
    IPSec/L2TP with pfSense 2.2

    118 Posts 48 Posters 109.8k Views
    • eri--

      You probably have set up your L2TP wrongly, seeing that .0 IP assigned.

      • AndrewZ

        Changed client subnet, similar result:

        Jan 14 03:10:06 	l2tps: [l2tp0] no interface to proxy arp on for 192.168.155.16
        Jan 14 03:10:06 	l2tps: [l2tp0] IFACE: Up event
        Jan 14 03:10:06 	l2tps: 192.168.155.254 -> 192.168.155.16
        Jan 14 03:10:06 	l2tps: [l2tp0] IPCP: LayerUp
        Jan 14 03:10:06 	l2tps: [l2tp0] IPCP: state change Ack-Rcvd --> Opened

        • MikeV7896

          Same (or similar) issue as Andrew…

          I followed themaninblack's config (except for IPSec phase 1 proposal, adjusted for my device)... The connection is being made without any problems. After connecting, I can ping, both LAN hosts and external hosts, DNS works as well (since it's from my pfSense box), but anything else seems to get lost, even webconfig access. I created an "allow all" firewall rule for L2TP, but the logs still show things being blocked... is there another rule I need to add somewhere?

          Could it be blocking all TCP? If I set the DNS client on my phone to force TCP, nothing is able to resolve anymore.

          EDIT: I noticed in themaninblack's post that he mentions...

          • L2TP VPN, add a rule for the VPN traffic you want to allow.  I have a "pass-everything" rule here.  Note that if you add a rule, by default you get a pass all TCP rule, not a pass everything rule.

          It seems like it's blocking all TCP, not passing all TCP. And it doesn't appear to be something I can remove, as it doesn't show in the rules.

          (attachment: fw-l2tp0.PNG)

          The S in IOT stands for Security

          • eri--

            Probably you have to enable MSS clamping on your tunnel.

            • MikeV7896

              No change. TCP still being blocked, while UDP and ICMP go just fine.


              • AndrewZ

                virgiliomi,
                you're still luckier than me :)
                I do not even see l2tp in the firewall log. Could you please share your working config without hiding the private addresses you use?
                Thanks!

                • MikeV7896

                  Basically, I followed themaninblack's config from earlier in this thread. The only changes I made are…

                  Phase 1 Algorithms:
                  Encryption: AES 256
                  Hash: SHA1
                  DH key group: 2 (1024 bit)

                  Phase 2 Proposal:
                  Encryption: Only AES checked, 256 bit selected
                  Hash: Only SHA1 checked

                  The IP Addresses I used in L2TP settings are a subset of my LAN subnet, just as mentioned by themaninblack. My LAN is 192.168.1.1/24, my L2TP is 192.168.1.208/29 and my server address is 192.168.1.216. If I use addresses outside of my LAN subnet (i.e. 192.168.51.208/29 and 192.168.51.216) then I get ping responses, but no TCP or UDP traffic (so no DNS).


                  • jimp (Rebel Alliance Developer, Netgate)

                    Looks like the rules are somehow not matching as expected. Maybe inbound L2TP traffic is actually bypassing pf and not receiving a state?

                    If you add a Floating rule (quick=checked, dir=out, interface=l2tp, source=any, destination=any, TCP Flags=Any Flags, State Type=Sloppy State) it works.

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    • MikeV7896

                      Yep, that rule definitely fixed it for me. Works much better now!


                      • jimp (Rebel Alliance Developer, Netgate)

                        For those having trouble getting it going, I started from scratch and got this to work, pfSense 2.2 vs Windows 8.1 client:

                        https://doc.pfsense.org/index.php/L2TP/IPsec


                        • AndrewZ

                          OK, I've deleted my previous config and followed the guide. Result is the same:
                          IPSec:

                          Jan 21 01:57:26 	charon: 08[KNL] 192.168.32.1 appeared on l2tp0
                          Jan 21 01:57:26 	charon: 08[KNL] interface l2tp0 activated
                          
                          

                          L2TP:

                          Jan 21 01:57:26 	l2tps: [l2tp0] rec'd unexpected protocol IP
                          Jan 21 01:57:26 	l2tps: [l2tp0] no interface to proxy arp on for 192.168.32.128
                          Jan 21 01:57:26 	l2tps: [l2tp0] IFACE: Up event
                          Jan 21 01:57:26 	l2tps: 192.168.32.1 -> 192.168.32.128
                          Jan 21 01:57:26 	l2tps: [l2tp0] IPCP: LayerUp
                          Jan 21 01:57:26 	l2tps: [l2tp0] IPCP: state change Ack-Rcvd --> Opened
                          Jan 21 01:57:26 	l2tps: PRIDNS 192.168.5.1
                          Jan 21 01:57:26 	l2tps: IPADDR 192.168.32.128
                          Jan 21 01:57:26 	l2tps: [l2tp0] IPCP: SendConfigAck #3
                          Jan 21 01:57:26 	l2tps: PRIDNS 192.168.5.1
                          Jan 21 01:57:26 	l2tps: 192.168.32.128 is OK
                          Jan 21 01:57:26 	l2tps: IPADDR 192.168.32.128
                          
                          

                          Nothing in firewall log, cannot access LAN. Tested from iPad. pfsense on nanobsd.

                          • Ocid

                            I managed to get a connection and I'm able to browse LAN and internet from my iPhone (iOS 8.1.2) by following that guide, but I had to make the following modifications:

                            IPsec Phase 1:

                            • DH key group: 2 (1024)

                            ~~Firewall - Rules, WAN tab

                            • see attached pic~~
                              (works without these rules)

                            Services - DNS Resolver - Access Lists

                            • allow 192.168.32.128/25

                            (attachment: Screenshot 2015-01-21 12.32.19.png)

                            • jimp (Rebel Alliance Developer, Netgate)

                              @Ocid:

                              I managed to get a connection and I'm able to browse LAN and internet from my iPhone (iOS 8.1.2) by following that guide, but I had to make the following modifications:

                              I added those notes to https://doc.pfsense.org/index.php/L2TP/IPsec


                              • jimp (Rebel Alliance Developer, Netgate)

                                @AndrewZ:

                                Nothing in firewall log, cannot access LAN. Tested from iPad. pfsense on nanobsd.

                                What version of iOS? If you see anything at all in the L2TP log then the IPsec portion must be OK.


                                • dstroot

                                  Services - DNS Resolver - Access Lists

                                  • allow 192.168.32.128/25

                                  This might be my issue - none of the guides I have seen so far have mentioned anything about DNS resolver…

                                  • AndrewZ

                                    @jimp:

                                    What version of iOS? If you see anything at all in the L2TP log then the IPsec portion must be OK.

                                    iOS 8.1.2
                                    I mean the Firewall log has no records related to L2TP, but I do have something in both IPsec and L2TP logs, I mentioned this earlier in this thread.
                                    Could it be related to nanobsd build?

                                    • jimp (Rebel Alliance Developer, Netgate)

                                      Not likely related to NanoBSD, but it could be related to the client configuration and/or L2TP settings. I don't have any devices with iOS 7.x or 8.x to test. I could try 6.x but that may have other unrelated issues.


                                      • AndrewZ

                                        I don't think the client is guilty… I will try to find another client to test. This error, '[l2tp0] no interface to proxy arp on for 192.168.32.128', makes me suspicious regarding the L2TP server config or behavior.

                                        Daemon is started as follows:
                                        /usr/local/sbin/mpd4 -b -d /var/etc/l2tp-vpn -p /var/run/l2tp-vpn.pid -s l2tps l2tps

                                        Configuration file /var/etc/l2tp-vpn/mpd.conf

                                        
                                        l2tps:
                                        	load l2tp0
                                        	load l2tp1
                                        	load l2tp2
                                        	load l2tp3
                                        	load l2tp4
                                        	load l2tp5
                                        	load l2tp6
                                        	load l2tp7
                                        
                                        l2tp0:
                                        	new -i l2tp0 l2tp0 l2tp0
                                        	set ipcp ranges 192.168.32.1/32 192.168.32.128/32
                                        	load l2tp_standard
                                        
                                        l2tp1:
                                        	new -i l2tp1 l2tp1 l2tp1
                                        	set ipcp ranges 192.168.32.1/32 192.168.32.129/32
                                        	load l2tp_standard
                                        
                                        l2tp2:
                                        	new -i l2tp2 l2tp2 l2tp2
                                        	set ipcp ranges 192.168.32.1/32 192.168.32.130/32
                                        	load l2tp_standard
                                        
                                        l2tp3:
                                        	new -i l2tp3 l2tp3 l2tp3
                                        	set ipcp ranges 192.168.32.1/32 192.168.32.131/32
                                        	load l2tp_standard
                                        
                                        l2tp4:
                                        	new -i l2tp4 l2tp4 l2tp4
                                        	set ipcp ranges 192.168.32.1/32 192.168.32.132/32
                                        	load l2tp_standard
                                        
                                        l2tp5:
                                        	new -i l2tp5 l2tp5 l2tp5
                                        	set ipcp ranges 192.168.32.1/32 192.168.32.133/32
                                        	load l2tp_standard
                                        
                                        l2tp6:
                                        	new -i l2tp6 l2tp6 l2tp6
                                        	set ipcp ranges 192.168.32.1/32 192.168.32.134/32
                                        	load l2tp_standard
                                        
                                        l2tp7:
                                        	new -i l2tp7 l2tp7 l2tp7
                                        	set ipcp ranges 192.168.32.1/32 192.168.32.135/32
                                        	load l2tp_standard
                                        
                                        l2tp_standard:
                                        	set bundle disable multilink
                                        	set bundle enable compression
                                        	set bundle yes crypt-reqd
                                        	set ipcp yes vjcomp
                                        	# set ipcp ranges 131.188.69.161/32 131.188.69.170/28
                                        	set ccp yes mppc
                                        	set iface disable on-demand
                                        	set iface enable proxy-arp
                                        	set iface up-script /usr/local/sbin/vpn-linkup
                                        	set iface down-script /usr/local/sbin/vpn-linkdown
                                        	set link yes acfcomp protocomp
                                        	set link no pap chap
                                        	set link enable chap
                                        	set link keep-alive 10 180
                                        	set ipcp dns 192.168.5.1
                                        
                                        
                                        • jimp (Rebel Alliance Developer, Netgate)

                                          @AndrewZ:

                                          I don't think the client is guilty… I will try to find another client to test. This error - [l2tp0] no interface to proxy arp on for 192.168.32.128' - make me suspicious regarding the L2TP server config or behavior.

                                          That is normal. It only comes into play if you make the client subnet overlap another interface such as LAN; in that case the firewall will proxy ARP for the overlapping addresses so the clients can function. It's not related to any problem.

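The two points made in this exchange (jimp's explanation that proxy ARP is only needed when the L2TP client pool overlaps LAN, and Ocid's earlier note that the DNS Resolver access list must allow the client pool) can be checked mechanically against an mpd.conf of the shape AndrewZ posted. This is an added example, not code from the thread or from pfSense; the sample config is constructed from two of the posted links, and the LAN subnet 192.168.5.0/24 is an assumption inferred only from the posted DNS address.

```python
"""Audit an mpd L2TP client pool against the LAN subnet and the DNS Resolver ACL.

Added example for this thread (not pfSense code). It parses the
`set ipcp ranges <server>/32 <client>/32` lines that pfSense writes per link
and applies the two observations made in the thread.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed sample: two links in the same syntax as the posted mpd.conf.
SAMPLE_MPD_CONF = """\
l2tp0:
\tnew -i l2tp0 l2tp0 l2tp0
\tset ipcp ranges 192.168.32.1/32 192.168.32.128/32
\tload l2tp_standard
l2tp1:
\tnew -i l2tp1 l2tp1 l2tp1
\tset ipcp ranges 192.168.32.1/32 192.168.32.129/32
\tload l2tp_standard
l2tp_standard:
\tset iface enable proxy-arp
"""

RANGES_RE = re.compile(r"^\s*set ipcp ranges (\S+) (\S+)\s*$", re.MULTILINE)


def parse_ipcp_ranges(conf: str) -> list[tuple[str, str]]:
    """Return (server_address, client_address) for every link, without the /32."""
    return [
        (str(ipaddress.ip_interface(server).ip), str(ipaddress.ip_interface(client).ip))
        for server, client in RANGES_RE.findall(conf)
    ]


def needs_proxy_arp(client_ip: str, lan: str) -> bool:
    """jimp's point: proxy ARP matters only when the client address lies inside LAN."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(lan, strict=False)


def dns_acl_covers(client_ip: str, acl_networks: list[str]) -> bool:
    """Ocid's point: the DNS Resolver access list must include the client pool."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in acl_networks)


def audit(conf: str, lan: str, acl_networks: list[str]) -> list[dict]:
    """One row per link: whether the 'no interface to proxy arp' message is expected
    (client outside LAN), whether DNS will answer the client, and whether the pool
    hands out a host address ending in .0 (eri--'s remark earlier in the thread)."""
    rows = []
    for server, client in parse_ipcp_ranges(conf):
        rows.append({
            "server": server,
            "client": client,
            "proxy_arp_expected": needs_proxy_arp(client, lan),
            "dns_acl_ok": dns_acl_covers(client, acl_networks),
            "bad_host_zero": int(ipaddress.ip_address(client)) & 0xFF == 0,
        })
    return rows


if __name__ == "__main__":
    # Assumed LAN 192.168.5.0/24; the ACL below lacks the pool, as in the thread.
    for row in audit(SAMPLE_MPD_CONF, "192.168.5.0/24", ["192.168.5.0/24"]):
        print(row)
```

With the pool outside LAN the proxy-ARP log line is expected and harmless, while `dns_acl_ok` only becomes true once `192.168.32.128/25` is added to the access list.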

                                          • robertwh

                                            Guys,
                                            I have been playing with the latest build and trying to get this to work.

                                            These are the logs I get when trying to connect using Windows 7.
                                            According to the IPsec logs I get this far and it just fails to connect:
                                            Jan 22 03:50:05 charon: 09[IKE] <con1|24> CHILD_SA con1{24} established with SPIs c5c7bc2a_i 1c3b1126_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                                            Jan 22 03:50:05 charon: 09[IKE] CHILD_SA con1{24} established with SPIs c5c7bc2a_i 1c3b1126_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]

                                            If I connect using my iPhone 6,
                                            it connects and gets a proper IP address.
                                            I can ping the phone from my network but cannot connect anywhere from the phone (DNS names or IP addresses).

                                            I found an article on why Windows may not be connecting but haven't had any luck getting it to work.

                                            AssumeUDPEncapsulationContextOnSendRule

                                            http://support2.microsoft.com/?kbid=947234

                                            It appears to be valid for Windows Vista - 8

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.