Various L2TP issues with R80.x
Symptoms
  • Scenario 1:

    The L2TP connection fails with the error: "The L2TP connection attempt failed because the security layer could not negotiate compatible parameters with the remote computer" on the client side.

    In the vpnd.elg debug output, the following logs are seen:
    [vpnd PID]@GW[DATE TIME][vpnd] vpn_delete_ike_sa_tree_trap: IKE SA is for L2TP. Will not delete IPsec SAs.
    [vpnd PID]@GW[DATE TIME][tunnel] MMProcess5: Will try with the L2TP PSK
    [vpnd PID]@GW[DATE TIME][tunnel] MMProcess5: Will not check ID of type 1 because this is a PSK connection for L2TP

  • Scenario 2:

    The L2TP connection fails with the following error in vpnd.elg:
    [vpnd PID]@GW[DATE TIME][tunnel] chooseProposalFromList: Failed to match proposal.
    Transform: 3DES, SHA1, UDP Encapsulation; Reason: Wrong value for: Encryption Algorithm
    Transform: 3DES, SHA1, UDP Encapsulation; Reason: Wrong value for: Encryption Algorithm
    Transform: 3DES, SHA1, UDP Encapsulation; Reason: Wrong value for: Encapsulation Mode
    Transform: 3DES, SHA1, UDP Encapsulation; Reason: Wrong value for: Encryption Algorithm
    Transform: 3DES, SHA1, UDP Encapsulation; Reason: Wrong value for: Encryption Algorithm
    [vpnd PID]@GW[DATE TIME][tunnel] QMCreate2ChooseProp: Cannot choose a proposal
    [vpnd PID]@GW[DATE TIME][tunnel] Error has occurred, or proposal list not supported

    OR

    QMCreate2ChooseProp: Not transport mode. We will still let it through if the dest is only for me
    QMCreate2ChooseProp: My range is a single IP. Let's check if it's mine
    QMCreate2ChooseProp: IP address 50cf5dc2 is not mine.

    :id (VPN_IKESA_ONLY_FOR_L2TP)
    :def_msg ("This certificate is only for L2TP and should not be used for regular access.")

    OR

    Error: "Quick Mode Sent Notification: no proposal chosen".

  • Scenario 3:

    L2TP with certificate authentication in R80.x doesn't work
    Errors in vpnd:
    [vpnd PID]@GW[DATE TIME] handle_SCCRQ: Entering...
    [vpnd PID]@GW[DATE TIME] handle_SCCRQ: Searching for MSPI in 1 instances
    [vpnd PID]@GW[DATE TIME] handle_SCCRQ: L2TP control connection not found or not encrypted. Dropping.
    [vpnd PID]@GW[DATE TIME] L2TP_packet_arrived: L2TP_control_packet_arrived returned an error

  • Scenario 4:

    L2TP with certificate authentication behind NAT in R80.x doesn't work

    The log shows a successful login, immediately followed by the error:
    "remote access client IP address and port were changed"
    and traffic sent from the client to the gateway is dropped with:
    "clear text packet should be encrypted"
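
The signatures above can be matched mechanically. This added example, which is not part of the original article or of any Check Point tool, scans vpnd.elg or log text for the strings quoted in the four scenarios and tallies which field the gateway rejected in each proposal. The function and variable names are illustrative, and the sample log's PID, host name and timestamps are constructed.

```python
import re
from collections import Counter

# Substrings taken from the vpnd.elg / log excerpts on this page, keyed by scenario.
SIGNATURES = {
    1: ["MMProcess5: Will try with the L2TP PSK",
        "Will not check ID of type 1 because this is a PSK connection for L2TP"],
    2: ["chooseProposalFromList: Failed to match proposal",
        "QMCreate2ChooseProp: Cannot choose a proposal",
        "QMCreate2ChooseProp: Not transport mode",
        "VPN_IKESA_ONLY_FOR_L2TP",
        "no proposal chosen"],
    3: ["handle_SCCRQ: L2TP control connection not found or not encrypted",
        "L2TP_control_packet_arrived returned an error"],
    4: ["remote access client IP address and port were changed",
        "clear text packet should be encrypted"],
}

# One "Transform: ...; Reason: Wrong value for: <field>" pair per rejected transform.
REJECT = re.compile(
    r"Transform:\s*([^;]+);\s*Reason:\s*Wrong value for:\s*([^;\[]+?)"
    r"(?=\s*(?:Transform:|\[|$))")

def triage(text):
    """Return ({scenario: matched signatures}, Counter of rejected proposal fields)."""
    flat = " ".join(text.split())  # the proposal record may be wrapped over lines
    hits = {n: [s for s in sigs if s in flat] for n, sigs in SIGNATURES.items()}
    hits = {n: found for n, found in hits.items() if found}
    fields = Counter(field for _transform, field in REJECT.findall(flat))
    return hits, fields

# Constructed sample: PID, host name and timestamps are made up.
SAMPLE = """\
[vpnd 4242]@gw-example[1 Jan 10:00:00][tunnel] chooseProposalFromList: Failed to match proposal. Transform: 3DES, SHA1, UDP Encapsulation;
Reason: Wrong value for: Encryption Algorithm Transform: 3DES, SHA1, UDP Encapsulation;
Reason: Wrong value for: Encapsulation Mode
[vpnd 4242]@gw-example[1 Jan 10:00:00][tunnel] QMCreate2ChooseProp: Cannot choose a proposal
"""

if __name__ == "__main__":
    hits, fields = triage(SAMPLE)
    for n, found in sorted(hits.items()):
        print(f"Scenario {n}: {len(found)} signature(s) matched")
    print(dict(fields))
```

A tally dominated by "Encryption Algorithm" versus "Encapsulation Mode" shows at a glance whether the client and gateway disagree on the cipher or on transport/tunnel mode.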