Unable to connect to L2TP+IPSec from Ubuntu 24.04 with kl2tpd

[amkrivenya]

Hello,

I've got a problem with l2tp connection on my newly installed Ubuntu

$ cat /etc/os-release 
PRETTY_NAME="Ubuntu 24.04.1 LTS"

$ sudo apt-get install network-manager-l2tp network-manager-l2tp-gnome

$ ipsec --version
Linux strongSwan U5.9.13/K6.8.0-45-generic

from ubuntu 22.04 (with xl2tpd) connection established successfully.

I was advised here: NetworkManager-l2tp, and reveting l2tp daemon from kl2tpd to the xl2tpd solved my problem.

sudo apt install xl2tpd  
sudo apt purge go-l2tp

Could you help me to connect with the default daemon kl2tpd?

my log of kl2tpd connection (VPN server - Keenatic Peak), I googled nothing for message="failed to send SCCRQ message":

NetworkManager[914]: <info>  [1727172563.6346] vpn[0x57971b24fdb0,90e7b805-c712-4f76-8e3e-8213353f9e1e,"VPN 1"]: starting l2tp
NetworkManager[914]: <info>  [1727172563.6351] audit: op="connection-activate" uuid="90e7b805-c712-4f76-8e3e-8213353f9e1e" name="VPN 1" pid=1592 uid=1000 result="success"
NetworkManager[9605]: Stopping strongSwan IPsec failed: starter is not running
NetworkManager[9602]: Starting strongSwan 5.9.13 IPsec [starter]...
ipsec_starter[9602]: Starting strongSwan 5.9.13 IPsec [starter]...
NetworkManager[9602]: Loading config setup
NetworkManager[9602]: Loading conn '90e7b805-c712-4f76-8e3e-8213353f9e1e'
ipsec_starter[9602]: Loading config setup
ipsec_starter[9602]: Loading conn '90e7b805-c712-4f76-8e3e-8213353f9e1e'
ipsec_starter[9613]: Attempting to start charon...
charon[9614]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.13, Linux 6.8.0-45-generic, x86_64)
charon[9614]: 00[LIB] providers loaded by OpenSSL: legacy default
charon[9614]: 00[CFG] using '/sbin/resolvconf' to install DNS servers
charon[9614]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
charon[9614]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
charon[9614]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
charon[9614]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
charon[9614]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
charon[9614]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
charon[9614]: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
charon[9614]: 00[CFG]   loaded IKE secret for %any
charon[9614]: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf gmp agent xcbc hmac kdf gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
charon[9614]: 00[LIB] dropped capabilities, running as uid 0, gid 0
charon[9614]: 00[JOB] spawning 16 worker threads
ipsec_starter[9613]: charon (9614) started after 40 ms
charon[9614]: 09[CFG] received stroke: add connection '90e7b805-c712-4f76-8e3e-8213353f9e1e'
charon[9614]: 17[LIB] resolving '(null)' failed: Name or service not known
charon[9614]: 09[CFG] left nor right host is our side, assuming left=local
charon[9614]: 09[CFG] added configuration '90e7b805-c712-4f76-8e3e-8213353f9e1e'
charon[9614]: 11[CFG] rereading secrets
charon[9614]: 11[CFG] loading secrets from '/etc/ipsec.secrets'
charon[9614]: 11[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
charon[9614]: 11[CFG]   loaded IKE secret for %any
charon[9614]: 13[CFG] received stroke: initiate '90e7b805-c712-4f76-8e3e-8213353f9e1e'
charon[9614]: 17[LIB] resolving '(null)' failed: Name or service not known
charon[9614]: 15[IKE] initiating Main Mode IKE_SA 90e7b805-c712-4f76-8e3e-8213353f9e1e[1] to {VPN_SERVER_IP}
charon[9614]: 15[IKE] initiating Main Mode IKE_SA 90e7b805-c712-4f76-8e3e-8213353f9e1e[1] to {VPN_SERVER_IP}
charon[9614]: 15[ENC] generating ID_PROT request 0 [ SA V V V V V ]
charon[9614]: 15[NET] sending packet: from 0.0.0.0[500] to {VPN_SERVER_IP}[500] (532 bytes)
charon[9614]: 16[NET] received packet: from {VPN_SERVER_IP}[500] to 192.168.228.144[500] (144 bytes)
charon[9614]: 16[ENC] parsed ID_PROT response 0 [ SA V V V ]
charon[9614]: 16[IKE] received DPD vendor ID
charon[9614]: 16[IKE] received FRAGMENTATION vendor ID
charon[9614]: 16[IKE] received NAT-T (RFC 3947) vendor ID
charon[9614]: 16[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon[9614]: 16[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
charon[9614]: 16[NET] sending packet: from 192.168.228.144[500] to {VPN_SERVER_IP}[500] (244 bytes)
