IPSec/L2TP with pfSense 2.2
-
I hope this doesn't get too messy, as there are people here who get a L2TP connection but can't communicate with local clients while others (like me) get an IPSec connection but no L2TP connection.
On that Note, I noticed something "weird looking" in the L2TP Raw Logs:
Feb 22 17:22:11 l2tps: process 34657 started, version 4.4.1 (root@pfsense-22-amd64-builder 12:58 18-Nov-2014) Feb 22 17:22:11 l2tps: Label 'startup' not found Feb 22 17:22:11 l2tps: [l2tp0] using interface l2tp0 Feb 22 17:22:11 l2tps: L2TP: waiting for connection on 0.0.0.0 1701
Is this "correct" behavior?
-
I am having the same issue across the board with getting ipsec going. I followed this to the letter:
https://doc.pfsense.org/index.php/L2TP/IPsecbut still cant get a tunnel established. The closest i get is possibly the ipsec tunnel being established but no l2tp.
machines tested:
windows 2008 server, android 5.0.1, android 4.4.4
any help would be appreciated as i have been trying to get this going for about a week now.
-
Any updates on this? did anyone find a solution or will this issue be addressed in a future update?
EDIT: More weird stuff.. after experimenting with IKEv2 n other VPN settings, AES doesn't work as encryption method for Phase 1 IPsec anymore, only 3DES does, and I'm very confident that it did beforehand…
-
https://doc.pfsense.org/index.php/L2TP/IPsec
I just fallowed this and did a little different configuration. Now it works on my iPhone/iPad and my MacbookAir(Yosemite 10.10.1).
In Phase 1, iOS only support DH group 2, not 14.
If i change the DH group to 14 (MODP_2048), I'll receive a mismatch error in logs.Mar 3 09:49:39 charon: 10[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024 Mar 3 09:49:39 charon: 10[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
So it shows the iOS/OSX supports AES(128/256) or 3DES with DH group 2 in Phase 1.
If a Windows 2008 R2 client connects , the log shows this:
Mar 3 10:17:54 charon: 13[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
It shows the Windows client support AES256 with DH group 14 or 3DES with DH group 2/14. The hash algorithmnly only support SHA1.
An Android 4.1.1 client connects the log is like this:
Mar 3 10:23:47 charon: 08[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
The Android client supports AES(128/256)/3DES/DES , with DH group 2.
At last I configured the Phase 1 use 3DES, SHA1, DH group 2, it works for iOS/Android/MacOS X/Windows. It's less security but that's enough for me.
If your iPhone can connect but you can't access any website, just fallow that guide add a floating firewall rule. It'll works.
But now if the Android and Windows connects, in Status>IPsec it shows a client connected and established a IPsec tunnel, but about half minute the client shows connect failed. And there's no L2TP logs.
Then I tried a Windows client with public IPv4 address, it connected successful.
It seems Android and Windows can't dial L2TP behind NAT now.
Hope someone will find a fix for this. -
Hi
I found a potential fix for the Windows clients here: http://support.microsoft.com/kb/926179 I used the number "2" setting, and rebooted my Win 8.1 client, the reg hack changes the NAT-T behavior.
However, I can't test it because like many others here in this post, I cannot get any activity on the L2TP server. IPsec connects fine but then nothing. I am following the guide and have quintuple checked the settings. There must be a rule (NAT-T?) that needs to go somewhere to allow UDP 1701 traffic to go some where. Is there an architecture diagram somewhere so I can understand the rule set flow from WAN to IPsec to L2TP VPN when NAT-T is invoked? I feel very close to a solution for Windows behind NAT. TIA.
If you want to you can cut and paste this into a .reg file and then import (Win7-8.1 only):
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002
-
Having not being able to get what I need from a VPN using the instructions for MSCHAPv2, I decided to go back to attempting a L2TP/IPsec VPN.
Using various suggestions found in this thread, I am able to successfully establish a connection using iOS 8x.
I have 2 problems now
Problem #1
I am unable to access anything both inside my network or out outside (internet). Attempting communications to any network device via IP or DNS fails. And, simply attempting to browse to something like google.com, also fails.
I have checked and rechecked my floating FW rules they're all good.
I have checked and rechecked my FW rules for IPsec & L2TP interfaces, also, all good.Packet capture reveals nothing (admittedly, I may not be doing this part correctly)
Problem #2
The settings I had to use to get the iOS devices connected do not allow Windows 7/8.1 devices to connect at all. Which doesn't mean much since I can't get them to connect no matter what the Phase 1&2 settings are.
I have also checked and rechecked my settings on the Win clients, all are good.
I, as well as many others, I'm sure, were waiting for 2.2 so that we could have L2TP/IPsec VPN. It's a shame so many seem to not be able to get it to work.
Because of some of the VPN clients I need to support, OpenVPN isn't an option.
-
Just to toss the salad some here:
My issues are as follows:
I've set up IPSec With IKE and it Works like a charm on my mobile phone. I can Access internal web-servers and such, when i'm Connected and the internet is provided from 4G.
