L2TP Remote-Access VPN

Hello! I have a problem with setting up L2TP over IPsec remote access VPN.
I configured it as in the docs and am trying to connect.

Here is my log from the Android device:

Oct 14 17:00:13 vyos pluto[2899]: packet from 94.25.168.152:14849: received Vendor ID payload [RFC 3947]
Oct 14 17:00:13 vyos pluto[2899]: packet from 94.25.168.152:14849: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Oct 14 17:00:13 vyos pluto[2899]: packet from 94.25.168.152:14849: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Oct 14 17:00:13 vyos pluto[2899]: packet from 94.25.168.152:14849: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Oct 14 17:00:13 vyos pluto[2899]: packet from 94.25.168.152:14849: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Oct 14 17:00:13 vyos pluto[2899]: packet from 94.25.168.152:14849: received Vendor ID payload [Dead Peer Detection]
Oct 14 17:00:13 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: responding to Main Mode from unknown peer 94.25.168.152:14849
Oct 14 17:00:13 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: Oakley Transform [AES_CBC (256), HMAC_SHA2_384, MODP_1024] refused due to strict flag
Oct 14 17:00:13 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: Oakley Transform [AES_CBC (256), HMAC_SHA2_256, MODP_1024] refused due to strict flag
Oct 14 17:00:13 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: Oakley Transform [AES_CBC (256), HMAC_SHA2_512, MODP_1024] refused due to strict flag
Oct 14 17:00:13 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: NAT-Traversal: Result using RFC 3947: peer is NATed
Oct 14 17:00:13 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: next payload type of ISAKMP Identification Payload has an unknown value: 73
Oct 14 17:00:13 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Oct 14 17:00:13 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: sending encrypted notification PAYLOAD_MALFORMED to 94.25.168.152:14849
Oct 14 17:00:16 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: next payload type of ISAKMP Identification Payload has an unknown value: 73
Oct 14 17:00:16 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Oct 14 17:00:16 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: sending encrypted notification PAYLOAD_MALFORMED to 94.25.168.152:14849
Oct 14 17:00:19 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: next payload type of ISAKMP Identification Payload has an unknown value: 73
Oct 14 17:00:19 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Oct 14 17:00:19 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: sending encrypted notification PAYLOAD_MALFORMED to 94.25.168.152:14849
Oct 14 17:00:22 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: next payload type of ISAKMP Identification Payload has an unknown value: 73
Oct 14 17:00:22 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Oct 14 17:00:22 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: sending encrypted notification PAYLOAD_MALFORMED to 94.25.168.152:14849
Oct 14 17:00:25 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: next payload type of ISAKMP Identification Payload has an unknown value: 73
Oct 14 17:00:25 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Oct 14 17:00:25 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: sending encrypted notification PAYLOAD_MALFORMED to 94.25.168.152:14849
Oct 14 17:00:28 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: next payload type of ISAKMP Identification Payload has an unknown value: 73
Oct 14 17:00:28 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Oct 14 17:00:28 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: sending encrypted notification PAYLOAD_MALFORMED to 94.25.168.152:14849
Oct 14 17:00:31 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: next payload type of ISAKMP Identification Payload has an unknown value: 73
Oct 14 17:00:31 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Oct 14 17:00:31 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: sending encrypted notification PAYLOAD_MALFORMED to 94.25.168.152:14849
Oct 14 17:00:34 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: next payload type of ISAKMP Identification Payload has an unknown value: 73
Oct 14 17:00:34 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Oct 14 17:00:34 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: sending encrypted notification PAYLOAD_MALFORMED to 94.25.168.152:14849
Oct 14 17:00:37 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: next payload type of ISAKMP Identification Payload has an unknown value: 73
Oct 14 17:00:37 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Oct 14 17:00:37 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: sending encrypted notification PAYLOAD_MALFORMED to 94.25.168.152:14849
Oct 14 17:00:40 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: next payload type of ISAKMP Identification Payload has an unknown value: 73
Oct 14 17:00:40 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Oct 14 17:00:40 vyos pluto[2899]: "remote-access-mac-zzz"[8] 94.25.168.152:14849 #8: sending encrypted notification PAYLOAD_MALFORMED to 94.25.168.152:14849