charon[9614]: 05[NET] received packet: from {VPN_SERVER_IP}[500] to 192.168.228.144[500] (244 bytes)
charon[9614]: 05[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
charon[9614]: 05[IKE] local host is behind NAT, sending keep alives
charon[9614]: 05[ENC] generating ID_PROT request 0 [ ID HASH ]
charon[9614]: 05[NET] sending packet: from 192.168.228.144[4500] to {VPN_SERVER_IP}[4500] (68 bytes)
charon[9614]: 06[NET] received packet: from {VPN_SERVER_IP}[4500] to 192.168.228.144[4500] (68 bytes)
charon[9614]: 06[ENC] parsed ID_PROT response 0 [ ID HASH ]
charon[9614]: 06[IKE] IKE_SA 90e7b805-c712-4f76-8e3e-8213353f9e1e[1] established between 192.168.228.144[(null)]...{VPN_SERVER_IP}[{VPN_SERVER_IP}]
charon[9614]: 06[IKE] IKE_SA 90e7b805-c712-4f76-8e3e-8213353f9e1e[1] established between 192.168.228.144[(null)]...{VPN_SERVER_IP}[{VPN_SERVER_IP}]
charon[9614]: 06[IKE] scheduling reauthentication in 9990s
charon[9614]: 06[IKE] maximum IKE_SA lifetime 10530s
charon[9614]: 06[ENC] generating QUICK_MODE request 66717060 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon[9614]: 06[NET] sending packet: from 192.168.228.144[4500] to {VPN_SERVER_IP}[4500] (244 bytes)
charon[9614]: 07[NET] received packet: from {VPN_SERVER_IP}[4500] to 192.168.228.144[4500] (196 bytes)
charon[9614]: 07[ENC] parsed QUICK_MODE response 66717060 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon[9614]: 07[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
charon[9614]: 07[IKE] CHILD_SA 90e7b805-c712-4f76-8e3e-8213353f9e1e{1} established with SPIs c75cb7cf_i cc6f3d6f_o and TS 192.168.228.144/32 === {VPN_SERVER_IP}/32[udp/l2f]
charon[9614]: 07[IKE] CHILD_SA 90e7b805-c712-4f76-8e3e-8213353f9e1e{1} established with SPIs c75cb7cf_i cc6f3d6f_o and TS 192.168.228.144/32 === {VPN_SERVER_IP}/32[udp/l2f]
charon[9614]: 07[ENC] generating QUICK_MODE request 66717060 [ HASH ]
charon[9614]: 07[NET] sending packet: from 192.168.228.144[4500] to {VPN_SERVER_IP}[4500] (60 bytes)
NetworkManager[9655]: initiating Main Mode IKE_SA 90e7b805-c712-4f76-8e3e-8213353f9e1e[1] to {VPN_SERVER_IP}
NetworkManager[9655]: generating ID_PROT request 0 [ SA V V V V V ]
NetworkManager[9655]: sending packet: from 0.0.0.0[500] to {VPN_SERVER_IP}[500] (532 bytes)
NetworkManager[9655]: received packet: from {VPN_SERVER_IP}[500] to 192.168.228.144[500] (144 bytes)
NetworkManager[9655]: parsed ID_PROT response 0 [ SA V V V ]
NetworkManager[9655]: received DPD vendor ID
NetworkManager[9655]: received FRAGMENTATION vendor ID
NetworkManager[9655]: received NAT-T (RFC 3947) vendor ID
NetworkManager[9655]: selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
NetworkManager[9655]: generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
NetworkManager[9655]: sending packet: from 192.168.228.144[500] to {VPN_SERVER_IP}[500] (244 bytes)
NetworkManager[9655]: received packet: from {VPN_SERVER_IP}[500] to 192.168.228.144[500] (244 bytes)
NetworkManager[9655]: parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
NetworkManager[9655]: local host is behind NAT, sending keep alives
NetworkManager[9655]: generating ID_PROT request 0 [ ID HASH ]
NetworkManager[9655]: sending packet: from 192.168.228.144[4500] to {VPN_SERVER_IP}[4500] (68 bytes)
NetworkManager[9655]: received packet: from {VPN_SERVER_IP}[4500] to 192.168.228.144[4500] (68 bytes)
NetworkManager[9655]: parsed ID_PROT response 0 [ ID HASH ]
NetworkManager[9655]: IKE_SA 90e7b805-c712-4f76-8e3e-8213353f9e1e[1] established between 192.168.228.144[(null)]...{VPN_SERVER_IP}[{VPN_SERVER_IP}]
NetworkManager[9655]: scheduling reauthentication in 9990s
NetworkManager[9655]: maximum IKE_SA lifetime 10530s
NetworkManager[9655]: generating QUICK_MODE request 66717060 [ HASH SA No ID ID NAT-OA NAT-OA ]
NetworkManager[9655]: sending packet: from 192.168.228.144[4500] to {VPN_SERVER_IP}[4500] (244 bytes)
NetworkManager[9655]: received packet: from {VPN_SERVER_IP}[4500] to 192.168.228.144[4500] (196 bytes)
NetworkManager[9655]: parsed QUICK_MODE response 66717060 [ HASH SA No ID ID NAT-OA NAT-OA ]
NetworkManager[9655]: selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
