
L2TP Dialin stopped working

Hello Community,

I have a problem on a firewall: the L2TP dial-in does not work anymore. Until yesterday it had worked; it only had the problem that the PSK changed (community.sophos.com/.../l2tp-psk-issue). Yesterday I reset the SSMK (Secure Storage Master Key) on the firewall and then re-entered the L2TP PSK on the firewall. Now I get this message on the client (Windows 10):

Can't connect to The L2TP connection attempt failed because the security layer could not negotiate compatible parameters with the remote computer.

Restarting the VPN processes and rebooting the firewall did not change anything either. Likewise, deleting the L2TP configuration and creating it again did not change anything.

On the Windows client I deleted the L2TP connection and created it again. This also did not change anything. The above error message appears very quickly.

When I look at the L2TP log with "show vpn L2TP-logs", I don't see any connection-setup entries:

console> show vpn L2TP-logs
xl2tpd[21823]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[21823]: death_handler: Fatal signal 15 received
xl2tpd[7334]: Not looking for kernel SAref support.
xl2tpd[7334]: L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp)
xl2tpd[7334]: xl2tpd version xl2tpd-1.3.10 started on localhost PID:7334
xl2tpd[7334]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[7334]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[7334]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[7334]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[7334]: Listening on IP address 0.0.0.0, port 1701

If I look at the whole thing with tcpdump, I see exactly 2 packets and then the error message appears immediately on the client:

SG550_XN01_SFOS 18.0.5 MR-5# tcpdump -i PortA1 host 80.xxx.xxx.xxx -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on PortA1, link-type EN10MB (Ethernet), capture size 262144 bytes
09:24:38.218078 PortA1, IN: IP 80.xxx.xxx.xxx.500 > yyy.yyy.yyy.254.500: isakmp: phase 1 I ident
09:24:38.218854 PortA1, OUT: IP yyy.yyy.yyy.254.500 > 80.xxx.xxx.xxx.500: isakmp: phase 2/others R inf

When I look into the "strongswan.log" I see that the "received proposals" do not match the "configured proposals". On the firewall I use the "DefaultL2TP" policy. I compared this with other firewalls (on which the dial-in works) and the same settings are set. From my client I can connect to the other sites. This log is from the dial-up that is not working:

2021-04-29 09:27:31 29[NET] <177> received packet: from 80.xxx.xxx.xxx[500] to yyy.yyy.yyy.254[500] (408 bytes)
2021-04-29 09:27:31 29[ENC] <177> parsed ID_PROT request 0 [ SA V V V V V V V V ]
2021-04-29 09:27:31 29[ENC] <177> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
2021-04-29 09:27:31 29[IKE] <177> received MS NT5 ISAKMPOAKLEY vendor ID
2021-04-29 09:27:31 29[IKE] <177> received NAT-T (RFC 3947) vendor ID
2021-04-29 09:27:31 29[IKE] <177> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2021-04-29 09:27:31 29[IKE] <177> received FRAGMENTATION vendor ID
2021-04-29 09:27:31 29[ENC] <177> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
2021-04-29 09:27:31 29[ENC] <177> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
2021-04-29 09:27:31 29[ENC] <177> received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
2021-04-29 09:27:31 29[IKE] <177> 80.xxx.xxx.xxx is initiating a Main Mode IKE_SA
2021-04-29 09:27:31 29[CFG] <177> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
2021-04-29 09:27:31 29[CFG] <177> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048
2021-04-29 09:27:31 29[IKE] <177> no proposal found
2021-04-29 09:27:31 29[ENC] <177> generating INFORMATIONAL_V1 request 2767287564 [ N(NO_PROP) ]
2021-04-29 09:27:31 29[NET] <177> sending packet: from yyy.yyy.yyy.254[500] to 80.xxx.xxx.xxx[500] (56 bytes)

The firewall on which the problem occurs is my firewall for the migration of my old UTM and unfortunately has only a base license at the moment, so I cannot open an official support case. Maybe someone in the community has a tip for me?


Thanks,

Ben
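As an added example (not code from this thread, from Sophos, or from strongSwan), the Python below re-implements the per-transform-type intersection behind charon's "no proposal found" and runs it over the two CFG lines from the log above. For each suite the Windows client offered it reports which transform types no configured proposal covers: every suite is rejected on integrity and PRF, because the responder's configured set contains no HMAC_SHA1_96 or PRF_HMAC_SHA1 at all, and the 3DES and MODP_1024 suites are rejected on more. It also pulls the connection name out of charon's "<name|id>" context tag, the difference between "<177>" here and "<L2TP_VDSL-1|27338>" in the working log Ben posts in his first reply. The SHA1_RESPONDER line is constructed for illustration only and is not the contents of the real DefaultL2TP policy.

```python
import re
from typing import Dict, List, Set, Tuple

TYPES = ("encr", "integ", "prf", "dh")
# Prefix tables follow the algorithm names charon prints.  Order matters:
# PRF_ before HMAC_, and the MACs AES_XCBC/AES_CMAC before the AES_ ciphers.
PREFIXES = {
    "prf":   ("PRF_",),
    "integ": ("HMAC_", "AES_XCBC", "AES_CMAC"),
    "dh":    ("MODP_", "ECP_", "CURVE_"),
    "encr":  ("AES_", "3DES_", "DES_", "CAMELLIA_", "CHACHA20", "NULL"),
}
Proposal = Dict[str, Set[str]]
LINE_RE = re.compile(r"(received|configured) proposals: (.+)$")
CTX_RE = re.compile(r" <(?:(?P<conn>[^|>]+)\|)?(?P<id>\d+)> ")


def classify(alg: str) -> str:
    for ttype, prefixes in PREFIXES.items():
        if alg.startswith(prefixes):
            return ttype
    raise ValueError(f"unknown transform {alg!r}")


def parse_proposal(text: str) -> Proposal:
    """'IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384' -> algorithms per type."""
    _proto, _, algs = text.partition(":")
    prop: Proposal = {t: set() for t in TYPES}
    for alg in algs.split("/"):
        prop[classify(alg)].add(alg)
    return prop


def parse_log_line(line: str) -> List[Tuple[str, Proposal]]:
    """(suite text, parsed suite) for every proposal on a CFG proposals line."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not a proposals line")
    return [(p, parse_proposal(p)) for p in m.group(2).split(", ")]


def conn_name(line: str) -> str:
    """Connection name from the '<name|id>' context tag; '' when the IKE_SA was
    never matched to a configured connection and the tag is only '<id>'."""
    m = CTX_RE.search(line)
    return (m.group("conn") or "") if m else ""


def missing_types(received: Proposal, configured: Proposal) -> List[str]:
    """Types the initiator's suite needs that this configured proposal lacks.
    AEAD suites carry no integrity transform, so an empty set never counts."""
    return [t for t in TYPES if received[t] and not (received[t] & configured[t])]


def diagnose(received_line: str, configured_line: str) -> Dict[str, List[str]]:
    """Per received suite, the types the closest configured proposal cannot
    satisfy.  An empty list means the responder would accept that suite."""
    configured = [c for _, c in parse_log_line(configured_line)]
    return {text: min((missing_types(r, c) for c in configured), key=len)
            for text, r in parse_log_line(received_line)}


def acceptable(received_line: str, configured_line: str) -> bool:
    return any(not miss for miss in diagnose(received_line, configured_line).values())


# The two CFG lines copied from the failing firewall's strongswan.log above.
RECEIVED = (
    "2021-04-29 09:27:31 29[CFG] <177> received proposals: "
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, "
    "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, "
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024")
CONFIGURED = (
    "2021-04-29 09:27:31 29[CFG] <177> configured proposals: "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
    "IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/"
    "CAMELLIA_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/"
    "AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/"
    "PRF_AES128_XCBC/PRF_AES128_CMAC/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/"
    "ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048, "
    "IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/"
    "AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/"
    "PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/ECP_256/"
    "ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/"
    "MODP_4096/MODP_8192/MODP_2048")
# Constructed for illustration only (NOT the real DefaultL2TP policy): a
# responder proposal that still offers the SHA1 integrity/PRF Windows sends.
SHA1_RESPONDER = (
    "2021-04-29 09:27:31 29[CFG] <L2TP_example|1> configured proposals: "
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048")

if __name__ == "__main__":
    for suite, miss in diagnose(RECEIVED, CONFIGURED).items():
        print(suite, "->", "accepted" if not miss else "rejected, no common " + "/".join(miss))
    print("connection named in context tag:", repr(conn_name(RECEIVED)))
    print("any suite acceptable as logged:", acceptable(RECEIVED, CONFIGURED))
    print("with the constructed SHA1 responder:", acceptable(RECEIVED, SHA1_RESPONDER))
```

The useful check when comparing a working and a broken firewall is therefore not the IKE policy name but the actual "configured proposals" line charon logs for the failing IKE_SA, together with whether its context tag carries a connection name: a policy that is identical in the UI on both boxes cannot produce this "no proposal found" unless the request was matched to something other than the L2TP connection.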



This thread was automatically locked due to age.
  • I have compared the logs from a firewall where dial-in works with a firewall where dial-in does not work. When dialup works the log looks like this:

    2021-04-29 13:55:41 01[NET] <L2TP_VDSL-1|27338> received packet: from 80.xxx.xxx.xxx[4500] to 192.168.zzz.zzz[4500] (76 bytes)
    2021-04-29 13:55:41 01[ENC] <L2TP_VDSL-1|27338> parsed INFORMATIONAL_V1 request 2982490368 [ HASH D ]
    2021-04-29 13:55:41 01[IKE] <L2TP_VDSL-1|27338> received DELETE for ESP CHILD_SA with SPI 44342b66.

    "L2TP_VDSL" is the name of the connection; this is missing on my firewall where dial-up is not working. On that one, the log only says "177". Next I deleted the L2TP connection. Nothing changed in the logs when I tried to establish the tunnel. This made me wonder. On the firewall, IPsec tunnels are configured which are set to "Response Only" and are not connected. Even after disabling these tunnels, I could not connect via L2TP VPN.

    I then put the L2TP dial-up on another public IP (so IPsec S2S/tunnel interfaces are separated from L2TP), and with the other public IP the dial-up worked immediately.

    If a post solves your question please use the 'Verify Answer' button.

  • Hello Ben,

    Thank you for contacting the Sophos Community.

    Would it be possible for you to download and install MR5 Build 586?

    As per the issue described, if you re-configure the L2TP again on the other interface where the site-to-site is configured, does the issue resurface?

    If the issue persists on Build 586, can you change the PSK of the L2TP, configure the computer with the new one, and see if it can connect?

    Since 


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • MR5 Build 586 is installed. The error remains the same: when I establish the L2TP tunnel on the interface IP, the connection fails. The log entries look as described above.

    If I establish the L2TP tunnel on the alias IP, the dial-up works. 


  • Hello Ben,

    Thank you for the follow-up and updating to MR5.

    Please open a case with Support for further investigation and feel free to share the Case ID with me so I can follow up.

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • This firewall is my (unlicensed) test box, so I'm unable to open a support case. I reimaged the firewall and applied the configuration backup to the firewall. But the issue still exists. I can try to build the configuration from scratch.


  • Hello Ben,

    Sorry I re-read your post and you mentioned that on the initial post.

    I would like to try to replicate this. This is a simple Windows L2TP to XG configuration, right? The only thing is that when the connection goes to the main IP it doesn't connect, but if you use an alias IP it works. I can try to replicate if that is the case.

    You mentioned you have an IPsec tunnel; is this using PSK and initiating the traffic, or is it set as a responder?

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hello Emmanuel,

    Yes, it is a simple L2TP setup with a Windows client. Authentication is via PSK. L2TP on XG is configured as response only. When I use the same setup with an alias IP on the WAN, everything works fine.

    Thanks, Ben


  • Hello Ben,

    Thank you for the confirmation, I will try to replicate it.

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hello Ben,

    I tried to replicate but it got connected for me on both the Main and Alias IP.

    Since this is a lab environment, would it be possible for you to disable your IPsec tunnels and just configure the L2TP on your main address, to see if it makes any difference? Also make sure you aren't using NAT-T in the settings for L2TP.

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hello Emmanuel,

    I can recreate the problem:
    - VPN tunnels are configured (endpoint on IP .254). Then I configured the L2TP on the interface IP .254. The L2TP dial-in does not work. Another L2TP dial-in on .253 works.
    - I disabled all VPN tunnels. With the VPN tunnels disabled, the L2TP dial-in on .254 works.
    - I gradually turned all VPN tunnels back on. Again, L2TP dial-up on .254 worked.
    - Then I terminated the L2TP connection on .254 and started it again. After restarting the L2TP connection on .254, it stopped working.

    During the test I noticed that when the L2TP connection on .254 is working there are log entries in the "l2tpd.log". If the connection is not working, nothing is logged.

    Further investigation showed that if I disable a tunnel with the remote gateway "*" and RSA keys, my L2TP dialup on the .254 works again until it is terminated on the firewall and restarted.

    The whole thing is reproducible: if I terminate the tunnel with the remote gateway "*", I can establish an L2TP connection on .254 (multiple times). When I restart the L2TP connection on .254 on the firewall, I cannot establish the L2TP tunnel on .254 until I terminate the tunnel with the remote gateway "*".

    Ben
