IPSec/L2TP listen address 0.0.0.0 on reboot
-
Weird one, running 2.4.4-p3 or 2.4.5-RC
WAN is PPPOE
L2TP interface = WAN
L2TP server address = 192.168.32.1
L2TP remote range = 192.168.32.128/25
Whenever I reboot the pfSense box ipsec/l2tp ends up listening on 0.0.0.0 instead of my WAN IP:
Feb 11 20:05:47 pfSense l2tps: L2TP: waiting for connection on 0.0.0.0 1701
I know this isn't standard practice, but when I try initiate a VPN connection from my phone (192.168.1.141, connected to the LAN wifi) I get:
Feb 11 20:09:37 pfSense l2tps: Incoming L2TP packet from 192.168.1.141 51478
Feb 11 20:09:38 pfSense l2tps: Incoming L2TP packet from 192.168.1.141 51478
Feb 11 20:09:38 pfSense l2tps: L2TP: connect: Address already in use
Feb 11 20:09:40 pfSense l2tps: Incoming L2TP packet from 192.168.1.141 51478
Feb 11 20:09:40 pfSense l2tps: L2TP: connect: Address already in use
Feb 11 20:09:44 pfSense l2tps: Incoming L2TP packet from 192.168.1.141 51478
Feb 11 20:09:44 pfSense l2tps: L2TP: connect: Address already in use
Feb 11 20:09:48 pfSense l2tps: Incoming L2TP packet from 192.168.1.141 51478
Feb 11 20:09:48 pfSense l2tps: L2TP: connect: Address already in use
Feb 11 20:09:52 pfSense l2tps: Incoming L2TP packet from 192.168.1.141 51478
Feb 11 20:09:52 pfSense l2tps: L2TP: connect: Address already in use
Feb 11 20:09:56 pfSense l2tps: Incoming L2TP packet from 192.168.1.141 51478
Feb 11 20:09:56 pfSense l2tps: L2TP: connect: Address already in use
Feb 11 20:10:37 pfSense l2tps: L2TP: Control connection 0x803849310 terminated: 6 (expecting reply; none received)
Feb 11 20:10:48 pfSense l2tps: L2TP: Control connection 0x803849310 destroyed
Until it fails.
If I disable then enable l2tp again, it listens on my WAN IP:
pfSense l2tps: L2TP: waiting for connection on 219.x.x.x 1701
And then I can connect from my phone, still connected to the LAN wifi:
Feb 11 20:38:12 pfSense l2tps: Incoming L2TP packet from 192.168.1.141 51411
Feb 11 20:38:12 pfSense l2tps: L2TP: Control connection 0x803849310 219.x.x.x 1701 <-> 192.168.1.141 51411 connected
Feb 11 20:38:12 pfSense l2tps: L2TP: Incoming call #1 via connection 0x803849310 received
Feb 11 20:38:12 pfSense l2tps: [l2tp_l-1] L2TP: Incoming call #1 via control connection 0x803849310 accepted
Feb 11 20:38:12 pfSense l2tps: [l2tp_l-1] Link: OPEN event
Feb 11 20:38:12 pfSense l2tps: [l2tp_l-1] LCP: Open event
Feb 11 20:38:12 pfSense l2tps: [l2tp_l-1] LCP: state change Initial --> Starting
Feb 11 20:38:12 pfSense l2tps: [l2tp_l-1] LCP: LayerStart
Feb 11 20:38:12 pfSense l2tps: [l2tp_l-1] L2TP: Call #1 connected
Feb 11 20:38:12 pfSense l2tps: [l2tp_l-1] Link: UP event
Feb 11 20:38:12 pfSense l2tps: [l2tp_l-1] LCP: Up event
Feb 11 20:38:12 pfSense l2tps: [l2tp_l-1] LCP: state change Starting --> Req-Sent
Feb 11 20:38:12 pfSense l2tps: [l2tp_l-1] LCP: SendConfigReq #1
If I look at /var/etc/l2tp-vpn/mpd.conf, it appears to be missing set l2tp self <WAN IP>
startup:
l2tps:
    set ippool add p0 192.168.32.128 192.168.32.129
    create bundle template l2tp_b
    set bundle enable compression
    set bundle yes crypt-reqd
    set ccp yes mppc
    set iface name l2tp
    set iface group l2tp
    set iface up-script /usr/local/sbin/vpn-linkup-l2tp
    set iface down-script /usr/local/sbin/vpn-linkdown-l2tp
    set iface disable on-demand
    set iface enable proxy-arp
    set ipcp yes vjcomp
    set ipcp ranges 192.168.32.1/32 ippool p0
    set ipcp dns 192.168.1.250
    create link template l2tp_l l2tp
    set link action bundle l2tp_b
    set link yes acfcomp protocomp
    set link enable multilink
    set link no pap chap chap-msv2
    set link enable chap
    set link keep-alive 10 180
    set link enable incoming
When I restart l2tp:
startup:
l2tps:
    set ippool add p0 192.168.32.128 192.168.32.129
    create bundle template l2tp_b
    set bundle enable compression
    set bundle yes crypt-reqd
    set ccp yes mppc
    set iface name l2tp
    set iface group l2tp
    set iface up-script /usr/local/sbin/vpn-linkup-l2tp
    set iface down-script /usr/local/sbin/vpn-linkdown-l2tp
    set iface disable on-demand
    set iface enable proxy-arp
    set ipcp yes vjcomp
    set ipcp ranges 192.168.32.1/32 ippool p0
    set ipcp dns 192.168.1.250
    create link template l2tp_l l2tp
    set link action bundle l2tp_b
    set link yes acfcomp protocomp
    set link enable multilink
    set link no pap chap chap-msv2
    set link enable chap
    set l2tp self 219.x.x.x
    set link keep-alive 10 180
    set link enable incoming
I know it's not normal to establish a VPN connection from within the LAN, so I'm just trying to understand what's happening.
Is it listening on 0.0.0.0 after a reboot because L2TP is starting before my WAN connection is up? Is this a bug or intended behaviour?
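The difference between the two mpd.conf versions above is what decides whether port 1701 is reachable only on the WAN address or on every interface, including the LAN and VLANs. As an added example (not code from the thread, from pfSense or from mpd5), here is a small POSIX sh audit that reads the generated config and the l2tps log, reports what the daemon bound to, and flags a wildcard bind; the sample config and log text are constructed from the thread's output, and 203.0.113.10 is an assumed placeholder for the poster's masked 219.x.x.x WAN IP.

```shell
#!/bin/sh
# Added example, not from the thread: audit whether the mpd5 L2TP listener is
# bound to the WAN address or to the 0.0.0.0 wildcard after a reboot.
# All sample text below is constructed; 203.0.113.10 stands in for the WAN IP.

WAN_IP="203.0.113.10"   # assumed WAN address the listener should be bound to
TMP=$(mktemp -d)

# mpd.conf as generated at boot (no "set l2tp self" line), trimmed to the
# lines relevant for the check.
cat > "$TMP/mpd-boot.conf" <<'EOF'
startup:
l2tps:
    set ippool add p0 192.168.32.128 192.168.32.129
    create link template l2tp_l l2tp
    set link enable chap
    set link keep-alive 10 180
    set link enable incoming
EOF

# mpd.conf as regenerated after the service restart ("set l2tp self" present).
cat > "$TMP/mpd-restart.conf" <<'EOF'
startup:
l2tps:
    set ippool add p0 192.168.32.128 192.168.32.129
    create link template l2tp_l l2tp
    set link enable chap
    set l2tp self 203.0.113.10
    set link keep-alive 10 180
    set link enable incoming
EOF

# Constructed l2tps log: wildcard bind at boot, WAN bind after the restart.
cat > "$TMP/l2tps.log" <<'EOF'
Feb 11 20:05:47 pfSense l2tps: L2TP: waiting for connection on 0.0.0.0 1701
Feb 11 20:09:38 pfSense l2tps: L2TP: connect: Address already in use
Feb 11 20:38:01 pfSense l2tps: L2TP: waiting for connection on 203.0.113.10 1701
EOF

# Print the address given to "set l2tp self" in an mpd.conf, or "none".
l2tp_self_addr() {
    awk '$1=="set" && $2=="l2tp" && $3=="self" {print $4; found=1; exit}
         END {if (!found) print "none"}' "$1"
}

# Print the bind address from the n-th "waiting for connection on" log line.
# $1 = log file, $2 = occurrence number (1 = first bind after boot); "none" if absent.
l2tp_listen_addr() {
    addr=$(sed -n 's/.*waiting for connection on \([0-9.]*\) [0-9]*$/\1/p' "$1" |
        sed -n "${2}p")
    printf '%s\n' "${addr:-none}"
}

# Classify a listener: WILDCARD (0.0.0.0, reachable on every interface),
# OK (bound to the expected WAN IP) or MISMATCH (bound to some other address).
l2tp_bind_status() {
    case "$2" in
        0.0.0.0) echo WILDCARD ;;
        "$1")    echo OK ;;
        *)       echo MISMATCH ;;
    esac
}

# Combined check: tie the generated config to what the daemon actually bound.
# $1 = mpd.conf, $2 = log file, $3 = which bind event in the log to inspect.
l2tp_audit() {
    self=$(l2tp_self_addr "$1")
    bound=$(l2tp_listen_addr "$2" "$3")
    status=$(l2tp_bind_status "$WAN_IP" "$bound")
    echo "self=$self bound=$bound status=$status"
}

l2tp_audit "$TMP/mpd-boot.conf"    "$TMP/l2tps.log" 1
l2tp_audit "$TMP/mpd-restart.conf" "$TMP/l2tps.log" 2
```

On a real box the two inputs would be /var/etc/l2tp-vpn/mpd.conf and the l2tps entries from the system log, and the WILDCARD result is the one to alert on: it means the control channel is listening on the LAN and guest/IoT VLAN addresses as well, not just on the WAN.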
-
I think your problem here is that the phone is behind the firewall when you try to connect to pfSense.
As WAN is a PPPoE connection, the system expects the IP address to change every now and then. So to listen on 0.0.0.0 is the better choice here.
Don't know enough about your topology to tell you where the problem is exactly, but I'd try to go with 0.0.0.0 and make it work that way.
-
@raab said in IPSec/L2TP listen address 0.0.0.0 on reboot:
set l2tp self
hi
This means that when mpd configs are created, the WAN interface does not yet have an IP address.
set link enable chap
set link keep-alive 10 180
When you restart l2tp:
set link enable chap
set l2tp self 219.x.x.x
set link keep-alive 10 180
-
@Grimeton said in IPSec/L2TP listen address 0.0.0.0 on reboot:
I think your problem here is that the phone is behind the firewall when you try to connect to pfSense.
As WAN is a PPPoE connection, the system expects the IP address to change every now and then. So to listen on 0.0.0.0 is the better choice here.
Don't know enough about your topology to tell you where the problem is exactly, but I'd try to go with 0.0.0.0 and make it work that way.
Yeah I know, which wouldn't be a common scenario, but I just find it annoying that l2tp starts before the WAN connection is up.
My WAN IP is static so I wouldn't have that issue.
Basically pfSense connected via RJ45 to an ONT (fibre); PPPoE is using igb0.10 (VLAN 10).
igb1 connected to a Cisco SG500 switch, AP connected to that
Couple of VLANs on igb1 for guest wireless and IoT.
Pretty simple setup.
I didn't have this problem with the EdgeRouter 4, but I was able to specify the WAN IP address in the config.
I should add this doesn't affect connections coming from the internet when listening on 0.0.0.0.
@Konstanti said in IPSec/L2TP listen address 0.0.0.0 on reboot:
@raab said in IPSec/L2TP listen address 0.0.0.0 on reboot:
set l2tp self
hi
This means that when mpd configs are created, the WAN interface does not yet have an IP address.
set link enable chap
set link keep-alive 10 180
When you restart l2tp:
set link enable chap
set l2tp self 219.x.x.x
set link keep-alive 10 180
Bug or intended behaviour?
-
The thing here is that even if you'd set the ip address in the l2tp config, the moment it starts it would not find the address as the pppoe starts afterwards. Also pppoe connections can go down, which deletes the interface IP.
I do not see a problem with l2tp listening to 0.0.0.0. The problem I see here is your testing scenario, because IPSec is pretty picky when it comes to subnets and the side you're on.
A simple solution for the l2tp problem could be to src nat everything going out on the LAN interface from l2tp to the WAN IP...
Problem solved.
-
@Grimeton said in IPSec/L2TP listen address 0.0.0.0 on reboot:
The thing here is that even if you'd set the ip address in the l2tp config, the moment it starts it would not find the address as the pppoe starts afterwards. Also pppoe connections can go down, which deletes the interface IP.
I do not see a problem with l2tp listening to 0.0.0.0. The problem I see here is your testing scenario, because IPSec is pretty picky when it comes to subnets and the side you're on.
A simple solution for the l2tp problem could be to src nat everything going out on the LAN interface from l2tp to the WAN IP...
Problem solved.
Yep fair enough, I’ll leave it be
-
Was able to get internal clients connecting just by adding a host override for my VPN domain name to point to pfSense, e.g. 192.168.1.1, instead of trying to come in via the WAN IP.
Not sure what I achieved in the end, but happy days.