Only one user behind the same router can connect using L2TP client / L2TP users get disconnected when the pre-shared key is used

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk119141
Technical Level
Product	IPSec VPN
Version	R77.30, R80.10, R80.20
OS	Gaia
Platform / Model	All
Date Created	20-Jul-2017
Last Modified	15-Dec-2020

Symptoms

When a second user behind the same router connects with an L2TP client, the first user that is already connected gets disconnected.
L2TP users are getting disconnected when the pre-shared key is longer than 8 characters
Kernel debug will show:
[fw4_0];store_outbound_spi_in_msa: Replaced outbound in MSA;
IKE debugs will show the L2TP client is sending a delete packet to the gateway approximately 10 to 20 seconds after a successful phase 1 and 2 negotiations.

Cause

Environment: Using Pre-Shared key to authenticate L2TP

VPND generates the same "username" for all L2TP clients using the pre-shared key. So when two L2TP clients are also behind the same NAT, all their tunnel parameters, including peer IP address and username, will be identical.

Therefore, when a second client connects, it looks like a renewal of the existing tunnel with the first client.

The newly negotiated key is then used to encrypt both connections: the one belonging to the second client and the one belonging to the first client.

From the first client's point of view, it stops getting replies and therefore disconnects.

Solution

Note: To view this solution you need to Sign In .