Hi,
I have managed to set up L2TP over IPsec and the VPN works, but when multiple clients connect from behind the same NAT device at a remote office, only one of them can connect.
The error in the log is:
Dec 14 08:11:57 vpn pluto[5967]: "remote-access-mac-zzz"[63] xxx.xxx.xxx.xxx #79: NAT-Traversal: Result using RFC 3947: peer is NATed
Dec 14 08:11:57 vpn pluto[5967]: "remote-access-mac-zzz"[63] xxx.xxx.xxx.xxx #79: Peer ID is ID_IPV4_ADDR: '192.168.1.187'
Dec 14 08:11:57 vpn pluto[5967]: "remote-access-mac-zzz"[64] xxx.xxx.xxx.xxx #79: deleting connection "remote-access-mac-zzz" instance with peer xxx.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
Dec 14 08:11:57 vpn pluto[5967]: "remote-access-mac-zzz"[64] xxx.xxx.xxx.xxx:1820 #79: sent MR3, ISAKMP SA established
Dec 14 08:11:57 vpn pluto[5967]: "remote-access-mac-zzz"[64] xxx.xxx.xxx.xxx:1820 #80: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 14 08:11:57 vpn pluto[5967]: "remote-access-mac-zzz"[64] xxx.xxx.xxx.xxx:1820 #80: responding to Quick Mode
Dec 14 08:11:57 vpn pluto[5967]: "remote-access-mac-zzz"[64] xxx.xxx.xxx.xxx:1820 #80: cannot install eroute -- it is in use for "remote-access-mac-zzz"[62] xxx.xxx.xxx.xxx:4500 #78
Dec 14 08:11:58 vpn pluto[5967]: "remote-access-mac-zzz"[64] xxx.xxx.xxx.xxx:1820 #79: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Dec 14 08:11:58 vpn pluto[5967]: "remote-access-mac-zzz"[64] xxx.xxx.xxx.xxx:1820 #79: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.xxx:1820
Dec 14 08:11:59 vpn pluto[5967]: "remote-access-mac-zzz"[64] xxx.xxx.xxx.xxx:1820 #79: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Dec 14 08:11:59 vpn pluto[5967]: "remote-access-mac-zzz"[64] xxx.xxx.xxx.xxx:1820 #79: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.xxx:1820
Dec 14 08:12:02 vpn pluto[5967]: "remote-access-mac-zzz"[64] xxx.xxx.xxx.xxx:1820 #79: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
My config is this:
firewall {
all-ping enable
broadcast-ping disable
config-trap disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name OUTSIDE-LOCAL {
default-action drop
rule 40 {
action accept
protocol esp
}
rule 41 {
action accept
destination {
port 500
}
protocol udp
}
rule 42 {
action accept
destination {
port 4500
}
protocol udp
}
rule 43 {
action accept
destination {
port 1701
}
ipsec {
match-ipsec
}
protocol udp
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
twa-hazards-protection disable
}
interfaces {
ethernet eth0 {
duplex auto
hw-id 00:25:90:ea:f1:66
smp_affinity auto
speed auto
}
ethernet eth1 {
address XX.YYY.ZZ.215/24
duplex auto
hw-id 00:25:90:ea:f1:67
smp_affinity auto
speed auto
}
loopback lo {
}
}
nat {
source {
rule 110 {
outbound-interface eth1
source {
address 192.168.255.0/24
}
translation {
address masquerade
}
}
}
}
protocols {
static {
route 0.0.0.0/0 {
next-hop XX.YY.ZZ.1 {
}
}
}
}
service {
ssh {
disable-host-validation
port 44300
}
}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 9600
}
}
host-name vpn.xxxxxxxxxxx.com
login {
user xxxxxxxxxx {
authentication {
encrypted-password ****************
plaintext-password ****************
}
level admin
}
}
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
package {
auto-sync 1
repository community {
components main
distribution helium
password ****************
url http://packages.vyos.net/vyos
username ""
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
}
vpn {
ipsec {
ipsec-interfaces {
interface eth1
}
nat-networks {
allowed-network 0.0.0.0/0 {
}
}
nat-traversal enable
}
l2tp {
remote-access {
authentication {
local-users {
username daves {
password ****************
}
username nicovdm {
password ****************
}
username pierrevh {
password ****************
}
}
mode local
}
client-ip-pool {
start 192.168.255.1
stop 192.168.255.255
}
ipsec-settings {
authentication {
mode pre-shared-secret
pre-shared-secret ****************
}
ike-lifetime 3600
}
outside-address XX.YYY.ZZ.215
}
}
}
Any idea whether it is possible to have multiple L2TP VPN clients originating from behind the same NAT device? The "cannot install eroute -- it is in use" line above suggests the second client's tunnel collides with the first one's already-installed policy.