NetworkManager[9655]: CHILD_SA 90e7b805-c712-4f76-8e3e-8213353f9e1e{1} established with SPIs c75cb7cf_i cc6f3d6f_o and TS 192.168.228.144/32 === {VPN_SERVER_IP}/32[udp/l2f]
NetworkManager[9655]: generating QUICK_MODE request 66717060 [ HASH ]
NetworkManager[9655]: connection '90e7b805-c712-4f76-8e3e-8213353f9e1e' established successfully
nm-l2tp-service[9590]: strongSwan IPsec connection is up.
nm-l2tp-service[9590]: kl2tpd started with pid 9661
NetworkManager[9661]: level=info tunnel_name=t1 session_name=s1 message="new dynamic session" session_id=19715 peer_session_id=0 pseudowire=7
NetworkManager[9661]: level=info tunnel_name=t1 message="new dynamic tunnel" version=2 encap=UDP local= peer={VPN_SERVER_IP}:1701 tunnel_id=58056 peer_tunnel_id=0
NetworkManager[9661]: level=debug tunnel_name=t1 message="fsm event" event=open
NetworkManager[9661]: level=debug tunnel_name=t1 function=transport message=send message_type=avpMsgTypeSccrq
NetworkManager[9661]: level=debug tunnel_name=t1 function=transport message=send message_type=avpMsgTypeSccrq ns=0 nr=0 isRetransmit=false
NetworkManager[9661]: level=info tunnel_name=t1 function=transport message=retransmit message_type=avpMsgTypeSccrq
NetworkManager[9661]: level=debug tunnel_name=t1 function=transport message=send message_type=avpMsgTypeSccrq ns=0 nr=0 isRetransmit=true
NetworkManager[9661]: level=info tunnel_name=t1 function=transport message=retransmit message_type=avpMsgTypeSccrq
NetworkManager[9661]: level=debug tunnel_name=t1 function=transport message=send message_type=avpMsgTypeSccrq ns=0 nr=0 isRetransmit=true
systemd-resolved[752]: Using degraded feature set UDP instead of UDP+EDNS0 for DNS server 192.168.228.75.
NetworkManager[9661]: level=info tunnel_name=t1 function=transport message=retransmit message_type=avpMsgTypeSccrq
NetworkManager[9661]: level=debug tunnel_name=t1 function=transport message="send complete" message_type=avpMsgTypeSccrq error="transmit of avpMsgTypeSccrq failed after 3 retry attempts"
NetworkManager[9661]: level=error tunnel_name=t1 function=transport message="socket read failed" error="resource temporarily unavailable"
NetworkManager[9661]: level=error tunnel_name=t1 message="failed to send SCCRQ message" error="transmit of avpMsgTypeSccrq failed after 3 retry attempts"
NetworkManager[9661]: level=error tunnel_name=t1 function=transport message="transport down" error="transmit of avpMsgTypeSccrq failed after 3 retry attempts"
NetworkManager[9661]: level=info tunnel_name=t1 message=close
NetworkManager[914]: <warn>  [1727172584.0197] vpn[0x57971b24fdb0,90e7b805-c712-4f76-8e3e-8213353f9e1e,"VPN 1"]: dbus: failure: connect-failed (1)
NetworkManager[914]: <warn>  [1727172584.0199] vpn[0x57971b24fdb0,90e7b805-c712-4f76-8e3e-8213353f9e1e,"VPN 1"]: dbus: failure: connect-failed (1)
NetworkManager[9670]: Stopping strongSwan IPsec...
charon[9614]: 00[DMN] SIGINT received, shutting down
charon[9614]: 00[IKE] closing CHILD_SA 90e7b805-c712-4f76-8e3e-8213353f9e1e{1} with SPIs c75cb7cf_i (0 bytes) cc6f3d6f_o (192 bytes) and TS 192.168.228.144/32 === {VPN_SERVER_IP}/32[udp/l2f]
charon[9614]: 00[IKE] closing CHILD_SA 90e7b805-c712-4f76-8e3e-8213353f9e1e{1} with SPIs c75cb7cf_i (0 bytes) cc6f3d6f_o (192 bytes) and TS 192.168.228.144/32 === {VPN_SERVER_IP}/32[udp/l2f]
charon[9614]: 00[IKE] sending DELETE for ESP CHILD_SA with SPI c75cb7cf
charon[9614]: 00[ENC] generating INFORMATIONAL_V1 request 320293356 [ HASH D ]
charon[9614]: 00[NET] sending packet: from 192.168.228.144[4500] to {VPN_SERVER_IP}[4500] (76 bytes)
charon[9614]: 00[IKE] deleting IKE_SA 90e7b805-c712-4f76-8e3e-8213353f9e1e[1] between 192.168.228.144[(null)]...{VPN_SERVER_IP}[{VPN_SERVER_IP}]
charon[9614]: 00[IKE] deleting IKE_SA 90e7b805-c712-4f76-8e3e-8213353f9e1e[1] between 192.168.228.144[(null)]...{VPN_SERVER_IP}[{VPN_SERVER_IP}]
charon[9614]: 00[IKE] sending DELETE for IKE_SA 90e7b805-c712-4f76-8e3e-8213353f9e1e[1]
charon[9614]: 00[ENC] generating INFORMATIONAL_V1 request 1277003383 [ HASH D ]
charon[9614]: 00[NET] sending packet: from 192.168.228.144[4500] to {VPN_SERVER_IP}[4500] (84 bytes)
ipsec_starter[9613]: child 9614 (charon) has quit (exit code 0)
ipsec_starter[9613]: 
ipsec_starter[9613]: charon stopped after 200 ms
ipsec_starter[9613]: ipsec starter stopped
nm-l2tp-service[9590]: ipsec shut down

