Hi,
I’m trying to set up VyOS on AWS as a VPN server for L2TP/IPsec clients (Windows / iOS) and for an IPsec-only connection for my EdgeRouter.
I followed the manual and various tutorials on the internet for the few commands necessary to set up the L2TP/IPsec part. But when trying to connect from a Windows or iOS client, I get the following:
Dec 13 03:26:28 VyOS-AMI pluto[2615]: packet from 444.333.222.111:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Dec 13 03:26:28 VyOS-AMI pluto[2615]: packet from 444.333.222.111:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Dec 13 03:26:28 VyOS-AMI pluto[2615]: packet from 444.333.222.111:500: received Vendor ID payload [RFC 3947]
Dec 13 03:26:28 VyOS-AMI pluto[2615]: packet from 444.333.222.111:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Dec 13 03:26:28 VyOS-AMI pluto[2615]: packet from 444.333.222.111:500: ignoring Vendor ID payload [FRAGMENTATION]
Dec 13 03:26:28 VyOS-AMI pluto[2615]: packet from 444.333.222.111:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Dec 13 03:26:28 VyOS-AMI pluto[2615]: packet from 444.333.222.111:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Dec 13 03:26:28 VyOS-AMI pluto[2615]: packet from 444.333.222.111:500: ignoring Vendor ID payload [IKE CGA version 1]
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[1] 444.333.222.111 #1: responding to Main Mode from unknown peer 444.333.222.111
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[1] 444.333.222.111 #1: Oakley Transform [AES_CBC (256), HMAC_SHA1, ECP_384] refused due to strict flag
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[1] 444.333.222.111 #1: Oakley Transform [AES_CBC (128), HMAC_SHA1, ECP_256] refused due to strict flag
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[1] 444.333.222.111 #1: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP_2048] refused due to strict flag
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[1] 444.333.222.111 #1: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP_2048] refused due to strict flag
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[1] 444.333.222.111 #1: NAT-Traversal: Result using RFC 3947: both are NATed
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[1] 444.333.222.111 #1: Peer ID is ID_IPV4_ADDR: '192.168.1.101'
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111 #1: deleting connection "remote-access-mac-zzz" instance with peer 444.333.222.111 {isakmp=#0/ipsec=#0}
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: sent MR3, ISAKMP SA established
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: cannot respond to IPsec SA request because no connection is known for 111.222.333.444/32===172.29.32.13:4500[172.29.32.13]:17/1701...444.333.222.111:4500[192.168.1.101]:17/%any===192.168.1.101/32
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 444.333.222.111:4500
Dec 13 03:26:29 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Dec 13 03:26:29 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 444.333.222.111:4500
Dec 13 03:26:30 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Dec 13 03:26:30 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 444.333.222.111:4500
Dec 13 03:26:33 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Dec 13 03:26:33 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 444.333.222.111:4500
Dec 13 03:26:40 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Dec 13 03:26:40 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 444.333.222.111:4500
Dec 13 03:26:55 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Dec 13 03:26:55 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 444.333.222.111:4500
Dec 13 03:27:10 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Dec 13 03:27:10 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 444.333.222.111:4500
Dec 13 03:27:25 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: received Delete SA payload: deleting ISAKMP State #1
Dec 13 03:27:25 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500: deleting connection "remote-access-mac-zzz" instance with peer 444.333.222.111 {isakmp=#0/ipsec=#0}
where 444.333.222.111 would be my public IP at home, and 111.222.333.444 the Elastic (public) IP at AWS.
I tried the Elastic IP as well as the internal AWS IP for “set vpn l2tp remote-access outside-address X.X.X.X”. Same result for both, but I guess I need to use the internal IP.
I already googled the “cannot respond to IPsec SA request because no connection is known” part and can find a lot of information but no solution. Is this issue really still unsolved? Obviously the system does recognize that both ends are NATed. So why does it not work?
Would I have the same problem with the EdgeRouter connection (IPsec only)? Then only the AWS end would be NATed, as the EdgeRouter will be directly connected to the Internet. Didn’t have time to try that yet. Did anybody get such a setup working?
Thanks!
Kind regards,
iBlueDragon
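Added example (not part of the post, and not VyOS or pluto code): a small triage script for the pluto log quoted above. It pulls out the four facts worth reading before anything else: which phase-1 proposals the strict flag refused and whether phase 1 still completed, what NAT-T concluded, what the client asked for in phase 2 ("no connection is known for ..."), and how many times the client retried Quick Mode with the same message ID. The sample lines are copied from the post (the poster had already masked the public IPs), with most of the repeated INVALID_MESSAGE_ID retries trimmed. The decoding of pluto's selector string as `local_client===local_host:port[local_id]:proto/port...remote_host:port[remote_id]:proto/port===remote_client` is my reading of that output, not something the post states.

```python
"""Triage helper for IKEv1 'pluto' logs (Openswan/Libreswan, as used by VyOS 1.1).

Added example for reading the log quoted in the post; it is not VyOS or pluto
code.  SAMPLE_LOG is copied from the post (public IPs already masked by the
poster) with most INVALID_MESSAGE_ID retries trimmed.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[1] 444.333.222.111 #1: Oakley Transform [AES_CBC (256), HMAC_SHA1, ECP_384] refused due to strict flag
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[1] 444.333.222.111 #1: Oakley Transform [AES_CBC (128), HMAC_SHA1, ECP_256] refused due to strict flag
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[1] 444.333.222.111 #1: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP_2048] refused due to strict flag
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[1] 444.333.222.111 #1: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP_2048] refused due to strict flag
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[1] 444.333.222.111 #1: NAT-Traversal: Result using RFC 3947: both are NATed
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[1] 444.333.222.111 #1: Peer ID is ID_IPV4_ADDR: '192.168.1.101'
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: sent MR3, ISAKMP SA established
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: cannot respond to IPsec SA request because no connection is known for 111.222.333.444/32===172.29.32.13:4500[172.29.32.13]:17/1701...444.333.222.111:4500[192.168.1.101]:17/%any===192.168.1.101/32
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 444.333.222.111:4500
Dec 13 03:26:29 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Dec 13 03:26:29 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 444.333.222.111:4500
Dec 13 03:26:30 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 444.333.222.111:4500
Dec 13 03:27:25 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: received Delete SA payload: deleting ISAKMP State #1
""".splitlines()

STRICT_RE = re.compile(r"Oakley Transform \[([^,\]]+), ([^,\]]+), ([^\]]+)\] refused due to strict flag")
NAT_RE = re.compile(r"NAT-Traversal: Result using (.+?): (.+)$")
PEER_ID_RE = re.compile(r"Peer ID is (\w+): '([^']+)'")
NO_CONN_RE = re.compile(r"no connection is known for (\S+)")
NOTIFY_RE = re.compile(r"sending encrypted notification ([A-Z_]+) to")
# Assumed layout of pluto's selector string (my reading of its output):
#   local_client===local_host:port[local_id]:proto/port...remote_host:port[remote_id]:proto/port===remote_client
SEL_RE = re.compile(
    r"^([^=]+)===([^:]+):(\d+)\[([^\]]*)\]:(\d+)/([^.]+)"
    r"\.\.\."
    r"([^:]+):(\d+)\[([^\]]*)\]:(\d+)/([^=]+)===(.+)$"
)


def _side(client, host, port, ident, proto, l4port):
    return {"client": client, "host": host, "port": int(port),
            "id": ident, "proto": int(proto), "l4port": l4port}


def parse_selector(text):
    """Split pluto's '...' selector string into its local and remote halves; None if unparseable."""
    m = SEL_RE.match(text)
    if not m:
        return None
    g = m.groups()
    return {"local": _side(*g[0:6]),
            "remote": _side(g[11], g[6], g[7], g[8], g[9], g[10])}


def triage(lines):
    """Extract the handshake facts a practitioner looks for first."""
    report = {"refused_transforms": [], "nat_result": None, "peer_id": None,
              "phase1_established": False, "selector": None, "notifications": Counter()}
    for line in lines:
        m = STRICT_RE.search(line)
        if m:
            report["refused_transforms"].append(m.groups())   # (enc, integ, dh group)
            continue
        m = NAT_RE.search(line)
        if m:
            report["nat_result"] = m.group(2)
            continue
        m = PEER_ID_RE.search(line)
        if m:
            report["peer_id"] = m.group(2)
            continue
        if "ISAKMP SA established" in line:
            report["phase1_established"] = True
            continue
        m = NO_CONN_RE.search(line)
        if m:
            report["selector"] = parse_selector(m.group(1))
            continue
        m = NOTIFY_RE.search(line)
        if m:
            report["notifications"][m.group(1)] += 1
    return report


def explain(report):
    """Turn the extracted facts into plain-language findings."""
    findings = []
    refused = report["refused_transforms"]
    if refused:
        findings.append("%d phase-1 proposals refused by the strict flag (%s); phase 1 %s"
                        % (len(refused), ", ".join("/".join(t) for t in refused),
                           "still completed" if report["phase1_established"] else "did not complete"))
    if report["nat_result"]:
        findings.append("NAT-T detection: " + report["nat_result"])
    sel = report["selector"]
    if sel:
        local, remote = sel["local"], sel["remote"]
        findings.append("phase-2 request: %s %d/%s <-> %s %d/%s, peer ID %s"
                        % (local["client"], local["proto"], local["l4port"],
                           remote["client"], remote["proto"], remote["l4port"], report["peer_id"]))
        wanted = local["client"].split("/")[0]
        if wanted != local["host"]:
            # The client proposes the address it dialled; the responder only owns its own address.
            findings.append("selector mismatch: the client asked for an SA to %s (the address it dialled) "
                            "but this responder's own address is %s, so no configured connection matched"
                            % (wanted, local["host"]))
    retries = report["notifications"].get("INVALID_MESSAGE_ID", 0)
    if retries:
        findings.append("client retried Quick Mode with the same message ID %d time(s) "
                        "and was answered with INVALID_MESSAGE_ID each time" % retries)
    return findings


if __name__ == "__main__":
    for finding in explain(triage(SAMPLE_LOG)):
        print("-", finding)
```

Run it against the full log (e.g. `journalctl` or `/var/log/auth.log` piped in via `sys.stdin`) rather than the embedded sample to see the real retry count; the interesting output is the selector finding, which makes explicit that the client's phase-2 request names the Elastic IP (111.222.333.444) as the server endpoint while the responder itself only knows 172.29.32.13, which is exactly the situation of a responder sitting behind 1:1 NAT.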