And here is the log from Windows 10:

Oct 12 22:49:42 vyos pluto[3962]: packet from 178.173.21.41:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Oct 12 22:49:42 vyos pluto[3962]: packet from 178.173.21.41:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Oct 12 22:49:42 vyos pluto[3962]: packet from 178.173.21.41:500: received Vendor ID payload [RFC 3947]
Oct 12 22:49:42 vyos pluto[3962]: packet from 178.173.21.41:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Oct 12 22:49:42 vyos pluto[3962]: packet from 178.173.21.41:500: ignoring Vendor ID payload [FRAGMENTATION]
Oct 12 22:49:42 vyos pluto[3962]: packet from 178.173.21.41:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Oct 12 22:49:42 vyos pluto[3962]: packet from 178.173.21.41:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Oct 12 22:49:42 vyos pluto[3962]: packet from 178.173.21.41:500: ignoring Vendor ID payload [IKE CGA version 1]
Oct 12 22:49:42 vyos pluto[3962]: "remote-access-mac-zzz"[1] 178.173.21.41 #26: responding to Main Mode from unknown peer 178.173.21.41
Oct 12 22:49:42 vyos pluto[3962]: "remote-access-mac-zzz"[1] 178.173.21.41 #26: Oakley Transform [AES_CBC (256), HMAC_SHA1, ECP_384] refused due to strict flag
Oct 12 22:49:42 vyos pluto[3962]: "remote-access-mac-zzz"[1] 178.173.21.41 #26: Oakley Transform [AES_CBC (128), HMAC_SHA1, ECP_256] refused due to strict flag
Oct 12 22:49:42 vyos pluto[3962]: "remote-access-mac-zzz"[1] 178.173.21.41 #26: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP_2048] refused due to strict flag
Oct 12 22:49:42 vyos pluto[3962]: "remote-access-mac-zzz"[1] 178.173.21.41 #26: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP_2048] refused due to strict flag
Oct 12 22:49:42 vyos pluto[3962]: "remote-access-mac-zzz"[1] 178.173.21.41 #26: NAT-Traversal: Result using RFC 3947: peer is NATed
Oct 12 22:49:42 vyos pluto[3962]: "remote-access-mac-zzz"[1] 178.173.21.41 #26: Peer ID is ID_IPV4_ADDR: '192.168.254.1'
Oct 12 22:49:42 vyos pluto[3962]: "remote-access-mac-zzz"[2] 178.173.21.41 #26: deleting connection "remote-access-mac-zzz" instance with peer 178.173.21.41 {isakmp=#0/ipsec=#0}
Oct 12 22:49:42 vyos pluto[3962]: "remote-access-mac-zzz"[2] 178.173.21.41:4500 #26: sent MR3, ISAKMP SA established
Oct 12 22:49:42 vyos pluto[3962]: "remote-access-mac-zzz"[2] 178.173.21.41:4500 #27: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Oct 12 22:49:42 vyos pluto[3962]: "remote-access-mac-zzz"[2] 178.173.21.41:4500 #27: responding to Quick Mode
Oct 12 22:49:42 vyos pluto[3962]: "remote-access-mac-zzz"[2] 178.173.21.41:4500 #27: IPsec SA established {ESP=>0x0cf68da4 <0xc9e77aef NATOA=192.168.254.1}
Oct 12 22:49:42 vyos pluto[3962]: "remote-access-mac-zzz"[2] 178.173.21.41:4500 #26: received Delete SA(0x0cf68da4) payload: deleting IPSEC State #27
Oct 12 22:49:42 vyos pluto[3962]: "remote-access-mac-zzz"[2] 178.173.21.41:4500 #26: received Delete SA payload: deleting ISAKMP State #26
Oct 12 22:49:42 vyos pluto[3962]: "remote-access-mac-zzz"[2] 178.173.21.41:4500: deleting connection "remote-access-mac-zzz" instance with peer 178.173.21.41 {isakmp=#0/ipsec=#0}

VyOS v1.1.8
What have I done wrong? Thank you for your answer.

