@swill I believe Windows natively supports "L2TP". And I see they negotiated both encryption and integrity. Looks like the difference is this:

On OSX:

xl2tpd[2263]: control_finish: Peer requested tunnel 32 twice, ignoring second one.

On Windows it seems it is trying to establish a 'child' session:

charon: 16[IKE] IKE_SA L2TP-PSK[39] state change: CONNECTING => ESTABLISHED
charon: 16[ENC] generating ID_PROT response 0 [ ID HASH ]
charon: 16[NET] sending packet: from 74.121.ff.gg[4500] to 74.121.xx.yy[64916] (76 bytes)
charon: 08[NET] sending packet: from 74.121.ff.gg[4500] to 74.121.xx.yy[64916]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 04[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500] (444 bytes)
charon: 04[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon: 04[IKE] changing received traffic selectors 172.16.11.171/32[udp/l2f]=== 74.121.ff.gg/32[udp/l2f] due to NAT
charon: 04[CFG] looking for a child config for 74.121.ff.gg/32[udp/l2f] === 74.121.xx.yy/32[udp/l2f]
charon: 04[CFG] proposing traffic selectors for us:

Can you post the strongSwan configs: ipsec.conf, strongswan.conf, ipsec.secrets?

On 10/7/16, 10:46 AM, "swill" <g...@git.apache.org> wrote:

Github user swill commented on the issue:

    https://github.com/apache/cloudstack/pull/872

If anyone has experience with Remote Access VPN on Windows and has any insight into why the following is failing, please let me know.
**FAILING WINDOWS LOG:**

```
charon: 11[NET] received packet: from 74.121.xx.yy[1011] to 74.121.ff.gg[500]
charon: 11[NET] waiting for data on sockets
charon: 02[NET] received packet: from 74.121.xx.yy[1011] to 74.121.ff.gg[500] (408 bytes)
charon: 02[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
charon: 02[CFG] looking for an ike config for 74.121.ff.gg...74.121.xx.yy
charon: 02[CFG] candidate: 74.121.ff.gg...%any, prio 1052
charon: 02[CFG] found matching ike config: 74.121.ff.gg...%any with prio 1052
charon: 02[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
charon: 02[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
charon: 02[IKE] received NAT-T (RFC 3947) vendor ID
charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
charon: 02[IKE] received FRAGMENTATION vendor ID
charon: 02[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
charon: 02[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
charon: 02[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
charon: 02[IKE] 74.121.xx.yy is initiating a Main Mode IKE_SA
charon: 02[IKE] IKE_SA (unnamed)[39] state change: CREATED => CONNECTING
charon: 02[CFG] selecting proposal:
charon: 02[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
charon: 02[CFG] selecting proposal:
charon: 02[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
charon: 02[CFG] selecting proposal:
charon: 02[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
charon: 02[CFG] selecting proposal:
charon: 02[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
charon: 02[CFG] selecting proposal:
charon: 02[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
charon: 02[CFG] selecting proposal:
charon: 02[CFG] proposal matches
charon: 02[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon: 02[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160, IKE:AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
charon: 02[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
charon: 02[IKE] sending XAuth vendor ID
charon: 02[IKE] sending DPD vendor ID
charon: 02[IKE] sending NAT-T (RFC 3947) vendor ID
charon: 02[ENC] generating ID_PROT response 0 [ SA V V V ]
charon: 02[NET] sending packet: from 74.121.ff.gg[500] to 74.121.xx.yy[1011] (136 bytes)
charon: 08[NET] sending packet: from 74.121.ff.gg[500] to 74.121.xx.yy[1011]
charon: 11[NET] received packet: from 74.121.xx.yy[1011] to 74.121.ff.gg[500]
charon: 11[NET] waiting for data on sockets
charon: 05[NET] received packet: from 74.121.xx.yy[1011] to 74.121.ff.gg[500] (388 bytes)
charon: 05[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
charon: 05[IKE] remote host is behind NAT
charon: 05[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
charon: 05[NET] sending packet: from 74.121.ff.gg[500] to 74.121.xx.yy[1011] (372 bytes)
charon: 08[NET] sending packet: from 74.121.ff.gg[500] to 74.121.xx.yy[1011]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 16[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500] (76 bytes)
charon: 16[ENC] parsed ID_PROT request 0 [ ID HASH ]
charon: 16[CFG] looking for pre-shared key peer configs matching 74.121.ff.gg...74.121.xx.yy[172.16.11.171]
charon: 16[CFG] candidate "L2TP-PSK", match: 1/1/1052 (me/other/ike)
charon: 16[CFG] selected peer config "L2TP-PSK"
charon: 16[IKE] IKE_SA L2TP-PSK[39] established between 74.121.ff.gg[74.121.ff.gg]...74.121.xx.yy[172.16.11.171]
charon: 16[IKE] IKE_SA L2TP-PSK[39] state change: CONNECTING => ESTABLISHED
charon: 16[ENC] generating ID_PROT response 0 [ ID HASH ]
charon: 16[NET] sending packet: from 74.121.ff.gg[4500] to 74.121.xx.yy[64916] (76 bytes)
charon: 08[NET] sending packet: from 74.121.ff.gg[4500] to 74.121.xx.yy[64916]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 04[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500] (444 bytes)
charon: 04[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon: 04[IKE] changing received traffic selectors 172.16.11.171/32[udp/l2f]=== 74.121.ff.gg/32[udp/l2f] due to NAT
charon: 04[CFG] looking for a child config for 74.121.ff.gg/32[udp/l2f] === 74.121.xx.yy/32[udp/l2f]
charon: 04[CFG] proposing traffic selectors for us:
charon: 04[CFG] 74.121.ff.gg/32[udp/l2f]
charon: 04[CFG] proposing traffic selectors for other:
charon: 04[CFG] 0.0.0.0/0[udp]
charon: 04[CFG] candidate "L2TP-PSK" with prio 5+1
charon: 04[CFG] found matching child config "L2TP-PSK" with prio 6
charon: 04[CFG] selecting traffic selectors for other:
charon: 04[CFG] config: 0.0.0.0/0[udp], received: 74.121.xx.yy/32[udp/l2f] => match: 74.121.xx.yy/32[udp/l2f]
charon: 04[CFG] selecting traffic selectors for us:
charon: 04[CFG] config: 74.121.ff.gg/32[udp/l2f], received: 74.121.ff.gg/32[udp/l2f] => match: 74.121.ff.gg/32[udp/l2f]
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] proposal matches
charon: 04[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:NULL/HMAC_SHA1_96/NO_EXT_SEQ
charon: 04[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
charon: 04[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
charon: 04[IKE] received 3600s lifetime, configured 0s
charon: 04[IKE] received 250000000 lifebytes, configured 0
charon: 04[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon: 04[NET] sending packet: from 74.121.ff.gg[4500] to 74.121.xx.yy[64916] (204 bytes)
charon: 08[NET] sending packet: from 74.121.ff.gg[4500] to 74.121.xx.yy[64916]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 01[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500] (60 bytes)
charon: 01[ENC] parsed QUICK_MODE request 1 [ HASH ]
charon: 01[CHD] using AES_CBC for encryption
charon: 01[CHD] using HMAC_SHA1_96 for integrity
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 14[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500] (444 bytes)
charon: 14[ENC] parsed QUICK_MODE request 4 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon: 14[IKE] changing received traffic selectors 172.16.11.171/32[udp/l2f]=== 74.121.ff.gg/32[udp/l2f] due to NAT
charon: 14[CFG] looking for a child config for 74.121.ff.gg/32[udp/l2f] === 74.121.xx.yy/32[udp/l2f]
charon: 14[CFG] proposing traffic selectors for us:
charon: 14[CFG] 74.121.ff.gg/32[udp/l2f]
charon: 14[CFG] proposing traffic selectors for other:
charon: 14[CFG] 0.0.0.0/0[udp]
charon: 14[CFG] candidate "L2TP-PSK" with prio 5+1
charon: 14[CFG] found matching child config "L2TP-PSK" with prio 6
charon: 14[CFG] selecting traffic selectors for other:
charon: 14[CFG] config: 0.0.0.0/0[udp], received: 74.121.xx.yy/32[udp/l2f] => match: 74.121.xx.yy/32[udp/l2f]
charon: 14[CFG] selecting traffic selectors for us:
charon: 14[CFG] config: 74.121.ff.gg/32[udp/l2f], received: 74.121.ff.gg/32[udp/l2f] => match: 74.121.ff.gg/32[udp/l2f]
charon: 14[CFG] selecting proposal:
charon: 14[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 14[CFG] selecting proposal:
charon: 14[CFG] proposal matches
charon: 14[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:NULL/HMAC_SHA1_96/NO_EXT_SEQ
charon: 14[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
charon: 14[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
charon: 14[IKE] received 3600s lifetime, configured 0s
charon: 14[IKE] received 250000000 lifebytes, configured 0
charon: 14[IKE] detected rekeying of CHILD_SA L2TP-PSK{31}
charon: 14[ENC] generating QUICK_MODE response 4 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon: 14[NET] sending packet: from 74.121.ff.gg[4500] to 74.121.xx.yy[64916] (204 bytes)
charon: 08[NET] sending packet: from 74.121.ff.gg[4500] to 74.121.xx.yy[64916]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 04[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500] (60 bytes)
charon: 04[ENC] parsed QUICK_MODE request 4 [ HASH ]
charon: 04[CHD] using AES_CBC for encryption
charon: 04[CHD] using HMAC_SHA1_96 for integrity
charon: 04[CHD] adding inbound ESP SA
charon: 04[CHD] SPI 0xcb67a786, src 74.121.xx.yy dst 74.121.ff.gg
charon: 04[CHD] adding outbound ESP SA
charon: 04[CHD] SPI 0xf47c9bd6, src 74.121.ff.gg dst 74.121.xx.yy
charon: 04[IKE] CHILD_SA L2TP-PSK{31} established with SPIs cb67a786_i f47c9bd6_o and TS 74.121.ff.gg/32[udp/l2f] === 74.121.xx.yy/32[udp/l2f]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 01[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500] (76 bytes)
charon: 01[ENC] parsed INFORMATIONAL_V1 request 713875247 [ HASH D ]
charon: 01[IKE] received DELETE for ESP CHILD_SA with SPI 7cab1502
charon: 01[IKE] closing CHILD_SA L2TP-PSK{31} with SPIs ca86fad4_i (0 bytes) 7cab1502_o (0 bytes) and TS 74.121.ff.gg/32[udp/l2f] === 74.121.xx.yy/32[udp/l2f]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 05[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500] (444 bytes)
charon: 05[ENC] parsed QUICK_MODE request 5 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon: 05[IKE] changing received traffic selectors 172.16.11.171/32[udp/l2f]=== 74.121.ff.gg/32[udp/l2f] due to NAT
charon: 05[CFG] looking for a child config for 74.121.ff.gg/32[udp/l2f] === 74.121.xx.yy/32[udp/l2f]
charon: 05[CFG] proposing traffic selectors for us:
charon: 05[CFG] 74.121.ff.gg/32[udp/l2f]
charon: 05[CFG] proposing traffic selectors for other:
charon: 05[CFG] 0.0.0.0/0[udp]
charon: 05[CFG] candidate "L2TP-PSK" with prio 5+1
charon: 05[CFG] found matching child config "L2TP-PSK" with prio 6
charon: 05[CFG] selecting traffic selectors for other:
charon: 05[CFG] config: 0.0.0.0/0[udp], received: 74.121.xx.yy/32[udp/l2f] => match: 74.121.xx.yy/32[udp/l2f]
charon: 05[CFG] selecting traffic selectors for us:
charon: 05[CFG] config: 74.121.ff.gg/32[udp/l2f], received: 74.121.ff.gg/32[udp/l2f] => match: 74.121.ff.gg/32[udp/l2f]
charon: 05[CFG] selecting proposal:
charon: 05[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 05[CFG] selecting proposal:
charon: 05[CFG] proposal matches
charon: 05[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:NULL/HMAC_SHA1_96/NO_EXT_SEQ
charon: 05[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
charon: 05[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
charon: 05[IKE] received 3600s lifetime, configured 0s
charon: 05[IKE] received 250000000 lifebytes, configured 0
charon: 05[IKE] detected rekeying of CHILD_SA L2TP-PSK{31}
charon: 05[ENC] generating QUICK_MODE response 5 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon: 05[NET] sending packet: from 74.121.ff.gg[4500] to 74.121.xx.yy[64916] (204 bytes)
charon: 08[NET] sending packet: from 74.121.ff.gg[4500] to 74.121.xx.yy[64916]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 16[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500] (60 bytes)
charon: 16[ENC] parsed QUICK_MODE request 5 [ HASH ]
charon: 16[CHD] using AES_CBC for encryption
charon: 16[CHD] using HMAC_SHA1_96 for integrity
charon: 16[CHD] adding inbound ESP SA
charon: 16[CHD] SPI 0xc5ee1900, src 74.121.xx.yy dst 74.121.ff.gg
charon: 16[CHD] adding outbound ESP SA
charon: 16[CHD] SPI 0x4c3a16f0, src 74.121.ff.gg dst 74.121.xx.yy
charon: 16[IKE] CHILD_SA L2TP-PSK{31} established with SPIs c5ee1900_i 4c3a16f0_o and TS 74.121.ff.gg/32[udp/l2f] === 74.121.xx.yy/32[udp/l2f]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 14[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500] (76 bytes)
charon: 14[ENC] parsed INFORMATIONAL_V1 request 4253829990 [ HASH D ]
charon: 14[IKE] received DELETE for ESP CHILD_SA with SPI f47c9bd6
charon: 14[IKE] closing CHILD_SA L2TP-PSK{31} with SPIs cb67a786_i (0 bytes) f47c9bd6_o (0 bytes) and TS 74.121.ff.gg/32[udp/l2f] === 74.121.xx.yy/32[udp/l2f]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 13[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500] (444 bytes)
charon: 13[ENC] parsed QUICK_MODE request 6 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon: 13[IKE] changing received traffic selectors 172.16.11.171/32[udp/l2f]=== 74.121.ff.gg/32[udp/l2f] due to NAT
charon: 13[CFG] looking for a child config for 74.121.ff.gg/32[udp/l2f] === 74.121.xx.yy/32[udp/l2f]
charon: 13[CFG] proposing traffic selectors for us:
charon: 13[CFG] 74.121.ff.gg/32[udp/l2f]
charon: 13[CFG] proposing traffic selectors for other:
charon: 13[CFG] 0.0.0.0/0[udp]
charon: 13[CFG] candidate "L2TP-PSK" with prio 5+1
charon: 13[CFG] found matching child config "L2TP-PSK" with prio 6
charon: 13[CFG] selecting traffic selectors for other:
charon: 13[CFG] config: 0.0.0.0/0[udp], received: 74.121.xx.yy/32[udp/l2f] => match: 74.121.xx.yy/32[udp/l2f]
charon: 13[CFG] selecting traffic selectors for us:
charon: 13[CFG] config: 74.121.ff.gg/32[udp/l2f], received: 74.121.ff.gg/32[udp/l2f] => match: 74.121.ff.gg/32[udp/l2f]
charon: 13[CFG] selecting proposal:
charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 13[CFG] selecting proposal:
charon: 13[CFG] proposal matches
charon: 13[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:NULL/HMAC_SHA1_96/NO_EXT_SEQ
charon: 13[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
charon: 13[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
charon: 13[IKE] received 3600s lifetime, configured 0s
charon: 13[IKE] received 250000000 lifebytes, configured 0
charon: 13[IKE] detected rekeying of CHILD_SA L2TP-PSK{31}
charon: 13[ENC] generating QUICK_MODE response 6 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon: 13[NET] sending packet: from 74.121.ff.gg[4500] to 74.121.xx.yy[64916] (204 bytes)
charon: 08[NET] sending packet: from 74.121.ff.gg[4500] to 74.121.xx.yy[64916]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 12[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500] (60 bytes)
charon: 12[ENC] parsed QUICK_MODE request 6 [ HASH ]
charon: 12[CHD] using AES_CBC for encryption
charon: 12[CHD] using HMAC_SHA1_96 for integrity
charon: 12[CHD] adding inbound ESP SA
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500]
charon: 12[CHD] SPI 0xc5f602ad, src 74.121.xx.yy dst 74.121.ff.gg
charon: 11[NET] waiting for data on sockets
charon: 12[CHD] adding outbound ESP SA
charon: 12[CHD] SPI 0x09b7ea2c, src 74.121.ff.gg dst 74.121.xx.yy
charon: 12[IKE] CHILD_SA L2TP-PSK{31} established with SPIs c5f602ad_i 09b7ea2c_o and TS 74.121.ff.gg/32[udp/l2f] === 74.121.xx.yy/32[udp/l2f]
charon: 09[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500] (76 bytes)
charon: 09[ENC] parsed INFORMATIONAL_V1 request 1167094233 [ HASH D ]
charon: 09[IKE] received DELETE for ESP CHILD_SA with SPI 4c3a16f0
charon: 09[IKE] closing CHILD_SA L2TP-PSK{31} with SPIs c5ee1900_i (0 bytes) 4c3a16f0_o (0 bytes) and TS 74.121.ff.gg/32[udp/l2f] === 74.121.xx.yy/32[udp/l2f]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 05[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500] (76 bytes)
charon: 05[ENC] parsed INFORMATIONAL_V1 request 3486435093 [ HASH D ]
charon: 05[IKE] received DELETE for ESP CHILD_SA with SPI 09b7ea2c
charon: 05[IKE] closing CHILD_SA L2TP-PSK{31} with SPIs c5f602ad_i (0 bytes) 09b7ea2c_o (0 bytes) and TS 74.121.ff.gg/32[udp/l2f] === 74.121.xx.yy/32[udp/l2f]
charon: 16[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500] (92 bytes)
charon: 16[ENC] parsed INFORMATIONAL_V1 request 3988841069 [ HASH D ]
charon: 16[IKE] received DELETE for IKE_SA L2TP-PSK[39]
charon: 16[IKE] deleting IKE_SA L2TP-PSK[39] between 74.121.ff.gg[74.121.ff.gg]...74.121.xx.yy[172.16.11.171]
charon: 16[IKE] IKE_SA L2TP-PSK[39] state change: ESTABLISHED => DELETING
charon: 16[IKE] IKE_SA L2TP-PSK[39] state change: DELETING => DELETING
charon: 16[IKE] IKE_SA L2TP-PSK[39] state change: DELETING => DESTROYING
```

The same config works for Mac OSX.

**SUCCESSFUL MAC LOG:**

```
charon: 11[NET] received packet: from 74.121.xx.yy[1011] to 74.121.ff.gg[500]
charon: 11[NET] waiting for data on sockets
charon: 04[NET] received packet: from 74.121.xx.yy[1011] to 74.121.ff.gg[500] (788 bytes)
charon: 04[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
charon: 04[CFG] looking for an ike config for 74.121.ff.gg...74.121.xx.yy
charon: 04[CFG] candidate: 74.121.ff.gg...%any, prio 1052
charon: 04[CFG] found matching ike config: 74.121.ff.gg...%any with prio 1052
charon: 04[IKE] received NAT-T (RFC 3947) vendor ID
charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
charon: 04[IKE] received FRAGMENTATION vendor ID
charon: 04[IKE] received DPD vendor ID
charon: 04[IKE] 74.121.xx.yy is initiating a Main Mode IKE_SA
charon: 04[IKE] IKE_SA (unnamed)[40] state change: CREATED => CONNECTING
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] proposal matches
charon: 04[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
charon: 04[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160, IKE:AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
charon: 04[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
charon: 04[IKE] sending XAuth vendor ID
charon: 04[IKE] sending DPD vendor ID
charon: 04[IKE] sending NAT-T (RFC 3947) vendor ID
charon: 04[ENC] generating ID_PROT response 0 [ SA V V V ]
charon: 04[NET] sending packet: from 74.121.ff.gg[500] to 74.121.xx.yy[1011] (136 bytes)
charon: 08[NET] sending packet: from 74.121.ff.gg[500] to 74.121.xx.yy[1011]
charon: 11[NET] received packet: from 74.121.xx.yy[1011] to 74.121.ff.gg[500]
charon: 11[NET] waiting for data on sockets
charon: 01[NET] received packet: from 74.121.xx.yy[1011] to 74.121.ff.gg[500] (380 bytes)
charon: 01[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
charon: 01[IKE] remote host is behind NAT
charon: 01[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
charon: 01[NET] sending packet: from 74.121.ff.gg[500] to 74.121.xx.yy[1011] (396 bytes)
charon: 08[NET] sending packet: from 74.121.ff.gg[500] to 74.121.xx.yy[1011]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 06[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500] (108 bytes)
charon: 06[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
charon: 06[CFG] looking for pre-shared key peer configs matching 74.121.ff.gg...74.121.xx.yy[172.16.11.144]
charon: 06[CFG] candidate "L2TP-PSK", match: 1/1/1052 (me/other/ike)
xl2tpd[2263]: control_finish: Peer requested tunnel 32 twice, ignoring second one.
xl2tpd[2263]: Connection established to 74.121.xx.yy, 55281. Local: 16822, Remote: 32 (ref=0/0). LNS session is 'default'
xl2tpd[2263]: start_pppd: I'm running:
xl2tpd[2263]: "/usr/sbin/pppd"
xl2tpd[2263]: "passive"
xl2tpd[2263]: "nodetach"
xl2tpd[2263]: "10.10.2.1:10.10.2.2"
xl2tpd[2263]: "refuse-pap"
xl2tpd[2263]: "file"
xl2tpd[2263]: "/etc/ppp/options.xl2tpd"
xl2tpd[2263]: "ipparam"
xl2tpd[2263]: "74.121.xx.yy"
xl2tpd[2263]: "/dev/pts/1"
xl2tpd[2263]: Call established with 74.121.xx.yy, Local: 22684, Remote: 32335, Serial: 1
charon: 04[KNL] 10.10.2.1 appeared on ppp0
charon: 06[KNL] 10.10.2.1 disappeared from ppp0
charon: 12[KNL] 10.10.2.1 appeared on ppp0
charon: 03[KNL] interface ppp0 activated
charon: 02[IKE] keeping connection path 74.121.ff.gg - 74.121.xx.yy
charon: 02[IKE] keeping connection path 74.121.ff.gg - 74.121.xx.yy
ntpd[3211]: Listen normally on 12 ppp0 10.10.2.1 UDP 123
ntpd[3211]: peers refreshed
```

Any insights welcome. :)

---
If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA.
---
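The two charon transcripts above differ in two things a reviewer has to dig out by eye: which transforms each client offered and which were finally selected (the Windows client offers DES and NULL for ESP, and MODP_1024 for IKE), and the fact that on Windows every CHILD_SA is established and then torn down "with 0 bytes" before the IKE_SA itself is deleted. The helper below is an added example, not code from this thread, from CloudStack or from strongSwan: it parses charon lines of the formats quoted above, lists weak transforms the peer offered or that were actually negotiated, and counts CHILD_SAs that were closed without carrying traffic. The sample log is constructed from a handful of the quoted lines (anonymised addresses kept), and the set of "weak" transform names is this example's own policy list, not a strongSwan or CloudStack setting.

```python
"""Triage helper for strongSwan (charon) IKEv1 logs of the kind quoted above.

Added example, not part of the thread, CloudStack or strongSwan. It assumes the
line formats seen in the quoted output: "received proposals:", "selected
proposal:", "CHILD_SA ... established with SPIs" and "closing CHILD_SA ...".
"""
import re
from collections import Counter, defaultdict

# Transforms a defender would not want a peer to end up negotiating. This list
# is the example's own policy (an assumption), not a strongSwan or CloudStack value.
WEAK_COMPONENTS = {
    "DES_CBC", "NULL", "3DES_CBC", "HMAC_MD5_96", "PRF_HMAC_MD5",
    "MODP_768", "MODP_1024", "MODP_1024_160",
}

PROPOSAL_RE = re.compile(r"\[CFG\] (received|configured|selected) proposals?: (.+)$")
CHILD_UP_RE = re.compile(r"CHILD_SA (\S+) established with SPIs (\w+)_i (\w+)_o")
CHILD_DOWN_RE = re.compile(
    r"closing CHILD_SA (\S+) with SPIs (\w+)_i \((\d+) bytes\) (\w+)_o \((\d+) bytes\)"
)
IKE_DELETE_RE = re.compile(r"received DELETE for IKE_SA (\S+)")


def split_proposals(text):
    """'IKE:A/B/C, ESP:D/E' -> [('IKE', ['A', 'B', 'C']), ('ESP', ['D', 'E'])]."""
    result = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        proto, _, algs = item.partition(":")
        # Tolerate stray spaces inside a transform list (line-wrapped log copies).
        result.append((proto, [a.strip() for a in algs.split("/") if a.strip()]))
    return result


def weak_in(algs):
    return sorted(set(algs) & WEAK_COMPONENTS)


def analyze(log_text):
    """Walk the log once and collect proposal and CHILD_SA lifecycle facts."""
    report = {
        "peer_offered_weak": set(),   # weak transforms the peer proposed at all
        "selected": [],               # (protocol, proposal) actually negotiated
        "selected_weak": [],          # weak transforms inside a negotiated proposal
        "child_sa": defaultdict(Counter),
        "ike_sa_deleted": [],
    }
    for line in log_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            kind, body = m.groups()
            for proto, algs in split_proposals(body):
                if kind == "received":
                    report["peer_offered_weak"].update(weak_in(algs))
                elif kind == "selected":
                    report["selected"].append((proto, "/".join(algs)))
                    report["selected_weak"].extend(weak_in(algs))
            continue
        m = CHILD_UP_RE.search(line)
        if m:
            report["child_sa"][m.group(1)]["established"] += 1
            continue
        m = CHILD_DOWN_RE.search(line)
        if m:
            name, _, in_bytes, _, out_bytes = m.groups()
            report["child_sa"][name]["closed"] += 1
            if in_bytes == "0" and out_bytes == "0":
                # An SA torn down before it carried a single byte is the
                # signature of the set-up/delete loop in the Windows log.
                report["child_sa"][name]["closed_unused"] += 1
            continue
        m = IKE_DELETE_RE.search(line)
        if m:
            report["ike_sa_deleted"].append(m.group(1))
    return report


def findings(report, churn_threshold=2):
    """Turn the raw report into short, human-readable findings."""
    out = []
    if report["peer_offered_weak"]:
        out.append("peer offered weak transforms: " + ", ".join(sorted(report["peer_offered_weak"])))
    if report["selected_weak"]:
        out.append("WEAK transform negotiated: " + ", ".join(report["selected_weak"]))
    for name, c in report["child_sa"].items():
        if c["closed_unused"] >= churn_threshold:
            out.append(f"{name}: {c['established']} CHILD_SA established, "
                       f"{c['closed_unused']} closed with 0 bytes (rekey/delete loop)")
    for name in report["ike_sa_deleted"]:
        out.append(f"{name}: peer deleted the IKE_SA")
    return out


# Constructed sample: a handful of charon lines modelled on the Windows log above.
SAMPLE_LOG = """\
charon: 02[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon: 02[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
charon: 16[IKE] IKE_SA L2TP-PSK[39] state change: CONNECTING => ESTABLISHED
charon: 04[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:NULL/HMAC_SHA1_96/NO_EXT_SEQ
charon: 04[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
charon: 04[IKE] CHILD_SA L2TP-PSK{31} established with SPIs cb67a786_i f47c9bd6_o and TS 74.121.ff.gg/32[udp/l2f] === 74.121.xx.yy/32[udp/l2f]
charon: 01[IKE] received DELETE for ESP CHILD_SA with SPI 7cab1502
charon: 01[IKE] closing CHILD_SA L2TP-PSK{31} with SPIs ca86fad4_i (0 bytes) 7cab1502_o (0 bytes) and TS 74.121.ff.gg/32[udp/l2f] === 74.121.xx.yy/32[udp/l2f]
charon: 16[IKE] CHILD_SA L2TP-PSK{31} established with SPIs c5ee1900_i 4c3a16f0_o and TS 74.121.ff.gg/32[udp/l2f] === 74.121.xx.yy/32[udp/l2f]
charon: 14[IKE] closing CHILD_SA L2TP-PSK{31} with SPIs cb67a786_i (0 bytes) f47c9bd6_o (0 bytes) and TS 74.121.ff.gg/32[udp/l2f] === 74.121.xx.yy/32[udp/l2f]
charon: 16[IKE] received DELETE for IKE_SA L2TP-PSK[39]
"""

if __name__ == "__main__":
    for finding in findings(analyze(SAMPLE_LOG)):
        print(finding)
```

Run against the full Windows transcript it reports the same three facts the thread argues about by hand: the peer offered 3DES_CBC, DES_CBC, MODP_1024 and NULL but nothing weak was selected (the responder's configured list wins), three CHILD_SAs were established and every one was closed with 0 bytes, and the peer then deleted the IKE_SA. That separates a cipher-policy problem (none here) from the L2TP-layer failure the reply above points at.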