xelerance / xl2tpd

Official Xelerance fork of L2TPd
GNU General Public License v2.0

Using L2TP/Ipsec and cannot traverse NAT #223

Closed wyw900807 closed 1 year ago

wyw900807 commented 3 years ago

Dear sir: If I use a Windows client to connect to the L2TP/IPsec server directly, it can work. But if there is a NAT between the client and the L2TP/IPsec server, it cannot work. The IP of the NAT is 192.168.171.141, the IP of the L2TP/IPsec server is 192.168.171.145, and the IP of the client is 10.10.216.194. The NAT is achieved by iptables. The L2TP is achieved by xl2tpd. The log of libreswan is as follows; libreswan seems to be working well and the Windows client sends a delete. So I want to know if the problem occurs in xl2tpd, but there is no information in /var/log/xl2tpd.log.

Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #3: responding to Main Mode from unknown peer 192.168.171.141 on port 500
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #3: WARNING: connection l2tp-psk PSK length of 4 bytes is too short for sha PRF in FIPS mode (10 bytes required)
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #3: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #3: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #3: Peer ID is ID_IPV4_ADDR: '10.10.216.194'
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=DH20}
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #3: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #3: the peer proposed: 192.168.171.141/32:17/1701 -> 10.10.216.194/32:17/0
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #3: NAT-Traversal: received 2 NAT-OA. Ignored because peer is not NATed
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #4: responding to Quick Mode proposal {msgid:01000000}
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #4: us: 192.168.171.145:17/1701
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #4: them: 192.168.171.141:17/1701===10.10.216.194/32
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x8064a2a0 <0x59d7891f xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=192.168.171.141:4500 DPD=active}
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #4: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x8064a2a0 <0x59d7891f xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=192.168.171.141:4500 DPD=active}
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #3: the peer proposed: 192.168.171.141/32:17/1701 -> 10.10.216.194/32:17/1701
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #3: NAT-Traversal: received 2 NAT-OA. Ignored because peer is not NATed
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #5: responding to Quick Mode proposal {msgid:02000000}
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #5: us: 192.168.171.145:17/1701
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #5: them: 192.168.171.141:17/1701===10.10.216.194/32
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #5: keeping refhim=0 during rekey
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #5: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x4b337d1c <0x1d130fad xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=192.168.171.141:4500 DPD=active}
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #5: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #5: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x4b337d1c <0x1d130fad xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=192.168.171.141:4500 DPD=active}
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #3: received Delete SA(0x8064a2a0) payload: deleting IPSEC State #4
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #4: deleting other state #4 (STATE_QUICK_R2) and sending notification
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #4: ESP traffic information: in=0B out=0B
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #3: received and ignored empty informational notification payload
Mar 12 09:32:17 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #3: the peer proposed: 192.168.171.141/32:17/1701 -> 10.10.216.194/32:17/1701
Mar 12 09:32:17 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #3: NAT-Traversal: received 2 NAT-OA. Ignored because peer is not NATed
Mar 12 09:32:17 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #6: responding to Quick Mode proposal {msgid:03000000}
Mar 12 09:32:17 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #6: us: 192.168.171.145:17/1701
Mar 12 09:32:17 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #6: them: 192.168.171.141:17/1701===10.10.216.194/32
Mar 12 09:32:17 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #6: keeping refhim=0 during rekey
Mar 12 09:32:17 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0xa62249fd <0x2d04c9f5 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=192.168.171.141:4500 DPD=active}
Mar 12 09:32:17 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #6: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Mar 12 09:32:17 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #6: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xa62249fd <0x2d04c9f5 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=192.168.171.141:4500 DPD=active}
Mar 12 09:32:17 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #3: received Delete SA(0x4b337d1c) payload: deleting IPSEC State #5
Mar 12 09:32:17 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #5: deleting other state #5 (STATE_QUICK_R2) and sending notification
Mar 12 09:32:17 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #5: ESP traffic information: in=0B out=0B
Mar 12 09:32:17 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #3: received and ignored empty informational notification payload
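The pluto log above can be triaged mechanically: IKEv1 Main Mode completes, Quick Mode installs an IPsec SA, and the peer then sends a Delete SA while the ESP counters still read in=0B out=0B, so the L2TP layer is never reached and xl2tpd has nothing to log. The following script is an added example, not code from the issue or from the xl2tpd project. It assumes only the pluto message format visible in the log on this page; the sample input is a constructed subset of those lines, one event per line.

```python
"""Triage a libreswan/pluto log for the failure pattern in this issue:
IKEv1 Main Mode completes, Quick Mode installs an IPsec SA, and the peer
immediately sends a Delete SA before any ESP traffic flows. In that case
the L2TP layer (xl2tpd) is never reached, so its log stays empty."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the pluto lines from this issue, one event
# per line (the web page ran them together). Not a live log.
SAMPLE_LOG = """\
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=DH20}
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #3: NAT-Traversal: received 2 NAT-OA. Ignored because peer is not NATed
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x8064a2a0 <0x59d7891f xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=192.168.171.141:4500 DPD=active}
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #5: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x4b337d1c <0x1d130fad xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=192.168.171.141:4500 DPD=active}
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #3: received Delete SA(0x8064a2a0) payload: deleting IPSEC State #4
Mar 12 09:32:14 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #4: ESP traffic information: in=0B out=0B
Mar 12 09:32:17 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #3: received Delete SA(0x4b337d1c) payload: deleting IPSEC State #5
Mar 12 09:32:17 centos7 pluto[3776]: "l2tp-psk"[2] 192.168.171.141 #5: ESP traffic information: in=0B out=0B
"""

# Shape of a pluto state line: timestamp, host, pluto[pid], "conn"[n] peer #state: message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$'
)
DELETE_RE = re.compile(
    r'received Delete SA\((?P<spi>0x[0-9a-f]+)\) payload: deleting IPSEC State #(?P<victim>\d+)'
)
TRAFFIC_RE = re.compile(r'ESP traffic information: in=(?P<inb>\d+)B out=(?P<outb>\d+)B')


@dataclass
class IpsecSa:
    state: int
    established: bool = False
    deleted_by_peer: bool = False
    in_bytes: int = 0
    out_bytes: int = 0


@dataclass
class Triage:
    isakmp_established: bool = False
    nat_oa_ignored: int = 0          # "Ignored because peer is not NATed" count
    sas: dict = field(default_factory=dict)

    def dead_on_arrival(self):
        """State numbers of IPsec SAs the peer deleted before any ESP byte moved."""
        return sorted(s.state for s in self.sas.values()
                      if s.established and s.deleted_by_peer
                      and s.in_bytes == 0 and s.out_bytes == 0)

    def verdict(self):
        doa = self.dead_on_arrival()
        if doa:
            return ("ipsec-deleted-before-traffic: states %s; L2TP/xl2tpd never reached"
                    % ",".join(map(str, doa)))
        if any(s.established for s in self.sas.values()):
            return "ipsec-ok: look at xl2tpd/ppp for the failure"
        return "no-ipsec-sa: IKE negotiation did not complete"


def triage(log_text):
    """Walk the log once and attribute each event to its pluto state number."""
    t = Triage()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pluto state line
        state, msg = int(m["state"]), m["msg"]
        if "ISAKMP SA established" in msg:
            t.isakmp_established = True
        elif "NAT-Traversal" in msg and "Ignored because peer is not NATed" in msg:
            t.nat_oa_ignored += 1
        elif "IPsec SA established" in msg:
            t.sas.setdefault(state, IpsecSa(state)).established = True
        elif (d := DELETE_RE.search(msg)):
            # The delete is logged on the ISAKMP state; the victim is the IPsec state.
            victim = int(d["victim"])
            t.sas.setdefault(victim, IpsecSa(victim)).deleted_by_peer = True
        elif (tr := TRAFFIC_RE.search(msg)):
            sa = t.sas.setdefault(state, IpsecSa(state))
            sa.in_bytes, sa.out_bytes = int(tr["inb"]), int(tr["outb"])
    return t


if __name__ == "__main__":
    print(triage(SAMPLE_LOG).verdict())
```

Run against the issue's log it reports states 4 and 5 as deleted before traffic, which is the condition under which xl2tpd's log is expected to stay empty; if the counters had been non-zero the same script would point at the L2TP/PPP layer instead.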

dkosovic commented 3 years ago

The L2TP connection gets established after the IPsec connection is established, but as the IPsec connection failed to be established because a Delete SA payload is received, xl2tpd is not involved.

Try the registry workaround to allow a Win10 L2TP/IPsec client to access a L2TP/IPsec server behind a NAT, e.g.:

shussain commented 1 year ago

Closing since it seems to be an IPsec issue and not an xl2tpd issue