Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 1 subscriber
  • Views 4502 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

L2TP over IPSec broken since 9.315

PhillCO2
Hello all,

I've been working with UTM for some time now having introduced it at work in my previous job but this one has be a bit stumped. I've currently been using the home licence for about 3 months or so and had L2TP over IPSec remote connection working perfectly.

Whilst working away in the Caribbean I connected remotely to home to synchronise some files and at the same time noticed there was an Up2Date waiting for 9.315 so I scheduled it. Since then I have not been able to connect via VPN.

My client is Windows 7 Professional, using local authentication on the UTM with a PSK.

Originally I couldn't get the connection to establish at all. Since playing around on the UTM and in Windows, deleting the UTM user and the windows VPN connection and then setting up from scratch I am now get as far as user authentication but this fails.

I have checked and rechecked the username/password/PSK to no avail. I attach the log of a connection attempt from the UTM.

2015:09:27-21:39:04 hostname pluto[7347]: packet from 85.255.232.158:7359: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
2015:09:27-21:39:04 hostname pluto[7347]: packet from 85.255.232.158:7359: received Vendor ID payload [RFC 3947]
2015:09:27-21:39:04 hostname pluto[7347]: packet from 85.255.232.158:7359: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2015:09:27-21:39:04 hostname pluto[7347]: packet from 85.255.232.158:7359: ignoring Vendor ID payload [FRAGMENTATION]
2015:09:27-21:39:04 hostname pluto[7347]: packet from 85.255.232.158:7359: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
2015:09:27-21:39:04 hostname pluto[7347]: packet from 85.255.232.158:7359: ignoring Vendor ID payload [Vid-Initial-Contact]
2015:09:27-21:39:04 hostname pluto[7347]: packet from 85.255.232.158:7359: ignoring Vendor ID payload [IKE CGA version 1]
2015:09:27-21:39:04 hostname pluto[7347]: "L_for #username#"[39] 85.255.232.158:7359 #41: responding to Main Mode from unknown peer 85.255.232.158:7359
2015:09:27-21:39:04 hostname pluto[7347]: "L_for #username#"[39] 85.255.232.158:7359 #41: ECP_384 is not supported. Attribute OAKLEY_GROUP_DESCRIPTION
2015:09:27-21:39:04 hostname pluto[7347]: "L_for #username#"[39] 85.255.232.158:7359 #41: ECP_256 is not supported. Attribute OAKLEY_GROUP_DESCRIPTION
2015:09:27-21:39:04 hostname pluto[7347]: "L_for #username#"[39] 85.255.232.158:7359 #41: NAT-Traversal: Result using RFC 3947: peer is NATed
2015:09:27-21:39:04 hostname pluto[7347]: | NAT-T: new mapping 85.255.232.158:7359/13291)
2015:09:27-21:39:04 hostname pluto[7347]: "L_for #username#"[39] 85.255.232.158:13291 #41: Peer ID is ID_IPV4_ADDR: '192.168.43.219'
2015:09:27-21:39:04 hostname pluto[7347]: "L_for #username#"[40] 85.255.232.158:13291 #41: deleting connection "L_for #username#"[39] instance with peer 85.255.232.158 {isakmp=#0/ipsec=#0}
2015:09:27-21:39:04 hostname pluto[7347]: "L_for #username#"[40] 85.255.232.158:13291 #41: sent MR3, ISAKMP SA established
2015:09:27-21:39:04 hostname pluto[7347]: "L_for #username#"[20] 85.255.232.158:13291 #42: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
2015:09:27-21:39:04 hostname pluto[7347]: "L_for #username#"[20] 85.255.232.158:13291 #42: responding to Quick Mode
2015:09:27-21:39:04 hostname pppd-l2tp[11660]: Plugin aua.so loaded.
2015:09:27-21:39:04 hostname pppd-l2tp[11660]: AUA plugin initialized.
2015:09:27-21:39:04 hostname pppd-l2tp[11660]: Plugin ippool.so loaded.
2015:09:27-21:39:04 hostname pppd-l2tp[11660]: Plugin pppol2tp.so loaded.
2015:09:27-21:39:04 hostname pppd-l2tp[11660]: pppd 2.4.5 started by (unknown), uid 0
2015:09:27-21:39:04 hostname pppd-l2tp[11660]: Using interface ppp0
2015:09:27-21:39:04 hostname pppd-l2tp[11660]: Connect: ppp0 
2015:09:27-21:39:04 hostname pppd-l2tp[11660]: Overriding mtu 1500 to 1380
2015:09:27-21:39:04 hostname pppd-l2tp[11660]: Overriding mru 1500 to mtu value 1380
2015:09:27-21:39:04 hostname pluto[7347]: "L_for #username#"[20] 85.255.232.158:13291 #42: IPsec SA established {ESP=>0x23a7be99 


I would greatly appreciate if anyone can offer any advice.

