L2TP/IPSec doesn't work
-
Hi all
I am trying to configure L2TP/IPSec on pfSense 2.3.4-RELEASE (i386). I followed this guide https://doc.pfsense.org/index.php/L2TP/IPsec but it doesn't work. The IPSec tunnel works, but after that there is no response from the L2TP server (UDP 1701).
tcpdump:
21:01:37.651821 (authentic,confidential): SPI 0xc99c082c: IP <public client IP>.36982 > <public IP pfsense (no RFC 1918)>.1701: UDP, length 69
21:01:39.651812 (authentic,confidential): SPI 0xc99c082c: IP <public client IP>.36982 > <public IP pfsense (no RFC 1918)>.1701: UDP, length 69
21:01:41.779635 (authentic,confidential): SPI 0xc99c082c: IP <public client IP>.36982 > <public IP pfsense (no RFC 1918)>.1701: UDP, length 69
21:01:43.667297 (authentic,confidential): SPI 0xc99c082c: IP <public client IP>.36982 > <public IP pfsense (no RFC 1918)>.1701: UDP, length 69
21:01:45.652752 (authentic,confidential): SPI 0xc99c082c: IP <public client IP>.36982 > <public IP pfsense (no RFC 1918)>.1701: UDP, length 69
21:01:47.667426 (authentic,confidential): SPI 0xc99c082c: IP <public client IP>.36982 > <public IP pfsense (no RFC 1918)>.1701: UDP, length 69
21:01:49.666335 (authentic,confidential): SPI 0xc99c082c: IP <public client IP>.36982 > <public IP pfsense (no RFC 1918)>.1701: UDP, length 69
21:01:51.666811 (authentic,confidential): SPI 0xc99c082c: IP <public client IP>.36982 > <public IP pfsense (no RFC 1918)>.1701: UDP, length 69
21:01:53.667271 (authentic,confidential): SPI 0xc99c082c: IP <public client IP>.36982 > <public IP pfsense (no RFC 1918)>.1701: UDP, length 69
21:01:55.683434 (authentic,confidential): SPI 0xc99c082c: IP <public client IP>.36982 > <public IP pfsense (no RFC 1918)>.1701: UDP, length 69
I checked the firewall log; nothing is blocking UDP 1701.
Under Status/IPsec/Overview I see a successful connection from the client (Android 7.1 L2TP/IPSec PSK) until the client closes the connection because the L2TP server is not responding.
Could it be a problem that the pfSense is directly connected with a public IP (no NAT)?
ipsec.conf:

config setup
    uniqueids = yes

conn bypasslan
    leftsubnet = XXXXXX
    rightsubnet = XXXXXX
    authby = never
    type = passthrough
    auto = route

conn con1
    fragmentation = yes
    keyexchange = ikev1
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = transport
    dpdaction = clear
    dpddelay = 10s
    dpdtimeout = 60s
    auto = add
    left = %any
    right = %any
    leftid = <public IP pfsense>
    ikelifetime = 28800s
    lifetime = 3600s
    ike = aes256-sha1-modp1024!
    esp = aes128-sha1!
    leftauth = psk
    rightauth = psk
    aggressive = no

mpd.conf:

l2tps:
    load l2tp0
    load l2tp1
    load l2tp2
    load l2tp3
    load l2tp4
    load l2tp5
    load l2tp6

l2tp0:
    new -i l2tp0 l2tp0 l2tp0
    set ipcp ranges 10.0.0.2/32 10.0.0.64/32
    load l2tp_standard

l2tp1:
    new -i l2tp1 l2tp1 l2tp1
    set ipcp ranges 10.0.0.2/32 10.0.0.65/32
    load l2tp_standard

l2tp2:
    new -i l2tp2 l2tp2 l2tp2
    set ipcp ranges 10.0.0.2/32 10.0.0.66/32
    load l2tp_standard

l2tp3:
    new -i l2tp3 l2tp3 l2tp3
    set ipcp ranges 10.0.0.2/32 10.0.0.67/32
    load l2tp_standard

l2tp4:
    new -i l2tp4 l2tp4 l2tp4
    set ipcp ranges 10.0.0.2/32 10.0.0.68/32
    load l2tp_standard

l2tp5:
    new -i l2tp5 l2tp5 l2tp5
    set ipcp ranges 10.0.0.2/32 10.0.0.69/32
    load l2tp_standard

l2tp6:
    new -i l2tp6 l2tp6 l2tp6
    set ipcp ranges 10.0.0.2/32 10.0.0.70/32
    load l2tp_standard

l2tp_standard:
    set bundle disable multilink
    set bundle enable compression
    set bundle yes crypt-reqd
    set ipcp yes vjcomp
    # set ipcp ranges 131.188.69.161/32 131.188.69.170/28
    set ccp yes mppc
    set iface disable on-demand
    set iface enable proxy-arp
    set iface up-script /usr/local/sbin/vpn-linkup
    set iface down-script /usr/local/sbin/vpn-linkdown
    set link yes acfcomp protocomp
    set link no pap chap
    set link enable chap
    set l2tp self <public IP pfsense>
    set link keep-alive 10 180
    set ipcp dns

Many thanks
Reeno
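The capture above is the classic one-way signature of this problem: the client keeps resending its L2TP control message on UDP 1701 every couple of seconds and nothing ever comes back from the pfSense side. As an added example (not from the post, the pfSense docs, or the tools they mention), this Python script parses tcpdump lines in that decrypted-ESP format and reports client flows to UDP 1701 that never receive a reply, together with the retransmit interval; the addresses in the sample are constructed documentation IPs.

```python
import re
from collections import defaultdict
from datetime import datetime
L2TP_PORT = 1701

# Constructed sample modelled on the post's capture (documentation IPs, not
# real hosts): every packet is client -> pfSense:1701, nothing comes back.
SAMPLE_CAPTURE = """\
21:01:37.651821 (authentic,confidential): SPI 0xc99c082c: IP 203.0.113.10.36982 > 198.51.100.5.1701: UDP, length 69
21:01:39.651812 (authentic,confidential): SPI 0xc99c082c: IP 203.0.113.10.36982 > 198.51.100.5.1701: UDP, length 69
21:01:41.779635 (authentic,confidential): SPI 0xc99c082c: IP 203.0.113.10.36982 > 198.51.100.5.1701: UDP, length 69
21:01:43.667297 (authentic,confidential): SPI 0xc99c082c: IP 203.0.113.10.36982 > 198.51.100.5.1701: UDP, length 69
"""

# tcpdump UDP line: the "(authentic,confidential): SPI ..." prefix is skipped,
# and the IPv4 address and port are split at the last dot.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) .*?IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)

def parse_capture(text):
    """Return (seconds_since_midnight, src, sport, dst, dport) per UDP line."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a UDP line in tcpdump format, ignore it
        t = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
        packets.append((secs, m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return packets

def find_unanswered_l2tp(packets):
    """Map (client_ip, client_port) -> stats for flows to UDP 1701 with no reply."""
    # A flow is answered once any packet from source port 1701 goes back to that
    # client address/port; a steady ~2 s gap otherwise is the client's retransmit timer.
    to_server = defaultdict(list)
    answered = set()
    for secs, src, sport, dst, dport in packets:
        if dport == L2TP_PORT:
            to_server[(src, sport)].append(secs)
        elif sport == L2TP_PORT:
            answered.add((dst, dport))
    report = {}
    for client, times in to_server.items():
        if client in answered:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else 0.0
        report[client] = {"attempts": len(times), "mean_gap_s": round(mean_gap, 3)}
    return report
```

Run it over the output of `tcpdump -ni <WAN interface> udp port 1701` taken on the pfSense box; an empty report means the L2TP daemon did answer, which points the search away from mpd and toward the path between client and server.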
-
Just to check, did you try this bit? https://doc.pfsense.org/index.php/L2TP/IPsec#Firewall_traffic_blocked_outbound
I had a very similar problem and the sloppy state bit fixed the problem for me. It's not that a specific firewall rule is blocking something, it's the state handling that interferes on the L2TP virtual interface.