New Member
Posts: 15
Registered: ‎05-16-2013
Kudos: 3
Accepted Solution

L2TP VPN - Multiple connections from same NAT'd location

[ Edited ]

Hi All,

First let me thank everyone for reading and hopefully lending me a hand sorting this out.

I have a working L2TP VPN server running on my ERL. I'm running into an issue trying to have multiple clients connect from a single NAT'd external location. The second connection fails with the following error messages (the first connection is already active when this log is output):

 

Jul 11 14:43:58 Test pluto[986]: packet from xxx.xxx.xxx.xxx:52565: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Jul 11 14:43:58 Test pluto[986]: packet from xxx.xxx.xxx.xxx:52565: received Vendor ID payload [RFC 3947]
Jul 11 14:43:58 Test pluto[986]: packet from xxx.xxx.xxx.xxx:52565: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 11 14:43:58 Test pluto[986]: packet from xxx.xxx.xxx.xxx:52565: ignoring Vendor ID payload [FRAGMENTATION]
Jul 11 14:43:58 Test pluto[986]: packet from xxx.xxx.xxx.xxx:52565: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jul 11 14:43:58 Test pluto[986]: packet from xxx.xxx.xxx.xxx:52565: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 11 14:43:58 Test pluto[986]: packet from xxx.xxx.xxx.xxx:52565: ignoring Vendor ID payload [IKE CGA version 1]
Jul 11 14:43:58 Test pluto[986]: "remote-access-mac-zzz"[21] xxx.xxx.xxx.xxx:52565 #21: responding to Main Mode from unknown peer xxx.xxx.xxx.xxx:52565
Jul 11 14:43:58 Test pluto[986]: "remote-access-mac-zzz"[21] xxx.xxx.xxx.xxx:52565 #21: Oakley Transform [AES_CBC (256), HMAC_SHA1, ECP_384] refused due to strict flag
Jul 11 14:43:58 Test pluto[986]: "remote-access-mac-zzz"[21] xxx.xxx.xxx.xxx:52565 #21: Oakley Transform [AES_CBC (128), HMAC_SHA1, ECP_256] refused due to strict flag
Jul 11 14:43:58 Test pluto[986]: "remote-access-mac-zzz"[21] xxx.xxx.xxx.xxx:52565 #21: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP_2048] refused due to strict flag
Jul 11 14:43:58 Test pluto[986]: "remote-access-mac-zzz"[21] xxx.xxx.xxx.xxx:52565 #21: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP_2048] refused due to strict flag
Jul 11 14:43:58 Test pluto[986]: "remote-access-mac-zzz"[21] xxx.xxx.xxx.xxx:52565 #21: NAT-Traversal: Result using RFC 3947: peer is NATed
Jul 11 14:43:59 Test pluto[986]: "remote-access-mac-zzz"[21] xxx.xxx.xxx.xxx:52565 #21: Peer ID is ID_IPV4_ADDR: '192.168.1.77'
Jul 11 14:43:59 Test pluto[986]: "remote-access-mac-zzz"[22] xxx.xxx.xxx.xxx:52565 #21: deleting connection "remote-access-mac-zzz" instance with peer xxx.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
Jul 11 14:43:59 Test pluto[986]: "remote-access-mac-zzz"[22] xxx.xxx.xxx.xxx:52566 #21: sent MR3, ISAKMP SA established
Jul 11 14:43:59 Test pluto[986]: "remote-access-mac-zzz"[22] xxx.xxx.xxx.xxx:52566 #22: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Jul 11 14:43:59 Test pluto[986]: "remote-access-mac-zzz"[22] xxx.xxx.xxx.xxx:52566 #22: IPSec Transform [AES_CBC (128), HMAC_SHA1] refused due to strict flag
Jul 11 14:43:59 Test pluto[986]: "remote-access-mac-zzz"[22] xxx.xxx.xxx.xxx:52566 #22: responding to Quick Mode
Jul 11 14:43:59 Test pluto[986]: "remote-access-mac-zzz"[22] xxx.xxx.xxx.xxx:52566 #22: cannot install eroute -- it is in use for "remote-access-mac-zzz"[20] xxx.xxx.xxx.xxx:4500 #20
Jul 11 14:44:00 Test kernel: Port 0 receive error code 10, packet dropped
Jul 11 14:44:01 Test pluto[986]: "remote-access-mac-zzz"[22] xxx.xxx.xxx.xxx:52566 #21: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000001 (perhaps this is a duplicated packet)
Jul 11 14:44:01 Test pluto[986]: "remote-access-mac-zzz"[22] xxx.xxx.xxx.xxx:52566 #21: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.xxx:52566
Jul 11 14:44:02 Test kernel: Port 0 receive error code 10, packet dropped
Jul 11 14:44:03 Test pluto[986]: "remote-access-mac-zzz"[22] xxx.xxx.xxx.xxx:52566 #21: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000001 (perhaps this is a duplicated packet)
Jul 11 14:44:03 Test pluto[986]: "remote-access-mac-zzz"[22] xxx.xxx.xxx.xxx:52566 #21: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.xxx:52566
Jul 11 14:44:04 Test kernel: Port 0 receive error code 10, packet dropped
Jul 11 14:44:06 Test kernel: Port 0 receive error code 10, packet dropped
Jul 11 14:44:08 Test pluto[986]: "remote-access-mac-zzz"[22] xxx.xxx.xxx.xxx:52566 #21: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000001 (perhaps this is a duplicated packet)
Jul 11 14:44:08 Test pluto[986]: "remote-access-mac-zzz"[22] xxx.xxx.xxx.xxx:52566 #21: sending encrypted notification INVALID_MESSAGE_ID to xxx.xxx.xxx.xxx:52566
Jul 11 14:44:08 Test kernel: Port 0 receive error code 10, packet dropped
Jul 11 14:44:16 Test kernel: last message repeated 3 times

Anyone have any ideas? For clarity, all obfuscated IP addresses are the same external IP.



All Replies
Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5471
Solutions: 1656
Contributions: 2

Re: L2TP VPN - Multiple connections from same NAT'd location


@gerakinis wrote:

I have a working L2TP VPN server running on my ERL. I'm running into an issue trying to have multiple clients connect from a single NAT'd external location. The second connection fails with the following error messages (the first connection is already active when this log is output):


Yeah, this is actually a known limitation of the underlying software component, strongSwan (and openswan, etc.); for example, see this and this. So for now, if this is required, other VPN solutions (e.g., OpenVPN, PPTP) may be considered.

New Member
Posts: 15
Registered: ‎05-16-2013
Kudos: 3

Re: L2TP VPN - Multiple connections from same NAT'd location

I was very worried that this would be the case. I really don't want to set up a G2G VPN connection or a PPTP server, but these look to be the options available to me.

Thank you.

SuperUser
Posts: 21,761
Registered: ‎11-20-2011
Kudos: 7925
Solutions: 233

Re: L2TP VPN - Multiple connections from same NAT'd location

You can do local PPTP auth on the EdgeRouter.


isp builder | linux sorcerer | datacenter automation conjurer | blog: blog.engineered.online
link to our slack channel on the blog
Member
Posts: 129
Registered: ‎10-08-2014
Kudos: 6
Solutions: 1

Re: L2TP VPN - Multiple connections from same NAT'd location

I'd like to ask, is there another solution for this? I'd like to use L2TP over IPsec.

New Member
Posts: 28
Registered: ‎09-07-2014
Kudos: 3
Solutions: 1

Re: L2TP VPN - Multiple connections from same NAT'd location

"multiple clients"

May I ask if that is Windows 7-8 clients?

Member
Posts: 129
Registered: ‎10-08-2014
Kudos: 6
Solutions: 1

Re: L2TP VPN - Multiple connections from same NAT'd location

I checked Win 8.1 multiple clients.

New Member
Posts: 28
Registered: ‎09-07-2014
Kudos: 3
Solutions: 1

Re: L2TP VPN - Multiple connections from same NAT'd location

I have tried everything that I can and it seems no one from UBNT can answer the question.

This only happens with Windows clients.

The test I have done is using an OS X client at the same time as my Windows client from the same NAT network to my EdgeMAX Lite router at home.

OS X does not get disconnected at all, but with the Windows clients I get random disconnections 24/7.

Clients (OS X and Windows) - Firewall -> INTERNET -> EdgeMAX Lite.

So at the moment I can't even recommend EdgeMAX to customers that want to use it with L2TP.

People will probably say OpenVPN (or PPP), but that's not an answer; customers want to use what comes with the OS, not adding extra administration to applications.

Member
Posts: 129
Registered: ‎10-08-2014
Kudos: 6
Solutions: 1

Re: L2TP VPN - Multiple connections from same NAT'd location


@kiwifruktish wrote:

This only happens with Windows clients.

OS X does not get disconnected at all, but with the Windows clients I get random disconnections 24/7.


This does happen with Windows clients ... and the EdgeRouter. I can use multiple L2TP connections on the same machines to a Zyxel ZyWALL router. So the problem is on the EdgeRouter, I think.

If I connect the first Windows client to the Edge, then the second cannot connect.

New Member
Posts: 28
Registered: ‎09-07-2014
Kudos: 3
Solutions: 1

Re: L2TP VPN - Multiple connections from same NAT'd location

Yeah, it seems not to be compatible with Windows, because Windows and OS X at the same time works; haven't had time to try other OSes also at the same time, but more than one Windows is not possible.

 

Member
Posts: 129
Registered: ‎10-08-2014
Kudos: 6
Solutions: 1

Re: L2TP VPN - Multiple connections from same NAT'd location

In the new version 1.7 RC1 the problem is still not resolved.

New Member
Posts: 5
Registered: ‎11-12-2015
Kudos: 1

Re: L2TP VPN - Multiple connections from same NAT'd location

I don't know if you are still having the problem, but I was also having the problems on my Windows 7 PC. I found a suggested solution in another blog that stated this is a known issue with Microsoft and "L2TP/IPsec server behind a NAT-T device in Windows". Apparently the problem existed on Vista and Windows Server 2008. Based on the blog suggestion that it occurred on other versions of Windows, I tried the registry change on my system and it resolved the issue. I have not been experiencing the error or disconnects.

See MS knowledge base article: https://support.microsoft.com/en-us/kb/926179

The original information I got was from here:

http://serverfault.com/questions/474742/simple-l2tp-ipsec-server-not-working-openswan-xl2tpd-ubuntu-...

Member
Posts: 129
Registered: ‎10-08-2014
Kudos: 6
Solutions: 1

Re: L2TP VPN - Multiple connections from same NAT'd location

[ Edited ]

For me this solution doesn't resolve the problem.

I have one Edge Lite 5 which I upgraded to 1.8 firmware and tested L2TP over IPsec (I read that there is a new openswan).

Unfortunately, I still have a problem. First computer connected successfully, second has a problem. Log below.

Mar 14 19:23:21 08[IKE] <57> 213.92.x.x is initiating a Main Mode IKE_SA
Mar 14 19:23:21 05[IKE] <remote-access|57> IKE_SA remote-access[57] established between 91.227.x.x[91.227.x.x]...213.92.x.x[192.168.77.200]
Mar 14 19:23:21 11[IKE] <remote-access|57> CHILD_SA remote-access{50} established with SPIs cc1f793c_i 27fddbba_o and TS 91.227.x.x/32[udp/l2f] === 213.92.x.x/32[udp/l2f]
Mar 14 19:23:27 12[KNL] 10.255.255.0 appeared on ppp0
Mar 14 19:23:27 07[KNL] 10.255.255.0 disappeared from ppp0
Mar 14 19:23:27 09[KNL] 10.255.255.0 appeared on ppp0
Mar 14 19:23:27 11[KNL] interface l2tp0 activated
Mar 14 19:23:55 08[IKE] <58> 213.92.x.x is initiating a Main Mode IKE_SA
Mar 14 19:23:56 13[IKE] <remote-access|58> IKE_SA remote-access[58] established between 91.227.x.x[91.227.x.x]...213.92.x.x[192.168.77.44]
Mar 14 19:23:56 11[KNL] <remote-access|58> deleting policy 91.227.x.x/32[udp/l2f] === 213.92.x.x/32[udp/l2f] out failed, not found
Mar 14 19:23:56 11[KNL] <remote-access|58> deleting policy 213.92.x.x/32[udp/l2f] === 91.227.x.x/32[udp/l2f] in failed, not found
Mar 14 19:23:56 11[KNL] <remote-access|58> deleting policy 91.227.x.x/32[udp/l2f] === 213.92.x.x/32[udp/l2f] out failed, not found
Mar 14 19:23:56 11[KNL] <remote-access|58> deleting policy 213.92.x.x/32[udp/l2f] === 91.227.x.x/32[udp/l2f] in failed, not found

 

ubnt@ubnt# show vpn
 ipsec {
     auto-firewall-nat-exclude enable
     ipsec-interfaces {
         interface eth0
     }
     logging {
         log-level 2
     }
     nat-networks {
         allowed-network 10.0.0.0/8 {
         }
         allowed-network 172.16.0.0/12 {
         }
         allowed-network 192.168.0.0/16 {
         }
     }
     nat-traversal enable
 }
 l2tp {
     remote-access {
         authentication {
             local-users {
                 username re {
                     password xxxxx
                 }
                 username re2 {
                     password xxxx
                 }
             }
             mode local
         }
         client-ip-pool {
             start 192.168.0.90
             stop 192.168.0.95
         }
         ipsec-settings {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret xxxxx
             }
             ike-lifetime 3600
         }
         mtu 1484
         outside-address 91.227.x.x
         outside-nexthop 91.227.x.x
     }
 }
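As an added example (not code from this thread or from EdgeOS), the script below scans syslog lines for the two failure signatures quoted in this thread: pluto's "cannot install eroute -- it is in use" from the first post, and charon's second IKE_SA from an already-connected public address followed by "deleting policy ... failed, not found" from the log above. The sample lines are constructed from the ones posted here with documentation-range addresses; the regexes and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pluto and charon lines quoted in this thread; the public
# addresses are documentation ranges (203.0.113.x stands in for a shared NAT address).
SAMPLE_LOG = """\
Jul 11 14:43:59 Test pluto[986]: "remote-access-mac-zzz"[21] 203.0.113.5:52565 #21: Peer ID is ID_IPV4_ADDR: '192.168.1.77'
Jul 11 14:43:59 Test pluto[986]: "remote-access-mac-zzz"[22] 203.0.113.5:52566 #22: cannot install eroute -- it is in use for "remote-access-mac-zzz"[20] 203.0.113.5:4500 #20
Mar 14 19:23:21 05[IKE] <remote-access|57> IKE_SA remote-access[57] established between 198.51.100.7[198.51.100.7]...203.0.113.9[192.168.77.200]
Mar 14 19:23:21 11[IKE] <remote-access|57> CHILD_SA remote-access{50} established with SPIs cc1f793c_i 27fddbba_o and TS 198.51.100.7/32[udp/l2f] === 203.0.113.9/32[udp/l2f]
Mar 14 19:23:56 13[IKE] <remote-access|58> IKE_SA remote-access[58] established between 198.51.100.7[198.51.100.7]...203.0.113.9[192.168.77.44]
Mar 14 19:23:56 11[KNL] <remote-access|58> deleting policy 198.51.100.7/32[udp/l2f] === 203.0.113.9/32[udp/l2f] out failed, not found
"""

# openswan/pluto: the new instance cannot own the peer/32 udp/1701 policy an older instance holds
EROUTE_RE = re.compile(r'\[(?P<new>\d+)\] (?P<peer>[\d.]+):\d+ #\d+: cannot install eroute -- it is in use for "[^"]+"\[(?P<old>\d+)\]')
# openswan/pluto: the client's private address, i.e. which host behind the NAT is connecting
PEERID_RE = re.compile(r"\[(?P<sa>\d+)\] (?P<peer>[\d.]+):\d+ #\d+: Peer ID is ID_IPV4_ADDR: '(?P<inner>[^']+)'")
# strongSwan/charon: "IKE_SA name[n] established between server[server]...public[inner]"
IKESA_RE = re.compile(r'IKE_SA \S+\[(?P<sa>\d+)\] established between \S+\.\.\.(?P<peer>[\d.]+)\[(?P<inner>[^\]]+)\]')
# strongSwan/charon: the newer SA's policy was never installed, so its teardown finds nothing
POLICY_FAIL_RE = re.compile(r'<[^|]+\|(?P<sa>\d+)> deleting policy .* failed, not found')

def detect_nat_collisions(lines):
    """Return (symptom, public NAT address, detail) for every sign of a second L2TP/IPsec
    client negotiating behind a public address that already has an active client."""
    findings = []
    clients_behind = defaultdict(dict)  # public NAT address -> {inner client ID: SA number}
    sa_peer = {}                        # SA number -> public NAT address
    for line in lines:
        if m := EROUTE_RE.search(line):
            findings.append(("eroute-in-use", m["peer"], f'instance [{m["new"]}] blocked by [{m["old"]}]'))
        elif m := PEERID_RE.search(line) or IKESA_RE.search(line):
            peer, inner = m["peer"], m["inner"]
            sa_peer[m["sa"]] = peer
            if clients_behind[peer] and inner not in clients_behind[peer]:
                findings.append(("second-client-behind-nat", peer, f'{inner} joins {sorted(clients_behind[peer])}'))
            clients_behind[peer][inner] = m["sa"]
        elif (m := POLICY_FAIL_RE.search(line)) and m["sa"] in sa_peer:
            findings.append(("policy-not-found", sa_peer[m["sa"]], f'IKE_SA {m["sa"]}'))
    return findings

if __name__ == "__main__":
    for symptom, nat_ip, detail in detect_nat_collisions(SAMPLE_LOG.splitlines()):
        print(f"{symptom:26} {nat_ip:15} {detail}")
```

Feed it the output of `show log` (or the syslog file) and a "second-client-behind-nat" finding without a later "policy-not-found" or "eroute-in-use" for the same address is how you can tell whether a given firmware actually tolerates two clients behind one NAT.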

 

Member
Posts: 129
Registered: ‎10-08-2014
Kudos: 6
Solutions: 1

Re: L2TP VPN - Multiple connections from same NAT'd location

UBNT support, could you answer? Is this resolved in 1.8?

 

Ubiquiti Employee
Posts: 2,991
Registered: ‎02-04-2013
Kudos: 354
Solutions: 289

Re: L2TP VPN - Multiple connections from same NAT'd location

@remikk do you have any NAT config on the L2TP router?

Veteran Member
Posts: 4,074
Registered: ‎05-15-2014
Kudos: 1521
Solutions: 278

Re: L2TP VPN - Multiple connections from same NAT'd location

Please see https://wiki.strongswan.org/issues/365 ... there seem to be options to do this; not sure if supported by current EdgeOS though.

Member
Posts: 129
Registered: ‎10-08-2014
Kudos: 6
Solutions: 1

Re: L2TP VPN - Multiple connections from same NAT'd location

Yes

ubnt@ubnt# show service nat
 rule 5000 {
     description "masquerade for WAN"
     outbound-interface eth0
     type masquerade
 }
 rule 5002 {
     description "masquerade for WAN 2"
     outbound-interface eth1
     type masquerade
 }
Member
Posts: 129
Registered: ‎10-08-2014
Kudos: 6
Solutions: 1

Re: L2TP VPN - Multiple connections from same NAT'd location

BranoB, I don't know how to do it in the EdgeRouter. I will wait for an answer from UBNT support.

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5471
Solutions: 1656
Contributions: 2

Re: L2TP VPN - Multiple connections from same NAT'd location

BranoB: That's good information. However, unfortunately the current strongSwan version (5.2) in the 1.8 release does not have the plugin yet, so we'll either have to upgrade again or backport the plugin.

New Member
Posts: 28
Registered: ‎09-07-2014
Kudos: 3
Solutions: 1

Re: L2TP VPN - Multiple connections from same NAT'd location

Is there any information when this will work for windows users?
