Netgate Discussion Forum

    IPSec/L2TP with pfSense 2.2

    Category: IPsec
    118 Posts 48 Posters 109.3k Views
      relfie:

      Hi ….

      I too am struggling with the L2TP/IPsec setup. I have followed this doc https://doc.pfsense.org/index.php/L2TP/IPsec and it appears that IPsec is negotiating, but I am seeing the message "L2TP: connect: Address already in use" in l2tps.log. Can anyone help with diagnosing or fixing this?

      Log extracts here :

      IPSEC.LOG

      charon: 08[IKE] <2049> received NAT-T (RFC 3947) vendor ID
      charon: 08[IKE] received NAT-T (RFC 3947) vendor ID
      charon: 08[IKE] <2049> received draft-ietf-ipsec-nat-t-ike vendor ID
      charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
      charon: 08[IKE] <2049> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
      charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
      charon: 08[IKE] <2049> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
      charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
      charon: 08[IKE] <2049> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
      charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
      charon: 08[IKE] <2049> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
      charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
      charon: 08[IKE] <2049> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
      charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
      charon: 08[IKE] <2049> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      charon: 08[IKE] <2049> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      charon: 08[IKE] <2049> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      charon: 08[IKE] <2049> received FRAGMENTATION vendor ID
      charon: 08[IKE] received FRAGMENTATION vendor ID
      charon: 08[IKE] <2049> received DPD vendor ID
      charon: 08[IKE] received DPD vendor ID
      charon: 08[IKE] <2049> aa.aa.aa.aaa is initiating a Main Mode IKE_SA
      charon: 08[IKE] aa.aa.aa.aaa is initiating a Main Mode IKE_SA
      charon: 08[IKE] <2049> remote host is behind NAT
      charon: 08[IKE] remote host is behind NAT
      charon: 08[CFG] <2049> looking for pre-shared key peer configs matching bb.bb.bb.bb…aa.aa.aa.aaa[192.168.44.96]
      charon: 08[CFG] looking for pre-shared key peer configs matching bb.bb.bb.bb…aa.aa.aa.aaa[192.168.44.96]
      charon: 08[CFG] <2049> selected peer config "con15"
      charon: 08[CFG] selected peer config "con15"
      charon: 08[IKE] <con15|2049> IKE_SA con15[2049] established between bb.bb.bb.bb[bb.bb.bb.bb]…aa.aa.aa.aaa[192.168.44.96]
      charon: 08[IKE] IKE_SA con15[2049] established between bb.bb.bb.bb[bb.bb.bb.bb]…aa.aa.aa.aaa[192.168.44.96]
      charon: 08[IKE] <con15|2049> scheduling reauthentication in 28003s
      charon: 08[IKE] scheduling reauthentication in 28003s
      charon: 08[IKE] <con15|2049> maximum IKE_SA lifetime 28543s
      charon: 08[IKE] maximum IKE_SA lifetime 28543s
      charon: 16[IKE] <con15|2049> CHILD_SA con15{35} established with SPIs cda22b5e_i 0ae4a0dc_o and TS bb.bb.bb.bb/32|/0[udp/l2f] === aa.aa.aa.aaa/32|/0[udp/56000]
      charon: 16[IKE] CHILD_SA con15{35} established with SPIs cda22b5e_i 0ae4a0dc_o and TS bb.bb.bb.bb/32|/0[udp/l2f] === aa.aa.aa.aaa/32|/0[udp/56000]

      L2TPS.LOG

      4slgbmernfw01 l2tps: Incoming L2TP packet from aa.aa.aa.aaa 56000
      4slgbmernfw01 l2tps: Incoming L2TP packet from aa.aa.aa.aaa 56000
      4slgbmernfw01 l2tps: L2TP: connect: Address already in use
      4slgbmernfw01 l2tps: Incoming L2TP packet from aa.aa.aa.aaa 56000
      4slgbmernfw01 l2tps: L2TP: connect: Address already in use
      4slgbmernfw01 l2tps: Incoming L2TP packet from aa.aa.aa.aaa 56000
      4slgbmernfw01 l2tps: L2TP: connect: Address already in use
      4slgbmernfw01 l2tps: Incoming L2TP packet from aa.aa.aa.aaa 56000
      4slgbmernfw01 l2tps: L2TP: connect: Address already in use
      4slgbmernfw01 l2tps: Incoming L2TP packet from aa.aa.aa.aaa 56000
      4slgbmernfw01 l2tps: L2TP: connect: Address already in use
      4slgbmernfw01 l2tps: Incoming L2TP packet from aa.aa.aa.aaa 56000
      4slgbmernfw01 l2tps: L2TP: connect: Address already in use
      4slgbmernfw01 l2tps: L2TP: Control connection 0x803456308 terminated: 6 (expecting reply; none received)
      4slgbmernfw01 l2tps: L2TP: Control connection 0x803456308 destroyed

        Slasky:

        @d-ron23:

        > > I've set up IPsec with IKE and it works like a charm on my mobile phone. I can access internal web servers and such when I'm connected and the internet is provided over 4G.
        >
        > Can you provide your config?

        Since I posted this, the setup stopped working. Not sure why, but it might have something to do with recent package installations, although it shouldn't.

        Below are attached images of my setup. I set this up after a guide I found on this forum. Mobile phones tend to use IKEv1, so if you are using mobile phones and laptops, use Auto for Version. With this, IKEv2 should be available too.

        Not sure if you need to allow certain ports on the WAN interface (like port 500 and 4500), but I have added those just to be sure.

        I also set a rule that allows all IPsec network clients to my LAN.

        Once connected I could reach my local web servers with the local IPs without any issues.

        Attachments: IPSec1.png, MobileClients.png, Phase2-1.png, Phase2-2.png, Tunnels.png

          sergiosmvc:

          Hello,

          With the new release 2.2.1, has anyone been able to establish an L2TP/IPsec connection with the Windows 7 / 8 native client?

            ipitcher:

            I'm seeing the same behavior on 2.2.1, which is IPsec connecting but no L2TP activity, i.e. "l2tps: L2TP: connect: Address already in use" messages in the VPN log.

              almabes:

              I am seeing the same behavior as well. I am running 2.2.1 on several customer firewalls. I have configured IPsec/L2TP per JimP's instructions. My clients are a Windows 7 box NAT'd behind another pfSense 2.2.1 box, and an Android device, either connected to 4G (NAT'd by VZW) or Wi-Fi behind the same pfSense box. The IPsec portion connects and establishes an SA, but I never see anything show up in the L2TP log.
              I have added rules on the WAN side to allow traffic from * to UDP 500, 4500 and 1701. I have added a rule to allow traffic from IPsec to any.

                stoofz:

                Same issue here with the L2TP / IPsec VPN, sigh. PPTP and OpenVPN both work flawlessly.

                  farion:

                  Spent the last 3 days trying to get IPsec/L2TP on pfSense working, with no success.
                  Correctly followed these instructions, and some others, but got the same issue: clean logs on the L2TP log tab, but the IPsec tunnel seems to be working (no error in the IPsec log tab).

                  I hope the community will find a solution to the problem. I REALLY need VPN working without third-party apps, and I don't want to use OpenVPN for the enterprise right now (not my decision).

                  @stoofz:

                  > Same issue here with the L2TP / IPsec VPN, sigh. PPTP and OpenVPN both work flawlessly.

                  PPTP works, but, unfortunately, only for one connection (on pfSense 2.2.1 x64). More than one connection is not working.

                    almabes:

                    Not to hijack the topic, but PPTP can be made to work for multiple people if you have multiple public IPs (or ISPs).

                    Back to L2TP/IPsec: I tried plugging my Windows box directly into my cable modem, thereby getting a public IP. Still no luck. The IPsec SA would come up, but no L2TP traffic.

                    I enabled logging on my rules that pass traffic on the WAN interface. I saw where the rules would pass traffic on UDP 500, 1500 and 1701.
                    I'm almost to the point of dropping $400 to have the Electric Sheep Fencers take a look.

                      mikesm:

                      I can't seem to make it work either.

                      Is there a pointer to an up-to-date walkthrough about setting up L2TP/IPsec passthrough to an internal Windows server? I have a couple of machines that should work fine for this until this is all worked out with pfSense.

                        stoofz:

                        I don't think IPsec / L2TP is currently working with 2.2.1

                          viniciusferrao:

                          I don't think L2TP/IPsec is broken under 2.2.1, but things aren't working here either.

                          I've followed the guides, but when I try to connect it hangs with these messages in the IPsec log:

                          Mar 22 05:26:11	charon: 10[NET] sending packet: from 179.210.144.237[500] to 191.247.226.162[56312] (180 bytes)
                          Mar 22 05:26:12	charon: 10[NET] received packet: from 191.247.226.162[56312] to 179.210.144.237[500] (228 bytes)
                          Mar 22 05:26:12	charon: 10[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
                          Mar 22 05:26:12	charon: 10[IKE] <12> remote host is behind NAT
                          Mar 22 05:26:12	charon: 10[IKE] remote host is behind NAT
                          Mar 22 05:26:12	charon: 10[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
                          Mar 22 05:26:12	charon: 10[NET] sending packet: from 179.210.144.237[500] to 191.247.226.162[56312] (244 bytes)
                          Mar 22 05:26:41	charon: 10[JOB] deleting half open IKE_SA after timeout
                          It's really strange, since I can connect using the local IP address, but when I come in from the WAN this happens.

                          All the firewall rules are set to "allow everything".

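The failure patterns reported so far in this thread can be told apart mechanically from the charon and l2tps lines: relfie's log (IKE_SA and CHILD_SA established with the peer behind NAT, then `l2tps` failing with "Address already in use"), the posts where IPsec comes up but the L2TP log stays empty, and the half-open IKE_SA timeout in the log just above, where phase 1 never completes. The script below is an added example and is not pfSense, mpd or strongSwan code. Its sample log lines are constructed from the masked excerpts posted in this thread, and the verdict texts are this editor's reading of those patterns, not anything the daemons print.

```python
"""Classify L2TP/IPsec failures on pfSense 2.2 from charon and l2tps log lines.
Added example, not pfSense, mpd or strongSwan code.  The sample log lines are
constructed from the masked excerpts posted in this thread."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: IPsec negotiates with a client behind NAT (relfie's excerpt).
IPSEC_LOG_NAT = """\
charon: 08[IKE] <2049> received NAT-T (RFC 3947) vendor ID
charon: 08[IKE] <2049> aa.aa.aa.aaa is initiating a Main Mode IKE_SA
charon: 08[IKE] <2049> remote host is behind NAT
charon: 08[CFG] <2049> selected peer config "con15"
charon: 08[IKE] <con15|2049> IKE_SA con15[2049] established between bb.bb.bb.bb[bb.bb.bb.bb]...aa.aa.aa.aaa[192.168.44.96]
charon: 16[IKE] <con15|2049> CHILD_SA con15{35} established with SPIs cda22b5e_i 0ae4a0dc_o and TS bb.bb.bb.bb/32|/0[udp/l2f] === aa.aa.aa.aaa/32|/0[udp/56000]
"""
# Constructed sample: l2tps sees the client's packets but its socket connect() fails.
L2TP_LOG_NAT = """\
l2tps: Incoming L2TP packet from aa.aa.aa.aaa 56000
l2tps: L2TP: connect: Address already in use
l2tps: L2TP: Control connection 0x803456308 terminated: 6 (expecting reply; none received)
"""
# Constructed sample: phase 1 never completes (viniciusferrao's excerpt).
IPSEC_LOG_HALF_OPEN = """\
charon: 10[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
charon: 10[IKE] <12> remote host is behind NAT
charon: 10[NET] sending packet: from 179.210.144.237[500] to 191.247.226.162[56312] (244 bytes)
charon: 10[JOB] deleting half open IKE_SA after timeout
"""

# Traffic selectors of an established CHILD_SA: "<addr>[<proto/port>] === <addr>[<proto/port>]".
CHILD_SA_RE = re.compile(
    r"CHILD_SA \S+ established with SPIs (?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o"
    r" and TS (?P<local>[^\s\[]+)\[(?P<lproto>[^\]]+)\] === (?P<remote>[^\s\[]+)\[(?P<rproto>[^\]]+)\]"
)
# charon prints port 1701 by its /etc/services name, "l2f" in the posted log.
SERVICE_PORTS = {"l2f": 1701, "l2tp": 1701}

VERDICTS = {
    "phase1_timeout": "IKE phase 1 never completed: the firewall replied but heard nothing back; after NAT detection the client moves to UDP 4500, so check that 4500 reaches the firewall and the reply can return",
    "no_child_sa": "IKE_SA up but no CHILD_SA: phase 2 proposal or traffic selector mismatch",
    "l2tp_connect_failed": "IPsec up but l2tps connect() fails with EADDRINUSE: the behind-NAT case reported in this thread",
    "no_l2tp_traffic": "IPsec up but l2tps logged nothing: decrypted L2TP is not reaching the daemon",
    "ok": "no failure pattern found in these lines",
}


@dataclass
class Triage:
    nat_t: bool = False
    ike_sa_established: bool = False
    half_open_timeout: bool = False
    child_sa: Optional[Dict[str, str]] = None
    l2tp_packets: int = 0
    l2tp_connect_errors: int = 0
    verdict: str = "ok"


def remote_l2tp_port(proto_port: str) -> int:
    """Turn a selector like 'udp/56000' or 'udp/l2f' into a numeric port."""
    port = proto_port.split("/", 1)[1]
    return int(port) if port.isdigit() else SERVICE_PORTS[port]


def triage(ipsec_log: str, l2tp_log: str) -> Triage:
    t = Triage()
    for line in ipsec_log.splitlines():
        if "remote host is behind NAT" in line:
            t.nat_t = True
        elif "IKE_SA" in line and "established between" in line:
            t.ike_sa_established = True
        elif "deleting half open IKE_SA after timeout" in line:
            t.half_open_timeout = True
        else:
            m = CHILD_SA_RE.search(line)
            if m:
                t.child_sa = m.groupdict()
    for line in l2tp_log.splitlines():
        if "Incoming L2TP packet" in line:
            t.l2tp_packets += 1
        if "connect: Address already in use" in line:
            t.l2tp_connect_errors += 1
    # Order matters: a half-open timeout is only the diagnosis when no IKE_SA ever came up.
    if t.half_open_timeout and not t.ike_sa_established:
        t.verdict = "phase1_timeout"
    elif t.ike_sa_established and t.child_sa is None:
        t.verdict = "no_child_sa"
    elif t.child_sa is not None and t.l2tp_connect_errors:
        t.verdict = "l2tp_connect_failed"
    elif t.child_sa is not None and t.l2tp_packets == 0:
        t.verdict = "no_l2tp_traffic"
    return t


def report(t: Triage) -> str:
    lines = [f"verdict: {t.verdict} - {VERDICTS[t.verdict]}", f"client behind NAT: {t.nat_t}"]
    if t.child_sa:
        # A remote selector port other than 1701 is the NAT-rewritten L2TP port
        # that l2tps has to reply to (udp/56000 in the posted log).
        rport = remote_l2tp_port(t.child_sa["rproto"])
        lines.append(f"CHILD_SA selectors: {t.child_sa['local']} {t.child_sa['lproto']} <-> "
                     f"{t.child_sa['remote']} {t.child_sa['rproto']} (remote port {rport})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(IPSEC_LOG_NAT, L2TP_LOG_NAT)))
    print(report(triage(IPSEC_LOG_HALF_OPEN, "")))
```

On a pfSense box the same functions can be fed the contents of the IPsec and L2TP logs that the posters above are reading. The CHILD_SA traffic selector line is the one to read first: a remote selector port other than 1701 (udp/56000 here, matching the "Incoming L2TP packet from aa.aa.aa.aaa 56000" lines in l2tps.log) is the NAT-rewritten port the L2TP daemon has to talk back to, which separates the behind-NAT failure from a plain phase 1 or phase 2 failure.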
                            daereth:

                            Hi all,

                            I'm also experiencing an issue with setting up L2TP/IPsec on pfSense 2.2. I have tried both pfSense 2.2.1 and also downgraded to 2.2 to see if it produced any better result; unfortunately, no go.

                            I followed the guide at https://doc.pfsense.org/index.php/L2TP/IPsec and am finding the same troubles as other people in this forum: L2TP doesn't seem to do anything at all (the L2TP raw log doesn't show anything when trying to connect with a client). I do see IPsec establish fine, so I know it's not a problem there.

                            I've tried Android, Windows 7 and Windows 8.1 from multiple locations.

                            Is there anyone out there that got this to work? You would think that if there is a howto showing it working, it should work for others as well? :)

                            Appreciate any help in the matter! I'll provide some logs, etc. if requested.

                              MitchMiller:

                              I am having the exact same issues. I cannot get IPsec/L2TP to connect following the guides.

                                micksel:

                                Same problem here. I can see the IPsec tunnels created and then time out, but nothing under L2TP.

                                I've tried with a Win7 client (behind NAT) and my Android phone (not NAT); none of them gets further than IPsec. It seems that the traffic doesn't get to the L2TP service?

                                Is there anyone that has any ideas? I really need to have this working ASAP.

                                But this is very interesting: if I try to connect to the VPN when I'm on my local LAN (any to my local pfSense IP), then everything works okay. The L2TP/IPsec tunnel is created and I can see the established connection under IPsec and L2TP.

                                So it must be some firewall rule or something like that I'm missing.

                                  micksel:

                                  No luck with the firewall rule. I created an Allow Everything rule, but no success; it almost seems like a bug…
                                  Anyone?

                                    jimp (Rebel Alliance Developer, Netgate):

                                    It may be a bug in strongSwan.

                                    Client without NAT - works fine. Move the same client behind NAT, and the traffic never makes it through properly. IPsec layer connects, ESP traffic arrives, packets even show up on enc0 but somehow never make it to the L2TP daemon.

                                    It's not exclusive to pfSense, either… https://lists.strongswan.org/pipermail/users/2014-September/006638.html

                                    Judging by responses to other similar issues by the strongSwan folks, it sounds like they really don't like L2TP/IPsec with NAT and probably won't fix it since people have moved on to other things.

                                    Switching to IKEv2 is probably best.


                                      micksel:

                                      Thanks for your answer.
                                      Seems that I will need to look into that, or look at placing a Windows RAS IPsec/L2TP server behind pfSense with NAT (seems like a headache to me).

                                        mwp821:

                                        @jimp:

                                        > Looks like the rules are somehow not matching as expected. Maybe inbound L2TP traffic is actually bypassing pf and not receiving a state?
                                        >
                                        > If you add a Floating rule (quick=checked, dir=out, interface=l2tp, source=any, destination=any, TCP Flags=Any Flags, State Type=Sloppy State) it works.

                                        This was so critical to getting a brand new L2TP/IPsec VPN working on a fresh install of 2.2.1 that I feel like it should be in a sticky at the top!

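As an added example (not pfSense code) of checking that the floating rule quoted above is actually in the loaded ruleset and scoped the way it is described there, the script below audits pf rule text of the kind `pfctl -sr` prints. The rule lines in the two sample rulesets are constructed and only approximate what pfSense 2.2 generates; the interface name `l2tp` and the rule options (out, quick, any flags, sloppy state) are taken from the quoted description. Sloppy state makes pf skip TCP sequence-number and window checks for that state, which is what lets replies leaving the l2tp interface create a state although pf never saw the inbound side; it is also why the rule should stay limited to `out` on `l2tp` rather than floating over every interface, and the audit flags that.

```python
"""Audit pf rule text (as `pfctl -sr` prints it) for the L2TP floating rule
recommended in this thread and flag sloppy-state rules that reach beyond the
L2TP interface.  Added example, not pfSense code; the sample rulesets are
constructed and only approximate what pfSense 2.2 generates."""
from typing import Dict, List

L2TP_IFACE = "l2tp"   # interface name from the quoted rule description (assumption)

# Constructed ruleset: WAN (em0) pass rules for UDP 500/4500/1701 as posters above
# describe, the recommended floating rule on l2tp, and an IPsec (enc0) pass rule.
RULESET_OK = """\
block drop in log all label "Default deny rule IPv4"
pass in quick on em0 inet proto udp from any to (em0) port = 500 keep state
pass in quick on em0 inet proto udp from any to (em0) port = 4500 keep state
pass in quick on em0 inet proto udp from any to (em0) port = 1701 keep state
pass out quick on l2tp inet all flags any keep state (sloppy) label "L2TP floating"
pass in quick on enc0 inet all keep state label "IPsec clients to any"
"""
# Constructed ruleset with the floating rule left unscoped: the sloppy state now
# applies to every interface, so pf stops checking TCP sequence numbers everywhere.
RULESET_BAD = """\
block drop in log all label "Default deny rule IPv4"
pass out quick inet all flags any keep state (sloppy) label "L2TP floating"
"""


def parse_rule(line: str) -> Dict[str, object]:
    """Pick out the fields this audit cares about from one pf rule line."""
    toks = line.split()
    rule: Dict[str, object] = {
        "action": toks[0], "dir": None, "iface": None,
        "quick": "quick" in toks,
        "flags_any": "flags any" in line,
        "sloppy": "(sloppy)" in line,
        "text": line,
    }
    for tok in toks[1:4]:          # direction, quick and "on" follow the action
        if tok in ("in", "out"):
            rule["dir"] = tok
    if "on" in toks:
        rule["iface"] = toks[toks.index("on") + 1]
    return rule


def parse_ruleset(text: str) -> List[Dict[str, object]]:
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def is_l2tp_floating_rule(rule: Dict[str, object]) -> bool:
    """pass out quick on l2tp, any TCP flags, sloppy state: the rule from the thread."""
    return (rule["action"] == "pass" and rule["dir"] == "out" and bool(rule["quick"])
            and rule["iface"] == L2TP_IFACE and bool(rule["flags_any"]) and bool(rule["sloppy"]))


def audit(text: str) -> List[str]:
    """Return findings; an empty list means the ruleset passes this audit."""
    rules = parse_ruleset(text)
    findings: List[str] = []
    if not any(is_l2tp_floating_rule(r) for r in rules):
        findings.append("missing: pass out quick on l2tp with flags any and sloppy state "
                        "(replies out the L2TP interface will not get a state)")
    for r in rules:
        # Sloppy state anywhere but the L2TP path disables pf's TCP sequence
        # validation for traffic that does not need the relaxation.
        if r["sloppy"] and r["iface"] != L2TP_IFACE:
            scope = r["iface"] or "every interface"
            findings.append(f"sloppy state on {scope}: {r['text']}")
    return findings


if __name__ == "__main__":
    for name, text in (("ok", RULESET_OK), ("bad", RULESET_BAD)):
        print(name, audit(text) or "no findings")
```

Run it against the real box by piping `pfctl -sr` output into `audit()`; the first finding on a freshly installed 2.2.1 box that has not had the floating rule added is the "missing" line, which is the situation the post above describes.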
                                          jimp (Rebel Alliance Developer, Netgate):

                                          @mwp821:

                                          > @jimp:
                                          >
                                          > > Looks like the rules are somehow not matching as expected. Maybe inbound L2TP traffic is actually bypassing pf and not receiving a state?
                                          > >
                                          > > If you add a Floating rule (quick=checked, dir=out, interface=l2tp, source=any, destination=any, TCP Flags=Any Flags, State Type=Sloppy State) it works.
                                          >
                                          > This was so critical to getting a brand new L2TP/IPsec VPN working on a fresh install of 2.2.1 that I feel like it should be in a sticky at the top!

                                          It's mentioned in the guide: https://doc.pfsense.org/index.php/L2TP/IPsec


                                            mwp821:

                                            @jimp:

                                            > @mwp821:
                                            >
                                            > > @jimp:
                                            > >
                                            > > > Looks like the rules are somehow not matching as expected. Maybe inbound L2TP traffic is actually bypassing pf and not receiving a state?
                                            > > >
                                            > > > If you add a Floating rule (quick=checked, dir=out, interface=l2tp, source=any, destination=any, TCP Flags=Any Flags, State Type=Sloppy State) it works.
                                            > >
                                            > > This was so critical to getting a brand new L2TP/IPsec VPN working on a fresh install of 2.2.1 that I feel like it should be in a sticky at the top!
                                            >
                                            > It's mentioned in the guide: https://doc.pfsense.org/index.php/L2TP/IPsec

                                            Yes, but I couldn't even connect (via TCP) to any of my internal systems without it. Maybe change the description and/or move it out of "Troubleshooting" and into the main "Firewall Rules and NAT" section? Just a suggestion.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.