
    Layer 2 Tunneling Protocol with IPsec

MrV0

      Hello

      Currently we are using PPTP for offsite employees.
We would like to use L2TP/IPsec with our RADIUS server.

Firstly I would like to set up L2TP without using the RADIUS server, just for testing.

      I have L2TP/IPsec working fine internally (LAN) but when I test one of our laptops using a mobile network (EE) it does not work.

      Here is the IPsec log:

      Jun 9 11:32:44 charon: 16[IKE] deleting IKE_SA con1[278] between xxx.xxx.xxx.xx3[xxx.xxx.xxx.xx5]…yyy.yyy.yyy.yy2[zzz.zzz.zzz.84]
      Jun 9 11:32:44 charon: 16[IKE] <con1|278>deleting IKE_SA con1[278] between xxx.xxx.xxx.xx3[xxx.xxx.xxx.xx5]…yyy.yyy.yyy.yy2[zzz.zzz.zzz.84]
      Jun 9 11:32:44 charon: 16[IKE] received DELETE for IKE_SA con1[278]
      Jun 9 11:32:44 charon: 16[IKE] <con1|278>received DELETE for IKE_SA con1[278]
      Jun 9 11:32:44 charon: 16[ENC] parsed INFORMATIONAL_V1 request 4157059169 [ HASH D ]
      Jun 9 11:32:44 charon: 16[NET] received packet: from yyy.yyy.yyy.yy2[4500] to xxx.xxx.xxx.xx3[4500] (92 bytes)
      Jun 9 11:32:44 charon: 12[IKE] closing CHILD_SA con1{28} with SPIs ccdb2d32_i (864 bytes) 825a46b7_o (0 bytes) and TS xxx.xxx.xxx.xx3/32|/0[udp/l2f] === yyy.yyy.yyy.yy2/32|/0[udp/l2f]
      Jun 9 11:32:44 charon: 12[IKE] <con1|278>closing CHILD_SA con1{28} with SPIs ccdb2d32_i (864 bytes) 825a46b7_o (0 bytes) and TS xxx.xxx.xxx.xx3/32|/0[udp/l2f] === yyy.yyy.yyy.yy2/32|/0[udp/l2f]
      Jun 9 11:32:44 charon: 12[IKE] received DELETE for ESP CHILD_SA with SPI 825a46b7
      Jun 9 11:32:44 charon: 12[IKE] <con1|278>received DELETE for ESP CHILD_SA with SPI 825a46b7
      Jun 9 11:32:44 charon: 12[ENC] parsed INFORMATIONAL_V1 request 1103228700 [ HASH D ]
      Jun 9 11:32:44 charon: 12[NET] received packet: from yyy.yyy.yyy.yy2[4500] to xxx.xxx.xxx.xx3[4500] (76 bytes)
      Jun 9 11:32:09 charon: 07[IKE] CHILD_SA con1{28} established with SPIs ccdb2d32_i 825a46b7_o and TS xxx.xxx.xxx.xx3/32|/0[udp/l2f] === yyy.yyy.yyy.yy2/32|/0[udp/l2f]
      Jun 9 11:32:09 charon: 07[IKE] <con1|278>CHILD_SA con1{28} established with SPIs ccdb2d32_i 825a46b7_o and TS xxx.xxx.xxx.xx3/32|/0[udp/l2f] === yyy.yyy.yyy.yy2/32|/0[udp/l2f]
      Jun 9 11:32:09 charon: 07[ENC] parsed QUICK_MODE request 1 [ HASH ]
      Jun 9 11:32:09 charon: 07[NET] received packet: from yyy.yyy.yyy.yy2[4500] to xxx.xxx.xxx.xx3[4500] (60 bytes)
      Jun 9 11:32:09 charon: 07[NET] sending packet: from xxx.xxx.xxx.xx3[4500] to yyy.yyy.yyy.yy2[4500] (204 bytes)
      Jun 9 11:32:09 charon: 07[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
      Jun 9 11:32:09 charon: 07[IKE] received 250000000 lifebytes, configured 0
      Jun 9 11:32:09 charon: 07[IKE] <con1|278>received 250000000 lifebytes, configured 0
      Jun 9 11:32:09 charon: 07[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
      Jun 9 11:32:09 charon: 07[NET] received packet: from yyy.yyy.yyy.yy2[4500] to xxx.xxx.xxx.xx3[4500] (332 bytes)
      Jun 9 11:32:09 charon: 12[NET] sending packet: from xxx.xxx.xxx.xx3[4500] to yyy.yyy.yyy.yy2[4500] (76 bytes)
      Jun 9 11:32:09 charon: 12[ENC] generating ID_PROT response 0 [ ID HASH ]
      Jun 9 11:32:09 charon: 12[IKE] DPD not supported by peer, disabled
      Jun 9 11:32:09 charon: 12[IKE] <con1|278>DPD not supported by peer, disabled
      Jun 9 11:32:09 charon: 12[IKE] maximum IKE_SA lifetime 28775s
      Jun 9 11:32:09 charon: 12[IKE] <con1|278>maximum IKE_SA lifetime 28775s
      Jun 9 11:32:09 charon: 12[IKE] scheduling reauthentication in 28235s
      Jun 9 11:32:09 charon: 12[IKE] <con1|278>scheduling reauthentication in 28235s
      Jun 9 11:32:09 charon: 12[IKE] IKE_SA con1[278] established between xxx.xxx.xxx.xx3[xxx.xxx.xxx.xx5]…yyy.yyy.yyy.yy2[zzz.zzz.zzz.84]
      Jun 9 11:32:09 charon: 12[IKE] <con1|278>IKE_SA con1[278] established between xxx.xxx.xxx.xx3[xxx.xxx.xxx.xx5]…yyy.yyy.yyy.yy2[zzz.zzz.zzz.84]
      Jun 9 11:32:09 charon: 12[CFG] selected peer config "con1"
      Jun 9 11:32:09 charon: 12[CFG] looking for pre-shared key peer configs matching xxx.xxx.xxx.xx3…yyy.yyy.yyy.yy2[zzz.zzz.zzz.84]
      Jun 9 11:32:09 charon: 12[ENC] parsed ID_PROT request 0 [ ID HASH ]
      Jun 9 11:32:09 charon: 12[NET] received packet: from yyy.yyy.yyy.yy2[4500] to xxx.xxx.xxx.xx3[4500] (76 bytes)
      Jun 9 11:32:08 charon: 12[NET] sending packet: from xxx.xxx.xxx.xx3[500] to yyy.yyy.yyy.yy2[500] (372 bytes)
      Jun 9 11:32:08 charon: 12[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
      Jun 9 11:32:08 charon: 12[IKE] remote host is behind NAT
      Jun 9 11:32:08 charon: 12[IKE] <278> remote host is behind NAT
      Jun 9 11:32:08 charon: 12[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
      Jun 9 11:32:08 charon: 12[NET] received packet: from yyy.yyy.yyy.yy2[500] to xxx.xxx.xxx.xx3[500] (388 bytes)
      Jun 9 11:32:08 charon: 12[NET] sending packet: from xxx.xxx.xxx.xx3[500] to yyy.yyy.yyy.yy2[500] (180 bytes)
      Jun 9 11:32:08 charon: 12[ENC] generating ID_PROT response 0 [ SA V V V V V ]
      Jun 9 11:32:08 charon: 12[IKE] yyy.yyy.yyy.yy2 is initiating a Main Mode IKE_SA
      Jun 9 11:32:08 charon: 12[IKE] <278> yyy.yyy.yyy.yy2 is initiating a Main Mode IKE_SA
      Jun 9 11:32:08 charon: 12[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
      Jun 9 11:32:08 charon: 12[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Jun 9 11:32:08 charon: 12[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
      Jun 9 11:32:08 charon: 12[IKE] received FRAGMENTATION vendor ID
      Jun 9 11:32:08 charon: 12[IKE] <278> received FRAGMENTATION vendor ID
      Jun 9 11:32:08 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Jun 9 11:32:08 charon: 12[IKE] <278> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Jun 9 11:32:08 charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
      Jun 9 11:32:08 charon: 12[IKE] <278> received NAT-T (RFC 3947) vendor ID
      Jun 9 11:32:08 charon: 12[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
      Jun 9 11:32:08 charon: 12[IKE] <278> received MS NT5 ISAKMPOAKLEY vendor ID
Jun 9 11:32:08 charon: 12[ENC] parsed ID_PROT request 0 [ SA V V V V V V V ]

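The log above is shown newest-first, which makes the sequence hard to read. The following script is an added example, not part of the thread and not pfSense or strongSwan tooling: it parses charon lines in the format posted above, puts them back in chronological order, and extracts what matters for this kind of failure: whether NAT-T kicked in, when the IKE_SA and CHILD_SA came up, who sent the DELETE, and the per-SPI byte counters from the "closing CHILD_SA" line. The embedded SAMPLE_LOG is a constructed copy of a subset of the poster's lines (addresses masked as in the post); the diagnosis strings are the author's reading of those counters, not a pfSense message.

```python
"""Summarise a pfSense/strongSwan (charon) IKEv1 + L2TP log excerpt.

Added example; SAMPLE_LOG is a constructed copy of lines from the forum
post above, and the "diagnosis" heuristics are this example's own.
"""
import re

SAMPLE_LOG = """\
Jun 9 11:32:44 charon: 16[IKE] received DELETE for IKE_SA con1[278]
Jun 9 11:32:44 charon: 12[IKE] <con1|278>closing CHILD_SA con1{28} with SPIs ccdb2d32_i (864 bytes) 825a46b7_o (0 bytes) and TS xxx.xxx.xxx.xx3/32|/0[udp/l2f] === yyy.yyy.yyy.yy2/32|/0[udp/l2f]
Jun 9 11:32:44 charon: 12[IKE] received DELETE for ESP CHILD_SA with SPI 825a46b7
Jun 9 11:32:09 charon: 07[IKE] CHILD_SA con1{28} established with SPIs ccdb2d32_i 825a46b7_o and TS xxx.xxx.xxx.xx3/32|/0[udp/l2f] === yyy.yyy.yyy.yy2/32|/0[udp/l2f]
Jun 9 11:32:09 charon: 07[IKE] received 250000000 lifebytes, configured 0
Jun 9 11:32:09 charon: 12[IKE] DPD not supported by peer, disabled
Jun 9 11:32:09 charon: 12[IKE] IKE_SA con1[278] established between xxx.xxx.xxx.xx3[xxx.xxx.xxx.xx5]...yyy.yyy.yyy.yy2[zzz.zzz.zzz.84]
Jun 9 11:32:09 charon: 12[NET] received packet: from yyy.yyy.yyy.yy2[4500] to xxx.xxx.xxx.xx3[4500] (76 bytes)
Jun 9 11:32:08 charon: 12[IKE] remote host is behind NAT
Jun 9 11:32:08 charon: 12[NET] received packet: from yyy.yyy.yyy.yy2[500] to xxx.xxx.xxx.xx3[500] (388 bytes)
Jun 9 11:32:08 charon: 12[IKE] yyy.yyy.yyy.yy2 is initiating a Main Mode IKE_SA
"""

# "Jun 9 11:32:44 charon: 12[IKE] <con1|278>message" -> fields; the optional
# <con1|278> prefix is the IKE_SA name/ID that pfSense duplicates lines with.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) charon: "
    r"(?P<thread>\d+)\[(?P<subsys>\w+)\] (?:<[^>]*> ?)?(?P<msg>.*)$"
)
ESTAB_RE = re.compile(
    r"CHILD_SA (?P<name>\S+) established with SPIs .* and TS .*?\[(?P<proto>[^\]]+)\]"
)
CLOSE_RE = re.compile(
    r"closing CHILD_SA (?P<name>\S+) with SPIs (?P<spi_in>[0-9a-f]+)_i \((?P<bytes_in>\d+) bytes\) "
    r"(?P<spi_out>[0-9a-f]+)_o \((?P<bytes_out>\d+) bytes\) and TS .*?\[(?P<proto>[^\]]+)\]"
)


def parse(text):
    """Return parsed events in chronological order.

    The pfSense log viewer lists newest lines first; if the first timestamp
    is later than the last, the whole list is reversed.
    """
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip non-charon noise
        e = m.groupdict()
        h, mi, s = (int(x) for x in e["time"].split(":"))
        e["secs"] = int(e["day"]) * 86400 + h * 3600 + mi * 60 + s
        events.append(e)
    if len(events) > 1 and events[0]["secs"] > events[-1]["secs"]:
        events.reverse()
    return events


def summarise(events):
    """Extract SA lifecycle facts and derive a diagnosis from them."""
    f = {"nat_t": False, "dpd_disabled": False, "lifebytes_ignored": False,
         "ike_sa_established": None, "child_sa_established": None,
         "child_sa_proto": None, "closed_by_peer": False,
         "bytes_in": None, "bytes_out": None, "child_lifetime_s": None,
         "diagnosis": []}
    child_start = None
    for e in events:
        msg, t = e["msg"], e["secs"]
        # NAT-T: charon says so explicitly, and traffic moves from UDP/500 to UDP/4500
        if "remote host is behind NAT" in msg or re.search(r"from \S+\[4500\]", msg):
            f["nat_t"] = True
        if "DPD not supported by peer" in msg:
            f["dpd_disabled"] = True
        if re.match(r"received \d+ lifebytes, configured 0", msg):
            f["lifebytes_ignored"] = True  # client proposed a byte lifetime; server has none
        if re.match(r"IKE_SA \S+ established", msg):
            f["ike_sa_established"] = e["time"]
        m = ESTAB_RE.match(msg)
        if m:
            f["child_sa_established"], f["child_sa_proto"], child_start = e["time"], m.group("proto"), t
        if msg.startswith("received DELETE"):
            f["closed_by_peer"] = True  # the DELETE came from the client, not from charon
        m = CLOSE_RE.match(msg)
        if m:
            f["bytes_in"], f["bytes_out"] = int(m.group("bytes_in")), int(m.group("bytes_out"))
            if child_start is not None:
                f["child_lifetime_s"] = t - child_start
    d = f["diagnosis"]
    if f["ike_sa_established"] and f["child_sa_established"]:
        d.append("IKE phase 1 and phase 2 completed: PSK and proposals are fine")
    if f["child_sa_established"] and f["bytes_out"] == 0 and (f["bytes_in"] or 0) > 0:
        d.append("client sent %d bytes of %s inside ESP and got nothing back: look above IPsec "
                 "(L2TP / UDP 1701 handling), not at the tunnel" % (f["bytes_in"], f["child_sa_proto"]))
    if f["closed_by_peer"] and f["child_lifetime_s"] is not None:
        d.append("peer tore the SAs down itself after %ds" % f["child_lifetime_s"])
    if f["nat_t"]:
        d.append("peer is behind NAT: ESP is UDP-encapsulated on 4500, so the L2TP side must accept NAT-T clients")
    if f["nat_t"] and f["dpd_disabled"]:
        d.append("DPD disabled by peer: a vanished NATed client is only noticed at rekey/expiry")
    return f


if __name__ == "__main__":
    for line in summarise(parse(SAMPLE_LOG))["diagnosis"]:
        print("-", line)
```

Run it against a fresh copy of the IPsec log (Status > System Logs > IPsec) after a failed attempt; the interesting signal in the posted excerpt is the closing line, where the inbound SPI has counted 864 bytes of udp/l2f traffic while the outbound SPI has 0, so the IPsec layer itself is not where the connection is dying.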
MrV0

Something that I have not tried, as I don't know if it can be done: change or set IPsec to "IPSEC over UDP".
        Can this be done?

doktornotor

          Try with IKEv2 instead.

MrV0

            @doktornotor:

            Try with IKEv2 instead.

            Hello

            Ok I will see if I can set this up today.
            https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

Thanks

MrV0

              UPDATE

              Ok, I have followed this doc step by step https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
I am now getting a Windows VPN error 809 (LAN).

MrV0

                Anyone?

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.