Hi Guys
Recently updated my ERPoE to v1.8 and have been having a few issues with VPN since then.
IPsec site-to-site had issues initially, which were related to PFS settings and were resolved (http://community.ubnt.com/t5/EdgeMAX-Beta/1-8-0a1-Entire-VPN-tree-configuration-disappeared-after-update/m-p/1338518#U1338518)
My L2TP remote access VPNs have not been working since the upgrade. The swanctl --log command gives the following. The VPN section of the config is also attached.
I'm at a loss - outside my expertise. Can anyone shed some light on this for me?
Thanks!
06[ENC] generating INFORMATIONAL_V1 request 136326413 [ N(NO_PROP) ]
06[NET] sending packet: from xxx.xxx.xxx.10[500] to xxx.xxx.xxx.7[500] (56 bytes)
15[NET] received packet: from xxx.xxx.xxx.7[500] to xxx.xxx.xxx.10[500] (500 bytes)
15[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
15[IKE] received NAT-T (RFC 3947) vendor ID
15[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
15[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
15[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
15[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
15[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
15[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
15[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
15[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
15[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
15[IKE] received FRAGMENTATION vendor ID
15[IKE] received DPD vendor ID
15[IKE] xxx.xxx.xxx.7 is initiating a Main Mode IKE_SA
15[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
15[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
15[IKE] no proposal found
ipsec {
    auto-firewall-nat-exclude disable
    disable-uniqreqids
    esp-group ESP-Group1 {
        compression disable
        lifetime 1800
        mode tunnel
        pfs dh-group19
        proposal 1 {
            encryption 3des
            hash sha1
        }
    }
    esp-group ESP-Group2 {
        compression disable
        lifetime 600
        mode tunnel
        pfs dh-group2
        proposal 1 {
            encryption 3des
            hash sha1
        }
    }
    ike-group IKE-Group1 {
        dead-peer-detection {
            action clear
            interval 30
            timeout 90
        }
        key-exchange ikev1
        lifetime 3600
        proposal 1 {
            dh-group 2
            encryption 3des
            hash sha1
        }
        proposal 2 {
            dh-group 2
            encryption 3des
            hash sha1
        }
    }
    ike-group IKE-Group2 {
        key-exchange ikev1
        lifetime 3600
        proposal 1 {
            dh-group 19
            encryption 3des
            hash sha1
        }
    }
    ipsec-interfaces {
        interface pppoe0
    }
    nat-networks {
        allowed-network 0.0.0.0/0 {
        }
    }
    nat-traversal enable
    site-to-site {
        peer xxx.xxx.xxx.114 {
            authentication {
                mode pre-shared-secret
                pre-shared-secret ******
            }
            connection-type respond
            default-esp-group ESP-Group2
            ike-group IKE-Group1
            local-address xxx.xxx.xxx.10
            tunnel 1 {
                allow-nat-networks disable
                allow-public-networks disable
                esp-group ESP-Group1
                local {
                    prefix ***.***.***.0/24
                }
                remote {
                    prefix ***.***.***.0/24
                }
            }
        }
        peer ***.***.***.7 {
            authentication {
                mode pre-shared-secret
                pre-shared-secret ******
            }
            connection-type respond
            default-esp-group ESP-Group1
            ike-group IKE-Group2
            local-address ***.***.***.10
            tunnel 1 {
                esp-group ESP-Group1
                local {
                    prefix ***.***.***.0/24
                }
                remote {
                    prefix ***.***.***.0/24
                }
            }
        }
    }
}
l2tp {
    remote-access {
        authentication {
            local-users {
                username number1 {
                    password *****
                }
            }
            mode local
        }
        client-ip-pool {
            start 192.168.11.60
            stop 192.168.11.69
        }
        dns-servers {
            server-1 ***.***.***.20
            server-2 8.8.4.4
        }
        ipsec-settings {
            authentication {
                mode pre-shared-secret
                pre-shared-secret *****
            }
            ike-lifetime 3600
        }
        mtu 1492
        outside-address ***.***.***.10
        outside-nexthop ***.***.***.245
    }
}
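Added example (editor's code, not part of the original post or of EdgeOS/strongSwan): the "no proposal found" line in the log is strongSwan reporting that none of the peer's "received proposals" agrees on every attribute with the local "configured proposals". The script below parses those two CFG lines (the sample is copied from the log above and embedded so it runs offline), looks for a full match, and if there is none lists the attribute(s) with no overlap at all. On this log every attribute overlaps except the DH group: the peer offers only MODP_1024 (IKE group 2) while the responder accepts only ECP_256 (IKE group 19). All function and variable names are my own.

```python
import re

# Constructed sample input: the two [CFG] lines and the result line from the
# swanctl --log output in the post above, embedded here so the script runs offline.
LOG = """\
15[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
15[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
15[IKE] no proposal found
"""

# Attribute order in a strongSwan IKE proposal string: enc/integ/prf/dh-group.
FIELDS = ("encryption", "integrity", "prf", "dh_group")

PROPOSAL_RE = re.compile(r"\[CFG\] (received|configured) proposals: (.*)")


def parse_proposals(text):
    """Return {'received': [...], 'configured': [...]} with one dict per IKE proposal."""
    out = {"received": [], "configured": []}
    for line in text.splitlines():
        m = PROPOSAL_RE.search(line)
        if not m:
            continue
        for item in m.group(2).split(", "):
            proto, _, algs = item.partition(":")
            parts = algs.split("/")
            # Only classic 4-part IKE proposals are handled; ESP/AH or AEAD forms are skipped.
            if proto != "IKE" or len(parts) != 4:
                continue
            out[m.group(1)].append(dict(zip(FIELDS, parts)))
    return out


def find_match(received, configured):
    """First (received, configured) pair that agrees on every attribute, else None."""
    for r in received:
        for c in configured:
            if all(r[f] == c[f] for f in FIELDS):
                return r, c
    return None


def blocking_attributes(received, configured):
    """Attributes where nothing the peer offered is in the locally accepted set."""
    report = {}
    for f in FIELDS:
        offered = {p[f] for p in received}
        accepted = {p[f] for p in configured}
        if not offered & accepted:
            report[f] = {"offered": sorted(offered), "accepted": sorted(accepted)}
    return report


def analyse(text):
    """Summarise why strongSwan did or did not find a proposal in this log excerpt."""
    props = parse_proposals(text)
    match = find_match(props["received"], props["configured"])
    if match:
        return {"match": match[0], "blocking": {}}
    return {"match": None,
            "blocking": blocking_attributes(props["received"], props["configured"])}


if __name__ == "__main__":
    result = analyse(LOG)
    if result["match"]:
        print("proposal selected:", "/".join(result["match"][f] for f in FIELDS))
    else:
        for field, sets in result["blocking"].items():
            print(f"no overlap on {field}: peer offers {sets['offered']}, "
                  f"we accept {sets['accepted']}")
```

Run against the excerpt it prints a single line naming dh_group as the attribute with no overlap; if the configured line is edited to use MODP_1024, the 3DES_CBC/HMAC_SHA1_96 proposal matches and the script reports the selected proposal instead. The per-attribute view is what a practitioner wants from this kind of log: a full proposal can fail on one attribute while every other algorithm is shared.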