Only one user behind the same router can connect using L2TP client / L2TP users get disconnected when the pre-shared key is used
  • When a second user behind the same router connects with an L2TP client, the first user that is already connected gets disconnected.
  • L2TP users are getting disconnected when the pre-shared key is longer than 8 characters
  • Kernel debug will show:
    [fw4_0];store_outbound_spi_in_msa: Replaced outbound in MSA;
  • IKE debugs will show the L2TP client sending a delete packet to the gateway approximately 10 to 20 seconds after successful Phase 1 and Phase 2 negotiations.

Environment: Using Pre-Shared key to authenticate L2TP

VPND generates the same "username" for all L2TP clients that authenticate with the pre-shared key. So when two such L2TP clients are also behind the same NAT device, all of their tunnel parameters, including the peer IP address and the username, are identical.

Therefore, when a second client connects, it looks like a renewal of the existing tunnel with the first client.

The newly negotiated key is then used to encrypt both connections: the one belonging to the second client and the one belonging to the first client.

From the first client's point of view, it stops getting replies and therefore disconnects.
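The following is an added model of the collision described above, not Check Point code: a gateway tunnel table keyed on the two parameters the article names (peer IP address and username), with the PSK-derived username, the public NAT address and the session keys all constructed stand-ins. It shows why the second client's negotiation is treated as a renewal and why the first client can no longer read the gateway's replies.

```python
# Added model (not Check Point code) of the tunnel-identity collision.
# The gateway indexes each L2TP/IPsec tunnel by (peer_ip, username). With
# pre-shared-key authentication every client gets the same username, so two
# clients behind one NAT share an identity and the second negotiation
# overwrites the first client's security association.
from dataclasses import dataclass, field

PSK_USERNAME = "l2tp_psk_user"  # constructed stand-in for the identical PSK-derived name


@dataclass
class Sa:
    client_id: str  # which real client negotiated this SA (model bookkeeping only)
    key: bytes


@dataclass
class Gateway:
    msa: dict = field(default_factory=dict)  # (peer_ip, username) -> Sa
    log: list = field(default_factory=list)

    def negotiate(self, peer_ip: str, username: str, client_id: str, key: bytes) -> None:
        ident = (peer_ip, username)
        if ident in self.msa:
            # Same identity already present: looks like a rekey, not a new client.
            self.log.append("store_outbound_spi_in_msa: Replaced outbound in MSA")
        self.msa[ident] = Sa(client_id, key)

    def reply(self, peer_ip: str, username: str, client_key: bytes) -> bool:
        # The gateway encrypts replies with the key in its table; the client can
        # only decrypt them if that key is still the one it negotiated.
        sa = self.msa.get((peer_ip, username))
        return sa is not None and sa.key == client_key


def simulate_two_clients_behind_nat() -> dict:
    gw = Gateway()
    nat_ip = "198.51.100.7"             # constructed public address of the shared router
    key1, key2 = b"k1" * 8, b"k2" * 8   # constructed session keys
    gw.negotiate(nat_ip, PSK_USERNAME, "client-1", key1)
    first_ok_before = gw.reply(nat_ip, PSK_USERNAME, key1)
    gw.negotiate(nat_ip, PSK_USERNAME, "client-2", key2)  # seen as renewal of client-1
    return {
        "first_client_ok_before": first_ok_before,
        "first_client_ok_after": gw.reply(nat_ip, PSK_USERNAME, key1),
        "second_client_ok": gw.reply(nat_ip, PSK_USERNAME, key2),
        "replaced_logged": any("Replaced outbound" in line for line in gw.log),
        "tunnels_tracked": len(gw.msa),  # one entry, although two clients are connected
    }


if __name__ == "__main__":
    print(simulate_two_clients_behind_nat())
```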