Hello, did you try the latest rolling release? Recently I tested all available devices, and it works correctly.

No. Based on your policy, I can’t get the latest release for no reason. Therefore, version 1.1.8 is interesting.

@Nikolai I mean rolling. You can read VyOS Community.
PS: 1.1 is EOL.

Dmitry, I have updated VyOS to the latest release, VyOS 1.2-rolling-201910150117,
and now it doesn't work…
Help please!

Oct 15 19:32:41 vyos charon: 07[NET] received packet: from 178.173.21.41[500] to 37.18.88.193[500] (408 bytes)
Oct 15 19:32:41 vyos charon: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Oct 15 19:32:41 vyos charon: 07[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
Oct 15 19:32:41 vyos charon: 07[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Oct 15 19:32:41 vyos charon: 07[IKE] received NAT-T (RFC 3947) vendor ID
Oct 15 19:32:41 vyos charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 15 19:32:41 vyos charon: 07[IKE] received FRAGMENTATION vendor ID
Oct 15 19:32:41 vyos charon: 07[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Oct 15 19:32:41 vyos charon: 07[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Oct 15 19:32:41 vyos charon: 07[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Oct 15 19:32:41 vyos charon: 07[IKE] 178.173.21.41 is initiating a Main Mode IKE_SA
Oct 15 19:32:41 vyos charon: 07[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 15 19:32:41 vyos charon: 07[ENC] generating ID_PROT response 0 [ SA V V V V ]
Oct 15 19:32:41 vyos charon: 07[NET] sending packet: from 37.18.88.193[500] to 178.173.21.41[500] (156 bytes)
Oct 15 19:32:41 vyos charon: 08[NET] received packet: from 178.173.21.41[500] to 37.18.88.193[500] (260 bytes)
Oct 15 19:32:41 vyos charon: 08[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Oct 15 19:32:41 vyos charon: 08[IKE] remote host is behind NAT
Oct 15 19:32:41 vyos charon: 08[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Oct 15 19:32:41 vyos charon: 08[NET] sending packet: from 37.18.88.193[500] to 178.173.21.41[500] (244 bytes)
Oct 15 19:32:41 vyos charon: 09[NET] received packet: from 178.173.21.41[4500] to 37.18.88.193[4500] (68 bytes)
Oct 15 19:32:41 vyos charon: 09[ENC] parsed ID_PROT request 0 [ ID HASH ]
Oct 15 19:32:41 vyos charon: 09[CFG] looking for pre-shared key peer configs matching 37.18.88.193...178.173.21.41[192.168.254.1]
Oct 15 19:32:41 vyos charon: 09[CFG] selected peer config "remote-access"
Oct 15 19:32:41 vyos charon: 09[IKE] IKE_SA remote-access[1] established between 37.18.88.193[37.18.88.193]...178.173.21.41[192.168.254.1]
Oct 15 19:32:41 vyos charon: 09[IKE] DPD not supported by peer, disabled
Oct 15 19:32:41 vyos charon: 09[ENC] generating ID_PROT response 0 [ ID HASH ]
Oct 15 19:32:41 vyos charon: 09[NET] sending packet: from 37.18.88.193[4500] to 178.173.21.41[4500] (68 bytes)
Oct 15 19:32:41 vyos charon: 11[NET] received packet: from 178.173.21.41[4500] to 37.18.88.193[4500] (436 bytes)
Oct 15 19:32:41 vyos charon: 11[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Oct 15 19:32:41 vyos charon: 11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Oct 15 19:32:41 vyos charon: 11[IKE] received 3600s lifetime, configured 0s
Oct 15 19:32:41 vyos charon: 11[IKE] received 250000000 lifebytes, configured 0
Oct 15 19:32:41 vyos charon: 11[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Oct 15 19:32:41 vyos charon: 11[NET] sending packet: from 37.18.88.193[4500] to 178.173.21.41[4500] (204 bytes)
Oct 15 19:32:41 vyos charon: 12[NET] received packet: from 178.173.21.41[4500] to 37.18.88.193[4500] (60 bytes)
Oct 15 19:32:41 vyos charon: 12[ENC] parsed QUICK_MODE request 1 [ HASH ]
Oct 15 19:32:41 vyos charon: 12[IKE] CHILD_SA remote-access{1} established with SPIs cbfb07a0_i 6ade0464_o and TS 37.18.88.193/32[udp/l2f] === 178.173.21.41/32[udp/l2f]
Oct 15 19:32:41 vyos charon: 13[NET] received packet: from 178.173.21.41[4500] to 37.18.88.193[4500] (76 bytes)
Oct 15 19:32:41 vyos charon: 13[ENC] parsed INFORMATIONAL_V1 request 1690522692 [ HASH D ]
Oct 15 19:32:41 vyos charon: 13[IKE] received DELETE for ESP CHILD_SA with SPI 6ade0464
Oct 15 19:32:41 vyos charon: 13[IKE] closing CHILD_SA remote-access{1} with SPIs cbfb07a0_i (0 bytes) 6ade0464_o (0 bytes) and TS 37.18.88.193/32[udp/l2f] === 178.173.21.41/32[udp/l2f]
Oct 15 19:32:41 vyos charon: 14[NET] received packet: from 178.173.21.41[4500] to 37.18.88.193[4500] (84 bytes)
Oct 15 19:32:41 vyos charon: 14[ENC] parsed INFORMATIONAL_V1 request 1502983837 [ HASH D ]
Oct 15 19:32:41 vyos charon: 14[IKE] received DELETE for IKE_SA remote-access[1]
Oct 15 19:32:41 vyos charon: 14[IKE] deleting IKE_SA remote-access[1] between 37.18.88.193[37.18.88.193]...178.173.21.41[192.168.254.1]

