L2TP disconnect

Good day.
Several days ago I changed our gateway from Windows to VyOS. My configuration is now simpler than I thought it would be at the beginning, but it works…
I have only one issue: in my configuration I have an L2TP VPN with a RADIUS server based on Windows AD. The client successfully connects to the VPN, but after some time (several hours; I don't have an accurate time now) the connection is lost, and on the next try the client receives error 789.
I tried some experiments from my home network (two computers behind NAT that are connected to the internet):
On computer 1 I connected to L2TP and worked for some time. After the connection was interrupted I tried to connect to the VPN from computer 2 and got the same 789 error.
BUT when I tried to connect to the VPN from computer 1 via a 3G network, everything worked fine!
After some time (about half an hour, or maybe an hour) I can connect to the VPN from both computers via my home network without any problem.
So I think there is some problem with something like a timeout or key lifetime, maybe…
This is my configuration for L2TP:
vpn {
    ipsec {
        ipsec-interfaces {
            interface pppoe0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                mode radius
                radius-server 192.168.0.10 {
                    key ********
                }
            }
            client-ip-pool {
                start 192.168.0.150
                stop 192.168.0.200
            }
            dns-servers {
                server-1 192.168.0.10
                server-2 192.168.0.11
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ********
                }
                ike-lifetime 3600
            }
            outside-address ...
        }
    }
}

Hi Anatoly,

Could you provide the output of the following commands:
:~$ sh ver
:~$ sh vpn remote-access
:~$ show vpn debug

Oleksandr Mamenko

Sorry for the long delay, but I had some problems that had higher priority.
First of all, answering your request:

sh ver

Version: VyOS 1.1.8
Description: VyOS 1.1.8 (helium)
Copyright: 2017 VyOS maintainers and contributors
Built by: maintainers@vyos.net
Built on: Sat Nov 11 13:44:36 UTC 2017
Build ID: 1711111344-b483efc
System type: x86 64-bit
Boot via: image
HW model: System Product Name
HW S/N: System Serial Number
HW UUID: A0717B78-48DE-E011-98C9-14DAE9DABD3F
Uptime: 07:25:23 up 22 days, 16:14, 1 user, load average: 0.08, 0.04, 0.05

sh vpn remote-access
At this moment I have no active session, so there is no significant output.

show vpn debug
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth2/eth2 192.168.0.1:4500
000 interface eth2/eth2 192.168.0.1:500
000 interface pppoe0/pppoe0 XX.XX.XX.XX:4500
000 interface pppoe0/pppoe0 XX.XX.XX.XX:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
000 "remote-access-mac-zzz": XX.XX.XX.XX[XX.XX.XX.XX]:17/1701...%virtual[%any]:17/%any===?; unrouted; eroute owner: #0
000 "remote-access-mac-zzz": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "remote-access-mac-zzz": dpd_action: clear; dpd_delay: 15s; dpd_timeout: 45s;
000 "remote-access-mac-zzz": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,32; interface: pppoe0;
000 "remote-access-mac-zzz": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "remote-access-win-aaa": XX.XX.XX.XX[XX.XX.XX.XX]:17/1701...%virtual[%any]:17/1701===?; unrouted; eroute owner: #0
000 "remote-access-win-aaa": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "remote-access-win-aaa": dpd_action: clear; dpd_delay: 15s; dpd_timeout: 45s;
000 "remote-access-win-aaa": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,32; interface: pppoe0;
000 "remote-access-win-aaa": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
Status of IKEv2 charon daemon (strongSwan 4.5.2):
uptime: 21 days, since Nov 26 13:56:00 2018
malloc: sbrk 368640, mmap 0, used 235184, free 133456
worker threads: 7 idle of 16, job queue load: 0, scheduled events: 0
loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Listening IP addresses:
192.168.0.1
XX.XX.XX.XX
Connections:
Security Associations:
none

And now more information about the behaviour:
case 1: wired internet access from the client
I can connect to the VPN server and establish a connection. The connection operates for 30 minutes to 3 hours (a random value; I can't find any dependency) and then I lose the connection. If I wait while Windows automatically reconnects, I receive the 789 error and can restore the connection only after 1-2 hours.

case 2: wired internet access client
If I try to reconnect not immediately after the connection was lost (for the test I waited about 15-30 seconds), I can reconnect successfully!

case 3: 3G internet access client
One time I tried using my 3G connection, and there was not a single disconnect for the whole day!

So now I'm totally confused and don't know where to start investigating the problem.

All other things work perfectly and I totally like VyOS.

Hello, I have the exact same problem. Did anyone get a solution?

Hello @jonny.redes, which VyOS version are you using?
show version
It seems this can be an IPsec issue. Tell me if you know how I can reproduce this issue in a LAB environment.

Hello Dmitry,

I am using VyOS version 1.1.8; I will try to reproduce the problem in a LAB. I've been thinking: usually after 1 hour or so the problem normalizes. Do you think it could have something to do with 'ike-lifetime'? I wonder, because I use the default of 3600 seconds and it coincides with the interval after which they can reconnect to the VPN once they lose their connection.

Hello @jonny.redes, 1.1.X is EOL.
I propose trying the latest rolling release, which contains a new L2TP implementation.
As for ike-lifetime, you need to research the logs, because DPD also exists, which can clear the IPsec connection by timeout.
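To follow Dmitry's advice of checking ike-lifetime and DPD against the `show vpn debug` output quoted earlier, here is an added helper (not from the thread or from VyOS) that parses the pluto status lines, computes the IKE rekey window from ike_life, rekey_margin and rekey_fuzz, and reports the DPD and DONTREKEY settings that can drop or block a session. The sample status text is constructed with the same values as the "remote-access-win-aaa" connection above.

```python
import re

# Constructed sample in the format of the `show vpn debug` (pluto status)
# output quoted in the thread; values copied from "remote-access-win-aaa".
SAMPLE_STATUS = """\
000 "remote-access-win-aaa": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "remote-access-win-aaa": dpd_action: clear; dpd_delay: 15s; dpd_timeout: 45s;
000 "remote-access-win-aaa": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,32; interface: pppoe0;
000 "remote-access-win-aaa": newest ISAKMP SA: #0; newest IPsec SA: #0;
"""

CONN_RE = re.compile(r'^000 "(?P<conn>[^"]+)": (?P<body>.*)$')
KV_RE = re.compile(r'(\w+): ([^;]+)')
SA_RE = re.compile(r'newest (ISAKMP|IPsec) SA: #(\d+)')

def parse_status(text):
    """Return {connection name: {field: value}} for every `000 "name": ...` line."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        fields = conns.setdefault(m.group("conn"), {})
        for key, value in KV_RE.findall(m.group("body")):
            fields[key] = value.strip()
        for kind, num in SA_RE.findall(m.group("body")):
            fields[kind + "_sa"] = int(num)  # "#0" means no SA is established

    return conns

def seconds(value):
    return int(value.rstrip("s"))

def rekey_window(fields):
    """pluto rekeys an SA at life - margin*(1 + fuzz*U(0,1)) seconds after it
    came up; return the (earliest, latest) IKE rekey instant in seconds."""
    life = seconds(fields["ike_life"])
    margin = seconds(fields["rekey_margin"])
    fuzz = int(fields["rekey_fuzz"].rstrip("%")) / 100.0
    return life - int(margin * (1 + fuzz)), life - margin

def findings(fields):
    """Plain-language notes on the timers that can drop or block a session."""
    notes = []
    if "DONTREKEY" in fields.get("policy", "").split("+"):
        notes.append("DONTREKEY: the server never rekeys; the SA is deleted when ike_life expires")
    if fields.get("dpd_action") == "clear":
        notes.append("DPD clears the SA after %s without a reply (probe every %s)"
                     % (fields["dpd_timeout"], fields["dpd_delay"]))
    if fields.get("ISAKMP_sa", 0) == 0:
        notes.append("no IKE SA is established for this connection right now")
    return notes

if __name__ == "__main__":
    for name, fields in parse_status(SAMPLE_STATUS).items():
        print(name, "ike_life", fields["ike_life"], "rekey window", rekey_window(fields))
        for note in findings(fields):
            print("  -", note)
```

Feed it the real output (`show vpn debug > status.txt`, then `parse_status(open("status.txt").read())`) and compare the reported timers with the moment a client loses its session and the moment it can reconnect again.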