[tomparkin]

Thanks for getting in touch and I'm sorry you're having issues with kl2tpd.

The log file shows that kl2tpd is trying to send the initial SCCRQ packet to initiate the L2TP tunnel with the peer on port 1701:

peer={VPN_SERVER_IP}:1701

However it ends up retrying and eventually giving up:

NetworkManager[9661]: level=debug tunnel_name=t1 function=transport message=send message_type=avpMsgTypeSccrq
NetworkManager[9661]: level=debug tunnel_name=t1 function=transport message=send message_type=avpMsgTypeSccrq ns=0 nr=0 isRetransmit=false
NetworkManager[9661]: level=info tunnel_name=t1 function=transport message=retransmit message_type=avpMsgTypeSccrq
NetworkManager[9661]: level=debug tunnel_name=t1 function=transport message=send message_type=avpMsgTypeSccrq ns=0 nr=0 isRetransmit=true
NetworkManager[9661]: level=info tunnel_name=t1 function=transport message=retransmit message_type=avpMsgTypeSccrq
NetworkManager[9661]: level=debug tunnel_name=t1 function=transport message=send message_type=avpMsgTypeSccrq ns=0 nr=0 isRetransmit=true
systemd-resolved[752]: Using degraded feature set UDP instead of UDP+EDNS0 for DNS server 192.168.228.75.
NetworkManager[9661]: level=info tunnel_name=t1 function=transport message=retransmit message_type=avpMsgTypeSccrq
NetworkManager[9661]: level=debug tunnel_name=t1 function=transport message="send complete" message_type=avpMsgTypeSccrq error="transmit of avpMsgTypeSccrq failed after 3 retry attempts"
NetworkManager[9661]: level=error tunnel_name=t1 function=transport message="socket read failed" error="resource temporarily unavailable"
NetworkManager[9661]: level=error tunnel_name=t1 message="failed to send SCCRQ message" error="transmit of avpMsgTypeSccrq failed after 3 retry attempts"
NetworkManager[9661]: level=error tunnel_name=t1 function=transport message="transport down" error="transmit of avpMsgTypeSccrq failed after 3 retry attempts"
NetworkManager[9661]: level=info tunnel_name=t1 message=close

This occurs if kl2tpd doesn't receive a response from the peer in a timely manner.

It's hard to know why kl2tpd isn't seeing a response: it could be a networking issue of some description, although the fact that xl2tpd works makes that somewhat less likely. It may be that the peer doesn't like the SCCRQ kl2tpd has sent for some reason -- possibly xl2tpd is sending AVPs which kl2tpd is not, for example.

Do you by any chance have access to logging from the VPN server which might help pinpoint the issue?

[amkrivenya]

Thank you for the answer))

Yes, I have.

Here it is:

ipsec: 08[IKE] received XAuth vendor ID 
ipsec: 08[IKE] received DPD vendor ID 
ipsec: 08[IKE] received FRAGMENTATION vendor ID 
ipsec: 08[IKE] received NAT-T (RFC 3947) vendor ID 
ipsec: 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID 
ipsec: 08[IKE] 178.163.181.198 is initiating a Main Mode IKE_SA 
ipsec: 08[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 
ipsec: 08[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_768, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_768, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_768, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/ECP_384, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/ECP_256, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_768, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:DES_CBC/HMAC_SHA1_96/PRF [...]
ipsec: 08[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 
ipsec: 08[IKE] sending DPD vendor ID 
ipsec: 08[IKE] sending FRAGMENTATION vendor ID 
ipsec: 08[IKE] sending NAT-T (RFC 3947) vendor ID 
ipsec: 10[IKE] remote host is behind NAT 
ipsec: 10[IKE] linked key for crypto map '(unnamed)' is not found, still searching 
ipsec: 13[CFG] looking for pre-shared key peer configs matching {VPN_SERVER_IP}...178.163.181.198[192.168.228.213] 
ipsec: 13[CFG] selected peer config "VPNL2TPServer" 
ipsec: 13[IKE] IKE_SA VPNL2TPServer[5016] established between {VPN_SERVER_IP}[{VPN_SERVER_IP}]...178.163.181.198[192.168.228.213] 
ipsec: 09[CFG] received proposals: ESP:AES_CBC=256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ 
ipsec: 09[CFG] configured proposals: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=128/HMAC_SHA2_256_128/NO_EXT_SEQ 
ipsec: 09[CFG] selected proposal: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ 
ipsec: 09[IKE] received 3600s lifetime, configured 0s 
ipsec: 05[IKE] CHILD_SA VPNL2TPServer{9344} established with SPIs c7800163_i ca5d3973_o and TS {VPN_SERVER_IP}/32[udp/l2tp] === 178.163.181.198/32 
ndm: IpSec::CryptoMapInfo: "VPNL2TPServer": IPsec connection to L2TP/IPsec server from "178.163.181.198" is established. 
ndm: IpSec::Netfilter: start reloading netfilter configuration... 
ndm: IpSec::Netfilter: netfilter configuration reloading is done. 
ipsec: 09[IKE] received DELETE for ESP CHILD_SA with SPI ca5d3973 
ipsec: 09[IKE] closing CHILD_SA VPNL2TPServer{9344} with SPIs c7800163_i (192 bytes) ca5d3973_o (0 bytes) and TS {VPN_SERVER_IP}/32[udp/l2tp] === 178.163.181.198/32 
ipsec: 08[IKE] received DELETE for IKE_SA VPNL2TPServer[5016] 
ipsec: 08[IKE] deleting IKE_SA VPNL2TPServer[5016] between {VPN_SERVER_IP}[{VPN_SERVER_IP}]...178.163.181.198[192.168.228.213] 
ndm: IpSec::Netfilter: start reloading netfilter configuration... 
ndm: IpSec::Netfilter: netfilter configuration reloading is done. 
ppp-l2tp: l2tp tunnel 29169-36052 (46.216.28.185:41500): discarding out of order message (packet Ns/Nr: 17062/35813, tunnel Ns/Nr: 35813/125, tunnel reception window size: 1024 bytes) 

[amkrivenya]

Please, take a look at the logs for the successful connection with xl2tpd
May be it'll help

and it also contains a warn about 1701

nm-l2tp-service[14627]: Can't bind to port 1701

client:

