Help troubleshooting L2TP over IPSEC VPN connections.
-
@JaredBusch @scottalanmiller Any idea?
-
If this is what I think it is,.. it's something we have gone round and round with for nearly a year. It's something we can't seem to nail down as either an ERL or OS issue.
-
@romo said in Help troubleshooting L2TP over IPSEC VPN connections.:
@JaredBusch @scottalanmiller Any idea?
Is this user trying to connect from the same IP as another user?
-
@jaredbusch said in Help troubleshooting L2TP over IPSEC VPN connections.:
@romo said in Help troubleshooting L2TP over IPSEC VPN connections.:
@JaredBusch @scottalanmiller Any idea?
Is this user trying to connect from the same IP as another user?
Generally not.. They are remote / home users.
-
@jaredbusch said in Help troubleshooting L2TP over IPSEC VPN connections.:
@romo said in Help troubleshooting L2TP over IPSEC VPN connections.:
@JaredBusch @scottalanmiller Any idea?
Is this user trying to connect from the same IP as another user?
No, a single user trying to connect from home. She connected Wednesday without a problem, but Thursday she tries to connect again and it is not possible.
Logs show
13[CFG] unable to install policy EDGE_ROUTER_IP/32[udp/l2f] === USER_PUBLIC_IP/32[udp/l2f] out (mark 0/0x00000000) for reqid 35, the same policy for reqid 14 exists 13[CFG] unable to install policy USER_PUBLIC_IP/32[udp/l2f] === EDGE_ROUTER_IP/32[udp/l2f] in (mark 0/0x00000000) for reqid 35, the same policy for reqid 14 existsNew connection can't be made because a policy with the same details is already present. If we vpn from any place that has a different public ip than the one from her home, we can establish the vpn connection without a problem.
-
@romo said in Help troubleshooting L2TP over IPSEC VPN connections.:
@jaredbusch said in Help troubleshooting L2TP over IPSEC VPN connections.:
@romo said in Help troubleshooting L2TP over IPSEC VPN connections.:
@JaredBusch @scottalanmiller Any idea?
Is this user trying to connect from the same IP as another user?
No, a single user trying to connect from home. She connected Wednesday without a problem, but Thursday she tries to connect again and it is not possible.
Logs show
13[CFG] unable to install policy EDGE_ROUTER_IP/32[udp/l2f] === USER_PUBLIC_IP/32[udp/l2f] out (mark 0/0x00000000) for reqid 35, the same policy for reqid 14 exists 13[CFG] unable to install policy USER_PUBLIC_IP/32[udp/l2f] === EDGE_ROUTER_IP/32[udp/l2f] in (mark 0/0x00000000) for reqid 35, the same policy for reqid 14 existsNew connection can't be made because a policy with the same details is already present. If we vpn from any place that has a different public ip than the one from her home, we can establish the vpn connection without a problem.
What VPN client are you using, default to Windows?
-
@dbeato Yes
-
@romo said in Help troubleshooting L2TP over IPSEC VPN connections.:
@dbeato Yes
Okay, was looking at that error on other OpenVPN clients that had issues on older versions.
-
@dbeato said in Help troubleshooting L2TP over IPSEC VPN connections.:
@romo said in Help troubleshooting L2TP over IPSEC VPN connections.:
@dbeato Yes
Okay, was looking at that error on other OpenVPN clients that had issues on older versions.
It looks like it is a Strongswan issue, as a temporary fix it should be resolved by manually restarting the IPSec VPN (restart vpn). Unfortunately, during working hours it seems to be too disruptive to use for properly connected users. At least without having tested the effects of the restart for connected users.
The strange thing is the connection is acting as if two computers were trying to access the VPN server behind the same NAT when according to the user it is only a single device.
-
Here is our issue https://wiki.strongswan.org/issues/431, it was fixed 3 years ago when version 5.3 of strongSwan came out.
I had not found what strongSwan version we were using, I just assumed we were using something newer. Then I found that our edge router is using strongSwan 5.2.2.
Here is our version.
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.10.107-UBNT, mips64): uptime: 3 days, since Aug 06 22:12:40 2018 malloc: sbrk 376832, mmap 0, used 295456, free 81376 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled:From here https://community.ubnt.com/t5/EdgeMAX-Feature-Requests/Upgrade-to-strongswan-5-6-x/idi-p/1507341 we see a change to strongSwan 5.5.x has been accepted don't know when it will be available.
strongSwan 5.3 + can now handle identical policies by reusing the same reqid. This allows identical CHILD_SAs to the same host.
So that probably means multiple machines behind NAT could also work when the fix is implemented.
-
jeeze,.. that is a sad state to think that we have nbeen fighting this for that long,...
@JaredBusch @scottalanmiller
Can a cron be set to restart the ipsec every 24 hours? -
@romo said in Help troubleshooting L2TP over IPSEC VPN connections.:
Here is our issue https://wiki.strongswan.org/issues/431, it was fixed 3 years ago when version 5.3 of strongSwan came out.
I had not found what strongSwan version we were using, I just assumed we were using something newer. Then I found that our edge router is using strongSwan 5.2.2.
Here is our version.
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.10.107-UBNT, mips64): uptime: 3 days, since Aug 06 22:12:40 2018 malloc: sbrk 376832, mmap 0, used 295456, free 81376 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled:From here https://community.ubnt.com/t5/EdgeMAX-Feature-Requests/Upgrade-to-strongswan-5-6-x/idi-p/1507341 we see a change to strongSwan 5.5.x has been accepted don't know when it will be available.
strongSwan 5.3 + can now handle identical policies by reusing the same reqid. This allows identical CHILD_SAs to the same host.
So that probably means multiple machines behind NAT could also work when the fix is implemented.
Yeah, that is what I found and was referring to. I just did not post it here.
-
@gjacobse said in Help troubleshooting L2TP over IPSEC VPN connections.:
jeeze,.. that is a sad state to think that we have nbeen fighting this for that long,...
@JaredBusch @scottalanmiller
Can a cron be set to restart the ipsec every 24 hours?Yes.
