L2TP stopped working in two days

dbonfilt
Posts: 1
Joined: Mon Mar 30, 2020 12:05 am

L2TP stopped working in two days

Post by dbonfilt » Mon Mar 30, 2020 12:46 am

Last Friday I installed the latest version of SoftEther Server on a Debian machine, and configured it from a Windows PC. All ports listening, and I also enabled L2TP.

I tested with a SoftEther client using port 992 from an outer Windows PC and all was ok. I also tested with the built-in Windows L2TP client and all ok.

But then, two days later, the Windows L2TP client does not work (?!). The SoftEther client still works, and I can also manage the remote server from my PC with no problems. Only the L2TP part is failing somewhat. I also tested with an iPhone VPN built-in client and it did not connect either.

The server log shows this sequence:

01:37:39.171 IPsec Client 55 (public:500 -> private:500): A new IPsec client is created.
01:37:39.171 IPsec IKE Session (IKE SA) 21 (Client: 55) (public:500 -> private:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x72E8C7D6014BB08, Responder Cookie: 0x490FB063058FC92F, DH Group: MODP 2048 (Group 14), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 28800 seconds
01:37:39.281 IPsec Client 55 (public:4500 -> private:4500): The port number information of this client is updated.

... nothing, and then 10 seconds later:
01:37:49.214 IPsec Client 55 (public:4500 -> private:4500): This IPsec Client is deleted.
NOTE: public is my public IP address, and private the remote LAN private network IP address

The same server showed this sequence on Friday (good connection):

17:03:41.499 IPsec Client 6 (public:500 -> private:500): A new IPsec client is created.
17:03:41.499 IPsec IKE Session (IKE SA) 6 (Client: 6) (public:500 -> private:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xBFF3BA97947F4809, Responder Cookie: 0x5DCD55E1D3B75A75, DH Group: MODP 2048 (Group 14), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 28800 seconds
17:03:41.609 IPsec Client 6 (public:4500 -> private:4500): The port number information of this client is updated.
17:03:41.609 IPsec Client 6 (public:4500 -> private:4500): 
17:03:41.609 IPsec IKE Session (IKE SA) 6 (Client: 6) (public:4500 -> private:4500): This IKE SA is established between the server and the client.
17:03:41.640 IPsec IKE Session (IKE SA) 6 (Client: 6) (public:4500 -> private:4500): The client initiates a QuickMode negotiation.
17:03:41.650 IPsec ESP Session (IPsec SA) 6 (Client: 6) (public:4500 -> private:4500): A new IPsec SA (Direction: Client -> Server) is created. SPI: 0xF8106F, DH Group: (null), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 250000 Kbytes or 3600 seconds
17:03:41.650 IPsec ESP Session (IPsec SA) 6 (Client: 6) (public:4500 -> private:4500): A new IPsec SA (Direction: Server -> Client) is created. SPI: 0xBB0B41E0, DH Group: (null), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 250000 Kbytes or 3600 seconds
17:03:41.680 IPsec ESP Session (IPsec SA) 6 (Client: 6) (public:4500 -> private:4500): This IPsec SA is established between the server and the client.
17:03:41.680 IPsec Client 6 (public:4500 -> private:4500): The L2TP Server Module is started.
17:03:41.740 L2TP PPP Session [public:1701]: A new PPP session (Upper protocol: L2TP) is started. IP Address of PPP Client: public (Hostname: "DIEGO-TRABAJO"), Port Number of PPP Client: 1701, IP Address of PPP Server: private, Port Number of PPP Server: 1701, Client Software Name: "L2TP VPN Client - Microsoft", IPv4 TCP MSS (Max Segment Size): 1314 bytes
17:03:42.223 On the TCP Listener (Port 0), a Client (IP address public, Host name "public.*******", Port number 1701) has connected.
17:03:42.223 For the client (IP address: public, host name: "public.*******", port number: 1701), connection "CID-6" has been created.
17:03:42.223 SSL communication for connection "CID-6" has been started. The encryption algorithm name is "(null)".
17:03:42.233 [HUB "VPN2"] The connection "CID-6" (IP address: public, Host name: public.*******, Port number: 1701, Client name: "L2TP VPN Client - Microsoft", Version: 4.34, Build: 9744) is attempting to connect to the Virtual Hub. The auth type provided is "External server authentication" and the user name is "******".
17:03:42.233 [HUB "VPN2"] Connection "CID-6": Successfully authenticated as user "******".
17:03:42.233 [HUB "VPN2"] Connection "CID-6": The new session "SID-******-[L2TP]-6" has been created. (IP address: public, Port number: 1701, Physical underlying protocol: "Legacy VPN - L2TP")
17:03:42.233 [HUB "VPN2"] Session "SID-******-[L2TP]-6": The parameter has been set. Max number of TCP connections: 1, Use of encryption: Yes, Use of compression: No, Use of Half duplex communication: No, Timeout: 20 seconds.
17:03:42.233 [HUB "VPN2"] Session "SID-******-[L2TP]-6": VPN Client details: (Client product name: "L2TP VPN Client - Microsoft", Client version: 434, Client build number: 9744, Server product name: "SoftEther VPN Server (64 bit)", Server version: 434, Server build number: 9744, Client OS name: "L2TP VPN Client - Microsoft", Client OS version: "-", Client product ID: "-", Client host name: "******", Client IP address: "public", Client port number: 1701, Server host name: "private", Server IP address: "private", Server port number: 1701, Proxy host name: "", Proxy IP address: "0.0.0.0", Proxy port number: 0, Virtual Hub name: "VPN2", Client unique ID: "...........")
17:03:42.274 L2TP PPP Session [public:1701]: Trying to request an IP address from the DHCP server.
17:03:45.323 [HUB "VPN2"] Session "SID-LOCALBRIDGE-1": The DHCP server of host "xx-xx-xx-xx-xx-xx" (private_real_dhcpserver) on this session allocated, for host "SID-******-[L2TP]-6" on another session "zz-zz-zz-zz-zz-zz", the new IP address private2.
17:03:45.333 L2TP PPP Session [public:1701]: An IP address is assigned. IP Address of Client: private2, Subnet Mask: 255.255.255.0, Default Gateway: private_real_gateway, Domain Name: "xxxxx", DNS Server 1: private_dns, DNS Server 2: 0.0.0.0, WINS Server 1: 0.0.0.0, WINS Server 2: 0.0.0.0, IP Address of DHCP Server: private_real_dhcpserver, Lease Lifetime: 86400 seconds
17:03:45.333 L2TP PPP Session [public:1701]: The IP address and other network information parameters are set successfully. IP Address of Client: private2, Subnet Mask: 255.255.255.0, Default Gateway: private_real_gateway, DNS Server 1: private_real_dns, DNS Server 2: 0.0.0.0, WINS Server 1: 0.0.0.0, WINS Server 2: 0.0.0.0
Nothing unusual, I suppose. The connection went well.

So, what can cause this problem now?

I have rebooted the remote router, and also rebooted the remote SoftEther server (the complete Debian machine), but still I cannot connect with the L2TP client.

This is a Wireshark capture (simplified and commented) of the failing L2TP negotiation:

client -> server: Security association (with initiator SPI)
server -> client: Security association (with initiator SPI + responder SPI)
client -> server: Key Exchange (with flags 0x00)
server -> client: Key Exchange (with flags 0x00)
client -> server: Identification (with flags 0x01 -> Encrypted)
(1 sec silence)
... the server did not answer within 1 sec, so the client retried
client -> server: Identification (with flags 0x01 -> Encrypted)
(1 sec silence)
... and then the server answers:
server -> client: Key Exchange (with flags 0x00)
... I think that, from this moment, the connection is going to fail. The client insists on:
client -> server: Identification (with flags 0x01 -> Encrypted)
(2 sec silence)
... and the server with:
server -> client: Key Exchange (with flags 0x00)
(1 sec silence)
... and they did it again:
client -> server: Identification (with flags 0x01 -> Encrypted)
(1 sec silence)
server -> client: Key Exchange (with flags 0x00)
(2 sec silence)
server -> client: Key Exchange (with flags 0x00)
client -> server: Identification (with flags 0x01 -> Encrypted)
(2 sec silence)
... and finally server "gets angry":
server -> client: Key Exchange (with flags 0x00)
server -> client: Delete
This last packet's timestamp is the same as the server log line:
01:37:49.214 IPsec Client 55 (public:4500 -> private:4500): This IPsec Client is deleted.

Unfortunately I do not have a Wireshark capture of the Friday OK connection. But I hope this can be enough for someone to help/guide me in things that I can change and test.

By the way, the L2TP server/client is a requirement, as some network clients are Microsoft Surface tablet/laptops. And yes, on Friday they also worked well.

Can all this mess be caused by some ISP changes during the weekend? The ports: UDP 500, UDP 4500 are open in the router and redirected to SoftEther server. I also tried opening TCP+UDP 1701 (although I read that this is not required) but no luck. Of course TCP 992 is open and redirected to server and I can connect with SoftEther client with no problems.


Thank you very much in advance
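
One way to triage this kind of failure from the server log, as an added example that is not part of the original post or of SoftEther itself: the script below parses the "IPsec Client" and "IKE Session" lines in the format quoted above (the sample lines are constructed from that format, with the same public/private placeholders) and flags clients that were deleted without ever logging "This IKE SA is established", i.e. that stalled in IKE Main Mode the way client 55 did, as opposed to clients that went on to start the L2TP module. Run over a real vpn_*.log it shows at a glance how many clients stall, from which source, and how long the server waits before giving up. The regex patterns, dataclass fields and status labels are this example's own assumptions, not SoftEther's.

```python
"""Triage SoftEther IPsec/L2TP client lifecycles from a server log.

A healthy client logs: created -> port number updated (NAT-T) ->
"IKE SA is established" -> IPsec SA established -> "L2TP Server Module
is started". A client that is deleted before "IKE SA is established"
never completed IKE Main Mode (the failing pattern in the thread).
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample, modelled on the log format quoted in the post
# (client 55 = failing Monday session, client 6 = working Friday session).
SAMPLE_LOG = """\
01:37:39.171 IPsec Client 55 (public:500 -> private:500): A new IPsec client is created.
01:37:39.171 IPsec IKE Session (IKE SA) 21 (Client: 55) (public:500 -> private:500): A new IKE SA (Main Mode) is created.
01:37:39.281 IPsec Client 55 (public:4500 -> private:4500): The port number information of this client is updated.
01:37:49.214 IPsec Client 55 (public:4500 -> private:4500): This IPsec Client is deleted.
17:03:41.499 IPsec Client 6 (public:500 -> private:500): A new IPsec client is created.
17:03:41.499 IPsec IKE Session (IKE SA) 6 (Client: 6) (public:500 -> private:500): A new IKE SA (Main Mode) is created.
17:03:41.609 IPsec Client 6 (public:4500 -> private:4500): The port number information of this client is updated.
17:03:41.609 IPsec IKE Session (IKE SA) 6 (Client: 6) (public:4500 -> private:4500): This IKE SA is established between the server and the client.
17:03:41.680 IPsec Client 6 (public:4500 -> private:4500): The L2TP Server Module is started.
"""

# Assumed line shapes; both are derived from the lines quoted above.
CLIENT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{3}) IPsec Client (?P<cid>\d+) "
    r"\((?P<src>[^ ]+) -> (?P<dst>[^ ]+)\): (?P<msg>.*)$")
IKE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{3}) IPsec IKE Session \(IKE SA\) \d+ "
    r"\(Client: (?P<cid>\d+)\) \([^)]*\): (?P<msg>.*)$")


@dataclass
class ClientState:
    cid: str
    src: str
    created: datetime
    deleted: Optional[datetime] = None
    natt_port_update: bool = False   # client moved to UDP 4500 (NAT-T)
    ike_established: bool = False    # Main Mode completed
    l2tp_started: bool = False       # reached the L2TP layer


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%H:%M:%S.%f")


def track_clients(log_text: str) -> dict:
    """Fold log lines into one ClientState per IPsec client id."""
    clients = {}
    for line in log_text.splitlines():
        m = CLIENT_RE.match(line)
        if m:
            cid, msg = m["cid"], m["msg"]
            if "A new IPsec client is created" in msg:
                clients[cid] = ClientState(cid, m["src"], parse_ts(m["ts"]))
                continue
            st = clients.get(cid)
            if st is None:
                continue
            if "port number information" in msg:
                st.natt_port_update = True
            elif "L2TP Server Module is started" in msg:
                st.l2tp_started = True
            elif "This IPsec Client is deleted" in msg:
                st.deleted = parse_ts(m["ts"])
            continue
        m = IKE_RE.match(line)
        if m and "IKE SA is established" in m["msg"]:
            st = clients.get(m["cid"])
            if st is not None:
                st.ike_established = True
    return clients


def classify(st: ClientState) -> str:
    if st.l2tp_started:
        return "ok"
    if st.ike_established:
        return "ike_ok_no_l2tp"       # failed after Main Mode (QuickMode/L2TP stage)
    if st.deleted is not None:
        return "main_mode_stalled"    # deleted without ever finishing IKE Main Mode
    return "in_progress"


def triage(log_text: str) -> list:
    """One summary row per client, with how long the server kept it alive."""
    rows = []
    for st in track_clients(log_text).values():
        lifetime = (st.deleted - st.created).total_seconds() if st.deleted else None
        rows.append({"client": st.cid, "src": st.src, "natt": st.natt_port_update,
                     "status": classify(st), "lifetime_s": lifetime})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

A high count of main_mode_stalled clients with natt set, all from the same source and all torn down after roughly the same interval, points at the IKE exchange itself (the Identification payload never being accepted) rather than at port forwarding, which would show no "created" lines at all.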

jwagner01
Posts: 1
Joined: Mon Mar 30, 2020 2:07 pm

Re: L2TP stopped working in two days

Post by jwagner01 » Wed Apr 01, 2020 8:38 pm

I am experiencing a similar issue. I have two SoftEther sites/installs running with L2TP enabled. I was connecting using the built-in Windows L2TP client successfully just Monday last week. By Friday L2TP was dead in the water. I have been able to connect using the SoftEther client via port 5555.

I set up a lab on my LAN to investigate further. My scans showed no l2tp traffic whatsoever reaching the server. All firewalls open/disabled. Admittedly, my Wireshark-fu is pretty basic so I could be doing something wrong with my scans.

I noticed today that one of my users is still able to connect to one of my sites. That got me thinking about our managed updates. On a hunch, I pulled out an old laptop that hasn't been updated in forever. I configured up an L2TP connection to one of my sites -- and BINGO it works!

So I guess Microsoft is keeping up the tradition of putting out borked updates and has somehow broken the Windows l2tp client.

ivica.glavocic
Posts: 11
Joined: Thu Dec 04, 2014 7:08 am

Re: L2TP stopped working in two days

Post by ivica.glavocic » Thu Apr 02, 2020 7:36 am

Check with Internet Service Providers, some protocols are blocked in many countries lately.