NetworkManager[924]: <info>  [1727270546.4216] vpn[0x624d700debc0,02d5b3b8-69a3-4ab3-8f8b-77cb9e69eaef,"VPN 1"]: starting l2tp
NetworkManager[924]: <info>  [1727270546.4221] audit: op="connection-activate" uuid="02d5b3b8-69a3-4ab3-8f8b-77cb9e69eaef" name="VPN 1" pid=1631 uid=1000 result="success"
nm-l2tp-service[14627]: Check port 1701
nm-l2tp-service[14627]: Can't bind to port 1701
NetworkManager[14642]: Stopping strongSwan IPsec failed: starter is not running
NetworkManager[14639]: Starting strongSwan 5.9.13 IPsec [starter]...
ipsec_starter[14639]: Starting strongSwan 5.9.13 IPsec [starter]...
NetworkManager[14639]: Loading config setup
NetworkManager[14639]: Loading conn '02d5b3b8-69a3-4ab3-8f8b-77cb9e69eaef'
ipsec_starter[14639]: Loading config setup
ipsec_starter[14639]: Loading conn '02d5b3b8-69a3-4ab3-8f8b-77cb9e69eaef'
ipsec_starter[14651]: Attempting to start charon...
charon[14652]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.13, Linux 6.8.0-45-generic, x86_64)
charon[14652]: 00[LIB] providers loaded by OpenSSL: legacy default
charon[14652]: 00[CFG] using '/sbin/resolvconf' to install DNS servers
charon[14652]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
charon[14652]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
charon[14652]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
charon[14652]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
charon[14652]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
charon[14652]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
charon[14652]: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
charon[14652]: 00[CFG]   loaded IKE secret for %any
charon[14652]: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf gmp agent xcbc hmac kdf gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
charon[14652]: 00[LIB] dropped capabilities, running as uid 0, gid 0
charon[14652]: 00[JOB] spawning 16 worker threads
ipsec_starter[14651]: charon (14652) started after 40 ms
charon[14652]: 09[CFG] received stroke: add connection '02d5b3b8-69a3-4ab3-8f8b-77cb9e69eaef'
charon[14652]: 09[CFG] added configuration '02d5b3b8-69a3-4ab3-8f8b-77cb9e69eaef'
charon[14652]: 11[CFG] rereading secrets
charon[14652]: 11[CFG] loading secrets from '/etc/ipsec.secrets'
charon[14652]: 11[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
charon[14652]: 11[CFG]   loaded IKE secret for %any
charon[14652]: 13[CFG] received stroke: initiate '02d5b3b8-69a3-4ab3-8f8b-77cb9e69eaef'
charon[14652]: 15[IKE] initiating Main Mode IKE_SA 02d5b3b8-69a3-4ab3-8f8b-77cb9e69eaef[1] to {VPN_SERVER_IP}
charon[14652]: 15[IKE] initiating Main Mode IKE_SA 02d5b3b8-69a3-4ab3-8f8b-77cb9e69eaef[1] to {VPN_SERVER_IP}
charon[14652]: 15[ENC] generating ID_PROT request 0 [ SA V V V V V ]
charon[14652]: 15[NET] sending packet: from 192.168.228.213[500] to {VPN_SERVER_IP}[500] (532 bytes)
charon[14652]: 16[NET] received packet: from {VPN_SERVER_IP}[500] to 192.168.228.213[500] (144 bytes)
charon[14652]: 16[ENC] parsed ID_PROT response 0 [ SA V V V ]
charon[14652]: 16[IKE] received DPD vendor ID
charon[14652]: 16[IKE] received FRAGMENTATION vendor ID
charon[14652]: 16[IKE] received NAT-T (RFC 3947) vendor ID
charon[14652]: 16[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon[14652]: 16[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
charon[14652]: 16[NET] sending packet: from 192.168.228.213[500] to {VPN_SERVER_IP}[500] (244 bytes)
charon[14652]: 04[NET] received packet: from {VPN_SERVER_IP}[500] to 192.168.228.213[500] (244 bytes)
charon[14652]: 04[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
charon[14652]: 04[IKE] local host is behind NAT, sending keep alives
charon[14652]: 04[ENC] generating ID_PROT request 0 [ ID HASH ]
charon[14652]: 04[NET] sending packet: from 192.168.228.213[4500] to {VPN_SERVER_IP}[4500] (68 bytes)
charon[14652]: 06[NET] received packet: from {VPN_SERVER_IP}[4500] to 192.168.228.213[4500] (68 bytes)
charon[14652]: 06[ENC] parsed ID_PROT response 0 [ ID HASH ]
charon[14652]: 06[IKE] IKE_SA 02d5b3b8-69a3-4ab3-8f8b-77cb9e69eaef[1] established between 192.168.228.213[192.168.228.213]...{VPN_SERVER_IP}[{VPN_SERVER_IP}]
charon[14652]: 06[IKE] IKE_SA 02d5b3b8-69a3-4ab3-8f8b-77cb9e69eaef[1] established between 192.168.228.213[192.168.228.213]...{VPN_SERVER_IP}[{VPN_SERVER_IP}]
charon[14652]: 06[IKE] scheduling reauthentication in 9722s
charon[14652]: 06[IKE] maximum IKE_SA lifetime 10262s
charon[14652]: 06[ENC] generating QUICK_MODE request 847354842 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon[14652]: 06[NET] sending packet: from 192.168.228.213[4500] to {VPN_SERVER_IP}[4500] (244 bytes)
charon[14652]: 07[NET] received packet: from {VPN_SERVER_IP}[4500] to 192.168.228.213[4500] (196 bytes)
charon[14652]: 07[ENC] parsed QUICK_MODE response 847354842 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon[14652]: 07[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
charon[14652]: 07[IKE] CHILD_SA 02d5b3b8-69a3-4ab3-8f8b-77cb9e69eaef{1} established with SPIs c4ef4eb3_i c37d00ae_o and TS 192.168.228.213/32 === {VPN_SERVER_IP}/32[udp/l2f]
charon[14652]: 07[IKE] CHILD_SA 02d5b3b8-69a3-4ab3-8f8b-77cb9e69eaef{1} established with SPIs c4ef4eb3_i c37d00ae_o and TS 192.168.228.213/32 === {VPN_SERVER_IP}/32[udp/l2f]
charon[14652]: 07[ENC] generating QUICK_MODE request 847354842 [ HASH ]
NetworkManager[14692]: initiating Main Mode IKE_SA 02d5b3b8-69a3-4ab3-8f8b-77cb9e69eaef[1] to {VPN_SERVER_IP}
NetworkManager[14692]: generating ID_PROT request 0 [ SA V V V V V ]
NetworkManager[14692]: sending packet: from 192.168.228.213[500] to {VPN_SERVER_IP}[500] (532 bytes)
NetworkManager[14692]: received packet: from {VPN_SERVER_IP}[500] to 192.168.228.213[500] (144 bytes)
NetworkManager[14692]: parsed ID_PROT response 0 [ SA V V V ]
NetworkManager[14692]: received DPD vendor ID
NetworkManager[14692]: received FRAGMENTATION vendor ID
