4. IPSec/L2TP for Mac OS X

IPSec/L2TP for Mac OS X

  • A

    Hello folks,

    here my first message, please don't be too rude with me! :)

    I'm trying to get IPSec/L2TP VPN working with as a Mac OS X as client.

    Here a part an overview of my setup:

    Here what happens:

    • Phase 1, 2 are ok
    
Feb 24 14:51:10	racoon: [Self]: INFO: respond new phase 1 negotiation: pf_WAN[500]<=>client_pubIP[23109]
Feb 24 14:51:10	racoon: INFO: begin Identity Protection mode.
Feb 24 14:51:10	racoon: INFO: received Vendor ID: RFC 3947
Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 24 14:51:10	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 24 14:51:10	racoon: INFO: received Vendor ID: DPD
Feb 24 14:51:10	racoon: [client_pubIP] INFO: Selected NAT-T version: RFC 3947
Feb 24 14:51:11	racoon: [Self]: [pf_WAN] INFO: Hashing pf_WAN[500] with algo #2
Feb 24 14:51:11	racoon: INFO: NAT-D payload #0 verified
Feb 24 14:51:11	racoon: [client_pubIP] INFO: Hashing client_pubIP[23109] with algo #2
Feb 24 14:51:11	racoon: INFO: NAT-D payload #1 doesn't match
Feb 24 14:51:11	racoon: INFO: NAT detected: PEER
Feb 24 14:51:11	racoon: [client_pubIP] INFO: Hashing client_pubIP[23109] with algo #2
Feb 24 14:51:11	racoon: [Self]: [pf_WAN] INFO: Hashing pf_WAN[500] with algo #2
Feb 24 14:51:11	racoon: INFO: Adding remote and local NAT-D payloads.
Feb 24 14:51:12	racoon: [Self]: INFO: NAT-T: ports changed to: client_pubIP[20432]<->pf_WAN[4500]
Feb 24 14:51:12	racoon: [Self]: INFO: KA list add: pf_WAN[4500]->client_pubIP[20432]
Feb 24 14:51:12	racoon: [client_pubIP] INFO: received INITIAL-CONTACT
Feb 24 14:51:12	racoon: [Self]: INFO: ISAKMP-SA established pf_WAN[4500]-client_pubIP[20432] spi:bcbef85b3a0a0887:a4e06de5868a4028
Feb 24 14:51:12	racoon: [Self]: INFO: respond new phase 2 negotiation: pf_WAN[4500]<=>client_pubIP[20432]
Feb 24 14:51:12	racoon: INFO: no policy found, try to generate the policy : client_intIP/32[54093] pf_WAN/32[1701] proto=udp dir=in
Feb 24 14:51:12	racoon: INFO: Adjusting my encmode UDP-Transport->Transport
Feb 24 14:51:12	racoon: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
Feb 24 14:51:12	racoon: [Self]: INFO: IPsec-SA established: ESP pf_WAN[500]->client_pubIP[500] spi=45029298(0x2af17b2)
Feb 24 14:51:12	racoon: [Self]: INFO: IPsec-SA established: ESP pf_WAN[500]->client_pubIP[500] spi=118646864(0x7126850)
    • Mac OS try to reach the L2TP (mpd4) server using the pf_WAN IP address, through the IPSec tunnel
    • L2TP server respond to Mac using public_IP, but no through the IPSec tunnel

    Indeed, when I run tcpdump in pfSense on em0 (WAN interface) and port 1701, all I can see is:

    
14:56:30.996706 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
14:56:31.956424 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
14:56:31.992758 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
14:56:33.916780 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
14:56:33.992780 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
14:56:37.992833 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
14:56:38.016666 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
14:56:41.942886 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
14:56:45.992894 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
14:56:46.645184 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
14:56:49.892173 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB

    So, I guess there is an issue with my IPSec configuration, probably about the policy. But after made a lots of test, I'm not able to find the good configuration.

    Any help will be appreciated.

    IPSec/L2TP Configuration:

    
 <pfsense><ipsec><enable><client><enable><user_source>Local Database</user_source>
			<group_source>system</group_source></enable></client> 
		 <mobilekey><ident>client_PubIP</ident>
			<pre-shared-key>xxxxx</pre-shared-key></mobilekey> 
		 <phase1><ikeid>1</ikeid>
			<interface>wan</interface>
			 <mobile><mode>main</mode>
			<protocol>inet</protocol>
			<myid_type>myaddress</myid_type>
			 <myid_data><encryption-algorithm><name>aes</name>
				<keylen>256</keylen></encryption-algorithm> 
			<hash-algorithm>sha1</hash-algorithm>
			<dhgroup>2</dhgroup>
			<lifetime>86400</lifetime>
			<pre-shared-key>xxxxxx</pre-shared-key>
			 <private-key><certref><caref><authentication_method>pre_shared_key</authentication_method>
			<generate_policy>unique</generate_policy>
			<proposal_check>strict</proposal_check>

			<nat_traversal>force</nat_traversal>
			<dpd_delay>10</dpd_delay>
			<dpd_maxfail>5</dpd_maxfail></caref></certref></private-key></myid_data></mobile></phase1> 
		 <phase2><ikeid>1</ikeid>
			<mode>tunnel</mode>
			 <localid><type>wan</type></localid> 
			 <remoteid><type>mobile</type></remoteid> 
			<protocol>esp</protocol>
			 <encryption-algorithm-option><name>aes</name>
				<keylen>auto</keylen></encryption-algorithm-option> 
			<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
			<hash-algorithm-option>hmac_sha256</hash-algorithm-option>
			<pfsgroup>0</pfsgroup>
			<lifetime>3600</lifetime></phase2></enable></ipsec> 
	 <l2tp><radius></radius> 
		<remoteip>172.16.2.128</remoteip>
		<localip>172.16.2.1</localip>
		<l2tp_subnet>28</l2tp_subnet>
		<mode>server</mode>
		<interface>lan</interface>
		<n_l2tp_units>1</n_l2tp_units>
		 <secret><paporchap>chap</paporchap>
		 <user><name>asyd</name>
			 <ip><password>xxxxxxx</password></ip></user></secret></l2tp></pfsense>
    0
  • A

    I reply to myself.

    The issue with pfSense is the lack of control on how the SPD are generated. I succeeded to get my initial setup with a standard FreeBSD using ipsec-tools (aka Racoon 1) and MPD5.

    Just in case, don't loose your time trying to use raccoon 2, almost required options are not yet implemented.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy