Client Connection to L2TP/IPSec

Hello,

I’m testing L2TP over IPsec on VyOS version 1.4-rolling-202308060317.

My configuration:

//// *** VPN Config *** ////

set vpn ipsec interface 'eth0'
set vpn l2tp remote-access authentication local-users username test password 'test'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access client-ip-pool start '192.168.255.100'
set vpn l2tp remote-access client-ip-pool stop '192.168.255.200'
set vpn l2tp remote-access client-ip-pool subnet '192.168.255.0/24'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'test'
set vpn l2tp remote-access outside-address '192.168.1.251'

//// *** FIREWALL RULES *** ////

set firewall name FROM-INTERNET rule 40 action 'accept'
set firewall name FROM-INTERNET rule 40 protocol 'esp'
set firewall name FROM-INTERNET rule 41 action 'accept'
set firewall name FROM-INTERNET rule 41 destination port '500'
set firewall name FROM-INTERNET rule 41 protocol 'udp'
set firewall name FROM-INTERNET rule 42 action 'accept'
set firewall name FROM-INTERNET rule 42 destination port '4500'
set firewall name FROM-INTERNET rule 42 protocol 'udp'
set firewall name FROM-INTERNET rule 43 action 'accept'
set firewall name FROM-INTERNET rule 43 destination port '1701'
set firewall name FROM-INTERNET rule 43 ipsec match-ipsec
set firewall name FROM-INTERNET rule 43 protocol 'udp'

From a tcpdump, I stay stuck on phase 2/others and the client can’t connect.

vyos@vyos# tcpdump -i eth0 port 500
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:20:52.027508 IP ........net.isakmp > 192.168.1.251.isakmp: isakmp: phase 1 I ident
13:20:52.028495 IP 192.168.1.251.isakmp > ........net.isakmp: isakmp: phase 2/others R inf
13:20:53.001599 IP ........net.isakmp > 192.168.1.251.isakmp: isakmp: phase 1 I ident
13:20:53.004466 IP 192.168.1.251.isakmp > ........net.isakmp: isakmp: phase 2/others R inf
13:20:53.977057 IP ........net.isakmp > 192.168.1.251.isakmp: isakmp: phase 1 I ident
13:20:53.977618 IP 192.168.1.251.isakmp > ........net.isakmp: isakmp: phase 2/others R inf
13:20:56.961775 IP ........net.isakmp > 192.168.1.251.isakmp: isakmp: phase 1 I ident
13:20:56.963432 IP 192.168.1.251.isakmp > ........net.isakmp: isakmp: phase 2/others R inf

[Client IP hidden for security reasons]

Is it necessary to configure a VTI interface (see "VTI - Virtual Tunnel Interface" in the VyOS 1.4.x (sagitta) documentation), or some configuration other than what is in the "L2TP" page of the VyOS 1.4.x (sagitta) documentation, or something from the "IPsec" page of the VyOS 1.4.x (sagitta) documentation?
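A way to read that capture mechanically, as an added example (Python, not code from the post or from VyOS): it groups the ISAKMP lines by remote peer and reports whether the server ever answered Main Mode or only sent back Informational exchanges. In tcpdump's summary line, `I`/`R` is its initiator/responder guess (made by remembering which address first used a given initiator cookie), `ident` is the Main Mode exchange and `inf` is an Informational exchange, so a `phase 2/others R inf` right after each `phase 1 I ident` means the responder answered the client's first Main Mode message with an error notification instead of the second Main Mode message; `tcpdump -v` decodes which notification it was. A filter of `port 500` also never shows NAT-T (udp/4500) or ESP, so a capture taken with it cannot show phase 2 even when IKE succeeds. The client host name in the sample is a placeholder for the hidden one, the verdict names and counters are this example's own, and the sample lines are constructed to match the shape of the posted output.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the tcpdump output from the post. The
# client's host name is a placeholder (the post hides it); 192.168.1.251 is the
# VyOS outside-address from the posted configuration.
SAMPLE_CAPTURE = """\
13:20:52.027508 IP client-host.net.isakmp > 192.168.1.251.isakmp: isakmp: phase 1 I ident
13:20:52.028495 IP 192.168.1.251.isakmp > client-host.net.isakmp: isakmp: phase 2/others R inf
13:20:53.001599 IP client-host.net.isakmp > 192.168.1.251.isakmp: isakmp: phase 1 I ident
13:20:53.004466 IP 192.168.1.251.isakmp > client-host.net.isakmp: isakmp: phase 2/others R inf
13:20:53.977057 IP client-host.net.isakmp > 192.168.1.251.isakmp: isakmp: phase 1 I ident
13:20:53.977618 IP 192.168.1.251.isakmp > client-host.net.isakmp: isakmp: phase 2/others R inf
13:20:56.961775 IP client-host.net.isakmp > 192.168.1.251.isakmp: isakmp: phase 1 I ident
13:20:56.963432 IP 192.168.1.251.isakmp > client-host.net.isakmp: isakmp: phase 2/others R inf
"""

# One tcpdump IKEv1 summary line: udp/500 appears as the service name "isakmp"
# (or "500" with -n). "I"/"R" is tcpdump's initiator/responder guess, "ident"
# is Main Mode and "inf" is an Informational exchange.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\S+?)\.(?:isakmp|500) > (?P<dst>\S+?)\.(?:isakmp|500): isakmp: "
    r"(?P<phase>phase 1|phase 2/others) (?P<role>[IR]) (?P<exch>[\w-]+)$"
)


def to_seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(capture: str):
    """Return the ISAKMP summary lines as dicts, ignoring anything else."""
    out = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out


def diagnose(capture: str, server: str):
    """Per remote peer: count what the server answered and say where IKE stops."""
    peers = defaultdict(lambda: {"p1_init": 0, "p1_reply": 0, "inf_reply": 0,
                                 "p2": 0, "init_ts": []})
    for m in parse_capture(capture):
        to_server = m["dst"] == server
        c = peers[m["src"] if to_server else m["dst"]]
        if m["phase"] == "phase 1" and m["role"] == "I" and to_server:
            c["p1_init"] += 1                       # client's Main Mode message 1
            c["init_ts"].append(to_seconds(m["ts"]))
        elif m["phase"] == "phase 1" and m["role"] == "R" and not to_server:
            c["p1_reply"] += 1                      # server's Main Mode reply
        elif m["exch"] == "inf" and not to_server:
            c["inf_reply"] += 1                     # server sent an error/notify
        elif m["phase"] == "phase 2/others" and m["exch"] != "inf":
            c["p2"] += 1                            # Quick Mode or similar

    report = {}
    for peer, c in peers.items():
        # Spacing of the client's retries; a growing gap is a client backing off.
        gaps = [round(b - a, 3) for a, b in zip(c["init_ts"], c["init_ts"][1:])]
        if c["p1_init"] and not c["p1_reply"] and c["inf_reply"]:
            verdict = "rejected"     # every proposal got an error notify, never a Main Mode reply
        elif c["p1_init"] and not c["p1_reply"]:
            verdict = "unanswered"   # proposals arrive, nothing leaves: return path or daemon
        elif c["p1_reply"] and not c["p2"]:
            verdict = "phase1-only"  # phase 2 may be on udp/4500, which 'port 500' omits
        else:
            verdict = "phase2-seen"
        report[peer] = {"verdict": verdict, "retry_gaps_s": gaps,
                        **{k: v for k, v in c.items() if k != "init_ts"}}
    return report


if __name__ == "__main__":
    for peer, r in diagnose(SAMPLE_CAPTURE, "192.168.1.251").items():
        print(peer, r)
```

On the posted capture this yields `rejected` with four Main Mode attempts, four Informational replies and no Main Mode reply, i.e. the responder is refusing the client's first message rather than the packets being lost; the next step is the notification type (`tcpdump -v`) and charon's log on the VyOS side, not the L2TP layer, which never gets a chance to start.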

Can you please share the logs:

$ show log l2tp

It works fine after a local test.

I think the problem is the D-NAT.

vyos@home:~$ show log l2tp
Aug 13 05:51:42 systemd[1]: Starting accel-ppp@l2tp.service - Accel-PPP - High performance VPN server application for Linux...
Aug 13 05:51:42 systemd[1]: accel-ppp@l2tp.service: Can't open PID file /run/accel-pppd/l2tp.pid (yet?) after start: No such file or directory
Aug 13 05:51:42 systemd[1]: Started accel-ppp@l2tp.service - Accel-PPP - High performance VPN server application for Linux.
Aug 13 05:51:42 accel-l2tp[2599]: l2tp: iprange module disabled, improper IP configuration of PPP interfaces may cause kernel soft lockup
Aug 13 14:20:29 accel-l2tp[2599]: l2tp: recv [L2TP tid=0 sid=0 Ns=0 Nr=0 <Message-Type Start-Ctrl-Conn-Request> <Protocol-Version 256> <Framing-Capabilities 1> <Bearer-Capabilities 0> <Firmware-Revision 2560> <Host-Name D> <Vendor-Name Microsoft> <Assigned-Tunnel-ID 1> <Recv-Window-Size 8>]
Aug 13 14:20:29 accel-l2tp[2599]: l2tp: handling SCCRQ from 192.168.3.2
Aug 13 14:20:29 accel-l2tp[2599]: l2tp: new tunnel 36388-1 created following reception of SCCRQ from 192.168.3.2:1701
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): sending SCCRP
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): send [L2TP tid=1 sid=0 Ns=0 Nr=1 <Message-Type Start-Ctrl-Conn-Reply> <Protocol-Version 256> <Host-Name accel-ppp> <Framing-Capabilities 1> <Assigned-Tunnel-ID -29148> <Vendor-Name accel-ppp> <Recv-Window-Size 16>]
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): 1 message sent from send queue
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): 2 messages added to reception queue
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): 1 message acked by peer
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): recv [L2TP tid=36388 sid=0 Ns=1 Nr=1 <Message-Type Start-Ctrl-Conn-Connected>]
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): handling SCCCN
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): established at 192.168.1.251:1701
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): recv [L2TP tid=36388 sid=0 Ns=2 Nr=1 <Message-Type Incoming-Call-Request> <Assigned-Session-ID 1> <Call-Serial-Number 0> <Bearer-Type 2>]
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): handling ICRQ
Aug 13 14:20:29 accel-l2tp[2599]: l2tp session 36388-1, 36149-1: sending ICRP
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): new session 36149-1 with calling num (null) len 0, called num (null) len 0 created following reception of ICRQ
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): 2 messages processed from reception queue
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): send [L2TP tid=1 sid=1 Ns=1 Nr=3 <Message-Type Incoming-Call-Reply> <Assigned-Session-ID -29387>]
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): 1 message sent from send queue
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): 1 message added to reception queue
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): 1 message acked by peer
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): recv [L2TP tid=36388 sid=36149 Ns=3 Nr=2 <Message-Type Incoming-Call-Connected> <TX-Speed 100000000> <Framing-Type 1> <Proxy-Authen-Type 4>]
Aug 13 14:20:29 accel-l2tp[2599]: l2tp session 36388-1, 36149-1: handling ICCN
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): 1 message processed from reception queue
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): 0 message sent from send queue
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): sending ZLB
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): send [L2TP tid=1 sid=0 Ns=2 Nr=4]
Aug 13 14:20:29 accel-l2tp[2599]: :: starting data channel for l2tp(192.168.3.2:1701 session 36388-1, 36149-1)
Aug 13 14:20:29 accel-l2tp[2599]: :: lcp_layer_init
Aug 13 14:20:29 accel-l2tp[2599]: :: auth_layer_init
Aug 13 14:20:29 accel-l2tp[2599]: :: ccp_layer_init
Aug 13 14:20:29 accel-l2tp[2599]: :: ipcp_layer_init
Aug 13 14:20:29 accel-l2tp[2599]: :: ipv6cp_layer_init
Aug 13 14:20:29 accel-l2tp[2599]: :: ppp establishing
Aug 13 14:20:29 accel-l2tp[2599]: :: lcp_layer_start
Aug 13 14:20:29 accel-l2tp[2599]: :: send [LCP ConfReq id=51 <auth MSCHAP-v2> <mru 1436> <magic 26fbb17c>]
Aug 13 14:20:29 accel-l2tp[2599]: :: recv [LCP ConfReq id=0 <mru 1400> <magic 17d35aaa> <pcomp> <accomp> < d 3 6 >]
Aug 13 14:20:29 accel-l2tp[2599]: :: send [LCP ConfRej id=0 <pcomp> <accomp> < d 3 6 >]
Aug 13 14:20:29 accel-l2tp[2599]: :: recv [LCP ConfReq id=1 <mru 1400> <magic 17d35aaa>]
Aug 13 14:20:29 accel-l2tp[2599]: :: send [LCP ConfAck id=1]
vyos@home:~$

To summarize, see the schema below:

A connection directly from my workstation works fine.

[RESOLVED] The problem comes from the D-NAT.
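A mechanical reading of the accel-ppp log above, as an added example (Python, not code from the thread, from accel-ppp or from VyOS): it walks the log in order through the L2TP control-connection milestones (SCCRQ, SCCRP, SCCCN, tunnel established, ICRQ, ICRP, ICCN) into PPP LCP, reports the last milestone reached, and extracts the LCP parameters the server offered (MSCHAP-v2 authentication, MRU 1436) and the client requested (MRU 1400). The stage names, the hint texts and the truncated-log case are this example's own; the sample lines are a constructed excerpt of the posted log. The "no SCCRQ" hint relies on the poster's rule 43, which accepts udp/1701 only with `ipsec match-ipsec`, so an IPsec SA that never comes up shows in this log as no SCCRQ at all.

```python
import re

# Constructed excerpt in the shape of the accel-ppp log posted in the thread
# (peer 192.168.3.2, tunnel 36388-1, session 36149-1 as in that log).
SAMPLE_LOG = """\
Aug 13 14:20:29 accel-l2tp[2599]: l2tp: handling SCCRQ from 192.168.3.2
Aug 13 14:20:29 accel-l2tp[2599]: l2tp: new tunnel 36388-1 created following reception of SCCRQ from 192.168.3.2:1701
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): sending SCCRP
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): handling SCCCN
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): established at 192.168.1.251:1701
Aug 13 14:20:29 accel-l2tp[2599]: l2tp tunnel 36388-1 (192.168.3.2:1701): handling ICRQ
Aug 13 14:20:29 accel-l2tp[2599]: l2tp session 36388-1, 36149-1: sending ICRP
Aug 13 14:20:29 accel-l2tp[2599]: l2tp session 36388-1, 36149-1: handling ICCN
Aug 13 14:20:29 accel-l2tp[2599]: :: starting data channel for l2tp(192.168.3.2:1701 session 36388-1, 36149-1)
Aug 13 14:20:29 accel-l2tp[2599]: :: send [LCP ConfReq id=51 <auth MSCHAP-v2> <mru 1436> <magic 26fbb17c>]
Aug 13 14:20:29 accel-l2tp[2599]: :: recv [LCP ConfReq id=0 <mru 1400> <magic 17d35aaa> <pcomp> <accomp> < d 3 6 >]
Aug 13 14:20:29 accel-l2tp[2599]: :: send [LCP ConfRej id=0 <pcomp> <accomp> < d 3 6 >]
Aug 13 14:20:29 accel-l2tp[2599]: :: recv [LCP ConfReq id=1 <mru 1400> <magic 17d35aaa>]
Aug 13 14:20:29 accel-l2tp[2599]: :: send [LCP ConfAck id=1]
"""

# Milestones of one L2TP control connection and its first session, in the
# order accel-ppp logs them (RFC 2661 message names), then the PPP LCP start.
STAGES = (
    ("SCCRQ received", r"handling SCCRQ"),
    ("SCCRP sent", r"sending SCCRP"),
    ("SCCCN received", r"handling SCCCN"),
    ("tunnel established", r"\): established at "),
    ("ICRQ received", r"handling ICRQ"),
    ("ICRP sent", r"sending ICRP"),
    ("ICCN received", r"handling ICCN"),
    ("PPP started", r"starting data channel"),
    ("LCP ConfReq sent", r"send \[LCP ConfReq"),
    ("LCP ConfAck sent", r"send \[LCP ConfAck"),
)

# Where to look when the log ends at a given stage. These hints are this
# example's, not advice from the thread; the rule referenced is the poster's
# rule 43 (udp/1701 accepted only with 'ipsec match-ipsec').
HINTS = {
    None: "no SCCRQ: udp/1701 never reached accel-ppp; with the 1701 rule tied to "
          "match-ipsec the IPsec SA must exist first, so check IKE (udp/500, udp/4500) before L2TP",
    "SCCRP sent": "SCCRP went out but no SCCCN came back: the reply is not reaching "
                  "the client (return path, NAT) or the client rejected it",
    "ICRP sent": "session reply sent but no ICCN: same return-path check as for SCCRP",
    "LCP ConfReq sent": "PPP started but LCP never converged: read the peer's ConfReq/ConfRej lines",
    "LCP ConfAck sent": "tunnel, session and LCP are up; PPP authentication and IPCP follow",
}


def stages_reached(log: str):
    """Walk the log once; advance only when the next expected milestone appears."""
    idx = 0
    for line in log.splitlines():
        if idx < len(STAGES) and re.search(STAGES[idx][1], line):
            idx += 1
    return [name for name, _ in STAGES[:idx]]


def diagnose(log: str):
    reached = stages_reached(log)
    last = reached[-1] if reached else None
    return {"last_stage": last,
            "hint": HINTS.get(last, "stopped after '%s': look for the next expected message" % last)}


def _lcp_opts(log: str, direction: str) -> str:
    """Option string of the first LCP ConfReq the server sent ('send') or got ('recv')."""
    m = re.search(r":: %s \[LCP ConfReq id=\d+ (.*)\]" % direction, log)
    return m.group(1) if m else ""


def _opt(opts: str, name: str):
    m = re.search(r"<%s (\S+)>" % name, opts)
    return m.group(1) if m else None


def lcp_params(log: str):
    """Auth method and MRU the server offered, and the MRU the client first asked for."""
    srv, cli = _lcp_opts(log, "send"), _lcp_opts(log, "recv")
    mru = lambda o: int(_opt(o, "mru")) if _opt(o, "mru") else None
    return {"server_auth": _opt(srv, "auth"), "server_mru": mru(srv), "client_mru": mru(cli)}


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
    print(lcp_params(SAMPLE_LOG))
```

For the posted log this reaches `LCP ConfAck sent`, which matches the poster's observation that the direct connection works; feeding it the log of a failing attempt shows the first missing message instead, and a log with no SCCRQ at all points back at IKE, since with `ipsec match-ipsec` on the 1701 rule no L2TP packet is accepted until the IPsec SA exists.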