Is it possible to get some log from the Android device? Which device exactly (vendor and model)?

The latest log I sent you was from trying to connect from a Win10 device.
My Android device is a Samsung Galaxy S9+, but Windows is preferred over Android.
Also, I'll try to send you one from the Android device.

Do you match/grep logs by charon? Use this instead:

show log | match "19:32:"

And it will be better if you provide your configuration:

show configuration commands | strip-private | match vpn

Here are the new logs :slight_smile: Thank you for the answers, man!

Trying to connect from Windows 10:

vyos@vyos:~$ show log | match "23:06:"
Oct 15 23:06:17 vyos charon[18614]: 08[NET] received packet: from 178.173.21.41[500] to 37.18.88.193[500] (408 bytes)
Oct 15 23:06:17 vyos charon[18614]: 08[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Oct 15 23:06:17 vyos charon[18614]: 08[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
Oct 15 23:06:17 vyos charon[18614]: 08[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Oct 15 23:06:17 vyos charon[18614]: 08[IKE] received NAT-T (RFC 3947) vendor ID
Oct 15 23:06:17 vyos charon[18614]: 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 15 23:06:17 vyos charon[18614]: 08[IKE] received FRAGMENTATION vendor ID
Oct 15 23:06:17 vyos charon[18614]: 08[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Oct 15 23:06:17 vyos charon[18614]: 08[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Oct 15 23:06:17 vyos charon[18614]: 08[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Oct 15 23:06:17 vyos charon[18614]: 08[IKE] 178.173.21.41 is initiating a Main Mode IKE_SA
Oct 15 23:06:17 vyos charon[18614]: 08[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 15 23:06:17 vyos charon[18614]: 08[ENC] generating ID_PROT response 0 [ SA V V V V ]
Oct 15 23:06:17 vyos charon[18614]: 08[NET] sending packet: from 37.18.88.193[500] to 178.173.21.41[500] (156 bytes)
Oct 15 23:06:17 vyos charon[18614]: 09[NET] received packet: from 178.173.21.41[500] to 37.18.88.193[500] (260 bytes)
Oct 15 23:06:17 vyos charon[18614]: 09[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Oct 15 23:06:17 vyos charon[18614]: 09[IKE] remote host is behind NAT
Oct 15 23:06:17 vyos charon[18614]: 09[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Oct 15 23:06:17 vyos charon[18614]: 09[NET] sending packet: from 37.18.88.193[500] to 178.173.21.41[500] (244 bytes)
Oct 15 23:06:17 vyos charon[18614]: 10[NET] received packet: from 178.173.21.41[4500] to 37.18.88.193[4500] (68 bytes)
Oct 15 23:06:17 vyos charon[18614]: 10[ENC] parsed ID_PROT request 0 [ ID HASH ]
Oct 15 23:06:17 vyos charon[18614]: 10[CFG] looking for pre-shared key peer configs matching 37.18.88.193...178.173.21.41[192.168.254.1]
Oct 15 23:06:17 vyos charon[18614]: 10[CFG] selected peer config "remote-access"
Oct 15 23:06:17 vyos charon[18614]: 10[IKE] IKE_SA remote-access[2] established between 37.18.88.193[37.18.88.193]...178.173.21.41[192.168.254.1]
Oct 15 23:06:17 vyos charon[18614]: 10[IKE] DPD not supported by peer, disabled
Oct 15 23:06:17 vyos charon[18614]: 10[ENC] generating ID_PROT response 0 [ ID HASH ]
Oct 15 23:06:17 vyos charon[18614]: 10[NET] sending packet: from 37.18.88.193[4500] to 178.173.21.41[4500] (68 bytes)
