2.2.2 L2TP/IPsec stopped working



  • Hello!

    After upgrading to 2.2.2 from 2.2, my L2TP/IPSec setup stopped working.
    The connecting device only says "The L2TP-server did not respond".

    Looking in the IPsec logs in pfSense, this is the only line that seems odd to me:

    charon: 16[KNL] can't install route for 79.138.*.*/32|/0[udp/65198] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic
    

    What's wrong? This is driving me crazy!

    Edit: Full log:

    May 9 11:49:59	charon: 03[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    May 9 11:49:59	charon: 03[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    May 9 11:49:59	charon: 03[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    May 9 11:49:59	charon: 03[IKE] received FRAGMENTATION vendor ID
    May 9 11:49:59	charon: 03[IKE] received DPD vendor ID
    May 9 11:49:59	charon: 03[IKE] 79.138.*.* is initiating a Main Mode IKE_SA
    May 9 11:49:59	charon: 03[IKE] 79.138.*.* is initiating a Main Mode IKE_SA
    May 9 11:49:59	charon: 03[ENC] generating ID_PROT response 0 [ SA V V V V ]
    May 9 11:49:59	charon: 03[NET] sending packet: from 83.250.*.*[500] to 79.138.*.*[22902] (160 bytes)
    May 9 11:50:00	charon: 09[NET] received packet: from 79.138.*.*[22902] to 83.250.*.*[500] (228 bytes)
    May 9 11:50:00	charon: 09[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    May 9 11:50:00	charon: 09[IKE] remote host is behind NAT
    May 9 11:50:00	charon: 09[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    May 9 11:50:00	charon: 09[NET] sending packet: from 83.250.*.*[500] to 79.138.*.*[22902] (244 bytes)
    May 9 11:50:00	charon: 09[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (108 bytes)
    May 9 11:50:00	charon: 09[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    May 9 11:50:00	charon: 09[CFG] looking for pre-shared key peer configs matching 83.250.*.*...79.138.*.*[10.133.177.21]
    May 9 11:50:00	charon: 09[CFG] selected peer config "con2"
    May 9 11:50:00	charon: 09[IKE] IKE_SA con2[21] established between 83.250.*.*[83.250.*.*]...79.138.*.*[10.133.177.21]
    May 9 11:50:00	charon: 09[IKE] IKE_SA con2[21] established between 83.250.*.*[83.250.*.*]...79.138.*.*[10.133.177.21]
    May 9 11:50:00	charon: 09[IKE] scheduling reauthentication in 27982s
    May 9 11:50:00	charon: 09[IKE] maximum IKE_SA lifetime 28522s
    May 9 11:50:00	charon: 09[ENC] generating ID_PROT response 0 [ ID HASH ]
    May 9 11:50:00	charon: 09[NET] sending packet: from 83.250.*.*[4500] to 79.138.*.*[22879] (76 bytes)
    May 9 11:50:01	charon: 11[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (316 bytes)
    May 9 11:50:01	charon: 11[ENC] parsed QUICK_MODE request 3485755850 [ HASH SA No ID ID NAT-OA NAT-OA ]
    May 9 11:50:01	charon: 11[IKE] expected IPComp proposal but peer did not send one, IPComp disabled
    May 9 11:50:01	charon: 11[ENC] generating QUICK_MODE response 3485755850 [ HASH SA No ID ID NAT-OA NAT-OA ]
    May 9 11:50:01	charon: 11[NET] sending packet: from 83.250.*.*[4500] to 79.138.*.*[22879] (204 bytes)
    May 9 11:50:01	charon: 11[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (60 bytes)
    May 9 11:50:01	charon: 11[ENC] parsed QUICK_MODE request 3485755850 [ HASH ]
    May 9 11:50:01	charon: 11[KNL] can't install route for 79.138.*.*/32|/0[udp/58918] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic
    May 9 11:50:01	charon: 11[IKE] CHILD_SA con2{16} established with SPIs cfa6dc0f_i 0701fd27_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/58918]
    May 9 11:50:01	charon: 11[IKE] CHILD_SA con2{16} established with SPIs cfa6dc0f_i 0701fd27_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/58918]
    May 9 11:50:11	charon: 11[IKE] sending DPD request
    May 9 11:50:11	charon: 11[ENC] generating INFORMATIONAL_V1 request 151035731 [ HASH N(DPD) ]
    May 9 11:50:11	charon: 11[NET] sending packet: from 83.250.*.*[4500] to 79.138.*.*[22879] (92 bytes)
    May 9 11:50:11	charon: 09[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (92 bytes)
    May 9 11:50:11	charon: 09[ENC] parsed INFORMATIONAL_V1 request 97930351 [ HASH N(DPD_ACK) ]
    May 9 11:50:21	charon: 09[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (76 bytes)
    May 9 11:50:21	charon: 09[ENC] parsed INFORMATIONAL_V1 request 2150739719 [ HASH D ]
    May 9 11:50:21	charon: 09[IKE] received DELETE for ESP CHILD_SA with SPI 0701fd27
    May 9 11:50:21	charon: 09[IKE] closing CHILD_SA con2{16} with SPIs cfa6dc0f_i (735 bytes) 0701fd27_o (0 bytes) and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/58918]
    May 9 11:50:21	charon: 09[IKE] closing CHILD_SA con2{16} with SPIs cfa6dc0f_i (735 bytes) 0701fd27_o (0 bytes) and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/58918]
    May 9 11:50:21	charon: 09[KNL] can't install route for 79.138.*.*/32|/0[udp/58918] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic
    May 9 11:50:22	charon: 06[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (92 bytes)
    May 9 11:50:22	charon: 06[ENC] parsed INFORMATIONAL_V1 request 1029381452 [ HASH D ]
    May 9 11:50:22	charon: 06[IKE] received DELETE for IKE_SA con2[21]
    May 9 11:50:22	charon: 06[IKE] deleting IKE_SA con2[21] between 83.250.*.*[83.250.*.*]...79.138.*.*[10.133.177.21]
    May 9 11:50:22	charon: 06[IKE] deleting IKE_SA con2[21] between 83.250.*.*[83.250.*.*]...79.138.*.*[10.133.177.21]
    


  • Can you show your configuration?



  • Sorry.
    I'm using this exact(!) config:

    https://doc.pfsense.org/index.php/L2TP/IPsec

    Edit:
    I did revert to my 2.2.1 snapshot; that one still works, and the "conflicts with IKE traffic" line is also there, but the log after it is different:

    May 12 12:39:23	charon: 05[KNL] can't install route for 79.138.*.*/32|/0[udp/57280] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic
    May 12 12:39:23	charon: 05[IKE] CHILD_SA con2{2} established with SPIs ce630aa3_i 03d2ee78_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/57280]
    May 12 12:39:23	charon: 05[IKE] CHILD_SA con2{2} established with SPIs ce630aa3_i 03d2ee78_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/57280]
    May 12 12:39:26	charon: 05[KNL] interface l2tp0 activated
    May 12 12:39:26	charon: 09[KNL] 192.168.42.142 appeared on l2tp0
    May 12 12:39:44	charon: 09[IKE] sending DPD request
    May 12 12:39:44	charon: 09[ENC] generating INFORMATIONAL_V1 request 286907280 [ HASH N(DPD) ]
    May 12 12:39:44	charon: 09[NET] sending packet: from 83.250.*.*[4500] to 79.138.*.*[55263] (92 bytes)
    May 12 12:39:45	charon: 09[NET] received packet: from 79.138.*.*[55263] to 83.250.*.*[4500] (92 bytes)
    May 12 12:39:45	charon: 09[ENC] parsed INFORMATIONAL_V1 request 2737098688 [ HASH N(DPD_ACK) ]
    

    Edit 2:
    OK, so I reproduced the error:

    1. I'm on 2.2.1 - VPN OK
    2. Use the built-in upgrader to 2.2.2 + reboot
    3. VPN does not work anymore

    https://doc.pfsense.org/index.php/2.2.2_New_Features_and_Changes
    I see 6 IPsec fixes listed in the patch notes; one is a strongSwan upgrade.

    Strange that I'm the first one with this problem…

    I did revert to 2.2.1 for the time being.
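As an added triage example (not from the thread, pfSense or strongSwan): a small Python script that walks charon log lines like the two captures above and reports whether an L2TP interface came up over the established CHILD_SA. The sample lines are constructed to mirror the failing 2.2.2 capture and the working 2.2.1 capture (addresses and SPIs are made up); it shows that the "can't install route ... conflicts with IKE traffic" message is present in both, so the useful discriminator is whether l2tp0 activates before the client sends DELETE for the ESP SA.

```python
import re
from datetime import datetime

# Constructed sample lines mirroring the two charon captures in this thread
# (failing 2.2.2 session, then working 2.2.1 session); addresses and SPIs are made up.
FAILING_LOG = """\
May 9 11:50:01\tcharon: 11[KNL] can't install route for 198.51.100.7/32|/0[udp/58918] === 203.0.113.1/32|/0[udp/l2f] in, conflicts with IKE traffic
May 9 11:50:01\tcharon: 11[IKE] CHILD_SA con2{16} established with SPIs cfa6dc0f_i 0701fd27_o and TS 203.0.113.1/32|/0[udp/l2f] === 198.51.100.7/32|/0[udp/58918]
May 9 11:50:21\tcharon: 09[IKE] received DELETE for ESP CHILD_SA with SPI 0701fd27
"""
WORKING_LOG = """\
May 12 12:39:23\tcharon: 05[KNL] can't install route for 198.51.100.7/32|/0[udp/57280] === 203.0.113.1/32|/0[udp/l2f] in, conflicts with IKE traffic
May 12 12:39:23\tcharon: 05[IKE] CHILD_SA con2{2} established with SPIs ce630aa3_i 03d2ee78_o and TS 203.0.113.1/32|/0[udp/l2f] === 198.51.100.7/32|/0[udp/57280]
May 12 12:39:26\tcharon: 05[KNL] interface l2tp0 activated
May 12 12:39:26\tcharon: 09[KNL] 192.168.42.142 appeared on l2tp0
"""

# syslog prefix, then "charon: <thread>[<subsystem>] <message>"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+charon: "
                     r"\d+\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$")

def analyze(log_text):
    """Walk one session's charon lines and record the IPsec -> L2TP milestones."""
    st = {"child_sa_at": None, "route_conflict": False, "l2tp_up": False, "peer_deleted_after_s": None}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, fine for deltas
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        msg = m["msg"]
        if msg.startswith("CHILD_SA") and "established" in msg:
            st["child_sa_at"] = ts                    # phase 2 (ESP) is up
        elif "conflicts with IKE traffic" in msg:
            st["route_conflict"] = True               # present in both captures
        elif re.search(r"interface l2tp\d+ activated|appeared on l2tp\d+", msg):
            st["l2tp_up"] = True                      # L2TP answered over the ESP SA
        elif "received DELETE for ESP CHILD_SA" in msg and st["child_sa_at"]:
            st["peer_deleted_after_s"] = (ts - st["child_sa_at"]).total_seconds()
    return st

def verdict(st):
    """Classify a session; 'l2tp-silent' is the pattern in the failing 2.2.2 capture."""
    if st["child_sa_at"] is None:
        return "ipsec-failed"
    if st["l2tp_up"]:
        return "l2tp-up"
    if st["peer_deleted_after_s"] is not None:
        return "l2tp-silent"   # ESP up, no l2tp interface, client gave up and tore down
    return "l2tp-pending"
```

Feed it one session's worth of lines from the IPsec log; a "l2tp-silent" verdict with the ESP SA up points at the L2TP daemon or its path over the tunnel rather than at IKE.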