L2TP Remote-Access VPN 1.2.3

Remote users are no longer able to connect to the VPN. I believe this happened sometime after the upgrade.

show version
Version: VyOS 1.2.3-H1
/var/log/messages:
Feb 12 16:24:02 head-vy charon: 06[NET] received packet: from xx.xxx.xxx.xx[500] to xxx.xx.xx.xxx[500] (408 bytes)
Feb 12 16:24:02 head-vy charon: 06[IKE] no IKE config found for xxx.xx.xx.xxx…xx.xxx.xxx.xx, sending NO_PROPOSAL_CHOSEN
Feb 12 16:24:02 head-vy charon: 06[NET] sending packet: from xxx.xx.xx.xxx[500] to xx.xxx.xxx.xx[500] (40 bytes)
Feb 12 16:24:03 head-vy charon: 16[NET] received packet: from xx.xxx.xxx.xx[500] to xxx.xx.xx.xxx[500] (408 bytes)
Feb 12 16:24:03 head-vy charon: 16[IKE] no IKE config found for xxx.xxx.xx.xxx…xx.xxx.xxx.xx, sending NO_PROPOSAL_CHOSEN
Feb 12 16:24:03 head-vy charon: 16[NET] sending packet: from xxx.xx.xx.xxx[500] to 67.210.184.92[500] (40 bytes)
Feb 12 16:24:04 head-vy charon: 11[NET] received packet: from xx.xxx.xxx.xxx[500] to xxx.xx.xx.xxx[500] (408 bytes)
Feb 12 16:24:04 head-vy charon: 11[IKE] no IKE config found for xxx.xxx.xx.xxx…xx.xxx.xxx.xx, sending NO_PROPOSAL_CHOSEN
Feb 12 16:24:04 head-vy charon: 11[NET] sending packet: from xxx.xx.xx.xxx[500] to 67.210.184.92[500] (40 bytes)
Feb 12 16:24:07 head-vy charon: 08[NET] received packet: from xx.xxx.xxx.xx[500] to xxx.xx.xx.xxx[500] (408 bytes)
Feb 12 16:24:07 head-vy charon: 08[IKE] no IKE config found for xxx.xx.xx.xxx…xx.xxx.xxx.xx, sending NO_PROPOSAL_CHOSEN
Feb 12 16:24:07 head-vy charon: 08[NET] sending packet: from xxx.xx.xx.xxxx[500] to xxx.xxx.xxx.xx[500] (40 bytes)

config:

l2tp {
    remote-access {
        authentication {
            local-users {
                username first.last {
                    password ****************
                }
            }
            mode local
            require mschap-v2
        }
        client-ip-pool {
            start 10.254.254.10
            stop 10.254.254.254
        }
        dns-servers {
            server-1 172.16.2.98
            server-2 172.16.2.99
        }
        idle 1800
        ipsec-settings {
            authentication {
                mode pre-shared-secret
                pre-shared-secret ****************
            }
            ike-lifetime 3600
            lifetime 3600

Windows 10 client:
The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.

Update…

Rebuilt the preshared key. Now getting new log messages. It's failing on stage 2 now. I will post logs and configs when I get a chance.

Hello @jose.robles, can you provide the full config with IPsec commands (show configuration command | match vpn) for reproducing in the LAB?
If the NIC on the Win PC is disabled and enabled again, will the VPN connect successfully?

NAT traversal is disabled?

set vpn l2tp remote-access authentication local-users username xxxxxx password xxxxxx
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access authentication require 'mschap-v2'
set vpn l2tp remote-access client-ip-pool start '10.254.254.10'
set vpn l2tp remote-access client-ip-pool stop '10.254.254.254'
set vpn l2tp remote-access dns-servers server-1 '172.16.2.98'
set vpn l2tp remote-access dns-servers server-2 '172.16.2.99'
set vpn l2tp remote-access idle '1800'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'xxxxxxxxx'
set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'
set vpn l2tp remote-access ipsec-settings lifetime '3600'
set vpn l2tp remote-access outside-address 'xxx.xxx.xxx.xxx'

It is enabled under the vpn ipsec section. Under the l2tp section it does not give an option for nat-traversal.

Disable it. Maybe that solves the problem if your clients are on Win10.

Update: I ripped out the config and put it back in again. I noticed this message in /var/log/messages:
unable to install policy "server IP"[udp/l2f] === "client IP"[udp/l2f] out for reqid 8, the same policy for reqid 4 exists
I issued the command "restart vpn" and I was able to connect. I used it for the night and disconnected. The next day I was unable to connect again.
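As an added example (not from this thread and not VyOS or strongSwan code), a small Python parser for the two charon messages quoted in this thread: the "no IKE config found ... sending NO_PROPOSAL_CHOSEN" lines from the first post and the "unable to install policy ... reqid" line from this update. It counts rejected IKE attempts per remote address and flags the stale-policy conflict, running over constructed sample lines with made-up addresses (the thread's own are masked).

```python
import re
from collections import Counter

# Constructed sample lines shaped like the charon messages in this thread;
# the addresses are made up (the thread's own are masked).
SAMPLE_LOG = """\
Feb 12 16:24:02 head-vy charon: 06[NET] received packet: from 198.51.100.7[500] to 203.0.113.10[500] (408 bytes)
Feb 12 16:24:02 head-vy charon: 06[IKE] no IKE config found for 203.0.113.10...198.51.100.7, sending NO_PROPOSAL_CHOSEN
Feb 12 16:24:02 head-vy charon: 06[NET] sending packet: from 203.0.113.10[500] to 198.51.100.7[500] (40 bytes)
Feb 12 16:24:03 head-vy charon: 16[IKE] no IKE config found for 203.0.113.10...198.51.100.7, sending NO_PROPOSAL_CHOSEN
Feb 12 16:25:11 head-vy charon: 09[IKE] no IKE config found for 203.0.113.10...192.0.2.44, sending NO_PROPOSAL_CHOSEN
Feb 12 16:30:40 head-vy charon: 12[KNL] unable to install policy 203.0.113.10/32[udp/l2f] === 198.51.100.7/32[udp/l2f] out for reqid 8, the same policy for reqid 4 exists
"""
# "no IKE config found for <local>...<remote>": the responder found no
# connection definition matching the initiator's IKE_SA proposal.
NO_CONFIG_RE = re.compile(
    r"no IKE config found for (\S+?)\.{3}(\S+?), sending NO_PROPOSAL_CHOSEN")
# Kernel policy install refused because an older SA (reqid) still owns it.
POLICY_RE = re.compile(
    r"unable to install policy (\S+) === (\S+) out for reqid (\d+), "
    r"the same policy for reqid (\d+) exists")

def summarize_charon(log_text):
    """Count NO_PROPOSAL_CHOSEN answers per remote address and collect
    stale-policy conflicts from a block of /var/log/messages text."""
    rejected = Counter()
    conflicts = []
    for line in log_text.splitlines():
        m = NO_CONFIG_RE.search(line)
        if m:
            rejected[m.group(2)] += 1  # group(1) is our own address
            continue
        m = POLICY_RE.search(line)
        if m:
            conflicts.append({"src": m.group(1), "dst": m.group(2),
                              "new_reqid": int(m.group(3)),
                              "existing_reqid": int(m.group(4))})
    return {"rejected": dict(rejected), "policy_conflicts": conflicts}

def diagnose(summary):
    """Turn the summary into one finding per symptom, worded for an operator."""
    findings = []
    for peer, n in sorted(summary["rejected"].items()):
        findings.append(f"{peer}: {n}x NO_PROPOSAL_CHOSEN, no IKE config matched "
                        "(check the L2TP PSK/proposal and that the L2TP "
                        "connection is loaded at all)")
    for c in summary["policy_conflicts"]:
        findings.append(f"stale policy {c['src']} === {c['dst']} held by reqid "
                        f"{c['existing_reqid']} blocks reqid {c['new_reqid']}")
    return findings
```

Feed it the output of `grep charon /var/log/messages`; a remote address that only ever collects NO_PROPOSAL_CHOSEN, or any policy conflict, is the condition the thread resolved by rebuilding the PSK or running `restart vpn`.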

VyOS will not allow me to disable it. I'm guessing it's because of the site-to-site VPN connections that are established.

@jose.robles please, share your full vpn commands which include IPSec configuration.

show configuration command | match vpn

set interfaces openvpn vtun0 description 'Remote Access OpenVPN'
set interfaces openvpn vtun0 encryption 'aes256'
set interfaces openvpn vtun0 hash 'sha512'
set interfaces openvpn vtun0 local-host 'xxx.xxx.xxx.xxx'
set interfaces openvpn vtun0 local-port '1198'
set interfaces openvpn vtun0 mode 'server'
set interfaces openvpn vtun0 protocol 'udp'
set interfaces openvpn vtun0 server domain-name 'companydomain'
set interfaces openvpn vtun0 server name-server '172.16.2.98'
set interfaces openvpn vtun0 server name-server '172.16.2.99'
set interfaces openvpn vtun0 server push-route '10.50.10.0/24'
set interfaces openvpn vtun0 server push-route '172.16.0.0/16'
set interfaces openvpn vtun0 server push-route 'xxx.xxx.xxx.xxx/24'
set interfaces openvpn vtun0 server push-route '172.28.125.144/28'
set interfaces openvpn vtun0 server push-route '192.168.101.0/24'
set interfaces openvpn vtun0 server push-route '192.168.100.0/24'
set interfaces openvpn vtun0 server subnet '10.253.253.0/24'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/my.net.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/my.my.net.crt'
set interfaces openvpn vtun0 tls dh-file '/config/auth/dh1024.pem'
set interfaces openvpn vtun0 tls key-file '/config/auth/my.net.key'
set interfaces openvpn vtun1 description 'Remote Access OpenVPN'
set interfaces openvpn vtun1 encryption 'aes256'
set interfaces openvpn vtun1 hash 'sha512'
set interfaces openvpn vtun1 local-host 'xxx.xxx.xxx.xxx'
set interfaces openvpn vtun1 local-port '1199'
set interfaces openvpn vtun1 mode 'server'
set interfaces openvpn vtun1 protocol 'udp'
set interfaces openvpn vtun1 server domain-name 'companydomain'
set interfaces openvpn vtun1 server name-server '172.16.2.98'
set interfaces openvpn vtun1 server name-server '172.16.2.99'
set interfaces openvpn vtun1 server push-route '172.16.0.0/16'
set interfaces openvpn vtun1 server push-route '10.50.11.0/24'
set interfaces openvpn vtun1 server subnet '10.253.252.0/24'
set interfaces openvpn vtun1 tls ca-cert-file '/config/auth/my.net.crt'
set interfaces openvpn vtun1 tls cert-file '/config/auth/my.my.net.crt'
set interfaces openvpn vtun1 tls dh-file '/config/auth/dh1024.pem'
set interfaces openvpn vtun1 tls key-file '/config/auth/my.my.net.key'
set interfaces openvpn vtun2 description 'Remote Access OpenVPN'
set interfaces openvpn vtun2 encryption 'aes256'
set interfaces openvpn vtun2 hash 'sha512'
set interfaces openvpn vtun2 local-host 'xxx.xxx.xxx.xxx'
set interfaces openvpn vtun2 local-port '1200'
set interfaces openvpn vtun2 mode 'server'
set interfaces openvpn vtun2 openvpn-option '--push redirect-gateway def1'
set interfaces openvpn vtun2 protocol 'udp'
set interfaces openvpn vtun2 server domain-name 'companydomain'
set interfaces openvpn vtun2 server name-server '172.16.2.98'
set interfaces openvpn vtun2 server name-server '172.16.2.99'
set interfaces openvpn vtun2 server push-route '10.50.10.0/24'
set interfaces openvpn vtun2 server push-route '172.16.0.0/16'
set interfaces openvpn vtun2 server push-route 'xxx.xxx.xxx.xxx/24'
set interfaces openvpn vtun2 server push-route '172.28.125.144/28'
set interfaces openvpn vtun2 server push-route '192.168.101.0/24'
set interfaces openvpn vtun2 server push-route '192.168.100.0/24'
set interfaces openvpn vtun2 server push-route 'xxx.xxx.xxx.xxx/32'
set interfaces openvpn vtun2 server push-route 'xxx.xxx.xxx.xxx/32'
set interfaces openvpn vtun2 server subnet '10.253.251.0/24'
set interfaces openvpn vtun2 server topology 'subnet'
set interfaces openvpn vtun2 tls ca-cert-file '/config/auth/my.net.crt'
set interfaces openvpn vtun2 tls cert-file '/config/auth/my.my.net.crt'
set interfaces openvpn vtun2 tls dh-file '/config/auth/dh1024.pem'
set interfaces openvpn vtun2 tls key-file '/config/auth/my.my.net.key'
set nat source rule 495 description 'remote-access'
set nat source rule 496 description 'remote-access'
set nat source rule 497 description 'remote-access'
set vpn ipsec esp-group remote-branch compression 'disable'
set vpn ipsec esp-group remote-branch lifetime '86400'
set vpn ipsec esp-group remote-branch mode 'tunnel'
set vpn ipsec esp-group remote-branch pfs 'disable'
set vpn ipsec esp-group remote-branch proposal 1 encryption 'aes256'
set vpn ipsec esp-group remote-branch proposal 1 hash 'sha1'
set vpn ipsec esp-group remote-branch2 compression 'disable'
set vpn ipsec esp-group remote-branch2 lifetime '86400'
set vpn ipsec esp-group remote-branch2 mode 'tunnel'
set vpn ipsec esp-group remote-branch2 pfs 'disable'
set vpn ipsec esp-group remote-branch2 proposal 1 encryption 'aes128'
set vpn ipsec esp-group remote-branch2 proposal 1 hash 'sha1'
set vpn ipsec esp-group remote-branch3 compression 'disable'
set vpn ipsec esp-group remote-branch3 lifetime '28800'
set vpn ipsec esp-group remote-branch3 mode 'tunnel'
set vpn ipsec esp-group remote-branch3 pfs 'disable'
set vpn ipsec esp-group remote-branch3 proposal 1 encryption 'aes256'
set vpn ipsec esp-group remote-branch3 proposal 1 hash 'sha1'
set vpn ipsec esp-group remote-branch4 compression 'disable'
set vpn ipsec esp-group remote-branch4 lifetime '28800'
set vpn ipsec esp-group remote-branch4 mode 'tunnel'
set vpn ipsec esp-group remote-branch4 pfs 'disable'
set vpn ipsec esp-group remote-branch4 proposal 1 encryption 'aes256'
set vpn ipsec esp-group remote-branch4 proposal 1 hash 'sha1'
set vpn ipsec ike-group remote-branch1-ike ikev2-reauth 'no'
set vpn ipsec ike-group remote-branch1-ike key-exchange 'ikev1'
set vpn ipsec ike-group remote-branch1-ike lifetime '86400'
set vpn ipsec ike-group remote-branch1-ike mode 'main'
set vpn ipsec ike-group remote-branch1-ike proposal 1 dh-group '5'
set vpn ipsec ike-group remote-branch1-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group remote-branch1-ike proposal 1 hash 'sha1'
set vpn ipsec ike-group remote-branch2 ikev2-reauth 'no'
set vpn ipsec ike-group remote-branch2 key-exchange 'ikev1'
set vpn ipsec ike-group remote-branch2 lifetime '86400'
set vpn ipsec ike-group remote-branch2 proposal 1 dh-group '14'
set vpn ipsec ike-group remote-branch2 proposal 1 encryption 'aes128'
set vpn ipsec ike-group remote-branch2 proposal 1 hash 'sha1'
set vpn ipsec ike-group remote-branch3 ikev2-reauth 'no'
set vpn ipsec ike-group remote-branch3 key-exchange 'ikev1'
set vpn ipsec ike-group remote-branch3 lifetime '28800'
set vpn ipsec ike-group remote-branch3 mode 'main'
set vpn ipsec ike-group remote-branch3 proposal 1 dh-group '2'
set vpn ipsec ike-group remote-branch3 proposal 1 encryption 'aes256'
set vpn ipsec ike-group remote-branch3 proposal 1 hash 'sha1'
set vpn ipsec ike-group remote-branch4 ikev2-reauth 'no'
set vpn ipsec ike-group remote-branch4 key-exchange 'ikev1'
set vpn ipsec ike-group remote-branch4 lifetime '28800'
set vpn ipsec ike-group remote-branch4 mode 'main'
set vpn ipsec ike-group remote-branch4 proposal 1 dh-group '2'
set vpn ipsec ike-group remote-branch4 proposal 1 encryption 'aes256'
set vpn ipsec ike-group remote-branch4 proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'bond8.99'
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx authentication pre-shared-secret '
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx connection-type 'initiate'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx default-esp-group 'xxxxxx'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx ike-group 'xxxxx'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx local-address 'xxx.xxx.xxx.xxx'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 0 local prefix '10.38.56.0/24'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 0 remote prefix '172.28.125.144/28'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 1 local prefix '10.38.56.0/24'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 1 remote prefix '172.28.110.0/24'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 2 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 2 allow-public-networks 'disable'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 2 local prefix '10.138.56.0/24'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 2 remote prefix '172.28.125.144/28'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx authentication pre-shared-secret '
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx connection-type 'initiate'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx ike-group 'remote-branch2'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx local-address 'xxx.xxx.xxx.xxx'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 0 esp-group 'remote-branch2'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 0 protocol 'gre'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx authentication pre-shared-secret '*******'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx connection-type 'initiate'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx ike-group 'xxx.xxx.xxx.xxx'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx local-address 'xxx.xxx.xxx.xxx'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 0 esp-group 'remote-branch2'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 0 protocol 'gre'
set vpn l2tp remote-access authentication local-users username xxxxxxx password 'xxxxxx'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access authentication require 'mschap-v2'
set vpn l2tp remote-access client-ip-pool start '10.254.254.10'
set vpn l2tp remote-access client-ip-pool stop '10.254.254.254'
set vpn l2tp remote-access dns-servers server-1 '172.16.2.98'
set vpn l2tp remote-access dns-servers server-2 '172.16.2.99'
set vpn l2tp remote-access idle '1800'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret '********'
set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'
set vpn l2tp remote-access ipsec-settings lifetime '3600'
set vpn l2tp remote-access outside-address 'xxx.xxx.xxx.xxx'

Update. I can get the connection to work if I change the preshared key. For some reason the preshared key will stop working. I'm guessing it has something to do with the way Windows 10 handles the preshared key.

It's been working so far; every so often I have to run "restart vpn" for some reason and it will connect again.