OSX 10.10 cannot connect to pfSense IPSec/L2TP. Multiple server setup possible?


  • pfSense is set up as described here, except that some of the options are not shown in pfSense 2.2 any more.

    I can connect from Linux (Ubuntu) & Mikrotik successfully.

    However, OSX just plays dumb.  Using OSX 10.10.2 with the native client as described here, I get the following in the /var/log/system.log regardless of what changes I try on the server.  There's pretty much nothing to change on the client.  It has so few options to set.

    
    Mar 16 23:23:12 Carel-Macbook-Pro.local pppd[6789]: pppd 2.4.2 (Apple version 786.10.1) started by carelvandermerwe, uid 501
    Mar 16 23:23:12 Carel-Macbook-Pro.local pppd[6789]: l2tp_get_router_address
    Mar 16 23:23:12 Carel-Macbook-Pro.local pppd[6789]: l2tp_get_router_address 192.168.88.1 from dict 1
    Mar 16 23:23:12 Carel-Macbook-Pro.local pppd[6789]: L2TP connecting to server '41.yy.xx.130' (41.71.68.130)...
    Mar 16 23:23:12 Carel-Macbook-Pro.local pppd[6789]: IPSec connection started
    Mar 16 23:23:12 Carel-Macbook-Pro.local racoon[6790]: plogsetfile: about to add racoon log file: /var/log/racoon.log
    Mar 16 23:23:12 Carel-Macbook-Pro.local racoon[6790]: accepted connection on vpn control socket.
    Mar 16 23:23:12 --- last message repeated 1 time ---
    Mar 16 23:23:12 Carel-Macbook-Pro.local racoon[6790]: Connecting.
    Mar 16 23:23:12 Carel-Macbook-Pro.local racoon[6790]: IPSec Phase 1 started (Initiated by me).
    Mar 16 23:23:12 --- last message repeated 1 time ---
    Mar 16 23:23:12 Carel-Macbook-Pro.local racoon[6790]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
    Mar 16 23:23:12 Carel-Macbook-Pro.local racoon[6790]: >>>>> phase change status = Phase 1 started by us
    Mar 16 23:23:13 --- last message repeated 1 time ---
    Mar 16 23:23:13 Carel-Macbook-Pro.local racoon[6790]: none message must be encrypted
    Mar 16 23:23:16 --- last message repeated 1 time ---
    Mar 16 23:23:16 Carel-Macbook-Pro.local racoon[6790]: IKE Packet: transmit success. (Phase 1 Retransmit).
    Mar 16 23:23:16 Carel-Macbook-Pro.local racoon[6790]: none message must be encrypted
    Mar 16 23:23:19 --- last message repeated 1 time ---
    Mar 16 23:23:19 Carel-Macbook-Pro.local racoon[6790]: IKE Packet: transmit success. (Phase 1 Retransmit).
    Mar 16 23:23:19 Carel-Macbook-Pro.local racoon[6790]: none message must be encrypted
    Mar 16 23:23:22 --- last message repeated 1 time ---
    Mar 16 23:23:22 Carel-Macbook-Pro.local racoon[6790]: IKE Packet: transmit success. (Phase 1 Retransmit).
    Mar 16 23:23:22 Carel-Macbook-Pro.local racoon[6790]: none message must be encrypted
    Mar 16 23:23:22 --- last message repeated 1 time ---
    Mar 16 23:23:22 Carel-Macbook-Pro.local pppd[6789]: IPSec connection failed
    Mar 16 23:23:22 Carel-Macbook-Pro.local racoon[6790]: IPSec disconnecting from server 41.yy.xx.130
    Mar 16 23:23:22 --- last message repeated 1 time ---
    Mar 16 23:23:22 Carel-Macbook-Pro.local racoon[6790]: glob found no matches for path "/var/run/racoon/*.conf"
    
    

    I have unloaded (stopped) and loaded (started) racoon on the Mac, it makes no difference.

    I'm at a loss for other options.

    Does this work on a Mac?  I have even installed IPSecuritas, but it also gives a very similar error so I uninstalled it again.

    (Update: Also tested on OSX 10.6, same problem)
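As an added example (not the original poster's code, and nothing from pfSense or Apple), here is a small Python script that pulls the facts out of a pppd/racoon log like the one above: which peer address was dialled, whether IKE Phase 1 ran in main or aggressive mode and who initiated it, how many Phase 1 retransmits racoon sent, which racoon error line repeated, and whether pppd ever reported the IPsec connection as established. The sample lines are constructed to mirror the post's log, with a placeholder hostname and address; the error keyword list and the success-path strings ("Phase 1 established", "IPSec connection established") are assumptions, not taken from the page.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log, modelled on the pppd/racoon lines in the post above.
# Hostname, PIDs and addresses are placeholders, not the original poster's.
SAMPLE_LOG = """\
Mar 16 23:23:12 mac pppd[6789]: L2TP connecting to server 'vpn.example.net' (203.0.113.10)...
Mar 16 23:23:12 mac pppd[6789]: IPSec connection started
Mar 16 23:23:12 mac racoon[6790]: IPSec Phase 1 started (Initiated by me).
Mar 16 23:23:12 mac racoon[6790]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Mar 16 23:23:13 mac racoon[6790]: none message must be encrypted
Mar 16 23:23:16 mac racoon[6790]: IKE Packet: transmit success. (Phase 1 Retransmit).
Mar 16 23:23:16 mac racoon[6790]: none message must be encrypted
Mar 16 23:23:19 mac racoon[6790]: IKE Packet: transmit success. (Phase 1 Retransmit).
Mar 16 23:23:19 mac racoon[6790]: none message must be encrypted
Mar 16 23:23:22 mac racoon[6790]: IKE Packet: transmit success. (Phase 1 Retransmit).
Mar 16 23:23:22 mac racoon[6790]: none message must be encrypted
Mar 16 23:23:22 mac pppd[6789]: IPSec connection failed
"""

# syslog-style prefix: "Mon DD HH:MM:SS host proc[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
SERVER_RE = re.compile(r"L2TP connecting to server '([^']+)' \(([^)]+)\)")
MODE_RE = re.compile(r"\((Initiator|Responder), (Main|Aggressive)-Mode message (\d+)\)")

# racoon messages that suggest the peer's reply was rejected or never came.
# Heuristic keyword list (an assumption), not an exhaustive racoon error table.
ERROR_KEYWORDS = ("must be encrypted", "no suitable proposal", "invalid", "failed")


def parse_lines(text):
    """Yield one dict per syslog line that matches the expected prefix."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            # Syslog timestamps carry no year; year 1900 is fine for deltas.
            rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
            yield rec


def summarize_ike(text):
    """Reduce a pppd/racoon log to the facts that matter for an IKEv1 failure."""
    s = {
        "server": None, "phase1_mode": None, "initiator": None,
        "phase1_established": False, "retransmits": 0,
        "errors": Counter(), "outcome": "unknown", "duration_s": None,
    }
    started = ended = None
    for rec in parse_lines(text):
        msg, proc = rec["msg"], rec["proc"]
        m = SERVER_RE.search(msg)
        if m:
            s["server"] = m.group(2)
        m = MODE_RE.search(msg)
        if m:
            s["initiator"] = m.group(1) == "Initiator"
            s["phase1_mode"] = m.group(2).lower()
        if "Phase 1 started" in msg and started is None:
            started = rec["time"]
        if "Phase 1 established" in msg:      # assumed success-path wording
            s["phase1_established"] = True
        if "(Phase 1 Retransmit)" in msg:
            s["retransmits"] += 1
        if proc == "racoon" and any(k in msg for k in ERROR_KEYWORDS):
            s["errors"][msg] += 1
        if proc == "pppd" and msg.startswith("IPSec connection "):
            if "failed" in msg:
                s["outcome"], ended = "failed", rec["time"]
            elif "established" in msg:        # assumed success-path wording
                s["outcome"], ended = "established", rec["time"]
    if started and ended:
        s["duration_s"] = (ended - started).total_seconds()
    return s


def diagnose(summary):
    """One-line verdict: where in the handshake the connection died."""
    if summary["outcome"] == "established":
        return "IPsec tunnel came up"
    if not summary["phase1_established"]:
        top = summary["errors"].most_common(1)
        detail = f" ('{top[0][0]}' x{top[0][1]})" if top else ""
        return (f"Phase 1 ({summary['phase1_mode']} mode) never completed after "
                f"{summary['retransmits']} retransmits{detail}")
    return "Phase 1 completed; failure is later (Phase 2 or L2TP/PPP)"


if __name__ == "__main__":
    summary = summarize_ike(SAMPLE_LOG)
    for key, value in summary.items():
        print(f"{key:20} {value}")
    print(diagnose(summary))
```

On the sample above the script reports that Phase 1 was initiated by the Mac in aggressive mode, that racoon retransmitted three times over ten seconds while logging "none message must be encrypted" after each attempt, and that pppd then gave up before Phase 1 was ever established. That narrows the problem to the Phase 1 exchange itself rather than to Phase 2, L2TP or PPP, which is the first thing to confirm before changing anything on the server.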


  • I've actually tested this on older versions of OSX.  10.6 doesn't work either and gives the same result.

    Is it possible to set up different phase1/2 setups for different clients?  I have permanent connections via VPN that work well and I don't want to break them, so if I could set up a different set of server settings, maybe that would allow me to connect?  I don't know how this would work though…



  • I have vanilla IPsec from OS X and iOS working to StrongSWAN but fails when using IPsec + L2TP.  Using another StrongSWAN client, ChromeOS, works fine so something special with Apple I would think.


  • Forgive me for what may be a stupid question, but why do you want to use L2TP?

    @MrMoo:

    I have vanilla IPsec from OS X and iOS working to StrongSWAN but fails when using IPsec + L2TP.


  • @dennypage:

    Forgive me for what may be a stupid question, but why do you want to use L2TP?

    iOS only has limited IKEv2 support through its enterprise deployment tools.


  • Perhaps another stupid question…

    Why is L2TP related to IKEv2?

    IKEv2 is certainly desirable for IPSEC. However, L2TP doesn't come into play until after the IPSEC tunnel has been established, and doesn't offer any security of its own...

    @MrMoo:

    iOS only has limited IKEv2 support through its enterprise deployment tools.


  • @dennypage:

    Why is L2TP related to IKEv2?

    L2TP is used to pass multiple VLANs over a single IPsec connection, but in implementation it often requires two additional daemons, xl2tpd and pppd. IKEv2 allows you to specify multiple subnets for leftsubnet= and rightsubnet=.


  • I wasn't aware of that. Thanks.

    @MrMoo:

    IKEv2 allows you to specify multiple subnets for leftsubnet= and rightsubnet=.