Regards,

Phill


This thread was automatically locked due to age.
  • 0
    Since submitting previous post I decided to change my configuration. I had set a relatively simple password and PSK for the purpose of testing but I didn't want to leave it that way.

    Since switching back to a 30 character password and 40 character PSK the connection is now working as desired. Although the authentication log was previously showing that the l2tp connection was successfully authenticating I can only assume it was falling foul of the complex password policy or something.

    I include the current connection log for comparison:

    2015:09:27-21:45:01 hostname pluto[7347]: packet from 85.255.232.158:10629: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
    2015:09:27-21:45:01 hostname pluto[7347]: packet from 85.255.232.158:10629: received Vendor ID payload [RFC 3947]
    2015:09:27-21:45:01 hostname pluto[7347]: packet from 85.255.232.158:10629: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2015:09:27-21:45:01 hostname pluto[7347]: packet from 85.255.232.158:10629: ignoring Vendor ID payload [FRAGMENTATION]
    2015:09:27-21:45:01 hostname pluto[7347]: packet from 85.255.232.158:10629: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
    2015:09:27-21:45:01 hostname pluto[7347]: packet from 85.255.232.158:10629: ignoring Vendor ID payload [Vid-Initial-Contact]
    2015:09:27-21:45:01 hostname pluto[7347]: packet from 85.255.232.158:10629: ignoring Vendor ID payload [IKE CGA version 1]
    2015:09:27-21:45:01 hostname pluto[7347]: "L_for #username#"[41] 85.255.232.158:10629 #43: responding to Main Mode from unknown peer 85.255.232.158:10629
    2015:09:27-21:45:01 hostname pluto[7347]: "L_for #username#"[41] 85.255.232.158:10629 #43: ECP_384 is not supported. Attribute OAKLEY_GROUP_DESCRIPTION
    2015:09:27-21:45:01 hostname pluto[7347]: "L_for #username#"[41] 85.255.232.158:10629 #43: ECP_256 is not supported. Attribute OAKLEY_GROUP_DESCRIPTION
    2015:09:27-21:45:01 hostname pluto[7347]: "L_for #username#"[41] 85.255.232.158:10629 #43: NAT-Traversal: Result using RFC 3947: peer is NATed
    2015:09:27-21:45:01 hostname pluto[7347]: | NAT-T: new mapping 85.255.232.158:10629/20663)
    2015:09:27-21:45:01 hostname pluto[7347]: "L_for #username#"[41] 85.255.232.158:20663 #43: Peer ID is ID_IPV4_ADDR: '192.168.43.219'
    2015:09:27-21:45:01 hostname pluto[7347]: "L_for #username#"[42] 85.255.232.158:20663 #43: deleting connection "L_for #username#"[41] instance with peer 85.255.232.158 {isakmp=#0/ipsec=#0}
    2015:09:27-21:45:01 hostname pluto[7347]: "L_for #username#"[42] 85.255.232.158:20663 #43: sent MR3, ISAKMP SA established
    2015:09:27-21:45:02 hostname pluto[7347]: "L_for #username#"[21] 85.255.232.158:20663 #44: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
    2015:09:27-21:45:02 hostname pluto[7347]: "L_for #username#"[21] 85.255.232.158:20663 #44: responding to Quick Mode
    2015:09:27-21:45:02 hostname pppd-l2tp[11972]: Plugin aua.so loaded.
    2015:09:27-21:45:02 hostname pppd-l2tp[11972]: AUA plugin initialized.
    2015:09:27-21:45:02 hostname pppd-l2tp[11972]: Plugin ippool.so loaded.
    2015:09:27-21:45:02 hostname pppd-l2tp[11972]: Plugin pppol2tp.so loaded.
    2015:09:27-21:45:02 hostname pppd-l2tp[11972]: pppd 2.4.5 started by (unknown), uid 0
    2015:09:27-21:45:02 hostname pppd-l2tp[11972]: Using interface ppp0
    2015:09:27-21:45:02 hostname pppd-l2tp[11972]: Connect: ppp0 
    2015:09:27-21:45:02 hostname pppd-l2tp[11972]: Overriding mtu 1500 to 1380
    2015:09:27-21:45:02 hostname pppd-l2tp[11972]: Overriding mru 1500 to mtu value 1380
    2015:09:27-21:45:02 hostname pluto[7347]: "L_for #username#"[21] 85.255.232.158:20663 #44: IPsec SA established {ESP=>0x955e6f18 
  • 0
    Hi, Phil, and a belated welcome to the User BB!

    Peer #username# failed CHAP authentication was the key issue, and you saw that.  Sometimes, the Up2Date mangles the configuration, so if something seems strange, I always recommend restoring from the backup taken just before the Up2Date was applied.  If that doesn't fix the problem and doing a reboot doesn't either, then doing a limited re-setup as you did is the last thing before reloading from ISO.

    Cheers - Bob
  • 0
    Thank you for the reply Bob, that's useful to know. If I experience post-upgrade issues in future I will try doing a configuration revert.

    Cheers,

    Phill