I have an issue with my VPN on a Ubiquiti USG Pro device as well as others such as a Gateway 3P. It seems isolated and a re-occurrence behind the same NAT Public IP every time when the issue arises. The behavior of this pattern is almost as if the previous sessions are still active or “stuck” not allowing any new connections to be established hence it failing from said Public IP. But if you connect from another completely different public IP it will allow you to establish the session.
A couple of work around's we have in place are:
1.Connect to a different VPN first then while still connected to the other VPN, connect to the original VPN For Example:
When trying to connect to VPN A:
Connect to VPN B First then connect to VPN A
2.Reset the VPN Tunnel by issuing the VPN Reset Command.
I have pulled the logs with the sudo swanctl --log command and have provided it via the attachment, please let me know how we can resolve this issue.
#1 Updated by Tobias Brunner 7 months ago
- Status changed from New to Feedback
- Priority changed from High to Normal
Your first problem is that you use IKEv1 (just bad in general). The second that you use L2TP (also bad in general, but especially over NATs), which will cause duplicate policies if multiple clients connect from behind the same NAT (their private IP is replaced by the public one), as can be seen in the log:
08[CFG] unable to install policy 126.96.36.199/32[udp/l2f] === 188.8.131.52/32[udp/l2f] out (mark 0/0x00000000) for reqid 89, the same policy for reqid 15 exists
There are some hackish workarounds for this (see connmark and L2TP), but I wouldn't recommend them. Instead try to switch to IKEv2.