This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

L2TP Connection Problem, Pattern Problem?

Hello,
since yesterday we have a problem to connect our box via L2TP. Is there a relation to the pattern updates?

We get the error 619 (no connection to the remote computer) on the clients.

ASG Version. 7.507, Pattern Version 20049

Here the log:
2010:08:31-09:10:13 asg-box pluto[3810]: "S_REF_IjTGbbqTZE_1"[41] xx.xx.xx.xx:4500 #1205: received Delete SA(0x8dab7367) payload: deleting IPSEC State #1206
2010:08:31-09:10:13 asg-box pluto[3810]: "S_REF_IjTGbbqTZE_1"[41] xx.xx.xx.xx:4500 #1205: deleting connection "S_REF_IjTGbbqTZE_0" instance with peer xx.xx.xx.xx {isakmp=#0/ipsec=#0}
2010:08:31-09:10:13 asg-box pluto[3810]: "S_REF_IjTGbbqTZE_1"[41] xx.xx.xx.xx:4500 #1205: received Delete SA payload: deleting ISAKMP State #1205
2010:08:31-09:10:13 asg-box pluto[3810]: "S_REF_IjTGbbqTZE_1"[41] xx.xx.xx.xx:4500: deleting connection "S_REF_IjTGbbqTZE_1" instance with peer xx.xx.xx.xx {isakmp=#0/ipsec=#0}
2010:08:31-09:11:15 asg-box pluto[3810]: packet from :500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
2010:08:31-09:11:15 asg-box pluto[3810]: packet from xx.xx.xx.xx:500: ignoring Vendor ID payload [FRAGMENTATION]
2010:08:31-09:11:15 asg-box pluto[3810]: packet from xx.xx.xx.xx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2010:08:31-09:11:15 asg-box pluto[3810]: packet from xx.xx.xx.xx:500: ignoring Vendor ID payload [Vid-Initial-Contact]
2010:08:31-09:11:15 asg-box pluto[3810]: "S_REF_IjTGbbqTZE_1"[42] xx.xx.xx.xx #1207: responding to Main Mode from unknown peer xx.xx.xx.xx
2010:08:31-09:11:15 asg-box pluto[3810]: packet from xx.xx.xx.xx:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
2010:08:31-09:11:15 asg-box pluto[3810]: packet from xx.xx.xx.xx:500: ignoring Vendor ID payload [FRAGMENTATION]
2010:08:31-09:11:15 asg-box pluto[3810]: packet from xx.xx.xx.xx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2010:08:31-09:11:15 asg-box pluto[3810]: packet from xx.xx.xx.xx:500: ignoring Vendor ID payload [Vid-Initial-Contact]
2010:08:31-09:11:15 asg-box pluto[3810]: "S_REF_IjTGbbqTZE_1"[42] xx.xx.xx.xx #1208: responding to Main Mode from unknown peer xx.xx.xx.xx
2010:08:31-09:11:15 asg-box pluto[3810]: "S_REF_IjTGbbqTZE_1"[42] xx.xx.xx.xx #1207: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
2010:08:31-09:11:15 asg-box pluto[3810]: "S_REF_IjTGbbqTZE_1"[42] xx.xx.xx.xx #1207: Peer ID is ID_FQDN: '@test.test.local'
2010:08:31-09:11:15 asg-box pluto[3810]: | NAT-T: new mapping xx.xx.xx.xx:500/4500)
2010:08:31-09:11:15 asg-box pluto[3810]: "S_REF_IjTGbbqTZE_1"[43] xx.xx.xx.xx:4500 #1207: sent MR3, ISAKMP SA established
2010:08:31-09:11:16 asg-box pluto[3810]: "S_REF_IjTGbbqTZE_0"[25] xx.xx.xx.xx:4500 #1209: responding to Quick Mode
2010:08:31-09:11:18 asg-box pluto[3810]: "S_REF_IjTGbbqTZE_0"[25] xx.xx.xx.xx:4500 #1209: IPsec SA established {ESP=>0x7c2757af

This thread was automatically locked due to age.

0 BAlfson over 15 years ago

V7.507 with pattern 20052. Here's the log for a successful connection from a laptop:

2010:08:31-07:43:43 post pluto[3393]: packet from 72.x.x.221:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000006] 

2010:08:31-07:43:43 post pluto[3393]: packet from 72.x.x.221:500: received Vendor ID payload [RFC 3947] 

2010:08:31-07:43:43 post pluto[3393]: packet from 72.x.x.221:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] 

2010:08:31-07:43:43 post pluto[3393]: packet from 72.x.x.221:500: ignoring Vendor ID payload [FRAGMENTATION] 

2010:08:31-07:43:43 post pluto[3393]: packet from 72.x.x.221:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable] 

2010:08:31-07:43:43 post pluto[3393]: packet from 72.x.x.221:500: ignoring Vendor ID payload [Vid-Initial-Contact] 

2010:08:31-07:43:43 post pluto[3393]: packet from 72.x.x.221:500: ignoring Vendor ID payload [IKE CGA version 1] 

2010:08:31-07:43:43 post pluto[3393]: "S_REF_bqPGsVBHbM"[13] 72.x.x.221:4500 #281: responding to Main Mode from unknown peer 72.x.x.221:4500 