Oct 15 23:06:17 vyos charon[18614]: 12[NET] received packet: from 178.173.21.41[4500] to 37.18.88.193[4500] (436 bytes)
Oct 15 23:06:17 vyos charon[18614]: 12[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Oct 15 23:06:17 vyos charon[18614]: 12[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Oct 15 23:06:17 vyos charon[18614]: 12[IKE] received 3600s lifetime, configured 0s
Oct 15 23:06:17 vyos charon[18614]: 12[IKE] received 250000000 lifebytes, configured 0
Oct 15 23:06:17 vyos charon[18614]: 12[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Oct 15 23:06:17 vyos charon[18614]: 12[NET] sending packet: from 37.18.88.193[4500] to 178.173.21.41[4500] (204 bytes)
Oct 15 23:06:17 vyos charon[18614]: 13[NET] received packet: from 178.173.21.41[4500] to 37.18.88.193[4500] (60 bytes)
Oct 15 23:06:17 vyos charon[18614]: 13[ENC] parsed QUICK_MODE request 1 [ HASH ]
Oct 15 23:06:17 vyos charon[18614]: 13[IKE] CHILD_SA remote-access{1} established with SPIs c1b3f642_i 25619316_o and TS 37.18.88.193/32[udp/l2f] === 178.173.21.41/32[udp/l2f]
Oct 15 23:06:17 vyos charon[18614]: 14[NET] received packet: from 178.173.21.41[4500] to 37.18.88.193[4500] (76 bytes)
Oct 15 23:06:17 vyos charon[18614]: 14[ENC] parsed INFORMATIONAL_V1 request 93092637 [ HASH D ]
Oct 15 23:06:17 vyos charon[18614]: 14[IKE] received DELETE for ESP CHILD_SA with SPI 25619316
Oct 15 23:06:17 vyos charon[18614]: 14[IKE] closing CHILD_SA remote-access{1} with SPIs c1b3f642_i (0 bytes) 25619316_o (0 bytes) and TS 37.18.88.193/32[udp/l2f] === 178.173.21.41/32[udp/l2f]
Oct 15 23:06:17 vyos charon[18614]: 15[NET] received packet: from 178.173.21.41[4500] to 37.18.88.193[4500] (84 bytes)
Oct 15 23:06:17 vyos charon[18614]: 15[ENC] parsed INFORMATIONAL_V1 request 4146135641 [ HASH D ]
Oct 15 23:06:17 vyos charon[18614]: 15[IKE] received DELETE for IKE_SA remote-access[2]
Oct 15 23:06:17 vyos charon[18614]: 15[IKE] deleting IKE_SA remote-access[2] between 37.18.88.193[37.18.88.193]...178.173.21.41[192.168.254.1]
Oct 15 23:06:24 vyos sudo[18824]: vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/bin/journalctl
Oct 15 23:06:24 vyos sudo[18824]: pam_unix(sudo:session): session opened for user root by vyos(uid=0)
Oct 15 23:06:24 vyos sudo[18824]: pam_unix(sudo:session): session closed for user root
Oct 15 23:06:34 vyos sudo[18845]: vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/bin/journalctl
Oct 15 23:06:34 vyos sudo[18845]: pam_unix(sudo:session): session opened for user root by vyos(uid=0)
Oct 15 23:06:34 vyos sudo[18845]: pam_unix(sudo:session): session closed for user root
Oct 15 23:06:55 vyos sudo[18866]: vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/bin/journalctl
Oct 15 23:06:55 vyos sudo[18866]: pam_unix(sudo:session): session opened for user root by vyos(uid=0)
Oct 15 23:06:55 vyos sudo[18866]: pam_unix(sudo:session): session closed for user root
Oct 15 23:06:58 vyos sudo[18887]: vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/bin/journalctl
Oct 15 23:06:58 vyos sudo[18887]: pam_unix(sudo:session): session opened for user root by vyos(uid=0)
Oct 15 23:06:58 vyos sudo[18887]: pam_unix(sudo:session): session closed for user root