NetworkManager[14692]: received NAT-T (RFC 3947) vendor ID
NetworkManager[14692]: selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
NetworkManager[14692]: generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
NetworkManager[14692]: sending packet: from 192.168.228.213[500] to {VPN_SERVER_IP}[500] (244 bytes)
NetworkManager[14692]: received packet: from {VPN_SERVER_IP}[500] to 192.168.228.213[500] (244 bytes)
NetworkManager[14692]: parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
NetworkManager[14692]: local host is behind NAT, sending keep alives
NetworkManager[14692]: generating ID_PROT request 0 [ ID HASH ]
NetworkManager[14692]: sending packet: from 192.168.228.213[4500] to {VPN_SERVER_IP}[4500] (68 bytes)
NetworkManager[14692]: received packet: from {VPN_SERVER_IP}[4500] to 192.168.228.213[4500] (68 bytes)
NetworkManager[14692]: parsed ID_PROT response 0 [ ID HASH ]
NetworkManager[14692]: IKE_SA 02d5b3b8-69a3-4ab3-8f8b-77cb9e69eaef[1] established between 192.168.228.213[192.168.228.213]...{VPN_SERVER_IP}[{VPN_SERVER_IP}]
NetworkManager[14692]: scheduling reauthentication in 9722s
NetworkManager[14692]: maximum IKE_SA lifetime 10262s
NetworkManager[14692]: generating QUICK_MODE request 847354842 [ HASH SA No ID ID NAT-OA NAT-OA ]
NetworkManager[14692]: sending packet: from 192.168.228.213[4500] to {VPN_SERVER_IP}[4500] (244 bytes)
NetworkManager[14692]: received packet: from {VPN_SERVER_IP}[4500] to 192.168.228.213[4500] (196 bytes)
NetworkManager[14692]: parsed QUICK_MODE response 847354842 [ HASH SA No ID ID NAT-OA NAT-OA ]
NetworkManager[14692]: selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
NetworkManager[14692]: CHILD_SA 02d5b3b8-69a3-4ab3-8f8b-77cb9e69eaef{1} established with SPIs c4ef4eb3_i c37d00ae_o and TS 192.168.228.213/32 === {VPN_SERVER_IP}/32[udp/l2f]
NetworkManager[14692]: generating QUICK_MODE request 847354842 [ HASH ]
NetworkManager[14692]: connection '02d5b3b8-69a3-4ab3-8f8b-77cb9e69eaef' established successfully
charon[14652]: 07[NET] sending packet: from 192.168.228.213[4500] to {VPN_SERVER_IP}[4500] (60 bytes)
nm-l2tp-service[14627]: strongSwan IPsec connection is up.
nm-l2tp-service[14627]: xl2tpd started with pid 14698
NetworkManager[14698]: xl2tpd[14698]: Not looking for kernel SAref support.
NetworkManager[14698]: xl2tpd[14698]: Using l2tp kernel support.
NetworkManager[14698]: xl2tpd[14698]: xl2tpd version xl2tpd-1.3.18 started on asus PID:14698
NetworkManager[14698]: xl2tpd[14698]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
NetworkManager[14698]: xl2tpd[14698]: Forked by Scott Balmos and David Stipp, (C) 2001
NetworkManager[14698]: xl2tpd[14698]: Inherited by Jeff McAdams, (C) 2002
NetworkManager[14698]: xl2tpd[14698]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
NetworkManager[14698]: xl2tpd[14698]: Listening on IP address 0.0.0.0, port 47180
NetworkManager[14698]: xl2tpd[14698]: Connecting to host {VPN_SERVER_IP}, port 1701
NetworkManager[14698]: xl2tpd[14698]: Connection established to {VPN_SERVER_IP}, 1701.  Local: 495, Remote: 816 (ref=0/0).
NetworkManager[14698]: xl2tpd[14698]: Calling on tunnel 495
NetworkManager[14698]: xl2tpd[14698]: Call established with {VPN_SERVER_IP}, Local: 20076, Remote: 34674, Serial: 1 (ref=0/0)
NetworkManager[14698]: xl2tpd[14698]: start_pppd: I'm running:
NetworkManager[14698]: xl2tpd[14698]: "/usr/sbin/pppd"
NetworkManager[14698]: xl2tpd[14698]: "plugin"
NetworkManager[14698]: xl2tpd[14698]: "pppol2tp.so"
NetworkManager[14698]: xl2tpd[14698]: "pppol2tp"
NetworkManager[14698]: xl2tpd[14698]: "7"
NetworkManager[14698]: xl2tpd[14698]: "passive"
NetworkManager[14698]: xl2tpd[14698]: "nodetach"
NetworkManager[14698]: xl2tpd[14698]: ":"
NetworkManager[14698]: xl2tpd[14698]: "file"
NetworkManager[14698]: xl2tpd[14698]: "/run/nm-l2tp-02d5b3b8-69a3-4ab3-8f8b-77cb9e69eaef/ppp-options"
pppd[14699]: Plugin pppol2tp.so loaded.
pppd[14699]: Plugin /usr/lib/pppd/2.4.9/nm-l2tp-pppd-plugin.so loaded.
pppd[14699]: pppd 2.4.9 started by root, uid 0
pppd[14699]: Using interface ppp0
pppd[14699]: Connect: ppp0 <-->
pppd[14699]: Overriding mtu 1500 to 1400
pppd[14699]: Overriding mru 1500 to mtu value 1400
NetworkManager[924]: <info>  [1727270551.3693] manager: (ppp0): new Ppp device (/org/freedesktop/NetworkManager/Devices/11)
pppd[14699]: CHAP authentication succeeded
charon[14652]: 04[KNL] 192.168.129.24 appeared on ppp0
charon[14652]: 13[KNL] 192.168.129.24 disappeared from ppp0
charon[14652]: 10[KNL] 192.168.129.24 appeared on ppp0
pppd[14699]: local  IP address 192.168.129.24
pppd[14699]: remote IP address 192.168.29.5
charon[14652]: 12[KNL] interface ppp0 activated
pppd[14699]: primary   DNS address 192.168.29.5
NetworkManager[924]: <info>  [1727270551.5603] device (ppp0): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')
NetworkManager[924]: <info>  [1727270551.5611] device (ppp0): state change: unavailable -> disconnected (reason 'none', sys-iface-state: 'external')
dbus-daemon[864]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.13' (uid=0 pid=924 comm="/usr/sbin/NetworkManager --no-daemon" label="unconfined")
systemd[1]: Starting NetworkManager-dispatcher.service - Network Manager Script Dispatcher Service...
dbus-daemon[864]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
systemd[1]: Started NetworkManager-dispatcher.service - Network Manager Script Dispatcher Service.
NetworkManager[924]: <info>  [1727270551.6066] policy: set 'VPN 1' (ppp0) as default for IPv4 routing and DNS
systemd-resolved[847]: enx328d0f8f4c2c: Bus client set default route setting: no
systemd-resolved[847]: enx328d0f8f4c2c: Bus client reset DNS server list.
systemd-resolved[847]: ppp0: Bus client set default route setting: yes
systemd-resolved[847]: ppp0: Bus client set DNS server list to: 192.168.29.5
systemd[1]: NetworkManager-dispatcher.service: Deactivated successfully.

