Netgate Discussion Forum
    2.2.2 L2TP/IPsec not working (OS X and iOS clients)

    Category: IPsec
    2 posts, 1 poster, 1.6k views
    • kitzy
      Hello,

      I'm attempting to set up an L2TP/IPsec VPN configuration with the intent to use it for OS X and iOS clients.

      I'm following this guide: https://doc.pfsense.org/index.php/L2TP/IPsec

      On my clients, after attempting a connection, I get an error that the server did not respond.

      Logs from the client:

      May 10 17:47:14 Ares.local racoon[2379]: accepted connection on vpn control socket.
      May 10 17:47:14 Ares.local racoon[2379]: Connecting.
      May 10 17:47:14 Ares.local racoon[2379]: IPSec Phase 1 started (Initiated by me).
      May 10 17:47:14 Ares.local racoon[2379]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
      May 10 17:47:14 Ares.local racoon[2379]: >>>>> phase change status = Phase 1 started by us
      May 10 17:47:14 Ares.local racoon[2379]: none message must be encrypted
      May 10 17:47:17 Ares.local racoon[2379]: IKE Packet: transmit success. (Phase 1 Retransmit).
      May 10 17:47:18 Ares.local racoon[2379]: none message must be encrypted
      May 10 17:47:20 Ares.local racoon[2379]: IKE Packet: transmit success. (Phase 1 Retransmit).
      May 10 17:47:20 Ares.local racoon[2379]: none message must be encrypted
      May 10 17:47:24 Ares.local racoon[2379]: IKE Packet: transmit success. (Phase 1 Retransmit).
      May 10 17:47:24 Ares.local racoon[2379]: none message must be encrypted
      May 10 17:47:24 Ares.local racoon[2379]: IPSec disconnecting from server 69.245.176.205

      Logs from the server:

      May 10 17:57:44 charon: 15[IKE] <7> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      May 10 17:57:44 charon: 15[IKE] <7> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      May 10 17:57:44 charon: 15[IKE] <7> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      May 10 17:57:44 charon: 15[IKE] <7> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      May 10 17:57:44 charon: 15[IKE] <7> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      May 10 17:57:44 charon: 15[IKE] <7> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      May 10 17:57:44 charon: 15[IKE] <7> received DPD vendor ID
      May 10 17:57:44 charon: 15[IKE] <7> received DPD vendor ID
      May 10 17:57:44 charon: 15[IKE] <7> 70.194.101.18 is initiating a Aggressive Mode IKE_SA
      May 10 17:57:44 charon: 15[IKE] <7> 70.194.101.18 is initiating a Aggressive Mode IKE_SA
      May 10 17:57:44 charon: 15[CFG] <7> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
      May 10 17:57:44 charon: 15[CFG] <7> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      May 10 17:57:44 charon: 15[IKE] <7> no proposal found
      May 10 17:57:44 charon: 15[IKE] <7> no proposal found
      May 10 17:57:44 charon: 15[ENC] <7> generating INFORMATIONAL_V1 request 3443684692 [ N(NO_PROP) ]
      May 10 17:57:44 charon: 15[NET] <7> sending packet: from 69.245.176.205[500] to 70.194.101.18[8255] (56 bytes)
      May 10 17:57:47 charon: 15[NET] <8> received packet: from 70.194.101.18[8255] to 69.245.176.205[500] (663 bytes)
      May 10 17:57:47 charon: 15[ENC] <8> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V ]
      May 10 17:57:47 charon: 15[IKE] <8> received FRAGMENTATION vendor ID
      May 10 17:57:47 charon: 15[IKE] <8> received FRAGMENTATION vendor ID
      May 10 17:57:47 charon: 15[IKE] <8> received NAT-T (RFC 3947) vendor ID
      May 10 17:57:47 charon: 15[IKE] <8> received NAT-T (RFC 3947) vendor ID
      May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike vendor ID
      May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike vendor ID
      May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
      May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
      May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
      May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
      May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
      May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
      May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
      May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
      May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
      May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
      May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      May 10 17:57:47 charon: 15[IKE] <8> received DPD vendor ID
      May 10 17:57:47 charon: 15[IKE] <8> received DPD vendor ID
      May 10 17:57:47 charon: 15[IKE] <8> 70.194.101.18 is initiating a Aggressive Mode IKE_SA
      May 10 17:57:47 charon: 15[IKE] <8> 70.194.101.18 is initiating a Aggressive Mode IKE_SA
      May 10 17:57:47 charon: 15[CFG] <8> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
      May 10 17:57:47 charon: 15[CFG] <8> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      May 10 17:57:47 charon: 15[IKE] <8> no proposal found
      May 10 17:57:47 charon: 15[IKE] <8> no proposal found
      May 10 17:57:47 charon: 15[ENC] <8> generating INFORMATIONAL_V1 request 3406957689 [ N(NO_PROP) ]
      May 10 17:57:47 charon: 15[NET] <8> sending packet: from 69.245.176.205[500] to 70.194.101.18[8255] (56 bytes)

      Any ideas what I might be doing wrong?

      • kitzy

        Ok, I think I've got it somewhat sorted. I had a mismatch on proposals.

        May 10 17:57:44  charon: 15[CFG] <7> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
        May 10 17:57:44  charon: 15[CFG] <7> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048

        I was able to switch my DH key group from 4 (2048 bit) to 2 (1024 bit) and now I'm getting a successful connection.

        It looks like DNS isn't working right, but I think I can get that sorted. Hopefully this helps someone else!

        EDIT: DNS is working just fine (verified via nslookup on OS X client), and I can ping hosts on the network, but I can't access those hosts via a web browser, nor can I access the internet once I'm connected via VPN.

        I don't think it's outbound NAT, as I have that set to automatic generation and I can see the VPN subnet in the rules. What else could it be?

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.