vyos@vyos:~$ show configuration commands | strip-private | match vpn
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-networks allowed-network xxx.xxx.0.0/0
set vpn ipsec nat-traversal 'enable'
set vpn l2tp remote-access authentication local-users username xxxxxx password xxxxxx
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access client-ip-pool start 'xxx.xxx.0.1'
set vpn l2tp remote-access client-ip-pool stop 'xxx.xxx.0.100'
set vpn l2tp remote-access description 'TestRemoteAccessVPN'
set vpn l2tp remote-access dns-servers server-1 'xxx.xxx.8.8'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret xxxxxx
set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'
set vpn l2tp remote-access outside-address 'xxx.xxx.88.193'

Trying to connect from iOS:

07[NET] received packet: from 31.173.86.255[35553] to 37.18.88.193[500] (788 bytes)
07[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
07[IKE] received NAT-T (RFC 3947) vendor ID
07[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
07[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
07[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
07[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
07[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
07[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
07[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
07[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
07[IKE] received FRAGMENTATION vendor ID
07[IKE] received DPD vendor ID
07[IKE] 31.173.86.255 is initiating a Main Mode IKE_SA
07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
07[ENC] generating ID_PROT response 0 [ SA V V V V ]
07[NET] sending packet: from 37.18.88.193[500] to 31.173.86.255[35553] (160 bytes)
08[NET] received packet: from 31.173.86.255[35553] to 37.18.88.193[500] (228 bytes)
08[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
08[IKE] remote host is behind NAT
08[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
08[NET] sending packet: from 37.18.88.193[500] to 31.173.86.255[35553] (244 bytes)
14[NET] received packet: from 31.173.86.255[3092] to 37.18.88.193[4500] (108 bytes)
14[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
14[CFG] looking for pre-shared key peer configs matching 37.18.88.193...31.173.86.255[100.118.117.113]
14[CFG] selected peer config "remote-access"
14[IKE] IKE_SA remote-access[4] established between 37.18.88.193[37.18.88.193]...31.173.86.255[100.118.117.113]
14[ENC] generating ID_PROT response 0 [ ID HASH ]
14[NET] sending packet: from 37.18.88.193[4500] to 31.173.86.255[3092] (76 bytes)
08[NET] received packet: from 31.173.86.255[3092] to 37.18.88.193[4500] (316 bytes)
08[ENC] parsed QUICK_MODE request 3828860548 [ HASH SA No ID ID NAT-OA NAT-OA ]
08[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