server:

ipsec: 06[IKE] received XAuth vendor ID 
ipsec: 06[IKE] received DPD vendor ID 
ipsec: 06[IKE] received FRAGMENTATION vendor ID 
ipsec: 06[IKE] received NAT-T (RFC 3947) vendor ID 
ipsec: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID 
ipsec: 06[IKE] 178.163.181.198 is initiating a Main Mode IKE_SA 
ipsec: 06[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 
ipsec: 06[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_768, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_768, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_768, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/ECP_384, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/ECP_256, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_768, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:DES_CBC/HMAC_SHA1_96/PRF [...]
ipsec: 06[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 
ipsec: 06[IKE] sending DPD vendor ID 
ipsec: 06[IKE] sending FRAGMENTATION vendor ID 
ipsec: 06[IKE] sending NAT-T (RFC 3947) vendor ID 
ipsec: 14[IKE] remote host is behind NAT 
ipsec: 14[IKE] linked key for crypto map '(unnamed)' is not found, still searching 
ipsec: 05[CFG] looking for pre-shared key peer configs matching {VPN_SERVER_IP}...178.163.181.198[192.168.228.213] 
ipsec: 05[CFG] selected peer config "VPNL2TPServer" 
ipsec: 05[IKE] IKE_SA VPNL2TPServer[5026] established between {VPN_SERVER_IP}[{VPN_SERVER_IP}]...178.163.181.198[192.168.228.213] 
ipsec: 03[CFG] received proposals: ESP:AES_CBC=256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ 
ipsec: 03[CFG] configured proposals: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=128/HMAC_SHA2_256_128/NO_EXT_SEQ 
ipsec: 03[CFG] selected proposal: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ 
ipsec: 03[IKE] received 3600s lifetime, configured 0s 
ipsec: 10[IKE] CHILD_SA VPNL2TPServer{9382} established with SPIs c37d00ae_i c4ef4eb3_o and TS {VPN_SERVER_IP}/32[udp/l2tp] === 178.163.181.198/32 
ndm: IpSec::CryptoMapInfo: "VPNL2TPServer": IPsec connection to L2TP/IPsec server from "178.163.181.198" is established. 
ndm: IpSec::Netfilter: start reloading netfilter configuration... 
ndm: IpSec::Netfilter: netfilter configuration reloading is done. 
ppp-l2tp: l2tp: new tunnel 816-495 created following reception of SCCRQ from 178.163.181.198:47180 
ppp-l2tp: l2tp tunnel 816-495 (178.163.181.198:47180): established at {VPN_SERVER_IP}:1701 
ppp-l2tp: l2tp tunnel 816-495 (178.163.181.198:47180): new session 34674-20076 created following reception of ICRQ 
ppp-l2tp: ppp5:: connect: ppp5 <--> l2tp(178.163.181.198:47180 session 816-495, 34674-20076) 
ppp-l2tp: ppp5:krivenya_a: krivenya_a: authentication succeeded 
kernel: l2tp4: renamed from ppp5
ppp-l2tp: l2tp4:krivenya_a: session started over l2tp session 816-495, 34674-20076 
ndm: IpSec::CryptoMapInfo: "VPNL2TPServer": L2TP/IPsec client "krivenya_a" connected from "178.163.181.198" with address "192.168.129.24". 

