Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSec/L2TP for Mac OS X

    Scheduled Pinned Locked Moved IPsec
    2 Posts 1 Posters 2.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      asyd
      last edited by

      Hello folks,

      here my first message, please don't be too rude with me! :)

      I'm trying to get IPSec/L2TP VPN working with as a Mac OS X as client.

      Here a part an overview of my setup:

      Here what happens:

      • Phase 1, 2 are ok
      
Feb 24 14:51:10	racoon: [Self]: INFO: respond new phase 1 negotiation: pf_WAN[500]<=>client_pubIP[23109]
Feb 24 14:51:10	racoon: INFO: begin Identity Protection mode.
Feb 24 14:51:10	racoon: INFO: received Vendor ID: RFC 3947
Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 24 14:51:10	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 24 14:51:10	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 24 14:51:10	racoon: INFO: received Vendor ID: DPD
Feb 24 14:51:10	racoon: [client_pubIP] INFO: Selected NAT-T version: RFC 3947
Feb 24 14:51:11	racoon: [Self]: [pf_WAN] INFO: Hashing pf_WAN[500] with algo #2
Feb 24 14:51:11	racoon: INFO: NAT-D payload #0 verified
Feb 24 14:51:11	racoon: [client_pubIP] INFO: Hashing client_pubIP[23109] with algo #2
Feb 24 14:51:11	racoon: INFO: NAT-D payload #1 doesn't match
Feb 24 14:51:11	racoon: INFO: NAT detected: PEER
Feb 24 14:51:11	racoon: [client_pubIP] INFO: Hashing client_pubIP[23109] with algo #2
Feb 24 14:51:11	racoon: [Self]: [pf_WAN] INFO: Hashing pf_WAN[500] with algo #2
Feb 24 14:51:11	racoon: INFO: Adding remote and local NAT-D payloads.
Feb 24 14:51:12	racoon: [Self]: INFO: NAT-T: ports changed to: client_pubIP[20432]<->pf_WAN[4500]
Feb 24 14:51:12	racoon: [Self]: INFO: KA list add: pf_WAN[4500]->client_pubIP[20432]
Feb 24 14:51:12	racoon: [client_pubIP] INFO: received INITIAL-CONTACT
Feb 24 14:51:12	racoon: [Self]: INFO: ISAKMP-SA established pf_WAN[4500]-client_pubIP[20432] spi:bcbef85b3a0a0887:a4e06de5868a4028
Feb 24 14:51:12	racoon: [Self]: INFO: respond new phase 2 negotiation: pf_WAN[4500]<=>client_pubIP[20432]
Feb 24 14:51:12	racoon: INFO: no policy found, try to generate the policy : client_intIP/32[54093] pf_WAN/32[1701] proto=udp dir=in
Feb 24 14:51:12	racoon: INFO: Adjusting my encmode UDP-Transport->Transport
Feb 24 14:51:12	racoon: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
Feb 24 14:51:12	racoon: [Self]: INFO: IPsec-SA established: ESP pf_WAN[500]->client_pubIP[500] spi=45029298(0x2af17b2)
Feb 24 14:51:12	racoon: [Self]: INFO: IPsec-SA established: ESP pf_WAN[500]->client_pubIP[500] spi=118646864(0x7126850)
      • Mac OS try to reach the L2TP (mpd4) server using the pf_WAN IP address, through the IPSec tunnel
      • L2TP server respond to Mac using public_IP, but no through the IPSec tunnel

      Indeed, when I run tcpdump in pfSense on em0 (WAN interface) and port 1701, all I can see is:

      
14:56:30.996706 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
14:56:31.956424 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
14:56:31.992758 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
14:56:33.916780 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
14:56:33.992780 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
14:56:37.992833 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
14:56:38.016666 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
14:56:41.942886 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
14:56:45.992894 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
14:56:46.645184 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
14:56:49.892173 IP pf_WAN.1701 > client_pubIP.50075:  l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB

      So, I guess there is an issue with my IPSec configuration, probably about the policy. But after made a lots of test, I'm not able to find the good configuration.

      Any help will be appreciated.

      IPSec/L2TP Configuration:

      
 <pfsense><ipsec><enable><client><enable><user_source>Local Database</user_source>
			<group_source>system</group_source></enable></client> 
		 <mobilekey><ident>client_PubIP</ident>
			<pre-shared-key>xxxxx</pre-shared-key></mobilekey> 
		 <phase1><ikeid>1</ikeid>
			<interface>wan</interface>
			 <mobile><mode>main</mode>
			<protocol>inet</protocol>
			<myid_type>myaddress</myid_type>
			 <myid_data><encryption-algorithm><name>aes</name>
				<keylen>256</keylen></encryption-algorithm> 
			<hash-algorithm>sha1</hash-algorithm>
			<dhgroup>2</dhgroup>
			<lifetime>86400</lifetime>
			<pre-shared-key>xxxxxx</pre-shared-key>
			 <private-key><certref><caref><authentication_method>pre_shared_key</authentication_method>
			<generate_policy>unique</generate_policy>
			<proposal_check>strict</proposal_check>

			<nat_traversal>force</nat_traversal>
			<dpd_delay>10</dpd_delay>
			<dpd_maxfail>5</dpd_maxfail></caref></certref></private-key></myid_data></mobile></phase1> 
		 <phase2><ikeid>1</ikeid>
			<mode>tunnel</mode>
			 <localid><type>wan</type></localid> 
			 <remoteid><type>mobile</type></remoteid> 
			<protocol>esp</protocol>
			 <encryption-algorithm-option><name>aes</name>
				<keylen>auto</keylen></encryption-algorithm-option> 
			<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
			<hash-algorithm-option>hmac_sha256</hash-algorithm-option>
			<pfsgroup>0</pfsgroup>
			<lifetime>3600</lifetime></phase2></enable></ipsec> 
	 <l2tp><radius></radius> 
		<remoteip>172.16.2.128</remoteip>
		<localip>172.16.2.1</localip>
		<l2tp_subnet>28</l2tp_subnet>
		<mode>server</mode>
		<interface>lan</interface>
		<n_l2tp_units>1</n_l2tp_units>
		 <secret><paporchap>chap</paporchap>
		 <user><name>asyd</name>
			 <ip><password>xxxxxxx</password></ip></user></secret></l2tp></pfsense>
      1 Reply Last reply Reply Quote 0
      • A
        asyd
        last edited by

        I reply to myself.

        The issue with pfSense is the lack of control on how the SPD are generated. I succeeded to get my initial setup with a standard FreeBSD using ipsec-tools (aka Racoon 1) and MPD5.

        Just in case, don't loose your time trying to use raccoon 2, almost required options are not yet implemented.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.