Pfsense 2.3 l2tp ipsec mobile clients



  • Good day. I am turning to you for help. A week of reading the wiki and the manuals has not helped. You are my last hope for understanding what is going on.
    I am trying to set up an L2TP/IPsec VPN connection for remote employees (mobile clients).
    The setup is being done on pfSense 2.3.3-RELEASE.
    The client is Windows 10.

    IPsec log:
    Mar 17 10:01:30 charon 07[NET] <8> received packet: from 194.1.156.30[500] to 178.70.69.71[500] (408 bytes)
    Mar 17 10:01:30 charon 07[ENC] <8> parsed ID_PROT request 0 [ SA V V V V V V V V ]
    Mar 17 10:01:30 charon 07[ENC] <8> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
    Mar 17 10:01:30 charon 07[IKE] <8> received MS NT5 ISAKMPOAKLEY vendor ID
    Mar 17 10:01:30 charon 07[IKE] <8> received NAT-T (RFC 3947) vendor ID
    Mar 17 10:01:30 charon 07[IKE] <8> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Mar 17 10:01:30 charon 07[IKE] <8> received FRAGMENTATION vendor ID
    Mar 17 10:01:30 charon 07[ENC] <8> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
    Mar 17 10:01:30 charon 07[ENC] <8> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
    Mar 17 10:01:30 charon 07[ENC] <8> received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
    Mar 17 10:01:30 charon 07[IKE] <8> 194.1.156.30 is initiating a Main Mode IKE_SA
    Mar 17 10:01:30 charon 07[ENC] <8> generating ID_PROT response 0 [ SA V V V V ]
    Mar 17 10:01:30 charon 07[NET] <8> sending packet: from 178.70.69.71[500] to 194.1.156.30[500] (160 bytes)
    Mar 17 10:01:30 charon 06[NET] <8> received packet: from 194.1.156.30[500] to 178.70.69.71[500] (388 bytes)
    Mar 17 10:01:30 charon 06[ENC] <8> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Mar 17 10:01:30 charon 06[IKE] <8> remote host is behind NAT
    Mar 17 10:01:30 charon 06[ENC] <8> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Mar 17 10:01:30 charon 06[NET] <8> sending packet: from 178.70.69.71[500] to 194.1.156.30[500] (372 bytes)
    Mar 17 10:01:30 charon 06[NET] <8> received packet: from 194.1.156.30[4500] to 178.70.69.71[4500] (76 bytes)
    Mar 17 10:01:30 charon 06[ENC] <8> parsed ID_PROT request 0 [ ID HASH ]
    Mar 17 10:01:30 charon 06[CFG] <8> looking for pre-shared key peer configs matching 178.70.69.71...194.1.156.30[192.168.5.130]
    Mar 17 10:01:30 charon 06[CFG] <8> selected peer config "con1"
    Mar 17 10:01:30 charon 06[IKE] <con1|8> IKE_SA con1[8] established between 178.70.69.71[178.70.69.71]...194.1.156.30[192.168.5.130]
    Mar 17 10:01:30 charon 06[IKE] <con1|8> scheduling reauthentication in 28258s
    Mar 17 10:01:30 charon 06[IKE] <con1|8> maximum IKE_SA lifetime 28798s
    Mar 17 10:01:30 charon 06[IKE] <con1|8> DPD not supported by peer, disabled
    Mar 17 10:01:30 charon 06[ENC] <con1|8> generating ID_PROT response 0 [ ID HASH ]
    Mar 17 10:01:30 charon 06[NET] <con1|8> sending packet: from 178.70.69.71[4500] to 194.1.156.30[4500] (76 bytes)
    Mar 17 10:01:30 charon 11[NET] <con1|8> received packet: from 194.1.156.30[4500] to 178.70.69.71[4500] (444 bytes)
    Mar 17 10:01:30 charon 11[ENC] <con1|8> parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
    Mar 17 10:01:30 charon 11[IKE] <con1|8> received 250000000 lifebytes, configured 0
    Mar 17 10:01:30 charon 11[ENC] <con1|8> generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
    Mar 17 10:01:30 charon 11[NET] <con1|8> sending packet: from 178.70.69.71[4500] to 194.1.156.30[4500] (204 bytes)
    Mar 17 10:01:30 charon 11[NET] <con1|8> received packet: from 194.1.156.30[4500] to 178.70.69.71[4500] (60 bytes)
    Mar 17 10:01:30 charon 11[ENC] <con1|8> parsed QUICK_MODE request 1 [ HASH ]
    Mar 17 10:01:30 charon 11[IKE] <con1|8> CHILD_SA con1{3} established with SPIs cc9595da_i 34d6240a_o and TS 178.70.69.71/32|/0[udp/l2f] === 194.1.156.30/32|/0[udp/l2f]
    Mar 17 10:02:06 charon 08[NET] <con1|8> received packet: from 194.1.156.30[4500] to 178.70.69.71[4500] (76 bytes)
    Mar 17 10:02:06 charon 08[ENC] <con1|8> parsed INFORMATIONAL_V1 request 3625319790 [ HASH D ]
    Mar 17 10:02:06 charon 08[IKE] <con1|8> received DELETE for ESP CHILD_SA with SPI 34d6240a
    Mar 17 10:02:06 charon 08[IKE] <con1|8> closing CHILD_SA con1{3} with SPIs cc9595da_i (876 bytes) 34d6240a_o (0 bytes) and TS 178.70.69.71/32|/0[udp/l2f] === 194.1.156.30/32|/0[udp/l2f]
    Mar 17 10:02:06 charon 13[NET] <con1|8> received packet: from 194.1.156.30[4500] to 178.70.69.71[4500] (92 bytes)
    Mar 17 10:02:06 charon 13[ENC] <con1|8> parsed INFORMATIONAL_V1 request 1181827563 [ HASH D ]
    Mar 17 10:02:06 charon 13[IKE] <con1|8> received DELETE for IKE_SA con1[8]
    Mar 17 10:02:06 charon 13[IKE] <con1|8> deleting IKE_SA con1[8] between 178.70.69.71[178.70.69.71]...194.1.156.30[192.168.5.130]

    Please don't be too harsh. I am trying to figure this out and understand how it works. I want to learn.
    If possible, please explain what I am doing wrong. Thank you for your understanding.


    ![firewall ipsec.PNG](/public/imported_attachments/1/firewall ipsec.PNG)
    ![firewall l2tp.PNG](/public/imported_attachments/1/firewall l2tp.PNG)





  • If Windows 10 is behind NAT, plain L2TP/IPsec will not work, although for some reason it does work with MikroTik using similar settings.
    This is stated explicitly at the very top of the wiki.

    Users have reported issues with Windows L2TP/IPsec clients behind NAT. If the clients will be behind NAT, Windows clients will most likely not function. Consider an IKEv2 implementation instead.
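As an added example (not from the post, nor pfSense or strongSwan code), a small Python script that reads a charon log like the one above and separates IKE phase 1, phase 2 and the L2TP leg: in this log both SAs come up, the client's L2TP packets arrive over ESP (876 bytes in, 0 bytes out) and the client tears everything down 36 seconds later, which is what the reply's point about Windows clients behind NAT looks like on the server side. The embedded excerpt is constructed from the lines in the post, and the verdict strings are a diagnostic heuristic of this script, not strongSwan output.

```python
import re
from datetime import datetime
# Constructed excerpt in the same format as the charon log in the post above
# (timestamps, SPIs and byte counts are taken from that log).
SAMPLE_LOG = """\
Mar 17 10:01:30 charon 06[IKE] <8> remote host is behind NAT
Mar 17 10:01:30 charon 06[IKE] <con1|8> IKE_SA con1[8] established between 178.70.69.71[178.70.69.71]...194.1.156.30[192.168.5.130]
Mar 17 10:01:30 charon 11[IKE] <con1|8> CHILD_SA con1{3} established with SPIs cc9595da_i 34d6240a_o and TS 178.70.69.71/32|/0[udp/l2f] === 194.1.156.30/32|/0[udp/l2f]
Mar 17 10:02:06 charon 08[IKE] <con1|8> received DELETE for ESP CHILD_SA with SPI 34d6240a
Mar 17 10:02:06 charon 08[IKE] <con1|8> closing CHILD_SA con1{3} with SPIs cc9595da_i (876 bytes) 34d6240a_o (0 bytes) and TS 178.70.69.71/32|/0[udp/l2f] === 194.1.156.30/32|/0[udp/l2f]
Mar 17 10:02:06 charon 13[IKE] <con1|8> received DELETE for IKE_SA con1[8]
"""

# "<con1|8>" may be followed by a space or, as in the pasted log, by none.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon \d+\[\w+\] <[^>]*> ?(?P<msg>.*)$")
CLOSE_RE = re.compile(r"closing CHILD_SA .* \w+_i \((?P<bin>\d+) bytes\) \w+_o \((?P<bout>\d+) bytes\)")
TS_RE = re.compile(r"\[(?P<proto>[\w/]+)\] === ")   # protocol in the traffic selector, e.g. udp/l2f

def analyze(log: str) -> dict:
    r = {"behind_nat": False, "ike_sa": None, "child_sa": None, "closed": None, "ts_proto": None, "bytes_in": None, "bytes_out": None}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; only differences between them are used
        ts, msg = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S"), m["msg"]
        if "remote host is behind NAT" in msg:
            r["behind_nat"] = True
        elif msg.startswith("IKE_SA") and "established" in msg:
            r["ike_sa"] = ts                                   # phase 1 done
        elif msg.startswith("CHILD_SA") and "established" in msg:
            r["child_sa"] = ts                                 # phase 2 done
            t = TS_RE.search(msg)
            r["ts_proto"] = t["proto"] if t else None
        elif (c := CLOSE_RE.search(msg)):                      # teardown with per-direction byte counts
            r["closed"] = ts
            r["bytes_in"], r["bytes_out"] = int(c["bin"]), int(c["bout"])
    r["child_lifetime_s"] = (r["closed"] - r["child_sa"]).total_seconds() if r["child_sa"] and r["closed"] else None
    r["verdict"] = verdict(r)
    return r

def verdict(r: dict) -> str:
    if r["ike_sa"] is None:
        return "phase 1 never completed: check the pre-shared key and phase 1 proposal"
    if r["child_sa"] is None:
        return "phase 1 OK, phase 2 failed: check the phase 2 proposal and traffic selectors"
    if r["behind_nat"] and r["bytes_out"] == 0 and (r["bytes_in"] or 0) > 0:
        return "IPsec negotiated for %s; client data arrived but nothing was sent back before the client tore the SA down: the failure is in the L2TP leg, consistent with a Windows client behind NAT" % r["ts_proto"]
    return "IPsec negotiated; inspect the L2TP/PPP log next"
```

Run `analyze()` on the full charon log from the post (the missing space after `<con1|8>` is tolerated) to get the same breakdown.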