IPSec/L2TP for Mac OS X
-
Hello folks,
Here is my first message, please don't be too rude with me! :)
I'm trying to get an IPSec/L2TP VPN working with Mac OS X as the client.
Here is an overview of my setup:
Here is what happens:
- Phases 1 and 2 are OK
Feb 24 14:51:10 racoon: [Self]: INFO: respond new phase 1 negotiation: pf_WAN[500]<=>client_pubIP[23109]
Feb 24 14:51:10 racoon: INFO: begin Identity Protection mode.
Feb 24 14:51:10 racoon: INFO: received Vendor ID: RFC 3947
Feb 24 14:51:10 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Feb 24 14:51:10 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Feb 24 14:51:10 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Feb 24 14:51:10 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Feb 24 14:51:10 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Feb 24 14:51:10 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Feb 24 14:51:10 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 24 14:51:10 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 24 14:51:10 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 24 14:51:10 racoon: INFO: received Vendor ID: DPD
Feb 24 14:51:10 racoon: [client_pubIP] INFO: Selected NAT-T version: RFC 3947
Feb 24 14:51:11 racoon: [Self]: [pf_WAN] INFO: Hashing pf_WAN[500] with algo #2
Feb 24 14:51:11 racoon: INFO: NAT-D payload #0 verified
Feb 24 14:51:11 racoon: [client_pubIP] INFO: Hashing client_pubIP[23109] with algo #2
Feb 24 14:51:11 racoon: INFO: NAT-D payload #1 doesn't match
Feb 24 14:51:11 racoon: INFO: NAT detected: PEER
Feb 24 14:51:11 racoon: [client_pubIP] INFO: Hashing client_pubIP[23109] with algo #2
Feb 24 14:51:11 racoon: [Self]: [pf_WAN] INFO: Hashing pf_WAN[500] with algo #2
Feb 24 14:51:11 racoon: INFO: Adding remote and local NAT-D payloads.
Feb 24 14:51:12 racoon: [Self]: INFO: NAT-T: ports changed to: client_pubIP[20432]<->pf_WAN[4500]
Feb 24 14:51:12 racoon: [Self]: INFO: KA list add: pf_WAN[4500]->client_pubIP[20432]
Feb 24 14:51:12 racoon: [client_pubIP] INFO: received INITIAL-CONTACT
Feb 24 14:51:12 racoon: [Self]: INFO: ISAKMP-SA established pf_WAN[4500]-client_pubIP[20432] spi:bcbef85b3a0a0887:a4e06de5868a4028
Feb 24 14:51:12 racoon: [Self]: INFO: respond new phase 2 negotiation: pf_WAN[4500]<=>client_pubIP[20432]
Feb 24 14:51:12 racoon: INFO: no policy found, try to generate the policy : client_intIP/32[54093] pf_WAN/32[1701] proto=udp dir=in
Feb 24 14:51:12 racoon: INFO: Adjusting my encmode UDP-Transport->Transport
Feb 24 14:51:12 racoon: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
Feb 24 14:51:12 racoon: [Self]: INFO: IPsec-SA established: ESP pf_WAN[500]->client_pubIP[500] spi=45029298(0x2af17b2)
Feb 24 14:51:12 racoon: [Self]: INFO: IPsec-SA established: ESP pf_WAN[500]->client_pubIP[500] spi=118646864(0x7126850)
- Mac OS tries to reach the L2TP (mpd4) server using the pf_WAN IP address, through the IPSec tunnel
- The L2TP server responds to the Mac using the public IP, but not through the IPSec tunnel
Indeed, when I run tcpdump on pfSense on em0 (the WAN interface) for port 1701, all I can see is:
14:56:30.996706 IP pf_WAN.1701 > client_pubIP.50075: l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
14:56:31.956424 IP pf_WAN.1701 > client_pubIP.50075: l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
14:56:31.992758 IP pf_WAN.1701 > client_pubIP.50075: l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
14:56:33.916780 IP pf_WAN.1701 > client_pubIP.50075: l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
14:56:33.992780 IP pf_WAN.1701 > client_pubIP.50075: l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
14:56:37.992833 IP pf_WAN.1701 > client_pubIP.50075: l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
14:56:38.016666 IP pf_WAN.1701 > client_pubIP.50075: l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
14:56:41.942886 IP pf_WAN.1701 > client_pubIP.50075: l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
14:56:45.992894 IP pf_WAN.1701 > client_pubIP.50075: l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
14:56:46.645184 IP pf_WAN.1701 > client_pubIP.50075: l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
14:56:49.892173 IP pf_WAN.1701 > client_pubIP.50075: l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
So I guess there is an issue with my IPSec configuration, probably with the policy. But after a lot of tests, I'm not able to find the right configuration.
Any help will be appreciated.
IPSec/L2TP Configuration:
<pfsense>
  <ipsec>
    <enable/>
    <client>
      <enable/>
      <user_source>Local Database</user_source>
      <group_source>system</group_source>
    </client>
    <mobilekey>
      <ident>client_PubIP</ident>
      <pre-shared-key>xxxxx</pre-shared-key>
    </mobilekey>
    <phase1>
      <ikeid>1</ikeid>
      <interface>wan</interface>
      <mobile/>
      <mode>main</mode>
      <protocol>inet</protocol>
      <myid_type>myaddress</myid_type>
      <myid_data/>
      <encryption-algorithm>
        <name>aes</name>
        <keylen>256</keylen>
      </encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime>86400</lifetime>
      <pre-shared-key>xxxxxx</pre-shared-key>
      <private-key/>
      <certref/>
      <caref/>
      <authentication_method>pre_shared_key</authentication_method>
      <generate_policy>unique</generate_policy>
      <proposal_check>strict</proposal_check>
      <nat_traversal>force</nat_traversal>
      <dpd_delay>10</dpd_delay>
      <dpd_maxfail>5</dpd_maxfail>
    </phase1>
    <phase2>
      <ikeid>1</ikeid>
      <mode>tunnel</mode>
      <localid>
        <type>wan</type>
      </localid>
      <remoteid>
        <type>mobile</type>
      </remoteid>
      <protocol>esp</protocol>
      <encryption-algorithm-option>
        <name>aes</name>
        <keylen>auto</keylen>
      </encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
      <pfsgroup>0</pfsgroup>
      <lifetime>3600</lifetime>
    </phase2>
  </ipsec>
  <l2tp>
    <radius/>
    <remoteip>172.16.2.128</remoteip>
    <localip>172.16.2.1</localip>
    <l2tp_subnet>28</l2tp_subnet>
    <mode>server</mode>
    <interface>lan</interface>
    <n_l2tp_units>1</n_l2tp_units>
    <secret/>
    <paporchap>chap</paporchap>
    <user>
      <name>asyd</name>
      <ip/>
      <password>xxxxxxx</password>
    </user>
  </l2tp>
</pfsense>
-
I'm replying to myself.
The issue with pfSense is the lack of control over how the SPDs are generated. I succeeded in getting my initial setup working on a standard FreeBSD with ipsec-tools (aka Racoon 1) and MPD5.
Just in case: don't waste your time trying to use Racoon 2, almost all the required options are not yet implemented.
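The symptom in the first post (an SPD entry generated for one client address while the L2TP replies on the WAN go to another, in the clear) and the remedy in the second (a static SPD that you control) can be checked mechanically. The following is an added example in Python; it is not code from the thread, from pfSense or from ipsec-tools. It parses racoon's phase 2 lines and the tcpdump output quoted above, both constructed here from the post's own lines with its placeholders (pf_WAN, client_pubIP, client_intIP) kept in place of real addresses, reports every cleartext L2TP flow that no generated policy covers, and prints the kind of static setkey(8) policy that makes the kernel drop such a reply instead of leaking it. The assumption that racoon installs the mirror-image outbound policy for a generated inbound one, and the `static_spd` lines themselves, are the usual ipsec-tools pattern and not the exact configuration the author ended up with.

```python
"""Find L2TP control traffic that leaves the WAN in the clear because no
IPsec policy (SPD entry) covers it.

Added example, not code from the original thread, pfSense or ipsec-tools.
The racoon and tcpdump samples are constructed from the lines quoted in the
thread and keep its placeholders (pf_WAN, client_pubIP, client_intIP).
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: racoon phase 2 lines from the first post.
RACOON_LOG = """\
Feb 24 14:51:12 racoon: INFO: no policy found, try to generate the policy : client_intIP/32[54093] pf_WAN/32[1701] proto=udp dir=in
Feb 24 14:51:12 racoon: INFO: Adjusting my encmode UDP-Transport->Transport
Feb 24 14:51:12 racoon: [Self]: INFO: IPsec-SA established: ESP pf_WAN[500]->client_pubIP[500] spi=45029298(0x2af17b2)
"""

# Constructed sample: tcpdump on em0 (WAN) filtered on port 1701.  A capture
# on that filter only shows plain UDP/1701, never ESP-encapsulated L2TP, so
# every line here is a packet that bypassed IPsec.
TCPDUMP_WAN_1701 = """\
14:56:30.996706 IP pf_WAN.1701 > client_pubIP.50075: l2tp:[TLS](81/0)Ns=0,Nr=0 *MSGTYPE(SCCRP) *HOST_NAME(pfsense.opencsi.com) |...
14:56:31.956424 IP pf_WAN.1701 > client_pubIP.50075: l2tp:[TLS](81/0)Ns=1,Nr=1 ZLB
"""


@dataclass(frozen=True)
class Policy:
    src: str
    sport: str
    dst: str
    dport: str
    proto: str
    direction: str


@dataclass(frozen=True)
class Flow:
    src: str
    sport: str
    dst: str
    dport: str


POLICY_RE = re.compile(
    r"generate the policy : (?P<src>\S+?)/\d+\[(?P<sport>\w+)\] "
    r"(?P<dst>\S+?)/\d+\[(?P<dport>\w+)\] proto=(?P<proto>\w+) dir=(?P<dir>\w+)"
)
L2TP_RE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): l2tp"
)


def parse_policies(log: str) -> List[Policy]:
    """Extract the SPD entries racoon reports generating (generate_policy)."""
    return [Policy(m["src"], m["sport"], m["dst"], m["dport"], m["proto"], m["dir"])
            for m in POLICY_RE.finditer(log)]


def parse_l2tp_flows(dump: str) -> List[Flow]:
    """Unique cleartext L2TP 4-tuples seen on the WAN capture."""
    flows: List[Flow] = []
    for line in dump.splitlines():
        m = L2TP_RE.match(line)
        if m:
            f = Flow(m["src"], m["sport"], m["dst"], m["dport"])
            if f not in flows:
                flows.append(f)
    return flows


def covers(p: Policy, f: Flow) -> bool:
    """True if policy p selects flow f.  Assumed here: racoon installs a
    generated 'in' policy together with its mirror-image 'out' policy, so an
    'in' entry is matched against the reversed flow."""
    src, sport, dst, dport = p.src, p.sport, p.dst, p.dport
    if p.direction == "in":
        src, sport, dst, dport = dst, dport, src, sport
    return (src == f.src and dst == f.dst
            and sport in ("any", f.sport) and dport in ("any", f.dport))


def find_uncovered(policies: List[Policy], flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Cleartext flows that no policy covers, with the peer addresses the
    policies actually name so the mismatch is visible at a glance."""
    peers = sorted({p.src if p.direction == "in" else p.dst for p in policies})
    return [
        (f, f"cleartext L2TP {f.src}:{f.sport} -> {f.dst}:{f.dport} matches no SPD entry; "
            f"generated policies only name peer(s): {', '.join(peers) or 'none'}")
        for f in flows if not any(covers(p, f) for p in policies)
    ]


def static_spd(server_ip: str, port: str = "1701") -> List[str]:
    """setkey(8) spdadd lines for a static policy that requires ESP transport
    mode on the L2TP port in both directions.  With level 'require' the kernel
    drops a reply it cannot protect instead of sending it in the clear.  This
    is the usual ipsec-tools pattern for an L2TP/IPsec responder, assumed here;
    the thread does not show the exact SPD its author ended up with."""
    return [
        f"spdadd 0.0.0.0/0[any] {server_ip}/32[{port}] udp -P in ipsec esp/transport//require;",
        f"spdadd {server_ip}/32[{port}] 0.0.0.0/0[any] udp -P out ipsec esp/transport//require;",
    ]


if __name__ == "__main__":
    policies = parse_policies(RACOON_LOG)
    for flow, why in find_uncovered(policies, parse_l2tp_flows(TCPDUMP_WAN_1701)):
        print(why)
    print("\n".join(static_spd("pf_WAN")))
```

Run against the thread's own lines it reports the SCCRP replies to client_pubIP:50075 as uncovered, because the only policy racoon generated names client_intIP (the address the NATed Mac presented in phase 2). The `static_spd` output is what you would feed to `setkey -c` on the FreeBSD box from the second post; the point of the `require` level is that a reply which cannot be matched to an SA is dropped rather than sent on the WAN in the clear, which is the failure mode the tcpdump shows.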