What I cant get to work is my Laptop With VPN Connect software from Shrew Soft. The Client Connects, I get the welcome Message, but I can't Access local servers. This happens when the Laptop is Connected to my mobile phone on Wi-Fi hotspot With shared internet over 4G.
-
I've set up IPSec With IKE and it Works like a charm on my mobile phone. I can Access internal web-servers and such, when i'm Connected and the internet is provided from 4G
Can you provide your config?
-
Hi ….
I too am struggling with L2TP/IPSEC setup. I have followed this doc https://doc.pfsense.org/index.php/L2TP/IPsec and it appears that IPSEC is negotiating but I am seeing the message "L2TP: connect: Address already in use" in l2tps.log - can anyone help with diagnosing or fixing??
Log extracts here :
IPSEC.LOG
charon: 08[IKE] <2049> received NAT-T (RFC 3947) vendor ID
charon: 08[IKE] received NAT-T (RFC 3947) vendor ID
charon: 08[IKE] <2049> received draft-ietf-ipsec-nat-t-ike vendor ID
charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
charon: 08[IKE] <2049> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
charon: 08[IKE] <2049> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
charon: 08[IKE] <2049> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
charon: 08[IKE] <2049> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
charon: 08[IKE] <2049> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
charon: 08[IKE] <2049> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
charon: 08[IKE] <2049> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
charon: 08[IKE] <2049> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
charon: 08[IKE] <2049> received FRAGMENTATION vendor ID
charon: 08[IKE] received FRAGMENTATION vendor ID
charon: 08[IKE] <2049> received DPD vendor ID
charon: 08[IKE] received DPD vendor ID
charon: 08[IKE] <2049> aa.aa.aa.aaa is initiating a Main Mode IKE_SA
charon: 08[IKE] aa.aa.aa.aaa is initiating a Main Mode IKE_SA
charon: 08[IKE] <2049> remote host is behind NAT
charon: 08[IKE] remote host is behind NAT
charon: 08[CFG] <2049> looking for pre-shared key peer configs matching bb.bb.bb.bb…aa.aa.aa.aaa[192.168.44.96]
charon: 08[CFG] looking for pre-shared key peer configs matching bb.bb.bb.bb…aa.aa.aa.aaa[192.168.44.96]
charon: 08[CFG] <2049> selected peer config "con15"
charon: 08[CFG] selected peer config "con15"
charon: 08[IKE] <con15|2049>IKE_SA con15[2049] established between bb.bb.bb.bb[bb.bb.bb.bb]…aa.aa.aa.aaa[192.168.44.96]
charon: 08[IKE] IKE_SA con15[2049] established between bb.bb.bb.bb[bb.bb.bb.bb]…aa.aa.aa.aaa[192.168.44.96]
charon: 08[IKE] <con15|2049>scheduling reauthentication in 28003s
charon: 08[IKE] scheduling reauthentication in 28003s
charon: 08[IKE] <con15|2049>maximum IKE_SA lifetime 28543s
charon: 08[IKE] maximum IKE_SA lifetime 28543s
charon: 16[IKE] <con15|2049>CHILD_SA con15{35} established with SPIs cda22b5e_i 0ae4a0dc_o and TS bb.bb.bb.bb/32|/0[udp/l2f] === aa.aa.aa.aaa/32|/0[udp/56000]
charon: 16[IKE] CHILD_SA con15{35} established with SPIs cda22b5e_i 0ae4a0dc_o and TS bb.bb.bb.bb/32|/0[udp/l2f] === aa.aa.aa.aaa/32|/0[udp/56000]L2TPS.LOG
4slgbmernfw01 l2tps: Incoming L2TP packet from aa.aa.aa.aaa 56000
4slgbmernfw01 l2tps: Incoming L2TP packet from aa.aa.aa.aaa 56000
4slgbmernfw01 l2tps: L2TP: connect: Address already in use
4slgbmernfw01 l2tps: Incoming L2TP packet from aa.aa.aa.aaa 56000
4slgbmernfw01 l2tps: L2TP: connect: Address already in use
4slgbmernfw01 l2tps: Incoming L2TP packet from aa.aa.aa.aaa 56000
4slgbmernfw01 l2tps: L2TP: connect: Address already in use
4slgbmernfw01 l2tps: Incoming L2TP packet from aa.aa.aa.aaa 56000
4slgbmernfw01 l2tps: L2TP: connect: Address already in use
4slgbmernfw01 l2tps: Incoming L2TP packet from aa.aa.aa.aaa 56000
4slgbmernfw01 l2tps: L2TP: connect: Address already in use
4slgbmernfw01 l2tps: Incoming L2TP packet from aa.aa.aa.aaa 56000
4slgbmernfw01 l2tps: L2TP: connect: Address already in use
4slgbmernfw01 l2tps: L2TP: Control connection 0x803456308 terminated: 6 (expecting reply; none received)
4slgbmernfw01 l2tps: L2TP: Control connection 0x803456308 destroyed</con15|2049></con15|2049></con15|2049></con15|2049> -
I've set up IPSec With IKE and it Works like a charm on my mobile phone. I can Access internal web-servers and such, when i'm Connected and the internet is provided from 4G
Can you provide your config?
