Netgate Discussion Forum
    2.2.2 L2TP/IPsec stopped working

    3 Posts 2 Posters 1.9k Views
    basse:

      Hello!

      After upgrading to 2.2.2 from 2.2, my L2TP/IPSec setup stopped working.
      The connecting device only says "The L2TP-server did not respond".

      Looking in the IPsec logs in pfSense, this is the only line that seems odd to me:

      charon: 16[KNL] can't install route for 79.138.*.*/32|/0[udp/65198] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic
      

      What's wrong? This is driving me crazy!

      Edit: Full log:

      May 9 11:49:59	charon: 03[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      May 9 11:49:59	charon: 03[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      May 9 11:49:59	charon: 03[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      May 9 11:49:59	charon: 03[IKE] received FRAGMENTATION vendor ID
      May 9 11:49:59	charon: 03[IKE] received DPD vendor ID
      May 9 11:49:59	charon: 03[IKE] 79.138.*.* is initiating a Main Mode IKE_SA
      May 9 11:49:59	charon: 03[IKE] 79.138.*.* is initiating a Main Mode IKE_SA
      May 9 11:49:59	charon: 03[ENC] generating ID_PROT response 0 [ SA V V V V ]
      May 9 11:49:59	charon: 03[NET] sending packet: from 83.250.*.*[500] to 79.138.*.*[22902] (160 bytes)
      May 9 11:50:00	charon: 09[NET] received packet: from 79.138.*.*[22902] to 83.250.*.*[500] (228 bytes)
      May 9 11:50:00	charon: 09[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
      May 9 11:50:00	charon: 09[IKE] remote host is behind NAT
      May 9 11:50:00	charon: 09[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
      May 9 11:50:00	charon: 09[NET] sending packet: from 83.250.*.*[500] to 79.138.*.*[22902] (244 bytes)
      May 9 11:50:00	charon: 09[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (108 bytes)
      May 9 11:50:00	charon: 09[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
      May 9 11:50:00	charon: 09[CFG] looking for pre-shared key peer configs matching 83.250.*.*...79.138.*.*[10.133.177.21]
      May 9 11:50:00	charon: 09[CFG] selected peer config "con2"
      May 9 11:50:00	charon: 09[IKE] IKE_SA con2[21] established between 83.250.*.*[83.250.*.*]...79.138.*.*[10.133.177.21]
      May 9 11:50:00	charon: 09[IKE] IKE_SA con2[21] established between 83.250.*.*[83.250.*.*]...79.138.*.*[10.133.177.21]
      May 9 11:50:00	charon: 09[IKE] scheduling reauthentication in 27982s
      May 9 11:50:00	charon: 09[IKE] maximum IKE_SA lifetime 28522s
      May 9 11:50:00	charon: 09[ENC] generating ID_PROT response 0 [ ID HASH ]
      May 9 11:50:00	charon: 09[NET] sending packet: from 83.250.*.*[4500] to 79.138.*.*[22879] (76 bytes)
      May 9 11:50:01	charon: 11[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (316 bytes)
      May 9 11:50:01	charon: 11[ENC] parsed QUICK_MODE request 3485755850 [ HASH SA No ID ID NAT-OA NAT-OA ]
      May 9 11:50:01	charon: 11[IKE] expected IPComp proposal but peer did not send one, IPComp disabled
      May 9 11:50:01	charon: 11[ENC] generating QUICK_MODE response 3485755850 [ HASH SA No ID ID NAT-OA NAT-OA ]
      May 9 11:50:01	charon: 11[NET] sending packet: from 83.250.*.*[4500] to 79.138.*.*[22879] (204 bytes)
      May 9 11:50:01	charon: 11[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (60 bytes)
      May 9 11:50:01	charon: 11[ENC] parsed QUICK_MODE request 3485755850 [ HASH ]
      May 9 11:50:01	charon: 11[KNL] can't install route for 79.138.*.*/32|/0[udp/58918] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic
      May 9 11:50:01	charon: 11[IKE] CHILD_SA con2{16} established with SPIs cfa6dc0f_i 0701fd27_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/58918]
      May 9 11:50:01	charon: 11[IKE] CHILD_SA con2{16} established with SPIs cfa6dc0f_i 0701fd27_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/58918]
      May 9 11:50:11	charon: 11[IKE] sending DPD request
      May 9 11:50:11	charon: 11[ENC] generating INFORMATIONAL_V1 request 151035731 [ HASH N(DPD) ]
      May 9 11:50:11	charon: 11[NET] sending packet: from 83.250.*.*[4500] to 79.138.*.*[22879] (92 bytes)
      May 9 11:50:11	charon: 09[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (92 bytes)
      May 9 11:50:11	charon: 09[ENC] parsed INFORMATIONAL_V1 request 97930351 [ HASH N(DPD_ACK) ]
      May 9 11:50:21	charon: 09[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (76 bytes)
      May 9 11:50:21	charon: 09[ENC] parsed INFORMATIONAL_V1 request 2150739719 [ HASH D ]
      May 9 11:50:21	charon: 09[IKE] received DELETE for ESP CHILD_SA with SPI 0701fd27
      May 9 11:50:21	charon: 09[IKE] closing CHILD_SA con2{16} with SPIs cfa6dc0f_i (735 bytes) 0701fd27_o (0 bytes) and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/58918]
      May 9 11:50:21	charon: 09[IKE] closing CHILD_SA con2{16} with SPIs cfa6dc0f_i (735 bytes) 0701fd27_o (0 bytes) and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/58918]
      May 9 11:50:21	charon: 09[KNL] can't install route for 79.138.*.*/32|/0[udp/58918] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic
      May 9 11:50:22	charon: 06[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (92 bytes)
      May 9 11:50:22	charon: 06[ENC] parsed INFORMATIONAL_V1 request 1029381452 [ HASH D ]
      May 9 11:50:22	charon: 06[IKE] received DELETE for IKE_SA con2[21]
      May 9 11:50:22	charon: 06[IKE] deleting IKE_SA con2[21] between 83.250.*.*[83.250.*.*]...79.138.*.*[10.133.177.21]
      May 9 11:50:22	charon: 06[IKE] deleting IKE_SA con2[21] between 83.250.*.*[83.250.*.*]...79.138.*.*[10.133.177.21]
      
      eri--:

        Can you show your configuration?

        basse:

          Sorry.
          I'm using this exact(!) config:

          https://doc.pfsense.org/index.php/L2TP/IPsec

          Edit:
          I did revert to my 2.2.1 snapshot; that one still works. The "conflicts with IKE traffic" line is also there, but the log after it is different:

          May 12 12:39:23	charon: 05[KNL] can't install route for 79.138.*.*/32|/0[udp/57280] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic
          May 12 12:39:23	charon: 05[IKE] CHILD_SA con2{2} established with SPIs ce630aa3_i 03d2ee78_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/57280]
          May 12 12:39:23	charon: 05[IKE] CHILD_SA con2{2} established with SPIs ce630aa3_i 03d2ee78_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/57280]
          May 12 12:39:26	charon: 05[KNL] interface l2tp0 activated
          May 12 12:39:26	charon: 09[KNL] 192.168.42.142 appeared on l2tp0
          May 12 12:39:44	charon: 09[IKE] sending DPD request
          May 12 12:39:44	charon: 09[ENC] generating INFORMATIONAL_V1 request 286907280 [ HASH N(DPD) ]
          May 12 12:39:44	charon: 09[NET] sending packet: from 83.250.*.*[4500] to 79.138.*.*[55263] (92 bytes)
          May 12 12:39:45	charon: 09[NET] received packet: from 79.138.*.*[55263] to 83.250.*.*[4500] (92 bytes)
          May 12 12:39:45	charon: 09[ENC] parsed INFORMATIONAL_V1 request 2737098688 [ HASH N(DPD_ACK) ]
          

          Edit 2:
          Ok so I reproduced the error:

          1. I'm on 2.2.1 - VPN ok
          2. Use the built-in upgrader to 2.2.2 + reboot
          3. VPN does not work anymore

          https://doc.pfsense.org/index.php/2.2.2_New_Features_and_Changes
          I see 6 points of IPSec fixes in the patch notes, one is strongSwan upgrade.

          Strange I'm the first one with this problem…

          I did revert to 2.2.1 for the time being.
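The two traces posted above differ in a way that is easy to miss when reading them by hand, so here is an added example (not from the thread, and not pfSense's or strongSwan's code) that triages an L2TP/IPsec session from charon log lines. The regexes are my reading of the wording in the posted lines, not a documented strongSwan log schema, and the embedded sample logs are constructed from the two traces in the thread (addresses redacted as posted, abbreviated). "udp/l2f" is how strongSwan prints UDP port 1701, i.e. the L2TP transport-mode selector. What the script makes visible: the "can't install route ... conflicts with IKE traffic" warning is present in both the failing 2.2.2 trace and the working 2.2.1 trace, so it is not the discriminator. In the 2.2.2 trace the CHILD_SA is torn down by the peer 20 seconds after it came up with 735 bytes inbound and 0 bytes outbound, so ESP worked but nothing was ever sent back through the tunnel, which matches the client's "L2TP server did not respond"; in the 2.2.1 trace the kernel reports l2tp0 activated three seconds after the CHILD_SA.

```python
"""Triage an L2TP/IPsec session from charon (strongSwan) log lines.

Added example, not from the thread or from pfSense/strongSwan.  The regexes are
my reading of the log wording shown in the thread, not a documented schema.
"""
import re
from datetime import datetime
from typing import Iterable, Optional

# "<Mon> <d> <hh:mm:ss><tab>charon: <thread>[<subsystem>] <message>"; \s+ also accepts spaces.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s+charon: "
    r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$"
)
CHILD_UP_RE = re.compile(
    r"CHILD_SA (?P<name>\S+) established with SPIs [0-9a-f]+_i [0-9a-f]+_o and TS (?P<sel>.+)$"
)
CHILD_CLOSE_RE = re.compile(
    r"closing CHILD_SA \S+ with SPIs [0-9a-f]+_i \((?P<inb>\d+) bytes\) "
    r"[0-9a-f]+_o \((?P<outb>\d+) bytes\)"
)
IFACE_UP_RE = re.compile(r"interface (?P<iface>\S+) activated")
ROUTE_CONFLICT = "conflicts with IKE traffic"
PEER_DELETE = "received DELETE for ESP CHILD_SA"


def parse_ts(s: str) -> datetime:
    """Syslog timestamp without a year; only differences between lines are used."""
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S")


def triage(lines: Iterable[str]) -> dict:
    """Summarise one session: did ESP come up, did anything come back, did L2TP bind?"""
    r = {"child_sa": None, "selectors": None, "route_conflicts": 0, "l2tp_iface": None,
         "peer_deleted_child": False, "bytes_in": None, "bytes_out": None,
         "lifetime_s": None, "verdict": "NO CHILD_SA established"}
    up_at: Optional[datetime] = None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # not a charon line
        msg = m["msg"]
        if ROUTE_CONFLICT in msg:
            r["route_conflicts"] += 1     # appears in working traces too; not the discriminator
        elif (c := CHILD_UP_RE.search(msg)):
            if r["child_sa"] is None:     # pfSense 2.2 logs this line twice; count it once
                r["child_sa"], r["selectors"] = c["name"], c["sel"]
                up_at = parse_ts(m["ts"])
        elif (i := IFACE_UP_RE.search(msg)):
            r["l2tp_iface"] = i["iface"]  # kernel brought up the L2TP interface: tunnel usable
        elif PEER_DELETE in msg:
            r["peer_deleted_child"] = True
        elif (d := CHILD_CLOSE_RE.search(msg)) and r["bytes_in"] is None:
            r["bytes_in"], r["bytes_out"] = int(d["inb"]), int(d["outb"])
            if up_at is not None:
                r["lifetime_s"] = int((parse_ts(m["ts"]) - up_at).total_seconds())
    if r["child_sa"] is None:
        return r
    if r["l2tp_iface"]:
        r["verdict"] = f"OK: {r['child_sa']} up and {r['l2tp_iface']} activated"
    elif r["peer_deleted_child"] and r["bytes_out"] == 0:
        r["verdict"] = (f"BROKEN: {r['bytes_in']} bytes in, 0 bytes out on {r['child_sa']}; "
                        f"peer deleted it after {r['lifetime_s']}s. ESP is fine, nothing "
                        "was sent back through the tunnel (no answer on udp/l2f)")
    elif r["peer_deleted_child"]:
        r["verdict"] = f"DEGRADED: peer deleted {r['child_sa']} after two-way traffic"
    else:
        r["verdict"] = "INCONCLUSIVE: CHILD_SA up, no L2TP interface and no teardown seen"
    return r


# Constructed from the thread's two traces (addresses redacted as posted), abbreviated.
BROKEN_222 = """\
May 9 11:50:01  charon: 11[KNL] can't install route for 79.138.*.*/32|/0[udp/58918] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic
May 9 11:50:01  charon: 11[IKE] CHILD_SA con2{16} established with SPIs cfa6dc0f_i 0701fd27_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/58918]
May 9 11:50:01  charon: 11[IKE] CHILD_SA con2{16} established with SPIs cfa6dc0f_i 0701fd27_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/58918]
May 9 11:50:21  charon: 09[IKE] received DELETE for ESP CHILD_SA with SPI 0701fd27
May 9 11:50:21  charon: 09[IKE] closing CHILD_SA con2{16} with SPIs cfa6dc0f_i (735 bytes) 0701fd27_o (0 bytes) and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/58918]
May 9 11:50:21  charon: 09[KNL] can't install route for 79.138.*.*/32|/0[udp/58918] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic
"""
WORKING_221 = """\
May 12 12:39:23  charon: 05[KNL] can't install route for 79.138.*.*/32|/0[udp/57280] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic
May 12 12:39:23  charon: 05[IKE] CHILD_SA con2{2} established with SPIs ce630aa3_i 03d2ee78_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/57280]
May 12 12:39:26  charon: 05[KNL] interface l2tp0 activated
May 12 12:39:26  charon: 09[KNL] 192.168.42.142 appeared on l2tp0
"""

if __name__ == "__main__":
    for name, log in (("2.2.2", BROKEN_222), ("2.2.1", WORKING_221)):
        print(name, triage(log.splitlines())["verdict"])
```

On a pfSense box the same function can be fed the IPsec log directly (`clog /var/log/ipsec.log` on 2.2.x, or the log viewer export); the point of the byte counters is that a "BROKEN" verdict with zero outbound bytes means IKE and ESP are not the problem, and the next place to look is whether anything is listening and answering on UDP 1701 behind the transport-mode SA.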

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.