• Two tunnels into one subnet

    Locked
    1
    0 Votes
    1 Posts
    920 Views
    No one has replied
  • Network bridging layer 2 through IPsec net to net

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • L2TP information

    Locked
    3
    0 Votes
    3 Posts
    5k Views
    P

    Ok - thanks for the information.  I'm newish to L2TP/IPSec, but I think I understand what pfSense supports now and what it doesn't.

  • Help with site to site vpn

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    H

    Awesome.

    Thanks!

  • L2TP outbound - same as PPTP limitations

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ

    Probably because you're not really using L2TP, but L2TP+IPsec, and IPsec does static-port outbound NAT for udp/500, so the second client to try will probably fail.

    If the server doesn't mind a random source port, switch to manual outbound NAT and remove the static port rules for ISAKMP.
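
To make the collision jimp describes concrete, here is an added example (not pfSense code, and not from the thread) that models a pf-style outbound NAT state table for two LAN hosts starting IKE to the same server. IKE uses UDP source and destination port 500; with a static-port rule the translated source port stays 500, so the second host would need the same WAN-side tuple as the first and no state can be created. With port randomization each host gets its own ephemeral port. All addresses and ports are constructed for illustration.

```python
"""Model of pf outbound NAT with and without 'static-port' for ISAKMP.

Added example, not pfSense or pf source. Addresses are constructed:
WAN_IP is the firewall's public address, SERVER is the remote L2TP/IPsec
gateway, and the 192.168.1.x hosts are the two LAN clients.
"""
import random

ISAKMP = 500                  # udp/500, the port jimp refers to
WAN_IP = "203.0.113.10"       # constructed pfSense WAN address
SERVER = "198.51.100.5"       # constructed remote IPsec server


class NatTable:
    """Outbound NAT states keyed on the WAN-side tuple.

    pf must be able to map a reply arriving at (WAN_IP, wan_port) from
    (dst_ip, dst_port) back to exactly one LAN host, so that tuple has to
    be unique per state.
    """

    def __init__(self, static_port: bool, seed: int = 1):
        self.static_port = static_port
        self.rng = random.Random(seed)
        # (proto, wan_port, dst_ip, dst_port) -> (lan_ip, lan_port)
        self.states = {}

    def translate(self, lan_ip, lan_port, dst_ip, dst_port, proto="udp"):
        """Return the translated WAN source port, or None if no state fits."""
        if self.static_port:
            # static-port: keep the original source port unchanged.
            key = (proto, lan_port, dst_ip, dst_port)
            owner = self.states.get(key)
            if owner is not None and owner != (lan_ip, lan_port):
                # Same WAN tuple already owned by another LAN host:
                # replies could not be demultiplexed, so the state is refused.
                return None
            self.states[key] = (lan_ip, lan_port)
            return lan_port
        # Default behaviour: pick an unused ephemeral port for this destination.
        for _ in range(1000):
            wan_port = self.rng.randint(49152, 65535)
            key = (proto, wan_port, dst_ip, dst_port)
            if key not in self.states:
                self.states[key] = (lan_ip, lan_port)
                return wan_port
        return None

    def lookup_reply(self, wan_port, src_ip, src_port, proto="udp"):
        """Map an inbound reply to the LAN host that owns the state."""
        return self.states.get((proto, wan_port, src_ip, src_port))


def two_ike_clients(static_port: bool):
    """Two LAN hosts each send IKE (udp/500 -> udp/500) to the same server.

    Returns the WAN source ports assigned to the first and second client;
    None means the second state could not be created.
    """
    nat = NatTable(static_port)
    first = nat.translate("192.168.1.20", ISAKMP, SERVER, ISAKMP)
    second = nat.translate("192.168.1.21", ISAKMP, SERVER, ISAKMP)
    return first, second


if __name__ == "__main__":
    print("static-port :", two_ike_clients(True))    # second client fails
    print("randomized  :", two_ike_clients(False))   # both get distinct ports
```

The default static-port rule exists because some IKE peers insist on a source port of 500 when NAT traversal is not negotiated; removing it only helps when the remote server accepts IKE from an arbitrary source port, which is the condition jimp attaches to the advice.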

  • Site to site tunnels from remote office

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • How many remote gateways can be assigned in a single pfSense box

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    C

    You'll hit some kernel memory limits at some point but not sure what that point is (no one has ever gotten that high), into thousands for sure and maybe much higher.

  • FreeBSD IPsec HMAC_SHA256-512 support fixed to be RFC4868 compliant

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimpJ

    Yep. It may be worth a feature request in redmine to look into adding support for those to the GUI at some point though. Now that they are actually RFC compliant it may be useful to some people.

  • IPSEC tunnel failover in multi wan configurations possible?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimpJ

    There is an open feature request ticket:
    http://redmine.pfsense.org/issues/1965

    But there are no specific plans to make it happen in the near future. Unless someone submits a working patch, it's unlikely to be added in 2.1 at this point.

  • IPSEC to work with multiple VLANS

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IPSec tunnel up but can't access networks other than routers SOLVED

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    H

    Solved it by adding a Virtual IP (Proxy ARP) in pfsense on the LAN interface for the remote side network!

  • OSPF+GRE+CARP+IPSEC

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Site to Site Tunnel with MultiWan access on both sides

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimpJ

    If you can get the dyndns IP to follow the "active" wan then yes that would work.

  • IPSEC pfSense to Checkpoint FW - only access one way

    Locked
    3
    0 Votes
    3 Posts
    5k Views
    F

    @fsaltan:

    Hi all,

    I have a similar problem. I set up an IPsec VPN between pfSense and Checkpoint NGX R75.20, but I can't bring up the VPN connection. You can see my configuration below.


    And my IPsec logs are like below.

    How can I solve this problem?

  • How can I downgrade ipsec-tools to version 0.7.2 in pfSense 2

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    D

    ipsec-tools 0.7.2 is quite old. There have been a number of patches committed to ipsec-tools CVS since the release of ipsec-tools 0.8.0 a year ago, which may address the issues folks are seeing.

    The ipsec-tools repository is hosted at NetBSD:
    http://ftp.netbsd.org/pub/NetBSD/NetBSD-current/src/crypto/dist/ipsec-tools/

    and the latest sources used from the CVS repository:
    cvs -d anoncvs@anoncvs.netbsd.org:/cvsroot co ipsec-tools

    If anyone is considering building it for beta-testing, they should also apply any pfSense-specific patches:
    https://github.com/bsdperimeter/pfsense-tools/tree/master/pfPorts/ipsec-tools-devel

  • PfSense -> Cisco WRVS4400N

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    F

    I've checked out the bug reports and haven't found any information that helped.  I've also been through the recommendations listed on http://forum.pfsense.org/index.php?topic=46917.0.  Still haven't found anything that works.  While digging around and trying out different settings I have noticed a couple of other things though.

    When I tell Cisco wireless router to connect it shows a status of up. I can see the connection initialized in the IPsec logs on my pfSense box. But if I look in my state table I don't see the client listed as I do with my other VPN tunnels that are working. Also when looking under the system logs I see the following error "php: /vpn_ipsec.php: Could not determine VPN endpoint for 'Mobile Client Access'".

  • Overlapping networks on the remote site

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    D

    Generally speaking one option to resolve addressing conflicts would be to NAT before VPN.

  • IPSec VPN help

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Pfsense with Cisco 042 behind Sonicwall Router

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    A

    Post 'sainfo' section from your /var/etc/racoon.conf

  • IOS + RSA + xauth

    Locked
    10
    0 Votes
    10 Posts
    5k Views
    D

    According to a comment here, it works using ipsec-tools 0.8 and iOS 4 (his config is for Debian wheezy).

    Note: the comment was in German; translated below.

    Harry Comp says:
    13. November 2011 at 14:06

    Hello and thanks for the info.
    Unfortunately, essential parts about racoon and network planning are missing here on the internet.
    The CA part is also missing for me.
    For info, just send an email.
    I have a running instance and can only say that it was a long road to get there.
    The Enterprise Guide already gives some hints on certificate handling.
    That much can be said.

    Racoon:
    CA and CRL handling is missing.
    In the directory /etc/racoon/certs:
    CA: ln -s ca.crt $(openssl x509 -noout -subject_hash -in ca.crt).0
    CRL: ln -s crl.pem $(openssl crl -noout -hash -in crl.pem).r0
    The host key must not contain a password. (xca asks for one on export)
    Otherwise: openssl rsa -in host.key -out host.key.decr
    Then mv host.key.decr host.key (in the directory /etc/racoon/certs)
    What else has to be in the certs directory:
    ca.crt
    host.crt
    host.key
    crl.pem
    client key+crt (all clients)
    For cert handling I use xca (Debian package)
    racoon version 0.8.x (Debian wheezy)
    Regarding xca: please specify DNS:host.domain.com for Issuer and CA
    DNS should be resolvable in both directions. (See the Enterprise integration guide)

    iPhone with iOS 4+ only does AES 256 any more.
    Working demo config:

    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";

    log info;

    listen {
    isakmp 192.168.200.1 [500]; #IP of gentoo box
    isakmp_natt 192.168.200.1 [4500];
    adminsock disabled;
    }

    remote anonymous {
    exchange_mode main,aggressive;
    my_identifier asn1dn;
    verify_identifier on;
    certificate_type x509 "host.crt" "host.key";
    ike_frag on; # use IKE fragmentation
    proposal_check claim;
    passive on;
    support_proxy on;
    generate_policy on; # automatically generate IPsec policies
    nat_traversal force; # always use NAT-T
    dpd_delay 20; # DPD poll every 20 seconds
    proposal {
    encryption_algorithm aes 256;
    hash_algorithm sha1;
    authentication_method xauth_rsa_server;
    dh_group 5;
    }
    }

    sainfo anonymous {
    lifetime time 1 hour;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    }

    mode_cfg {
    auth_source pam; # validate logins against PAM
    pool_size 20; # size of the VPN IP pool: 20 addresses
    network4 192.168.1.100; # 1st address of VPN IPv4 pool
    netmask4 255.255.255.0;
    dns4 192.168.1.1; # IPv4 DNS server
    default_domain "domain.com";
    banner "/etc/racoon/motd";
    pfs_group 2;
    }

    Firewall arno-iptables-firewall:
    /etc/arno-iptables-firewall/plugins/ipsec-vpn.conf
    ENABLED=1
    IPSEC_VPN_NETS="0/0"
    IPSEC_ALLOWED_HOSTS="0/0"
    IPSEC_NAT_TRAVERSAL=1

    /etc/arno-iptables-firewall/debconf.cfg (excerpt)
    DC_INT_IF="eth0" #(LAN)
    DC_EXT_IF="eth2" #INTERNET INTERFACE (192.168.200.0/24)
    DC_INTERNAL_NET="192.168.1.0/24"
    DC_NAT_INTERNAL_NET="192.168.1.0/24"

    IPHONE:
    Configuration tool:
    VPN (CISCO)
    HOSTNAME: hostname as in the cert DNS:
    Account: fill in or not (as you like)
    Device auth: Cert
    Import cert (export the client certificate beforehand from xca as p12. Without cert chain!!!!)
    Assign a password. (In the config tool -> Cert, also enter the password used for the export)
    Enable On Demand if needed. (See Enterprise Guide page 36 for options)
    Hosts are matched from right to left.
    example.com therefore also matches test.intern.example.com
    Proxy: as you like.

    ATTENTION!!!!! (CA part, before the profile is loaded onto the iPhone)
    Make the CA cert available on a web server.
    On the iPhone, browse to the site via Safari.
    E.g. http://example.com/ca.crt
    Then install it.
    In the config tool a second profile then appears (under Devices)
    After that the VPN profile can be loaded onto the iPhone.
    With that, the iPhone trusts your client cert.
    Then browse to a page that matches the On Demand rule.
    Simply create the username/password on the host. (Via PAM; cp /etc/pam.d/sshd /etc/pam.d/racoon)
    Then it just works.

    Many thanks for your guide. It put me on the right track.

    Ciao
    Comp

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.