
L2TP/IPSEC no longer working with Chrome OS / Chromebook >= version 57

I have used L2TP/IPSEC for a few months with my Chromebook and Sophos UTM as VPN server. Never had an issue until my Chromebook was updated last week from version 56 to version 57.

Since then, I'm not able to establish a VPN session anymore.

Tested the following:

1. On Chromebook configured L2TP/IPSEC to another VPN server: working

2. Tested VPN from my Android phone towards my Sophos UTM: working

 

Does anybody have the same issue and/or know a solution?

 

I have added debug logging from L2TP/IPSEC on the Sophos.

2017:03:30-08:00:00 sophos pluto[23565]: | *time to handle event
2017:03:30-08:00:00 sophos pluto[23565]: | event after this is EVENT_REINIT_SECRET in 632 seconds
2017:03:30-08:00:00 sophos pluto[23565]: | ICOOKIE: e5 bd a6 83 7f e4 83 e2
2017:03:30-08:00:00 sophos pluto[23565]: | RCOOKIE: 3f 4e 49 3c dd 67 26 a4
2017:03:30-08:00:00 sophos pluto[23565]: | peer: c2 cb d7 fe
2017:03:30-08:00:00 sophos pluto[23565]: | state hash entry 17
2017:03:30-08:00:00 sophos pluto[23565]: "L_for olof"[13] 194.203.215.254:226: deleting connection "L_for olof"[13] instance with peer 194.203.215.254 {isakmp=#0/ipsec=#0}
2017:03:30-08:00:00 sophos pluto[23565]: | certs and keys locked by 'delete_connection'
2017:03:30-08:00:00 sophos pluto[23565]: | certs and keys unlocked by 'delete_connection'
2017:03:30-08:00:00 sophos pluto[23565]: | next event EVENT_REINIT_SECRET in 632 seconds
2017:03:30-08:00:47 sophos pluto[23565]: |
2017:03:30-08:00:47 sophos pluto[23565]: | *received 340 bytes from 194.203.215.254:226 on eth0.34
2017:03:30-08:00:47 sophos pluto[23565]: | **parse ISAKMP Message:
2017:03:30-08:00:47 sophos pluto[23565]: | initiator cookie:
2017:03:30-08:00:47 sophos pluto[23565]: | e5 18 50 9f 14 1e be 6c
2017:03:30-08:00:47 sophos pluto[23565]: | responder cookie:
2017:03:30-08:00:47 sophos pluto[23565]: | 00 00 00 00 00 00 00 00
2017:03:30-08:00:47 sophos pluto[23565]: | next payload type: ISAKMP_NEXT_SA
2017:03:30-08:00:47 sophos pluto[23565]: | ISAKMP version: ISAKMP Version 1.0
2017:03:30-08:00:47 sophos pluto[23565]: | exchange type: ISAKMP_XCHG_IDPROT
2017:03:30-08:00:47 sophos pluto[23565]: | flags: none
2017:03:30-08:00:47 sophos pluto[23565]: | message ID: 00 00 00 00
2017:03:30-08:00:47 sophos pluto[23565]: | length: 340
2017:03:30-08:00:47 sophos pluto[23565]: | ***parse ISAKMP Security Association Payload:
2017:03:30-08:00:47 sophos pluto[23565]: | next payload type: ISAKMP_NEXT_VID
2017:03:30-08:00:47 sophos pluto[23565]: | length: 240
2017:03:30-08:00:47 sophos pluto[23565]: | DOI: ISAKMP_DOI_IPSEC
2017:03:30-08:00:47 sophos pluto[23565]: | ***parse ISAKMP Vendor ID Payload:
2017:03:30-08:00:47 sophos pluto[23565]: | next payload type: ISAKMP_NEXT_VID
2017:03:30-08:00:47 sophos pluto[23565]: | length: 12
2017:03:30-08:00:47 sophos pluto[23565]: | ***parse ISAKMP Vendor ID Payload:
2017:03:30-08:00:47 sophos pluto[23565]: | next payload type: ISAKMP_NEXT_VID
2017:03:30-08:00:47 sophos pluto[23565]: | length: 20
2017:03:30-08:00:47 sophos pluto[23565]: | ***parse ISAKMP Vendor ID Payload:
2017:03:30-08:00:47 sophos pluto[23565]: | next payload type: ISAKMP_NEXT_VID
2017:03:30-08:00:47 sophos pluto[23565]: | length: 20
2017:03:30-08:00:47 sophos pluto[23565]: | ***parse ISAKMP Vendor ID Payload:
2017:03:30-08:00:47 sophos pluto[23565]: | next payload type: ISAKMP_NEXT_NONE
2017:03:30-08:00:47 sophos pluto[23565]: | length: 20
2017:03:30-08:00:47 sophos pluto[23565]: packet from 194.203.215.254:226: received Vendor ID payload [XAUTH]
2017:03:30-08:00:47 sophos pluto[23565]: packet from 194.203.215.254:226: received Vendor ID payload [Dead Peer Detection]
2017:03:30-08:00:47 sophos pluto[23565]: packet from 194.203.215.254:226: received Vendor ID payload [RFC 3947]
2017:03:30-08:00:47 sophos pluto[23565]: packet from 194.203.215.254:226: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2017:03:30-08:00:47 sophos pluto[23565]: | ****parse IPsec DOI SIT:
2017:03:30-08:00:47 sophos pluto[23565]: | IPsec DOI SIT: SIT_IDENTITY_ONLY
2017:03:30-08:00:47 sophos pluto[23565]: | ****parse ISAKMP Proposal Payload:
2017:03:30-08:00:47 sophos pluto[23565]: | next payload type: ISAKMP_NEXT_NONE
2017:03:30-08:00:47 sophos pluto[23565]: | length: 228
2017:03:30-08:00:47 sophos pluto[23565]: | proposal number: 0
2017:03:30-08:00:47 sophos pluto[23565]: | protocol ID: PROTO_ISAKMP
2017:03:30-08:00:47 sophos pluto[23565]: | SPI size: 0
2017:03:30-08:00:47 sophos pluto[23565]: | number of transforms: 7
2017:03:30-08:00:47 sophos pluto[23565]: | *****parse ISAKMP Transform Payload (ISAKMP):
2017:03:30-08:00:47 sophos pluto[23565]: | next payload type: ISAKMP_NEXT_T
2017:03:30-08:00:47 sophos pluto[23565]: | length: 24
2017:03:30-08:00:47 sophos pluto[23565]: | transform number: 1
2017:03:30-08:00:47 sophos pluto[23565]: | transform ID: KEY_IKE
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_GROUP_DESCRIPTION
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 15
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_AUTHENTICATION_METHOD
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 1
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_LIFE_TYPE
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 1
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_LIFE_DURATION
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 10800
2017:03:30-08:00:47 sophos pluto[23565]: | *****parse ISAKMP Transform Payload (ISAKMP):
2017:03:30-08:00:47 sophos pluto[23565]: | next payload type: ISAKMP_NEXT_T
2017:03:30-08:00:47 sophos pluto[23565]: | length: 36
2017:03:30-08:00:47 sophos pluto[23565]: | transform number: 2
2017:03:30-08:00:47 sophos pluto[23565]: | transform ID: KEY_IKE
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_ENCRYPTION_ALGORITHM
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 7
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_KEY_LENGTH
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 128
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_HASH_ALGORITHM
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 4
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_GROUP_DESCRIPTION
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 15
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_AUTHENTICATION_METHOD
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 1
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_LIFE_TYPE
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 1
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_LIFE_DURATION
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 10800
2017:03:30-08:00:47 sophos pluto[23565]: | *****parse ISAKMP Transform Payload (ISAKMP):
2017:03:30-08:00:47 sophos pluto[23565]: | next payload type: ISAKMP_NEXT_T
2017:03:30-08:00:47 sophos pluto[23565]: | length: 36
2017:03:30-08:00:47 sophos pluto[23565]: | transform number: 3
2017:03:30-08:00:47 sophos pluto[23565]: | transform ID: KEY_IKE
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_ENCRYPTION_ALGORITHM
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 7
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_KEY_LENGTH
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 128
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_HASH_ALGORITHM
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 2
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_GROUP_DESCRIPTION
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 14
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_AUTHENTICATION_METHOD
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 1
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_LIFE_TYPE
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 1
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_LIFE_DURATION
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 10800
2017:03:30-08:00:47 sophos pluto[23565]: | *****parse ISAKMP Transform Payload (ISAKMP):
2017:03:30-08:00:47 sophos pluto[23565]: | next payload type: ISAKMP_NEXT_T
2017:03:30-08:00:47 sophos pluto[23565]: | length: 32
2017:03:30-08:00:47 sophos pluto[23565]: | transform number: 4
2017:03:30-08:00:47 sophos pluto[23565]: | transform ID: KEY_IKE
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_ENCRYPTION_ALGORITHM
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 5
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_HASH_ALGORITHM
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 2
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_GROUP_DESCRIPTION
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 5
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_AUTHENTICATION_METHOD
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 1
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_LIFE_TYPE
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 1
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_LIFE_DURATION
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 10800
2017:03:30-08:00:47 sophos pluto[23565]: | *****parse ISAKMP Transform Payload (ISAKMP):
2017:03:30-08:00:47 sophos pluto[23565]: | next payload type: ISAKMP_NEXT_T
2017:03:30-08:00:47 sophos pluto[23565]: | length: 32
2017:03:30-08:00:47 sophos pluto[23565]: | transform number: 5
2017:03:30-08:00:47 sophos pluto[23565]: | transform ID: KEY_IKE
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_ENCRYPTION_ALGORITHM
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 5
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_HASH_ALGORITHM
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 2
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_GROUP_DESCRIPTION
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 2
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_AUTHENTICATION_METHOD
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 1
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_LIFE_TYPE
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 1
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_LIFE_DURATION
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 10800
2017:03:30-08:00:47 sophos pluto[23565]: | *****parse ISAKMP Transform Payload (ISAKMP):
2017:03:30-08:00:47 sophos pluto[23565]: | next payload type: ISAKMP_NEXT_T
2017:03:30-08:00:47 sophos pluto[23565]: | length: 36
2017:03:30-08:00:47 sophos pluto[23565]: | transform number: 6
2017:03:30-08:00:47 sophos pluto[23565]: | transform ID: KEY_IKE
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_ENCRYPTION_ALGORITHM
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 7
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_KEY_LENGTH
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 128
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_HASH_ALGORITHM
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 4
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_GROUP_DESCRIPTION
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 19
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_AUTHENTICATION_METHOD
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 1
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_LIFE_TYPE
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 1
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_LIFE_DURATION
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 10800
2017:03:30-08:00:47 sophos pluto[23565]: | *****parse ISAKMP Transform Payload (ISAKMP):
2017:03:30-08:00:47 sophos pluto[23565]: | next payload type: ISAKMP_NEXT_NONE
2017:03:30-08:00:47 sophos pluto[23565]: | length: 24
2017:03:30-08:00:47 sophos pluto[23565]: | transform number: 7
2017:03:30-08:00:47 sophos pluto[23565]: | transform ID: KEY_IKE
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_GROUP_DESCRIPTION
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 19
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_AUTHENTICATION_METHOD
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 1
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_LIFE_TYPE
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 1
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_LIFE_DURATION
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 10800
2017:03:30-08:00:47 sophos pluto[23565]: | preparse_isakmp_policy: peer requests PSK authentication
2017:03:30-08:00:47 sophos pluto[23565]: | instantiated "L_for olof" for 194.203.215.254
2017:03:30-08:00:47 sophos pluto[23565]: | creating state object #14 at 0x9160630
2017:03:30-08:00:47 sophos pluto[23565]: | ICOOKIE: e5 18 50 9f 14 1e be 6c
2017:03:30-08:00:47 sophos pluto[23565]: | RCOOKIE: 58 d8 3d 24 2e cd d3 17
2017:03:30-08:00:47 sophos pluto[23565]: | peer: c2 cb d7 fe
2017:03:30-08:00:47 sophos pluto[23565]: | state hash entry 26
2017:03:30-08:00:47 sophos pluto[23565]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #14
2017:03:30-08:00:47 sophos pluto[23565]: "L_for olof"[14] 194.203.215.254:226 #14: responding to Main Mode from unknown peer 194.203.215.254:226
2017:03:30-08:00:47 sophos pluto[23565]: | **emit ISAKMP Message:
2017:03:30-08:00:47 sophos pluto[23565]: | initiator cookie:
2017:03:30-08:00:47 sophos pluto[23565]: | e5 18 50 9f 14 1e be 6c
2017:03:30-08:00:47 sophos pluto[23565]: | responder cookie:
2017:03:30-08:00:47 sophos pluto[23565]: | 58 d8 3d 24 2e cd d3 17
2017:03:30-08:00:47 sophos pluto[23565]: | next payload type: ISAKMP_NEXT_SA
2017:03:30-08:00:47 sophos pluto[23565]: | ISAKMP version: ISAKMP Version 1.0
2017:03:30-08:00:47 sophos pluto[23565]: | exchange type: ISAKMP_XCHG_IDPROT
2017:03:30-08:00:47 sophos pluto[23565]: | flags: none
2017:03:30-08:00:47 sophos pluto[23565]: | message ID: 00 00 00 00
2017:03:30-08:00:47 sophos pluto[23565]: | ***emit ISAKMP Security Association Payload:
2017:03:30-08:00:47 sophos pluto[23565]: | next payload type: ISAKMP_NEXT_VID
2017:03:30-08:00:47 sophos pluto[23565]: | DOI: ISAKMP_DOI_IPSEC
2017:03:30-08:00:47 sophos pluto[23565]: | *****parse ISAKMP Transform Payload (ISAKMP):
2017:03:30-08:00:47 sophos pluto[23565]: | next payload type: ISAKMP_NEXT_T
2017:03:30-08:00:47 sophos pluto[23565]: | length: 24
2017:03:30-08:00:47 sophos pluto[23565]: | transform number: 1
2017:03:30-08:00:47 sophos pluto[23565]: | transform ID: KEY_IKE
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_GROUP_DESCRIPTION
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 15
2017:03:30-08:00:47 sophos pluto[23565]: | [15 is MODP_3072]
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_AUTHENTICATION_METHOD
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 1
2017:03:30-08:00:47 sophos pluto[23565]: | [1 is pre-shared key]
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_LIFE_TYPE
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 1
2017:03:30-08:00:47 sophos pluto[23565]: | [1 is OAKLEY_LIFE_SECONDS]
2017:03:30-08:00:47 sophos pluto[23565]: | ******parse ISAKMP Oakley attribute:
2017:03:30-08:00:47 sophos pluto[23565]: | af+type: OAKLEY_LIFE_DURATION
2017:03:30-08:00:47 sophos pluto[23565]: | length/value: 10800
2017:03:30-08:00:47 sophos pluto[23565]: "L_for olof"[14] 194.203.215.254:226 #14: missing mandatory attribute(s) OAKLEY_HASH_ALGORITHM+OAKLEY_AUTHENTICATION_METHOD in Oakley Transform 1
2017:03:30-08:00:47 sophos pluto[23565]: "L_for olof"[14] 194.203.215.254:226 #14: sending notification BAD_PROPOSAL_SYNTAX to 194.203.215.254:226
2017:03:30-08:00:47 sophos pluto[23565]: | **emit ISAKMP Message:
2017:03:30-08:00:47 sophos pluto[23565]: | initiator cookie:
2017:03:30-08:00:47 sophos pluto[23565]: | e5 18 50 9f 14 1e be 6c
2017:03:30-08:00:47 sophos pluto[23565]: | responder cookie:
2017:03:30-08:00:47 sophos pluto[23565]: | 58 d8 3d 24 2e cd d3 17
2017:03:30-08:00:47 sophos pluto[23565]: | next payload type: ISAKMP_NEXT_N
2017:03:30-08:00:47 sophos pluto[23565]: | ISAKMP version: ISAKMP Version 1.0
2017:03:30-08:00:47 sophos pluto[23565]: | exchange type: ISAKMP_XCHG_INFO
2017:03:30-08:00:47 sophos pluto[23565]: | flags: none
2017:03:30-08:00:47 sophos pluto[23565]: | message ID: 00 00 00 00
2017:03:30-08:00:47 sophos pluto[23565]: | ***emit ISAKMP Notification Payload:
2017:03:30-08:00:47 sophos pluto[23565]: | next payload type: ISAKMP_NEXT_NONE
2017:03:30-08:00:47 sophos pluto[23565]: | DOI: ISAKMP_DOI_IPSEC
2017:03:30-08:00:47 sophos pluto[23565]: | protocol ID: 1
2017:03:30-08:00:47 sophos pluto[23565]: | SPI size: 0
2017:03:30-08:00:47 sophos pluto[23565]: | Notify Message Type: BAD_PROPOSAL_SYNTAX
2017:03:30-08:00:47 sophos pluto[23565]: | emitting 0 raw bytes of spi into ISAKMP Notification Payload
2017:03:30-08:00:47 sophos pluto[23565]: | spi
2017:03:30-08:00:47 sophos pluto[23565]: | emitting length of ISAKMP Notification Payload: 12
2017:03:30-08:00:47 sophos pluto[23565]: | emitting length of ISAKMP Message: 40
2017:03:30-08:00:47 sophos pluto[23565]: | state transition function for STATE_MAIN_R0 failed: BAD_PROPOSAL_SYNTAX
2017:03:30-08:00:47 sophos pluto[23565]: | next event EVENT_SO_DISCARD in 0 seconds for #14
2017:03:30-08:00:47 sophos pluto[23565]: |
2017:03:30-08:00:47 sophos pluto[23565]: | *time to handle event
2017:03:30-08:00:47 sophos pluto[23565]: | event after this is EVENT_REINIT_SECRET in 585 seconds
2017:03:30-08:00:47 sophos pluto[23565]: | ICOOKIE: e5 18 50 9f 14 1e be 6c
2017:03:30-08:00:47 sophos pluto[23565]: | RCOOKIE: 58 d8 3d 24 2e cd d3 17
2017:03:30-08:00:47 sophos pluto[23565]: | peer: c2 cb d7 fe
2017:03:30-08:00:47 sophos pluto[23565]: | state hash entry 26
2017:03:30-08:00:47 sophos pluto[23565]: "L_for olof"[14] 194.203.215.254:226: deleting connection "L_for olof"[14] instance with peer 194.203.215.254 {isakmp=#0/ipsec=#0}
2017:03:30-08:00:47 sophos pluto[23565]: | certs and keys locked by 'delete_connection'
2017:03:30-08:00:47 sophos pluto[23565]: | certs and keys unlocked by 'delete_connection'
2017:03:30-08:00:47 sophos pluto[23565]: | next event EVENT_REINIT_SECRET in 585 seconds
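
Added example, not part of the original post and not Sophos code: a small Python parser for pluto debug output in the format pasted above. It groups the Oakley attributes per transform and reports every transform that lacks one of the four attributes RFC 2409 requires in an IKEv1 phase 1 proposal. The sample input is constructed from the values of transforms 1 and 2 in the log above; all function names are this example's own.

```python
import re

# RFC 2409 section 4: these four attributes MUST be negotiated in phase 1.
MANDATORY = (
    "OAKLEY_ENCRYPTION_ALGORITHM",
    "OAKLEY_HASH_ALGORITHM",
    "OAKLEY_AUTHENTICATION_METHOD",
    "OAKLEY_GROUP_DESCRIPTION",
)

# IANA IKEv1 attribute values that occur in the log above.
NAMES = {
    "OAKLEY_ENCRYPTION_ALGORITHM": {5: "3DES_CBC", 7: "AES_CBC"},
    "OAKLEY_HASH_ALGORITHM": {2: "SHA1", 4: "SHA2_256"},
    "OAKLEY_AUTHENTICATION_METHOD": {1: "pre-shared key"},
    "OAKLEY_GROUP_DESCRIPTION": {2: "MODP_1024", 5: "MODP_1536",
                                 14: "MODP_2048", 15: "MODP_3072", 19: "ECP_256"},
}

# Debug lines look like "... pluto[23565]: | ******parse ISAKMP Oakley attribute:"
DEBUG_LINE = re.compile(r"pluto\[\d+\]: \| \**(.*)$")


def parse_transforms(log_text):
    """Return {transform number: {attribute: value}} for the last IKE message."""
    transforms, current, pending = {}, None, None
    for raw in log_text.splitlines():
        m = DEBUG_LINE.search(raw)
        if not m:
            continue  # non-debug line such as "packet from ...: received Vendor ID"
        body = m.group(1).strip()
        if body.startswith("received "):  # a new packet starts: forget the old one
            transforms, current, pending = {}, None, None
        elif body.startswith("transform number:"):
            # pluto prints a transform again while answering; the copy overwrites.
            current = transforms[int(body.split(":", 1)[1])] = {}
        elif body.startswith("af+type:") and current is not None:
            pending = body.split(":", 1)[1].strip()
        elif body.startswith("length/value:") and pending is not None:
            current[pending] = int(body.split(":", 1)[1])
            pending = None
    return transforms


def missing_mandatory(transforms):
    """Return {transform number: [mandatory attributes that are absent]}."""
    report = {}
    for number in sorted(transforms):
        missing = [a for a in MANDATORY if a not in transforms[number]]
        if missing:
            report[number] = missing
    return report


def describe(attrs):
    """Render one transform with symbolic names where the value is known."""
    parts = []
    for name, value in attrs.items():
        label = NAMES.get(name, dict()).get(value, value)
        parts.append(name.replace("OAKLEY_", "") + "=" + str(label))
    return ", ".join(parts)


# Constructed sample: transforms 1 and 2 rendered in pluto's debug format.
PREFIX = "2017:03:30-08:00:47 sophos pluto[23565]: | "


def _transform_lines(number, attrs):
    out = [PREFIX + "*****parse ISAKMP Transform Payload (ISAKMP):",
           PREFIX + "transform number: %d" % number]
    for name, value in attrs:
        out += [PREFIX + "******parse ISAKMP Oakley attribute:",
                PREFIX + "af+type: OAKLEY_" + name,
                PREFIX + "length/value: %d" % value]
    return out


SAMPLE_LOG = "\n".join(
    [PREFIX + "*received 340 bytes from 194.203.215.254:226 on eth0.34"]
    + _transform_lines(1, [("GROUP_DESCRIPTION", 15), ("AUTHENTICATION_METHOD", 1),
                           ("LIFE_TYPE", 1), ("LIFE_DURATION", 10800)])
    + _transform_lines(2, [("ENCRYPTION_ALGORITHM", 7), ("KEY_LENGTH", 128),
                           ("HASH_ALGORITHM", 4), ("GROUP_DESCRIPTION", 15),
                           ("AUTHENTICATION_METHOD", 1), ("LIFE_TYPE", 1),
                           ("LIFE_DURATION", 10800)])
)

if __name__ == "__main__":
    parsed = parse_transforms(SAMPLE_LOG)
    for number, attrs in sorted(parsed.items()):
        print(number, describe(attrs))
    print("incomplete transforms:", missing_mandatory(parsed))
```

Running `parse_transforms` on the full debug log saved from the UTM gives the same per-transform view for all seven transforms the client offered.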



This thread was automatically locked due to age.
  • Hi, Olof, and welcome to the UTM Community!

    Please disable debug and replace the log in your post with a new attempt.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Logging with disabled debugging:
     
    2017:04:02-07:03:05 sophos pluto[15738]: packet from 10.2.0.109:500: received Vendor ID payload [XAUTH]
    2017:04:02-07:03:05 sophos pluto[15738]: packet from 10.2.0.109:500: received Vendor ID payload [Dead Peer Detection]
    2017:04:02-07:03:05 sophos pluto[15738]: packet from 10.2.0.109:500: received Vendor ID payload [RFC 3947]
    2017:04:02-07:03:05 sophos pluto[15738]: packet from 10.2.0.109:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2017:04:02-07:03:05 sophos pluto[15738]: "L_for olof"[2] 10.2.0.109 #2: responding to Main Mode from unknown peer 10.2.0.109
    2017:04:02-07:03:05 sophos pluto[15738]: "L_for olof"[2] 10.2.0.109 #2: missing mandatory attribute(s) OAKLEY_HASH_ALGORITHM+OAKLEY_AUTHENTICATION_METHOD in Oakley Transform 1
    2017:04:02-07:03:05 sophos pluto[15738]: "L_for olof"[2] 10.2.0.109 #2: sending notification BAD_PROPOSAL_SYNTAX to 10.2.0.109:500
    2017:04:02-07:03:05 sophos pluto[15738]: "L_for olof"[2] 10.2.0.109: deleting connection "L_for olof"[2] instance with peer 10.2.0.109 {isakmp=#0/ipsec=#0}
     
     
    Does anybody have the combination Chromebook with version >=57, Sophos UTM and L2TP/IPSEC running without issues?
    Just to be sure, I also performed a powerwash on the Chromebook, but no difference.
  • Since it's right after Main Mode, my guess would be an incorrect or missing PSK.

    Cheers - Bob

     
  • Hi Bob,

    Thanks for helping.

    I know for sure it is not a missing PSK key. Reconfigured my VPN settings several times and double-checked again. Not that complicated on a Chromebook.

    Below are a non-working and a working log.

     

    Chromebook OS version 57: --> VPN towards Sophos not working
    2017:04:03-11:24:50 sophos pluto[15738]: packet from 10.2.0.x:500: received Vendor ID payload [XAUTH]
    2017:04:03-11:24:50 sophos pluto[15738]: packet from 10.2.0.x:500: received Vendor ID payload [Dead Peer Detection]
    2017:04:03-11:24:50 sophos pluto[15738]: packet from 10.2.0.x:500: received Vendor ID payload [RFC 3947]
    2017:04:03-11:24:50 sophos pluto[15738]: packet from 10.2.0.109:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2017:04:03-11:24:50 sophos pluto[15738]: "L_for xxxxx"[3] 10.2.0.x #3: responding to Main Mode from unknown peer 10.2.0.x
    2017:04:03-11:24:50 sophos pluto[15738]: "L_for xxxxx"[3] 10.2.0.x #3: missing mandatory attribute(s) OAKLEY_HASH_ALGORITHM+OAKLEY_AUTHENTICATION_METHOD in Oakley Transform 1
    2017:04:03-11:24:50 sophos pluto[15738]: "L_for xxxxx"[3] 10.2.0.x #3: sending notification BAD_PROPOSAL_SYNTAX to 10.2.0.x:500
    2017:04:03-11:24:50 sophos pluto[15738]: "L_for xxxxx"[3] 10.2.0.x: deleting connection "L_for xxxxx"[3] instance with peer 10.2.0.x {isakmp=#0/ipsec=#0}


    Android Mobile: --> VPN towards Sophos working
    2017:04:03-11:25:36 sophos pluto[15738]: packet from 10.2.0.x:500: received Vendor ID payload [RFC 3947]
    2017:04:03-11:25:36 sophos pluto[15738]: packet from 10.2.0.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
    2017:04:03-11:25:36 sophos pluto[15738]: packet from 10.2.0.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2017:04:03-11:25:36 sophos pluto[15738]: packet from 10.2.0.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    2017:04:03-11:25:36 sophos pluto[15738]: packet from 10.2.0.x:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
    2017:04:03-11:25:36 sophos pluto[15738]: packet from 10.2.0.x:500: received Vendor ID payload [Dead Peer Detection]
    2017:04:03-11:25:36 sophos pluto[15738]: "L_for xxxxx"[4] 10.2.0.x #4: responding to Main Mode from unknown peer 10.2.0.x
    2017:04:03-11:25:36 sophos pluto[15738]: "L_for xxxxx"[4] 10.2.0.x #4: NAT-Traversal: Result using RFC 3947: no NAT detected
    2017:04:03-11:25:36 sophos pluto[15738]: "L_for xxxxx"[4] 10.2.0.x #4: Peer ID is ID_IPV4_ADDR: '10.2.0.x'
    2017:04:03-11:25:36 sophos pluto[15738]: "L_for xxxxx"[4] 10.2.0.x #4: Dead Peer Detection (RFC 3706) enabled
    2017:04:03-11:25:36 sophos pluto[15738]: "L_for xxxxx"[4] 10.2.0.x #4: sent MR3, ISAKMP SA established
    2017:04:03-11:25:36 sophos pluto[15738]: "L_for xxxxx"[4] 10.2.0.x #4: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    2017:04:03-11:25:37 sophos pluto[15738]: "L_for xxxxx"[1] 10.2.0.x #5: responding to Quick Mode
    2017:04:03-11:25:37 sophos pluto[15738]: "L_for xxxxx"[1] 10.2.0.x #5: IPsec SA established {ESP=>0x078b3050 <0xb14b1eb0 DPD}
    2017:04:03-11:25:39 sophos pppd-l2tp[3115]: Plugin aua.so loaded.
    2017:04:03-11:25:39 sophos pppd-l2tp[3115]: AUA plugin initialized.
    2017:04:03-11:25:39 sophos pppd-l2tp[3115]: Plugin ippool.so loaded.
    2017:04:03-11:25:39 sophos pppd-l2tp[3115]: Plugin pppol2tp.so loaded.
    2017:04:03-11:25:39 sophos pppd-l2tp[3115]: pppd 2.4.5 started by (unknown), uid 0
    2017:04:03-11:25:39 sophos pppd-l2tp[3115]: Using interface ppp0
    2017:04:03-11:25:39 sophos pppd-l2tp[3115]: Connect: ppp0 <-->
    2017:04:03-11:25:39 sophos pppd-l2tp[3115]: Overriding mtu 1500 to 1380
    2017:04:03-11:25:39 sophos pppd-l2tp[3115]: Overriding mru 1500 to mtu value 1380
    2017:04:03-11:25:42 sophos pppd-l2tp[3115]: Overriding mtu 1400 to 1380
    2017:04:03-11:25:44 sophos pppd-l2tp[3115]: Cannot determine ethernet address for proxy ARP
    2017:04:03-11:25:44 sophos pppd-l2tp[3115]: local IP address 10.242.3.1
    2017:04:03-11:25:44 sophos pppd-l2tp[3115]: remote IP address 10.242.3.2
    2017:04:03-11:25:44 sophos pppd-l2tp[3115]: id="2201" severity="info" sys="SecureNet" sub="vpn" event="Connection started" username="xxxxx" variant="l2tp" srcip="10.2.0.x" virtual_ip="10.242.3.2"

  • This is actually something broken in ChromeOS 57.  The ChromeOS development team is aware of the issue and have a fix coming:

    Google for L2TP / IPSEC possibly broken since M57, or use this direct link:   bugs.chromium.org/.../detail

    Cheers,

    AndyB.

  • Bug is solved in Chrome OS version 58.0.3029.112 (64-bit)