2010:08:31-07:43:43 post pluto[3393]: "S_REF_bqPGsVBHbM"[13] 72.x.x.221:4500 #281: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION 

2010:08:31-07:43:43 post pluto[3393]: "S_REF_bqPGsVBHbM"[13] 72.x.x.221:4500 #281: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION 

2010:08:31-07:43:43 post pluto[3393]: | NAT-T: new mapping 72.x.x.221:4500/500) 

2010:08:31-07:43:43 post pluto[3393]: "S_REF_bqPGsVBHbM"[13] 72.x.x.221 #276: pfkey_msg_build of Add SA esp.cccaafee@68.y.y.33 failed, code -22 

2010:08:31-07:43:43 post pluto[3393]: "S_REF_bqPGsVBHbM"[13] 72.x.x.221 #281: NAT-Traversal: Result using RFC 3947: peer is NATed 

2010:08:31-07:43:43 post pluto[3393]: "S_REF_bqPGsVBHbM"[13] 72.x.x.221 #281: Peer ID is ID_IPV4_ADDR: '192.168.z.103' 

2010:08:31-07:43:43 post pluto[3393]: | NAT-T: new mapping 72.x.x.221:500/4500) 

2010:08:31-07:43:43 post pluto[3393]: "S_REF_bqPGsVBHbM"[13] 72.x.x.221:4500 #276: pfkey_msg_build of Add SA esp.cccaafee@68.y.y.33 failed, code -22 

2010:08:31-07:43:43 post pluto[3393]: "S_REF_bqPGsVBHbM"[13] 72.x.x.221:4500 #281: sent MR3, ISAKMP SA established 

2010:08:31-07:43:43 post pluto[3393]: "S_REF_bqPGsVBHbM"[13] 72.x.x.221:4500 #282: NAT-Traversal: received 2 NAT-OA. using first, ignoring others 

2010:08:31-07:43:43 post pluto[3393]: "S_REF_bqPGsVBHbM"[13] 72.x.x.221:4500 #282: responding to Quick Mode 

2010:08:31-07:43:43 post pluto[3393]: "S_REF_bqPGsVBHbM"[13] 72.x.x.221:4500 #282: IPsec SA established {ESP=>0xb84d166c  /dev/pts/0 

2010:08:31-07:43:48 post pppd-l2tp[8788]: Cannot determine ethernet address for proxy ARP 

2010:08:31-07:43:48 post pppd-l2tp[8788]: local IP address 10.242.3.1 

2010:08:31-07:43:48 post pppd-l2tp[8788]: remote IP address 10.242.3.2 

2010:08:31-07:43:52 post pppd-l2tp[8788]: id="2201" severity="info" sys="SecureNet" sub="vpn" event="Connection started" username="OURDOMAIN\OurUser" variant="l2tp" srcip="72.x.x.221" virtual_ip="10.242.3.2" 

2010:08:31-07:44:01 post pluto[3393]: forgetting secrets 

2010:08:31-07:44:01 post pluto[3393]: loading secrets from "/etc/ipsec.secrets" 

2010:08:31-07:44:01 post pluto[3393]: loaded private key file '/etc/ipsec.d/private/OurDomain VPN.pem' (1679 bytes) 

2010:08:31-07:44:01 post pluto[3393]: loaded private key file '/etc/ipsec.d/private/OurDomain VPN.pem' (1679 bytes) 

2010:08:31-07:44:01 post pluto[3393]: loaded private key file '/etc/ipsec.d/private/OurDomain VPN.pem' (1679 bytes) 

2010:08:31-07:44:01 post pluto[3393]: loaded shared key for 0.0.0.0 68.y.y.33 

2010:08:31-07:44:01 post pluto[3393]: loaded shared key for 0.0.0.0 68.y.y.33 

2010:08:31-07:44:01 post pluto[3393]: Changing to directory '/etc/ipsec.d/cacerts' 

2010:08:31-07:44:01 post pluto[3393]: loaded CA cert file 'VPN Signing CA.pem' (2978 bytes) 

2010:08:31-07:44:01 post pluto[3393]: loaded CA cert file 'VPN Signing CA (Tue Mar 17 19:56:20 2009).pem' (3122 bytes) 

2010:08:31-07:44:01 post pluto[3393]: Changing to directory '/etc/ipsec.d/aacerts' 

2010:08:31-07:44:01 post pluto[3393]: Changing to directory '/etc/ipsec.d/ocspcerts' 

2010:08:31-07:44:01 post pluto[3393]: Changing to directory '/etc/ipsec.d/crls'

The first difference I see is the lack of a reference in your log to RFC 3947 which relates to NAT-T. Do you have NAT-T selected on the 'Advanced' tab of 'IPsec'?

Cheers - Bob

0 pv01 over 15 years ago in reply to BAlfson

Yes, we use NAT-T.

Best regards
Dirk
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 15 years ago

This seems strange to me. What client are you using? Are you using a PSK or certs? If certs, have you made any changes?

The other thing that would be interesting would be to compare your log above to a connection session from last week's logs.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel