IPSec/L2TP with pfSense 2.2
-
It's connecting, but I'm having no success passing traffic. As the connection is established I am getting the following log entry:
charon: 09[KNL] can't install route for (device WAN IP)/32|/0[udp/(random port)] === (pfSense WAN IP)/32|/0[udp/l2f] in, conflicts with IKE traffic
Not sure if that is related, or if it is a separate config issue. I have IPsec and L2TP rules to pass all traffic, and WAN rules to pass UDP 1701, 500, and 4500. Right now I am troubleshooting with iOS 8.1 but I am in the process of setting up a Windows 7 laptop to continue troubleshooting.
-
Normally your phase2 should be only for port of L2TP traffic.
-
Some of this has probably changed since the last time I tried it, but here is how I had it working before:
-
Create mobile IPsec P1 as usual, but use Mutual PSK, no xauth – MAIN mode, not aggressive, disable mobile options for IP assignment and network supply
-
Add P2 for transport mode, aes 128+sha1, etc.
-
On Pre-Shared Keys tab, add "allusers" PSK with the desired secret.
-
Setup L2TP, add L2TP users
-
Setup client, server IP = WAN IP, account = L2TP user, password = L2TP password, Secret = IPsec allusers PSK
-
Add a system tunable net.inet.ipsec.filtertunnel=1 (this may not be required any longer)
-
Put the rules on the WAN interface and the IPsec tab (ditto, may not be required now, might just be IPsec tab)
Jimp, On your first point, please define "as usual".
Also, in phase1 setup, it asks for a PSK. What is supposed to go here, the same as the "allusers" PSK?
-
I have done all of this. Unable to connect from my iPhone 5s, running iOS 8.1. Error message on the phone is: The L2TP-VPN server did not respond.
Excerpt from General System Log:
Oct 28 12:27:08 ipsec_starter[76515]: configuration 'con1' unrouted
Oct 28 12:27:08 ipsec_starter[76515]:
Oct 28 12:27:08 ipsec_starter[76515]: notifying watcher failed: Bad file descriptor
Oct 28 12:27:08 ipsec_starter[76515]: notifying watcher failed: Bad file descriptor
Oct 28 12:27:08 ipsec_starter[76515]: notifying watcher failed: Bad file descriptor
Oct 28 12:27:08 ipsec_starter[76515]: 'con1' routed
Oct 28 12:27:08 ipsec_starter[76515]:
Oct 28 12:27:08 ipsec_starter[76515]: notifying watcher failed: Bad file descriptor
Oct 28 12:27:08 check_reload_status: Reloading filter
Again, but from ipsec log:
Oct 28 12:27:08 charon: 02[CFG] added configuration 'con1'
Oct 28 12:27:08 charon: 02[CFG] received stroke: route 'con1'
Oct 28 12:27:19 charon: 13[NET] received packet: from (remote ip)[22966] to (pfsense ip)[500] (500 bytes)
Oct 28 12:27:19 charon: 13[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Oct 28 12:27:19 charon: 13[IKE] <21> no IKE config found for (pfsense ip)...(remote ip), sending NO_PROPOSAL_CHOSEN
Oct 28 12:27:19 charon: 13[IKE] no IKE config found for (pfsense ip)...(remote ip), sending NO_PROPOSAL_CHOSEN
Oct 28 12:27:19 charon: 13[ENC] generating INFORMATIONAL_V1 request 1726922153 [ N(NO_PROP) ]
Oct 28 12:27:19 charon: 13[NET] sending packet: from (pfsense ip)[500] to (remote ip)[22966] (40 bytes)
Oct 28 12:27:22 charon: 13[NET] received packet: from (remote ip)[22966] to (pfsense ip)[500] (500 bytes)
Oct 28 12:27:22 charon: 13[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Oct 28 12:27:22 charon: 13[IKE] <22> no IKE config found for (pfsense ip)...(remote ip), sending NO_PROPOSAL_CHOSEN
Oct 28 12:27:22 charon: 13[IKE] no IKE config found for (pfsense ip)...(remote ip), sending NO_PROPOSAL_CHOSEN
Oct 28 12:27:22 charon: 13[ENC] generating INFORMATIONAL_V1 request 3340988032 [ N(NO_PROP) ]
Oct 28 12:27:22 charon: 13[NET] sending packet: from (pfsense ip)[500] to (remote ip)[22966] (40 bytes)
Oct 28 12:27:26 charon: 13[NET] received packet: from (remote ip)[22966] to (pfsense ip)[500] (500 bytes)
Oct 28 12:27:26 charon: 13[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Oct 28 12:27:26 charon: 13[IKE] <23> no IKE config found for (pfsense ip)...(remote ip), sending NO_PROPOSAL_CHOSEN
Oct 28 12:27:26 charon: 13[IKE] no IKE config found for (pfsense ip)...(remote ip), sending NO_PROPOSAL_CHOSEN
Oct 28 12:27:26 charon: 13[ENC] generating INFORMATIONAL_V1 request 2734004407 [ N(NO_PROP) ]
Oct 28 12:27:26 charon: 13[NET] sending packet: from (pfsense ip)[500] to (remote ip)[22966] (40 bytes)
Oct 28 12:27:29 charon: 13[NET] received packet: from (remote ip)[22966] to (pfsense ip)[500] (500 bytes)
Oct 28 12:27:29 charon: 13[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Oct 28 12:27:29 charon: 13[IKE] <24> no IKE config found for (pfsense ip)...(remote ip), sending NO_PROPOSAL_CHOSEN
Oct 28 12:27:29 charon: 13[IKE] no IKE config found for (pfsense ip)...(remote ip), sending NO_PROPOSAL_CHOSEN
Oct 28 12:27:29 charon: 13[ENC] generating INFORMATIONAL_V1 request 318914860 [ N(NO_PROP) ]
Oct 28 12:27:29 charon: 13[NET] sending packet: from (pfsense ip)[500] to (remote ip)[22966] (40 bytes)
Oct 28 12:34:15 charon: 13[NET] received packet: from (remote ip)[22966] to (pfsense ip)[500] (500 bytes)
Oct 28 12:34:15 charon: 13[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Oct 28 12:34:15 charon: 13[IKE] <25> no IKE config found for (pfsense ip)...(remote ip), sending NO_PROPOSAL_CHOSEN
Oct 28 12:34:15 charon: 13[IKE] no IKE config found for (pfsense ip)...(remote ip), sending NO_PROPOSAL_CHOSEN
Oct 28 12:34:15 charon: 13[ENC] generating INFORMATIONAL_V1 request 2414807965 [ N(NO_PROP) ]
Oct 28 12:34:15 charon: 13[NET] sending packet: from (pfsense ip)[500] to (remote ip)[22966] (40 bytes)
Oct 28 12:34:18 charon: 13[NET] received packet: from (remote ip)[22966] to (pfsense ip)[500] (500 bytes)
Oct 28 12:34:18 charon: 13[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Oct 28 12:34:18 charon: 13[IKE] <26> no IKE config found for (pfsense ip)...(remote ip), sending NO_PROPOSAL_CHOSEN
Oct 28 12:34:18 charon: 13[IKE] no IKE config found for (pfsense ip)...(remote ip), sending NO_PROPOSAL_CHOSEN
Oct 28 12:34:18 charon: 13[ENC] generating INFORMATIONAL_V1 request 639189084 [ N(NO_PROP) ]
Oct 28 12:34:18 charon: 13[NET] sending packet: from (pfsense ip)[500] to (remote ip)[22966] (40 bytes)
Oct 28 12:34:21 charon: 13[NET] received packet: from (remote ip)[22966] to (pfsense ip)[500] (500 bytes)
Oct 28 12:34:21 charon: 13[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Oct 28 12:34:21 charon: 13[IKE] <27> no IKE config found for (pfsense ip)...(remote ip), sending NO_PROPOSAL_CHOSEN
Oct 28 12:34:21 charon: 13[IKE] no IKE config found for (pfsense ip)...(remote ip), sending NO_PROPOSAL_CHOSEN
Oct 28 12:34:21 charon: 13[ENC] generating INFORMATIONAL_V1 request 3137640312 [ N(NO_PROP) ]
Oct 28 12:34:21 charon: 13[NET] sending packet: from (pfsense ip)[500] to (remote ip)[22966] (40 bytes)
Oct 28 12:34:25 charon: 13[NET] received packet: from (remote ip)[22966] to (pfsense ip)[500] (500 bytes)
Oct 28 12:34:25 charon: 13[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Oct 28 12:34:25 charon: 13[IKE] <28> no IKE config found for (pfsense ip)...(remote ip), sending NO_PROPOSAL_CHOSEN
Oct 28 12:34:25 charon: 13[IKE] no IKE config found for (pfsense ip)...(remote ip), sending NO_PROPOSAL_CHOSEN
Oct 28 12:34:25 charon: 13[ENC] generating INFORMATIONAL_V1 request 270404347 [ N(NO_PROP) ]
Oct 28 12:34:25 charon: 13[NET] sending packet: from (pfsense ip)[500] to (remote ip)[22966] (40 bytes)
-
@tcw:
It's connecting, but I'm having no success passing traffic. As the connection is established I am getting the following log entry:
charon: 09[KNL] can't install route for (device WAN IP)/32|/0[udp/(random port)] === (pfSense WAN IP)/32|/0[udp/l2f] in, conflicts with IKE traffic
Not sure if that is related, or if it is a separate config issue. I have IPsec and L2TP rules to pass all traffic, and WAN rules to pass UDP 1701, 500, and 4500. Right now I am troubleshooting with iOS 8.1 but I am in the process of setting up a Windows 7 laptop to continue troubleshooting.
I was getting these messages in my log file, until I realized that after creating the initial section in VPN->IPSec, there appears a sub-section. Click the Plus (+) sign, next to "Show 0 Phase-2 entries", then create a Phase-2 entry.
-
Jimp, On your first point, please define "as usual".
Usual is: https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0
-
I think I almost have it!
Getting no proposal found in my pfsense logs for IPSec. Would this cause an issue?
Specifics are:
charon: 11[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
charon: 11[CFG] configured proposals: IKE:AES_GCM_16_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon: 11[IKE] <111> no proposal found
charon: 11[IKE] no proposal found
charon: 11[ENC] generating INFORMATIONAL_V1 request 1347464895 [ N(NO_PROP) ]
-
If you look, your configured settings for encryption and hash do not line up with what the client is requesting. Change your settings to match any one of the received proposals and it may work.
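As an added illustration (not code from this thread or from pfSense), the following Python script parses the two charon CFG lines quoted in the post above and reports which client-offered IKE proposal, if any, the server configuration would accept; the sample lines are copied from that post, and the function names are my own.

```python
# Constructed sample input: the "received" and "configured" lines from the post.
RECEIVED_LINE = ("charon: 11[CFG] received proposals: "
                 "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
                 "IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, "
                 "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
                 "IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, "
                 "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
                 "IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024")
CONFIGURED_LINE = ("charon: 11[CFG] configured proposals: "
                   "IKE:AES_GCM_16_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024")

COMPONENTS = ("encryption", "integrity", "prf", "dh_group")


def parse_proposals(line):
    """Return the (enc, integ, prf, dh) tuples listed on a charon CFG line."""
    _, _, body = line.partition("proposals:")
    proposals = []
    for item in body.split(","):
        item = item.strip()
        if not item.startswith("IKE:"):
            continue
        parts = item[len("IKE:"):].split("/")
        if len(parts) == 4:
            proposals.append(tuple(parts))
    return proposals


def matching_proposals(received_line, configured_line):
    """Client proposals that match a configured proposal on all four parts.

    An empty result is what produces "no proposal found" in the log."""
    configured = set(parse_proposals(configured_line))
    return [p for p in parse_proposals(received_line) if p in configured]


def explain_mismatch(received_line, configured_line):
    """Per component, the values the client offered but the server lacks.

    This points at which setting (encryption, hash, DH group) to change."""
    received = parse_proposals(received_line)
    configured = parse_proposals(configured_line)
    missing = {}
    for idx, name in enumerate(COMPONENTS):
        offered = {p[idx] for p in received}
        accepted = {p[idx] for p in configured}
        missing[name] = sorted(offered - accepted)
    return missing


if __name__ == "__main__":
    print("matches:", matching_proposals(RECEIVED_LINE, CONFIGURED_LINE))
    print("missing:", explain_mismatch(RECEIVED_LINE, CONFIGURED_LINE))
```

Run against the quoted lines it reports no match and shows that only the encryption algorithm (AES-GCM on the server, CBC ciphers from the client) differs, which is the change the reply above recommends.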
-
Thanks to this thread, I've gotten IPsec/L2TP working to the point that clients connect and can talk to devices on the LAN. The only thing I haven't figured out is that clients can't connect to the internet. I have allow all rules set for IPsec and L2TP VPN. I have OpenVPN setup and working just fine, but I just can't figure this last bit out for IPsec/L2TP. Any help would be awesome and appreciated!
-
Check your outbound NAT settings. If the L2TP subnet is not listed in the automatic NAT list, switch to hybrid mode and add a rule to do outbound NAT for the L2TP subnet.
-
That was it! I had it set to manual, and forgot about making the rule for that subnet. Thanks jimp!
-
@mrhanman - could you post some screen shots of your working config? It would be MUCH appreciated. Or even a description of the setup in detail? I'm banging my head on the wall. Thanks!
-
Ok. I got past that, now I'm getting this repeatedly:
charon: 08[IKE] <con1|1> received retransmit of request with ID 0, retransmitting response
charon: 08[IKE] received retransmit of request with ID 0, retransmitting response
Could some wise Guru point me in the direction I need to travel to obtain enlightenment on this subject?
-
Make sure you're connecting from a remote test location and not inside the LAN.
Also make sure your IPsec rules are set correctly to allow the L2TP traffic.
-
Is there an easy way to config an opt interface as an external (i.e. remote) connection so I can test without having to drive to Starbucks? Since you can't test from inside the LAN this is a PITA to test.
-
No. It must be tested from something outside completely separate from the firewall. If you have a second IP address on one of your WANs and another firewall/router you could connect from that so long as it's not on any other segment but WAN.
Connecting from a cell phone over 3G/4G is typically the easiest way to test, most phones have an L2TP+IPsec client.
-
This works, however, it doesn't work using L2TP/IPsec + Duo Security 2FA…
Something about the authentication mechanism that LDAP sends to the RADIUS proxy.
You get the error "Missing or improperly-formatted password". If you point it at a regular RADIUS server, however, it works just fine.
One thing I found that has to be very specific is the IPsec PSK.
This Identifier has to be set specifically to "allusers" then the PSK of your choosing. If you set the identifier to some random word it doesn't work.
-
So far I have no luck, but I got some clues:
The page in pfSense where you add the Pre-Shared Keys says that the alluser account is named any/ANY - that's wrong. It is "allusers".
When creating the Phase 1 from the mobile users page it makes an aggressive mode config - you can change that to main mode, but you can't change it back (you can select it, but it gets ignored) - never mind, as you want to use main mode…
On android, DO NOT USE AN IPSEC IDENTIFIER. Why capital? Because if you do it uses aggressive mode, if you leave it empty it uses main mode
On the shell you don't see any traffic on enc0. That's because the sysctl variables net.enc.in.ipsec_bpf_mask and net.enc.in.ipsec_bpf_mask might not be as desired... I could not figure out if they are wrong, but at least when changing them I see traffic on enc0 and get pf to log the traffic on the right interface.
My problem is, I see L2TP requests on the enc0 interface, but no answers. The L2TP logging is also empty in this regard. I believe somehow the traffic does not make it from the interface to the daemon....
I also noted that I have to unset "Provide virtual IP address" - it is a transport mode IPsec... and it causes "no child SA" errors during the connection (and fails)
Any hints are welcome....
-
I try the same with Android as client… the ciphers and hashes are different, but apart from that it is the same, see here: https://forum.pfsense.org/index.php?topic=83321.15
I believe I hit the exact same thing as this guy: http://lists.freebsd.org/pipermail/freebsd-questions/2013-December/254770.html
Unfortunately he never got a reply on how to fix it...
-
I've been playing with this all day, and have it working with both Windows 7 and OS X (Yosemite) clients.
My settings are as follows:
IPSec is enabled ;)
PHASE 1 SETTINGS
Phase 1 proposal (Authentication):
Authentication method: Mutual PSK
Negotiation mode: Main
My Identifier: My IP address
Phase 1 proposal (Algorithms):
Encryption algorithm: 3DES
Hash algorithm: SHA1
DH key group: 2 (1024 bit)
Lifetime: 28800 seconds
NOTE: there are other P1 algorithm combinations that will work, but this is the only combination that works for both Win7 and OS X
for example: AES256, SHA1, and DH 14 (2048 bit) also work for Windows 7, but not OS X
Advanced options:
Disable rekey is off
Disable reauth is off
NAT Traversal is Auto (this should only matter if your VPN SERVER itself is behind another nat)
Dead Peer Detection is enabled (but both Win 7 and OS X don't seem to support DPD)
PHASE 2 SETTINGS
Phase 2 settings are all the defaults except MODE which should be transport so:
MODE: Transport (this one f'd me up for a while, I kept setting it to tunnel)
Protocol: ESP
Encryption algorithms: AES (auto), Blowfish (auto), 3DES, CAST128 all checked (these are the defaults for P2)
Hash algorithms: MD5, SHA1 both checked (again this is the default)
PFS key group: off
Lifetime: 3600 seconds
On the mobile clients tab:
Enable IPsec mobile client support is checked
Everything else on this tab is unchecked
User Authentication is set to "Local Database" (which isn't actually used because Xauth isn't on in P1)
Group Authentication is set to none
On the Pre-Shared Keys tab:
Add a single PSK with the identifier "allusers", set this to something strong
Firewall NAT:
- No special NAT rules added, outbound NAT is automatic
Firewall rules:
- No special WAN rules added
- No IPSec rules added
- L2TP VPN, add a rule for the VPN traffic you want to allow. I have a "pass-everything" rule here. Note that if you add a rule, by default you get a pass all TCP rule, not a pass everything rule.
L2TP VPN setup: (These are my settings, tweak to meet your needs:)
L2TP server is Enabled
Interface: LAN
Remote address range: a range that is a subset of the LAN subnet, that starts on a /29 boundary. I picked 192.168.x.208
Subnet mask: /29
Number of l2tp users: 8
Secret: (blank)
Authentication type: CHAP
Server address: is the next IP outside the remote address range, 192.168.x.216 in my case.
The "secret" specified here is not the pre-shared key needed by the L2TP/IPSec clients. I'm not even sure this is used at all; I don't see this value being passed on to the mpd config file in any way.
The subnet mask and number of users seem redundant to me… L2TP is a PPP protocol so I'm not sure why there's a subnet mask at all. In my case I've picked /29 which corresponds to exactly 8 hosts matching my number of users, and made sure to start my range on a /29 boundary. The UI complains if you put the server address in the remote address range / subnet mask. But the mpd.conf file that's generated only cares about the number of L2TP users, it doesn't seem to matter what you put in the subnet.
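As an added example (my own code, not from the post or from pfSense), a small Python check of the L2TP address plan constraints the post above describes: the range start sits on the chosen subnet boundary, the user count fits that block, and the server address lies outside the range. The 192.168.1.x values are constructed stand-ins for the poster's 192.168.x.x, and the function names are my own.

```python
import ipaddress


def check_l2tp_plan(range_start, prefix_len, num_users, server_address):
    """Return a list of problems; an empty list means the plan is consistent.

    Mirrors the observations above: the range should start on a /prefix_len
    boundary, num_users should fit in that block, and the pfSense UI rejects a
    server address that falls inside the remote address range."""
    problems = []
    start = ipaddress.ip_address(range_start)
    block = ipaddress.ip_network(f"{start}/{prefix_len}", strict=False)
    if start != block.network_address:
        problems.append(f"range start {start} is not on a /{prefix_len} boundary "
                        f"(that block begins at {block.network_address})")
    if num_users > block.num_addresses:
        problems.append(f"{num_users} users do not fit in a /{prefix_len} block "
                        f"of {block.num_addresses} addresses")
    server = ipaddress.ip_address(server_address)
    if server in block:
        problems.append(f"server address {server} lies inside the range {block}")
    return problems


def client_pool(range_start, num_users):
    """Addresses handed to clients: num_users consecutive addresses from the
    range start. As the post notes, only the user count matters to mpd; the
    subnet mask plays no part here."""
    start = ipaddress.ip_address(range_start)
    return [str(start + i) for i in range(num_users)]


if __name__ == "__main__":
    # Constructed example matching the post's layout: /29 at .208, 8 users,
    # server at .216 (the first address after the range).
    print(check_l2tp_plan("192.168.1.208", 29, 8, "192.168.1.216"))  # []
    print(client_pool("192.168.1.208", 8))
```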