1 Reply Latest reply on Jan 5, 2012 3:03 AM by PhilM

    Trouble with L2TP w/IPSEC preshared key - Error 789 - Diagnostic log info


      Hello everyone.  HELP!  I am working on setting up a VPN server for a client.  Here is some background information:


      I will provide examples for the IP addresses.  These are not being used in production.


      SnapGear SG565 running version 4.0.10 firmware

      Static IP provides internet connectivity

      Port A1 vlan for company 1 (

      Port A2 vlan for company 2 (

      Port B is direct connect to internet and configured with static IP.


      Company 2 wants to provide VPN connectivity for a few workers.  I enabled L2TP w/IPSEC preshared key.


      IP Addresses to give remote hosts -

      IP Address to assign VPN server - Port A2

      Authentication Scheme - Encrypted Authentication (MS-CHAPv2)

      Required Encryption level - Strong


      User has been created and granted access to L2TP.  I've put both a static IP in for this user as well as leave it blank and I get the same response each time.  I don't think this matters right now anyway since I can't even get past the initial phase of negotiations.



      When trying to connect from any OS and any other location, I get error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.


      The system log shows the following:


      Jan  4 11:23:15 pluto[985]: "Sample_Tunnel"[54] xxx.xxx.xxx.180 #36: cannot respond to IPsec SA request because no connection is known for xx.xxx.xx.6[+S=C]:17/1701...xxx.xxx.xxx.180[xxx.xx.xx.112,+S=C]:17/1701===xxx.xx.xx.112/32
      Jan  4 11:23:15 pluto[985]: "Sample_Tunnel"[54] xxx.xxx.xxx.180 #36: sending encrypted notification INVALID_ID_INFORMATION to xxx.xxx.xxx.180:4500



      I would appreciate any help/advice that might get me past this issue.  I would be happy to answer any additional questions if I have not provided enough background.


      Thank you.



        • 1. Re: Trouble with L2TP w/IPSEC preshared key - Error 789 - Diagnostic log info

          My only IPSec exposure comes from configuring site-to-site VPNs (rather than client based connections). However, the "INVALID_ID_INFORMATION" response is something which I have seen before.


          As part of the initial negotiation phase (it may even take place before any pre-shared keys are exchanged), an "ID" value is sent from the originator end as part of the "I'd like to establish a tunnel with you" phase. Contained within that transaction is an "ID" value. For site-to-site VPNs this is, more often than not, the public IP address and this is then matched to the correct IPSec definition on the receiving end of the connection. However, the ID doesn't have to be an IP address and for client-based connections in particular (where the IP address is likely to have been dynamically assigned) another value is used. Based on my own experience I've normally used an e-mail address. It doesn't have to be a real one, but the value in question must exist in the configuration at both ends.


          From your log sample, this would appear to be a case where the client is trying to establish the connection, but the SnapGear is unable to match the credentials contained within the client connection request to a corresponding entry (which is how I would translate the first log entry).


          Having said all that, I've looked at my own SnapGear and I can't see anything within the L2TP configuration where you can add or amend a value like this one. Whereas if you look at the construction of an IPSec entry, there is an "Optional Endpoint ID" entry which is what I would use to change the ID from the default IP address value when configuring a site-to-site IPSec entry.
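To make the ID-matching point above concrete against the first log line in the question, here is an added example (not code from the poster, PhilM or SnapGear) that parses a pluto "no connection is known for" entry into its two ends and reports which ID the client presented. The addresses are constructed RFC 5737/RFC 1918 values standing in for the redacted ones, and treating bracketed tokens that start with "+" as pluto status flags rather than IDs is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample mirroring the masked pluto entry quoted in the question,
# with documentation/private addresses substituted for the redacted ones.
SAMPLE_LOG = (
    'Jan  4 11:23:15 pluto[985]: "Sample_Tunnel"[54] 198.51.100.180 #36: '
    'cannot respond to IPsec SA request because no connection is known for '
    '203.0.113.6[+S=C]:17/1701...198.51.100.180[192.168.1.112,+S=C]:17/1701'
    '===192.168.1.112/32'
)

@dataclass
class Endpoint:
    host: str               # address the IKE packets actually travel to/from
    ident: Optional[str]    # ID payload presented; None = defaulted to host
    flags: List[str]        # bracketed "+..." tokens (assumed to be pluto flags)
    proto: str              # IP protocol of the selector (17 = UDP)
    port: str               # port of the selector (1701 = L2TP)
    client: Optional[str]   # subnet proposed behind this end, if any

_END_RE = re.compile(r'(?P<host>[^\[\s]+)\[(?P<ids>[^\]]*)\]:(?P<proto>\d+)/(?P<port>\d+)')
_LINE_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<state>\d+): '
    r'cannot respond to IPsec SA request because no connection is known for (?P<spec>\S+)')

def _parse_end(text: str, remote: bool) -> Endpoint:
    client = None
    if '===' in text:  # "===" joins a traffic-selector subnet to the host part
        text, client = text.split('===', 1) if remote else reversed(text.split('===', 1))
    m = _END_RE.fullmatch(text)
    if not m:
        raise ValueError(f'unrecognised endpoint spec: {text!r}')
    tokens = [t for t in m.group('ids').split(',') if t]
    flags = [t for t in tokens if t.startswith('+')]
    ids = [t for t in tokens if not t.startswith('+')]
    return Endpoint(m.group('host'), ids[0] if ids else None, flags,
                    m.group('proto'), m.group('port'), client)

def parse_no_connection_line(line: str) -> dict:
    m = _LINE_RE.search(line)
    if not m:
        raise ValueError('not a pluto "no connection is known" line')
    local_txt, remote_txt = m.group('spec').split('...', 1)  # "..." separates the ends
    return {'conn': m.group('conn'), 'peer': m.group('peer'),
            'local': _parse_end(local_txt, remote=False),
            'remote': _parse_end(remote_txt, remote=True)}

def diagnose(parsed: dict) -> str:
    r = parsed['remote']
    if r.ident is not None and r.ident != r.host:
        return (f'peer {r.host} identified itself as {r.ident}; no connection on the '
                f'gateway accepts that ID (the second log line, port 4500, shows NAT-T)')
    return 'peer ID matches its address; compare the proposed selectors instead'
```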