"no IKE config found for xxx sending NO_PROPOSAL_CHOSEN" error when trying to create L2TP/IPsec connection

The configuration is as follows:
vyos@vyos-l2tp:~$ show configuration commands | match vpn | strip-private
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-networks allowed-network xxx.xxx.0.0/0
set vpn ipsec nat-traversal 'enable'
set vpn l2tp remote-access authentication local-users username xxxxxx password xxxxxx
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access client-ip-pool start 'xxx.xxx.30.200'
set vpn l2tp remote-access client-ip-pool stop 'xxx.xxx.30.205'
set vpn l2tp remote-access dns-servers server-1 'xxx.xxx.8.8'
set vpn l2tp remote-access dns-servers server-2 'xxx.xxx.4.4'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret xxxxxx
set vpn l2tp remote-access outside-address 'xxx.xxx.52.220'

When I connect from iOS or Windows 10, the same log messages as follows are shown and the tunnel is never created.
06[NET] received packet: from xxx.xxx.196.99[51092] to xxx.xxx.30.211[500] (788 bytes)
06[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
06[IKE] no IKE config found for xxx.xxx.30.211...xxx.xxx.196.99, sending NO_PROPOSAL_CHOSEN
06[ENC] generating INFORMATIONAL_V1 request 2983860109 [ N(NO_PROP) ]
06[NET] sending packet: from xxx.xxx.30.211[500] to xxx.xxx.196.99[51092] (40 bytes)
Is there anything wrong with my configuration?
I found that ipsec.service was not running and I cannot start it; is that the reason?
vyos@vyos-l2tp:~$ systemctl status ipsec.service
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
Loaded: loaded (/lib/systemd/system/strongswan.service; enabled)
Active: inactive (dead) since Mon 2021-08-09 01:37:28 JST; 4s ago
Process: 4753 ExecStart=/usr/sbin/ipsec start --nofork (code=exited, status=0/SUCCESS)
Main PID: 4753 (code=exited, status=0/SUCCESS)

Which version do you use?

Hi @Scott64268989 .
Quick lab shown below (with other config). There you can see ipsec running on a router, and the output of "systemctl status ipsec.service" is the same as yours.
What version are you using?

vyos@RAA-133# run show vpn ipsec sa
Connection               State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-----------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
peer-192.0.2.2-tunnel-1  up       5h4m3s    0B/0B           0/0               192.0.2.2         N/A          AES_CBC_128/HMAC_SHA1_96/MODP_1024
[edit]
vyos@RAA-133# sudo systemctl status ipsec.service
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan.service; disabled; vendor preset: enabled)
   Active: inactive (dead)

Hi @n.fort @Viacheslav, thank you for the reply; here's the show ver:
Version: VyOS 1.2.5
Release Train: crux
Built by: vyos_bld@e52af994e6b3
Built on: Wed 08 Jul 2020 05:23 UTC
Build UUID: 52993e0f-2cc7-45df-9156-581268d661b9
Build Commit ID: 2a03e6c8ee5e07
Architecture: x86_64
Boot via: installed image
System type: KVM guest
Hardware vendor: Red Hat
Hardware model: OpenStack Compute

Hello @Scott64268989, do you have any chance to update your 1.2.5 to 1.2.8?
Also, please show the output of the following command so we can check in more depth what happens:

sudo swanctl -l

Also, it would be helpful to get a more detailed log; try to increase the log detail.

Hi @Dmitry, thank you for the information.
There is no output from that command; I'm not sure if strongSwan is configured correctly.
I will try to upgrade the version and will update if I find anything new.
BTW, below is the log after I configured L2TP; could you find anything wrong?

Aug  8 22:17:49 vyos-l2tp sudo:     vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/usr/libexec/vyos/conf_mode/ipsec-settings.py
Aug  8 22:17:49 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by vyos(uid=0)
Aug  8 22:17:49 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug  8 22:17:49 vyos-l2tp sudo:     vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/opt/vyatta/sbin/vyatta-vti-config.pl
Aug  8 22:17:49 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by vyos(uid=0)
Aug  8 22:17:49 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug  8 22:17:49 vyos-l2tp sudo:     vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/opt/vyatta/sbin/vpn-config.pl --config_file=/etc/ipsec.conf --secrets_file=/etc/ipsec.secrets --init_script=/etc/init.d/ipsec
Aug  8 22:17:49 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by vyos(uid=0)
Aug  8 22:17:49 vyos-l2tp ipsec_starter[3329]: Starting strongSwan 5.7.2 IPsec [starter]...
Aug  8 22:17:49 vyos-l2tp ipsec_starter[3329]: # deprecated keyword 'nat_traversal' in config setup
Aug  8 22:17:49 vyos-l2tp ipsec_starter[3329]: # deprecated keyword 'virtual_private' in config setup
Aug  8 22:17:49 vyos-l2tp ipsec_starter[3329]: ### 2 parsing errors (0 fatal) ###
Aug  8 22:17:49 vyos-l2tp kernel: [ 3770.037965] NET: Registered protocol family 15
Aug  8 22:17:49 vyos-l2tp kernel: [ 3770.065447] Initializing XFRM netlink socket
Aug  8 22:17:49 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug  8 22:17:49 vyos-l2tp sudo:     vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/opt/vyatta/sbin/dmvpn-config.pl --config_file=/etc/swanctl/swanctl.conf --init_script=/etc/init.d/ipsec
Aug  8 22:17:49 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by vyos(uid=0)
Aug  8 22:17:49 vyos-l2tp charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.114-amd64-vyos, x86_64)
Aug  8 22:17:49 vyos-l2tp charon: 00[CFG] PKCS11 module '<name>' lacks library path
Aug  8 22:17:49 vyos-l2tp charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug  8 22:17:49 vyos-l2tp charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug  8 22:17:49 vyos-l2tp charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug  8 22:17:49 vyos-l2tp charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Aug  8 22:17:49 vyos-l2tp charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug  8 22:17:49 vyos-l2tp charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Aug  8 22:17:49 vyos-l2tp charon: 00[CFG] loaded 0 RADIUS server configurations
Aug  8 22:17:49 vyos-l2tp charon: 00[CFG] HA config misses local/remote address
Aug  8 22:17:49 vyos-l2tp charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Aug  8 22:17:49 vyos-l2tp charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Aug  8 22:17:49 vyos-l2tp charon: 00[JOB] spawning 16 worker threads
Aug  8 22:17:49 vyos-l2tp ipsec_starter[3339]: charon (3341) started after 200 ms
Aug  8 22:17:49 vyos-l2tp charon: 05[CFG] rereading secrets
Aug  8 22:17:49 vyos-l2tp charon: 05[CFG] loading secrets from '/etc/ipsec.secrets'
Aug  8 22:17:49 vyos-l2tp charon: 05[CFG] rereading ca certificates from '/etc/ipsec.d/cacerts'
Aug  8 22:17:49 vyos-l2tp charon: 05[CFG] rereading aa certificates from '/etc/ipsec.d/aacerts'
Aug  8 22:17:49 vyos-l2tp charon: 05[CFG] rereading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug  8 22:17:49 vyos-l2tp charon: 05[CFG] rereading attribute certificates from '/etc/ipsec.d/acerts'
Aug  8 22:17:49 vyos-l2tp charon: 05[CFG] rereading crls from '/etc/ipsec.d/crls'
Aug  8 22:17:49 vyos-l2tp ipsec_starter[3339]: # deprecated keyword 'nat_traversal' in config setup
Aug  8 22:17:49 vyos-l2tp ipsec_starter[3339]: # deprecated keyword 'virtual_private' in config setup
Aug  8 22:17:49 vyos-l2tp ipsec_starter[3339]: ### 2 parsing errors (0 fatal) ###
Aug  8 22:17:49 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug  8 22:17:49 vyos-l2tp sudo:     vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/opt/vyatta/sbin/vyos-update-nhrp.pl --set_ipsec
Aug  8 22:17:49 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by vyos(uid=0)
Aug  8 22:17:50 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug  8 22:17:50 vyos-l2tp sudo:     vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/opt/vyatta/sbin/vyatta-update-l2tp.pl
Aug  8 22:17:50 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by vyos(uid=0)
Aug  8 22:17:50 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug  8 22:17:50 vyos-l2tp sudo:     vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/opt/vyatta/sbin/vyatta-update-pptp.pl
Aug  8 22:17:50 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by vyos(uid=0)
Aug  8 22:17:50 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug  8 22:17:50 vyos-l2tp sudo:     vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/bin/mv /tmp/config.boot.3417 /opt/vyatta/etc/config/archive/config.boot
Aug  8 22:17:50 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by vyos(uid=0)
Aug  8 22:17:50 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug  8 22:17:50 vyos-l2tp sudo:     vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/usr/sbin/logrotate -f -s /opt/vyatta/etc/config/archive/lr.state /opt/vyatta/etc/config/archive/lr.conf
Aug  8 22:17:50 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by vyos(uid=0)
Aug  8 22:17:50 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug  8 22:17:50 vyos-l2tp commit: Successful change to active configuration by user vyos on /dev/pts/0
Aug  8 22:17:52 vyos-l2tp sudo:     vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/usr/bin/sg vyattacfg umask 0002 ; /opt/vyatta/sbin/vyatta-save-config.pl
Aug  8 22:17:52 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by vyos(uid=0)
Aug  8 22:17:52 vyos-l2tp sg[3434]: user 'root' (login 'vyos' on pts/0) switched to group 'vyattacfg'
Aug  8 22:17:52 vyos-l2tp sg[3434]: user 'root' (login 'vyos' on pts/0) returned to group 'root'
Aug  8 22:17:52 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug  8 22:17:53 vyos-l2tp newgrp[2078]: user 'vyos' (login 'vyos' on pts/0) returned to group 'users'

@Scott64268989 : the output of “sudo swanctl -l” is empty, because you have no active ike sas.

-l, --list-sas
list currently active IKE_SAs

You can list loaded configuration in StrongSwan using “sudo swanctl -L”

Options for the swanctl command can be found here: swanctl(8) — strongswan-swanctl — Debian testing — Debian Manpages

Hi all,
I upgraded to 1.2.8 and rebooted; unfortunately it is the same as before when I connect to the server via L2TP.
"sudo swanctl -L" and "sudo swanctl -l" are both empty.
Here's the syslog after the reboot; could you give me some advice?

Aug 10 08:27:34 vyos-l2tp systemd[1]: Stopping System Logging Service...
Aug 10 08:27:34 vyos-l2tp systemd[1]: Starting System Logging Service...
Aug 10 08:27:34 vyos-l2tp systemd[1]: Failed to reset devices.list on /system.slice: Invalid argument
Aug 10 08:27:34 vyos-l2tp systemd[1]: Started System Logging Service.
Aug 10 08:27:38 vyos-l2tp dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 6
Aug 10 08:27:38 vyos-l2tp dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
Aug 10 08:27:38 vyos-l2tp dhclient: DHCPOFFER from 192.168.0.1
Aug 10 08:27:38 vyos-l2tp dhclient: DHCPACK from 192.168.0.1
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Received a configuration change request
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Request data: {"data": {"host_name": null, "search_domains": ["openstacklocal"], "domain_name": null}, "op": "set", "type": "host_name"}
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Writing /etc/resolv.conf
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Writing /etc/hosts
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Saving state to /var/lib/vyos/hostsd.state
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Sent response: {'data': None}
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Received a configuration change request
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Request data: {"op": "set", "data": {"search_domains": [], "domain_name": "", "host_name": "vyos-l2tp"}, "type": "host_name"}
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Writing /etc/resolv.conf
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Writing /etc/hosts
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Saving state to /var/lib/vyos/hostsd.state
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Sent response: {'data': None}
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Received a configuration change request
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Request data: {"op": "delete", "tag": "static", "type": "name_servers"}
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Writing /etc/resolv.conf
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Writing /etc/hosts
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Saving state to /var/lib/vyos/hostsd.state
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Sent response: {'data': None}
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Received a configuration change request
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Request data: {"op": "add", "tag": "static", "data": [], "type": "name_servers"}
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Writing /etc/resolv.conf
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Writing /etc/hosts
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Saving state to /var/lib/vyos/hostsd.state
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Sent response: {'data': None}
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Received a configuration change request
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Request data: {"op": "delete", "tag": "static", "type": "hosts"}
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Writing /etc/resolv.conf
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Writing /etc/hosts
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Saving state to /var/lib/vyos/hostsd.state
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Sent response: {'data': None}
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Received a configuration change request
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Request data: {"op": "add", "tag": "static", "data": [], "type": "hosts"}
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Writing /etc/resolv.conf
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Writing /etc/hosts
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Saving state to /var/lib/vyos/hostsd.state
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Sent response: {'data': None}
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Received a configuration change request
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Request data: {"type": "name_servers", "op": "delete", "tag": "dhcp-eth0"}
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Writing /etc/resolv.conf
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Writing /etc/hosts
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Saving state to /var/lib/vyos/hostsd.state
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Sent response: {'data': None}
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Received a configuration change request
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Request data: {"tag": "dhcp-eth0", "type": "name_servers", "data": ["8.8.8.8", "8.8.4.4"], "op": "add"}
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Writing /etc/resolv.conf
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Writing /etc/hosts
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Saving state to /var/lib/vyos/hostsd.state
Aug 10 08:27:38 vyos-l2tp vyos-hostsd[698]: Sent response: {'data': None}
Aug 10 08:27:39 vyos-l2tp dhclient: bound to 192.168.0.14 -- renewal in 43095 seconds.
Aug 10 08:27:39 vyos-l2tp rsyslogd: [origin software="rsyslogd" swVersion="8.4.2" x-pid="1870" x-info="http://www.rsyslog.com"] start
Aug 10 08:27:39 vyos-l2tp systemd[1]: Stopping System Logging Service...
Aug 10 08:27:39 vyos-l2tp systemd[1]: Starting System Logging Service...
Aug 10 08:27:39 vyos-l2tp systemd[1]: Started System Logging Service.
Aug 10 08:27:39 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug 10 08:27:39 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug 10 08:27:39 vyos-l2tp sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/opt/vyatta/sbin/vyatta-config-mgmt.pl --action=update-revs --revs=100
Aug 10 08:27:39 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 10 08:27:39 vyos-l2tp sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 644 /opt/vyatta/etc/config/archive/lr.conf
Aug 10 08:27:39 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 10 08:27:39 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug 10 08:27:39 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug 10 08:27:39 vyos-l2tp sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/sh -c /usr/libexec/vyos/conf_mode/ntp.py
Aug 10 08:27:39 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 10 08:27:39 vyos-l2tp sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/systemctl restart ntp.service
Aug 10 08:27:39 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 10 08:27:39 vyos-l2tp systemd[1]: Starting LSB: Start NTP daemon...
Aug 10 08:27:39 vyos-l2tp ntpd[1908]: ntpd 4.2.6p5@1.2349-o Tue May  5 09:53:03 UTC 2020 (1)
Aug 10 08:27:39 vyos-l2tp ntp[1899]: Starting NTP server: ntpd.
Aug 10 08:27:39 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug 10 08:27:39 vyos-l2tp systemd[1]: Started LSB: Start NTP daemon.
Aug 10 08:27:39 vyos-l2tp ntpd[1909]: proto: precision = 0.123 usec
Aug 10 08:27:39 vyos-l2tp ntpd[1909]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Aug 10 08:27:39 vyos-l2tp ntpd[1909]: Listen and drop on 1 v6wildcard :: UDP 123
Aug 10 08:27:39 vyos-l2tp ntpd[1909]: Listen normally on 2 lo 127.0.0.1 UDP 123
Aug 10 08:27:39 vyos-l2tp ntpd[1909]: Listen normally on 3 eth0 192.168.0.14 UDP 123
Aug 10 08:27:39 vyos-l2tp ntpd[1909]: peers refreshed
Aug 10 08:27:39 vyos-l2tp ntpd[1909]: Listening on routing socket on fd #20 for interface updates
Aug 10 08:27:39 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug 10 08:27:39 vyos-l2tp sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/opt/vyatta/sbin/vyatta-banner.pl --action=update --banner-type=post-login
Aug 10 08:27:39 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 10 08:27:39 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug 10 08:27:39 vyos-l2tp sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/opt/vyatta/sbin/vyatta_update_login.pl
Aug 10 08:27:39 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 10 08:27:40 vyos-l2tp useradd[1917]: new user: name=vyos, UID=1003, GID=100, home=/home/vyos, shell=/bin/vbash
Aug 10 08:27:40 vyos-l2tp useradd[1917]: add 'vyos' to group 'adm'
Aug 10 08:27:40 vyos-l2tp useradd[1917]: add 'vyos' to group 'disk'
Aug 10 08:27:40 vyos-l2tp useradd[1917]: add 'vyos' to group 'sudo'
Aug 10 08:27:40 vyos-l2tp useradd[1917]: add 'vyos' to group 'dip'
Aug 10 08:27:40 vyos-l2tp useradd[1917]: add 'vyos' to group 'vyattacfg'
Aug 10 08:27:40 vyos-l2tp useradd[1917]: add 'vyos' to group 'frrvty'
Aug 10 08:27:40 vyos-l2tp useradd[1917]: add 'vyos' to shadow group 'adm'
Aug 10 08:27:40 vyos-l2tp useradd[1917]: add 'vyos' to shadow group 'disk'
Aug 10 08:27:40 vyos-l2tp useradd[1917]: add 'vyos' to shadow group 'sudo'
Aug 10 08:27:40 vyos-l2tp useradd[1917]: add 'vyos' to shadow group 'dip'
Aug 10 08:27:40 vyos-l2tp useradd[1917]: add 'vyos' to shadow group 'vyattacfg'
Aug 10 08:27:40 vyos-l2tp useradd[1917]: add 'vyos' to shadow group 'frrvty'
Aug 10 08:27:40 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug 10 08:27:40 vyos-l2tp sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/sh -c /usr/libexec/vyos/conf_mode/ssh.py
Aug 10 08:27:40 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 10 08:27:40 vyos-l2tp sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/systemctl restart ssh.service
Aug 10 08:27:40 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 10 08:27:40 vyos-l2tp systemd[1]: Starting OpenBSD Secure Shell server...
Aug 10 08:27:40 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug 10 08:27:40 vyos-l2tp systemd[1]: Started OpenBSD Secure Shell server.
Aug 10 08:27:40 vyos-l2tp sshd[1941]: Server listening on 0.0.0.0 port 22.
Aug 10 08:27:40 vyos-l2tp sshd[1941]: Server listening on :: port 22.
Aug 10 08:27:40 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug 10 08:27:40 vyos-l2tp sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces update eth0 in OUTSIDE-IN firewall name
Aug 10 08:27:40 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 10 08:27:40 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug 10 08:27:40 vyos-l2tp sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces update eth0 local FROM-PUBLIC-NETWORK firewall name
Aug 10 08:27:40 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 10 08:27:40 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug 10 08:27:40 vyos-l2tp sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/libexec/vyos/conf_mode/ipsec-settings.py
Aug 10 08:27:40 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 10 08:27:40 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug 10 08:27:40 vyos-l2tp sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/opt/vyatta/sbin/vyatta-vti-config.pl
Aug 10 08:27:40 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 10 08:27:40 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug 10 08:27:40 vyos-l2tp sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/opt/vyatta/sbin/vpn-config.pl --config_file=/etc/ipsec.conf --secrets_file=/etc/ipsec.secrets --init_script=/etc/init.d/ipsec
Aug 10 08:27:40 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 10 08:27:40 vyos-l2tp ipsec_starter[1977]: Starting strongSwan 5.7.2 IPsec [starter]...
Aug 10 08:27:40 vyos-l2tp ipsec_starter[1977]: # deprecated keyword 'nat_traversal' in config setup
Aug 10 08:27:40 vyos-l2tp ipsec_starter[1977]: # deprecated keyword 'virtual_private' in config setup
Aug 10 08:27:40 vyos-l2tp ipsec_starter[1977]: ### 2 parsing errors (0 fatal) ###
Aug 10 08:27:40 vyos-l2tp kernel: [   28.304765] NET: Registered protocol family 15
Aug 10 08:27:41 vyos-l2tp kernel: [   28.330755] Initializing XFRM netlink socket
Aug 10 08:27:41 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug 10 08:27:41 vyos-l2tp sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/opt/vyatta/sbin/dmvpn-config.pl --config_file=/etc/swanctl/swanctl.conf --init_script=/etc/init.d/ipsec
Aug 10 08:27:41 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 10 08:27:41 vyos-l2tp charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.195-amd64-vyos, x86_64)
Aug 10 08:27:41 vyos-l2tp charon: 00[CFG] PKCS11 module '<name>' lacks library path
Aug 10 08:27:41 vyos-l2tp ipsec_starter[1992]: Starting strongSwan 5.7.2 IPsec [starter]...
Aug 10 08:27:41 vyos-l2tp ipsec_starter[1992]: # deprecated keyword 'nat_traversal' in config setup
Aug 10 08:27:41 vyos-l2tp ipsec_starter[1992]: # deprecated keyword 'virtual_private' in config setup
Aug 10 08:27:41 vyos-l2tp ipsec_starter[1992]: ### 2 parsing errors (0 fatal) ###
Aug 10 08:27:41 vyos-l2tp ipsec_starter[1992]: starter is already running (/var/run/starter.charon.pid exists) -- no fork done
Aug 10 08:27:41 vyos-l2tp kernel: [   28.637321] NET: Registered protocol family 38
Aug 10 08:27:41 vyos-l2tp kernel: [   28.689820] alg: No test for xcbc(camellia) (xcbc(camellia-asm))
Aug 10 08:27:41 vyos-l2tp kernel: [   28.719433] alg: No test for rfc3686(ctr(camellia)) (rfc3686(ctr-camellia-aesni-avx2))
Aug 10 08:27:41 vyos-l2tp charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug 10 08:27:41 vyos-l2tp charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug 10 08:27:41 vyos-l2tp charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug 10 08:27:41 vyos-l2tp charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Aug 10 08:27:41 vyos-l2tp charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug 10 08:27:41 vyos-l2tp charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Aug 10 08:27:41 vyos-l2tp charon: 00[CFG] loaded 0 RADIUS server configurations
Aug 10 08:27:41 vyos-l2tp charon: 00[CFG] HA config misses local/remote address
Aug 10 08:27:41 vyos-l2tp charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Aug 10 08:27:41 vyos-l2tp charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Aug 10 08:27:41 vyos-l2tp charon: 00[JOB] spawning 16 worker threads
Aug 10 08:27:41 vyos-l2tp ipsec_starter[1987]: charon (1989) started after 600 ms
Aug 10 08:27:42 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug 10 08:27:42 vyos-l2tp sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/opt/vyatta/sbin/vyos-update-nhrp.pl --set_ipsec
Aug 10 08:27:42 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 10 08:27:42 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug 10 08:27:42 vyos-l2tp sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/opt/vyatta/sbin/vyatta-update-l2tp.pl
Aug 10 08:27:42 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 10 08:27:42 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug 10 08:27:42 vyos-l2tp sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/opt/vyatta/sbin/vyatta-update-pptp.pl
Aug 10 08:27:42 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 10 08:27:42 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug 10 08:27:42 vyos-l2tp sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/mv /tmp/config.boot.2336 /opt/vyatta/etc/config/archive/config.boot
Aug 10 08:27:42 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 10 08:27:42 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug 10 08:27:42 vyos-l2tp sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/logrotate -f -s /opt/vyatta/etc/config/archive/lr.state /opt/vyatta/etc/config/archive/lr.conf
Aug 10 08:27:42 vyos-l2tp sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 10 08:27:42 vyos-l2tp sudo: pam_unix(sudo:session): session closed for user root
Aug 10 08:27:42 vyos-l2tp commit: Successful change to active configuration by user root on unknown
Aug 10 08:27:43 vyos-l2tp sg[1305]: user 'root' (login '???' on ???) returned to group 'root'
Aug 10 08:27:43 vyos-l2tp vyos-router[921]: Starting VyOS router: migrate rl-system firewall configure.
Aug 10 08:27:43 vyos-l2tp systemd[1]: Reloading.
Aug 10 08:27:43 vyos-l2tp systemd[1]: squid.service: Supervising process 1073 which is not our child. We'll most likely not notice when it exits.
Aug 10 08:27:43 vyos-l2tp systemd[1]: Started ACPI event daemon.
Aug 10 08:27:43 vyos-l2tp systemd[1]: Listening on ACPID Listen Socket.
Aug 10 08:27:43 vyos-l2tp systemd[1]: Mounted /.
Aug 10 08:27:43 vyos-l2tp vyos-config[988]: Configuration success
Aug 10 08:27:43 vyos-l2tp systemd[1]: Failed to reset devices.list on /system.slice: Invalid argument
Aug 10 08:27:45 vyos-l2tp systemd[1]: Time has been changed
...
Aug 10 08:32:35 vyos-l2tp charon: 13[NET] <1> received packet: from 175.177.45.131[39105] to 192.168.0.14[500] (788 bytes)
Aug 10 08:32:35 vyos-l2tp charon: 13[ENC] <1> parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Aug 10 08:32:35 vyos-l2tp charon: 13[IKE] <1> no IKE config found for 192.168.0.14...175.177.45.131, sending NO_PROPOSAL_CHOSEN
Aug 10 08:32:35 vyos-l2tp charon: 13[ENC] <1> generating INFORMATIONAL_V1 request 1125657931 [ N(NO_PROP) ]
Aug 10 08:32:35 vyos-l2tp charon: 13[NET] <1> sending packet: from 192.168.0.14[500] to 175.177.45.131[39105] (40 bytes)
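charon looks up an IKE config by the address pair it received the first IKEv1 packet on, which is what the "no IKE config found for <local>...<remote>" line reports. The script below is an added example, not code from the thread or from VyOS: it pulls that address pair out of charon log lines (bare or syslog-wrapped, ASCII dots or the forum's ellipsis) and compares the local side against the `outside-address` in the pasted `set vpn l2tp remote-access` command, flagging the case where the connection is bound to an address charon is not seeing. All addresses in the sample input are constructed from RFC 5737 documentation ranges.

```python
"""Cross-check charon's "no IKE config found" message against the VyOS
L2TP outside-address. Added example, not from the thread or from VyOS."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Matches bare charon output ("06[IKE] no IKE config found for A...B") and
# syslog-wrapped output ("charon: 13[IKE] <1> no IKE config found for A...B").
# The separator may be three ASCII dots or a Unicode ellipsis (forum rendering).
NO_CONFIG_RE = re.compile(
    rf"\[IKE\]\s+(?:<\d+>\s+)?no IKE config found for "
    rf"(?P<local>{IPV4})(?:\.\.\.|\u2026)(?P<remote>{IPV4})"
)

# The VyOS command may be pasted with straight or curly quotes around the value.
OUTSIDE_RE = re.compile(
    rf"set vpn l2tp remote-access outside-address\s+['\"\u2018\u2019]?(?P<addr>{IPV4})"
)


@dataclass
class Finding:
    local: str                      # address charon received the IKE packet on
    remote: str                     # peer that sent it
    outside_address: Optional[str]  # configured L2TP outside-address, if any

    @property
    def mismatch(self) -> bool:
        """True when the L2TP connection is bound to a different address than the log shows."""
        return self.outside_address is not None and self.outside_address != self.local

    def describe(self) -> str:
        if self.outside_address is None:
            return f"peer {self.remote}: no outside-address found in the config"
        if self.mismatch:
            return (f"peer {self.remote}: IKE arrived on {self.local} but outside-address "
                    f"is {self.outside_address}; no connection can match")
        return (f"peer {self.remote}: IKE arrived on the configured outside-address "
                f"{self.local}; check the connection's other selectors instead")


def parse_no_config(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Extract (local, remote) from every 'no IKE config found' line."""
    pairs = []
    for line in log_lines:
        m = NO_CONFIG_RE.search(line)
        if m:
            pairs.append((m.group("local"), m.group("remote")))
    return pairs


def parse_outside_address(config_lines: Iterable[str]) -> Optional[str]:
    """Return the L2TP outside-address from 'show configuration commands' output."""
    for line in config_lines:
        m = OUTSIDE_RE.search(line)
        if m:
            return m.group("addr")
    return None


def check(log_lines: Iterable[str], config_lines: Iterable[str]) -> List[Finding]:
    """One Finding per 'no IKE config found' line, compared to the config."""
    outside = parse_outside_address(config_lines)
    return [Finding(local, remote, outside) for local, remote in parse_no_config(log_lines)]


# Constructed sample input (documentation addresses) modelled on the thread's
# log: a bare charon line with an ellipsis, a syslog-wrapped line with dots,
# and an unrelated NET line that must be ignored.
SAMPLE_LOG = [
    "06[IKE] no IKE config found for 192.0.2.14\u2026198.51.100.9, sending NO_PROPOSAL_CHOSEN",
    "Aug 10 08:32:35 vyos-l2tp charon: 13[NET] <1> received packet: from 198.51.100.9[39105] to 192.0.2.14[500] (788 bytes)",
    "Aug 10 08:32:35 vyos-l2tp charon: 13[IKE] <1> no IKE config found for 192.0.2.14...198.51.100.9, sending NO_PROPOSAL_CHOSEN",
]
SAMPLE_CONFIG = [
    "set vpn ipsec ipsec-interfaces interface 'eth0'",
    "set vpn l2tp remote-access outside-address \u2018203.0.113.220\u2019",
]

if __name__ == "__main__":
    for finding in check(SAMPLE_LOG, SAMPLE_CONFIG):
        print(finding.describe())
```

Feed it the real `show configuration commands | match vpn` output and the charon lines from `show log`; a mismatch means the connection's local address is not the one the IKE packet reached, which is a different problem from a proposal mismatch.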

Do you have l2tp + site-to-site connection from the same external remote ip address at the same time?

Hi @Viacheslav, I haven't tried a site-to-site configuration; it's a fresh VyOS install on a fresh CentOS with the L2TP config only. The global IP is also newly applied.

IKE Settings between client and router mismatch

Hi @Viacheslav, I'm using iOS and Windows 10 as clients and both gave me the same results; do you have any idea how I can correct this mismatch?

Are L2TP and site-to-site mutually exclusive?

As I remember, yes, they are, but I need to recheck it.
It definitely has issues with DMVPN + l2tp T3844