Help! L2TP/IPsec not working as of 2.3 upgrade



  • Hello all,
    I've got a couple clients that I need to set up with access to a network behind pfSense. They were able to connect up until I upgraded from 2.2.6 -> 2.3.1. I've used a fresh configuration with a guide for setting up L2TP/IPsec but still no success. It appears that both my remote PC and pfSense are able to communicate, but the connection quickly gets dropped. I'm very new to all of this. Can anyone provide me with any tips please? pfSense system logs are posted below (I hope I'm posting this properly...):

    May 25 01:37:04 charon 15[NET] <4> received packet: from x.x.x.x[500] to y.y.y.y[500] (384 bytes)
    May 25 01:37:04 charon 15[ENC] <4> parsed ID_PROT request 0 [ SA V V V V V V V ]
    May 25 01:37:04 charon 15[IKE] <4> received MS NT5 ISAKMPOAKLEY vendor ID
    May 25 01:37:04 charon 15[IKE] <4> received NAT-T (RFC 3947) vendor ID
    May 25 01:37:04 charon 15[IKE] <4> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    May 25 01:37:04 charon 15[IKE] <4> received FRAGMENTATION vendor ID
    May 25 01:37:04 charon 15[ENC] <4> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
    May 25 01:37:04 charon 15[ENC] <4> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
    May 25 01:37:04 charon 15[ENC] <4> received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
    May 25 01:37:04 charon 15[IKE] <4> x.x.x.x is initiating a Main Mode IKE_SA
    May 25 01:37:04 charon 15[ENC] <4> generating ID_PROT response 0 [ SA V V V V ]
    May 25 01:37:04 charon 15[NET] <4> sending packet: from y.y.y.y[500] to x.x.x.x[500] (160 bytes)
    May 25 01:37:04 charon 15[NET] <4> received packet: from x.x.x.x[500] to y.y.y.y[500] (388 bytes)
    May 25 01:37:04 charon 15[ENC] <4> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    May 25 01:37:05 charon 15[IKE] <4> remote host is behind NAT
    May 25 01:37:05 charon 15[ENC] <4> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    May 25 01:37:05 charon 15[NET] <4> sending packet: from y.y.y.y[500] to x.x.x.x[500] (372 bytes)
    May 25 01:37:05 charon 15[NET] <4> received packet: from x.x.x.x[4500] to y.y.y.y[4500] (76 bytes)
    May 25 01:37:05 charon 15[ENC] <4> parsed ID_PROT request 0 [ ID HASH ]
    May 25 01:37:05 charon 15[CFG] <4> looking for pre-shared key peer configs matching y.y.y.y...x.x.x.x[10.0.1.20]
    May 25 01:37:05 charon 15[CFG] <4> selected peer config "con1"
    May 25 01:37:05 charon 15[IKE] <con1|4> IKE_SA con1[4] established between y.y.y.y[y.y.y.y]...x.x.x.x[10.0.1.20]
    May 25 01:37:05 charon 15[IKE] <con1|4> scheduling reauthentication in 27924s
    May 25 01:37:05 charon 15[IKE] <con1|4> maximum IKE_SA lifetime 28464s
    May 25 01:37:05 charon 15[IKE] <con1|4> DPD not supported by peer, disabled
    May 25 01:37:05 charon 15[ENC] <con1|4> generating ID_PROT response 0 [ ID HASH ]
    May 25 01:37:05 charon 15[NET] <con1|4> sending packet: from y.y.y.y[4500] to x.x.x.x[4500] (76 bytes)
    May 25 01:37:05 charon 16[NET] <con1|4> received packet: from x.x.x.x[4500] to y.y.y.y[4500] (332 bytes)
    May 25 01:37:05 charon 16[ENC] <con1|4> parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
    May 25 01:37:05 charon 16[IKE] <con1|4> received 250000000 lifebytes, configured 0
    May 25 01:37:05 charon 16[ENC] <con1|4> generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
    May 25 01:37:05 charon 16[NET] <con1|4> sending packet: from y.y.y.y[4500] to x.x.x.x[4500] (204 bytes)
    May 25 01:37:05 charon 16[NET] <con1|4> received packet: from x.x.x.x[4500] to y.y.y.y[4500] (60 bytes)
    May 25 01:37:05 charon 16[ENC] <con1|4> parsed QUICK_MODE request 1 [ HASH ]
    May 25 01:37:05 charon 16[IKE] <con1|4> CHILD_SA con1{4} established with SPIs c1e87bbd_i 15a4bae3_o and TS y.y.y.y/32|/0[udp/l2f] === x.x.x.x/32|/0[udp/l2f]
    May 25 01:37:40 charon 12[NET] <con1|4> received packet: from x.x.x.x[4500] to y.y.y.y[4500] (76 bytes)
    May 25 01:37:40 charon 12[ENC] <con1|4> parsed INFORMATIONAL_V1 request 3411090219 [ HASH D ]
    May 25 01:37:40 charon 12[IKE] <con1|4> received DELETE for ESP CHILD_SA with SPI 15a4bae3
    May 25 01:37:40 charon 12[IKE] <con1|4> closing CHILD_SA con1{4} with SPIs c1e87bbd_i (635 bytes) 15a4bae3_o (0 bytes) and TS y.y.y.y/32|/0[udp/l2f] === x.x.x.x/32|/0[udp/l2f]
    May 25 01:37:40 charon 08[NET] <con1|4> received packet: from x.x.x.x[4500] to y.y.y.y[4500] (92 bytes)
    May 25 01:37:40 charon 08[ENC] <con1|4> parsed INFORMATIONAL_V1 request 3816224517 [ HASH D ]
    May 25 01:37:40 charon 08[IKE] <con1|4> received DELETE for IKE_SA con1[4]
    May 25 01:37:40 charon 08[IKE] <con1|4> deleting IKE_SA con1[4] between y.y.y.y[y.y.y.y]...x.x.x.x[10.0.1.20]

    I need to take a nap -.- please let me know if any more information is needed. Thanks!

