Hi,

I'm trying to set up an ipsec\l2tp server for home and mobile employees to connect them to the office network.

The connection is OK, but when I try to transmit a big file via FTP, some problems appear.

1) After 3-5 seconds of file transmission I see this message in the log:


Jul  9 11:27:10 vpn racoon: DEBUG: KA: 192.168.1.110[4500]->xx.xx.xx.xx[4500]

Jul  9 11:27:10 vpn racoon: DEBUG: sockname 192.168.1.110[4500]

Jul  9 11:27:10 vpn racoon: DEBUG: send packet from 192.168.1.110[4500]

Jul  9 11:27:10 vpn racoon: DEBUG: send packet to xx.xx.xx.xx[4500]

Jul  9 11:27:10 vpn racoon: DEBUG: src4 192.168.1.110[4500]

Jul  9 11:27:10 vpn racoon: DEBUG: dst4 xx.xx.xx.xx[4500]

Jul  9 11:27:10 vpn racoon: DEBUG: 1 times of 1 bytes message will be sent to xx.xx.xx.xx[4500]

Jul  9 11:27:10 vpn racoon: DEBUG: #012ff

At this moment the transmission stops and the connection freezes. Only reconnecting helps.

To "solve" this I have disabled keep-alive messages with the "natt-keepalive = 0 sec;" setting.

2) Without keep-alive messages the transmission works for 3-5 minutes, but after that I see this message in the log:

Jul  9 18:29:59 vpn racoon: INFO: respond new phase 2 negotiation: 192.168.1.110[4500]<=>xx.xx.xx.xx[56265]

Jul  9 18:29:59 vpn racoon: INFO: Adjusting my encmode UDP-Transport->Transport

Jul  9 18:29:59 vpn racoon: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)

Jul  9 18:29:59 vpn racoon: INFO: purged IPsec-SA proto_id=ESP spi=2834276621.

Jul  9 18:30:29 vpn racoon: ERROR: xx.xx.xx.xx give up to get IPsec-SA due to time up to wait.

Then the transmission stops and the connection freezes.

The Win7 client is behind NAT. The server is behind NAT also, but ports 500, 4500 and 1701 are forwarded. NAT traversal is forced on in the configuration.

A Win7 client with a public IP has the same problems.

The server runs as a Xen DomU and is connected to the office network by a bridge.

A speed limit on the FTP client does not solve the problem, but makes the period of good transmission and connection longer (5-10 minutes).

Why do keep-alive messages kill the connection? Why does phase 2 appear in the middle of the transmission and also kill the connection? Is there any configuration for racoon\l2tp which works with Windows clients behind NAT?

Racoon.conf: http://paste.org.ru/?27lzaz

Setkey.conf: http://paste.org.ru/?sz8uov

Xl2tpd.conf: http://paste.org.ru/?aaayia

Options.xl2tp: http://paste.org.ru/?j55qpk

Debian squeeze

Linux 2.6.32-5-xen-amd64

ipsec-tools 0.7.3-12

xl2tpd 1.2.7+dfsg-1

Best regards,

Artem Popov.
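Added note and example, not part of the original message: in the first excerpt, `#012ff` is syslog's escaped newline (octal 012) followed by the hex dump `ff`, i.e. the single 0xff byte that racoon sends over UDP 4500 as the NAT-T keepalive; in the second excerpt, the phase 2 rekey is negotiated with the encapsulation mode changed from UDP-Transport to plain Transport, and the replacement IPsec-SA never arrives within the 30-second wait, which is when the tunnel freezes. The Python script below is written here, not taken from racoon or from the poster's configuration. It parses lines in the format shown in the message, classifies keepalive, rekey, encmode-change, SA-purge and SA-timeout events, and measures the gap between the rekey and the timeout, which is what a practitioner would pull out of a longer racoon debug log before looking at the configuration. The sample lines are constructed copies of the excerpts above, with the same `xx.xx.xx.xx` peer placeholder.

```python
import re
from datetime import datetime

# Constructed sample in the format of the racoon log excerpts in the message
# (peer address kept as the xx.xx.xx.xx placeholder used there).
SAMPLE_LOG = """\
Jul  9 11:27:10 vpn racoon: DEBUG: KA: 192.168.1.110[4500]->xx.xx.xx.xx[4500]
Jul  9 11:27:10 vpn racoon: DEBUG: 1 times of 1 bytes message will be sent to xx.xx.xx.xx[4500]
Jul  9 11:27:10 vpn racoon: DEBUG: #012ff
Jul  9 18:29:59 vpn racoon: INFO: respond new phase 2 negotiation: 192.168.1.110[4500]<=>xx.xx.xx.xx[56265]
Jul  9 18:29:59 vpn racoon: INFO: Adjusting my encmode UDP-Transport->Transport
Jul  9 18:29:59 vpn racoon: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
Jul  9 18:29:59 vpn racoon: INFO: purged IPsec-SA proto_id=ESP spi=2834276621.
Jul  9 18:30:29 vpn racoon: ERROR: xx.xx.xx.xx give up to get IPsec-SA due to time up to wait.
"""

# syslog prefix "Mon DD HH:MM:SS host racoon: LEVEL: message"
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) racoon: (?P<level>[A-Z]+): (?P<msg>.*)$"
)
SPI_RE = re.compile(r"spi=(\d+)")


def classify(msg):
    """Map a racoon message to one of the event kinds seen in the excerpts."""
    if msg.startswith("KA: "):
        return "natt_keepalive"          # NAT-T keepalive (the 0xff byte) being sent
    if "respond new phase 2 negotiation" in msg:
        return "phase2_start"            # peer-initiated rekey of the IPsec-SA
    if "Adjusting" in msg and "UDP-Transport" in msg and "->Transport" in msg:
        return "encmode_downgrade"       # UDP encapsulation dropped during the rekey
    if msg.startswith("purged IPsec-SA"):
        return "sa_purged"               # old SA removed before the new one exists
    if "give up to get IPsec-SA" in msg:
        return "sa_timeout"              # new SA never completed within the wait
    return "other"


def parse_line(line):
    """Return a dict for a racoon syslog line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog carries no year; 1900 is fine since only differences are used
    ts = datetime.strptime(f"{m['month']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "level": m["level"],
            "msg": m["msg"], "kind": classify(m["msg"])}


def analyze(text):
    """Summarise keepalive, encmode and rekey behaviour over a log excerpt."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    summary = {
        "keepalives": sum(e["kind"] == "natt_keepalive" for e in events),
        "encmode_downgrade": any(e["kind"] == "encmode_downgrade" for e in events),
        "purged_spis": [int(SPI_RE.search(e["msg"]).group(1))
                        for e in events if e["kind"] == "sa_purged"],
        "rekey_to_timeout_seconds": None,
    }
    start = next((e["ts"] for e in events if e["kind"] == "phase2_start"), None)
    fail = next((e["ts"] for e in events if e["kind"] == "sa_timeout"), None)
    if start is not None and fail is not None and fail >= start:
        summary["rekey_to_timeout_seconds"] = (fail - start).total_seconds()
    return summary


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a full `racoon -ddd` log instead of `SAMPLE_LOG` to see whether every freeze is preceded by the same pattern: a keepalive right before the stall in case 1, and a phase 2 rekey whose encmode changes away from UDP-Transport followed by the 30-second timeout in case 2.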