Netgate Discussion Forum
    OSX 10.10 cannot connect to pfSense IPSec/L2TP. Multiple server setup possible?

    lifeboy:

      pfSense is set up as described here, except that some of the options are not shown in pfSense 2.2 any more.

      I can connect from Linux (Ubuntu) & Mikrotik successfully.

      However, OSX just plays dumb.  Using OSX 10.10.2 with the native client as described here, I get the following in the /var/log/system.log regardless of what changes I try on the server.  There's pretty much nothing to change on the client.  It has so few options to set.

      Mar 16 23:23:12 Carel-Macbook-Pro.local pppd[6789]: pppd 2.4.2 (Apple version 786.10.1) started by carelvandermerwe, uid 501
      Mar 16 23:23:12 Carel-Macbook-Pro.local pppd[6789]: l2tp_get_router_address
      Mar 16 23:23:12 Carel-Macbook-Pro.local pppd[6789]: l2tp_get_router_address 192.168.88.1 from dict 1
      Mar 16 23:23:12 Carel-Macbook-Pro.local pppd[6789]: L2TP connecting to server '41.yy.xx.130' (41.71.68.130)...
      Mar 16 23:23:12 Carel-Macbook-Pro.local pppd[6789]: IPSec connection started
      Mar 16 23:23:12 Carel-Macbook-Pro.local racoon[6790]: plogsetfile: about to add racoon log file: /var/log/racoon.log
      Mar 16 23:23:12 Carel-Macbook-Pro.local racoon[6790]: accepted connection on vpn control socket.
      Mar 16 23:23:12 --- last message repeated 1 time ---
      Mar 16 23:23:12 Carel-Macbook-Pro.local racoon[6790]: Connecting.
      Mar 16 23:23:12 Carel-Macbook-Pro.local racoon[6790]: IPSec Phase 1 started (Initiated by me).
      Mar 16 23:23:12 --- last message repeated 1 time ---
      Mar 16 23:23:12 Carel-Macbook-Pro.local racoon[6790]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
      Mar 16 23:23:12 Carel-Macbook-Pro.local racoon[6790]: >>>>> phase change status = Phase 1 started by us
      Mar 16 23:23:13 --- last message repeated 1 time ---
      Mar 16 23:23:13 Carel-Macbook-Pro.local racoon[6790]: none message must be encrypted
      Mar 16 23:23:16 --- last message repeated 1 time ---
      Mar 16 23:23:16 Carel-Macbook-Pro.local racoon[6790]: IKE Packet: transmit success. (Phase 1 Retransmit).
      Mar 16 23:23:16 Carel-Macbook-Pro.local racoon[6790]: none message must be encrypted
      Mar 16 23:23:19 --- last message repeated 1 time ---
      Mar 16 23:23:19 Carel-Macbook-Pro.local racoon[6790]: IKE Packet: transmit success. (Phase 1 Retransmit).
      Mar 16 23:23:19 Carel-Macbook-Pro.local racoon[6790]: none message must be encrypted
      Mar 16 23:23:22 --- last message repeated 1 time ---
      Mar 16 23:23:22 Carel-Macbook-Pro.local racoon[6790]: IKE Packet: transmit success. (Phase 1 Retransmit).
      Mar 16 23:23:22 Carel-Macbook-Pro.local racoon[6790]: none message must be encrypted
      Mar 16 23:23:22 --- last message repeated 1 time ---
      Mar 16 23:23:22 Carel-Macbook-Pro.local pppd[6789]: IPSec connection failed
      Mar 16 23:23:22 Carel-Macbook-Pro.local racoon[6790]: IPSec disconnecting from server 41.yy.xx.130
      Mar 16 23:23:22 --- last message repeated 1 time ---
      Mar 16 23:23:22 Carel-Macbook-Pro.local racoon[6790]: glob found no matches for path "/var/run/racoon/*.conf"

      I have unloaded (stopped) and loaded (started) racoon on the Mac, it makes no difference.

      I'm at a loss for other options.

      Does this work on a Mac?  I have even installed IPSecuritas, but it also gives a very similar error, so I uninstalled it again.

      (Update: Also tested on OSX 10.6, same problem)

    lifeboy:
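The log above shows the whole failure in one pass: pppd starts the IPsec leg, racoon sends aggressive-mode message 1, logs "none message must be encrypted" for what comes back, retransmits twice more, and pppd reports "IPSec connection failed". The following parser, added here as an illustration and not part of the original post, extracts exactly that sequence from Apple pppd/racoon syslog lines so the attempt can be summarised without reading the raw log; the host name and server address in the sample are constructed placeholders.

```python
import re

# Constructed sample, modelled on the pppd/racoon lines quoted in the post above
# (host name and server address are placeholders, not the poster's values).
SAMPLE_LOG = """\
Mar 16 23:23:12 mac pppd[6789]: L2TP connecting to server '203.0.113.10' (203.0.113.10)...
Mar 16 23:23:12 mac pppd[6789]: IPSec connection started
Mar 16 23:23:12 mac racoon[6790]: IPSec Phase 1 started (Initiated by me).
Mar 16 23:23:12 mac racoon[6790]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Mar 16 23:23:13 --- last message repeated 1 time ---
Mar 16 23:23:13 mac racoon[6790]: none message must be encrypted
Mar 16 23:23:16 mac racoon[6790]: IKE Packet: transmit success. (Phase 1 Retransmit).
Mar 16 23:23:16 mac racoon[6790]: none message must be encrypted
Mar 16 23:23:19 mac racoon[6790]: IKE Packet: transmit success. (Phase 1 Retransmit).
Mar 16 23:23:19 mac racoon[6790]: none message must be encrypted
Mar 16 23:23:22 mac pppd[6789]: IPSec connection failed
"""

# syslog prefix, then the daemon name and pid, then the free-text message
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ (?P<proc>pppd|racoon)\[\d+\]: (?P<msg>.*)$")

def analyse_ike_log(text):
    """Summarise one L2TP/IPsec attempt from Apple pppd/racoon syslog lines."""
    s = {"server": None, "mode": None, "retransmits": 0,
         "rejected_replies": 0, "result": "unknown"}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # "--- last message repeated N time ---" and other noise
        msg = m.group("msg")
        if m.group("proc") == "pppd":
            srv = re.search(r"connecting to server '([^']+)'", msg)
            if srv:
                s["server"] = srv.group(1)
            elif msg == "IPSec connection failed":
                s["result"] = "failed"
        else:  # racoon
            if "Aggressive-Mode message 1" in msg:
                s["mode"] = "aggressive"
            elif "Phase 1 Retransmit" in msg:
                s["retransmits"] += 1
            elif msg.endswith("message must be encrypted"):
                s["rejected_replies"] += 1  # racoon dropped an inbound packet it expected to be encrypted
    return s

def diagnose(s):
    """One-line verdict for the troubleshooter, derived only from the counters above."""
    if s["result"] == "failed" and s["rejected_replies"]:
        return ("phase 1 never completed: %d inbound packet(s) from %s rejected as not encrypted "
                "after %d retransmit(s); compare the client's %s-mode phase 1 settings with the server's"
                % (s["rejected_replies"], s["server"], s["retransmits"], s["mode"]))
    if s["result"] == "failed":
        return "phase 1 failed with no reply after %d retransmit(s)" % s["retransmits"]
    return "no failure recorded"
```

Feed it `/var/log/system.log` filtered to one connection attempt (the pppd pid changes per attempt) and the verdict tells you whether the server is answering at all or answering with something racoon refuses.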

        I've actually tested this on older versions of OSX.  10.6 doesn't work either and gives the same result.

        Is it possible to set up different phase1/2 setups for different clients?  I have permanent connections via VPN that work well and I don't want to break them, so if I could set up a different set of server settings, maybe that would allow me to connect?  I don't know how this would work though…

        okaenrique:

          https://forum.pfsense.org/index.php?topic=92197.0

          MrMoo:

            I have vanilla IPsec from OS X and iOS working to StrongSWAN but fails when using IPsec + L2TP.  Using another StrongSWAN client, ChromeOS, works fine so something special with Apple I would think.

            dennypage:

              Forgive me for what may be a stupid question, but why do you want to use L2TP?

              @MrMoo:

              I have vanilla IPsec from OS X and iOS working to StrongSWAN but fails when using IPsec + L2TP.

              MrMoo:

                @dennypage:

                Forgive me for what may be a stupid question, but why do you want to use L2TP?

                iOS only has limited IKEv2 support through its enterprise deployment tools.

                dennypage:

                  Perhaps another stupid question…

                  Why is L2TP related to IKEv2?

                  IKEv2 is certainly desirable for IPSEC. However, L2TP doesn't come into play until after the IPSEC tunnel has been established, and doesn't offer any security of its own...

                  @MrMoo:

                  iOS only has limited IKEv2 support through its enterprise deployment tools.

                  MrMoo:

                    @dennypage:

                    Why is L2TP related to IKEv2?

                    L2TP is used to pass multiple VLANs over a single IPsec connection, but in implementation it often requires two additional daemons, xl2tpd and pppd. IKEv2 allows you to specify multiple subnets for leftsubnet= and rightsubnet=.

                    dennypage:

                      I wasn't aware of that. Thanks.

                      @MrMoo:

                      IKEv2 allows you to specify multiple subnets for leftsubnet= and rightsubnet=.
