@dbeato Yes

Posts made by Romo
-
RE: Help troubleshooting L2TP over IPSEC VPN connections.
@jaredbusch said in Help troubleshooting L2TP over IPSEC VPN connections.:
@romo said in Help troubleshooting L2TP over IPSEC VPN connections.:
@JaredBusch @scottalanmiller Any idea?
Is this user trying to connect from the same IP as another user?
No, a single user trying to connect from home. She connected Wednesday without a problem, but Thursday she tries to connect again and it is not possible.
Logs show
13[CFG] unable to install policy EDGE_ROUTER_IP/32[udp/l2f] === USER_PUBLIC_IP/32[udp/l2f] out (mark 0/0x00000000) for reqid 35, the same policy for reqid 14 exists 13[CFG] unable to install policy USER_PUBLIC_IP/32[udp/l2f] === EDGE_ROUTER_IP/32[udp/l2f] in (mark 0/0x00000000) for reqid 35, the same policy for reqid 14 exists
New connection can't be made because a policy with the same details is already present. If we vpn from any place that has a different public ip than the one from her home, we can establish the vpn connection without a problem.
-
RE: Help troubleshooting L2TP over IPSEC VPN connections.
@gjacobse I can connect without a problem from a different public ip
-
Help troubleshooting L2TP over IPSEC VPN connections.
So we have the VPN setup and it is working currently for 3 out of 4 users. I have been dealing with the problematic connection but can't figure out how to solve the issue. I'd really appreciate any help you guys can provide.
L2TP over IPSEC VPN
VPN Server: EdgeRouter PoE 5 v1.10.5
Client: Windows 10 v1709 build 16299.579
Windows Side
Client is properly reaching the VPN server even though the Windows error says the server is unreachable (logs below). Don't really think the problem lies on the Windows side but still, I have checked the Windows setup and everything is set according to documentation and the same as the other working clients. The machine has been rebooted (several times) and I have even uninstalled and reinstalled the WAN Miniport interfaces.
Edge Router Side
Full log - sudo swanctl --log while trying to connect.
06[NET] received packet: from USER_PUBLIC_IP[500] to EDGE_ROUTER_IP[500] (408 bytes)
06[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
06[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
06[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
06[IKE] received NAT-T (RFC 3947) vendor ID
06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
06[IKE] received FRAGMENTATION vendor ID
06[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
06[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
06[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
06[IKE] USER_PUBLIC_IP is initiating a Main Mode IKE_SA
06[ENC] generating ID_PROT response 0 [ SA V V V ]
06[NET] sending packet: from EDGE_ROUTER_IP[500] to USER_PUBLIC_IP[500] (136 bytes)
01[NET] received packet: from USER_PUBLIC_IP[500] to EDGE_ROUTER_IP[500] (228 bytes)
01[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
01[IKE] remote host is behind NAT
01[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
01[NET] sending packet: from EDGE_ROUTER_IP[500] to USER_PUBLIC_IP[500] (212 bytes)
05[NET] received packet: from USER_PUBLIC_IP[4500] to EDGE_ROUTER_IP[4500] (76 bytes)
05[ENC] parsed ID_PROT request 0 [ ID HASH ]
05[CFG] looking for pre-shared key peer configs matching EDGE_ROUTER_IP...USER_PUBLIC_IP[192.168.0.16]
05[CFG] selected peer config "remote-access"
05[IKE] IKE_SA remote-access[63] established between EDGE_ROUTER_IP[EDGE_ROUTER_IP]...USER_PUBLIC_IP[192.168.0.16]
05[IKE] DPD not supported by peer, disabled
05[ENC] generating ID_PROT response 0 [ ID HASH ]
05[NET] sending packet: from EDGE_ROUTER_IP[4500] to USER_PUBLIC_IP[4500] (76 bytes)
09[NET] received packet: from USER_PUBLIC_IP[4500] to EDGE_ROUTER_IP[4500] (444 bytes)
09[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
09[IKE] received 3600s lifetime, configured 0s
09[IKE] received 250000000 lifebytes, configured 0
09[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
09[NET] sending packet: from EDGE_ROUTER_IP[4500] to USER_PUBLIC_IP[4500] (204 bytes)
13[NET] received packet: from USER_PUBLIC_IP[4500] to EDGE_ROUTER_IP[4500] (60 bytes)
13[ENC] parsed QUICK_MODE request 1 [ HASH ]
13[CFG] unable to install policy EDGE_ROUTER_IP/32[udp/l2f] === USER_PUBLIC_IP/32[udp/l2f] out (mark 0/0x00000000) for reqid 35, the same policy for reqid 14 exists
13[CFG] unable to install policy USER_PUBLIC_IP/32[udp/l2f] === EDGE_ROUTER_IP/32[udp/l2f] in (mark 0/0x00000000) for reqid 35, the same policy for reqid 14 exists
13[CFG] unable to install policy EDGE_ROUTER_IP/32[udp/l2f] === USER_PUBLIC_IP/32[udp/l2f] out (mark 0/0x00000000) for reqid 35, the same policy for reqid 14 exists
13[CFG] unable to install policy USER_PUBLIC_IP/32[udp/l2f] === EDGE_ROUTER_IP/32[udp/l2f] in (mark 0/0x00000000) for reqid 35, the same policy for reqid 14 exists
13[IKE] unable to install IPsec policies (SPD) in kernel
13[KNL] deleting policy EDGE_ROUTER_IP/32[udp/l2f] === USER_PUBLIC_IP/32[udp/l2f] out failed, not found
13[KNL] deleting policy USER_PUBLIC_IP/32[udp/l2f] === EDGE_ROUTER_IP/32[udp/l2f] in failed, not found
13[KNL] deleting policy EDGE_ROUTER_IP/32[udp/l2f] === USER_PUBLIC_IP/32[udp/l2f] out failed, not found
13[KNL] deleting policy USER_PUBLIC_IP/32[udp/l2f] === EDGE_ROUTER_IP/32[udp/l2f] in failed, not found
13[IKE] sending DELETE for ESP CHILD_SA with SPI 740d890e
13[ENC] generating INFORMATIONAL_V1 request 3087336472 [ HASH D ]
13[NET] sending packet: from EDGE_ROUTER_IP[4500] to USER_PUBLIC_IP[4500] (76 bytes)
14[NET] received packet: from USER_PUBLIC_IP[4500] to EDGE_ROUTER_IP[4500] (76 bytes)
14[ENC] parsed INFORMATIONAL_V1 request 2912129370 [ HASH D ]
14[IKE] received DELETE for ESP CHILD_SA with SPI 740d890e
14[IKE] CHILD_SA not found, ignored
04[NET] received packet: from USER_PUBLIC_IP[4500] to EDGE_ROUTER_IP[4500] (92 bytes)
04[ENC] parsed INFORMATIONAL_V1 request 1035896583 [ HASH D ]
04[IKE] received DELETE for IKE_SA remote-access[63]
04[IKE] deleting IKE_SA remote-access[63] between EDGE_ROUTER_IP[EDGE_ROUTER_IP]...USER_PUBLIC_IP[192.168.0.16]
Checking the logs, I can see everything is working properly until these messages start to appear.
13[CFG] unable to install policy EDGE_ROUTER_IP/32[udp/l2f] === USER_PUBLIC_IP/32[udp/l2f] out (mark 0/0x00000000) for reqid 35, the same policy for reqid 14 exists 13[CFG] unable to install policy USER_PUBLIC_IP/32[udp/l2f] === EDGE_ROUTER_IP/32[udp/l2f] in (mark 0/0x00000000) for reqid 35, the same policy for reqid 14 exists
It can't install the policy for reqid 35 because there is an existing reqid (14) which has the same policy.
Indeed there is: remote-access policy 14 is a child of remote-access 28
remote-access: #28, ESTABLISHED, IKEv1, 2dba0e93f1dc2f3c:4a212e556a07f9b7
  local 'EDGE_ROUTER_IP' @ EDGE_ROUTER_IP
  remote '192.168.0.8' @ USER_PUBLIC_IP
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
  established 75540s ago
  remote-access: #14, INSTALLED, TRANSPORT-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96
    installed 75207 ago
    in c9a20ab8, 2965565 bytes, 32775 packets, 8314s ago
    out 8fadd716, 44934358 bytes, 50838 packets, 8268s ago
    local EDGE_ROUTER_IP/32[udp/l2f]
    remote USER_PUBLIC_IP/32[udp/l2f]
This leads me to believe the user may already be connected via another machine, but the user doesn't show as online when using
show vpn remote-access
Any idea how to fix the conflict with the duplicate policies and why it is happening?
Only thing I haven't done is rebooting the edge router since other users are working fine and don't want to cause a disruption for them.
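The conflict described in the two posts above, worked as an added example that is not part of the original thread and not EdgeOS or strongSwan code: a small Python script that pulls every "unable to install policy ... the same policy for reqid N exists" message out of a swanctl --log capture (it also works on the run-together paste above, since it does not depend on line breaks), parses swanctl --list-sas, finds the IKE_SA whose CHILD_SA still holds the blocking reqid, and flags it as stale when neither direction has carried a packet for half an hour. It assumes that the "#14" shown in --list-sas is the same number as reqid 14 (the reading taken in the post), that the idle threshold is a fair proxy for a dead peer, and that terminating just the owning IKE_SA with swanctl --terminate --ike-id is preferable to rebooting the router while the other three users are connected. The sample log and SA listing are constructed in the layout of the output above, with RFC 5737 documentation addresses in place of the real ones.

```python
"""Added example, not code from the thread: tie strongSwan's "the same policy for
reqid N exists" back to the IKE_SA that still owns reqid N and say whether it
looks dead. Assumptions (not on the page): the CHILD_SA "#N" in --list-sas is its
reqid, and STALE_AFTER seconds of silence in both directions means a dead peer.
All sample text is constructed in the layout of the thread's output."""
import re

STALE_AFTER = 1800  # seconds of silence before a CHILD_SA counts as dead (assumption)

# strongSwan's message when a new CHILD_SA repeats the selectors of an installed one
POLICY_CONFLICT = re.compile(
    r"unable to install policy (?P<src>\S+) === (?P<dst>\S+) (?P<dir>in|out) "
    r".*?for reqid (?P<new>\d+), the same policy for reqid (?P<old>\d+) exists")
IKE_LINE = re.compile(r"^(?P<name>\S+): #(?P<id>\d+), (?P<state>[A-Z_]+), IKEv\d")
CHILD_LINE = re.compile(r"^\s+(?P<name>\S+): #(?P<id>\d+), (?P<state>[A-Z_]+), (?P<mode>\S+), ESP")
AGO = re.compile(r"(\d+)s? ago")  # the thread's paste has both "8314s ago" and "75207 ago"

SAMPLE_LOG = """\
05[IKE] IKE_SA remote-access[63] established between 203.0.113.10[203.0.113.10]...198.51.100.25[192.168.0.16]
05[IKE] DPD not supported by peer, disabled
13[CFG] unable to install policy 203.0.113.10/32[udp/l2f] === 198.51.100.25/32[udp/l2f] out (mark 0/0x00000000) for reqid 35, the same policy for reqid 14 exists
13[CFG] unable to install policy 198.51.100.25/32[udp/l2f] === 203.0.113.10/32[udp/l2f] in (mark 0/0x00000000) for reqid 35, the same policy for reqid 14 exists
13[IKE] unable to install IPsec policies (SPD) in kernel
"""
SAMPLE_SAS = """\
remote-access: #28, ESTABLISHED, IKEv1, 2dba0e93f1dc2f3c:4a212e556a07f9b7
  local  '203.0.113.10' @ 203.0.113.10
  remote '192.168.0.8' @ 198.51.100.25
  established 75540s ago
  remote-access: #14, INSTALLED, TRANSPORT-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96
    installed 75207 ago
    in  c9a20ab8,   2965565 bytes, 32775 packets,  8314s ago
    out 8fadd716,  44934358 bytes, 50838 packets,  8268s ago
    local  203.0.113.10/32[udp/l2f]
    remote 198.51.100.25/32[udp/l2f]
"""


def find_policy_conflicts(log_text):
    """One entry per (new reqid, blocking reqid); line breaks in the capture do not matter."""
    found = {}
    for m in POLICY_CONFLICT.finditer(log_text):
        key = (int(m["new"]), int(m["old"]))
        e = found.setdefault(key, {"new_reqid": key[0], "blocking_reqid": key[1],
                                   "src": m["src"], "dst": m["dst"], "directions": set()})
        e["directions"].add(m["dir"])
    return [dict(e, directions=sorted(e["directions"])) for e in found.values()]


def _ago(line):
    m = AGO.search(line)
    return int(m.group(1)) if m else None


def parse_list_sas(text):
    """Parse `swanctl --list-sas` output into {ike_id: {..., "children": {child_id: {...}}}}."""
    sas, ike, child = {}, None, None
    for raw in text.splitlines():
        m = IKE_LINE.match(raw)
        if m:
            ike = sas.setdefault(int(m["id"]), {"state": m["state"], "remote": None,
                                                "established": None, "children": {}})
            child = None
            continue
        m = CHILD_LINE.match(raw) if ike is not None else None
        if m:
            child = ike["children"].setdefault(int(m["id"]), {
                "state": m["state"], "mode": m["mode"], "installed": None,
                "last_in": None, "last_out": None, "local_ts": None, "remote_ts": None})
            continue
        s = raw.strip()
        if child is not None:  # attribute lines of the current CHILD_SA
            for prefix, key in (("installed", "installed"), ("in ", "last_in"), ("out ", "last_out")):
                if s.startswith(prefix):
                    child[key] = _ago(s)
            if s.startswith(("local ", "remote ")):
                child[s.split()[0] + "_ts"] = s.split()[-1]
        elif ike is not None:  # attribute lines of the current IKE_SA
            if s.startswith("remote "):
                ike["remote"] = s.split("@")[-1].strip()
            elif s.startswith("established"):
                ike["established"] = _ago(s)
    return sas


def idle_seconds(child):
    seen = [t for t in (child["last_in"], child["last_out"]) if t is not None]
    return min(seen) if seen else None


def is_stale(child, threshold=STALE_AFTER):
    idle = idle_seconds(child)
    return idle is not None and idle > threshold


def diagnose(log_text, list_sas_text):
    """Map each conflict to the SA holding the blocking reqid and propose an action."""
    sas = parse_list_sas(list_sas_text)
    findings = []
    for c in find_policy_conflicts(log_text):
        owner = [(i, k) for i, k in sas.items() if c["blocking_reqid"] in k["children"]]
        f = dict(c, ike_id=None, peer=None, idle_s=None, stale=None)
        if not owner:
            f["action"] = "no SA owns reqid %d; inspect the kernel SPD with 'ip xfrm policy'" % c["blocking_reqid"]
        else:
            ike_id, ike = owner[0]
            child = ike["children"][c["blocking_reqid"]]
            f.update(ike_id=ike_id, peer=ike["remote"], idle_s=idle_seconds(child), stale=is_stale(child))
            f["action"] = ("swanctl --terminate --ike-id %d" % ike_id if f["stale"] else
                           "SA still carries traffic; another client behind %s is probably active" % ike["remote"])
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG, SAMPLE_SAS):
        print("reqid %(new_reqid)s blocked by reqid %(blocking_reqid)s on %(directions)s; owner IKE_SA "
              "#%(ike_id)s peer %(peer)s, idle %(idle_s)ss, stale=%(stale)s -> %(action)s" % f)
```

Two details in the original output support the stale-SA reading. The lingering SA identifies its peer as 192.168.0.8 while the failing attempt identifies as 192.168.0.16, a different private address behind the same home NAT, and the responder logged "DPD not supported by peer, disabled", so it has no liveness check of its own to notice when that earlier session vanished and will keep the transport-mode udp/l2f policy for that public IP until something tears the SA down. Terminating only the stale IKE_SA by its id leaves the other users' SAs untouched, which is why the script prefers that over a router reboot.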
-
RE: URL filtering on EdgeRouter
@black3dynamite But is it still doing a MITM to block it or is it doing it some other way?
-
RE: URL filtering on EdgeRouter
Does Squidguard block https sites now? I used to have it setup on our pfSense firewall but it didn't block https back when we used it.
-
RE: Yealink T4XG phones will not talk to FreePBX 14 over HTTPS
@jaredbusch Great, thank you =), enjoy the rest of your vacation.
-
RE: Yealink T4XG phones will not talk to FreePBX 14 over HTTPS
@jaredbusch I can reach https://my-pbx-url.com:1443 manually just fine, but the phones don't seem to even try to reach the URL and once I change to HTTP and its port the phones download the config file just fine.
-
RE: Yealink T4XG phones will not talk to FreePBX 14 over HTTPS
@jaredbusch They are running 66.83.0.30
-
RE: Yealink T4XG phones will not talk to FreePBX 14 over HTTPS
@JaredBusch I cannot get the T42S to talk to the pbx using https. I had to use http after reading your thread on the FreePBX forum and it started working. Hadn't even realized your trouble was only for the G models.
-
RE: Yealink T4XG phones will not talk to FreePBX 14 over HTTPS
Sorry to resurrect an old thread
@JaredBusch Did you ever get the phones to talk to the pbx (Freepbx 14) via https using the Let's Encrypt certs?
-
RE: Fedora Install Issues on Dell PowerEdge R740
The documentation says text mode doesn't allow LVM setup
But the installer does allow the option now, so that probably means they have been working on it
-
RE: Fedora Install Issues on Dell PowerEdge R740
@scottalanmiller Lol well I missed that, but I did get into text mode.
-
RE: Fedora Install Issues on Dell PowerEdge R740
@scottalanmiller What were the alternative installer options, basic graphics mode?
inst.xdriver=vesa
or inst.text
-
RE: CSS help
@wls-itguy search for the margin properties, headers usually have by default a lot more than paragraphs.
Usually people reset all the margins and paddings on the page elements to 0 and then set them to the value of their choosing.
For example, here in yellow are the default margins for an h5 set by the nodebb devs and shown in mangolassi.
-
RE: What Are You Doing Right Now
@scottalanmiller said in What Are You Doing Right Now:
@romo said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
@kelly said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
Keeping an eye on the Panama Belgium game.
I forgot that these were going on. Now I know what I'm going to have running in the background...
Some HUGE upsets yesterday. Switzerland stopped Brasil's opening win streak running since 1978. And Mexico upset Germany in a win so big and unexpected that when the winning goal was made Mexico City registered an earthquake from the people jumping and stamping!
Great upset indeed, we celebrated really hard but no earthquake was registered, that was a pretty big exaggeration.
SSN (Servicio Sismológico Nacional), which is our official research center for seismic activity (twitter handle https://twitter.com/sismologicomx?lang=en), has already denied the different stories written due to that tweet.
But it is still so much easier and attractive to keep running a fake story due to a soccer win from our national team and especially against Germany.
-
RE: What Are You Doing Right Now
@scottalanmiller said in What Are You Doing Right Now:
@kelly said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
Keeping an eye on the Panama Belgium game.
I forgot that these were going on. Now I know what I'm going to have running in the background...
Some HUGE upsets yesterday. Switzerland stopped Brasil's opening win streak running since 1978. And Mexico upset Germany in a win so big and unexpected that when the winning goal was made Mexico City registered an earthquake from the people jumping and stamping!
Great upset indeed, we celebrated really hard but no earthquake was registered, that was a pretty big exaggeration.