:40Z 05[IKE] <Company_Dial_In-1|48> ### process_r: 0x7ff3f80096d0 QM_INIT
2022-05-31 00:41:40Z 05[IKE] <Company_Dial_In-1|48> received 28800s lifetime, configured 0s
2022-05-31 00:41:40Z 05[IKE] <Company_Dial_In-1|48> ### build_r: 0x7ff3f80096d0 QM_INIT
2022-05-31 00:41:40Z 05[ENC] <Company_Dial_In-1|48> generating QUICK_MODE response 3169867244 [ HASH SA No ID ID NAT-OA NAT-OA ]
2022-05-31 00:41:40Z 05[NET] <Company_Dial_In-1|48> sending packet: from 172.18.8.254[4500] to 49.182.29.49[18837] (204 bytes)
2022-05-31 00:41:40Z 32[NET] <Company_Dial_In-1|48> received packet: from 49.182.29.49[18837] to 172.18.8.254[4500] (92 bytes)
2022-05-31 00:41:40Z 32[ENC] <Company_Dial_In-1|48> parsed QUICK_MODE request 3169867244 [ HASH ]
2022-05-31 00:41:40Z 32[IKE] <Company_Dial_In-1|48> ### process_r: 0x7ff3f80096d0 QM_NEGOTIATED
2022-05-31 00:41:40Z 32[KNL] <Company_Dial_In-1|48> ipsec_offload enabled
2022-05-31 00:41:40Z 32[KNL] <Company_Dial_In-1|48> ipsec_offload interface Port2
2022-05-31 00:41:40Z 32[KNL] <Company_Dial_In-1|48> received netlink error: Invalid argument (22)
2022-05-31 00:41:40Z 32[KNL] <Company_Dial_In-1|48> unable to add SAD entry with SPI c525ab27 (FAILED)
2022-05-31 00:41:40Z 32[KNL] <Company_Dial_In-1|48> ipsec_offload enabled
2022-05-31 00:41:40Z 32[KNL] <Company_Dial_In-1|48> ipsec_offload interface Port2
2022-05-31 00:41:40Z 32[KNL] <Company_Dial_In-1|48> received netlink error: Invalid argument (22)
2022-05-31 00:41:40Z 32[KNL] <Company_Dial_In-1|48> unable to add SAD entry with SPI 041aa49e (FAILED)
2022-05-31 00:41:40Z 32[IKE] <Company_Dial_In-1|48> unable to install inbound and outbound IPsec SA (SAD) in kernel
2022-05-31 00:41:40Z 32[IKE] <Company_Dial_In-1|48> ### destroy: 0x7ff3f80096d0
2022-05-31 00:41:40Z 32[KNL] <Company_Dial_In-1|48> deleting policy 172.18.8.254/32[udp/1701] === 49.182.29.49/32[udp] out failed, not found
2022-05-31 00:41:40Z 32[KNL] <Company_Dial_In-1|48> deleting policy 49.182.29.49/32[udp] === 172.18.8.254/32[udp/1701] in failed, not found
2022-05-31 00:41:40Z 32[KNL] <Company_Dial_In-1|48> deleting policy 172.18.8.254/32[udp/1701] === 49.182.29.49/32[udp] out failed, not found
2022-05-31 00:41:40Z 32[IKE] <Company_Dial_In-1|48> sending DELETE for ESP CHILD_SA with SPI 041aa49e
2022-05-31 00:41:40Z 32[ENC] <Company_Dial_In-1|48> generating INFORMATIONAL_V1 request 4198724832 [ HASH D ]
2022-05-31 00:41:40Z 32[NET] <Company_Dial_In-1|48> sending packet: from 172.18.8.254[4500] to 49.182.29.49[18837] (92 bytes)
2022-05-31 00:42:03Z 16[IKE] <Company_Dial_In-1|48> sending keep alive to 49.182.29.49[18837]
2022-05-31 00:42:23Z 24[IKE] <Company_Dial_In-1|48> sending keep alive to 49.182.29.49[18837]
2022-05-31 00:42:38Z 25[NET] <Company_Dial_In-1|48> received packet: from 49.182.29.49[18837] to 172.18.8.254[4500] (108 bytes)
2022-05-31 00:42:38Z 25[ENC] <Company_Dial_In-1|48> parsed INFORMATIONAL_V1 request 3595034494 [ HASH D ]
2022-05-31 00:42:38Z 25[IKE] <Company_Dial_In-1|48> received DELETE for ESP CHILD_SA with SPI 041aa49e
2022-05-31 00:42:38Z 25[IKE] <Company_Dial_In-1|48> CHILD_SA not found, ignored
2022-05-31 00:42:38Z 08[NET] <Company_Dial_In-1|48> received packet: from 49.182.29.49[18837] to 172.18.8.254[4500] (124 bytes)
2022-05-31 00:42:38Z 08[ENC] <Company_Dial_In-1|48> parsed INFORMATIONAL_V1 request 2181057285 [ HASH D ]
2022-05-31 00:42:38Z 08[IKE] <Company_Dial_In-1|48> received DELETE for IKE_SA Company_Dial_In-1[48]
2022-05-31 00:42:38Z 08[IKE] <Company_Dial_In-1|48> deleting IKE_SA Company_Dial_In-1[48] between 172.18.8.254[172.18.8.254]...49.182.29.49[10.11.76.81]

Should I roll back to v18.5, or is this fixable?
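Reading the log above top to bottom: Main Mode completes (IKE_SA established, the peer is identified as 10.11.76.81 behind NAT), Quick Mode is negotiated (QM_INIT then QM_NEGOTIATED), and the failure only appears when charon tries to install the two ESP SAs in the kernel: each `ipsec_offload interface Port2` line is followed by `received netlink error: Invalid argument (22)` and `unable to add SAD entry`, after which charon tears the CHILD_SA down and the client eventually deletes the IKE_SA. The `deleting policy ... failed, not found` lines are just the cleanup of policies that were never installed. The script below is an added example, not code from Sophos or from the original poster; it parses charon log lines in this format and names the stage at which a dial-in died, so a log like this one can be triaged without reading it by hand. The sample lines are copied from the post; the regexes, dataclass fields and stage names are my own.

```python
"""Triage a strongSwan (charon) log excerpt for an L2TP/IPsec dial-in that fails.
Added example for this thread, not Sophos code. SAMPLE_LOG is trimmed from the
log in the post above; field and stage names are this example's own."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# charon log line: "<date> <time> <thread>[<subsystem>] <<context>> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<thread>\d+)\[(?P<sub>[A-Z]+)\] <(?P<ctx>[^>]*)> (?P<msg>.*)$"
)
ESTABLISHED_RE = re.compile(
    r"IKE_SA (?P<conn>\S+)\[(?P<id>\d+)\] established between (?P<local>\S+)\.\.\.(?P<remote>\S+)"
)
OFFLOAD_IF_RE = re.compile(r"ipsec_offload interface (?P<iface>\S+)")
NETLINK_ERR_RE = re.compile(r"received netlink error: (?P<err>.+)")
SAD_FAIL_RE = re.compile(r"unable to add SAD entry with SPI (?P<spi>[0-9a-f]+)")


@dataclass
class IkeSaTrace:
    conn: str | None = None
    remote: str | None = None
    phase1_established: bool = False      # Main Mode finished, IKE_SA up
    quick_mode_seen: bool = False         # peer sent a QUICK_MODE request
    offload_interfaces: list[str] = field(default_factory=list)
    netlink_errors: list[str] = field(default_factory=list)
    failed_spis: list[str] = field(default_factory=list)  # SAD entries the kernel rejected
    sa_install_failed: bool = False
    ike_sa_deleted: bool = False


def parse_line(line: str) -> dict | None:
    """Split one charon line into its fields, or None if it is not a charon line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def trace_ike_sa(lines) -> IkeSaTrace:
    """Walk the lines in order and record what happened to the (single) IKE_SA."""
    t = IkeSaTrace()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if m := ESTABLISHED_RE.search(msg):
            t.conn, t.remote, t.phase1_established = m["conn"], m["remote"], True
        elif "parsed QUICK_MODE request" in msg:
            t.quick_mode_seen = True
        elif m := OFFLOAD_IF_RE.search(msg):
            if m["iface"] not in t.offload_interfaces:
                t.offload_interfaces.append(m["iface"])
        elif m := NETLINK_ERR_RE.search(msg):
            t.netlink_errors.append(m["err"])
        elif m := SAD_FAIL_RE.search(msg):
            t.failed_spis.append(m["spi"])
        elif "unable to install inbound and outbound IPsec SA" in msg:
            t.sa_install_failed = True
        elif msg.startswith("deleting IKE_SA"):
            t.ike_sa_deleted = True
    return t


def diagnose(t: IkeSaTrace) -> str:
    """Name the first stage that failed: phase1, phase2, kernel-sa-install, or ok."""
    if not t.phase1_established:
        return "phase1"
    if not t.quick_mode_seen:
        return "phase2"
    if t.failed_spis or t.sa_install_failed:
        return "kernel-sa-install"
    return "ok"


# Lines taken from the post above, reduced to the ones the triage keys on.
SAMPLE_LOG = """\
2022-05-31 00:41:38Z 17[IKE] <48> 49.182.29.49 is initiating a Main Mode IKE_SA
2022-05-31 00:41:39Z 28[CFG] <48> selected peer config "Company_Dial_In-1"
2022-05-31 00:41:39Z 28[IKE] <Company_Dial_In-1|48> IKE_SA Company_Dial_In-1[48] established between 172.18.8.254[172.18.8.254]...49.182.29.49[10.11.76.81]
2022-05-31 00:41:40Z 05[ENC] <Company_Dial_In-1|48> parsed QUICK_MODE request 3169867244 [ HASH SA No ID ID ]
2022-05-31 00:41:40Z 32[KNL] <Company_Dial_In-1|48> ipsec_offload enabled
2022-05-31 00:41:40Z 32[KNL] <Company_Dial_In-1|48> ipsec_offload interface Port2
2022-05-31 00:41:40Z 32[KNL] <Company_Dial_In-1|48> received netlink error: Invalid argument (22)
2022-05-31 00:41:40Z 32[KNL] <Company_Dial_In-1|48> unable to add SAD entry with SPI c525ab27 (FAILED)
2022-05-31 00:41:40Z 32[KNL] <Company_Dial_In-1|48> ipsec_offload enabled
2022-05-31 00:41:40Z 32[KNL] <Company_Dial_In-1|48> ipsec_offload interface Port2
2022-05-31 00:41:40Z 32[KNL] <Company_Dial_In-1|48> received netlink error: Invalid argument (22)
2022-05-31 00:41:40Z 32[KNL] <Company_Dial_In-1|48> unable to add SAD entry with SPI 041aa49e (FAILED)
2022-05-31 00:41:40Z 32[IKE] <Company_Dial_In-1|48> unable to install inbound and outbound IPsec SA (SAD) in kernel
2022-05-31 00:42:38Z 08[IKE] <Company_Dial_In-1|48> deleting IKE_SA Company_Dial_In-1[48] between 172.18.8.254[172.18.8.254]...49.182.29.49[10.11.76.81]
"""

if __name__ == "__main__":
    t = trace_ike_sa(SAMPLE_LOG.splitlines())
    print(f"{t.conn} from {t.remote}: failed at {diagnose(t)}; "
          f"offload on {t.offload_interfaces}, netlink={sorted(set(t.netlink_errors))}, "
          f"rejected SPIs={t.failed_spis}")
```

The script keys on the message strings as they appear in this log and ignores the `### process_r` / `### build_r` debug lines, which do not change the outcome. Running it on the sample reports `kernel-sa-install` with offload engaged on Port2 and both SPIs rejected with EINVAL, which is the point to take to support: the negotiation with the client succeeded, and the problem is between charon and the kernel on the firewall itself.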
