vpn - Peer requested tunnel 1 twice, ignoring second one

[PPisz]

I'm having trouble with VPN tunnels. Generally, once configured, they work correctly. However, after connecting and disconnecting the tunnel several times, no clients are accepted. The following information appears in the daemon.log:

Jul 16 18:36:56 systemvm ipsec[8324]: 07[IKE] 109.189.123.78 is initiating a Main Mode IKE_SA Jul 16 18:36:56 systemvm ipsec[8324]: 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 Jul 16 18:36:56 systemvm ipsec[8324]: 07[ENC] generating ID_PROT response 0 [ SA V V V V ] Jul 16 18:36:56 systemvm ipsec[8324]: 07[NET] sending packet: from 91.223.68.218[500] to 109.189.123.78[500] (160 bytes) Jul 16 18:36:56 systemvm ipsec[8324]: 11[NET] received packet: from 109.189.123.78[500] to 91.223.68.218[500] (388 bytes) Jul 16 18:36:56 systemvm ipsec[8324]: 11[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ] Jul 16 18:36:56 systemvm ipsec[8324]: 11[IKE] remote host is behind NAT Jul 16 18:36:56 systemvm ipsec[8324]: 11[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ] Jul 16 18:36:56 systemvm ipsec[8324]: 11[NET] sending packet: from 91.223.68.218[500] to 109.189.123.78[500] (372 bytes) Jul 16 18:36:56 systemvm ipsec[8324]: 08[NET] received packet: from 109.189.123.78[4500] to 91.223.68.218[4500] (76 bytes) Jul 16 18:36:56 systemvm ipsec[8324]: 08[ENC] parsed ID_PROT request 0 [ ID HASH ] Jul 16 18:36:56 systemvm ipsec[8324]: 08[CFG] looking for pre-shared key peer configs matching 91.223.68.218...109.189.123.78[10.2.2.127] Jul 16 18:36:56 systemvm ipsec[8324]: 08[CFG] selected peer config "L2TP-PSK" Jul 16 18:36:56 systemvm ipsec[8324]: 08[IKE] IKE_SA L2TP-PSK[9] established between 91.223.68.218[91.223.68.218]...109.189.123.78[10.2.2.127] Jul 16 18:36:56 systemvm ipsec[8324]: 08[ENC] generating ID_PROT response 0 [ ID HASH ] Jul 16 18:36:56 systemvm ipsec[8324]: 08[NET] sending packet: from 91.223.68.218[4500] to 109.189.123.78[4500] (76 bytes) Jul 16 18:36:56 systemvm ipsec[8324]: 06[NET] received packet: from 109.189.123.78[4500] to 91.223.68.218[4500] (332 bytes) Jul 16 18:36:56 systemvm ipsec[8324]: 06[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ] Jul 16 18:36:56 systemvm ipsec[8324]: 06[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ Jul 16 18:36:56 systemvm ipsec[8324]: 06[IKE] received 3600s lifetime, configured 0s Jul 16 18:36:56 systemvm ipsec[8324]: 06[IKE] received 250000000 lifebytes, configured 0 Jul 16 18:36:57 systemvm charon: 06[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ Jul 16 18:36:57 systemvm ipsec[8324]: 06[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ] Jul 16 18:36:57 systemvm charon: 06[IKE] received 3600s lifetime, configured 0s Jul 16 18:36:57 systemvm charon: 06[IKE] received 250000000 lifebytes, configured 0 Jul 16 18:36:57 systemvm charon: 06[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ] Jul 16 18:36:57 systemvm charon: 06[NET] sending packet: from 91.223.68.218[4500] to 109.189.123.78[4500] (204 bytes) Jul 16 18:36:57 systemvm charon: 05[NET] received packet: from 109.189.123.78[4500] to 91.223.68.218[4500] (60 bytes) Jul 16 18:36:57 systemvm charon: 05[ENC] parsed QUICK_MODE request 1 [ HASH ] Jul 16 18:36:57 systemvm charon: 