Glorious Error 789 or 13801 for IKEv2

Fauk · Nov 2, 2015, 1:18 PM

Hello folks,

I have a huge problem with vpn using l2tp and ipsec with pfsense. Up to this point I used pptp but since it is unsecure and I have more time I wanted to switch to l2tp over ipsec but the error Code 789 is killing me for more than one week now.

So here is what I did:

I installed and configured pfsense in the version: 2.2.4
I configured pptp and I have a windows 8 client, everything works fine, so the client can connect to it and use the vpn, but I want to switch to l2tp now. So I did everything the official how to told me to do, but no success. It gives me the error 789 all the time.

My L2tp Configuration looks like this:

Enabled L2TP Server
Server Address = New Unused Adress ((192.168.60.254)
Remote Address Range = New Unused Adress Range (192.168.60.0/24)
Subnet Mask = 24
No Secret
Authentication Type = Chap
Two legit DNS servers

I also created a test user with dynamic IP address

IPsec Looks like this:

Phase 1:

Key: V1
IP: IPv4
Interface: WAN

Phase 1 Authentication
Method: Mutual PSK
Negotiation: Main
Identifier: My Ip address

Phase 1 Algorithms
Encryption: 3DES
Hash: SHA1
DH key Group: 2 (1024)
Lifetime 28800
Nat Traversel = auto

Mobile clients
Enabled ipsec Mobile Client Support
Virtual Adress Pool: 192.168.60.0/24

Pre-Shared-Key
allusers PSK 123
any PSK 123

The system log repeats itself with the following errors:

Sep 22 11:37:44 charon: 12[ENC] <2> generating INFORMATIONAL_V1 request 3035542370 [ HASH N(PLD_MAL) ]
Sep 22 11:37:44	charon: 12[NET] <2> sending packet: from 212.90.100.194[500] to 176.4.74.75[500] (68 bytes)
Sep 22 11:37:44	charon: 12[IKE] <2> ID_PROT request with message ID 0 processing failed
Sep 22 11:37:44	charon: 12[IKE] <2> ID_PROT request with message ID 0 processing failed
Sep 22 11:37:45	charon: 11[NET] <2> received packet: from 176.4.74.75[4500] to 212.90.100.194[4500] (68 bytes)
Sep 22 11:37:45	charon: 11[ENC] <2> invalid ID_V1 payload length, decryption failed?
Sep 22 11:37:45	charon: 11[ENC] <2> could not decrypt payloads
Sep 22 11:37:45	charon: 11[IKE] <2> message parsing failed
Sep 22 11:37:45	charon: 11[IKE] <2> message parsing failed

I allowed any traffic in the Firewall-> Rules tab for IPsec and L2tp and on the wan interface allowed ports UDP(500), UDP(4500), TCP/UDP(1701), and ESP.

On Windows VPN looks like this:

VPN-TYPE: Layer-2-Tunneling-Protocoll with Ipsec
Advanced settings has the PSK(123) installed

Dataencyption is set to optional
the following protocols are allowed:
PAP, CHAP, MS-CHAP v2

Any help would be appreciated

David_W · Oct 27, 2015, 9:32 AM

As jimp has stated in the forums several times recently, IPsec using IKEv2 is probably a better option than L2TP/IPsec at this point.

I have no problems using Windows 7 Professional clients with pfSense's IKEv2 support.

Fauk · Nov 2, 2015, 2:38 PM

@David_W:

As jimp has stated in the forums several times recently, IPsec using IKEv2 is probably a better option than L2TP/IPsec at this point.

I have no problems using Windows 7 Professional clients with pfSense's IKEv2 support.

Ok did that, and it worked ^^