IPSec/L2TP with pfSense 2.2
-
No. It must be tested from something outside, completely separate from the firewall. If you have a second IP address on one of your WANs and another firewall/router, you could connect from that, so long as it's not on any other segment but WAN.
Connecting from a cell phone over 3G/4G is typically the easiest way to test, most phones have an L2TP+IPsec client.
-
This works; however, it doesn't work using L2TP/IPsec + Duo Security 2FA…
Something about the authentication mechanism that LDAP sends to the RADIUS proxy.
You get the error:
Missing or improperly-formatted password
If you point it at a regular RADIUS server, however, it works just fine.
One thing I found that has to be very specific is the IPsec PSK.
The Identifier has to be set specifically to "allusers", then the PSK of your choosing. If you set the identifier to some random word it doesn't work.
-
So far I have had no luck, but I got some clues:
The page in pfsense where you add the Pre-Shared keys says that the alluser account is named any/ANY - that's wrong. It is "allusers".
When creating the Phase 1 from the mobile users page it makes an aggressive mode config. You can change that to main mode, but you can't change it back (you can select it, but it gets ignored). Never mind, as you want to use main mode…
On android, DO NOT USE AN IPSEC IDENTIFIER. Why capital? Because if you do it uses aggressive mode, if you leave it empty it uses main mode
On the shell you don't see any traffic on enc0. That's because the sysctl variables net.enc.in.ipsec_bpf_mask and net.enc.in.ipsec_bpf_mask might not be as desired... I could not figure out if they are wrong, but at least when changing them I see traffic on enc0 and can get pf to log the traffic on the right interface.
My problem is, I see L2TP requests on the enc0 interface, but no answers. The L2TP logging is also empty in this regard. I believe somehow the traffic does not make it from the interface to the daemon....
I also noted that I have to unset "Provide virtual IP address". It is a transport mode IPsec... and it causes "no child SA" errors during the connection (and fails).
Any hints are welcome....
-
I tried the same with Android as client… the ciphers and hashes are different, but apart from that it is the same, see here: https://forum.pfsense.org/index.php?topic=83321.15
I believe I hit the exact same thing as this guy: http://lists.freebsd.org/pipermail/freebsd-questions/2013-December/254770.html
Unfortunately he never got a reply on how to fix it...
-
I've been playing with this all day, and have it working with both Windows 7 and OS X (Yosemite) clients.
My settings are as follows:
IPSec is enabled ;)
PHASE 1 SETTINGS
Phase 1 proposal (Authentication):
Authentication method: Mutual PSK
Negotiation mode: Main
My Identifier: My IP address
Phase 1 proposal (Algorithms):
Encryption algorithm: 3DES
Hash algorithm: SHA1
Dh key group: 2 (1024 bit)
Lifetime: 28800 seconds
NOTE: there are other P1 algorithm combinations that will work, but this is the only combination that works for both Win7 and OS X.
For example: AES256, SHA1, and DH 14 (2048 bit) also work for Windows 7, but not OS X.
Advanced options:
Disable rekey is off
Disable reauth is off
NAT Traversal is Auto (this should only matter if your VPN SERVER itself is behind another nat)
Dead Peer Detection is enabled (but both Win 7 and OS X don't seem to support DPD)
PHASE 2 SETTINGS
Phase 2 settings are all the defaults except MODE which should be transport so:
MODE: Transport (this one f'd me up for a while, I kept setting it to tunnel)
Protocol: ESP
Encryption algorithms: AES (auto), Blowfish (auto), 3DES, CAST128 all checked (these are the defaults for P2)
Hash algorithms: MD5, SHA1 both checked (again this is the default)
PFS key group: off
Lifetime: 3600 seconds
On the mobile clients tab:
Enable IPsec mobile client support is checked
Everything else on this tab is unchecked
User Authentication is set to "Local Database" (which isn't actually used because Xauth isn't on in P1)
Group Authentication is set to none
On the Pre-Shared Keys tab:
Add a single PSK with the identifier "allusers", set this to something strong
Firewall NAT:
- No special NAT rules added, outbound NAT is automatic
Firewall rules:
- No special WAN rules added
- No IPSec rules added
- L2TP VPN, add a rule for the VPN traffic you want to allow. I have a "pass-everything" rule here. Note that if you add a rule, by default you get a pass all TCP rule, not a pass everything rule.
L2TP VPN setup: (These are my settings, tweak to meet your needs:)
L2TP server is Enabled
Interface: LAN
Remote address range: a range that is a subset of the LAN subnet, that starts on a /29 boundary. I picked 192.168.x.208
Subnet mask: /29
Number of l2tp users: 8
Secret: (blank)
Authentication type: CHAP
Server address: is the next IP outside the remote address range, 192.168.x.216 in my case.
The "secret" specified here is not the pre-shared key needed by the L2TP/IPsec clients. I'm not even sure this is used at all; I don't see this value being passed on to the mpd config file in any way.
The subnet mask and number of users seem redundant to me… L2TP is a PPP protocol so I'm not sure why there's a subnet mask at all. In my case I've picked /29, which corresponds to exactly 8 hosts matching my number of users, and made sure to start my range on a /29 boundary. The UI complains if I put the server address in the remote address range / subnet mask. But the mpd.conf file that's generated only cares about the number of L2TP users; it doesn't seem to matter what you put in the subnet.
-
I've spent the whole day digging into this as well and had reached essentially the same configuration options as you, however, I still can't connect.
The IPsec piece seems to be working alright but nothing ever appears in the L2TP logs and the connection fails with "Error 809".
-
I get the same error code. I tried a number of different configurations and would get different error codes such as "789". There are some inconsistencies in terms of how L2TP / IPSEC should be configured. Some have set interface to LAN for L2TP while others say they set it to WAN.
Hopefully there will be a recommended / working configuration shortly.
Maybe some more context on LAN configuration e.g. IP subnet and such so we get a better idea how to configure L2TP? One of the configurations I tried did spawn child SA entry on IPSEC status page however I see out being zero. I already set the rule for L2TP VPN to allow any to any. I suspect it may have to do with IP / subnet we set for L2TP.
-
I have tried for several weeks off and on to get a stable working configuration for iOS devices to VPN back in using the built-in VPN client on iOS 8.1.2. At one point I could connect and browse LAN resources but never have I been able to pass traffic out to the Internet.
I would REALLY love it if someone could share a good, secure working config for iOS clients that passes all traffic, and allows access to local LAN resources as well as traffic out to the Internet.
Cheers!
-
I decided to try connecting via OSX and the configuration themaninblack describes worked fine. No luck with Windows 7, Windows 8.1 or Windows Phone 8.1, though. I did some research that implies this might be caused by Windows having poor NAT-T tolerance for L2TP+IPsec connections.
Hopefully the necessary IKEv2 components get integrated sooner rather than later as that would be a better solution for Windows clients than L2TP+IPsec anyway.
-
I've been playing with this all day, and have it working with both Windows 7 and OS X (Yosemite) clients.
My settings are as follows:
IPSec is enabled ;)
PHASE 1 SETTINGS
Phase 1 proposal (Authentication):
Authentication method: Mutual PSK
Negotiation mode: Main
My Identifier: My IP address
Does this mean that you had to enter your external client's IP as the Phase 1 Peer IP? Or did you put your external WAN IP as this identifier?
~~I feel like this is a stupid question I just asked; but I am trying to figure out how pfSense can operate identically to, say, a Cisco ASA or Windows server based VPN for Windows native clients. Having to enter in the IP of the connecting client is not feasible when dealing with external users, as they could be anywhere. So with v2.2, how do I set it up so that I can have a client connect from anywhere using their native clients on their devices?~~
I received my answer to this. The identifier is the firewall's IP address.
-
It seems I have IPSec part working but something is still wrong with L2TP part :(
The VPN client (iPad) gets the IP but cannot access resources on LAN.
Can someone share the working L2TP server config together with L2TP firewall rules?
I suspect something is wrong with LAN subnet, server address and VPN subnet combination.
Thanks!
EDIT
Some details about my setup:
local LAN 192.168.5.0/24
L2TP server interface is WAN as shown in https://doc.pfsense.org/index.php/L2TP/IPsec_on_Android
L2TP server ip 192.168.155.254
L2TP client subnet 192.168.155.0/24
In the log:
Jan 13 13:14:33 l2tps: [l2tp0] no interface to proxy arp on for 192.168.155.0
Jan 13 13:14:33 l2tps: [l2tp0] IFACE: Up event
Jan 13 13:14:33 l2tps: 192.168.155.254 -> 192.168.155.0
Jan 13 13:14:33 l2tps: [l2tp0] IPCP: LayerUp
Jan 13 13:14:33 l2tps: [l2tp0] IPCP: state change Ack-Rcvd --> Opened
Jan 13 13:14:33 l2tps: PRIDNS 192.168.5.1
Jan 13 13:14:33 l2tps: IPADDR 192.168.155.0
Jan 13 13:14:33 l2tps: [l2tp0] IPCP: SendConfigAck #3
Jan 13 13:14:33 l2tps: PRIDNS 192.168.5.1
Jan 13 13:14:33 l2tps: 192.168.155.0 is OK
Jan 13 13:14:33 l2tps: IPADDR 192.168.155.0
-
You probably have set up your L2TP wrongly, seeing that .0 IP assigned.
-
Changed client subnet, similar result:
Jan 14 03:10:06 l2tps: [l2tp0] no interface to proxy arp on for 192.168.155.16
Jan 14 03:10:06 l2tps: [l2tp0] IFACE: Up event
Jan 14 03:10:06 l2tps: 192.168.155.254 -> 192.168.155.16
Jan 14 03:10:06 l2tps: [l2tp0] IPCP: LayerUp
Jan 14 03:10:06 l2tps: [l2tp0] IPCP: state change Ack-Rcvd --> Opened
-
Same (or similar) issue as Andrew…
I followed themaninblack's config (except for IPSec phase 1 proposal, adjusted for my device)... The connection is being made without any problems. After connecting, I can ping, both LAN hosts and external hosts, DNS works as well (since it's from my pfSense box), but anything else seems to get lost, even webconfig access. I created an "allow all" firewall rule for L2TP, but the logs still show things being blocked... is there another rule I need to add somewhere?
Could it be blocking all TCP? If I set the DNS client on my phone to force TCP, nothing is able to resolve anymore.
EDIT: I noticed in themaninblack's post that he mentions...
- L2TP VPN, add a rule for the VPN traffic you want to allow. I have a "pass-everything" rule here. Note that if you add a rule, by default you get a pass all TCP rule, not a pass everything rule.
It seems like it's block all TCP, not pass all TCP. And it doesn't appear to be something I can remove as it doesn't show in the rules.
-
Probably you have to enable MSS clamping on your tunnel.
-
No change. TCP still being blocked, while UDP and ICMP go just fine.
-
virgiliomi,
you're still more lucky than me :)
I do not even see l2tp in the firewall log. Could you please share your working config not hiding the private addresses you use.
Thanks!
-
Basically, I followed themaninblack's config from earlier in this thread. The only changes I made are…
Phase 1 Algorithms:
Encryption: AES 256
Hash: SHA1
DH key group: 2 (1024 bit)
Phase 2 Proposal:
Encryption: Only AES checked, 256 bit selected
Hash: Only SHA1 checked
The IP addresses I used in L2TP settings are a subset of my LAN subnet, just as mentioned by themaninblack. My LAN is 192.168.1.1/24, my L2TP is 192.168.1.208/29 and my server address is 192.168.1.216. If I use addresses outside of my LAN subnet (i.e. 192.168.51.208/29 and 192.168.51.216) then I get ping responses, but no TCP or UDP traffic (so no DNS).
-
Looks like the rules are somehow not matching as expected. Maybe inbound L2TP traffic is actually bypassing pf and not receiving a state?
If you add a Floating rule (quick=checked, dir=out, interface=l2tp, source=any, destination=any, TCP Flags=Any Flags, State Type=Sloppy State) it works.
-
Yep, that rule definitely fixed it for me. Works much better now!
-
For those having trouble getting it going, I started from scratch and got this to work, pfSense 2.2 vs Windows 8.1 client:
https://doc.pfsense.org/index.php/L2TP/IPsec
-
OK, I've deleted my previous config and followed the guide. Result is the same:
IPsec:
Jan 21 01:57:26 charon: 08[KNL] 192.168.32.1 appeared on l2tp0
Jan 21 01:57:26 charon: 08[KNL] interface l2tp0 activated
L2TP:
Jan 21 01:57:26 l2tps: [l2tp0] rec'd unexpected protocol IP
Jan 21 01:57:26 l2tps: [l2tp0] no interface to proxy arp on for 192.168.32.128
Jan 21 01:57:26 l2tps: [l2tp0] IFACE: Up event
Jan 21 01:57:26 l2tps: 192.168.32.1 -> 192.168.32.128
Jan 21 01:57:26 l2tps: [l2tp0] IPCP: LayerUp
Jan 21 01:57:26 l2tps: [l2tp0] IPCP: state change Ack-Rcvd --> Opened
Jan 21 01:57:26 l2tps: PRIDNS 192.168.5.1
Jan 21 01:57:26 l2tps: IPADDR 192.168.32.128
Jan 21 01:57:26 l2tps: [l2tp0] IPCP: SendConfigAck #3
Jan 21 01:57:26 l2tps: PRIDNS 192.168.5.1
Jan 21 01:57:26 l2tps: 192.168.32.128 is OK
Jan 21 01:57:26 l2tps: IPADDR 192.168.32.128
Nothing in firewall log, cannot access LAN. Tested from iPad. pfsense on nanobsd.
-
I managed to get a connection and I'm able to browse LAN and internet from my iPhone (iOS 8.1.2) by following that guide, but I had to make the following modifications:
IPsec Phase 1:
- DH key group: 2 (1024)
~~Firewall - Rules, WAN tab
- see attached pic~~
(works without these rules)
Services - DNS Resolver - Access Lists
- allow 192.168.32.128/25
![Screenshot 2015-01-21 12.32.19.png](/public/imported_attachments/1/Screenshot 2015-01-21 12.32.19.png)
-
I managed to get a connection and I'm able to browse LAN and internet from my iPhone (iOS 8.1.2) by following that guide, but I had to make the following modifications:
I added those notes to https://doc.pfsense.org/index.php/L2TP/IPsec
-
Nothing in firewall log, cannot access LAN. Tested from iPad. pfsense on nanobsd.
What version of iOS? If you see anything at all in the L2TP log then the IPsec portion must be OK.
-
Services - DNS Resolver - Access Lists
- allow 192.168.32.128/25
This might be my issue - none of the guides I have seen so far have mentioned anything about DNS resolver…
-
What version of iOS? If you see anything at all in the L2TP log then the IPsec portion must be OK.
iOS 8.1.2
I mean the Firewall log has no records related to L2TP, but I do have something in both IPsec and L2TP logs, I mentioned this earlier in this thread.
Could it be related to the NanoBSD build?
-
Not likely related to NanoBSD, but it could be related to the client configuration and/or L2TP settings. I don't have any devices with iOS 7.x or 8.x to test. I could try 6.x but that may have other unrelated issues.
-
I don't think the client is guilty… I will try to find another client to test. This error, "[l2tp0] no interface to proxy arp on for 192.168.32.128", makes me suspicious regarding the L2TP server config or behavior.
Daemon is started as follows:
/usr/local/sbin/mpd4 -b -d /var/etc/l2tp-vpn -p /var/run/l2tp-vpn.pid -s l2tps l2tps
Configuration file /var/etc/l2tp-vpn/mpd.conf:
l2tps:
  load l2tp0
  load l2tp1
  load l2tp2
  load l2tp3
  load l2tp4
  load l2tp5
  load l2tp6
  load l2tp7
l2tp0:
  new -i l2tp0 l2tp0 l2tp0
  set ipcp ranges 192.168.32.1/32 192.168.32.128/32
  load l2tp_standard
l2tp1:
  new -i l2tp1 l2tp1 l2tp1
  set ipcp ranges 192.168.32.1/32 192.168.32.129/32
  load l2tp_standard
l2tp2:
  new -i l2tp2 l2tp2 l2tp2
  set ipcp ranges 192.168.32.1/32 192.168.32.130/32
  load l2tp_standard
l2tp3:
  new -i l2tp3 l2tp3 l2tp3
  set ipcp ranges 192.168.32.1/32 192.168.32.131/32
  load l2tp_standard
l2tp4:
  new -i l2tp4 l2tp4 l2tp4
  set ipcp ranges 192.168.32.1/32 192.168.32.132/32
  load l2tp_standard
l2tp5:
  new -i l2tp5 l2tp5 l2tp5
  set ipcp ranges 192.168.32.1/32 192.168.32.133/32
  load l2tp_standard
l2tp6:
  new -i l2tp6 l2tp6 l2tp6
  set ipcp ranges 192.168.32.1/32 192.168.32.134/32
  load l2tp_standard
l2tp7:
  new -i l2tp7 l2tp7 l2tp7
  set ipcp ranges 192.168.32.1/32 192.168.32.135/32
  load l2tp_standard
l2tp_standard:
  set bundle disable multilink
  set bundle enable compression
  set bundle yes crypt-reqd
  set ipcp yes vjcomp
  # set ipcp ranges 131.188.69.161/32 131.188.69.170/28
  set ccp yes mppc
  set iface disable on-demand
  set iface enable proxy-arp
  set iface up-script /usr/local/sbin/vpn-linkup
  set iface down-script /usr/local/sbin/vpn-linkdown
  set link yes acfcomp protocomp
  set link no pap chap
  set link enable chap
  set link keep-alive 10 180
  set ipcp dns 192.168.5.1
-
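An added example, not pfSense's own code and not posted in this thread, that models the mpd.conf shown above and the point made earlier about the L2TP server settings: mpd gets one "set ipcp ranges <server>/32 <client>/32" bundle per user, numbered upward from the start of the remote address range, so only the server address, the range start and the number of users reach mpd.conf, while the subnet mask is only used by the UI. The check_layout() function and its messages are this example's own; the conditions it checks are the ones reported in the thread (server address inside the client pool, a pool that does not fit the mask, a first client handed a .0 address, and whether the pool overlaps LAN and therefore relies on mpd's proxy-ARP).

```python
"""Model of how pfSense 2.2 turns the L2TP server settings into mpd.conf ranges.

Added example, not pfSense code. Reproduces the posted mpd.conf layout and
sanity-checks an address layout against the pitfalls seen in the thread.
"""
import ipaddress


def mpd_ranges(server, start, count):
    """Return (bundle, server/32, client/32) triples as the generated mpd.conf has them."""
    first = ipaddress.IPv4Address(start)
    return [(f"l2tp{i}", f"{server}/32", f"{first + i}/32") for i in range(count)]


def render_mpd(server, start, count, dns):
    """Render the l2tps/l2tpN sections; note that no subnet mask is involved."""
    ranges = mpd_ranges(server, start, count)
    lines = ["l2tps:"] + [f"\tload {bundle}" for bundle, _, _ in ranges]
    for bundle, srv, cli in ranges:
        lines += [f"{bundle}:",
                  f"\tnew -i {bundle} {bundle} {bundle}",
                  f"\tset ipcp ranges {srv} {cli}",
                  "\tload l2tp_standard"]
    # l2tp_standard is shared by every bundle; only the lines relevant here are shown.
    lines += ["l2tp_standard:",
              "\tset iface enable proxy-arp",
              f"\tset ipcp dns {dns}"]
    return "\n".join(lines)


def check_layout(server, start, mask_bits, count, lan_cidr):
    """Return {"problems": [...], "notes": [...]} for a proposed L2TP address layout."""
    srv = ipaddress.IPv4Address(server)
    first = ipaddress.IPv4Address(start)
    pool = ipaddress.ip_network(f"{start}/{mask_bits}", strict=False)
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    clients = [first + i for i in range(count)]   # exactly what mpd will hand out
    problems, notes = [], []
    if first != pool.network_address:
        problems.append(f"range start {first} is not on a /{mask_bits} boundary ({pool.network_address} is)")
    if count > pool.num_addresses:
        problems.append(f"{count} users do not fit in a /{mask_bits} ({pool.num_addresses} addresses)")
    if srv in pool:
        problems.append(f"server address {srv} lies inside the client pool {pool}")
    if int(first) & 0xFF == 0:
        problems.append(f"first client would be handed {first}, a .0 address")
    if all(c in lan for c in clients):
        notes.append(f"pool is inside LAN {lan}: mpd proxy-ARPs for the clients on the LAN interface")
    else:
        notes.append(f"pool is outside LAN {lan}: no proxy-ARP, LAN hosts reach the clients only by routing through the firewall")
    return {"problems": problems, "notes": notes}


if __name__ == "__main__":
    # Layout from the mpd.conf posted above (server .1, clients .128 to .135)
    print(render_mpd("192.168.32.1", "192.168.32.128", 8, "192.168.5.1"))
    # themaninblack's layout: pool carved out of LAN, server just past the pool
    print(check_layout("192.168.1.216", "192.168.1.208", 29, 8, "192.168.1.0/24"))
    # The layout that logged "IPADDR 192.168.155.0" earlier in the thread
    print(check_layout("192.168.155.254", "192.168.155.0", 24, 8, "192.168.5.0/24"))
```

render_mpd() deliberately takes no mask argument: feed it the three values mpd actually consumes and the output matches the posted file line for line, which is the quickest way to confirm a layout before looking at proxy-ARP or firewall rules.
-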
I don't think the client is guilty… I will try to find another client to test. This error - [l2tp0] no interface to proxy arp on for 192.168.32.128' - make me suspicious regarding the L2TP server config or behavior.
That is normal. It only comes into play if you make the client subnet overlap another interface such as LAN; then the firewall will proxy ARP for the overlapping addresses so the clients can function. It's not related to any problem.
-
Guys,
I have been playing with the latest build and trying to get this to work. These are the logs I get when trying to connect using Windows 7.
According to the IPsec logs I get this far and it just fails to connect:
Jan 22 03:50:05 charon: 09[IKE] <con1|24>CHILD_SA con1{24} established with SPIs c5c7bc2a_i 1c3b1126_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 03:50:05 charon: 09[IKE] CHILD_SA con1{24} established with SPIs c5c7bc2a_i 1c3b1126_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
If I connect using my iPhone 6, it connects and gets a proper IP address.
I can ping the phone from my network but cannot connect anywhere from the phone (DNS names or IP addresses).
I found an article on why Windows may not be connecting but haven't had any luck getting it to work:
AssumeUDPEncapsulationContextOnSendRule
http://support2.microsoft.com/?kbid=947234
It appears to be valid for Windows Vista - 8.
-
Jan 22 03:50:05 charon: 09[IKE] <con1|24>CHILD_SA con1{24} established with SPIs c5c7bc2a_i 1c3b1126_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 03:50:05 charon: 09[IKE] CHILD_SA con1{24} established with SPIs c5c7bc2a_i 1c3b1126_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
That means the IPsec portion connected. From there, look in the L2TP settings/logs.
-
I don't think the IPsec tunnel is completely working though.
I suspect it may be NAT-T related. On the Windows client it connects but never gets to the L2TP connection. It generates these logs and then drops with an 809 error.
Jan 22 09:13:19 charon: 09[IKE] <con1|27>closing CHILD_SA con1{27} with SPIs cb8d4f49_i (774 bytes) c223e6e8_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 09:13:19 charon: 09[IKE] closing CHILD_SA con1{27} with SPIs cb8d4f49_i (774 bytes) c223e6e8_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 09:13:19 charon: 15[IKE] <con1|27>Hash => 20 bytes @ 0x80d545540
Jan 22 09:13:19 charon: 15[IKE] <con1|27>0: 00 F2 7E 7F 5D 3A C0 86 3F D1 78 60 08 82 8B 6C ..~.]:..?.x`...l
Jan 22 09:13:19 charon: 15[IKE] <con1|27>16: C8 DD FE 22 ..."
Jan 22 09:13:19 charon: 15[IKE] Hash => 20 bytes @ 0x80d545540
Jan 22 09:13:19 charon: 15[IKE] 0: 00 F2 7E 7F 5D 3A C0 86 3F D1 78 60 08 82 8B 6C ..~.]:..?.x`...l
Jan 22 09:13:19 charon: 15[IKE] 16: C8 DD FE 22 ..."
Jan 22 09:13:19 charon: 15[IKE] <con1|27>received DELETE for IKE_SA con1[27]
Jan 22 09:13:19 charon: 15[IKE] received DELETE for IKE_SA con1[27]
Jan 22 09:13:19 charon: 15[IKE] <con1|27>deleting IKE_SA con1[27] between 162.217.144.166[162.217.144.166]...68.196.152.146[192.168.1.9]
Jan 22 09:13:19 charon: 15[IKE] deleting IKE_SA con1[27] between 162.217.144.166[162.217.144.166]...68.196.152.146[192.168.1.9]
Jan 22 09:13:19 charon: 15[IKE] <con1|27>IKE_SA con1[27] state change: ESTABLISHED => DELETING
Jan 22 09:13:19 charon: 15[IKE] IKE_SA con1[27] state change: ESTABLISHED => DELETING
Jan 22 09:13:19 charon: 15[IKE] <con1|27>IKE_SA con1[27] state change: DELETING => DELETING
Jan 22 09:13:19 charon: 15[IKE] IKE_SA con1[27] state change: DELETING => DELETING
Jan 22 09:13:19 charon: 15[IKE] <con1|27>IKE_SA con1[27] state change: DELETING => DESTROYING
Jan 22 09:13:19 charon: 15[IKE] IKE_SA con1[27] state change: DELETING => DESTROYING
-
Here is the complete log when the ipsec established but i see nothing on the l2tp side.
I have tried setting the NAT-T to force and auto.
Last 500 IPsec log entries
Jan 22 10:21:32 charon: 16[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Jan 22 10:21:32 charon: 16[IKE] <40> received NAT-T (RFC 3947) vendor ID
Jan 22 10:21:32 charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
Jan 22 10:21:32 charon: 16[IKE] <40> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 22 10:21:32 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 22 10:21:32 charon: 16[IKE] <40> received FRAGMENTATION vendor ID
Jan 22 10:21:32 charon: 16[IKE] received FRAGMENTATION vendor ID
Jan 22 10:21:32 charon: 16[IKE] <40> 68.196.152.146 is initiating a Main Mode IKE_SA
Jan 22 10:21:32 charon: 16[IKE] 68.196.152.146 is initiating a Main Mode IKE_SA
Jan 22 10:21:32 charon: 16[IKE] <40> remote host is behind NAT
Jan 22 10:21:32 charon: 16[IKE] remote host is behind NAT
Jan 22 10:21:32 charon: 16[IKE] <con1|40>IKE_SA con1[40] established between 162.217.144.166[162.217.144.166]...68.196.152.146[192.168.1.9]
Jan 22 10:21:32 charon: 16[IKE] IKE_SA con1[40] established between 162.217.144.166[162.217.144.166]...68.196.152.146[192.168.1.9]
Jan 22 10:21:32 charon: 16[IKE] <con1|40>DPD not supported by peer, disabled
Jan 22 10:21:32 charon: 16[IKE] DPD not supported by peer, disabled
Jan 22 10:21:32 charon: 07[IKE] <con1|40>received 3600s lifetime, configured 0s
Jan 22 10:21:32 charon: 07[IKE] received 3600s lifetime, configured 0s
Jan 22 10:21:32 charon: 07[IKE] <con1|40>received 250000000 lifebytes, configured 0
Jan 22 10:21:32 charon: 07[IKE] received 250000000 lifebytes, configured 0
Jan 22 10:21:32 charon: 07[IKE] <con1|40>CHILD_SA con1{40} established with SPIs c2ac3083_i 791710e4_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:32 charon: 07[IKE] CHILD_SA con1{40} established with SPIs c2ac3083_i 791710e4_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:32 charon: 09[IKE] <con1|40>received 3600s lifetime, configured 0s
Jan 22 10:21:32 charon: 09[IKE] received 3600s lifetime, configured 0s
Jan 22 10:21:32 charon: 09[IKE] <con1|40>received 250000000 lifebytes, configured 0
Jan 22 10:21:32 charon: 09[IKE] received 250000000 lifebytes, configured 0
Jan 22 10:21:32 charon: 09[IKE] <con1|40>detected rekeying of CHILD_SA con1{40}
Jan 22 10:21:32 charon: 09[IKE] detected rekeying of CHILD_SA con1{40}
Jan 22 10:21:32 charon: 07[IKE] <con1|40>CHILD_SA con1{40} established with SPIs ce98b678_i f53a2b36_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:32 charon: 07[IKE] CHILD_SA con1{40} established with SPIs ce98b678_i f53a2b36_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:32 charon: 14[IKE] <con1|40>received DELETE for ESP CHILD_SA with SPI 791710e4
Jan 22 10:21:32 charon: 14[IKE] received DELETE for ESP CHILD_SA with SPI 791710e4
Jan 22 10:21:32 charon: 14[IKE] <con1|40>closing CHILD_SA con1{40} with SPIs c2ac3083_i (0 bytes) 791710e4_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:32 charon: 14[IKE] closing CHILD_SA con1{40} with SPIs c2ac3083_i (0 bytes) 791710e4_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:35 charon: 14[IKE] <con1|40>received 3600s lifetime, configured 0s
Jan 22 10:21:35 charon: 14[IKE] received 3600s lifetime, configured 0s
Jan 22 10:21:35 charon: 14[IKE] <con1|40>received 250000000 lifebytes, configured 0
Jan 22 10:21:35 charon: 14[IKE] received 250000000 lifebytes, configured 0
Jan 22 10:21:35 charon: 14[IKE] <con1|40>detected rekeying of CHILD_SA con1{40}
Jan 22 10:21:35 charon: 14[IKE] detected rekeying of CHILD_SA con1{40}
Jan 22 10:21:35 charon: 14[IKE] <con1|40>CHILD_SA con1{40} established with SPIs c51633fb_i ca4d941f_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:35 charon: 14[IKE] CHILD_SA con1{40} established with SPIs c51633fb_i ca4d941f_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:35 charon: 16[IKE] <con1|40>received DELETE for ESP CHILD_SA with SPI f53a2b36
Jan 22 10:21:35 charon: 16[IKE] received DELETE for ESP CHILD_SA with SPI f53a2b36
Jan 22 10:21:35 charon: 16[IKE] <con1|40>closing CHILD_SA con1{40} with SPIs ce98b678_i (0 bytes) f53a2b36_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:35 charon: 16[IKE] closing CHILD_SA con1{40} with SPIs ce98b678_i (0 bytes) f53a2b36_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:39 charon: 16[IKE] <con1|40>received 3600s lifetime, configured 0s
Jan 22 10:21:39 charon: 16[IKE] received 3600s lifetime, configured 0s
Jan 22 10:21:39 charon: 16[IKE] <con1|40>received 250000000 lifebytes, configured 0
Jan 22 10:21:39 charon: 16[IKE] received 250000000 lifebytes, configured 0
Jan 22 10:21:39 charon: 16[IKE] <con1|40>detected rekeying of CHILD_SA con1{40}
Jan 22 10:21:39 charon: 16[IKE] detected rekeying of CHILD_SA con1{40}
Jan 22 10:21:39 charon: 16[IKE] <con1|40>CHILD_SA con1{40} established with SPIs c0f69931_i fff6c3f5_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:39 charon: 16[IKE] CHILD_SA con1{40} established with SPIs c0f69931_i fff6c3f5_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:39 charon: 10[IKE] <con1|40>received DELETE for ESP CHILD_SA with SPI ca4d941f
Jan 22 10:21:39 charon: 10[IKE] received DELETE for ESP CHILD_SA with SPI ca4d941f
Jan 22 10:21:39 charon: 10[IKE] <con1|40>closing CHILD_SA con1{40} with SPIs c51633fb_i (0 bytes) ca4d941f_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:39 charon: 10[IKE] closing CHILD_SA con1{40} with SPIs c51633fb_i (0 bytes) ca4d941f_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:47 charon: 10[IKE] <con1|40>received 3600s lifetime, configured 0s
Jan 22 10:21:47 charon: 10[IKE] received 3600s lifetime, configured 0s
Jan 22 10:21:47 charon: 10[IKE] <con1|40>received 250000000 lifebytes, configured 0
Jan 22 10:21:47 charon: 10[IKE] received 250000000 lifebytes, configured 0
Jan 22 10:21:47 charon: 10[IKE] <con1|40>detected rekeying of CHILD_SA con1{40}
Jan 22 10:21:47 charon: 10[IKE] detected rekeying of CHILD_SA con1{40}
Jan 22 10:21:47 charon: 10[IKE] <con1|40>CHILD_SA con1{40} established with SPIs c9cfefb5_i 4d93f9c0_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:47 charon: 10[IKE] CHILD_SA con1{40} established with SPIs c9cfefb5_i 4d93f9c0_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:47 charon: 07[IKE] <con1|40>received DELETE for ESP CHILD_SA with SPI fff6c3f5
Jan 22 10:21:47 charon: 07[IKE] received DELETE for ESP CHILD_SA with SPI fff6c3f5
Jan 22 10:21:47 charon: 07[IKE] <con1|40>closing CHILD_SA con1{40} with SPIs c0f69931_i (0 bytes) fff6c3f5_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:47 charon: 07[IKE] closing CHILD_SA con1{40} with SPIs c0f69931_i (0 bytes) fff6c3f5_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:57 charon: 07[IKE] <con1|40>received 3600s lifetime, configured 0s
Jan 22 10:21:57 charon: 07[IKE] received 3600s lifetime, configured 0s
Jan 22 10:21:57 charon: 07[IKE] <con1|40>received 250000000 lifebytes, configured 0
Jan 22 10:21:57 charon: 07[IKE] received 250000000 lifebytes, configured 0
Jan 22 10:21:57 charon: 07[IKE] <con1|40>detected rekeying of CHILD_SA con1{40}
Jan 22 10:21:57 charon: 07[IKE] detected rekeying of CHILD_SA con1{40}
Jan 22 10:21:57 charon: 07[IKE] <con1|40>CHILD_SA con1{40} established with SPIs c13e2917_i d30e718f_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:57 charon: 07[IKE] CHILD_SA con1{40} established with SPIs c13e2917_i d30e718f_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:57 charon: 10[IKE] <con1|40>received DELETE for ESP CHILD_SA with SPI 4d93f9c0
Jan 22 10:21:57 charon: 10[IKE] received DELETE for ESP CHILD_SA with SPI 4d93f9c0
Jan 22 10:21:57 charon: 10[IKE] <con1|40>closing CHILD_SA con1{40} with SPIs c9cfefb5_i (0 bytes) 4d93f9c0_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:57 charon: 10[IKE] closing CHILD_SA con1{40} with SPIs c9cfefb5_i (0 bytes) 4d93f9c0_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
-
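An added example, not pfSense's or strongSwan's code and not posted in this thread, that reads the charon log pattern shown in the two Windows 7 posts above and turns it into a diagnosis. The shape to recognise is: IKE_SA established, peer reported behind NAT, then CHILD_SAs that are established, rekeyed and closed over and over with "(0 bytes)" in both directions, which means IPsec negotiates but the L2TP traffic it is supposed to carry never flows and the client keeps sending DELETEs. pfSense prints each charon message twice, once with a <conN|M> context prefix and once without, so the parser drops the consecutive duplicate. SAMPLE_LOG is a constructed excerpt in that format, the diagnosis strings are this example's own wording, and the KB947234 hint refers to the article quoted earlier in the thread.

```python
"""Summarise charon (strongSwan) IKE log lines for an L2TP/IPsec transport-mode setup.

Added example, not pfSense or strongSwan code. Counts CHILD_SA churn per IKE_SA
and classifies it; SAMPLE_LOG is a constructed excerpt in pfSense's log format.
"""
import re

LINE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d charon: \d+\[\w+\] (?:<[^>]*>)?\s*(?P<msg>.*)$")
IKE_ESTABLISHED = re.compile(
    r"IKE_SA (\w+)\[(\d+)\] established between ([^\[\s]+)\[([^\]]+)\]\.\.\.([^\[\s]+)\[([^\]]+)\]")
CHILD_ESTABLISHED = re.compile(r"CHILD_SA (\w+)\{(\d+)\} established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o")
CHILD_CLOSING = re.compile(
    r"closing CHILD_SA (\w+)\{(\d+)\} with SPIs [0-9a-f]+_i \((\d+) bytes\) [0-9a-f]+_o \((\d+) bytes\)")
REKEY = re.compile(r"detected rekeying of CHILD_SA (\w+)\{(\d+)\}")

# Constructed sample; same format as the log posted above, each message doubled as pfSense shows it.
SAMPLE_LOG = """\
Jan 22 10:21:32 charon: 16[IKE] <40> remote host is behind NAT
Jan 22 10:21:32 charon: 16[IKE] remote host is behind NAT
Jan 22 10:21:32 charon: 16[IKE] <con1|40>IKE_SA con1[40] established between 162.217.144.166[162.217.144.166]...68.196.152.146[192.168.1.9]
Jan 22 10:21:32 charon: 16[IKE] IKE_SA con1[40] established between 162.217.144.166[162.217.144.166]...68.196.152.146[192.168.1.9]
Jan 22 10:21:32 charon: 16[IKE] <con1|40>DPD not supported by peer, disabled
Jan 22 10:21:32 charon: 16[IKE] DPD not supported by peer, disabled
Jan 22 10:21:32 charon: 07[IKE] <con1|40>CHILD_SA con1{40} established with SPIs c2ac3083_i 791710e4_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:32 charon: 07[IKE] CHILD_SA con1{40} established with SPIs c2ac3083_i 791710e4_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:32 charon: 09[IKE] <con1|40>detected rekeying of CHILD_SA con1{40}
Jan 22 10:21:32 charon: 09[IKE] detected rekeying of CHILD_SA con1{40}
Jan 22 10:21:32 charon: 07[IKE] <con1|40>CHILD_SA con1{40} established with SPIs ce98b678_i f53a2b36_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:32 charon: 07[IKE] CHILD_SA con1{40} established with SPIs ce98b678_i f53a2b36_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:32 charon: 14[IKE] <con1|40>received DELETE for ESP CHILD_SA with SPI 791710e4
Jan 22 10:21:32 charon: 14[IKE] received DELETE for ESP CHILD_SA with SPI 791710e4
Jan 22 10:21:32 charon: 14[IKE] <con1|40>closing CHILD_SA con1{40} with SPIs c2ac3083_i (0 bytes) 791710e4_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:32 charon: 14[IKE] closing CHILD_SA con1{40} with SPIs c2ac3083_i (0 bytes) 791710e4_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:35 charon: 16[IKE] <con1|40>received DELETE for ESP CHILD_SA with SPI f53a2b36
Jan 22 10:21:35 charon: 16[IKE] received DELETE for ESP CHILD_SA with SPI f53a2b36
Jan 22 10:21:35 charon: 16[IKE] <con1|40>closing CHILD_SA con1{40} with SPIs ce98b678_i (0 bytes) f53a2b36_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:35 charon: 16[IKE] closing CHILD_SA con1{40} with SPIs ce98b678_i (0 bytes) f53a2b36_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
"""


def new_entry():
    return {"local_addr": None, "remote_addr": None, "remote_id": None, "behind_nat": False,
            "dpd_unsupported": False, "deletes_received": 0, "rekeys": 0,
            "child_established": 0, "child_closed": 0, "zero_byte_closes": 0}


def summarize(log_text):
    """Return {(conn, ike_id): stats} for every IKE_SA seen in the log text."""
    stats, current, pending_nat, last_msg = {}, None, False, None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if msg == last_msg:          # second copy of the same message, minus the <conN|M> prefix
            continue
        last_msg = msg
        if "remote host is behind NAT" in msg:
            pending_nat = True       # logged before the IKE_SA line that names the connection
        elif (m := IKE_ESTABLISHED.search(msg)):
            current = (m.group(1), int(m.group(2)))
            e = stats.setdefault(current, new_entry())
            e.update(local_addr=m.group(3), remote_addr=m.group(5), remote_id=m.group(6),
                     behind_nat=pending_nat)
            pending_nat = False
        elif "DPD not supported by peer" in msg and current in stats:
            stats[current]["dpd_unsupported"] = True
        elif "received DELETE for ESP CHILD_SA" in msg and current in stats:
            stats[current]["deletes_received"] += 1
        elif (m := REKEY.search(msg)):
            stats.setdefault((m.group(1), int(m.group(2))), new_entry())["rekeys"] += 1
        elif (m := CHILD_ESTABLISHED.search(msg)):
            stats.setdefault((m.group(1), int(m.group(2))), new_entry())["child_established"] += 1
        elif (m := CHILD_CLOSING.search(msg)):
            e = stats.setdefault((m.group(1), int(m.group(2))), new_entry())
            e["child_closed"] += 1
            if m.group(3) == "0" and m.group(4) == "0":
                e["zero_byte_closes"] += 1
    return stats


def classify(e):
    """One-line diagnosis for one IKE_SA's stats (wording is this example's own)."""
    if e["child_established"] == 0:
        return "phase 1 only: no CHILD_SA came up, so check the phase 2 proposal (transport mode, ESP)"
    if e["child_closed"] >= 2 and e["zero_byte_closes"] == e["child_closed"]:
        why = " (peer is behind NAT; for Windows clients see the KB947234 note earlier in the thread)" if e["behind_nat"] else ""
        return (f"IPsec up but idle: every CHILD_SA was closed with 0 bytes both ways and the peer sent "
                f"{e['deletes_received']} DELETEs, so no L2TP (udp/1701) ever crossed it" + why)
    return "CHILD_SA carried traffic; the next place to look is the L2TP (mpd) log"


if __name__ == "__main__":
    for key, entry in summarize(SAMPLE_LOG).items():
        print(key, entry["remote_addr"], "id", entry["remote_id"], "->", classify(entry))
```

Run it against Status > System Logs > IPsec output copied from pfSense: a "phase 1 only" verdict points at the phase 2 proposal, an "up but idle" verdict means the IPsec side is fine and the problem is between the client's L2TP and mpd, and only the third case makes the L2TP log worth reading next.
-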
Probably you have to disable rekey on this tunnel.
-
Here are my settings below, and it doesn't work.
PHASE 1 SETTINGS
Phase 1 proposal (Authentication):
Authentication method: Mutual PSK
Negotiation mode: Main
My Identifier: My IP address
Phase 1 proposal (Algorithms):
Encryption algorithm: 3DES
Hash algorithm: SHA1
Dh key group: 2 (1024 bit)
Lifetime: 28800 seconds
Advanced options:
Disable rekey is off
Disable reauth is off
NAT Traversal is Auto
Dead Peer Detection is enabled
PHASE 2 SETTINGS
Phase 2 settings are all the defaults except MODE which should be transport so:
MODE: Transport (this one f'd me up for a while, I kept setting it to tunnel)
Protocol: ESP
Encryption algorithms: AES (128 bits), 3DES, CAST128, DES
Hash algorithms: MD5, SHA1, SHA256, SHA384, SHA512, AES-XCBC
PFS key group: off
Lifetime: 3600 seconds
On the mobile clients tab:
Enable IPsec mobile client support is checked
Everything else on this tab is unchecked
User Authentication is set to "Local Database" (which isn't actually used because Xauth isn't on in P1)
Group Authentication is set to none
On the Pre-Shared Keys tab:
Add a single PSK with the identifier "allusers", set this to something strong
Firewall NAT:
- No special NAT rules added, outbound NAT is automatic
Firewall rules:
- No special WAN rules added
- No IPSec rules added
- L2TP VPN, add a rule for the VPN traffic you want to allow. I have a "pass-everything" rule here. Note that if you add a rule, by default you get a pass all TCP rule, not a pass everything rule.
L2TP VPN setup:
L2TP server is Enabled
Interface: LAN
Remote address range: a range that is a subset of the LAN subnet, that starts on a /29 boundary. I picked 192.168.x.208
Subnet mask: /29
Number of l2tp users: 8
Secret: (blank)
Authentication type: CHAP
Server address: is the next IP outside the remote address range, 192.168.x.216 in my case.
-
Interface: LAN
Should be WAN, not LAN (See https://doc.pfsense.org/index.php/L2TP/IPsec )
-
I have tried both it doesn't seem to matter for L2TP.
I can still establish a connection from the phone but not from windows client.
-
I have tried both it doesn't seem to matter for L2TP.
I can still establish a connection from the phone but not from windows client.
The interface matters for L2TP. The transport mode IPsec tunnel is built between the client's IP address and the WAN IP address of the firewall. The L2TP client will send the L2TP request to the WAN IP of the firewall.
Using the exact settings on the guide, a Windows 8.1 client will connect and route. I haven't tried other versions of Windows though.
-
Jimp what version of the snapshot are you using?