I have been running L2TP over IPSec successfully for a while now and it always worked very well. I had Verizon FiOS internet service for months and was provisioned for Ethernet. My ASG was plugged directly into the ONT and got a public IP via DHCP. So only one side of the connection was NATed.
However, recently I switched to Verizon FiOS TV which requires the use of their Actiontec MI424WR Router. Now both sides are NATed.
I reconfigured ASG for a static private IP address on its external interface and plugged it into the Router. I set up the router such that the ASG IP address is the "DMZ Host". All previously available services are still available (SMTP, FTP, HTTPS, PPTP), but now L2TP over IPSec doesn't work.
I'm trying to make the connection from a Windows XP SP2 machine, the same machine that has worked successfully in the past.
Below is the IPSec VPN log for my failed connection attempt.
IP addresses have been consistently altered to protect the dim-witted (me).
2008:12:01-11:34:45 firewall1 pluto[28008]: packet from 69.95.208.18:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
2008:12:01-11:34:45 firewall1 pluto[28008]: packet from 69.95.208.18:500: ignoring Vendor ID payload [FRAGMENTATION]
2008:12:01-11:34:45 firewall1 pluto[28008]: packet from 69.95.208.18:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2008:12:01-11:34:45 firewall1 pluto[28008]: packet from 69.95.208.18:500: ignoring Vendor ID payload [Vid-Initial-Contact]
2008:12:01-11:34:45 firewall1 pluto[28008]: "D_REF_eRCEjIRFRJ_1"[19] 69.95.208.18 #11: responding to Main Mode from unknown peer 69.95.208.18
2008:12:01-11:34:45 firewall1 pluto[28008]: "D_REF_eRCEjIRFRJ_1"[19] 69.95.208.18 #11: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
2008:12:01-11:34:45 firewall1 pluto[28008]: "D_REF_eRCEjIRFRJ_1"[19] 69.95.208.18 #11: Peer ID is ID_FQDN: '@sms97500.***-inc.net'
2008:12:01-11:34:45 firewall1 pluto[28008]: "D_REF_eRCEjIRFRJ_1"[20] 69.95.208.18 #11: deleting connection "D_REF_eRCEjIRFRJ_1" instance with peer 69.95.208.18 {isakmp=#0/ipsec=#0}
2008:12:01-11:34:45 firewall1 pluto[28008]: | NAT-T: new mapping 69.95.208.18:500/4500)
2008:12:01-11:34:45 firewall1 pluto[28008]: "D_REF_eRCEjIRFRJ_1"[20] 69.95.208.18:4500 #11: sent MR3, ISAKMP SA established
2008:12:01-11:34:45 firewall1 pluto[28008]: "D_REF_eRCEjIRFRJ_1"[20] 69.95.208.18:4500 #11: cannot respond to IPsec SA request because no connection is known for 98.118.88.224/32===192.168.10.1:4500:17/1701...69.95.208.18:4500[@sms97500.***-inc.net]:17/%any
2008:12:01-11:34:45 firewall1 pluto[28008]: "D_REF_eRCEjIRFRJ_1"[20] 69.95.208.18:4500 #11: sending encrypted notification INVALID_ID_INFORMATION to 69.95.208.18:4500
2008:12:01-11:34:46 firewall1 pluto[28008]: "D_REF_eRCEjIRFRJ_1"[20] 69.95.208.18:4500 #11: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x70139627 (perhaps this is a duplicated packet)
2008:12:01-11:34:46 firewall1 pluto[28008]: "D_REF_eRCEjIRFRJ_1"[20] 69.95.208.18:4500 #11: sending encrypted notification INVALID_MESSAGE_ID to 69.95.208.18:4500
2008:12:01-11:34:48 firewall1 pluto[28008]: "D_REF_eRCEjIRFRJ_1"[20] 69.95.208.18:4500 #11: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x70139627 (perhaps this is a duplicated packet)
2008:12:01-11:34:48 firewall1 pluto[28008]: "D_REF_eRCEjIRFRJ_1"[20] 69.95.208.18:4500 #11: sending encrypted notification INVALID_MESSAGE_ID to 69.95.208.18:4500
2008:12:01-11:34:52 firewall1 pluto[28008]: "D_REF_eRCEjIRFRJ_1"[20] 69.95.208.18:4500 #11: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x70139627 (perhaps this is a duplicated packet)
2008:12:01-11:34:52 firewall1 pluto[28008]: "D_REF_eRCEjIRFRJ_1"[20] 69.95.208.18:4500 #11: sending encrypted notification INVALID_MESSAGE_ID to 69.95.208.18:4500
2008:12:01-11:35:00 firewall1 pluto[28008]: "D_REF_eRCEjIRFRJ_1"[20] 69.95.208.18:4500 #11: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x70139627 (perhaps this is a duplicated packet)
2008:12:01-11:35:00 firewall1 pluto[28008]: "D_REF_eRCEjIRFRJ_1"[20] 69.95.208.18:4500 #11: sending encrypted notification INVALID_MESSAGE_ID to 69.95.208.18:4500
2008:12:01-11:35:16 firewall1 pluto[28008]: "D_REF_eRCEjIRFRJ_1"[20] 69.95.208.18:4500 #11: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x70139627 (perhaps this is a duplicated packet)
2008:12:01-11:35:16 firewall1 pluto[28008]: "D_REF_eRCEjIRFRJ_1"[20] 69.95.208.18:4500 #11: sending encrypted notification INVALID_MESSAGE_ID to 69.95.208.18:4500
2008:12:01-11:35:48 firewall1 pluto[28008]: "D_REF_eRCEjIRFRJ_1"[20] 69.95.208.18:4500 #11: received Delete SA payload: deleting ISAKMP State #11
2008:12:01-11:35:48 firewall1 pluto[28008]: "D_REF_eRCEjIRFRJ_1"[20] 69.95.208.18:4500: deleting connection "D_REF_eRCEjIRFRJ_1" instance with peer 69.95.208.18 {isakmp=#0/ipsec=#0}
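As an added example (my own code, not part of the original post or of the ASG's software), here is a small Python check that pulls the NAT-T verdict and the rejected Quick Mode selector out of a pluto log excerpt like the one above and reports that the local endpoint the client proposed (98.118.88.224, which I take to be the router's public address) is not the address pluto's external interface now holds (192.168.10.1). Reading that mismatch as the reason for "no connection is known" is my interpretation of the log, not something the poster states.

```python
import re
from typing import Optional

# The three decisive lines, copied from the pluto log in the post above.
SAMPLE_LOG = """\
2008:12:01-11:34:45 firewall1 pluto[28008]: "D_REF_eRCEjIRFRJ_1"[19] 69.95.208.18 #11: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
2008:12:01-11:34:45 firewall1 pluto[28008]: "D_REF_eRCEjIRFRJ_1"[20] 69.95.208.18:4500 #11: sent MR3, ISAKMP SA established
2008:12:01-11:34:45 firewall1 pluto[28008]: "D_REF_eRCEjIRFRJ_1"[20] 69.95.208.18:4500 #11: cannot respond to IPsec SA request because no connection is known for 98.118.88.224/32===192.168.10.1:4500:17/1701...69.95.208.18:4500[@sms97500.***-inc.net]:17/%any
"""

NAT_RE = re.compile(r"NAT-Traversal: Result using \S+: (.+)$")
# pluto prints the rejected Quick Mode proposal as
#   <local subnet>===<local host>:<port>:<proto>/<port>...<peer host>:<port>[<peer id>]:<proto>/<port>
SEL_RE = re.compile(
    r"no connection is known for "
    r"(?P<lsub>[\d.]+/\d+)===(?P<lhost>[\d.]+):(?P<lport>\d+):(?P<lproto>\d+)/(?P<lsport>\d+)"
    r"\.\.\.(?P<rhost>[\d.]+):(?P<rport>\d+)(?:\[(?P<rid>[^\]]*)\])?:(?P<rproto>\d+)/(?P<rsport>\S+)"
)


def parse_pluto_log(text: str) -> dict:
    """Pull the NAT-T verdict and the rejected selector out of a pluto log excerpt."""
    found = {"nat": None, "selector": None}
    for line in text.splitlines():
        m = NAT_RE.search(line)
        if m:
            found["nat"] = m.group(1)
        m = SEL_RE.search(line)
        if m:
            found["selector"] = m.groupdict()
    return found


def diagnose(found: dict) -> Optional[str]:
    """Flag the double-NAT L2TP/IPsec symptom: the peer's proposal names a local
    endpoint (the NAT's public address) that is not the address pluto listens on."""
    sel = found["selector"]
    if sel is None:
        return None
    proposed_local = sel["lsub"].split("/")[0]
    if sel["lproto"] == "17" and sel["lsport"] == "1701" and proposed_local != sel["lhost"]:
        return (f"L2TP/UDP selector mismatch: peer {sel['rhost']} ({sel['rid']}) proposed local "
                f"endpoint {proposed_local}, but pluto's interface address is {sel['lhost']} "
                f"(NAT-T result: {found['nat']}); no connection covers that pairing")
    return None


if __name__ == "__main__":
    print(diagnose(parse_pluto_log(SAMPLE_LOG)))
```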