Netgate Discussion Forum

    IPSec/L2TP with pfSense 2.2

    118 Posts 48 Posters 112.6k Views
    • jimp (Rebel Alliance Developer Netgate)

      Not likely related to NanoBSD, but it could be related to the client configuration and/or L2TP settings. I don't have any devices with iOS 7.x or 8.x to test. I could try 6.x but that may have other unrelated issues.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • AndrewZ

        I don't think the client is guilty… I will try to find another client to test. This error - '[l2tp0] no interface to proxy arp on for 192.168.32.128' - makes me suspicious regarding the L2TP server config or behavior.

        Daemon is started as follows:
        /usr/local/sbin/mpd4 -b -d /var/etc/l2tp-vpn -p /var/run/l2tp-vpn.pid -s l2tps l2tps

        Configuration file /var/etc/l2tp-vpn/mpd.conf

        
        l2tps:
        	load l2tp0
        	load l2tp1
        	load l2tp2
        	load l2tp3
        	load l2tp4
        	load l2tp5
        	load l2tp6
        	load l2tp7
        
        l2tp0:
        	new -i l2tp0 l2tp0 l2tp0
        	set ipcp ranges 192.168.32.1/32 192.168.32.128/32
        	load l2tp_standard
        
        l2tp1:
        	new -i l2tp1 l2tp1 l2tp1
        	set ipcp ranges 192.168.32.1/32 192.168.32.129/32
        	load l2tp_standard
        
        l2tp2:
        	new -i l2tp2 l2tp2 l2tp2
        	set ipcp ranges 192.168.32.1/32 192.168.32.130/32
        	load l2tp_standard
        
        l2tp3:
        	new -i l2tp3 l2tp3 l2tp3
        	set ipcp ranges 192.168.32.1/32 192.168.32.131/32
        	load l2tp_standard
        
        l2tp4:
        	new -i l2tp4 l2tp4 l2tp4
        	set ipcp ranges 192.168.32.1/32 192.168.32.132/32
        	load l2tp_standard
        
        l2tp5:
        	new -i l2tp5 l2tp5 l2tp5
        	set ipcp ranges 192.168.32.1/32 192.168.32.133/32
        	load l2tp_standard
        
        l2tp6:
        	new -i l2tp6 l2tp6 l2tp6
        	set ipcp ranges 192.168.32.1/32 192.168.32.134/32
        	load l2tp_standard
        
        l2tp7:
        	new -i l2tp7 l2tp7 l2tp7
        	set ipcp ranges 192.168.32.1/32 192.168.32.135/32
        	load l2tp_standard
        
        l2tp_standard:
        	set bundle disable multilink
        	set bundle enable compression
        	set bundle yes crypt-reqd
        	set ipcp yes vjcomp
        	# set ipcp ranges 131.188.69.161/32 131.188.69.170/28
        	set ccp yes mppc
        	set iface disable on-demand
        	set iface enable proxy-arp
        	set iface up-script /usr/local/sbin/vpn-linkup
        	set iface down-script /usr/local/sbin/vpn-linkdown
        	set link yes acfcomp protocomp
        	set link no pap chap
        	set link enable chap
        	set link keep-alive 10 180
        	set ipcp dns 192.168.5.1
        
        
        • jimp (Rebel Alliance Developer Netgate)

          @AndrewZ:

          I don't think the client is guilty… I will try to find another client to test. This error - '[l2tp0] no interface to proxy arp on for 192.168.32.128' - makes me suspicious regarding the L2TP server config or behavior.

          That is normal. It only comes into play if you make the client subnet overlap another interface such as LAN; the firewall will then proxy ARP for the overlapping addresses so the clients can function. It's not related to any problem.

          • robertwh

            Guys,
            I have been playing with the latest build and trying to get this to work.

            These are the logs I get when trying to connect using Windows 7.
            According to the IPsec logs I get this far and it just fails to connect:
            Jan 22 03:50:05 charon: 09[IKE] <con1|24>CHILD_SA con1{24} established with SPIs c5c7bc2a_i 1c3b1126_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
            Jan 22 03:50:05 charon: 09[IKE] CHILD_SA con1{24} established with SPIs c5c7bc2a_i 1c3b1126_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]

            If I connect using my iPhone 6 it connects and gets a proper IP address.
            I can ping the phone from my network but cannot connect anywhere from the phone (DNS names or IP addresses).

            I found an article on why Windows may not be connecting but haven't had any luck getting it to work.

            AssumeUDPEncapsulationContextOnSendRule

            http://support2.microsoft.com/?kbid=947234

            It appears to be valid for Windows Vista - 8

            • jimp (Rebel Alliance Developer Netgate)

              @robertwh:

              Jan 22 03:50:05 charon: 09[IKE] <con1|24>CHILD_SA con1{24} established with SPIs c5c7bc2a_i 1c3b1126_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
              Jan 22 03:50:05 charon: 09[IKE] CHILD_SA con1{24} established with SPIs c5c7bc2a_i 1c3b1126_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]

              That means the IPsec portion connected. From there, look in the L2TP settings/logs.

              • robertwh

                I don't think the IPsec tunnel is completely working though.
                I suspect it may be NAT-T related.

                On the Windows client it connects but never gets to the L2TP connection. It generates these logs and then drops with an 809 error.

                
                Jan 22 09:13:19	charon: 09[IKE] <con1|27>closing CHILD_SA con1{27} with SPIs cb8d4f49_i (774 bytes) c223e6e8_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                Jan 22 09:13:19	charon: 09[IKE] closing CHILD_SA con1{27} with SPIs cb8d4f49_i (774 bytes) c223e6e8_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                Jan 22 09:13:19	charon: 15[IKE] <con1|27>Hash => 20 bytes @ 0x80d545540
                Jan 22 09:13:19	charon: 15[IKE] <con1|27>0: 00 F2 7E 7F 5D 3A C0 86 3F D1 78 60 08 82 8B 6C ..~.]:..?.x`...l
                Jan 22 09:13:19	charon: 15[IKE] <con1|27>16: C8 DD FE 22 ..."
                Jan 22 09:13:19	charon: 15[IKE] Hash => 20 bytes @ 0x80d545540
                Jan 22 09:13:19	charon: 15[IKE] 0: 00 F2 7E 7F 5D 3A C0 86 3F D1 78 60 08 82 8B 6C ..~.]:..?.x`...l
                Jan 22 09:13:19	charon: 15[IKE] 16: C8 DD FE 22 ..."
                Jan 22 09:13:19	charon: 15[IKE] <con1|27>received DELETE for IKE_SA con1[27]
                Jan 22 09:13:19	charon: 15[IKE] received DELETE for IKE_SA con1[27]
                Jan 22 09:13:19	charon: 15[IKE] <con1|27>deleting IKE_SA con1[27] between 162.217.144.166[162.217.144.166]...68.196.152.146[192.168.1.9]
                Jan 22 09:13:19	charon: 15[IKE] deleting IKE_SA con1[27] between 162.217.144.166[162.217.144.166]...68.196.152.146[192.168.1.9]
                Jan 22 09:13:19	charon: 15[IKE] <con1|27>IKE_SA con1[27] state change: ESTABLISHED => DELETING
                Jan 22 09:13:19	charon: 15[IKE] IKE_SA con1[27] state change: ESTABLISHED => DELETING
                Jan 22 09:13:19	charon: 15[IKE] <con1|27>IKE_SA con1[27] state change: DELETING => DELETING
                Jan 22 09:13:19	charon: 15[IKE] IKE_SA con1[27] state change: DELETING => DELETING
                Jan 22 09:13:19	charon: 15[IKE] <con1|27>IKE_SA con1[27] state change: DELETING => DESTROYING
                Jan 22 09:13:19	charon: 15[IKE] IKE_SA con1[27] state change: DELETING => DESTROYING
                
                • robertwh

                  Here is the complete log: IPsec establishes, but I see nothing on the L2TP side.

                  I have tried setting NAT-T to force and to auto.

                  
                  Last 500 IPsec log entries
                  Jan 22 10:21:32	charon: 16[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
                  Jan 22 10:21:32	charon: 16[IKE] <40> received NAT-T (RFC 3947) vendor ID
                  Jan 22 10:21:32	charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
                  Jan 22 10:21:32	charon: 16[IKE] <40> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
                  Jan 22 10:21:32	charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
                  Jan 22 10:21:32	charon: 16[IKE] <40> received FRAGMENTATION vendor ID
                  Jan 22 10:21:32	charon: 16[IKE] received FRAGMENTATION vendor ID
                  Jan 22 10:21:32	charon: 16[IKE] <40> 68.196.152.146 is initiating a Main Mode IKE_SA
                  Jan 22 10:21:32	charon: 16[IKE] 68.196.152.146 is initiating a Main Mode IKE_SA
                  Jan 22 10:21:32	charon: 16[IKE] <40> remote host is behind NAT
                  Jan 22 10:21:32	charon: 16[IKE] remote host is behind NAT
                  Jan 22 10:21:32	charon: 16[IKE] <con1|40>IKE_SA con1[40] established between 162.217.144.166[162.217.144.166]...68.196.152.146[192.168.1.9]
                  Jan 22 10:21:32	charon: 16[IKE] IKE_SA con1[40] established between 162.217.144.166[162.217.144.166]...68.196.152.146[192.168.1.9]
                  Jan 22 10:21:32	charon: 16[IKE] <con1|40>DPD not supported by peer, disabled
                  Jan 22 10:21:32	charon: 16[IKE] DPD not supported by peer, disabled
                  Jan 22 10:21:32	charon: 07[IKE] <con1|40>received 3600s lifetime, configured 0s
                  Jan 22 10:21:32	charon: 07[IKE] received 3600s lifetime, configured 0s
                  Jan 22 10:21:32	charon: 07[IKE] <con1|40>received 250000000 lifebytes, configured 0
                  Jan 22 10:21:32	charon: 07[IKE] received 250000000 lifebytes, configured 0
                  Jan 22 10:21:32	charon: 07[IKE] <con1|40>CHILD_SA con1{40} established with SPIs c2ac3083_i 791710e4_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                  Jan 22 10:21:32	charon: 07[IKE] CHILD_SA con1{40} established with SPIs c2ac3083_i 791710e4_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                  Jan 22 10:21:32	charon: 09[IKE] <con1|40>received 3600s lifetime, configured 0s
                  Jan 22 10:21:32	charon: 09[IKE] received 3600s lifetime, configured 0s
                  Jan 22 10:21:32	charon: 09[IKE] <con1|40>received 250000000 lifebytes, configured 0
                  Jan 22 10:21:32	charon: 09[IKE] received 250000000 lifebytes, configured 0
                  Jan 22 10:21:32	charon: 09[IKE] <con1|40>detected rekeying of CHILD_SA con1{40}
                  Jan 22 10:21:32	charon: 09[IKE] detected rekeying of CHILD_SA con1{40}
                  Jan 22 10:21:32	charon: 07[IKE] <con1|40>CHILD_SA con1{40} established with SPIs ce98b678_i f53a2b36_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                  Jan 22 10:21:32	charon: 07[IKE] CHILD_SA con1{40} established with SPIs ce98b678_i f53a2b36_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                  Jan 22 10:21:32	charon: 14[IKE] <con1|40>received DELETE for ESP CHILD_SA with SPI 791710e4
                  Jan 22 10:21:32	charon: 14[IKE] received DELETE for ESP CHILD_SA with SPI 791710e4
                  Jan 22 10:21:32	charon: 14[IKE] <con1|40>closing CHILD_SA con1{40} with SPIs c2ac3083_i (0 bytes) 791710e4_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                  Jan 22 10:21:32	charon: 14[IKE] closing CHILD_SA con1{40} with SPIs c2ac3083_i (0 bytes) 791710e4_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                  Jan 22 10:21:35	charon: 14[IKE] <con1|40>received 3600s lifetime, configured 0s
                  Jan 22 10:21:35	charon: 14[IKE] received 3600s lifetime, configured 0s
                  Jan 22 10:21:35	charon: 14[IKE] <con1|40>received 250000000 lifebytes, configured 0
                  Jan 22 10:21:35	charon: 14[IKE] received 250000000 lifebytes, configured 0
                  Jan 22 10:21:35	charon: 14[IKE] <con1|40>detected rekeying of CHILD_SA con1{40}
                  Jan 22 10:21:35	charon: 14[IKE] detected rekeying of CHILD_SA con1{40}
                  Jan 22 10:21:35	charon: 14[IKE] <con1|40>CHILD_SA con1{40} established with SPIs c51633fb_i ca4d941f_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                  Jan 22 10:21:35	charon: 14[IKE] CHILD_SA con1{40} established with SPIs c51633fb_i ca4d941f_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                  Jan 22 10:21:35	charon: 16[IKE] <con1|40>received DELETE for ESP CHILD_SA with SPI f53a2b36
                  Jan 22 10:21:35	charon: 16[IKE] received DELETE for ESP CHILD_SA with SPI f53a2b36
                  Jan 22 10:21:35	charon: 16[IKE] <con1|40>closing CHILD_SA con1{40} with SPIs ce98b678_i (0 bytes) f53a2b36_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                  Jan 22 10:21:35	charon: 16[IKE] closing CHILD_SA con1{40} with SPIs ce98b678_i (0 bytes) f53a2b36_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                  Jan 22 10:21:39	charon: 16[IKE] <con1|40>received 3600s lifetime, configured 0s
                  Jan 22 10:21:39	charon: 16[IKE] received 3600s lifetime, configured 0s
                  Jan 22 10:21:39	charon: 16[IKE] <con1|40>received 250000000 lifebytes, configured 0
                  Jan 22 10:21:39	charon: 16[IKE] received 250000000 lifebytes, configured 0
                  Jan 22 10:21:39	charon: 16[IKE] <con1|40>detected rekeying of CHILD_SA con1{40}
                  Jan 22 10:21:39	charon: 16[IKE] detected rekeying of CHILD_SA con1{40}
                  Jan 22 10:21:39	charon: 16[IKE] <con1|40>CHILD_SA con1{40} established with SPIs c0f69931_i fff6c3f5_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                  Jan 22 10:21:39	charon: 16[IKE] CHILD_SA con1{40} established with SPIs c0f69931_i fff6c3f5_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                  Jan 22 10:21:39	charon: 10[IKE] <con1|40>received DELETE for ESP CHILD_SA with SPI ca4d941f
                  Jan 22 10:21:39	charon: 10[IKE] received DELETE for ESP CHILD_SA with SPI ca4d941f
                  Jan 22 10:21:39	charon: 10[IKE] <con1|40>closing CHILD_SA con1{40} with SPIs c51633fb_i (0 bytes) ca4d941f_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                  Jan 22 10:21:39	charon: 10[IKE] closing CHILD_SA con1{40} with SPIs c51633fb_i (0 bytes) ca4d941f_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                  Jan 22 10:21:47	charon: 10[IKE] <con1|40>received 3600s lifetime, configured 0s
                  Jan 22 10:21:47	charon: 10[IKE] received 3600s lifetime, configured 0s
                  Jan 22 10:21:47	charon: 10[IKE] <con1|40>received 250000000 lifebytes, configured 0
                  Jan 22 10:21:47	charon: 10[IKE] received 250000000 lifebytes, configured 0
                  Jan 22 10:21:47	charon: 10[IKE] <con1|40>detected rekeying of CHILD_SA con1{40}
                  Jan 22 10:21:47	charon: 10[IKE] detected rekeying of CHILD_SA con1{40}
                  Jan 22 10:21:47	charon: 10[IKE] <con1|40>CHILD_SA con1{40} established with SPIs c9cfefb5_i 4d93f9c0_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                  Jan 22 10:21:47	charon: 10[IKE] CHILD_SA con1{40} established with SPIs c9cfefb5_i 4d93f9c0_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                  Jan 22 10:21:47	charon: 07[IKE] <con1|40>received DELETE for ESP CHILD_SA with SPI fff6c3f5
                  Jan 22 10:21:47	charon: 07[IKE] received DELETE for ESP CHILD_SA with SPI fff6c3f5
                  Jan 22 10:21:47	charon: 07[IKE] <con1|40>closing CHILD_SA con1{40} with SPIs c0f69931_i (0 bytes) fff6c3f5_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                  Jan 22 10:21:47	charon: 07[IKE] closing CHILD_SA con1{40} with SPIs c0f69931_i (0 bytes) fff6c3f5_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                  Jan 22 10:21:57	charon: 07[IKE] <con1|40>received 3600s lifetime, configured 0s
                  Jan 22 10:21:57	charon: 07[IKE] received 3600s lifetime, configured 0s
                  Jan 22 10:21:57	charon: 07[IKE] <con1|40>received 250000000 lifebytes, configured 0
                  Jan 22 10:21:57	charon: 07[IKE] received 250000000 lifebytes, configured 0
                  Jan 22 10:21:57	charon: 07[IKE] <con1|40>detected rekeying of CHILD_SA con1{40}
                  Jan 22 10:21:57	charon: 07[IKE] detected rekeying of CHILD_SA con1{40}
                  Jan 22 10:21:57	charon: 07[IKE] <con1|40>CHILD_SA con1{40} established with SPIs c13e2917_i d30e718f_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                  Jan 22 10:21:57	charon: 07[IKE] CHILD_SA con1{40} established with SPIs c13e2917_i d30e718f_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                  Jan 22 10:21:57	charon: 10[IKE] <con1|40>received DELETE for ESP CHILD_SA with SPI 4d93f9c0
                  Jan 22 10:21:57	charon: 10[IKE] received DELETE for ESP CHILD_SA with SPI 4d93f9c0
                  Jan 22 10:21:57	charon: 10[IKE] <con1|40>closing CHILD_SA con1{40} with SPIs c9cfefb5_i (0 bytes) 4d93f9c0_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                  Jan 22 10:21:57	charon: 10[IKE] closing CHILD_SA con1{40} with SPIs c9cfefb5_i (0 bytes) 4d93f9c0_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
                  
                  • eri--

                    Probably you have to disable rekey on this tunnel.

                    • robertwh

                      Here are my settings below, and it doesn't work.

                      PHASE 1 SETTINGS

                      Phase 1 proposal (Authentication):
                      Authentication method: Mutual PSK
                      Negotiation mode: Main
                      My Identifier: My IP address

                      Phase 1 proposal (Algorithms):
                      Encryption algorithm: 3DES
                      Hash algorithm: SHA1
                      DH key group: 2 (1024 bit)
                      Lifetime: 28800 seconds

                      Advanced options:
                      Disable rekey is off
                      Disable reauth is off
                      NAT Traversal is Auto
                      Dead Peer Detection is enabled

                      PHASE 2 SETTINGS

                      Phase 2 settings are all the defaults except MODE which should be transport so:

                      MODE: Transport (this one f'd me up for a while, I kept setting it to tunnel)
                      Protocol: ESP
                      Encryption algorithms: AES (128 bits), 3DES, CAST128, DES
                      Hash algorithms: MD5, SHA1, SHA256, SHA384, SHA512, AES-XCBC
                      PFS key group: off
                      Lifetime: 3600 seconds

                      On the mobile clients tab:

                      Enable IPsec mobile client support is checked
                      Everything else on this tab is unchecked
                      User Authentication is set to "Local Database" (which isn't actually used because Xauth isn't on in P1)
                      Group Authentication is set to none

                      On the Pre-Shared Keys tabs:
                      Add a single PSK with the identifier "allusers", set this to something strong

                      Firewall NAT:

                      • No special NAT rules added, outbound NAT is automatic

                      Firewall rules:

                      • No special WAN rules added
                      • No IPsec rules added
                      • L2TP VPN: add a rule for the VPN traffic you want to allow. I have a "pass-everything" rule here. Note that if you add a rule, by default you get a pass-all-TCP rule, not a pass-everything rule.

                      L2TP VPN setup:
                      L2TP server is Enabled
                      Interface: LAN
                      Remote address range: a range that is a subset of the LAN subnet, that starts on a /29 boundary.  I picked 192.168.x.208
                      Subnet mask: /29
                      Number of l2tp users: 8
                      Secret: (blank)
                      Authentication type: CHAP
                      Server address: is the next ip outside the remote address range, 192.168.x.216 in my case.

                      • jimp (Rebel Alliance Developer Netgate)

                        @robertwh:

                        Interface: LAN

                        Should be WAN, not LAN (See https://doc.pfsense.org/index.php/L2TP/IPsec )

                        • robertwh

                          I have tried both; it doesn't seem to matter for L2TP.

                          I can still establish a connection from the phone but not from the Windows client.

                          • jimp (Rebel Alliance Developer Netgate)

                            @robertwh:

                            I have tried both; it doesn't seem to matter for L2TP.

                            I can still establish a connection from the phone but not from the Windows client.

                            The interface matters for L2TP. The transport mode IPsec tunnel is built between the client's IP address and the WAN IP address of the firewall. The L2TP client will send the L2TP request to the WAN IP of the firewall.

                            Using the exact settings on the guide, a Windows 8.1 client will connect and route. I haven't tried other versions of Windows though.

                            • robertwh

                              Jimp, what version of the snapshot are you using?

                              • jimp (Rebel Alliance Developer Netgate)

                                I've tried it with the most recent public build and with some of the newer builds we have been testing internally in preparation for release.

                                • robertwh

                                  I have matched the configuration letter for letter and no matter what I do I cannot connect from Windows 8.1 / 7.

                                  The one confusing part is in L2TP:

                                  Current LAN: 192.168.1.1/24

                                  Server Address 192.168.1.2
                                  first starting 192.168.1.128/25

                                  Is this correct?

                                  • jimp (Rebel Alliance Developer Netgate)

                                    @robertwh:

                                    I have matched the configuration letter for letter and no matter what I do I cannot connect from Windows 8.1 / 7.

                                    The one confusing part is in L2TP:

                                    Current LAN: 192.168.1.1/24

                                    Server Address 192.168.1.2
                                    first starting 192.168.1.128/25

                                    Is this correct?

                                    While that technically should work, I have not tested overlapping the LAN. It's best to use a different subnet.

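The address plan discussed above (a client range that starts on a boundary of its own prefix, the server address just outside that range, and jimp's advice that overlapping the LAN works via proxy ARP but a separate subnet is better) can be checked mechanically. The following Python is an added example, not code from the thread or from pfSense: `ipcp_ranges` reproduces the per-link `set ipcp ranges` lines from the mpd.conf AndrewZ posted earlier, and `check_l2tp_plan` is a hypothetical helper that applies the rules stated in the thread; the `ERROR`/`WARNING`/`INFO` labels and the function names are this example's own.

```python
import ipaddress


def ipcp_ranges(server_addr, range_start, n_users):
    """Return the per-link 'set ipcp ranges' lines mpd4 uses for n_users clients.

    Each l2tpN link gets the server address as its local end and one
    consecutive client address as the remote end, both as /32, which is the
    layout of the mpd.conf posted earlier in the thread.
    """
    server = ipaddress.ip_address(server_addr)
    first = ipaddress.ip_address(range_start)
    return [f"set ipcp ranges {server}/32 {first + i}/32" for i in range(n_users)]


def check_l2tp_plan(lan_cidr, range_start, prefix_len, n_users, server_addr):
    """Check an L2TP client address plan against the rules given in the thread.

    Returns a list of finding strings; the labels are this example's own.
    """
    findings = []
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    # strict=False lets us compute where the block really starts so the
    # boundary error can say so instead of raising.
    pool = ipaddress.ip_network(f"{range_start}/{prefix_len}", strict=False)
    if str(pool.network_address) != range_start:
        findings.append(f"ERROR: {range_start} is not on a /{prefix_len} boundary "
                        f"(that /{prefix_len} block starts at {pool.network_address})")
    if pool.num_addresses < n_users:
        findings.append(f"ERROR: /{prefix_len} holds {pool.num_addresses} addresses, "
                        f"fewer than the {n_users} users configured")
    server = ipaddress.ip_address(server_addr)
    if server in pool:
        findings.append(f"ERROR: server address {server} lies inside the client pool {pool}")
    if pool.overlaps(lan):
        findings.append(f"WARNING: client pool {pool} overlaps LAN {lan}: pfSense proxy-ARPs "
                        "for the overlap so clients work, but a separate subnet is recommended")
    else:
        findings.append(f"INFO: client pool {pool} is a separate subnet; mpd will log "
                        "'no interface to proxy arp on' for each client address, which is harmless")
    return findings


if __name__ == "__main__":
    # robertwh's working plan: LAN /24, clients .208/29, server .216
    for line in check_l2tp_plan("192.168.1.0/24", "192.168.1.208", 29, 8, "192.168.1.216"):
        print(line)
    # AndrewZ's plan: clients on their own subnet, as in the posted mpd.conf
    print("\n".join(ipcp_ranges("192.168.32.1", "192.168.32.128", 8)))
```

Run it against any of the plans quoted in the thread: robertwh's /29 inside the LAN produces only the overlap warning, the .128/25 plan jimp calls "technically should work" produces the same warning, and a start address such as .210/29 is flagged as off-boundary with the real block start named.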
                                    • AndrewZ

                                      Got it partially working…
                                      1. This floating rule for TCP is important, but I didn't see the records in the log until #2 below.
                                      2. The most annoying: I had to enable "Send All Traffic" on the iPad in order to access my local resources. Without this I had no traffic coming to PF over the tunnel.

                                      Any idea how to avoid this #2 and send over the VPN only the traffic for my LAN?

                                      • opti2k4

                                        Robert,

                                        did you make any progress? I am having the same issue, not seeing anything inside the log related to L2TP. Tried Android and Win 8.1, both not working. I am simply not getting an L2TP response from the server even though it's on the WAN interface.

                                        • Phoenix

                                          If any forum admin reads this: please open a category for L2TP, like there is one for IPsec, PPTP and OpenVPN.

                                          I have the same trouble. I am very confident that it is no IPsec issue. I do believe it is an issue with the network stack somehow; see my insights below:

                                          I locate the mpd4 PID
                                          [2.2-RELEASE][root@vicinity.dominion.ch]/var/etc: ps ax | grep mpd
                                          7069  -  Ss    0:02.69 /usr/local/sbin/mpd5 -b -k -d /var/etc -f mpd_wan.conf -p /var/run/pppoe_wan.pid -s ppp pppoeclient
                                          37089  -  Ss    0:00.02 /usr/local/sbin/mpd4 -b -k -d /var/etc/l2tp-vpn -p /var/run/l2tp-vpn.pid -s l2tps l2tps
                                          54867  0  S+    0:00.01 grep mpd

                                          and KILL it
                                          [2.2-RELEASE][root@vicinity.dominion.ch]/var/etc: kill 37089

                                          I start a background tcpdump on the pflog interface; the IP is the public IP I originate from (NATed, of course)
                                          [2.2-RELEASE][root@vicinity.dominion.ch]/var/etc: tcpdump -n -e -ttt -i pflog0 host 194.230.155.137 &
                                          [1] 29082
                                          [2.2-RELEASE][root@vicinity.dominion.ch]/var/etc: tcpdump: WARNING: pflog0: no IPv4 address assigned
                                          tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
                                          listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
                                          capability mode sandbox enabled

                                          I start a fake daemon with netcat
                                          [2.2-RELEASE][root@vicinity.dominion.ch]/var/etc: nc -l -u 1701
                                          00:00:00.000000 rule 104..16777216/0(match): pass in on pppoe1: 194.230.155.137.43933 > 212.25.10.250.500: isakmp: phase 1 I ident
                                          00:00:03.975271 rule 89..16777216/0(match): pass in on enc0: 194.230.155.137.55697 > 212.25.10.250.1701:  l2tp:TLSNs=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *HOST_NAME(anonymous) *FRAMING_CAP(AS) *ASSND_TUN_ID(63285) *RECV_WIN_SIZE(1)
                                          ^C

                                          I do see traffic PASS on enc0, but I see no traffic hitting netcat - that is probably why I see NO LOGS.

                                          At that point I am lost, I don't know where my packet vanishes.

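The diagnosis in this thread proceeds layer by layer: jimp reads the charon log to confirm the IPsec part connected and sends robertwh to the L2TP side, eri-- suspects the rapid CHILD_SA rekeying, and Phoenix uses a pflog capture on enc0 to show the L2TP SCCRQ arriving without an answer. The Python below is an added triage script, not code from the thread, pfSense or strongSwan. It takes the IPsec log lines as the pfSense viewer shows them (including the doubled, `<con1|40>`-tagged copies the forum produced) and tcpdump output from pflog0, and reports how far the attempt got. The sample lines are abridged copies of the logs posted above; the regexes, the "three rekeys inside a minute" threshold and the verdict wording are this example's own assumptions.

```python
import re
from datetime import datetime

# Patterns for the strongSwan (charon) lines and the pflog/tcpdump lines seen in this thread.
TAG = re.compile(r"<[^>]*>")            # forum-mangled "<con1|40>" / "<40>" prefixes
STAMP = re.compile(r"^(\w{3} \d+ \d\d:\d\d:\d\d)")
IKE_UP = re.compile(r"IKE_SA \S+\[\d+\] established")
CHILD_UP = re.compile(r"CHILD_SA \S+\{\d+\} established .* TS (\S+)\|/0\[udp/l2f\] === (\S+)\|/0\[udp/l2f\]")
REKEY = re.compile(r"detected rekeying of CHILD_SA")
NAT = re.compile(r"remote host is behind NAT")
# tcpdump decodes UDP/1701 as l2tp and prints the control message type (SCCRQ, SCCRP, ...).
L2TP = re.compile(r"pass (in|out) on (\S+): (\S+) > (\S+): l2tp:.*\*MSGTYPE\((\w+)\)")


def normalise(lines):
    """Strip the tags the forum turned into HTML, collapse whitespace, and drop the
    duplicate line each tagged entry produced, so counts (e.g. rekeys) are not doubled."""
    out, prev = [], None
    for raw in lines:
        line = " ".join(TAG.sub("", raw).split())
        if line and line != prev:
            out.append(line)
        prev = line
    return out


def verdict(obs):
    """Map the observations to the layer a practitioner should look at next."""
    if not obs["ike_established"]:
        return "IKE_SA never established: phase 1 (PSK, proposals, NAT-T) is the place to look"
    if not obs["child_established"]:
        return "phase 1 up but no CHILD_SA: check the phase 2 proposal and that its mode is transport"
    if obs["rekeys"] >= 3 and obs["rekey_span_s"] <= 60:
        return (f"CHILD_SA rekeyed {obs['rekeys']} times in {obs['rekey_span_s']}s: rekey churn, "
                "try disabling rekey on this tunnel")
    if obs["sccrq_seen_on"] is None:
        return "IPsec up but no L2TP SCCRQ was passed by the firewall: no L2TP request got through"
    if not obs["sccrp_sent"]:
        return (f"L2TP SCCRQ passed in on {obs['sccrq_seen_on']} but no SCCRP went back: the L2TP "
                "server did not answer; check which interface it is bound to (WAN) and the L2TP VPN rules")
    return "IPsec and the L2TP control channel are up: look at PPP authentication / IPCP next"


def triage(charon_lines, pflog_lines):
    """Classify how far an L2TP/IPsec attempt got from the IPsec log and a pflog capture."""
    obs = {"nat_t": False, "ike_established": False, "child_established": False,
           "rekeys": 0, "rekey_span_s": 0, "selectors": None,
           "sccrq_seen_on": None, "sccrp_sent": False}
    rekey_times = []
    for line in normalise(charon_lines):
        obs["nat_t"] |= bool(NAT.search(line))
        obs["ike_established"] |= bool(IKE_UP.search(line))
        m = CHILD_UP.search(line)
        if m:
            obs["child_established"] = True
            obs["selectors"] = (m.group(1), m.group(2))   # host/32 on both sides: transport mode
        if REKEY.search(line):
            obs["rekeys"] += 1
            s = STAMP.match(line)
            if s:
                rekey_times.append(datetime.strptime(s.group(1), "%b %d %H:%M:%S"))
    if len(rekey_times) >= 2:
        obs["rekey_span_s"] = int((max(rekey_times) - min(rekey_times)).total_seconds())
    for line in normalise(pflog_lines):
        m = L2TP.search(line)
        if not m:
            continue
        direction, iface, _src, _dst, msgtype = m.groups()
        if msgtype == "SCCRQ" and direction == "in":
            obs["sccrq_seen_on"] = iface
        if msgtype == "SCCRP":
            obs["sccrp_sent"] = True
    obs["verdict"] = verdict(obs)
    return obs


# Sample input: abridged copies of the IPsec log and pflog capture posted in this thread,
# doubled and tag-prefixed exactly as the forum rendered them.
CHARON_SAMPLE = [
    "Jan 22 10:21:32 charon: 16[IKE] <40> remote host is behind NAT",
    "Jan 22 10:21:32 charon: 16[IKE] remote host is behind NAT",
    "Jan 22 10:21:32 charon: 16[IKE] <con1|40>IKE_SA con1[40] established between 162.217.144.166[162.217.144.166]...68.196.152.146[192.168.1.9]",
    "Jan 22 10:21:32 charon: 16[IKE] IKE_SA con1[40] established between 162.217.144.166[162.217.144.166]...68.196.152.146[192.168.1.9]",
    "Jan 22 10:21:32 charon: 07[IKE] <con1|40>CHILD_SA con1{40} established with SPIs c2ac3083_i 791710e4_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]",
    "Jan 22 10:21:32 charon: 07[IKE] CHILD_SA con1{40} established with SPIs c2ac3083_i 791710e4_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]",
    "Jan 22 10:21:32 charon: 09[IKE] <con1|40>detected rekeying of CHILD_SA con1{40}",
    "Jan 22 10:21:32 charon: 09[IKE] detected rekeying of CHILD_SA con1{40}",
    "Jan 22 10:21:35 charon: 14[IKE] <con1|40>detected rekeying of CHILD_SA con1{40}",
    "Jan 22 10:21:35 charon: 14[IKE] detected rekeying of CHILD_SA con1{40}",
    "Jan 22 10:21:39 charon: 16[IKE] <con1|40>detected rekeying of CHILD_SA con1{40}",
    "Jan 22 10:21:39 charon: 16[IKE] detected rekeying of CHILD_SA con1{40}",
]
PFLOG_SAMPLE = [
    "00:00:00.000000 rule 104..16777216/0(match): pass in on pppoe1: 194.230.155.137.43933 > 212.25.10.250.500: isakmp: phase 1 I ident",
    "00:00:03.975271 rule 89..16777216/0(match): pass in on enc0: 194.230.155.137.55697 > 212.25.10.250.1701:  l2tp:TLSNs=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0)",
]

if __name__ == "__main__":
    for name, c, p in (("windows client", CHARON_SAMPLE, []),
                       ("netcat test", CHARON_SAMPLE[:6], PFLOG_SAMPLE)):
        print(f"{name}: {triage(c, p)['verdict']}")
```

Fed robertwh's log, the script counts three rekeys in seven seconds and flags the churn eri-- pointed at; fed the first six lines plus Phoenix's pflog capture, it reports the SCCRQ passing in on enc0 with no SCCRP back, which is exactly the "IPsec up, L2TP silent" state both of them describe.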
                                          • meta4

                                            I'm unable to get a working config using:

                                            https://doc.pfsense.org/index.php?title=L2TP/IPsec&oldid=7045

                                            I also altered the config using the setup posted by themaninblack earlier in this thread, without any success.

                                            Trying to connect from an OS X client and iOS.
