IPSec/L2TP for Mac OS X



  • Hello folks,

    Here is my first message, please don't be too rude with me! :)

    I'm trying to get an IPSec/L2TP VPN working with Mac OS X as the client.

    Here is an overview of my setup:

    Here is what happens:

    • Phases 1 and 2 are OK
    
    Feb 24 14:51:10	racoon: [Self]: INFO: respond new phase 1 negotiation: pf_WAN[500]<=>client_pubIP[23109]
    Feb 24 14:51:10	racoon: INFO: begin Identity Protection mode.
    Feb 24 14:51:10	racoon: INFO: received Vendor ID: RFC 3947
    Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Feb 24 14:51:10	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Feb 24 14:51:10	racoon: INFO: received Vendor ID: DPD
    Feb 24 14:51:10	racoon: [client_pubIP] INFO: Selected NAT-T version: RFC 3947
    Feb 24 14:51:11	racoon: [Self]: [pf_WAN] INFO: Hashing pf_WAN[500] with algo #2
    Feb 24 14:51:11	racoon: INFO: NAT-D payload #0 verified
    Feb 24 14:51:11	racoon: [client_pubIP] INFO: Hashing client_pubIP[23109] with algo #2
    Feb 24 14:51:11	racoon: INFO: NAT-D payload #1 doesn't match
    Feb 24 14:51:11	racoon: INFO: NAT detected: PEER
    Feb 24 14:51:11	racoon: [client_pubIP] INFO: Hashing client_pubIP[23109] with algo #2
    Feb 24 14:51:11	racoon: [Self]: [pf_WAN] INFO: Hashing pf_WAN[500] with algo #2
    Feb 24 14:51:11	racoon: INFO: Adding remote and local NAT-D payloads.
    Feb 24 14:51:12	racoon: [Self]: INFO: NAT-T: ports changed to: client_pubIP[20432]<->pf_WAN[4500]
    Feb 24 14:51:12	racoon: [Self]: INFO: KA list add: pf_WAN[4500]->client_pubIP[20432]
    Feb 24 14:51:12	racoon: [client_pubIP] INFO: received INITIAL-CONTACT
    Feb 24 14:51:12	racoon: [Self]: INFO: ISAKMP-SA established pf_WAN[4500]-client_pubIP[20432] spi:bcbef85b3a0a0887:a4e06de5868a4028
    Feb 24 14:51:12	racoon: [Self]: INFO: respond new phase 2 negotiation: pf_WAN[4500]<=>client_pubIP[20432]
    Feb 24 14:51:12	racoon: INFO: no policy found, try to generate the policy : client_intIP/32[54093] pf_WAN/32[1701] proto=udp dir=in
    Feb 24 14:51:12	racoon: INFO: Adjusting my encmode UDP-Transport->Transport
    Feb 24 14:51:12	racoon: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
    Feb 24 14:51:12	racoon: [Self]: INFO: IPsec-SA established: ESP pf_WAN[500]->client_pubIP[500] spi=45029298(0x2af17b2)
    Feb 24 14:51:12	racoon: [Self]: INFO: IPsec-SA established: ESP pf_WAN[500]->client_pubIP[500] spi=118646864(0x7126850)
    
    
    • Mac OS tries to reach the L2TP (mpd4) server using the pf_WAN IP address, through the IPSec tunnel
    • The L2TP server responds to the Mac using public_IP, but not through the IPSec tunnel

    Indeed, when I run tcpdump in pfSense on em0 (the WAN interface), filtering on port 1701, all I can see is:

    
    14:56:30.996706 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
    14:56:31.956424 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
    14:56:31.992758 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
    14:56:33.916780 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
    14:56:33.992780 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
    14:56:37.992833 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
    14:56:38.016666 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
    14:56:41.942886 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
    14:56:45.992894 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
    14:56:46.645184 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
    14:56:49.892173 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
    
    

    So I guess there is an issue with my IPSec configuration, probably with the policy. But after making lots of tests, I'm not able to find the right configuration.

    Any help will be appreciated.

    IPSec/L2TP Configuration:

    
    <pfsense>
      <ipsec>
        <enable/>
        <client>
          <enable/>
          <user_source>Local Database</user_source>
          <group_source>system</group_source>
        </client>
        <mobilekey>
          <ident>client_PubIP</ident>
          <pre-shared-key>xxxxx</pre-shared-key>
        </mobilekey>
        <phase1>
          <ikeid>1</ikeid>
          <interface>wan</interface>
          <mobile/>
          <mode>main</mode>
          <protocol>inet</protocol>
          <myid_type>myaddress</myid_type>
          <myid_data/>
          <encryption-algorithm>
            <name>aes</name>
            <keylen>256</keylen>
          </encryption-algorithm>
          <hash-algorithm>sha1</hash-algorithm>
          <dhgroup>2</dhgroup>
          <lifetime>86400</lifetime>
          <pre-shared-key>xxxxxx</pre-shared-key>
          <private-key/>
          <certref/>
          <caref/>
          <authentication_method>pre_shared_key</authentication_method>
          <generate_policy>unique</generate_policy>
          <proposal_check>strict</proposal_check>
          <nat_traversal>force</nat_traversal>
          <dpd_delay>10</dpd_delay>
          <dpd_maxfail>5</dpd_maxfail>
        </phase1>
        <phase2>
          <ikeid>1</ikeid>
          <mode>tunnel</mode>
          <localid>
            <type>wan</type>
          </localid>
          <remoteid>
            <type>mobile</type>
          </remoteid>
          <protocol>esp</protocol>
          <encryption-algorithm-option>
            <name>aes</name>
            <keylen>auto</keylen>
          </encryption-algorithm-option>
          <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
          <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
          <pfsgroup>0</pfsgroup>
          <lifetime>3600</lifetime>
        </phase2>
      </ipsec>
      <l2tp>
        <radius/>
        <remoteip>172.16.2.128</remoteip>
        <localip>172.16.2.1</localip>
        <l2tp_subnet>28</l2tp_subnet>
        <mode>server</mode>
        <interface>lan</interface>
        <n_l2tp_units>1</n_l2tp_units>
        <secret/>
        <paporchap>chap</paporchap>
        <user>
          <name>asyd</name>
          <ip/>
          <password>xxxxxxx</password>
        </user>
      </l2tp>
    </pfsense>
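    An added diagnostic for the situation in this post (example code written for this thread, not code from the post, from pfSense or from racoon). It takes the racoon line that records the policy racoon generated for the client and the tcpdump lines captured on the WAN with the filter port 1701, and explains each packet: anything that tcpdump matches on port 1701 on the outside interface is plain L2TP, because NAT-T traffic is carried inside UDP 4500, so every such packet bypassed IPsec. The script then compares the packet's addresses and ports against the outbound selector and reports which fields kept it from matching. The log and capture lines embedded below are constructed samples modelled on the ones quoted above, and the assumption that racoon pairs the logged inbound selector with its mirror image (addresses and ports swapped, dir=out) is mine, not something the log states.

```python
"""Explain why L2TP control packets left the gateway in the clear.

Added example for this thread; not code from the post, pfSense or racoon.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input, shaped after the racoon log quoted in the post.
RACOON_LOG = """\
Feb 24 14:51:12\tracoon: [Self]: INFO: respond new phase 2 negotiation: pf_WAN[4500]<=>client_pubIP[20432]
Feb 24 14:51:12\tracoon: INFO: no policy found, try to generate the policy : client_intIP/32[54093] pf_WAN/32[1701] proto=udp dir=in
Feb 24 14:51:12\tracoon: INFO: Adjusting my encmode UDP-Transport->Transport
"""

# Constructed sample input, shaped after the tcpdump output quoted in the
# post (captured on the WAN interface with the filter 'port 1701').
WAN_CAPTURE = """\
14:56:30.996706 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
14:56:31.956424 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
"""

POLICY_RE = re.compile(
    r"generate the policy : (?P<src>\S+)/32\[(?P<sport>\d+)\] "
    r"(?P<dst>\S+)/32\[(?P<dport>\d+)\] proto=(?P<proto>\w+) dir=(?P<dir>\w+)"
)
PACKET_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+):\s+l2tp:")


@dataclass(frozen=True)
class Selector:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    direction: str


def parse_generated_policies(log: str) -> list[Selector]:
    """Return the selectors racoon reports when it generates a policy.

    racoon logs only the inbound selector; the outbound one is assumed to
    be its mirror image (addresses and ports swapped, dir=out), so both
    are returned for each log line.
    """
    found = []
    for line in log.splitlines():
        m = POLICY_RE.search(line)
        if not m:
            continue
        inbound = Selector(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"], m["dir"])
        outbound = Selector(inbound.dst, inbound.dport, inbound.src, inbound.sport, inbound.proto, "out")
        found.extend([inbound, outbound])
    return found


def split_host_port(endpoint: str) -> tuple[str, int]:
    """tcpdump prints 'host.port'; the port is the last dotted field."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_l2tp_packets(capture: str) -> list[tuple[tuple[str, int], tuple[str, int]]]:
    """Return ((src, sport), (dst, dport)) for every L2TP line in the capture."""
    packets = []
    for line in capture.splitlines():
        m = PACKET_RE.match(line)
        if m:
            packets.append((split_host_port(m["src"]), split_host_port(m["dst"])))
    return packets


def audit_cleartext_l2tp(log: str, capture: str) -> list[dict]:
    """Explain each cleartext L2TP packet seen on the outside interface.

    A packet matched by 'port 1701' on the WAN was not wrapped in ESP
    (NAT-T traffic would show up on UDP 4500 instead). For each packet
    every outbound selector is checked and the fields that differ are
    reported, so the reason for the bypass is visible at a glance.
    """
    outbound = [s for s in parse_generated_policies(log) if s.direction == "out"]
    findings = []
    for (src, sport), (dst, dport) in parse_l2tp_packets(capture):
        reasons = []
        for pol in outbound:
            mismatched = [name for name, got, want in (
                ("src", src, pol.src), ("sport", sport, pol.sport),
                ("dst", dst, pol.dst), ("dport", dport, pol.dport)) if got != want]
            if not mismatched:
                reasons = []  # a selector matched; drop earlier mismatches
                break
            reasons.append(mismatched)
        findings.append({
            "packet": f"{src}:{sport} -> {dst}:{dport}",
            "matched_policy": not reasons and bool(outbound),
            "mismatched_fields": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_cleartext_l2tp(RACOON_LOG, WAN_CAPTURE):
        print(finding)
```

    On the constructed input every packet is reported with mismatched_fields ["dst", "dport"]: the reply is addressed to the client's public address and port, while the generated selector was built for the client's internal address and port, so the kernel has no matching outbound policy and sends the L2TP reply unprotected. Seeing L2TP control traffic on the outside interface at all is the security-relevant signal, since the PPP authentication that follows would also travel in the clear.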
    
    


  • I reply to myself.

    The issue with pfSense is the lack of control over how the SPDs are generated. I succeeded in getting my initial setup working with a standard FreeBSD using ipsec-tools (aka Racoon 1) and MPD5.

    Just in case: don't lose your time trying to use racoon 2; almost all of the required options are not yet implemented.