L2TP Server only allowing one VPN at a time
-
I'm using PFSense 2.6.0-RELEASE and trying to set up a bunch of IOT devices that connect to PFSense's L2TP VPN Server.
I initially tried with one device and that's been working well for a couple of weeks so ordered some more.
Unfortunately, one device connects fine but a second or third does not; whichever device I power up first gets the VPN but the others never do.
Watching the external interface with tcpdump, I can see all of the devices trying to connect but /var/log/l2tps.log never shows anything after the first device has connected.
I've set the number of L2TP users in the L2TP server configuration page to 253 and assigned specific IPs for each L2TP user.
I'm now kind of stuck with a pile of IOT devices that I can't use :(
Can anyone help and tell me how I can enable multiple simultaneous L2TP VPNs?
-
Are you actually using L2TP or L2TP over IPSec?
Are the IoT devices connecting from the same location?
You might be seeing a state conflict if they are?
Steve
-
@stephenw10 Most certainly L2TP with PAP/CHAP authentication all setup on PFSense's L2TP server config/L2TP users pages.
Yes the devices are all originating their connection to PFSense from the same IP/LNS but with different user credentials.
As I said each device will connect as long as there is not another one already connected.
FYI: I'm using these SIMs/Setup: https://www.aa.net.uk/voice-and-mobile/data-sims/relay-data-sims-your-own-network/
-
In the WAN pcap are they all trying to connect using the same source port?
Do you see only one state opened?
-
I have the same issue, the first L2TP connects , the rest can't.
I'm sure I was told that it won't be fixed. I'm now routing my L2TP connections out to the internet, off a Cisco ASA that doesn't have that issue.
/Bingo
-
@stephenw10 Yes same source port and no means to vary that.
On the states I'm not quite sure what I'm meant to be looking at (sorry for my ignorance).
PFSense's L2TP server is 10.0.1.254 and each device has an IP set in the L2TP users section within that /24 subnet.
With a device (10.0.1.167) connected but no traffic "pfctl -s state | grep l2" or "pfctl -s state | grep 10.0.1.167" show nothing.
If I ping the device "ping -c2 10.0.1.167 ; pfctl -s state | grep '10.0.1'" I get
all icmp 10.0.1.254:32860 -> 10.0.1.167:32860 0:0
all icmp 10.0.1.254:9987 -> 10.0.1.167:9987 0:0
for a short while (the ping does get a reply).
I have a tcpdump (tcpdump -A -i igb2 port 1701) and I can periodically see one of the other devices trying to connect but either don't get anything in pfctl or I'm missing it.
Again for the record, nothing gets appended to the /var/log/l2tps.log after the first device is connected. Should I be looking somewhere else?
I'm very happy to run tests/grab logs/tweak stuff as I really need to get this working.
Thanks in advance.
-
Hmm, so whatever these devices are connecting through is not under your control? And it's not randomising the source port? Which I assume is also 1701?
Are you running the L2TP server on WAN directly?
-
@stephenw10 Yes 1701 and No not under my control. All I get to setup on the LNS is the IP address to connect to and an ID (which PFSense doesn't use).
If you look at the diagram on this link: https://www.aa.net.uk/voice-and-mobile/data-sims/relay-data-sims-your-own-network/ I think that makes it clear.
The IOT device with one of these SIMs connects to the A&A LNS over the mobile network and that LNS connects to my PFSense L2TP server. The IOT device then authenticates with PAP/CHAP.
Yes I'm running the PFSense L2TP server on my WAN port. If it makes any difference I actually have two PFSense boxen in a CARP setup but on the PFSense L2TP server config page I can't pick the CARP WAN interface so I'm running it on igb2.
-
If it's any help, here's the setup page on the A&A LNS for each SIM.
-
Sorry to bug you but do you think there's any hope of getting this fixed/working?
If not I need to be looking for some alternate L2TP server as I'm under pressure to get this rolled out.
Thanks.
-
Sorry, we are flat out to get snapshots stable enough for public testing.
Just to be clear, each of these IoT devices has its own SIM/mobile connection? But they all come into pfSense using the same source IP and source port?
Steve
-
Got it in one :)
Yes, they each have a SIM and each connect over the mobile network to the A&A LNS. The A&A LNS then connects to PFSense on port 1701. The A&A LNS tends to use the same IP for every connection.
For the A&A LNS to PFSense L2TP connection I can set a hostname (aka login) and password (aka secret) for the L2TP connection as the screenshot shows although PFSense doesn't seem to use that info.
Each SIM also has a 'dialing number'/ICCID but again PFSense doesn't seem to make use of that.
-
Hmm, but it's the individual IoT devices making the L2TP connection to pfSense?
Not one L2TP tunnel that all the IoT devices use?
I'm unclear how this can possibly work in the first instance because with all clients using the same source address and port the L2TP server has no way to know what traffic to send to which client.
And I assume there must be some NAT happening somewhere since the IoT devices must at some level be using different IP addresses. How does that NAT device know which client to send packets to?
There must be something I'm not understanding here because I can't see how that could ever work.
-
Among ISPs (IMHO) A&A have got to be in the top 1%. It would definitely be worth giving their support a call about this.
But in addition to that overview diagram they have a load of detailed docs:
https://support.aa.net.uk/Category:L2TP_Handover
So in fact this is one L2TP tunnel with multiple ppp sessions across it.
I'm not sure if you can do that in pfSense directly. Not without some custom scripting perhaps.
I've never seen it done. But the first thing to try would be to make sure you have the same hostname set for all clients. The docs there show that will create a single tunnel with multiple sessions across it, which is what you need.
Steve
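To make the "one tunnel, multiple PPP sessions" point concrete, here is an added example (not from the thread or pfSense) that parses the L2TPv2 header from RFC 2661 and groups constructed sample packets by tunnel and session: packets sharing the LNS source IP and port 1701 are still told apart by the Tunnel ID and Session ID fields. The LNS address and the packets are constructed sample input; `build_l2tp` and `sessions_per_tunnel` are names chosen for this example.

```python
import struct
from collections import defaultdict


def build_l2tp(tunnel_id, session_id, body=b"", control=False):
    """Build a minimal L2TPv2 packet (constructed sample input, not captured traffic)."""
    if control:
        # T, L and S bits set (0xC800) + version 2; control messages carry Length, Ns, Nr.
        return struct.pack("!HHHHHH", 0xC802, 12 + len(body), tunnel_id, session_id, 0, 0) + body
    # Data message: only the version field set; body is the encapsulated PPP frame.
    return struct.pack("!HHH", 0x0002, tunnel_id, session_id) + body


def parse_l2tp(payload):
    """Parse an L2TPv2 header (RFC 2661 section 3.1) into its fixed fields."""
    if len(payload) < 6:
        raise ValueError("too short for an L2TP header")
    flags = struct.unpack("!H", payload[:2])[0]
    if flags & 0x000F != 2:
        raise ValueError("not L2TPv2")
    pos = 2
    if flags & 0x4000:                      # L bit: optional Length field
        pos += 2
    tunnel_id, session_id = struct.unpack("!HH", payload[pos:pos + 4])
    return {"control": bool(flags & 0x8000),  # T bit
            "tunnel_id": tunnel_id, "session_id": session_id}


def sessions_per_tunnel(packets):
    """Map (src_ip, src_port, tunnel_id) -> sorted session IDs seen in data packets."""
    seen = defaultdict(set)
    for src_ip, src_port, payload in packets:
        hdr = parse_l2tp(payload)
        if not hdr["control"] and hdr["session_id"] != 0:  # session 0 is tunnel-level
            seen[(src_ip, src_port, hdr["tunnel_id"])].add(hdr["session_id"])
    return {key: sorted(ids) for key, ids in seen.items()}


LNS = ("203.0.113.10", 1701)  # constructed: the single LNS source address seen on WAN
PPP_LCP = b"\xff\x03\xc0\x21"  # PPP address/control bytes followed by the LCP protocol ID
SAMPLE_PACKETS = [
    (*LNS, build_l2tp(7, 0, control=True)),  # tunnel control message, session 0
    (*LNS, build_l2tp(7, 1, PPP_LCP)),       # PPP session 1 inside tunnel 7
    (*LNS, build_l2tp(7, 2, PPP_LCP)),       # PPP session 2, same tunnel, same src IP/port
    (*LNS, build_l2tp(9, 1, PPP_LCP)),       # a second tunnel (e.g. a different hostname)
]

if __name__ == "__main__":
    for key, ids in sessions_per_tunnel(SAMPLE_PACKETS).items():
        print(f"{key[0]}:{key[1]} tunnel {key[2]} -> sessions {ids}")
```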
-
You Sir are a Genius a Gentleman and a Scholar!
Setting the hostname on the A&A SIM control page to the same for each device (well three so far but I'm excited and want to report back ASAP) works :-) :-) :-)
Never have thought of that in a million years.
Thanks muchly.
PS - Agree on A&A. Been using them for decades.
-
Awesome! Good to know that works. Let us know how it goes.
Steve
-
@bingo600 I'm wondering if you have found a solution to this? My problem is similar, only I use Clonezilla to clone my hdd with Debian 9 stretch; three of the clients can be working by getting their private IP. The others get a duplicate IP and I can't find any clue. Please let me know if you happen to know it.
-
Did you reply on the wrong thread? This looks completely unrelated (or spam).
Steve
-
@stephenw10
The answer to the clonezilla issue above has to be 42. And it could "smell" of a wrong thread or, as you mentioned, someone "upping" their post count, in order to .......
/Bingo
-
Sorry, I'm new to this forum. Could someone tell me where to put this issue so that I can find my solution? Thanks.