08[IKE] received 3600s lifetime, configured 0s
08[ENC] generating QUICK_MODE response 3828860548 [ HASH SA No ID ID NAT-OA NAT-OA ]
08[NET] sending packet: from 37.18.88.193[4500] to 31.173.86.255[3092] (204 bytes)
06[NET] received packet: from 31.173.86.255[3092] to 37.18.88.193[4500] (60 bytes)
06[ENC] parsed QUICK_MODE request 3828860548 [ HASH ]
06[IKE] CHILD_SA remote-access{3} established with SPIs c1ca2a4e_i 019b52a7_o and TS 37.18.88.193/32[udp/l2f] === 31.173.86.255/32[udp/65153]
15[NET] received packet: from 31.173.86.255[3092] to 37.18.88.193[4500] (76 bytes)
15[ENC] parsed INFORMATIONAL_V1 request 1103660005 [ HASH D ]
15[IKE] received DELETE for ESP CHILD_SA with SPI 019b52a7
15[IKE] closing CHILD_SA remote-access{3} with SPIs c1ca2a4e_i (685 bytes) 019b52a7_o (499 bytes) and TS 37.18.88.193/32[udp/l2f] === 31.173.86.255/32[udp/65153]
15[NET] received packet: from 31.173.86.255[3092] to 37.18.88.193[4500] (92 bytes)
15[ENC] parsed INFORMATIONAL_V1 request 1696219511 [ HASH D ]
15[IKE] received DELETE for IKE_SA remote-access[4]
15[IKE] deleting IKE_SA remote-access[4] between 37.18.88.193[37.18.88.193]...31.173.86.255[100.118.117.113]

Try adding outside-nexthop and check the connection again.

set vpn l2tp remote-access outside-nexthop 100.64.0.1

I tried. The same result. Which address do I need to set in the command set vpn l2tp remote-access outside-nexthop? I tried the local-network address and the interface eth0 (outside) address. No result :frowning:

Here is some log from Windows.
Sorry for the Russian, but I think you understand it :smiley:

CoID={210CBA52-8737-4750-B23E-9E9827B80127}: Пользователь SYSTEM начал выполнять подключение VPN, используя профиль подключения per-user с именем L2TP. Параметры подключения: 
Dial-in User = testuser
VpnStrategy = L2TP
DataEncryption = Requested
PrerequisiteEntry = 
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = EAP 
Ipv4DefaultGateway = No
Ipv4AddressAssignment = By Server
Ipv4DNSServerAssignment = By Server
Ipv6DefaultGateway = Yes
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags = 
IpNBTEnabled = Yes
UseFlags = Private Connection
ConnectOnWinlogon = No
IPsec authentication for L2TP = Pre-shared key.
____

CoID={210CBA52-8737-4750-B23E-9E9827B80127}: Пользователь SYSTEM пытается установить связь с сервером удаленного доступа для подключения L2TP при помощи следующего устройства: 
Server address/Phone Number = 37.18.88.193
Device = WAN Miniport (L2TP)
Port = VPN3-1    
MediaType = VPN.
____

CoID={210CBA52-8737-4750-B23E-9E9827B80127}: Пользователь SYSTEM установил удаленное подключение L2TP, которое завершилось сбоем. Возвращен код ошибки 651.

Seems the ISP blocks IPsec. Please mark it as solved if you don't have any other issues.