Hi all,
I’m getting a very weird set of log entries from configuration I have used quite a bit in the past. It’s clearly something with NAT traversal, and while the L2TP server has NAT running on it, the IPSEC interface is not behind it.
The messages:
The VPN configuration:
vyos@router1# run show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             173.x.x.118/28                    u/u
eth1             204.x.x.2/24                      u/u
eth2             10.10.0.2/22                      u/u
lo               127.0.0.1/8                       u/u
                 10.0.0.1/32
                 ::1/128
vti1             10.9.254.2/30                     u/u
vtun0            10.9.254.129/25                   u/u
vyos@router1# show vpn
 ipsec {
     esp-group ESP-1W {
         compression disable
         lifetime 1800
         mode tunnel
         pfs enable
         proposal 1 {
             encryption aes256
             hash sha512
         }
     }
     ike-group IKE-1W {
         ikev2-reauth no
         key-exchange ikev1
         lifetime 3600
         proposal 1 {
             dh-group 14
             encryption aes256
             hash sha512
         }
     }
     ipsec-interfaces {
         interface eth0
     }
     logging {
         log-modes all
     }
     nat-networks {
         allowed-network 172.16.0.0/12 {
         }
         allowed-network 192.168.0.0/16 {
         }
     }
     nat-traversal enable
     site-to-site {
         peer 174.x.x.201 {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret xxx
             }
             connection-type initiate
             default-esp-group ESP-1W
             ike-group IKE-1W
             ikev2-reauth inherit
             local-address 173.x.x.118
             vti {
                 bind vti1
                 esp-group ESP-1W
             }
         }
     }
 }
 l2tp {
     remote-access {
         authentication {
             local-users {
                 username brian {
                     password test
                 }
             }
             mode local
         }
         client-ip-pool {
             start 10.9.255.1
             stop 10.9.255.126
         }
         dns-servers {
             server-1 204.x.x.10
             server-2 204.x.x.11
         }
         ipsec-settings {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret dwelled6@syncopation
             }
             ike-lifetime 3600
         }
         outside-address 173.x.x.118
         outside-nexthop 173.x.x.113
     }
 }
The messages that follow the INVALID_MESSAGE_ID are all of the form: "remote-access-mac-zzz"[2] 71.211.239.136:4500 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xa609e4a1 (perhaps this is a duplicated packet)
How can I provide more information and learn how to solve this?
Thanks, Brian
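An added example for readers working through log output like the line quoted above (this is not code from Brian's post or from VyOS): a small Python parser for pluto-style IKE log lines of the shape `"conn"[instance] peer:port #state: message`, run over constructed sample lines that use documentation addresses. It counts how many times each peer repeats the same Quick Mode Message ID (a count above one is what the "perhaps this is a duplicated packet" wording points at) and lists which peers are talking on UDP 4500, i.e. with NAT-T UDP encapsulation negotiated. The connection names, addresses, Message IDs and counts in the sample are assumptions made for the example.

```python
import re
from collections import defaultdict

# Pluto-style IKE log line, as quoted in the post:
#   "conn-name"[instance] peer-ip:port #state-number: message text
LOG_LINE = re.compile(
    r'^"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])?\s+'
    r'(?P<peer>[\d.]+):(?P<port>\d+)\s+#(?P<state>\d+):\s+(?P<msg>.*)$'
)
MSGID = re.compile(r'Message ID (?P<msgid>0x[0-9a-fA-F]+)')
REUSED = "previously used Message ID"

# Constructed sample log (assumption: not taken from the post; documentation IPs only).
SAMPLE_LOG = """\
"remote-access-mac-zzz"[2] 203.0.113.10:4500 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xa609e4a1 (perhaps this is a duplicated packet)
"remote-access-mac-zzz"[2] 203.0.113.10:4500 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xa609e4a1 (perhaps this is a duplicated packet)
"remote-access-mac-zzz"[2] 203.0.113.10:4500 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xa609e4a1 (perhaps this is a duplicated packet)
"remote-access-mac-zzz"[3] 203.0.113.11:4500 #6: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1f2e3d4c (perhaps this is a duplicated packet)
"site-to-site-peer"[1] 198.51.100.7:500 #2: STATE_MAIN_I4: ISAKMP SA established
"""


def parse_line(line):
    """Split one log line into its fields; return None for lines in another format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    # UDP 4500 is only used after NAT-T detected a NAT between the peers.
    rec["nat_t"] = rec["port"] == 4500
    mid = MSGID.search(rec["msg"])
    rec["msgid"] = mid.group("msgid") if mid else None
    return rec


def reused_message_ids(log_text):
    """Count the 'previously used Message ID' complaints per (peer, Message ID)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["msgid"] and REUSED in rec["msg"]:
            counts[(rec["peer"], rec["msgid"])] += 1
    return dict(counts)


def nat_t_peers(log_text):
    """Peers whose IKE exchange has floated to UDP 4500 (NAT-T encapsulation in use)."""
    peers = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["nat_t"]:
            peers.add(rec["peer"])
    return sorted(peers)


def report(log_text):
    """Human-readable summary: one line per repeated Message ID, flagged when it repeats."""
    lines = []
    for (peer, msgid), n in sorted(reused_message_ids(log_text).items()):
        flag = "REPEATED" if n > 1 else "single"
        lines.append(f"{peer} Message ID {msgid}: {n} complaint(s) [{flag}]")
    lines.append("NAT-T (UDP 4500) peers: " + ", ".join(nat_t_peers(log_text)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

To use it on a real box, feed the IPsec log text (for example the output of the VyOS `show vpn ipsec` log commands or the syslog lines pluto writes) to `report()` instead of `SAMPLE_LOG`; a peer whose same Message ID keeps repeating while it sits on port 4500 is the pattern to look at first, since it separates a genuinely retransmitted packet from a NAT device that is rewriting or replaying the exchange.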
Is that L2TP client coming in on the vti tunnel? (assuming 192.168.1.25 is the IP address of the L2TP VPN client)
Hi @16again, 192.168.1.25 is the natted address of 174.16.180.201 (whatever random public address it got from Comcast). 173.x.x.118 is the address of the ethernet port for the router. vti1 is also on that address, which serves a separate point-to-point VPN.
Do you think that the vti might be intercepting the traffic that is intended for the L2TP? I wonder if it might help to create a separate IP address that is just for the L2TP?