Windows 7 IPSec/L2TP VPN disconnects
Hi All! I've got a VPN server configured with L2TP/IPSec + PSK settings on it. The VPN server is connected to the internet with a fixed public IP like this:
10.10.10.0/24 ----|eth1 VPN Server eth0|----PUBLIC IP
When I connect to it from another network, which is behind a Linksys router like this:
PUBLIC IP ----|eth0 WRT54GL eth1|---- 192.168.1.0/24
If I use an Asus Eee with WinXP, then it connects and works flawlessly for hours and I can transfer GBytes through the VPN tunnel.
If I use an Android tablet, then it connects and works flawlessly for hours and I can transfer GBytes through the VPN tunnel.
If I use a desktop PC with Win7, then it connects and works, but disconnects after I have transferred ~200MBytes through the VPN tunnel. After reconnecting, it works again for another ~200MBytes.
If I connect the desktop PC directly to the internet (not behind the router), then it connects and works flawlessly for hours and I can transfer GBytes through the VPN tunnel. So the disconnection problem only happens when Win7 is behind the router (NAT-ed). And the problem only happens on Win7 (XP and Android work flawlessly from behind the router). I think the problem is somewhere around the IPSec lifetime (bytes) and the rekey procedure fails in a NAT-ed environment.
Here are the logs from the VPN server (PUBLIC IP replaced):

XP connection to VPN server (NAT-ed)
Jun 27 14:05:29 vyatta pluto[3023]: packet from 11.22.33.124:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jun 27 14:05:29 vyatta pluto[3023]: packet from 11.22.33.124:500: ignoring Vendor ID payload [FRAGMENTATION]
Jun 27 14:05:29 vyatta pluto[3023]: packet from 11.22.33.124:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jun 27 14:05:29 vyatta pluto[3023]: packet from 11.22.33.124:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jun 27 14:05:29 vyatta pluto[3023]: "remote-access-mac-zzz"[1] 11.22.33.124 #1: responding to Main Mode from unknown peer 11.22.33.124
Jun 27 14:05:29 vyatta pluto[3023]: "remote-access-mac-zzz"[1] 11.22.33.124 #1: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP_2048] refused due to strict flag
Jun 27 14:05:29 vyatta pluto[3023]: "remote-access-mac-zzz"[1] 11.22.33.124 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jun 27 14:05:29 vyatta pluto[3023]: "remote-access-mac-zzz"[1] 11.22.33.124 #1: Peer ID is ID_FQDN: 'ASUSEee'
Jun 27 14:05:29 vyatta pluto[3023]: "remote-access-mac-zzz"[2] 11.22.33.124 #1: deleting connection "remote-access-mac-zzz" instance with peer 11.22.33.124 {isakmp=#0/ipsec=#0}
Jun 27 14:05:29 vyatta pluto[3023]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #1: sent MR3, ISAKMP SA established
Jun 27 14:05:29 vyatta pluto[3023]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #2: IPSec Transform [3DES_CBC (192), HMAC_MD5] refused due to strict flag
Jun 27 14:05:29 vyatta pluto[3023]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #2: responding to Quick Mode
Jun 27 14:05:29 vyatta pluto[3023]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #2: IPsec SA established {ESP=>0xcd0cc176 <0xe0dddb1c NATOA=192.168.1.145}
Jun 27 14:05:31 vyatta xl2tpd[2598]: Connection established to 11.22.33.124, 1701. Local: 34120, Remote: 1 (ref=0/0). LNS session is 'default'
Jun 27 14:05:31 vyatta xl2tpd[2598]: Call established with 11.22.33.124, Local: 64789, Remote: 1, Serial: 0
Jun 27 14:05:31 vyatta pppd[3078]: pppd 2.4.4 started by root, uid 0
Jun 27 14:05:31 vyatta zebra[2009]: interface ppp0 index 6 <POINTOPOINT,NOARP,MULTICAST> added.
Jun 27 14:05:31 vyatta pppd[3078]: Connect: ppp0 <--> /dev/pts/1
Jun 27 14:05:31 vyatta pppd[3078]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Jun 27 14:05:31 vyatta zebra[2009]: warning: PtP interface ppp0 with addr 10.255.255.0/32 needs a peer address
Jun 27 14:05:31 vyatta zebra[2009]: interface index 6 was renamed from ppp0 to l2tp0
Jun 27 14:05:31 vyatta ripd[2018]: interface delete ppp0 index 6 flags 0x1090 metric 1 mtu 1400
Jun 27 14:05:31 vyatta ripngd[2021]: interface delete ppp0 index 6 flags 0x1090 metric 1 mtu 1400
Jun 27 14:05:31 vyatta pppd[3078]: local IP address 10.255.255.0
Jun 27 14:05:31 vyatta pppd[3078]: remote IP address 10.10.10.235
Jun 27 14:05:31 vyatta zebra[2009]: interface l2tp0 index 6 changed <UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>.

XP after ~200MB transferred (IPSec rekey)
Jun 27 14:11:02 vyatta pluto[3023]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #3: IPSec Transform [3DES_CBC (192), HMAC_MD5] refused due to strict flag
Jun 27 14:11:02 vyatta pluto[3023]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #3: responding to Quick Mode
Jun 27 14:11:02 vyatta pluto[3023]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #3: IPsec SA established {ESP=>0x791f5a31 <0x44b86277 NATOA=192.168.1.145}
Jun 27 14:11:02 vyatta pluto[3023]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #1: received Delete SA(0xcd0cc176) payload: deleting IPSEC State #2

XP after another ~200MB transferred (IPSec rekey)
Jun 27 14:11:58 vyatta pluto[3023]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #4: IPSec Transform [3DES_CBC (192), HMAC_MD5] refused due to strict flag
Jun 27 14:11:58 vyatta pluto[3023]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #4: responding to Quick Mode
Jun 27 14:11:58 vyatta pluto[3023]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #4: IPsec SA established {ESP=>0xa237b44b <0x961881d4 NATOA=192.168.1.145}
Jun 27 14:11:58 vyatta pluto[3023]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #1: received Delete SA(0x791f5a31) payload: deleting IPSEC State #3

Win7 connection to VPN server (not NAT-ed)
Jun 27 14:31:57 vyatta pluto[3675]: packet from 11.22.33.117:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Jun 27 14:31:57 vyatta pluto[3675]: packet from 11.22.33.117:500: received Vendor ID payload [RFC 3947]
Jun 27 14:31:57 vyatta pluto[3675]: packet from 11.22.33.117:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jun 27 14:31:57 vyatta pluto[3675]: packet from 11.22.33.117:500: ignoring Vendor ID payload [FRAGMENTATION]
Jun 27 14:31:57 vyatta pluto[3675]: packet from 11.22.33.117:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jun 27 14:31:57 vyatta pluto[3675]: packet from 11.22.33.117:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jun 27 14:31:57 vyatta pluto[3675]: packet from 11.22.33.117:500: ignoring Vendor ID payload [IKE CGA version 1]
Jun 27 14:31:57 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #1: responding to Main Mode from unknown peer 11.22.33.117
Jun 27 14:31:57 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #1: Oakley Transform [AES_CBC (256), HMAC_SHA1, ECP_384] refused due to strict flag
Jun 27 14:31:57 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #1: Oakley Transform [AES_CBC (128), HMAC_SHA1, ECP_256] refused due to strict flag
Jun 27 14:31:57 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #1: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP_2048] refused due to strict flag
Jun 27 14:31:57 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #1: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP_2048] refused due to strict flag
Jun 27 14:31:57 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #1: NAT-Traversal: Result using RFC 3947: no NAT detected
Jun 27 14:31:57 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #1: Peer ID is ID_IPV4_ADDR: '11.22.33.117'
Jun 27 14:31:57 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #1: sent MR3, ISAKMP SA established
Jun 27 14:31:57 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #2: IPSec Transform [AES_CBC (128), HMAC_SHA1] refused due to strict flag
Jun 27 14:31:57 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #2: responding to Quick Mode
Jun 27 14:31:57 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #2: IPsec SA established {ESP=>0xe865f953 <0x7d081fdd}
Jun 27 14:31:59 vyatta xl2tpd[2598]: Connection established to 11.22.33.117, 1701. Local: 7952, Remote: 6 (ref=0/0). LNS session is 'default'
Jun 27 14:31:59 vyatta xl2tpd[2598]: Call established with 11.22.33.117, Local: 5489, Remote: 1, Serial: 0
Jun 27 14:31:59 vyatta pppd[3899]: pppd 2.4.4 started by root, uid 0
Jun 27 14:31:59 vyatta zebra[2009]: interface ppp0 index 8 <POINTOPOINT,NOARP,MULTICAST> added.
Jun 27 14:31:59 vyatta pppd[3899]: Connect: ppp0 <--> /dev/pts/1
Jun 27 14:32:02 vyatta pppd[3899]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Jun 27 14:32:02 vyatta zebra[2009]: warning: PtP interface ppp0 with addr 10.255.255.0/32 needs a peer address
Jun 27 14:32:02 vyatta zebra[2009]: interface index 8 was renamed from ppp0 to l2tp0
Jun 27 14:32:02 vyatta ripd[2018]: interface delete ppp0 index 8 flags 0x1090 metric 1 mtu 1400
Jun 27 14:32:02 vyatta ripngd[2021]: interface delete ppp0 index 8 flags 0x1090 metric 1 mtu 1400
Jun 27 14:32:02 vyatta pppd[3899]: local IP address 10.255.255.0
Jun 27 14:32:02 vyatta pppd[3899]: remote IP address 10.10.10.235
Jun 27 14:32:02 vyatta zebra[2009]: interface l2tp0 index 8 changed <UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>.

Win7 after ~200MB transferred (IPSec rekey)
Jun 27 14:33:00 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #3: IPSec Transform [AES_CBC (128), HMAC_SHA1] refused due to strict flag
Jun 27 14:33:00 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #3: responding to Quick Mode
Jun 27 14:33:00 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #3: IPsec SA established {ESP=>0xdda4b7c5 <0x95c1a267}
Jun 27 14:33:00 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #1: received Delete SA(0xe865f953) payload: deleting IPSEC State #2

Win7 after another ~200MB transferred (IPSec rekey)
Jun 27 14:33:17 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #4: IPSec Transform [AES_CBC (128), HMAC_SHA1] refused due to strict flag
Jun 27 14:33:17 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #4: responding to Quick Mode
Jun 27 14:33:17 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #4: IPsec SA established {ESP=>0xdf8c0566 <0xab87df4a}
Jun 27 14:33:17 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #1: received Delete SA(0xdda4b7c5) payload: deleting IPSEC State #3

Win7 after another ~200MB transferred (IPSec rekey)
Jun 27 14:33:29 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #5: IPSec Transform [AES_CBC (128), HMAC_SHA1] refused due to strict flag
Jun 27 14:33:29 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #5: responding to Quick Mode
Jun 27 14:33:29 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #5: IPsec SA established {ESP=>0x598afd74 <0xafd9877c}
Jun 27 14:33:29 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #1: received Delete SA(0xdf8c0566) payload: deleting IPSEC State #4

Win7 after another ~200MB transferred (IPSec rekey)
Jun 27 14:33:41 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #6: IPSec Transform [AES_CBC (128), HMAC_SHA1] refused due to strict flag
Jun 27 14:33:41 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #6: responding to Quick Mode
Jun 27 14:33:41 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #6: IPsec SA established {ESP=>0xf01908c2 <0x797f0602}
Jun 27 14:33:41 vyatta pluto[3675]: "remote-access-mac-zzz"[1] 11.22.33.117 #1: received Delete SA(0x598afd74) payload: deleting IPSEC State #5

Win7 connection to VPN server (NAT-ed)
Jun 27 14:19:12 vyatta pluto[3235]: packet from 11.22.33.124:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Jun 27 14:19:12 vyatta pluto[3235]: packet from 11.22.33.124:500: received Vendor ID payload [RFC 3947]
Jun 27 14:19:12 vyatta pluto[3235]: packet from 11.22.33.124:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jun 27 14:19:12 vyatta pluto[3235]: packet from 11.22.33.124:500: ignoring Vendor ID payload [FRAGMENTATION]
Jun 27 14:19:12 vyatta pluto[3235]: packet from 11.22.33.124:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jun 27 14:19:12 vyatta pluto[3235]: packet from 11.22.33.124:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jun 27 14:19:12 vyatta pluto[3235]: packet from 11.22.33.124:500: ignoring Vendor ID payload [IKE CGA version 1]
Jun 27 14:19:12 vyatta pluto[3235]: "remote-access-mac-zzz"[1] 11.22.33.124 #1: responding to Main Mode from unknown peer 11.22.33.124
Jun 27 14:19:12 vyatta pluto[3235]: "remote-access-mac-zzz"[1] 11.22.33.124 #1: Oakley Transform [AES_CBC (256), HMAC_SHA1, ECP_384] refused due to strict flag
Jun 27 14:19:12 vyatta pluto[3235]: "remote-access-mac-zzz"[1] 11.22.33.124 #1: Oakley Transform [AES_CBC (128), HMAC_SHA1, ECP_256] refused due to strict flag
Jun 27 14:19:12 vyatta pluto[3235]: "remote-access-mac-zzz"[1] 11.22.33.124 #1: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP_2048] refused due to strict flag
Jun 27 14:19:12 vyatta pluto[3235]: "remote-access-mac-zzz"[1] 11.22.33.124 #1: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP_2048] refused due to strict flag
Jun 27 14:19:12 vyatta pluto[3235]: "remote-access-mac-zzz"[1] 11.22.33.124 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
Jun 27 14:19:12 vyatta pluto[3235]: "remote-access-mac-zzz"[1] 11.22.33.124 #1: Peer ID is ID_IPV4_ADDR: '192.168.1.107'
Jun 27 14:19:12 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124 #1: deleting connection "remote-access-mac-zzz" instance with peer 11.22.33.124 {isakmp=#0/ipsec=#0}
Jun 27 14:19:12 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #1: sent MR3, ISAKMP SA established
Jun 27 14:19:12 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #2: NAT-Traversal: received 2 NAT-OA. using first, ignoring others (WTF?)
Jun 27 14:19:12 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #2: IPSec Transform [AES_CBC (128), HMAC_SHA1] refused due to strict flag
Jun 27 14:19:12 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #2: responding to Quick Mode
Jun 27 14:19:12 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #2: IPsec SA established {ESP=>0x0fe8a54c <0x54ddd63c NATOA=192.168.1.107}
Jun 27 14:19:14 vyatta xl2tpd[2598]: Connection established to 11.22.33.124, 1701. Local: 39750, Remote: 5 (ref=0/0). LNS session is 'default'
Jun 27 14:19:14 vyatta xl2tpd[2598]: Call established with 11.22.33.124, Local: 62547, Remote: 1, Serial: 0
Jun 27 14:19:14 vyatta pppd[3472]: pppd 2.4.4 started by root, uid 0
Jun 27 14:19:14 vyatta zebra[2009]: interface ppp0 index 7 <POINTOPOINT,NOARP,MULTICAST> added.
Jun 27 14:19:14 vyatta pppd[3472]: Connect: ppp0 <--> /dev/pts/1
Jun 27 14:19:17 vyatta pppd[3472]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Jun 27 14:19:17 vyatta zebra[2009]: warning: PtP interface ppp0 with addr 10.255.255.0/32 needs a peer address
Jun 27 14:19:17 vyatta zebra[2009]: interface index 7 was renamed from ppp0 to l2tp0
Jun 27 14:19:17 vyatta ripd[2018]: interface delete ppp0 index 7 flags 0x1090 metric 1 mtu 1400
Jun 27 14:19:17 vyatta ripngd[2021]: interface delete ppp0 index 7 flags 0x1090 metric 1 mtu 1400
Jun 27 14:19:17 vyatta pppd[3472]: local IP address 10.255.255.0
Jun 27 14:19:17 vyatta pppd[3472]: remote IP address 10.10.10.235
Jun 27 14:19:17 vyatta zebra[2009]: interface l2tp0 index 7 changed <UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>.

Win7 after ~200MB transferred (IPSec rekey failed)
Jun 27 14:20:25 vyatta pluto[3235]: "remote-access-mac-zzz"[3] 11.22.33.124:4500 #3: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Jun 27 14:20:25 vyatta pluto[3235]: "remote-access-mac-zzz"[3] 11.22.33.124:4500 #3: IPSec Transform [AES_CBC (128), HMAC_SHA1] refused due to strict flag
Jun 27 14:20:25 vyatta pluto[3235]: "remote-access-mac-zzz"[3] 11.22.33.124:4500 #3: responding to Quick Mode
Jun 27 14:20:25 vyatta pluto[3235]: "remote-access-mac-zzz"[3] 11.22.33.124:4500 #3: cannot install eroute -- it is in use for "remote-access-mac-zzz"[2] 11.22.33.124:4500 #2
Jun 27 14:20:25 vyatta pluto[3235]: "remote-access-mac-zzz"[3] 11.22.33.124:4500: deleting connection "remote-access-mac-zzz" instance with peer 11.22.33.124 {isakmp=#0/ipsec=#0}
Jun 27 14:20:27 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x02000000 (perhaps this is a duplicated packet)
Jun 27 14:20:27 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 11.22.33.124:4500
Jun 27 14:20:30 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x02000000 (perhaps this is a duplicated packet)
Jun 27 14:20:30 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 11.22.33.124:4500
Jun 27 14:20:34 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x02000000 (perhaps this is a duplicated packet)
Jun 27 14:20:34 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 11.22.33.124:4500
Jun 27 14:20:37 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #1: received Delete SA(0x0fe8a54c) payload: deleting IPSEC State #2
Jun 27 14:20:43 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x02000000 (perhaps this is a duplicated packet)
Jun 27 14:20:43 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 11.22.33.124:4500
Jun 27 14:21:00 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x02000000 (perhaps this is a duplicated packet)
Jun 27 14:21:00 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 11.22.33.124:4500
Jun 27 14:21:16 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x02000000 (perhaps this is a duplicated packet)
Jun 27 14:21:16 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 11.22.33.124:4500
Jun 27 14:21:19 vyatta xl2tpd[2598]: Maximum retries exceeded for tunnel 39750. Closing.
Jun 27 14:21:32 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #1: received Delete SA payload: deleting ISAKMP State #1
Jun 27 14:21:32 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500: deleting connection "remote-access-mac-zzz" instance with peer 11.22.33.124 {isakmp=#0/ipsec=#0}
Jun 27 14:21:32 vyatta pluto[3235]: packet from 11.22.33.124:4500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Jun 27 14:21:32 vyatta pluto[3235]: packet from 11.22.33.124:4500: received Vendor ID payload [RFC 3947]
Jun 27 14:21:32 vyatta pluto[3235]: packet from 11.22.33.124:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jun 27 14:21:32 vyatta pluto[3235]: packet from 11.22.33.124:4500: ignoring Vendor ID payload [FRAGMENTATION]
Jun 27 14:21:32 vyatta pluto[3235]: packet from 11.22.33.124:4500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jun 27 14:21:32 vyatta pluto[3235]: packet from 11.22.33.124:4500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jun 27 14:21:32 vyatta pluto[3235]: packet from 11.22.33.124:4500: ignoring Vendor ID payload [IKE CGA version 1]
Jun 27 14:21:32 vyatta pluto[3235]: "remote-access-mac-zzz"[4] 11.22.33.124:4500 #4: responding to Main Mode from unknown peer 11.22.33.124:4500
Jun 27 14:21:32 vyatta pluto[3235]: "remote-access-mac-zzz"[4] 11.22.33.124:4500 #4: Oakley Transform [AES_CBC (256), HMAC_SHA1, ECP_384] refused due to strict flag
Jun 27 14:21:32 vyatta pluto[3235]: "remote-access-mac-zzz"[4] 11.22.33.124:4500 #4: Oakley Transform [AES_CBC (128), HMAC_SHA1, ECP_256] refused due to strict flag
Jun 27 14:21:32 vyatta pluto[3235]: "remote-access-mac-zzz"[4] 11.22.33.124:4500 #4: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP_2048] refused due to strict flag
Jun 27 14:21:32 vyatta pluto[3235]: "remote-access-mac-zzz"[4] 11.22.33.124:4500 #4: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP_2048] refused due to strict flag
Jun 27 14:21:32 vyatta pluto[3235]: "remote-access-mac-zzz"[4] 11.22.33.124:4500 #4: NAT-Traversal: Result using RFC 3947: peer is NATed
Jun 27 14:21:32 vyatta pluto[3235]: "remote-access-mac-zzz"[4] 11.22.33.124:4500 #4: Peer ID is ID_IPV4_ADDR: '192.168.1.107'
Jun 27 14:21:32 vyatta pluto[3235]: "remote-access-mac-zzz"[5] 11.22.33.124:4500 #4: deleting connection "remote-access-mac-zzz" instance with peer 11.22.33.124 {isakmp=#0/ipsec=#0}
Jun 27 14:21:32 vyatta pluto[3235]: "remote-access-mac-zzz"[5] 11.22.33.124:4500 #4: sent MR3, ISAKMP SA established
Jun 27 14:21:32 vyatta pluto[3235]: "remote-access-mac-zzz"[5] 11.22.33.124:4500 #5: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Jun 27 14:21:32 vyatta pluto[3235]: "remote-access-mac-zzz"[5] 11.22.33.124:4500 #5: IPSec Transform [AES_CBC (128), HMAC_SHA1] refused due to strict flag
Jun 27 14:21:32 vyatta pluto[3235]: "remote-access-mac-zzz"[5] 11.22.33.124:4500 #5: responding to Quick Mode
Jun 27 14:21:32 vyatta pluto[3235]: "remote-access-mac-zzz"[5] 11.22.33.124:4500 #5: IPsec SA established {ESP=>0xbb89b1b1 <0x78537fb1 NATOA=192.168.1.107}
Jun 27 14:21:34 vyatta pppd[3472]: Modem hangup
Jun 27 14:21:34 vyatta zebra[2009]: interface l2tp0 index 7 changed <POINTOPOINT,NOARP,MULTICAST>.
Jun 27 14:21:34 vyatta pppd[3472]: Connection terminated: no multilink.
Jun 27 14:21:34 vyatta zebra[2009]: interface l2tp0 index 7 deleted.
Jun 27 14:21:34 vyatta ripd[2018]: interface delete l2tp0 index 7 flags 0x1090 metric 1 mtu 1400
Jun 27 14:21:34 vyatta ripngd[2021]: interface delete l2tp0 index 7 flags 0x1090 metric 1 mtu 1400
Jun 27 14:22:53 vyatta pluto[3235]: "remote-access-mac-zzz"[5] 11.22.33.124:4500 #4: received Delete SA(0xbb89b1b1) payload: deleting IPSEC State #5
Jun 27 14:22:53 vyatta pluto[3235]: "remote-access-mac-zzz"[5] 11.22.33.124:4500 #4: received Delete SA payload: deleting ISAKMP State #4
Jun 27 14:22:53 vyatta pluto[3235]: "remote-access-mac-zzz"[5] 11.22.33.124:4500: deleting connection "remote-access-mac-zzz" instance with peer 11.22.33.124 {isakmp=#0/ipsec=#0}

I hope somebody has a cure for this. Thanks, Gabor
June 27th, 2012 9:50am
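A small log triage helper, added here as an example and not part of Gabor's post or of the Vyatta/Openswan tooling: it parses the pluto and xl2tpd lines quoted above and summarises one client's session, i.e. whether NAT was detected, which ESP SAs were set up and torn down, and the three markers that distinguish the failed Win7 rekey from the clean XP rekeys (the eroute conflict, the Quick Mode I1 retries refused for a reused Message ID, and xl2tpd giving up on the tunnel). The sample logs are shortened excerpts of the server logs in the post.

```python
import re

# Patterns for the Openswan/pluto and xl2tpd lines quoted in the post above, e.g.
#   Jun 27 14:20:25 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #2: <message>
PLUTO_RE = re.compile(r'pluto\[\d+\]: "[^"]+"\[\d+\] (?P<peer>[\d.]+)(?::\d+)?(?: #\d+)?: (?P<msg>.*)$')
ESTABLISHED_RE = re.compile(r'IPsec SA established \{ESP=>0x(?P<out>[0-9a-f]+) <0x[0-9a-f]+'
                            r'(?: NATOA=(?P<natoa>[\d.]+))?\}')
DELETE_RE = re.compile(r'received Delete SA\(0x(?P<spi>[0-9a-f]+)\) payload')
TUNNEL_CLOSE_RE = re.compile(r'xl2tpd\[\d+\]: Maximum retries exceeded for tunnel \d+')


def summarize_session(log_text):
    """Summarise one client's IKE/IPsec session from its pluto/xl2tpd log lines:
    NAT detection, ESP SAs set up (outbound SPI) and torn down, and the markers
    that separate the failed Win7 rekey in the post from a clean XP rekey."""
    s = {
        "peer": None,
        "nat_detected": False,      # "peer is NATed" from the NAT-T probe
        "natoa": set(),             # NAT-OA addresses announced by the client
        "multiple_natoa": False,    # pluto saw two NAT-OA payloads, ignored one
        "established": [],          # outbound ESP SPIs, in negotiation order
        "deleted": [],              # SPIs torn down by a Delete SA payload
        "eroute_conflicts": 0,      # new SA could not replace the old one
        "rejected_quick_mode": 0,   # Quick Mode I1 refused: reused Message ID
        "tunnel_closed": False,     # xl2tpd gave up on the L2TP tunnel
    }
    for line in log_text.splitlines():
        if TUNNEL_CLOSE_RE.search(line):
            s["tunnel_closed"] = True
            continue
        m = PLUTO_RE.search(line)
        if not m:
            continue
        s["peer"], msg = m.group("peer"), m.group("msg")
        s["nat_detected"] |= "peer is NATed" in msg
        s["multiple_natoa"] |= "received 2 NAT-OA" in msg
        s["eroute_conflicts"] += int("cannot install eroute" in msg)
        s["rejected_quick_mode"] += int("previously used Message ID" in msg)
        e = ESTABLISHED_RE.search(msg)
        if e:
            s["established"].append(e.group("out"))
            if e.group("natoa"):
                s["natoa"].add(e.group("natoa"))
        d = DELETE_RE.search(msg)
        if d:
            s["deleted"].append(d.group("spi"))
    s["natoa"] = sorted(s["natoa"])
    # SAs negotiated and never deleted: the ones that should still carry traffic
    s["active"] = [spi for spi in s["established"] if spi not in s["deleted"]]
    s["verdict"] = verdict(s)
    return s


def verdict(s):
    """One-line reading of a session: clean rekeys versus the failure in the post."""
    if s["eroute_conflicts"] or s["rejected_quick_mode"]:
        return "quick mode rekey failed"
    if len(s["established"]) >= 2:
        return "rekeyed %d time(s) cleanly" % (len(s["established"]) - 1)
    if s["established"]:
        return "single IPsec SA, no rekey observed"
    return "no IPsec SA established"


# Shortened excerpts of the server logs quoted in the post (same lines, fewer of them).
XP_NATED_LOG = """\
Jun 27 14:05:29 vyatta pluto[3023]: "remote-access-mac-zzz"[1] 11.22.33.124 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jun 27 14:05:29 vyatta pluto[3023]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #2: IPsec SA established {ESP=>0xcd0cc176 <0xe0dddb1c NATOA=192.168.1.145}
Jun 27 14:11:02 vyatta pluto[3023]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #3: IPsec SA established {ESP=>0x791f5a31 <0x44b86277 NATOA=192.168.1.145}
Jun 27 14:11:02 vyatta pluto[3023]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #1: received Delete SA(0xcd0cc176) payload: deleting IPSEC State #2
"""
WIN7_NATED_LOG = """\
Jun 27 14:19:12 vyatta pluto[3235]: "remote-access-mac-zzz"[1] 11.22.33.124 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
Jun 27 14:19:12 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #2: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Jun 27 14:19:12 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #2: IPsec SA established {ESP=>0x0fe8a54c <0x54ddd63c NATOA=192.168.1.107}
Jun 27 14:20:25 vyatta pluto[3235]: "remote-access-mac-zzz"[3] 11.22.33.124:4500 #3: cannot install eroute -- it is in use for "remote-access-mac-zzz"[2] 11.22.33.124:4500 #2
Jun 27 14:20:27 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x02000000 (perhaps this is a duplicated packet)
Jun 27 14:20:30 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x02000000 (perhaps this is a duplicated packet)
Jun 27 14:20:37 vyatta pluto[3235]: "remote-access-mac-zzz"[2] 11.22.33.124:4500 #1: received Delete SA(0x0fe8a54c) payload: deleting IPSEC State #2
Jun 27 14:21:19 vyatta xl2tpd[2598]: Maximum retries exceeded for tunnel 39750. Closing.
"""

if __name__ == "__main__":
    for name, log in (("XP behind NAT", XP_NATED_LOG), ("Win7 behind NAT", WIN7_NATED_LOG)):
        print(name, "->", summarize_session(log)["verdict"])
```

Run against a whole syslog, grep one client's lines (by peer address or connection instance) first; the summary is meant for a single session.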

Hi, Here is one article that can be referred to: IPSec Troubleshooting http://technet.microsoft.com/en-us/library/cc783041(v=ws.10).aspx#BKMK_10
Ivan-Liu TechNet Community Support
July 1st, 2012 9:26pm

Hi Ivan-Liu, Thank you for your reply, but I didn't find any useful information at your link. I've compared the Main Mode SA and the Quick Mode SA details on the XP and Win7 machines with IP Security Monitor, but they are all the same. The only strange thing is that Generic Filters, Specific Filters and Negotiation Policies are empty on the Win7 machine. Another strange thing is that the default value for the Quick Mode SA lifetime is 60min/100.000KB, but the connection uses 60min/250.000KB. I've changed the default settings in the Group Policy ... Firewall and Advanced Security Settings ... IPSec ... Customize ... etc., but 60min/250.000KB is still used. Regards, Gabor
July 18th, 2012 4:38am

Hi Gabor, I have a similar problem with Win 7: main mode rekeying fails every time. To play around with the parameters, I've tried to reduce the main mode time-out, but I have the same problem as you: I tried everything, changed Firewall properties, Security rule, IPSec policy, even the corresponding registry key, but it remains fixed at 28800s (8hr). It looks like the default value is hardcoded and cannot be modified, but I cannot believe that this is really so. Very strange. For the rekeying problem, I noticed a very strange thing: my VPN box is a CISCO ASA, and when I look into the active Main Mode SA on the ASA, I noticed that the (public) IP address of my Win 7 client was reversed (4.3.2.1 instead of 1.2.3.4). So, maybe there is some big-endian <> little-endian bug when the endpoint is NATted? When the first SA is negotiated, this is apparently not a problem, but when rekeying starts, the ASA compares the incoming IP with the one in the SA, which is different, and refuses. The tunnel drops, but with the automatic redial, it is automatically restarted. I have both endpoints behind a NAT device, NAT-T is enabled and I've set the "AssumeUDPEncapsulationContext" registry key to 2. It's very annoying, because we have a lot of homeworkers in our company, and we have recently migrated from the legacy CISCO VPN client to the Windows native client, and now we are facing this problem. Hope that anyone can help. Regards, Carl
July 20th, 2012 4:23pm

Hi Carl, In my Win7 configuration the IPSec (hardcoded) expiration values are:
Main mode: 0KB/8hr
Quick mode: 250.000KB/1hr
Thanks to my quick mode rekeying problem, I never get my VPN working for more than 1hr, so I do not know about the main mode rekeying. I installed a Win8 desktop just to test its VPN connection, but it has the same rekeying issue. :( So after WinXP, something went wrong... It would be good if somebody at MS could test this issue and help us. Regards, Gabor
July 26th, 2012 3:51am

Hi, L2TP will not work in NAT-based networks; it will work only in a NAT-T network, which is available in all Windows versions. Did you check that your server AD Certificate Authority issued a certificate for the Win7 computer to authorize the computer and a user to access the VPN!? Thanks, Suren
Face the fact that we all have plenty to learn about this field. Deal with the failures, use them as motivation, learn something new every day. Claiming false credentials & phantom skillsets will not get you far, especially when 63248651487512645876531864 people in the universe know how to use the internet.
August 30th, 2012 9:07am

I am having this issue as well. Our hosting provider says this is an issue with Windows 7 and L2TP; XP runs fine. Microsoft? How about fixing it or providing some more information if you think it's not your problem??? Dave
August 30th, 2012 9:02pm

Hi Suren, In my configuration, NAT-T is configured. The certificate has nothing to do with it; my VPN box is a CISCO ASA, not a Windows server. I still have the problem that my tunnel drops after rekeying. Log messages are not clear. My first assumption was that P1 fails. In fact, my P1 lifetime was 8h and P2 was 60min. My tunnel drops after 6 hours (P1 rekeying at 75% of 8h), so it seems related to P1. But then I tried a P1 lifetime of 10min, and P2 of 60min. The tunnel then drops at 60 min. We tried some other values, and we conclude now that P2 rekeying fails after the first P1 rekeying. As long as P1 is not rekeyed, P2 works fine. But after P1 rekeying, P2 fails. Any idea? We will open a case at CISCO, because this continues to be really annoying.
September 8th, 2012 2:39pm
