[ https://issues.apache.org/jira/browse/CLOUDSTACK-9212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15107703#comment-15107703 ]
Adrian Sender commented on CLOUDSTACK-9212:
-------------------------------------------

How to reproduce bug.

1. Install Windows 7.
2. Configure network with internet facing public IP address.
3. Enable VPN on source NAT address in CS.
4. Set up VPN client with user/pass and preshared key using the Windows VPN wizard.
5. Internet facing VPN client on Windows 7 fails to connect.
6. Put same Windows 7 machine behind NAT, VPN works.

Logs for public IP address, note the connection fails.

root@r-4045-VM:~# cat /var/log/auth.log
Jan 20 00:01:36 r-4045-VM pluto[4569]: packet from 128.250.116.181:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Jan 20 00:01:36 r-4045-VM pluto[4569]: packet from 128.250.116.181:500: received Vendor ID payload [RFC 3947] method set to=109
Jan 20 00:01:36 r-4045-VM pluto[4569]: packet from 128.250.116.181:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jan 20 00:01:36 r-4045-VM pluto[4569]: packet from 128.250.116.181:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan 20 00:01:36 r-4045-VM pluto[4569]: packet from 128.250.116.181:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jan 20 00:01:36 r-4045-VM pluto[4569]: packet from 128.250.116.181:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jan 20 00:01:36 r-4045-VM pluto[4569]: packet from 128.250.116.181:500: ignoring Vendor ID payload [IKE CGA version 1]
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #67: responding to Main Mode from unknown peer 128.250.116.181
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #67: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #67: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #67: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #67: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #67: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #67: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #67: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #67: Main mode peer ID is ID_IPV4_ADDR: '128.250.116.181'
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #67: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #67: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #67: the peer proposed: 103.6.252.199/32:17/1701 -> 128.250.116.181/32:17/1701
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #68: responding to Quick Mode proposal {msgid:01000000}
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #68: us: 103.6.252.199<103.6.252.199>[+S=C]:17/1701
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #68: them: 128.250.116.181[+S=C]:17/1701
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #68: keeping refhim=4294901761 during rekey
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #68: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #68: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #68: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #68: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x1677a1c0 <0x241ef249 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jan 20 00:01:54 r-4045-VM sshd[8198]: Accepted publickey for root from 169.254.0.1 port 38084 ssh2
Jan 20 00:01:54 r-4045-VM sshd[8198]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 20 00:01:54 r-4045-VM sshd[8198]: pam_unix(sshd:session): session closed for user root
Jan 20 00:02:11 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #67: received Delete SA(0x1677a1c0) payload: deleting IPSEC State #68
Jan 20 00:02:11 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #67: received and ignored informational message
Jan 20 00:02:11 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #67: received Delete SA payload: deleting ISAKMP State #67
Jan 20 00:02:11 r-4045-VM pluto[4569]: packet from 128.250.116.181:500: received and ignored informational message

Here is the same machine but I changed the networking so I am on NAT, no other configuration settings were changed. In this case I am able to connect to the CloudStack Remote Access VPN.

root@r-4045-VM:~# cat /var/log/auth.log
Jan 19 23:34:10 r-4045-VM pluto[4569]: packet from 128.250.116.180:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Jan 19 23:34:10 r-4045-VM pluto[4569]: packet from 128.250.116.180:500: received Vendor ID payload [RFC 3947] method set to=109
Jan 19 23:34:10 r-4045-VM pluto[4569]: packet from 128.250.116.180:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jan 19 23:34:10 r-4045-VM pluto[4569]: packet from 128.250.116.180:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan 19 23:34:10 r-4045-VM pluto[4569]: packet from 128.250.116.180:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jan 19 23:34:10 r-4045-VM pluto[4569]: packet from 128.250.116.180:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jan 19 23:34:10 r-4045-VM pluto[4569]: packet from 128.250.116.180:500: ignoring Vendor ID payload [IKE CGA version 1]
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 128.250.116.180 #65: responding to Main Mode from unknown peer 128.250.116.180
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 128.250.116.180 #65: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 128.250.116.180 #65: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 128.250.116.180 #65: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 128.250.116.180 #65: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 128.250.116.180 #65: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 128.250.116.180 #65: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 128.250.116.180 #65: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 128.250.116.180 #65: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.82'
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 128.250.116.180 #65: switched from "L2TP-PSK" to "L2TP-PSK"
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 128.250.116.180 #65: deleting connection "L2TP-PSK" instance with peer 128.250.116.180 {isakmp=#0/ipsec=#0}
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 128.250.116.180 #65: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 128.250.116.180 #65: new NAT mapping for #65, was 128.250.116.180:500, now 128.250.116.180:4500
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 128.250.116.180 #65: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 128.250.116.180 #65: the peer proposed: 103.6.252.199/32:17/1701 -> 192.168.1.82/32:17/0
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 128.250.116.180 #65: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 128.250.116.180 #66: responding to Quick Mode proposal {msgid:01000000}
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 128.250.116.180 #66: us: 103.6.252.199<103.6.252.199>[+S=C]:17/1701
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 128.250.116.180 #66: them: 128.250.116.180[192.168.1.82,+S=C]:17/1701
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 128.250.116.180 #66: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 128.250.116.180 #66: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 128.250.116.180 #66: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 128.250.116.180 #66: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xe3a6868c <0xbfcf6dcb xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.82 NATD=128.250.116.180:4500 DPD=none}
Jan 19 23:34:28 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 128.250.116.180 #65: received Delete SA(0xe3a6868c) payload: deleting IPSEC State #66
Jan 19 23:34:28 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 128.250.116.180 #65: received and ignored informational message
Jan 19 23:34:28 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 128.250.116.180 #65: received Delete SA payload: deleting ISAKMP State #65
Jan 19 23:34:28 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 128.250.116.180: deleting connection "L2TP-PSK" instance with peer 128.250.116.180 {isakmp=#0/ipsec=#0}
Jan 19 23:34:28 r-4045-VM pluto[4569]: packet from 128.250.116.180:4500: received and ignored informational message
Jan 19 23:35:01 r-4045-VM CRON[7995]: pam_unix(cron:session): session closed for user root

> Cannot Connect to VPN with Public IP on Windows 7 L2TP IPSEC VPN Client
> -----------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-9212
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9212
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Virtual Router
>    Affects Versions: 4.3.1, 4.5.1
>         Environment: Cloudstack 4.3.x 4.5.1
> Xenserver 6.5
> Advanced Networking
>            Reporter: Adrian Sender
>
> Cannot connect to VR VPN using internet facing public IP address on client.
> Can only connect when VPN client is using NAT

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
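The useful reading of the two auth.log excerpts above is that IKE phase 1 and phase 2 complete in both runs (ISAKMP SA and IPsec SA are established and the peer later sends Delete SA), so the difference between the failing public-IP client and the working NATed client lies in what NAT-T decided (no NAT vs peer is NATed, UDP 500 vs 4500, NATD=none vs NATD=...:4500, selector port 1701 vs 0), not in the IKE negotiation itself. The script below is an added diagnostic example and is not from the issue, the reporter, CloudStack or Openswan. It reduces pluto log lines to a per-session summary and prints where the failure sits relative to the IKE exchange. The PUBLIC_IP_LOG and NAT_LOG constants are abridged copies of the excerpts quoted in the comment; the hints produced by diagnose() are general RFC 3947/3948 NAT-T behaviour (ESP is only UDP-encapsulated when a NAT was detected), not this issue's confirmed root cause.

```python
"""Place an L2TP/IPsec failure relative to the IKE exchange from pluto auth.log lines.

Added example for CLOUDSTACK-9212; not CloudStack or Openswan code. Parses the two
auth.log excerpts quoted in the comment and reports what IKE negotiated in each.
"""
import re
from datetime import datetime

# Sample input: abridged copies of the two pluto excerpts quoted in the comment.
PUBLIC_IP_LOG = """\
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #67: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #67: Main mode peer ID is ID_IPV4_ADDR: '128.250.116.181'
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #67: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #67: the peer proposed: 103.6.252.199/32:17/1701 -> 128.250.116.181/32:17/1701
Jan 20 00:01:36 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #68: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x1677a1c0 <0x241ef249 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jan 20 00:02:11 r-4045-VM pluto[4569]: "L2TP-PSK"[23] 128.250.116.181 #67: received Delete SA(0x1677a1c0) payload: deleting IPSEC State #68
"""
NAT_LOG = """\
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 128.250.116.180 #65: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[28] 128.250.116.180 #65: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.82'
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 128.250.116.180 #65: new NAT mapping for #65, was 128.250.116.180:500, now 128.250.116.180:4500
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 128.250.116.180 #65: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 128.250.116.180 #65: the peer proposed: 103.6.252.199/32:17/1701 -> 192.168.1.82/32:17/0
Jan 19 23:34:10 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 128.250.116.180 #66: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xe3a6868c <0xbfcf6dcb xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.82 NATD=128.250.116.180:4500 DPD=none}
Jan 19 23:34:28 r-4045-VM pluto[4569]: "L2TP-PSK"[29] 128.250.116.180 #65: received Delete SA(0xe3a6868c) payload: deleting IPSEC State #66
"""

# 'Mon DD HH:MM:SS host pluto[pid]: "conn"[n] peer #state: message'
LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
                     r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<state>\d+): (?P<msg>.*)$')
PROPOSAL_RE = re.compile(r'the peer proposed: \S+:(?P<lproto>\d+)/(?P<lport>\d+) -> '
                         r'(?P<rsub>\S+):(?P<rproto>\d+)/(?P<rport>\d+)')
PEER_ID_RE = re.compile(r"peer ID is (?P<kind>\w+): '(?P<id>[^']*)'")
NAT_PORT_RE = re.compile(r'now [\d.]+:(?P<port>\d+)')


def _braces(msg):
    """Turn pluto's trailing '{k=v k=v ...}' into a dict; '<0x..' is the inbound ESP SPI."""
    out = {}
    for tok in msg[msg.index('{') + 1:msg.rindex('}')].split():
        if '=' in tok:
            key, _, val = tok.partition('=')
            out[key] = val.lstrip('>')  # 'ESP=>0x..' is the outbound SPI
        elif tok.startswith('<'):
            out['ESP_in'] = tok[1:]
    return out


def summarize(log_text):
    """Reduce one peer's pluto lines to what IKE negotiated."""
    s = {'peer': None, 'peer_id': None, 'nat_detected': None, 'nat_port': None,
         'isakmp': {}, 'proposal': {}, 'ipsec': {}, 'lifetime_s': None}
    established = deleted = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # 'packet from ...' and non-pluto lines carry no state number
        msg, ts = m['msg'], datetime.strptime(m['ts'], '%b %d %H:%M:%S')
        s['peer'] = m['peer']
        if 'NAT-Traversal: Result' in msg:
            s['nat_detected'] = msg.endswith('peer is NATed')
        elif 'new NAT mapping' in msg:
            s['nat_port'] = NAT_PORT_RE.search(msg)['port']
        elif 'ISAKMP SA established' in msg:
            s['isakmp'] = _braces(msg)
        elif 'IPsec SA established' in msg:
            s['ipsec'], established = _braces(msg), ts
        elif 'deleting IPSEC State' in msg:
            deleted = ts
        elif (p := PEER_ID_RE.search(msg)):
            s['peer_id'] = p['id']
        elif (p := PROPOSAL_RE.search(msg)):
            s['proposal'] = p.groupdict()
    if established and deleted:
        s['lifetime_s'] = int((deleted - established).total_seconds())
    return s


def diagnose(s):
    """Findings read off the summary; the NAT-T hints are generic RFC 3947/3948 behaviour."""
    if not s['isakmp']:
        return ['phase 1 failed: no ISAKMP SA established']
    if not s['ipsec']:
        return ['phase 2 failed: ISAKMP SA up but no IPsec SA']
    out = ['IKE phases 1 and 2 completed (%s, %s); the failure is after IPsec, in L2TP (UDP 1701) or PPP'
           % (s['isakmp'].get('cipher'), s['ipsec'].get('xfrm'))]
    if s['nat_detected']:
        out.append('peer is NATed: IKE floated to UDP %s and ESP is UDP-encapsulated (NATD=%s)'
                   % (s['nat_port'], s['ipsec'].get('NATD')))
    else:
        out.append('no NAT detected: IKE stays on UDP 500 and ESP arrives from %s as raw IP protocol 50, '
                   'not on UDP 4500; the router must accept protocol 50 itself' % s['peer'])
    out.append('peer selector: inner ID %s, client L2TP port %s/%s'
               % (s['peer_id'], s['proposal'].get('rproto'), s['proposal'].get('rport')))
    if s['lifetime_s'] is not None:
        out.append('peer deleted the IPsec SA after %d s' % s['lifetime_s'])
    return out


if __name__ == '__main__':
    for label, text in (('client on public IP', PUBLIC_IP_LOG), ('client behind NAT', NAT_LOG)):
        print('==', label)
        for finding in diagnose(summarize(text)):
            print('  -', finding)
```

Run it against a full /var/log/auth.log by passing the lines for one peer address to summarize(); lines without a "#state:" marker (Vendor ID chatter, sshd, cron) are skipped. The point of the raw-protocol-50 finding is that it is the one path the NATed client never exercises: with NAT-T active, everything from the client reaches the router as UDP, while the public-IP client's ESP must be accepted as IP protocol 50 on the source NAT address.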