05[IKE] CHILD_SA L2TP-PSK{7} established with SPIs c3e5d7ce_i 23e570fe_o and TS 91.223.68.218/32[udp/l2f] === 109.189.123.78/32[udp/l2f] Jul 16 18:36:58 systemvm charon: 08[KNL] creating acquire job for policy 83.168.93.105/32[udp/l2f] === 109.189.123.78/32[udp/l2f] with reqid {1} Jul 16 18:36:58 systemvm charon: 08[IKE] initiating IKE_SA L2TP-PSK[10] to 109.189.123.78 Jul 16 18:36:58 systemvm charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] Jul 16 18:36:58 systemvm charon: 08[NET] sending packet: from 83.168.93.105[500] to 109.189.123.78[500] (828 bytes) Jul 16 18:36:58 systemvm charon: 06[NET] received packet: from 109.189.123.78[500] to 83.168.93.105[500] (36 bytes) Jul 16 18:36:58 systemvm charon: 06[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ] Jul 16 18:36:58 systemvm charon: 06[IKE] received NO_PROPOSAL_CHOSEN notify error Jul 16 18:37:00 systemvm xl2tpd[8347]: control_finish: Peer requested tunnel 5 twice, ignoring second one. Jul 16 18:37:02 systemvm systemd[1]: Started session-212.scope - Session 212 of User root. Jul 16 18:37:02 systemvm systemd[1]: session-212.scope: Deactivated successfully. Jul 16 18:37:04 systemvm xl2tpd[8347]: control_finish: Peer requested tunnel 5 twice, ignoring second one. Jul 16 18:37:12 systemvm xl2tpd[8347]: control_finish: Peer requested tunnel 5 twice, ignoring second one. Jul 16 18:37:22 systemvm xl2tpd[8347]: control_finish: Peer requested tunnel 5 twice, ignoring second one. Jul 16 18:37:29 systemvm xl2tpd[8347]: Maximum retries exceeded for tunnel 30141. Closing. Jul 16 18:37:29 systemvm xl2tpd[8347]: Connection 5 closed to 109.189.123.78, port 1701 (Timeout) Jul 16 18:37:32 systemvm charon: 16[NET] received packet: from 109.189.123.78[4500] to 91.223.68.218[4500] (76 bytes) Jul 16 18:37:32 systemvm charon: 16[ENC] parsed INFORMATIONAL_V1 request 3657915425 [ HASH D ] Jul 16 18:37:32 systemvm charon: 16[IKE] received DELETE for ESP CHILD_SA with SPI 23e570fe Jul 16 18:37:32 systemvm charon: 16[IKE] closing CHILD_SA L2TP-PSK{7} with SPIs c3e5d7ce_i (540 bytes) 23e570fe_o (0 bytes) and TS 91.223.68.218/32[udp/l2f] === 109.189.123.78/32[udp/l2f] Jul 16 18:37:32 systemvm systemd[1]: Started session-213.scope - Session 213 of User root. Jul 16 18:37:32 systemvm charon: 11[NET] received packet: from 109.189.123.78[4500] to 91.223.68.218[4500] (92 bytes) Jul 16 18:37:32 systemvm charon: 11[ENC] parsed INFORMATIONAL_V1 request 3648886364 [ HASH D ] Jul 16 18:37:32 systemvm charon: 11[IKE] received DELETE for IKE_SA L2TP-PSK[9] Jul 16 18:37:32 systemvm charon: 11[IKE] deleting IKE_SA L2TP-PSK[9] between 91.223.68.218[91.223.68.218]...109.189.123.78[10.2.2.127] Jul 16 18:37:32 systemvm systemd[1]: session-213.scope: Deactivated successfully.

I haven't found a way to restore the tunnel, restarting the network doesn't help. Please help :-(

[PPisz]

The cause was incorrect routing on the VR. The primary public IP was from one addressing, and the IP on which the SNAT was located was from a different addressing (and the default gw was set to that addressing). The VPN wouldn't connect because responses to the client were coming from the SNAT IP, not the primary IP. The solution was to swap the primary IP so that all public IPs were from the same network.