[tomparkin]

Apologies for the delay!

This line from the server looks concerning:

ppp-l2tp: l2tp tunnel 29169-36052 (46.216.28.185:41500): discarding out of order message (packet Ns/Nr: 17062/35813, tunnel Ns/Nr: 35813/125, tunnel reception window size: 1024 bytes)

This implies that the packet is somehow mangled or there is some kind of confused state as the Ns/Nr values are mismatching.

The reported values for the tunnel are also much higher than I'd expect to see this early in trying to establish a connection.

Could I ask what's running on the server side? Possibly I could set up a test environment to investigate further.

[amkrivenya]

Server is running on Keenetic Peak KN-2710

[dkosovic]

For laughs, I fed the 3 logs to GitHub Copilot Pro, it came back with the following. It mentions an inconsistent source IP address, not sure if that is the issue.

Debugging kl2tpd Connection Failures

Problem Description

User reports that kl2tpd fails to connect to their VPN server, but xl2tpd works fine.
The error shows that SCCRQ messages are sent but no SCCRP response is received.

ROOT CAUSE IDENTIFIED

Server logs reveal the critical issue:

Server-Side Evidence:

ipsec: 05[IKE] CHILD_SA established with SPIs c7800163_i ca5d3973_o 
and TS {VPN_SERVER_IP}/32[udp/l2tp] === 178.163.181.198/32

ipsec: 09[IKE] received DELETE for ESP CHILD_SA with SPI ca5d3973
ipsec: 09[IKE] closing CHILD_SA with SPIs c7800163_i (192 bytes) ca5d3973_o (0 bytes)

ppp-l2tp: l2tp tunnel 29169-36052 (46.216.28.185:41500): discarding out of order message

The Problem:

1. IPsec Policy Mismatch Due to Source IP Change:

   • IPsec SA established for traffic: {VPN_SERVER_IP}/32 ↔ 178.163.181.198/32
   • L2TP packet arrives from: 46.216.28.185:41500 (different IP!)
   • Packet doesn't match IPsec traffic selector
   • Gets sent in cleartext or to wrong tunnel

2. Why Different Source IPs:

   • Client behind NAT: 192.168.228.144 → external IP 178.163.181.198
   • When kl2tpd binds to 0.0.0.0:0, NAT might translate differently
   • L2TP packets appear from different IP: 46.216.28.185
   • This breaks IPsec policy matching!

3. Evidence from Byte Counts:

   • Inbound: 192 bytes (only the SCCRQ attempts)
   • Outbound: 0 bytes (server sent nothing)
   • Server never saw encrypted packets, only cleartext from wrong IP

Root Cause:

Binding to 0.0.0.0:0 causes NAT/routing to assign different source IP than IPsec negotiation used, breaking IPsec policy matching. Packets are sent unencrypted or matched to wrong tunnel and discarded.

Why xl2tpd Works

xl2tpd likely doesn't bind to 0.0.0.0:0 at all, or binds differently, ensuring:

1. Consistent source IP - Same IP for IPsec and L2TP packets
2. Proper IPsec policy matching - All packets get ESP-encapsulated
3. No NAT translation differences - Single, consistent source IP through NAT

Immediate Workaround for Client

Option 1: Clear server-side tunnel state

On the VPN server, restart the L2TP service to clear stale tunnels.

Option 2: Wait between connection attempts

Ensure sufficient time (30-60 seconds) between disconnecting and reconnecting to allow
server-side tunnel cleanup.

Option 3: Use unique tunnel IDs

This is already implemented (random IDs), but stale state causes collisions.

Questions for Client

1. Does the issue happen on FIRST connection or only on RECONNECTION?

   • If only reconnection: It's a cleanup issue
   • If first connection: Server has very old stale state

2. Check server logs for tunnel cleanup:

   # On server, look for StopCCN or tunnel deletion messages
   grep -i "stopccn\|tunnel.*clos\|tunnel.*delet" /var/log/syslog

3. Verify kl2tpd sends StopCCN on disconnect:

   • Check kl2tpd logs when disconnecting
   • Should see "sending StopCCN" or similar

Code Analysis

Current kl2tpd Tunnel Cleanup

kl2tpd DOES send StopCCN when closing (verified in code), but:

• If server isn't responding to SCCRQ, it won't respond to StopCCN either
• Server is left with stale tunnel state
• Next connection attempt matches the stale tunnel and packets are rejected

The Actual Issue in Detail

From server logs:

ipsec: 05[IKE] CHILD_SA VPNL2TPServer{9344} established with SPIs c7800163_i ca5d3973_o 
      and TS {VPN_SERVER_IP}/32[udp/l2tp] === 178.163.181.198/32
ipsec: 09[IKE] received DELETE for ESP CHILD_SA with SPI ca5d3973
ipsec: 09[IKE] closing CHILD_SA VPNL2TPServer{9344}
ipsec: 08[IKE] received DELETE for IKE_SA VPNL2TPServer[5016]
ipsec: 08[IKE] deleting IKE_SA VPNL2TPServer[5016]
ppp-l2tp: l2tp tunnel 29169-36052 (46.216.28.185:41500): discarding out of order message

Timeline:

1. IPsec SA established successfully between server and client 178.163.181.198
2. IPsec SA gets DELETED (client sent DELETE)
3. After IPsec deletion, L2TP packets arrive and are rejected

This means:

• kl2tpd establishes IPsec
• kl2tpd tries to send L2TP SCCRQ
• Something tears down the IPsec SA before/during L2TP communication
• L2TP packets then arrive without IPsec or to wrong tunnel