
The L2TP connection attempt failed because the security layer encountered a processing error


1 reply to this topic

#1 Mike Wheeler

  • Members
  • 6 posts

Posted 19 April 2018 - 04:30 PM

Hi Everyone,

I have a number of laptops with built-in cellular using the Barracuda-generated IPsec VPN to connect to an SSL 380. Randomly I'll have clients that can't connect and get the message:

 

Can't connect to Barracuda IPsec

The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.

 

After they try a few times they can connect.

I've had them check the internet when they're having the problem and they can open a webpage.

Any ideas on how to troubleshoot or logs to look at?

I'm not seeing anything being blocked in the firewall.

I also have an SSL180 and have the same errors with it.

 

(FYI I've edited my original post and previously thought port 80 was being blocked but was looking at the wrong external IP)

 

Thanks

 



#2 Gavin Chappell

  • Moderators
  • 426 posts
  • Location: Nottingham, UK

Posted 20 April 2018 - 05:14 AM

This issue is generally down to one of two things:

 

- Mutual authentication being wrong (i.e. mismatched certificate, or mismatched PSK)

- NAT being particularly "hostile" to IPsec (which was not designed for NAT tolerance originally)

 

If your PSK were wrong, then it would not flip between working/not working, so I think we can discount that. The Barracuda SSL VPN does not use certificates, so that's not the issue either.

 

This leaves NAT issues, which makes sense when you say that your laptops are running off integrated cellular modems - cellular providers often have multiple layers of NAT even inside their own networks, because that's the necessity of getting hundreds of thousands of subscribers into a limited IPv4 address pool. For the most part this does work, but IPsec is particularly sensitive; all the NAT capability of IPsec is a relatively recent addition as the protocol was not originally built for it. This may be something you need to raise with your cellular provider - they may have a business plan which is more VPN friendly and involves fewer translations.
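
How an IKEv1 peer notices the kind of NAT described in the reply above, as an added example that is not part of the original thread: it follows the NAT-D hash comparison from RFC 3947. The addresses, cookies, function names and the choice of SHA-1 as the negotiated hash are constructed assumptions.

```python
import hashlib
import ipaddress
import struct

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I = bytes.fromhex("a1b2c3d4e5f60718")
CKY_R = bytes.fromhex("8f7e6d5c4b3a2910")
CLIENT = ("10.64.12.7", 500)            # laptop's address on the cellular network
GATEWAY = ("203.0.113.10", 500)         # VPN appliance's public address
CARRIER_NAT = ("198.51.100.44", 31822)  # source after the carrier's translation


def nat_d_hash(ip, port):
    """RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port); SHA-1 assumed."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(CKY_I + CKY_R + addr + struct.pack("!H", port)).digest()


def build_nat_d(local, remote):
    """Sender: the first NAT-D payload covers the remote end, the second its own."""
    return [nat_d_hash(*remote), nat_d_hash(*local)]


def detect_nat(nat_d, seen_src, seen_dst):
    """Receiver: recompute both hashes from the packet's real addresses."""
    remote_hash, local_hash = nat_d
    return {
        "sender_behind_nat": local_hash != nat_d_hash(*seen_src),
        "receiver_behind_nat": remote_hash != nat_d_hash(*seen_dst),
    }


def ike_port_after_detection(result):
    """With NAT on the path both peers move from UDP 500 to UDP 4500."""
    return 4500 if any(result.values()) else 500


def gateway_view(seen_src):
    """What the gateway concludes when the client's packet arrives from seen_src."""
    payloads = build_nat_d(local=CLIENT, remote=GATEWAY)
    return detect_nat(payloads, seen_src=seen_src, seen_dst=GATEWAY)


if __name__ == "__main__":
    for label, src in (("no NAT", CLIENT), ("carrier NAT", CARRIER_NAT)):
        result = gateway_view(src)
        print(label, result, "-> UDP", ike_port_after_detection(result))
```

Once NAT is detected, the rest of the negotiation and the ESP traffic ride inside UDP 4500, so every translation layer on the path has to keep that UDP mapping stable for the tunnel to come up.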