L2TP/IPsec remote access VPN is not working


#1

Hello,
L2TP/IPsec remote access VPN is not working in VyOS 1.2.0. Please check the log file below. Tested with the built-in L2TP client on WinXP, Win7, Win10 and Android 5.1. None of them can connect to the VPN.

I have tested the same configuration in Vyatta 6.6R1_amd64 and it is working. Tested with the Android 5.1 L2TP client.

Thank you.

+++ Configuration +++

set interfaces ethernet eth0 address 172.17.100.20/16

set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
edit vpn l2tp
set remote-access outside-address 172.17.100.20
set remote-access authentication mode local
set remote-access authentication local-users username brezular1 password 'test1111'
set remote-access authentication local-users username brezular2 password 'test2222'
set remote-access client-ip-pool start 192.168.214.1
set remote-access client-ip-pool stop 192.168.214.255
set remote-access dns-servers server-1 8.8.8.8
set remote-access ipsec-settings authentication mode pre-shared-secret
set remote-access ipsec-settings authentication pre-shared-secret testshared
set remote-access ipsec-settings ike-lifetime 3600

+++ /var/log/messages +++

Feb  5 21:00:26 vyos charon: 10[NET] received packet: from 172.17.100.5[500] to 172.17.100.20[500] (444 bytes)
Feb  5 21:00:26 vyos charon: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V ]
Feb  5 21:00:26 vyos charon: 10[IKE] received NAT-T (RFC 3947) vendor ID
Feb  5 21:00:26 vyos charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Feb  5 21:00:26 vyos charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb  5 21:00:26 vyos charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Feb  5 21:00:26 vyos charon: 10[IKE] received FRAGMENTATION vendor ID
Feb  5 21:00:26 vyos charon: 10[IKE] received DPD vendor ID
Feb  5 21:00:26 vyos charon: 10[IKE] 172.17.100.5 is initiating a Main Mode IKE_SA
Feb  5 21:00:26 vyos charon: 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb  5 21:00:26 vyos charon: 10[ENC] generating ID_PROT response 0 [ SA V V V V ]
Feb  5 21:00:26 vyos charon: 10[NET] sending packet: from 172.17.100.20[500] to 172.17.100.5[500] (160 bytes)
Feb  5 21:00:26 vyos charon: 11[MGR] ignoring request with ID 2366369201, already processing
Feb  5 21:00:26 vyos charon: 13[NET] received packet: from 172.17.100.5[500] to 172.17.100.20[500] (228 bytes)
Feb  5 21:00:26 vyos charon: 13[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb  5 21:00:26 vyos charon: 12[MGR] ignoring request with ID 3419062997, already processing
Feb  5 21:00:26 vyos charon: 13[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Feb  5 21:00:26 vyos charon: 13[NET] sending packet: from 172.17.100.20[500] to 172.17.100.5[500] (244 bytes)
Feb  5 21:00:26 vyos charon: 14[NET] received packet: from 172.17.100.5[500] to 172.17.100.20[500] (92 bytes)
Feb  5 21:00:26 vyos charon: 14[ENC] parsed ID_PROT request 0 [ ID HASH ]
Feb  5 21:00:26 vyos charon: 14[CFG] looking for pre-shared key peer configs matching 172.17.100.20...172.17.100.5[172.17.10]
Feb  5 21:00:26 vyos charon: 14[CFG] selected peer config "remote-access"
Feb  5 21:00:26 vyos charon: 14[IKE] IKE_SA remote-access[3] established between 172.17.100.20[172.17.100.20]...172.17.100.5]
Feb  5 21:00:26 vyos charon: 14[ENC] generating ID_PROT response 0 [ ID HASH ]
Feb  5 21:00:26 vyos charon: 14[NET] sending packet: from 172.17.100.20[500] to 172.17.100.5[500] (76 bytes)
Feb  5 21:00:26 vyos charon: 14[NET] received packet: from 172.17.100.5[500] to 172.17.100.20[500] (92 bytes)
Feb  5 21:00:26 vyos charon: 14[IKE] received retransmit of request with ID 0, retransmitting response
Feb  5 21:00:26 vyos charon: 14[NET] sending packet: from 172.17.100.20[500] to 172.17.100.5[500] (76 bytes)
Feb  5 21:00:26 vyos charon: 15[NET] received packet: from 172.17.100.5[500] to 172.17.100.20[500] (108 bytes)
Feb  5 21:00:26 vyos charon: 15[ENC] parsed INFORMATIONAL_V1 request 2384766413 [ HASH N(INITIAL_CONTACT) ]
Feb  5 21:00:26 vyos charon: 15[NET] received packet: from 172.17.100.5[500] to 172.17.100.20[500] (108 bytes)
Feb  5 21:00:26 vyos charon: 15[IKE] received retransmit of request with ID 2384766413, but no response to retransmit
Feb  5 21:00:27 vyos charon: 07[NET] received packet: from 172.17.100.5[500] to 172.17.100.20[500] (348 bytes)
Feb  5 21:00:27 vyos charon: 07[ENC] parsed QUICK_MODE request 2471207950 [ HASH SA No ID ID ]
Feb  5 21:00:27 vyos charon: 07[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Feb  5 21:00:27 vyos charon: 07[IKE] received 28800s lifetime, configured 0s
Feb  5 21:00:27 vyos charon: 07[ENC] generating QUICK_MODE response 2471207950 [ HASH SA No ID ID ]
Feb  5 21:00:27 vyos charon: 07[NET] sending packet: from 172.17.100.20[500] to 172.17.100.5[500] (172 bytes)
Feb  5 21:00:27 vyos charon: 07[NET] received packet: from 172.17.100.5[500] to 172.17.100.20[500] (348 bytes)
Feb  5 21:00:27 vyos charon: 07[IKE] received retransmit of request with ID 2471207950, retransmitting response
Feb  5 21:00:27 vyos charon: 07[NET] sending packet: from 172.17.100.20[500] to 172.17.100.5[500] (172 bytes)
Feb  5 21:00:27 vyos charon: 16[NET] received packet: from 172.17.100.5[500] to 172.17.100.20[500] (76 bytes)
Feb  5 21:00:27 vyos charon: 16[ENC] parsed QUICK_MODE request 2471207950 [ HASH ]
Feb  5 21:00:27 vyos charon: 16[IKE] CHILD_SA remote-access{3} established with SPIs c0c8cc43_i 012b5a28_o and TS 172.17.100]
Feb  5 21:00:27 vyos charon: 16[NET] received packet: from 172.17.100.5[500] to 172.17.100.20[500] (76 bytes)
Feb  5 21:00:27 vyos charon: 16[IKE] received retransmit of request with ID 2471207950, but no response to retransmit
Feb  5 21:00:27 vyos charon: 16[NET] received packet: from 172.17.100.5[500] to 172.17.100.20[500] (76 bytes)
Feb  5 21:00:27 vyos charon: 16[IKE] received retransmit of request with ID 2471207950, but no response to retransmit
Feb  5 21:00:27 vyos charon: 16[NET] received packet: from 172.17.100.5[500] to 172.17.100.20[500] (76 bytes)
Feb  5 21:00:27 vyos charon: 16[IKE] received retransmit of request with ID 2471207950, but no response to retransmit
Feb  5 21:00:33 vyos xl2tpd[1809]: Maximum retries exceeded for tunnel 58864.  Closing.
Feb  5 21:00:33 vyos xl2tpd[1809]: Connection 12907 closed to 172.17.100.5, port 44654 (Timeout)
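An added triage helper, not part of the original report: it reads the charon (strongSwan) and xl2tpd lines posted above and reports how far the connection attempt got, so the failing layer (IKE phase 1, IKE phase 2, or the L2TP control connection inside the ESP SA) is stated rather than inferred by eye. The stage names and the embedded log excerpt are my own constructions taken from the post; the line patterns assume the syslog format shown there.

```python
import re

# Constructed excerpt of the /var/log/messages output posted above (charon is the
# strongSwan IKE daemon, xl2tpd the L2TP daemon); truncated lines are kept as posted.
SAMPLE_LOG = """\
Feb  5 21:00:26 vyos charon: 10[IKE] 172.17.100.5 is initiating a Main Mode IKE_SA
Feb  5 21:00:26 vyos charon: 14[IKE] IKE_SA remote-access[3] established between 172.17.100.20[172.17.100.20]...172.17.100.5]
Feb  5 21:00:27 vyos charon: 07[IKE] received 28800s lifetime, configured 0s
Feb  5 21:00:27 vyos charon: 16[IKE] CHILD_SA remote-access{3} established with SPIs c0c8cc43_i 012b5a28_o and TS 172.17.100]
Feb  5 21:00:27 vyos charon: 16[IKE] received retransmit of request with ID 2471207950, but no response to retransmit
Feb  5 21:00:33 vyos xl2tpd[1809]: Maximum retries exceeded for tunnel 58864.  Closing.
Feb  5 21:00:33 vyos xl2tpd[1809]: Connection 12907 closed to 172.17.100.5, port 44654 (Timeout)
"""

L2TP_TIMEOUT = re.compile(r"xl2tpd\[\d+\]: Connection \d+ closed to ([\d.]+), port (\d+) \(Timeout\)")
RETRANSMIT = re.compile(r"received retransmit of request with ID \d+, but no response")


def classify_attempt(log_text):
    """Return the furthest stage reached ('phase1', 'phase2', 'l2tp', 'complete'),
    the count of client retransmits charon could not answer, and the L2TP peer/port
    if xl2tpd gave up on the control connection."""
    ike_sa = child_sa = False
    unanswered = 0
    l2tp_peer = None
    for line in log_text.splitlines():
        if "charon:" in line:
            # Phase 1 (Main Mode) done: the ISAKMP SA is up.
            if "IKE_SA" in line and "established between" in line:
                ike_sa = True
            # Phase 2 (Quick Mode) done: the ESP SA that carries UDP/1701 is up.
            elif "CHILD_SA" in line and "established with SPIs" in line:
                child_sa = True
            elif RETRANSMIT.search(line):
                unanswered += 1
        else:
            m = L2TP_TIMEOUT.search(line)
            if m:
                l2tp_peer = (m.group(1), int(m.group(2)))
    if not ike_sa:
        stage = "phase1"    # no ISAKMP SA: PSK, IKE proposals or the UDP/500 path
    elif not child_sa:
        stage = "phase2"    # no ESP SA: traffic selectors or ESP proposals
    elif l2tp_peer:
        stage = "l2tp"      # IPsec is up; the L2TP control channel inside it timed out
    else:
        stage = "complete"
    return {"stage": stage, "unanswered_retransmits": unanswered, "l2tp_peer": l2tp_peer}
```

Run against the posted log it reports `l2tp`: both IPsec SAs were established and xl2tpd timed out afterwards, which is where further investigation (xl2tpd debug output, UDP/1701 reaching xl2tpd through the ESP SA) would start.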