l2tp over ipsec - multiple clients behind nat


#1

Hi,

I have managed to set up L2TP over IPsec and the VPN works, but when there are multiple clients connecting from behind the same NAT at a remote office, only one of them can connect.

The error in the log is:

Dec 14 08:11:57 vpn pluto[5967]: "remote-access-mac-zzz"[63] xxx.xxx.xxx.xxx #79: NAT-Traversal: Result using RFC 3947: peer is NATed
Dec 14 08:11:57 vpn pluto[5967]: "remote-access-mac-zzz"[63] xxx.xxx.xxx.xxx #79: Peer ID is ID_IPV4_ADDR: '192.168.1.187'
Dec 14 08:11:57 vpn pluto[5967]: "remote-access-mac-zzz"[64] xxx.xxx.xxx.xxx #79: deleting connection "remote-access-mac-zzz" instance with peer xxx.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
Dec 14 08:11:57 vpn pluto[5967]: "remote-access-mac-zzz"[64] xxx.xxx.xxx.xxx:1820 #79: sent MR3, ISAKMP SA established
Dec 14 08:11:57 vpn pluto[5967]: "remote-access-mac-zzz"[64] xxx.xxx.xxx.xxx:1820 #80: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 14 08:11:57 vpn pluto[5967]: "remote-access-mac-zzz"[64] xxx.xxx.xxx.xxx:1820 #80: responding to Quick Mode
Dec 14 08:11:57 vpn pluto[5967]: "remote-access-mac-zzz"[64] xxx.xxx.xxx.xxx:1820 #80: cannot install eroute -- it is in use for "remote-access-mac-zzz"[62] xxx.xxx.xxx.xxx:4500 #78
Dec 14 08:11:58 vpn pluto[5967]: "remote-access-mac-zzz"[64] xxx.xxx.xxx.xxx:1820 #79: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Dec 14 08:11:58 vpn pluto[5967]: "remote-access-mac-zzz"[64] xxx.xxx.xxx.xxx:1820 #79: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.xxx:1820
Dec 14 08:11:59 vpn pluto[5967]: "remote-access-mac-zzz"[64] xxx.xxx.xxx.xxx:1820 #79: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Dec 14 08:11:59 vpn pluto[5967]: "remote-access-mac-zzz"[64] xxx.xxx.xxx.xxx:1820 #79: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.xxx:1820
Dec 14 08:12:02 vpn pluto[5967]: "remote-access-mac-zzz"[64] xxx.xxx.xxx.xxx:1820 #79: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)

My config is this:

firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name OUTSIDE-LOCAL {
        default-action drop
        rule 40 {
            action accept
            protocol esp
        }
        rule 41 {
            action accept
            destination {
                port 500
            }
            protocol udp
        }
        rule 42 {
            action accept
            destination {
                port 4500
            }
            protocol udp
        }
        rule 43 {
            action accept
            destination {
                port 1701
            }
            ipsec {
                match-ipsec
            }
            protocol udp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth0 {
        duplex auto
        hw-id 00:25:90:ea:f1:66
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address XX.YYY.ZZ.215/24
        duplex auto
        hw-id 00:25:90:ea:f1:67
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}
nat {
    source {
        rule 110 {
            outbound-interface eth1
            source {
                address 192.168.255.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop XX.YY.ZZ.1 {
            }
        }
    }
}
service {
    ssh {
        disable-host-validation
        port 44300
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    host-name vpn.xxxxxxxxxxx.com
    login {
        user xxxxxxxxxx {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
    }

    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    package {
        auto-sync 1
        repository community {
            components main
            distribution helium
            password ****************
            url http://packages.vyos.net/vyos
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    
}
vpn {
    ipsec {
        ipsec-interfaces {
            interface eth1
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username daves {
                        password ****************
                    }
                    username nicovdm {
                        password ****************
                    }
                    username pierrevh {
                        password ****************
                    }

                }
                mode local
            }
            client-ip-pool {
                start 192.168.255.1
                stop 192.168.255.255
            }

            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                ike-lifetime 3600
            }
            outside-address XX.YYY.ZZ.215
        }
    }
}

Any idea if it's possible to have multiple L2TP VPNs originating from behind the same NAT device?
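A small triage script for the pluto log quoted above, added here as an example (it is not from the original post and not part of VyOS or strongSwan): it parses pluto lines, records which peer public IPs were reported as NATed, and flags each "cannot install eroute" collision where the instance that already holds the eroute comes from the same public IP, which is exactly the symptom of a second client behind one NAT. The sample lines are constructed from the post's output, with the documentation address 203.0.113.10 standing in for xxx.xxx.xxx.xxx.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the pluto output quoted in the post.
SAMPLE_LOG = """\
Dec 14 08:11:57 vpn pluto[5967]: "remote-access-mac-zzz"[63] 203.0.113.10 #79: NAT-Traversal: Result using RFC 3947: peer is NATed
Dec 14 08:11:57 vpn pluto[5967]: "remote-access-mac-zzz"[64] 203.0.113.10:1820 #79: sent MR3, ISAKMP SA established
Dec 14 08:11:57 vpn pluto[5967]: "remote-access-mac-zzz"[64] 203.0.113.10:1820 #80: cannot install eroute -- it is in use for "remote-access-mac-zzz"[62] 203.0.113.10:4500 #78
Dec 14 08:11:58 vpn pluto[5967]: "remote-access-mac-zzz"[64] 203.0.113.10:1820 #79: sending encrypted notification INVALID_MESSAGE_ID to 203.0.113.10:1820
"""

# One pluto line: timestamp, host, connection name, instance, peer[:port], state number, message.
LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "(?P<conn>[^"]+)"'
                     r'\[(?P<inst>\d+)\] (?P<peer>[\d.]+)(?::(?P<port>\d+))? #(?P<state>\d+): (?P<msg>.*)$')
# The instance that already owns the eroute, quoted inside the collision message.
INUSE_RE = re.compile(r'in use for "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\d.]+):(?P<port>\d+) #(?P<state>\d+)')

def parse_line(line):
    """Return the fields of a pluto log line, or None for anything else."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def analyse(log_text):
    """Group events by peer public IP; note NAT detection and eroute collisions."""
    peers = defaultdict(lambda: {"nated": False, "collisions": []})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        rec = peers[ev["peer"]]
        if "peer is NATed" in ev["msg"]:
            rec["nated"] = True
        inuse = INUSE_RE.search(ev["msg"])
        if inuse:
            rec["collisions"].append({
                "new_instance": int(ev["inst"]), "new_port": ev["port"],
                "held_by_instance": int(inuse.group("inst")), "held_by_port": inuse.group("port"),
                # Same public IP on both sides means two clients share one NAT device.
                "same_public_ip": inuse.group("peer") == ev["peer"],
            })
    return peers

def nat_shared_collisions(log_text):
    """Public IPs that were NATed and lost an eroute to another instance behind the same IP."""
    return sorted(ip for ip, r in analyse(log_text).items()
                  if r["nated"] and any(c["same_public_ip"] for c in r["collisions"]))
```

Run it over `journalctl`/syslog output from the VyOS box instead of SAMPLE_LOG; each IP it returns is a NAT device with more than one L2TP/IPsec client trying to connect at once.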


#2

Let's just say that L2TP is in the "it's a miracle it works at all" class.
I note Ubiquiti have a similar issue and it's something to do with the ancient strongSwan version 4.5.2.
They mention updating to 5.3.something solves this.

My big problem is rekey / DPD related as $clients are Windows 7/8/10 and fall off after an hour.