Since I posted this, the setup stopped working. Not sure why, but it might have something to do With recent packageinstallations, although it shouldn't.
Below are Attached images of my setup. I set this up after a guide I found on this forum. Mobile Phones tend to use IKEv1, so if you are using mobile Phones and Laptops, use Auto on Version. With this IKEv2 should be available too.
Not sure if you need to allow certain ports on the WAN Interface to allow (like port 500 and 4500), but I have added those just to be sure.
I also set a rule that allows all IPSec network Clients to my LAN.
Once Connected I could Reach my local web-servers With the local IPs without any issues.
-
hello,
With the new release 2.2.1 someone could establish one l2tp/ipsec connection with windows 7 / 8 native client?
-
I'm seeing the same behavior on 2.2.1, which is IPSec connecting, but no L2TP activity ie. "l2tps: L2TP: connect: Address already in use" messages in the VPN log.
-
I am seeing the same behavior as well. I am running 2.2.1 on several customer firewalls. I have configured IPSec/L2TP per JimP's instructions. My clients are a Windows 7 box nat'd behind another pfSense 2.2.1 box, and an android device, either connected to 4G (nat'd by VZW) or wifi behind the same pfSense box. The IPSec portion connects and establishes an SA, but I never see anything show up in the L2TP log.
I have added rules on the WAN side to allow traffic from * to UDP 500, 4500 and 1701. I have added a rule to allow traffic from IPSec to any. -
Same issue here with the L2TP / IPsec VPN, sigh. PPTP and OpenVPN both work flawless.
-
Spent the last 3 days trying to get IPSec/L2TP on pfSense get working with no success.
Correctly followed this instructions, and some others, but got the same issue – clean logs on L2TP log tab, but IPsec tunnel seems to be working (no error in IPSec log tab).I hope the community will find a solution to the problem, I REALLY need VPN working without third party apps and I don't want to use OpenVPN for the enterprise right now (not my decision).
Same issue here with the L2TP / IPsec VPN, sigh. PPTP and OpenVPN both work flawless.
PPTP works, but, unfortunately, only for one connection (on pfSense 2.2.1 x64). More than one connection not working.
-
Not to hijack the topic, but PPTP can be made to work for multiple people if you have multiple public IPs (or ISPs).
Back to L2TP/IPSec, I tried by plugging my windows box directly into my cable modem, there by getting a public IP. Still no luck. IPSec SA would come up, but no L2TP traffic.
I enabled logging on my rules that pass traffic on the WAN interface. I saw where the rules would pass traffic on UDP 500, 1500 and 1701.
I'm almost to the point of dropping $400 to have the Electric Sheep Fencers take a look. -
I can't seem to make it work either.
Is there a pointer to an up to date walkthrough about setting up L2TP/IPSEC passthrough to an internal windows server? I have a couple machines that should work fine for this until this is all worked out with pfsense.
-
I don't think IPsec / L2TP is currently working with 2.2.1
-
I don't think L2TP/IPsec is broken under 2.2.1, but things isn't working here too.
I've followed the guides, but when I try to connect it hangs with those messages on IPsec log:
Mar 22 05:26:11 charon: 10[NET] sending packet: from 179.210.144.237[500] to 191.247.226.162[56312] (180 bytes) Mar 22 05:26:12 charon: 10[NET] received packet: from 191.247.226.162[56312] to 179.210.144.237[500] (228 bytes) Mar 22 05:26:12 charon: 10[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ] Mar 22 05:26:12 charon: 10[IKE] <12> remote host is behind NAT Mar 22 05:26:12 charon: 10[IKE] remote host is behind NAT Mar 22 05:26:12 charon: 10[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ] Mar 22 05:26:12 charon: 10[NET] sending packet: from 179.210.144.237[500] to 191.247.226.162[56312] (244 bytes) Mar 22 05:26:41 charon: 10[JOB] deleting half open IKE_SA after timeout
It's really strange, since I can connect using the local IP address, but when I came from WAN this thing happens.
All the firewall rules are to "allow everything".
-
Hi all,
I'm also experiencing an issue with setting up L2TP/IPsec on pfSense 2.2, I have tried both pfSense 2.2.1 and also downgraded to 2.2 to see if it produced any better result unfortunately nogo.
I followed the guide at https://doc.pfsense.org/index.php/L2TP/IPsec and am finding the same troubles as other people in this forum, L2TP doesn't seem to do anything at all (L2TP Raw doesn't show anything when trying to connect with a client), I do see the IPsec establish fine so I know it's not a problem there.
I've tried Android, Windows 7 and Windows 8.1 from multiple locations.
Is there anyone out there that got this to work?? You would think if there is a howto that exists showing it working that it should work for others as well? :)
Appreciate any help in the matter! I'll provide some logs, etc if requested.