
IPSec SA fails when using ISAKMP phase 1 ID

Posted: Thu Jun 01, 2017 3:03 am
by kneel
Hi,

I am using OpenSWAN on an embedded device. I can connect as a client-to-site and it works fine, but when I add a "local ID" (i.e. IPSec ISAKMP Phase 1 ID) - even one that matches an l2tpv3 connection setup - the IPSec SA fails to establish correctly. I know this is l2tpv3 because 2 of these devices can be connected for site-to-site; the client (initiator) is using the same as what I am using to (try to) create the SoftEther connection.

Apropos server log file info below (some IPs masked).

The ONLY thing that has changed is the Phase 1 ID has been added AND it matches the server setup for l2tpv3.

Remove the phase 1 ID, and it connects fine (but not site-to-site, only client-to-site).

It doesn't matter what phase 1 ID I use (listed in l2tpv3 setup or not), I get the same thing happening.

It doesn't matter if I create an l2tpv3 with a * for phase 1 ID - still fails.

What am I missing?

2017-06-01 11:46:40.661 IPsec Client 305 (1.129.34.108:500 -> xxx.xxx.xxx.xxx:500): A new IPsec client is created.
2017-06-01 11:46:40.661 IPsec IKE Session (IKE SA) 288 (Client: 305) (1.129.34.108:500 -> xxx.xxx.xxx.xxx:500): A new IKE SA (Aggressive Mode) is created. Initiator Cookie: 0x1061DC12D4057BB8, Responder Cookie: 0xD3271B532ED8843E, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 3600 seconds
2017-06-01 11:46:40.661 IPsec Client 305 (1.129.34.108:500 -> xxx.xxx.xxx.xxx:500):
2017-06-01 11:46:50.662 IPsec IKE Session (IKE SA) 288 (Client: 305) (1.129.34.108:500 -> xxx.xxx.xxx.xxx:500): This IKE SA is deleted.
2017-06-01 11:46:50.662 IPsec Client 305 (1.129.34.108:500 -> xxx.xxx.xxx.xxx:500): This IPsec Client is deleted.
2017-06-01 11:47:01.231 L2TP PPP Session [1.129.96.170:61844]: A PPP protocol error occurred, or the PPP session has been disconnected.
2017-06-01 11:47:01.484 [HUB "MaxonVPN"] Session "SID-TEST1-[L2TP]-105": The session has been terminated. The statistical information is as follows: Total outgoing data size: 8024 bytes, Total incoming data size: 977 bytes.
2017-06-01 11:47:01.514 Connection "CID-514" terminated by the cause "The VPN session has been deleted. It is possible that either the administrator disconnected the session or the connection from the client to the VPN Server has been disconnected." (code 11).
2017-06-01 11:47:01.514 Connection "CID-514" has been terminated.
2017-06-01 11:47:01.514 The connection with the client (IP address 1.129.96.170, Port number 61844) has been disconnected.

Re: IPSec SA fails when using ISAKMP phase 1 ID

Posted: Thu Jun 15, 2017 5:01 am
by thisjun
Did you enable the L2TPv3 function on the VPN server?

Re: IPSec SA fails when using ISAKMP phase 1 ID

Posted: Thu Jun 22, 2017 4:36 am
by kneel
Thanks for the reply, but I have found a solution anyway:
viewtopic.php?f=7&t=8350