Netgate Discussion Forum

    IPSec/L2TP for Mac OS X

    asyd

      Hello folks,

      Here is my first message, please don't be too rude with me! :)

      I'm trying to get an IPSec/L2TP VPN working with Mac OS X as the client.

      Here is an overview of my setup:

      Here is what happens:

      • Phases 1 and 2 are OK
      
      Feb 24 14:51:10	racoon: [Self]: INFO: respond new phase 1 negotiation: pf_WAN[500]<=>client_pubIP[23109]
      Feb 24 14:51:10	racoon: INFO: begin Identity Protection mode.
      Feb 24 14:51:10	racoon: INFO: received Vendor ID: RFC 3947
      Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
      Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
      Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
      Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
      Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
      Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
      Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Feb 24 14:51:10	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Feb 24 14:51:10	racoon: INFO: received Vendor ID: DPD
      Feb 24 14:51:10	racoon: [client_pubIP] INFO: Selected NAT-T version: RFC 3947
      Feb 24 14:51:11	racoon: [Self]: [pf_WAN] INFO: Hashing pf_WAN[500] with algo #2
      Feb 24 14:51:11	racoon: INFO: NAT-D payload #0 verified
      Feb 24 14:51:11	racoon: [client_pubIP] INFO: Hashing client_pubIP[23109] with algo #2
      Feb 24 14:51:11	racoon: INFO: NAT-D payload #1 doesn't match
      Feb 24 14:51:11	racoon: INFO: NAT detected: PEER
      Feb 24 14:51:11	racoon: [client_pubIP] INFO: Hashing client_pubIP[23109] with algo #2
      Feb 24 14:51:11	racoon: [Self]: [pf_WAN] INFO: Hashing pf_WAN[500] with algo #2
      Feb 24 14:51:11	racoon: INFO: Adding remote and local NAT-D payloads.
      Feb 24 14:51:12	racoon: [Self]: INFO: NAT-T: ports changed to: client_pubIP[20432]<->pf_WAN[4500]
      Feb 24 14:51:12	racoon: [Self]: INFO: KA list add: pf_WAN[4500]->client_pubIP[20432]
      Feb 24 14:51:12	racoon: [client_pubIP] INFO: received INITIAL-CONTACT
      Feb 24 14:51:12	racoon: [Self]: INFO: ISAKMP-SA established pf_WAN[4500]-client_pubIP[20432] spi:bcbef85b3a0a0887:a4e06de5868a4028
      Feb 24 14:51:12	racoon: [Self]: INFO: respond new phase 2 negotiation: pf_WAN[4500]<=>client_pubIP[20432]
      Feb 24 14:51:12	racoon: INFO: no policy found, try to generate the policy : client_intIP/32[54093] pf_WAN/32[1701] proto=udp dir=in
      Feb 24 14:51:12	racoon: INFO: Adjusting my encmode UDP-Transport->Transport
      Feb 24 14:51:12	racoon: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
      Feb 24 14:51:12	racoon: [Self]: INFO: IPsec-SA established: ESP pf_WAN[500]->client_pubIP[500] spi=45029298(0x2af17b2)
      Feb 24 14:51:12	racoon: [Self]: INFO: IPsec-SA established: ESP pf_WAN[500]->client_pubIP[500] spi=118646864(0x7126850)
      
      
      • Mac OS tries to reach the L2TP (mpd4) server using the pf_WAN IP address, through the IPSec tunnel
      • The L2TP server responds to the Mac using public_IP, but not through the IPSec tunnel

      Indeed, when I run tcpdump on pfSense on em0 (the WAN interface) and port 1701, all I can see is:

      
      14:56:30.996706 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
      14:56:31.956424 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
      14:56:31.992758 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
      14:56:33.916780 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
      14:56:33.992780 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
      14:56:37.992833 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
      14:56:38.016666 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
      14:56:41.942886 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
      14:56:45.992894 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
      14:56:46.645184 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
      14:56:49.892173 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
      
      

      So I guess there is an issue with my IPSec configuration, probably with the policy. But after making lots of tests, I'm not able to find the right configuration.

      Any help will be appreciated.

      IPSec/L2TP Configuration:

      
      <pfsense>
        <ipsec>
          <enable/>
          <client>
            <user_source>Local Database</user_source>
            <group_source>system</group_source>
          </client>
          <mobilekey>
            <ident>client_PubIP</ident>
            <pre-shared-key>xxxxx</pre-shared-key>
          </mobilekey>
          <phase1>
            <ikeid>1</ikeid>
            <interface>wan</interface>
            <mobile/>
            <mode>main</mode>
            <protocol>inet</protocol>
            <myid_type>myaddress</myid_type>
            <myid_data/>
            <encryption-algorithm>
              <name>aes</name>
              <keylen>256</keylen>
            </encryption-algorithm>
            <hash-algorithm>sha1</hash-algorithm>
            <dhgroup>2</dhgroup>
            <lifetime>86400</lifetime>
            <pre-shared-key>xxxxxx</pre-shared-key>
            <private-key/>
            <certref/>
            <caref/>
            <authentication_method>pre_shared_key</authentication_method>
            <generate_policy>unique</generate_policy>
            <proposal_check>strict</proposal_check>
            <nat_traversal>force</nat_traversal>
            <dpd_delay>10</dpd_delay>
            <dpd_maxfail>5</dpd_maxfail>
          </phase1>
          <phase2>
            <ikeid>1</ikeid>
            <mode>tunnel</mode>
            <localid><type>wan</type></localid>
            <remoteid><type>mobile</type></remoteid>
            <protocol>esp</protocol>
            <encryption-algorithm-option>
              <name>aes</name>
              <keylen>auto</keylen>
            </encryption-algorithm-option>
            <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
            <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
            <pfsgroup>0</pfsgroup>
            <lifetime>3600</lifetime>
          </phase2>
        </ipsec>
        <l2tp>
          <radius/>
          <remoteip>172.16.2.128</remoteip>
          <localip>172.16.2.1</localip>
          <l2tp_subnet>28</l2tp_subnet>
          <mode>server</mode>
          <interface>lan</interface>
          <n_l2tp_units>1</n_l2tp_units>
          <secret/>
          <paporchap>chap</paporchap>
          <user>
            <name>asyd</name>
            <ip/>
            <password>xxxxxxx</password>
          </user>
        </l2tp>
      </pfsense>
      
      
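As an added defender-side check (not from the original post or from pfSense), the script below reads the racoon log and the WAN tcpdump quoted above, extracts the SPD selector racoon generated together with its mirrored "out" direction, and reports every L2TP flow that tcpdump decoded in cleartext on the WAN (an ESP-protected reply would not decode as l2tp there), naming the endpoint the generated policy expected instead. Host names and ports are the post's own placeholders; the sample lines are constructed from the post.

```python
import re

# Constructed sample input, modelled on the racoon log and tcpdump output in the post.
RACOON_LOG = """\
Feb 24 14:51:12\tracoon: INFO: no policy found, try to generate the policy : client_intIP/32[54093] pf_WAN/32[1701] proto=udp dir=in
Feb 24 14:51:12\tracoon: [Self]: INFO: IPsec-SA established: ESP pf_WAN[500]->client_pubIP[500] spi=45029298(0x2af17b2)
"""
TCPDUMP_WAN = """\
14:56:30.996706 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
14:56:31.956424 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
"""

# "generate the policy : SRC/PREFIX[PORT] DST/PREFIX[PORT] proto=P dir=D"
POLICY_RE = re.compile(
    r"generate the policy : (?P<src>\S+)/\d+\[(?P<sport>\d+)\] "
    r"(?P<dst>\S+)/\d+\[(?P<dport>\d+)\] proto=(?P<proto>\w+) dir=(?P<dir>\w+)")
# tcpdump line for a packet decoded as L2TP: "IP SRC.PORT > DST.PORT:  l2tp:..."
L2TP_RE = re.compile(r"IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):\s+l2tp")


def generated_policies(log: str) -> list:
    """SPD entries racoon reports generating, each followed by the mirrored
    entry for the reverse direction (generate_policy installs both)."""
    policies = []
    for m in POLICY_RE.finditer(log):
        p = m.groupdict()
        policies.append(p)
        policies.append({"src": p["dst"], "sport": p["dport"], "dst": p["src"],
                         "dport": p["sport"], "proto": p["proto"],
                         "dir": "out" if p["dir"] == "in" else "in"})
    return policies


def audit(log: str, capture: str) -> list:
    """One finding per distinct cleartext L2TP flow seen on the WAN, stating
    which peer endpoint the generated 'out' policy expected for that source."""
    outs = [p for p in generated_policies(log) if p["dir"] == "out"]
    findings, seen = [], set()
    for m in L2TP_RE.finditer(capture):
        pkt = m.groupdict()
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if flow in seen:
            continue
        seen.add(flow)
        expected = [p for p in outs if p["src"] == pkt["src"] and p["sport"] == pkt["sport"]]
        want = ", ".join(f'{p["dst"]}:{p["dport"]}' for p in expected) or "none"
        findings.append(f'cleartext L2TP {pkt["src"]}:{pkt["sport"]} -> {pkt["dst"]}:{pkt["dport"]} '
                        f'on WAN; generated out policy expects {want}')
    return findings


if __name__ == "__main__":
    for line in audit(RACOON_LOG, TCPDUMP_WAN):
        print(line)
```

On the post's data this reports a single flow whose reply goes to client_pubIP:50075 while the policy racoon built from the client's pre-NAT identity expects client_intIP:54093, which is why the SCCRP never enters the tunnel.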
      asyd

        I reply to myself.

        The issue with pfSense is the lack of control over how the SPDs are generated. I succeeded in getting my initial setup working with a standard FreeBSD using ipsec-tools (aka Racoon 1) and MPD5.

        Just in case: don't waste your time trying to use Racoon 2, almost all the required options are not yet implemented.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.