Netgate Discussion Forum
    L2TP/IPSec doesn't work

    A Former User

      Hi all

      I am trying to configure L2TP/IPsec on pfSense 2.3.4-RELEASE (i386), following this guide: https://doc.pfsense.org/index.php/L2TP/IPsec, but it doesn't work. The IPsec tunnel works, but after that there is no response from the L2TP server (UDP 1701).

      tcpdump:

      21:01:37.651821 (authentic,confidential): SPI 0xc99c082c: IP <public client ip>.36982 > <public pfSense ip (no RFC 1918)>.1701: UDP, length 69
      21:01:39.651812 (authentic,confidential): SPI 0xc99c082c: IP <public client ip>.36982 > <public pfSense ip (no RFC 1918)>.1701: UDP, length 69
      21:01:41.779635 (authentic,confidential): SPI 0xc99c082c: IP <public client ip>.36982 > <public pfSense ip (no RFC 1918)>.1701: UDP, length 69
      21:01:43.667297 (authentic,confidential): SPI 0xc99c082c: IP <public client ip>.36982 > <public pfSense ip (no RFC 1918)>.1701: UDP, length 69
      21:01:45.652752 (authentic,confidential): SPI 0xc99c082c: IP <public client ip>.36982 > <public pfSense ip (no RFC 1918)>.1701: UDP, length 69
      21:01:47.667426 (authentic,confidential): SPI 0xc99c082c: IP <public client ip>.36982 > <public pfSense ip (no RFC 1918)>.1701: UDP, length 69
      21:01:49.666335 (authentic,confidential): SPI 0xc99c082c: IP <public client ip>.36982 > <public pfSense ip (no RFC 1918)>.1701: UDP, length 69
      21:01:51.666811 (authentic,confidential): SPI 0xc99c082c: IP <public client ip>.36982 > <public pfSense ip (no RFC 1918)>.1701: UDP, length 69
      21:01:53.667271 (authentic,confidential): SPI 0xc99c082c: IP <public client ip>.36982 > <public pfSense ip (no RFC 1918)>.1701: UDP, length 69
      21:01:55.683434 (authentic,confidential): SPI 0xc99c082c: IP <public client ip>.36982 > <public pfSense ip (no RFC 1918)>.1701: UDP, length 69

      I checked the firewall log; nothing is blocking UDP 1701.

      Under Status/IPsec/Overview I see a successful connection from the client (Android 7.1, L2TP/IPsec PSK) until the client closes the connection because the L2TP server is not responding.

      Could it be a problem that the pfSense is directly connected with a public IP (no NAT)?

      ipsec.conf:

      config setup
              uniqueids = yes

      conn bypasslan
              leftsubnet = XXXXXX
              rightsubnet = XXXXXX
              authby = never
              type = passthrough
              auto = route

      conn con1
              fragmentation = yes
              keyexchange = ikev1
              reauth = yes
              forceencaps = no
              mobike = no
              rekey = yes
              installpolicy = yes
              type = transport
              dpdaction = clear
              dpddelay = 10s
              dpdtimeout = 60s
              auto = add
              left = %any
              right = %any
              leftid = <public pfSense ip>
              ikelifetime = 28800s
              lifetime = 3600s
              ike = aes256-sha1-modp1024!
              esp = aes128-sha1!
              leftauth = psk
              rightauth = psk
              aggressive = no

      mpd.conf:

      l2tps:
              load l2tp0
              load l2tp1
              load l2tp2
              load l2tp3
              load l2tp4
              load l2tp5
              load l2tp6

      l2tp0:
              new -i l2tp0 l2tp0 l2tp0
              set ipcp ranges 10.0.0.2/32 10.0.0.64/32
              load l2tp_standard

      l2tp1:
              new -i l2tp1 l2tp1 l2tp1
              set ipcp ranges 10.0.0.2/32 10.0.0.65/32
              load l2tp_standard

      l2tp2:
              new -i l2tp2 l2tp2 l2tp2
              set ipcp ranges 10.0.0.2/32 10.0.0.66/32
              load l2tp_standard

      l2tp3:
              new -i l2tp3 l2tp3 l2tp3
              set ipcp ranges 10.0.0.2/32 10.0.0.67/32
              load l2tp_standard

      l2tp4:
              new -i l2tp4 l2tp4 l2tp4
              set ipcp ranges 10.0.0.2/32 10.0.0.68/32
              load l2tp_standard

      l2tp5:
              new -i l2tp5 l2tp5 l2tp5
              set ipcp ranges 10.0.0.2/32 10.0.0.69/32
              load l2tp_standard

      l2tp6:
              new -i l2tp6 l2tp6 l2tp6
              set ipcp ranges 10.0.0.2/32 10.0.0.70/32
              load l2tp_standard

      l2tp_standard:
              set bundle disable multilink
              set bundle enable compression
              set bundle yes crypt-reqd
              set ipcp yes vjcomp
              # set ipcp ranges 131.188.69.161/32 131.188.69.170/28
              set ccp yes mppc
              set iface disable on-demand
              set iface enable proxy-arp
              set iface up-script /usr/local/sbin/vpn-linkup
              set iface down-script /usr/local/sbin/vpn-linkdown
              set link yes acfcomp protocomp
              set link no pap chap
              set link enable chap
              set l2tp self <public pfSense ip>
              set link keep-alive 10 180
              set ipcp dns

      Many thanks

      Reeno

      beatvjiking

        Just to check, did you try this bit? https://doc.pfsense.org/index.php/L2TP/IPsec#Firewall_traffic_blocked_outbound

        I had a very similar problem, and the sloppy state bit fixed the problem for me. It's not that a specific firewall rule is blocking something; it's the state handling that interferes on the L2TP virtual interface.

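The capture in the first post is the telltale pattern for this thread: a train of UDP/1701 packets from the client, about two seconds apart, visible decrypted on enc0 ("authentic,confidential"), and nothing from the firewall's side of the tunnel back to port 1701, even though no firewall log entry shows a block. The script below is an added example, not code from the thread or from pfSense/Netgate: a small sh/awk check that reads tcpdump text, pairs up each UDP/1701 flow by direction, and reports whether the L2TP control exchange is one-way (client retransmitting an unanswered request) or two-way. The function names l2tp_flow_report and interpret_report are hypothetical, and the sample lines are constructed to match the shape of the posted capture, using RFC 5737 documentation addresses rather than real hosts.

```shell
#!/bin/sh
# Added example (not from the original thread, not pfSense/Netgate code).
# Helper names are hypothetical; sample captures below are constructed.

# l2tp_flow_report: read tcpdump text on stdin, print one line per UDP/1701 flow:
#   <client> <server> in=<requests> out=<replies> ONE-WAY|TWO-WAY avg_gap=<s>s
# "in" counts packets sent to port 1701 (client control requests), "out" counts
# packets sent from port 1701 (server replies). avg_gap is the mean spacing of
# the requests: a steady ~2s train with out=0 is a client retransmitting an
# L2TP control request that nothing answered.
l2tp_flow_report() {
    awk '
    function tosecs(ts,  t) { split(ts, t, ":"); return t[1] * 3600 + t[2] * 60 + t[3] }
    {
        # locate "IP <src> > <dst>:" wherever it sits; on enc0 tcpdump prefixes
        # each line with "(authentic,confidential): SPI 0x...:"
        idx = 0
        for (i = 1; i <= NF; i++) if ($i == "IP") { idx = i; break }
        if (idx == 0 || $(idx + 2) != ">") next
        src = $(idx + 1); dst = $(idx + 3); sub(/:$/, "", dst)
        # split host.port at the last dot
        match(src, /\.[0-9]+$/); shost = substr(src, 1, RSTART - 1); sport = substr(src, RSTART + 1)
        match(dst, /\.[0-9]+$/); dhost = substr(dst, 1, RSTART - 1); dport = substr(dst, RSTART + 1)
        if (dport == "1701") {            # client -> L2TP server
            key = shost " " dhost
            n_in[key]++
            ts = tosecs($1)
            if (!(key in first)) first[key] = ts
            last[key] = ts
        } else if (sport == "1701") {     # L2TP server -> client
            key = dhost " " shost
            n_out[key]++
        } else next
        seen[key] = 1
    }
    END {
        for (k in seen) {
            gap = (n_in[k] > 1) ? (last[k] - first[k]) / (n_in[k] - 1) : 0
            g10 = int(gap * 10 + 0.5)     # tenths of a second, locale-independent formatting
            printf "%s in=%d out=%d %s avg_gap=%d.%ds\n", k, n_in[k] + 0, n_out[k] + 0, (n_out[k] > 0) ? "TWO-WAY" : "ONE-WAY", int(g10 / 10), g10 % 10
        }
    }' | sort
}

# interpret_report: turn report lines into a next step. ONE-WAY on enc0 means the
# decrypted request reached the firewall but no reply left, which is what the
# first post's capture shows and what the reply's doc section addresses.
interpret_report() {
    while read -r client server rest; do
        case "$rest" in
            *ONE-WAY*) echo "$client -> $server: requests arrive, no reply leaves ($rest). Check that mpd5 is listening on UDP 1701 (sockstat -4l | grep 1701) and compare with the 'Firewall traffic blocked outbound' section of the pfSense L2TP/IPsec doc (sloppy state on the L2TP interface rule)." ;;
            *) echo "$client -> $server: L2TP control exchange answered ($rest)." ;;
        esac
    done
}

# Constructed sample 1: the shape of the first post's capture (retransmits, no reply).
ONEWAY_SAMPLE='21:01:37.651821 (authentic,confidential): SPI 0xc99c082c: IP 203.0.113.10.36982 > 198.51.100.1.1701: UDP, length 69
21:01:39.651821 (authentic,confidential): SPI 0xc99c082c: IP 203.0.113.10.36982 > 198.51.100.1.1701: UDP, length 69
21:01:41.651821 (authentic,confidential): SPI 0xc99c082c: IP 203.0.113.10.36982 > 198.51.100.1.1701: UDP, length 69
21:01:43.651821 (authentic,confidential): SPI 0xc99c082c: IP 203.0.113.10.36982 > 198.51.100.1.1701: UDP, length 69
21:01:45.651821 (authentic,confidential): SPI 0xc99c082c: IP 203.0.113.10.36982 > 198.51.100.1.1701: UDP, length 69'

# Constructed sample 2: a working exchange, where the server answers from port 1701.
TWOWAY_SAMPLE='21:01:37.651821 (authentic,confidential): SPI 0xc99c082c: IP 203.0.113.10.36982 > 198.51.100.1.1701: UDP, length 69
21:01:37.660000 (authentic,confidential): SPI 0x1f2e3d4c: IP 198.51.100.1.1701 > 203.0.113.10.36982: UDP, length 103
21:01:37.700000 (authentic,confidential): SPI 0xc99c082c: IP 203.0.113.10.36982 > 198.51.100.1.1701: UDP, length 20'

# Live use on pfSense (enc0 carries the decrypted IPsec traffic); capture a
# bounded number of packets first, since awk only reports at end of input:
#   tcpdump -ni enc0 -c 20 udp port 1701 > /tmp/l2tp.txt
#   l2tp_flow_report < /tmp/l2tp.txt | interpret_report
# Offline demonstration on the constructed samples:
printf '%s\n' "$ONEWAY_SAMPLE" | l2tp_flow_report | interpret_report
printf '%s\n' "$TWOWAY_SAMPLE" | l2tp_flow_report | interpret_report
```

Run it on a capture from the WAN interface as well as enc0: if the request shows up decrypted on enc0 but the same flow is silent on the WAN side in the reverse direction, the problem is local to the firewall (the L2TP daemon or the state handling on the L2TP interface), not the client or the IPsec negotiation.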
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.