Various L2TP issues with R80.x
Symptoms
  • Scenario 1:

    The L2TP connection fails with the error "The L2TP connection attempt failed because the security layer could not negotiate compatible parameters with the remote computer" on the client side.

    In the vpnd.elg debug output, the following log lines are seen:
    [vpnd PID]@GW[DATE TIME][vpnd] vpn_delete_ike_sa_tree_trap: IKE SA is for L2TP. Will not delete IPsec SAs.
    [vpnd PID]@GW[DATE TIME][tunnel] MMProcess5: Will try with the L2TP PSK
    [vpnd PID]@GW[DATE TIME][tunnel] MMProcess5: Will not check ID of type 1 because this is a PSK connection for L2TP

  • Scenario 2:

    The L2TP connection fails with the following error in vpnd.elg:
    [vpnd PID]@GW[DATE TIME][tunnel] chooseProposalFromList: Failed to match proposal. Transform: 3DES, SHA1, UDP Encapsulation;
    Reason: Wrong value for: Encryption Algorithm Transform: 3DES, SHA1, UDP Encapsulation; Reason: Wrong value for: Encryption Algorithm Transform: 3DES, SHA1, UDP Encapsulation;
    Reason: Wrong value for: Encapsulation Mode Transform: 3DES, SHA1, UDP Encapsulation; Reason: Wrong value for: Encryption Algorithm Transform: 3DES, SHA1, UDP Encapsulation;
    Reason: Wrong value for: Encryption Algorithm
    [vpnd PID]@GW[DATE TIME][tunnel] QMCreate2ChooseProp: Cannot choose a proposal
    [vpnd PID]@GW[DATE TIME][tunnel] Error has occurred, or proposal list not supported

    OR

    QMCreate2ChooseProp: Not transport mode. We will still let it through if the dest is only for me
    QMCreate2ChooseProp: My range is a single IP. Let's check if it's mine
    QMCreate2ChooseProp: IP address 50cf5dc2 is not mine.

    :id (VPN_IKESA_ONLY_FOR_L2TP)
    :def_msg ("This certificate is only for L2TP and should not be used for regular access.")

    OR

    Error: "Quick Mode Sent Notification: no proposal chosen".

  • Scenario 3:

    L2TP with certificate authentication in R80.x doesn't work
    Errors in vpnd:
    [vpnd PID]@GW[DATE TIME] handle_SCCRQ: Entering...
    [vpnd PID]@GW[DATE TIME] handle_SCCRQ: Searching for MSPI in 1 instances
    [vpnd PID]@GW[DATE TIME] handle_SCCRQ: L2TP control connection not found or not encrypted. Dropping.
    [vpnd PID]@GW[DATE TIME] L2TP_packet_arrived: L2TP_control_packet_arrived returned an error

  • Scenario 4:

    L2TP with certificate authentication behind NAT in R80.x does not work.

    The log shows a successful login, but immediately afterwards the error:
    "remote access client IP address and port were changed"
    and traffic sent from the client to the gateway is dropped with the reason:
    "clear text packet should be encrypted"

  • Scenario 5:

    The L2TP client on macOS cannot authenticate when using a user certificate and an L2TP connection certificate (only the certificate is used).

    Cause: macOS L2TP with a user certificate is not supported. macOS does not support EAP-TLS with L2TP/IPsec, which is the protocol used by the Security Gateway during L2TP certificate authentication.
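As an added triage aid (not part of this SecureKnowledge article), the script below scans vpnd.elg or log text for the messages quoted in the scenarios above, tags each matching line with its scenario, and decodes the hex-encoded address in the "is not mine" line. The sample log lines are constructed, and the decoding assumes the 8 hex digits are the IPv4 address in network byte order.

```python
import re
from collections import defaultdict

# Constructed sample vpnd.elg excerpt reusing the messages quoted in the Symptoms section.
SAMPLE_LOG = """\
[12345]@gw1[1 Jan 12:00:00][vpnd] vpn_delete_ike_sa_tree_trap: IKE SA is for L2TP. Will not delete IPsec SAs.
[12345]@gw1[1 Jan 12:00:00][tunnel] MMProcess5: Will try with the L2TP PSK
[12345]@gw1[1 Jan 12:00:01][tunnel] chooseProposalFromList: Failed to match proposal. Transform: 3DES, SHA1, UDP Encapsulation;
[12345]@gw1[1 Jan 12:00:01][tunnel] QMCreate2ChooseProp: Cannot choose a proposal
[12345]@gw1[1 Jan 12:00:02][tunnel] QMCreate2ChooseProp: IP address 50cf5dc2 is not mine.
[12345]@gw1[1 Jan 12:00:03] handle_SCCRQ: L2TP control connection not found or not encrypted. Dropping.
"""

# Substrings taken from the Symptoms section, keyed by the scenario they point to.
SCENARIO_PATTERNS = {
    "1: PSK negotiation failed": ("Will try with the L2TP PSK", "PSK connection for L2TP"),
    "2: IPsec proposal mismatch": ("Failed to match proposal", "Cannot choose a proposal",
                                   "is not mine", "no proposal chosen"),
    "3: L2TP control connection not encrypted": ("L2TP control connection not found or not encrypted",),
    "4: client behind NAT": ("client IP address and port were changed",
                             "clear text packet should be encrypted"),
}

HEX_IP_RE = re.compile(r"IP address ([0-9a-fA-F]{8}) is not mine")


def hex_to_dotted(hex_ip: str) -> str:
    """Decode the 8-hex-digit address vpnd prints into dotted-quad form.

    Assumption: the digits are the 32-bit IPv4 value in network byte order.
    If the result does not match any known address, try the reversed byte order.
    """
    value = int(hex_ip, 16)
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classify(log_text: str) -> dict:
    """Return {scenario: [matching lines]} plus decoded 'is not mine' addresses."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        for scenario, needles in SCENARIO_PATTERNS.items():
            if any(needle in line for needle in needles):
                hits[scenario].append(line.strip())
        match = HEX_IP_RE.search(line)
        if match:
            hits["not-mine address"].append(hex_to_dotted(match.group(1)))
    return dict(hits)


if __name__ == "__main__":
    for scenario, lines in classify(SAMPLE_LOG).items():
        print(scenario, "->", lines)
```

A decoded "not mine" address that is not one of the gateway's interfaces points at the Quick Mode selector mismatch described in Scenario 2 rather than a proposal-transform problem.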
Solution