Sophos XGS L2TP remote vpn does not connect.

Hi,

ipsec-l2tp remote vpn is unable to pass the ipsec phase 1 connection; the client is native Windows 10

L2tp is enabled,

Profile is default L2TP

Gateway type: respond only

Preshared key is added

Port is wan port, have tried sub interface too

No local id

remote host and subnet are any

No remote id

Firewall rule is added for vpn zone to internal zone

Ipsec phase 1 is active for 30 seconds, then terminates; no l2tp activity in the log

Any suggestions?

/Lennart

  • Hi Lennart,

    Thank you for reaching out to Sophos Community.

    Any log details on log/ipsec.log?

    *L2TP VPN establishes an IPSec Connection and ISAKMP SA

    Can you also verify the following configurations?

    • Check the L2TP configuration on the firewall
    • Ensure that L2TP is turned on, and check the IP and DNS settings
    • CONFIGURE > VPN > Show VPN settings > L2TP 
    • PROTECT > Rules and Policies

    Are the following services running and listening on the correct ports (UDP 500 and UDP 4500):
     
    service -S | grep ipsec
    service -S | grep l2tpd
    netstat -anlpu | grep 500
    netstat -anlpu | grep 4500

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hi Erick,

    l2tp is running

    I'm not sure I'm following you, I don't have a visible Linux subsystem in my FW; it's an XGS appliance, so no services or netstat command

    system diagnostics show subsystem-info shows that ipsec is running

    IPSEngine            RUNNING, not sure what service is running L2TP but it is enabled in firewall

    show vpn IPSec-logs gives

    2023-03-23 16:17:35Z 06[NET] <23> received packet: from <client IP>[500] to <firewall IP>[500] (408 bytes)
    2023-03-23 16:17:35Z 06[ENC] <23> parsed ID_PROT request 0 [ SA V V V V V V V V ]
    2023-03-23 16:17:35Z 06[IKE] <23> no IKE config found for <firewall IP>...<client IP>, sending NO_PROPOSAL_CHOSEN
    2023-03-23 16:17:35Z 06[ENC] <23> generating INFORMATIONAL_V1 request 2375894993 [ N(NO_PROP) ]
    2023-03-23 16:17:35Z 06[NET] <23> sending packet: from <firewall IP>[500] to <client IP>[500] (40 bytes)
    2023-03-23 16:17:36Z 15[NET] <24> received packet: from <client IP>[500] to <firewall IP>[500] (408 bytes)
    2023-03-23 16:17:36Z 15[ENC] <24> parsed ID_PROT request 0 [ SA V V V V V V V V ]
    2023-03-23 16:17:36Z 15[IKE] <24> no IKE config found for <firewall IP>...<client IP>, sending NO_PROPOSAL_CHOSEN
    2023-03-23 16:17:36Z 15[ENC] <24> generating INFORMATIONAL_V1 request 2014775830 [ N(NO_PROP) ]
    2023-03-23 16:17:36Z 15[NET] <24> sending packet: from <firewall IP>[500] to <client IP>[500] (40 bytes)
    2023-03-23 16:17:37Z 14[NET] <25> received packet: from <client IP>[500] to <firewall IP>[500] (408 bytes)
    2023-03-23 16:17:37Z 14[ENC] <25> parsed ID_PROT request 0 [ SA V V V V V V V V ]
    2023-03-23 16:17:37Z 14[IKE] <25> no IKE config found for <firewall IP>...<client IP>, sending NO_PROPOSAL_CHOSEN
    2023-03-23 16:17:37Z 14[ENC] <25> generating INFORMATIONAL_V1 request 2853765956 [ N(NO_PROP) ]
    2023-03-23 16:17:37Z 14[NET] <25> sending packet: from <firewall IP>[500] to <client IP>[500] (40 bytes)
    2023-03-23 16:17:40Z 17[NET] <26> received packet: from <client IP>[500] to <firewall IP>[500] (408 bytes)
    2023-03-23 16:17:40Z 17[ENC] <26> parsed ID_PROT request 0 [ SA V V V V V V V V ]
    2023-03-23 16:17:40Z 17[IKE] <26> no IKE config found for <firewall IP>...<client IP>, sending NO_PROPOSAL_CHOSEN
    2023-03-23 16:17:40Z 17[ENC] <26> generating INFORMATIONAL_V1 request 1837318258 [ N(NO_PROP) ]
    2023-03-23 16:17:40Z 17[NET] <26> sending packet: from <firewall IP>[500] to <client IP>[500] (40 byte)

    show vpn L2TP-logs gives

    <console> sho vpn L2TP-logs
    xl2tpd[21884]: control_finish: Peer requested tunnel 28 twice, ignoring second one.
    xl2tpd[21884]: control_finish: Peer requested tunnel 28 twice, ignoring second one.
    xl2tpd[21884]: control_finish: Peer requested tunnel 28 twice, ignoring second one.
    xl2tpd[21884]: control_finish: Peer requested tunnel 28 twice, ignoring second one.
    xl2tpd[21884]: Maximum retries exceeded for tunnel 23159.  Closing.
    xl2tpd[21884]: Connection 27 closed to <client IP>, port 1701 (Timeout)
    xl2tpd[21884]: Maximum retries exceeded for tunnel 2736.  Closing.
    xl2tpd[21884]: Connection 28 closed to <client IP>, port 1701 (Timeout)
    xl2tpd[21884]: Unable to deliver closing message for tunnel 23159. Destroying anyway.
    xl2tpd[21884]: Unable to deliver closing message for tunnel 2736. Destroying anyway.

    I have added the preshared key to windows firewall-->ip-sec setting (never had to do that in other firewalls, but anyway), also have the same key in l2tp settings.

    The only firewall rule I have for vpn is the one that is in the documentation

    /Lennart

  • Ok, now I know how to get to the advanced shell

    XGS116_XN01_SFOS 19.5.0 GA-Build197# service -S | grep ipsec
    ipsec-monitor        RUNNING
    XGS116_XN01_SFOS 19.5.0 GA-Build197# service -S | grep l2tpd
    l2tpd                RUNNING
    XGS116_XN01_SFOS 19.5.0 GA-Build197# netstat -anlpu | grep 500
    udp        0      0 0.0.0.0:4500            0.0.0.0:*                           21816/charon
    udp        0      0 0.0.0.0:500             0.0.0.0:*                           21816/charon
    udp6       0      0 :::4500                 :::*                                21816/charon
    udp6       0      0 :::500                  :::*                                21816/charon

    So all expected services seem to be running and listening on all interfaces

    /Lennart

  • More logs

    openswan.log

    2023-03-23 19:01:52Z 23[IKE] <l2t-1|57> received DELETE for IKE_SA l2t-1[57]
    2023-03-23 19:01:52Z 23[IKE] <l2t-1|57> deleting IKE_SA l2t-1[57] between <firewall IP>[<firewall IP>]...<client IP>[192.168.200.50]
    2023-03-23 19:01:52Z 05[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_gateway_chains -t json -s nosync -b '{"local_server":"<firewall IP>","remote_server":"<client IP>","action":"disable","family":"0","conntype":"hth","compress":"0"}'': success 0
    2023-03-23 19:01:52Z 05[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) ---- exec subnet updown -- down --
    2023-03-23 19:01:52Z 05[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) connection 'l2t' using  interface 'ipsec0'
    2023-03-23 19:01:52Z 05[APP] [COP-UPDOWN][NET] (get_src_ip) source address for <firewall IP> is IP: <firewall IP>
    2023-03-23 19:01:52Z 05[APP]
    2023-03-23 19:01:52Z 05[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) [ipsec0] skip route add since remote subnet is <client IP>/32, src_ip <firewall IP>
    2023-03-23 19:01:52Z 05[APP] [COP-UPDOWN] (add_routes) no routes to del for l2t on interface ipsec0
    2023-03-23 19:01:53Z 05[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_connection_chains -t json -s nosync -b '{"me":"<firewall IP>","peer":"<client IP>","mynet":"<firewall IP>/32","peernet":"<client IP>/32","connop":"0","iface":"unknown","myproto":"17","myport":"1701","peerproto":"17","peerport":"1701","conntype":"hth","actnet":"","compress":"0","conn_id":"1"}'': error returned 255
    2023-03-23 19:04:08Z 20[NET] <58> received packet: from <client IP>[500] to <firewall IP>[500] (408 bytes)
    2023-03-23 19:04:08Z 20[ENC] <58> parsed ID_PROT request 0 [ SA V V V V V V V V ]
    2023-03-23 19:04:08Z 20[ENC] <58> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
    2023-03-23 19:04:08Z 20[IKE] <58> received MS NT5 ISAKMPOAKLEY vendor ID
    2023-03-23 19:04:08Z 20[IKE] <58> received NAT-T (RFC 3947) vendor ID
    2023-03-23 19:04:08Z 20[IKE] <58> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    2023-03-23 19:04:08Z 20[IKE] <58> received FRAGMENTATION vendor ID
    2023-03-23 19:04:08Z 20[ENC] <58> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
    2023-03-23 19:04:08Z 20[ENC] <58> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
    2023-03-23 19:04:08Z 20[ENC] <58> received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
    2023-03-23 19:04:08Z 20[IKE] <58> <client IP> is initiating a Main Mode IKE_SA
    2023-03-23 19:04:08Z 20[ENC] <58> generating ID_PROT response 0 [ SA V V V V V ]
    2023-03-23 19:04:08Z 20[NET] <58> sending packet: from <firewall IP>[500] to <client IP>[500] (176 bytes)
    2023-03-23 19:04:09Z 12[NET] <58> received packet: from <client IP>[500] to <firewall IP>[500] (388 bytes)
    2023-03-23 19:04:09Z 12[ENC] <58> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    2023-03-23 19:04:09Z 12[IKE] <58> remote host is behind NAT
    2023-03-23 19:04:09Z 12[ENC] <58> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    2023-03-23 19:04:09Z 12[NET] <58> sending packet: from <firewall IP>[500] to <client IP>[500] (372 bytes)
    2023-03-23 19:04:09Z 27[NET] <58> received packet: from <client IP>[4500] to <firewall IP>[4500] (68 bytes)
    2023-03-23 19:04:09Z 27[ENC] <58> parsed ID_PROT request 0 [ ID HASH ]
    2023-03-23 19:04:09Z 27[CFG] <58> looking for pre-shared key peer configs matching <firewall IP>...<client IP>[192.168.200.50]
    2023-03-23 19:04:09Z 27[CFG] <58> selected peer config "l2t-1"
    2023-03-23 19:04:09Z 27[IKE] <l2t-1|58> IKE_SA l2t-1[58] established between <firewall IP>[<firewall IP>]...<client IP>[192.168.200.50]
    2023-03-23 19:04:09Z 27[IKE] <l2t-1|58> DPD not supported by peer, disabled
    2023-03-23 19:04:09Z 27[ENC] <l2t-1|58> generating ID_PROT response 0 [ ID HASH ]
    2023-03-23 19:04:09Z 27[NET] <l2t-1|58> sending packet: from <firewall IP>[4500] to <client IP>[4500] (68 bytes)
    2023-03-23 19:04:09Z 23[NET] <l2t-1|58> received packet: from <client IP>[4500] to <firewall IP>[4500] (436 bytes)
    2023-03-23 19:04:09Z 23[ENC] <l2t-1|58> parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
    2023-03-23 19:04:09Z 23[IKE] <l2t-1|58> ### process_request invoking quick_mode_create
    2023-03-23 19:04:09Z 23[IKE] <l2t-1|58> ### quick_mode_create: 0x7f4f000056c0 config (nil)
    2023-03-23 19:04:09Z 23[IKE] <l2t-1|58> ### process_r: 0x7f4f000056c0 QM_INIT
    2023-03-23 19:04:09Z 23[IKE] <l2t-1|58> expected IPComp proposal but peer did not send one, IPComp disabled
    2023-03-23 19:04:09Z 23[IKE] <l2t-1|58> received 3600s lifetime, configured 0s
    2023-03-23 19:04:09Z 23[IKE] <l2t-1|58> received 250000000 lifebytes, configured 0
    2023-03-23 19:04:09Z 23[IKE] <l2t-1|58> ### build_r: 0x7f4f000056c0 QM_INIT
    2023-03-23 19:04:09Z 23[ENC] <l2t-1|58> generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
    2023-03-23 19:04:09Z 23[NET] <l2t-1|58> sending packet: from <firewall IP>[4500] to <client IP>[4500] (204 bytes)
    2023-03-23 19:04:09Z 22[NET] <l2t-1|58> received packet: from <client IP>[4500] to <firewall IP>[4500] (60 bytes)
    2023-03-23 19:04:09Z 22[ENC] <l2t-1|58> parsed QUICK_MODE request 1 [ HASH ]
    2023-03-23 19:04:09Z 22[IKE] <l2t-1|58> ### process_r: 0x7f4f000056c0 QM_NEGOTIATED
    2023-03-23 19:04:09Z 22[IKE] <l2t-1|58> CHILD_SA l2t-1{10} established with SPIs c2f3633d_i e313a362_o and TS <firewall IP>/32[udp/1701] === <client IP>/32[udp/1701]
    2023-03-23 19:04:09Z 22[APP] <l2t-1|58> [COP-UPDOWN] (ref_counting) ref_count: 0 to 1 ++ up ++ (<firewall IP>/32#<client IP>/32)
    2023-03-23 19:04:09Z 22[APP] <l2t-1|58> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 0 to 1 ++ up ++ (<firewall IP>#<client IP>#n)
    2023-03-23 19:04:09Z 22[APP] <l2t-1|58> [COP-UPDOWN] (cop_updown_invoke_once) UID: 58 Net: Local <firewall IP> Remote <client IP> Connection: l2t Fullname: l2t-1
    2023-03-23 19:04:09Z 22[APP] <l2t-1|58> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' up-host
    2023-03-23 19:04:09Z 22[IKE] <l2t-1|58> ### destroy: 0x7f4f000056c0
    2023-03-23 19:04:09Z 08[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'l2t' result --> id: '1', mode: 'hth', tunnel_type: '1', subnet_family:'0'
    2023-03-23 19:04:09Z 08[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) ---- exec remote updown ++ up ++
    2023-03-23 19:04:09Z 08[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_gateway_chains -t json -s nosync -b '{"local_server":"<firewall IP>","remote_server":"<client IP>","action":"enable","family":"0","conntype":"hth","compress":"0"}'': success 0
    2023-03-23 19:04:09Z 08[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) ---- exec subnet updown ++ up ++
    2023-03-23 19:04:09Z 08[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) connection 'l2t' using  interface 'ipsec0'
    2023-03-23 19:04:09Z 08[APP] [COP-UPDOWN][NET] (get_src_ip) source address for <firewall IP> is IP: <firewall IP>
    2023-03-23 19:04:09Z 08[APP]
    2023-03-23 19:04:09Z 08[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) [ipsec0] skip route add since remote subnet is <client IP>/32, src_ip <firewall IP>
    2023-03-23 19:04:09Z 08[APP] [COP-UPDOWN] (add_routes) no routes to add for l2t on interface ipsec0
    2023-03-23 19:04:09Z 08[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_connection_chains -t json -s nosync -b '{"me":"<firewall IP>","peer":"<client IP>","mynet":"<firewall IP>/32","peernet":"<client IP>/32","connop":"1","iface":"Port2","myproto":"17","myport":"1701","peerproto":"17","peerport":"1701","conntype":"hth","actnet":"","compress":"0","conn_id":"1"}'': error returned 255

    2023-03-23 19:04:44Z 29[NET] <l2t-1|58> received packet: from <client IP>[4500] to <firewall IP>[4500] (76 bytes)
    2023-03-23 19:04:44Z 29[ENC] <l2t-1|58> parsed INFORMATIONAL_V1 request 849452127 [ HASH D ]
    2023-03-23 19:04:44Z 29[IKE] <l2t-1|58> received DELETE for ESP CHILD_SA with SPI e313a362
    2023-03-23 19:04:44Z 29[IKE] <l2t-1|58> closing CHILD_SA l2t-1{10} with SPIs c2f3633d_i (580 bytes) e313a362_o (0 bytes) and TS <firewall IP>/32[udp/1701] === <client IP>/32[udp/1701]
    2023-03-23 19:04:44Z 29[APP] <l2t-1|58> [COP-UPDOWN] (ref_counting) ref_count: 1 to 0 -- down -- (<firewall IP>/32#<client IP>/32)
    2023-03-23 19:04:44Z 29[APP] <l2t-1|58> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 1 to 0 -- down -- (<firewall IP>#<client IP>#n)
    2023-03-23 19:04:44Z 29[APP] <l2t-1|58> [COP-UPDOWN] (cop_updown_invoke_once) UID: 58 Net: Local <firewall IP> Remote <client IP> Connection: l2t Fullname: l2t-1
    2023-03-23 19:04:44Z 29[APP] <l2t-1|58> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' down-host
    2023-03-23 19:04:44Z 11[NET] <l2t-1|58> received packet: from <client IP>[4500] to <firewall IP>[4500] (84 bytes)
    2023-03-23 19:04:44Z 11[ENC] <l2t-1|58> parsed INFORMATIONAL_V1 request 4000896794 [ HASH D ]
    2023-03-23 19:04:44Z 11[IKE] <l2t-1|58> received DELETE for IKE_SA l2t-1[58]
    2023-03-23 19:04:44Z 11[IKE] <l2t-1|58> deleting IKE_SA l2t-1[58] between <firewall IP>[<firewall IP>]...<client IP>[192.168.200.50]
    2023-03-23 19:04:44Z 15[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'l2t' result --> id: '1', mode: 'hth', tunnel_type: '1', subnet_family:'0'
    2023-03-23 19:04:44Z 15[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) ---- exec remote updown -- down --
    2023-03-23 19:04:44Z 15[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_gateway_chains -t json -s nosync -b '{"local_server":"<firewall IP>","remote_server":"<client IP>","action":"disable","family":"0","conntype":"hth","compress":"0"}'': success 0
    2023-03-23 19:04:44Z 15[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) ---- exec subnet updown -- down --
    2023-03-23 19:04:44Z 15[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) connection 'l2t' using  interface 'ipsec0'
    2023-03-23 19:04:44Z 15[APP] [COP-UPDOWN][NET] (get_src_ip) source address for <firewall IP> is IP: <firewall IP>
    2023-03-23 19:04:44Z 15[APP]
    2023-03-23 19:04:44Z 15[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) [ipsec0] skip route add since remote subnet is <client IP>/32, src_ip <firewall IP>
    2023-03-23 19:04:44Z 15[APP] [COP-UPDOWN] (add_routes) no routes to del for l2t on interface ipsec0
    2023-03-23 19:04:44Z 15[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_connection_chains -t json -s nosync -b '{"me":"<firewall IP>","peer":"<client IP>","mynet":"<firewall IP>/32","peernet":"<client IP>/32","connop":"0","iface":"unknown","myproto":"17","myport":"1701","peerproto":"17","peerport":"1701","conntype":"hth","actnet":"","compress":"0","conn_id":"1"}'': error returned 255

    XGS116_XN01_SFOS 19.5.0 GA-Build197#  tail -f /log/charon.log
    2023-03-23 19:04:44Z 15[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'l2t' result --> id: '1', mode: 'hth', tunnel_type: '1', subnet_family:'0'
    2023-03-23 19:04:44Z 15[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) ---- exec remote updown -- down --
    2023-03-23 19:04:44Z 15[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_gateway_chains -t json -s nosync -b '{"local_server":"<firewall IP>","remote_server":"<client IP>","action":"disable","family":"0","conntype":"hth","compress":"0"}'': success 0
    2023-03-23 19:04:44Z 15[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) ---- exec subnet updown -- down --
    2023-03-23 19:04:44Z 15[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) connection 'l2t' using  interface 'ipsec0'
    2023-03-23 19:04:44Z 15[APP] [COP-UPDOWN][NET] (get_src_ip) source address for <firewall IP> is IP: <firewall IP>
    2023-03-23 19:04:44Z 15[APP]
    2023-03-23 19:04:44Z 15[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) [ipsec0] skip route add since remote subnet is <client IP>/32, src_ip <firewall IP>
    2023-03-23 19:04:44Z 15[APP] [COP-UPDOWN] (add_routes) no routes to del for l2t on interface ipsec0
    2023-03-23 19:04:44Z 15[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_connection_chains -t json -s nosync -b '{"me":"<firewall IP>","peer":"<client IP>","mynet":"<firewall IP>/32","peernet":"<client IP>/32","connop":"0","iface":"unknown","myproto":"17","myport":"1701","peerproto":"17","peerport":"1701","conntype":"hth","actnet":"","compress":"0","conn_id":"1"}'': error returned 255
    2023-03-23 19:20:09Z 27[NET] <59> received packet: from <client IP>[500] to <firewall IP>[500] (408 bytes)
    2023-03-23 19:20:09Z 27[ENC] <59> parsed ID_PROT request 0 [ SA V V V V V V V V ]
    2023-03-23 19:20:09Z 27[ENC] <59> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
    2023-03-23 19:20:09Z 27[IKE] <59> received MS NT5 ISAKMPOAKLEY vendor ID
    2023-03-23 19:20:09Z 27[IKE] <59> received NAT-T (RFC 3947) vendor ID
    2023-03-23 19:20:09Z 27[IKE] <59> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    2023-03-23 19:20:09Z 27[IKE] <59> received FRAGMENTATION vendor ID
    2023-03-23 19:20:09Z 27[ENC] <59> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
    2023-03-23 19:20:09Z 27[ENC] <59> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
    2023-03-23 19:20:09Z 27[ENC] <59> received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
    2023-03-23 19:20:09Z 27[IKE] <59> <client IP> is initiating a Main Mode IKE_SA
    2023-03-23 19:20:09Z 27[ENC] <59> generating ID_PROT response 0 [ SA V V V V V ]
    2023-03-23 19:20:09Z 27[NET] <59> sending packet: from <firewall IP>[500] to <client IP>[500] (176 bytes)
    2023-03-23 19:20:09Z 08[NET] <59> received packet: from <client IP>[500] to <firewall IP>[500] (388 bytes)
    2023-03-23 19:20:09Z 08[ENC] <59> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    2023-03-23 19:20:09Z 08[IKE] <59> remote host is behind NAT
    2023-03-23 19:20:09Z 08[ENC] <59> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    2023-03-23 19:20:09Z 08[NET] <59> sending packet: from <firewall IP>[500] to <client IP>[500] (372 bytes)
    2023-03-23 19:20:09Z 22[NET] <59> received packet: from <client IP>[4500] to <firewall IP>[4500] (68 bytes)
    2023-03-23 19:20:09Z 22[ENC] <59> parsed ID_PROT request 0 [ ID HASH ]
    2023-03-23 19:20:09Z 22[CFG] <59> looking for pre-shared key peer configs matching <firewall IP>...<client IP>[192.168.200.50]
    2023-03-23 19:20:09Z 22[CFG] <59> selected peer config "l2t-1"
    2023-03-23 19:20:09Z 22[IKE] <l2t-1|59> IKE_SA l2t-1[59] established between <firewall IP>[<firewall IP>]...<client IP>[192.168.200.50]
    2023-03-23 19:20:09Z 22[IKE] <l2t-1|59> DPD not supported by peer, disabled
    2023-03-23 19:20:09Z 22[ENC] <l2t-1|59> generating ID_PROT response 0 [ ID HASH ]
    2023-03-23 19:20:09Z 22[NET] <l2t-1|59> sending packet: from <firewall IP>[4500] to <client IP>[4500] (68 bytes)
    2023-03-23 19:20:09Z 05[NET] <l2t-1|59> received packet: from <client IP>[4500] to <firewall IP>[4500] (436 bytes)
    2023-03-23 19:20:09Z 05[ENC] <l2t-1|59> parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
    2023-03-23 19:20:09Z 05[IKE] <l2t-1|59> ### process_request invoking quick_mode_create
    2023-03-23 19:20:09Z 05[IKE] <l2t-1|59> ### quick_mode_create: 0x7f4f34000a00 config (nil)
    2023-03-23 19:20:09Z 05[IKE] <l2t-1|59> ### process_r: 0x7f4f34000a00 QM_INIT
    2023-03-23 19:20:09Z 05[IKE] <l2t-1|59> expected IPComp proposal but peer did not send one, IPComp disabled
    2023-03-23 19:20:09Z 05[IKE] <l2t-1|59> received 3600s lifetime, configured 0s
    2023-03-23 19:20:09Z 05[IKE] <l2t-1|59> received 250000000 lifebytes, configured 0
    2023-03-23 19:20:09Z 05[IKE] <l2t-1|59> ### build_r: 0x7f4f34000a00 QM_INIT
    2023-03-23 19:20:09Z 05[ENC] <l2t-1|59> generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
    2023-03-23 19:20:09Z 05[NET] <l2t-1|59> sending packet: from <firewall IP>[4500] to <client IP>[4500] (204 bytes)
    2023-03-23 19:20:09Z 23[NET] <l2t-1|59> received packet: from <client IP>[4500] to <firewall IP>[4500] (60 bytes)
    2023-03-23 19:20:09Z 23[ENC] <l2t-1|59> parsed QUICK_MODE request 1 [ HASH ]
    2023-03-23 19:20:09Z 23[IKE] <l2t-1|59> ### process_r: 0x7f4f34000a00 QM_NEGOTIATED
    2023-03-23 19:20:09Z 23[IKE] <l2t-1|59> CHILD_SA l2t-1{11} established with SPIs c6c84397_i a70a44a6_o and TS <firewall IP>/32[udp/1701] === <client IP>/32[udp/1701]
    2023-03-23 19:20:09Z 23[APP] <l2t-1|59> [COP-UPDOWN] (ref_counting) ref_count: 0 to 1 ++ up ++ (<firewall IP>/32#<client IP>/32)
    2023-03-23 19:20:09Z 23[APP] <l2t-1|59> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 0 to 1 ++ up ++ (<firewall IP>#<client IP>#n)
    2023-03-23 19:20:09Z 23[APP] <l2t-1|59> [COP-UPDOWN] (cop_updown_invoke_once) UID: 59 Net: Local <firewall IP> Remote <client IP> Connection: l2t Fullname: l2t-1
    2023-03-23 19:20:09Z 23[APP] <l2t-1|59> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' up-host
    2023-03-23 19:20:09Z 23[IKE] <l2t-1|59> ### destroy: 0x7f4f34000a00
    2023-03-23 19:20:09Z 25[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'l2t' result --> id: '1', mode: 'hth', tunnel_type: '1', subnet_family:'0'
    2023-03-23 19:20:09Z 25[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) ---- exec remote updown ++ up ++
    2023-03-23 19:20:10Z 25[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_gateway_chains -t json -s nosync -b '{"local_server":"<firewall IP>","remote_server":"<client IP>","action":"enable","family":"0","conntype":"hth","compress":"0"}'': success 0
    2023-03-23 19:20:10Z 25[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) ---- exec subnet updown ++ up ++
    2023-03-23 19:20:10Z 25[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) connection 'l2t' using  interface 'ipsec0'
    2023-03-23 19:20:10Z 25[APP] [COP-UPDOWN][NET] (get_src_ip) source address for <firewall IP> is IP: <firewall IP>
    2023-03-23 19:20:10Z 25[APP]

    /Lennart

  • Hi Lennart,

    Based on the IPsec logs:

     "no IKE config found for <firewall IP>...<client IP>, sending NO_PROPOSAL_CHOSEN"

    The error 'NO_PROPOSAL_CHOSEN' means that there is a mismatch of the IPsec policies.
    Sophos Firewall doesn't accept any proposal received. The connection has to be reconfigured on either of
    the ends. Phase 1 proposals need to be validated on either end of the tunnel.

    and in the L2TP logs

    it has already reached the maximum number of retries:

    "xl2tpd[21884]: Maximum retries exceeded for tunnel 2736.  Closing."

    Kindly re-check the configuration and IKE version.

    You may also refer to the following KB

    Sophos Firewall: Troubleshooting site to site IPsec VPN issues

    Erick Jan
    Community Support Engineer | Sophos Technical Support

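Reading the charon output by hand, as done in the posts above, is error-prone: the 16:17 attempts fail in phase 1 with NO_PROPOSAL_CHOSEN, while the 19:04 attempt completes phase 1 and phase 2 and only then has the fwm:vpn_connection_chains updown script return 255 before the peer deletes the SA. The script below is an added example, not code from the thread or from Sophos; it groups strongSwan IKEv1 log lines by IKE_SA id and reports how far each attempt got. The sample lines are constructed in the format quoted in the posts, with the <firewall IP>/<client IP> placeholders kept.

```python
import re
from datetime import datetime

# Constructed sample lines in the charon (strongSwan) IKEv1 log format quoted in
# the thread; the <firewall IP>/<client IP> placeholders are kept as posted.
SAMPLE_LOG = """\
2023-03-23 16:17:35Z 06[NET] <23> received packet: from <client IP>[500] to <firewall IP>[500] (408 bytes)
2023-03-23 16:17:35Z 06[IKE] <23> no IKE config found for <firewall IP>...<client IP>, sending NO_PROPOSAL_CHOSEN
2023-03-23 19:04:08Z 20[NET] <58> received packet: from <client IP>[500] to <firewall IP>[500] (408 bytes)
2023-03-23 19:04:09Z 12[IKE] <58> remote host is behind NAT
2023-03-23 19:04:09Z 27[IKE] <l2t-1|58> IKE_SA l2t-1[58] established between <firewall IP>[<firewall IP>]...<client IP>[192.168.200.50]
2023-03-23 19:04:09Z 22[IKE] <l2t-1|58> CHILD_SA l2t-1{10} established with SPIs c2f3633d_i e313a362_o and TS <firewall IP>/32[udp/1701] === <client IP>/32[udp/1701]
2023-03-23 19:04:09Z 08[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_gateway_chains -t json -s nosync -b '{"action":"enable"}'': success 0
2023-03-23 19:04:09Z 08[APP] [COP-UPDOWN][SHELL] (run_shell) '/bin/service fwm:vpn_connection_chains -t json -s nosync -b '{"connop":"1"}'': error returned 255
2023-03-23 19:04:44Z 29[IKE] <l2t-1|58> received DELETE for ESP CHILD_SA with SPI e313a362
2023-03-23 19:04:44Z 11[IKE] <l2t-1|58> received DELETE for IKE_SA l2t-1[58]
"""

# "<timestamp> <thread>[<subsystem>] <[conn|]id> <message>"; the <id> part is optional
LINE_RE = re.compile(r"^(\S+ \S+) \d+\[(\w+)\] (?:<(?:[\w-]+\|)?(\d+)> )?(.*)$")
ERR_RE = re.compile(r"'/bin/service (\S+) .*: error returned (\d+)$")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%SZ")


def analyze(log_text):
    """Group charon lines by IKE_SA id and record how far each attempt got."""
    sas, last_sa = {}, None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, _subsystem, sa_id, msg = m.groups()
        sa_id = sa_id or last_sa  # [APP] updown lines carry no <id>: attach to last SA
        if sa_id is None:
            continue
        last_sa = sa_id
        st = sas.setdefault(sa_id, {"first": _ts(ts), "phase1": None, "phase2": False,
                                    "nat": False, "updown_errors": [], "deleted_by_peer": False})
        st["last"] = _ts(ts)
        if "NO_PROPOSAL_CHOSEN" in msg:            # phase 1 rejected by the firewall
            st["phase1"] = "rejected"
        elif msg.startswith("IKE_SA ") and " established" in msg:
            st["phase1"] = "established"
        elif msg.startswith("CHILD_SA ") and " established" in msg:
            st["phase2"] = True                    # quick mode done, ESP SA in place
        elif "behind NAT" in msg:
            st["nat"] = True
        elif "received DELETE for IKE_SA" in msg:  # peer tore the tunnel down
            st["deleted_by_peer"] = True
        e = ERR_RE.search(msg)
        if e:
            st["updown_errors"].append((e.group(1), int(e.group(2))))
    for st in sas.values():
        st["seconds"] = int((st["last"] - st["first"]).total_seconds())
        st["verdict"] = _verdict(st)
    return sas


def _verdict(st):
    if st["phase1"] == "rejected":
        return "phase 1 failed: NO_PROPOSAL_CHOSEN (no IKE config/proposal matched)"
    if st["phase1"] != "established":
        return "phase 1 never completed"
    if not st["phase2"]:
        return "phase 1 ok, phase 2 (quick mode) never completed"
    if st["updown_errors"]:
        names = ", ".join(f"{n} rc={rc}" for n, rc in st["updown_errors"])
        return f"IPsec negotiated; updown script failed ({names}), problem is after IKE"
    if st["deleted_by_peer"]:
        return f"IPsec negotiated; peer tore it down after {st['seconds']}s"
    return "IPsec negotiated"


if __name__ == "__main__":
    for sa_id, st in analyze(SAMPLE_LOG).items():
        print(f"IKE_SA {sa_id}: nat={st['nat']} seconds={st['seconds']} {st['verdict']}")
```

Run it against the output of `tail /log/charon.log` (or the pasted `show vpn IPSec-logs` text) to separate a real proposal mismatch from a tunnel that negotiates fine and fails later.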
  • Thanks Erick,

    A follow-up question regarding that: is there any known definition of what Windows 10 uses as the default IPsec policies?

    /Lennart

  • With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.