2.2.2 L2TP/IPsec stopped working
-
Hello!
After upgrading to 2.2.2 from 2.2, my L2TP/IPSec setup stopped working.
The connecting device only says "The L2TP-server did not respond". Looking in the IPSec-logs in pfsense, this is the only line that seems odd to me:
charon: 16[KNL] can't install route for 79.138.*.*/32|/0[udp/65198] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic
What's wrong? This is driving me crazy!
Edit: Full log:
May 9 11:49:59 charon: 03[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May 9 11:49:59 charon: 03[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
May 9 11:49:59 charon: 03[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 9 11:49:59 charon: 03[IKE] received FRAGMENTATION vendor ID
May 9 11:49:59 charon: 03[IKE] received DPD vendor ID
May 9 11:49:59 charon: 03[IKE] 79.138.*.* is initiating a Main Mode IKE_SA
May 9 11:49:59 charon: 03[IKE] 79.138.*.* is initiating a Main Mode IKE_SA
May 9 11:49:59 charon: 03[ENC] generating ID_PROT response 0 [ SA V V V V ]
May 9 11:49:59 charon: 03[NET] sending packet: from 83.250.*.*[500] to 79.138.*.*[22902] (160 bytes)
May 9 11:50:00 charon: 09[NET] received packet: from 79.138.*.*[22902] to 83.250.*.*[500] (228 bytes)
May 9 11:50:00 charon: 09[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
May 9 11:50:00 charon: 09[IKE] remote host is behind NAT
May 9 11:50:00 charon: 09[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
May 9 11:50:00 charon: 09[NET] sending packet: from 83.250.*.*[500] to 79.138.*.*[22902] (244 bytes)
May 9 11:50:00 charon: 09[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (108 bytes)
May 9 11:50:00 charon: 09[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
May 9 11:50:00 charon: 09[CFG] looking for pre-shared key peer configs matching 83.250.*.*...79.138.*.*[10.133.177.21]
May 9 11:50:00 charon: 09[CFG] selected peer config "con2"
May 9 11:50:00 charon: 09[IKE] IKE_SA con2[21] established between 83.250.*.*[83.250.*.*]...79.138.*.*[10.133.177.21]
May 9 11:50:00 charon: 09[IKE] IKE_SA con2[21] established between 83.250.*.*[83.250.*.*]...79.138.*.*[10.133.177.21]
May 9 11:50:00 charon: 09[IKE] scheduling reauthentication in 27982s
May 9 11:50:00 charon: 09[IKE] maximum IKE_SA lifetime 28522s
May 9 11:50:00 charon: 09[ENC] generating ID_PROT response 0 [ ID HASH ]
May 9 11:50:00 charon: 09[NET] sending packet: from 83.250.*.*[4500] to 79.138.*.*[22879] (76 bytes)
May 9 11:50:01 charon: 11[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (316 bytes)
May 9 11:50:01 charon: 11[ENC] parsed QUICK_MODE request 3485755850 [ HASH SA No ID ID NAT-OA NAT-OA ]
May 9 11:50:01 charon: 11[IKE] expected IPComp proposal but peer did not send one, IPComp disabled
May 9 11:50:01 charon: 11[ENC] generating QUICK_MODE response 3485755850 [ HASH SA No ID ID NAT-OA NAT-OA ]
May 9 11:50:01 charon: 11[NET] sending packet: from 83.250.*.*[4500] to 79.138.*.*[22879] (204 bytes)
May 9 11:50:01 charon: 11[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (60 bytes)
May 9 11:50:01 charon: 11[ENC] parsed QUICK_MODE request 3485755850 [ HASH ]
May 9 11:50:01 charon: 11[KNL] can't install route for 79.138.*.*/32|/0[udp/58918] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic
May 9 11:50:01 charon: 11[IKE] CHILD_SA con2{16} established with SPIs cfa6dc0f_i 0701fd27_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/58918]
May 9 11:50:01 charon: 11[IKE] CHILD_SA con2{16} established with SPIs cfa6dc0f_i 0701fd27_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/58918]
May 9 11:50:11 charon: 11[IKE] sending DPD request
May 9 11:50:11 charon: 11[ENC] generating INFORMATIONAL_V1 request 151035731 [ HASH N(DPD) ]
May 9 11:50:11 charon: 11[NET] sending packet: from 83.250.*.*[4500] to 79.138.*.*[22879] (92 bytes)
May 9 11:50:11 charon: 09[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (92 bytes)
May 9 11:50:11 charon: 09[ENC] parsed INFORMATIONAL_V1 request 97930351 [ HASH N(DPD_ACK) ]
May 9 11:50:21 charon: 09[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (76 bytes)
May 9 11:50:21 charon: 09[ENC] parsed INFORMATIONAL_V1 request 2150739719 [ HASH D ]
May 9 11:50:21 charon: 09[IKE] received DELETE for ESP CHILD_SA with SPI 0701fd27
May 9 11:50:21 charon: 09[IKE] closing CHILD_SA con2{16} with SPIs cfa6dc0f_i (735 bytes) 0701fd27_o (0 bytes) and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/58918]
May 9 11:50:21 charon: 09[IKE] closing CHILD_SA con2{16} with SPIs cfa6dc0f_i (735 bytes) 0701fd27_o (0 bytes) and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/58918]
May 9 11:50:21 charon: 09[KNL] can't install route for 79.138.*.*/32|/0[udp/58918] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic
May 9 11:50:22 charon: 06[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (92 bytes)
May 9 11:50:22 charon: 06[ENC] parsed INFORMATIONAL_V1 request 1029381452 [ HASH D ]
May 9 11:50:22 charon: 06[IKE] received DELETE for IKE_SA con2[21]
May 9 11:50:22 charon: 06[IKE] deleting IKE_SA con2[21] between 83.250.*.*[83.250.*.*]...79.138.*.*[10.133.177.21]
May 9 11:50:22 charon: 06[IKE] deleting IKE_SA con2[21] between 83.250.*.*[83.250.*.*]...79.138.*.*[10.133.177.21]
-
Can you show your configuration?
-
Sorry.
I'm using this exact(!) config: https://doc.pfsense.org/index.php/L2TP/IPsec
Edit:
I did revert to my 2.2.1 snapshot, that one still works, but the "conflicts with IKE traffic" is also there, but the log after is different:
May 12 12:39:23 charon: 05[KNL] can't install route for 79.138.*.*/32|/0[udp/57280] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic
May 12 12:39:23 charon: 05[IKE] CHILD_SA con2{2} established with SPIs ce630aa3_i 03d2ee78_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/57280]
May 12 12:39:23 charon: 05[IKE] CHILD_SA con2{2} established with SPIs ce630aa3_i 03d2ee78_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/57280]
May 12 12:39:26 charon: 05[KNL] interface l2tp0 activated
May 12 12:39:26 charon: 09[KNL] 192.168.42.142 appeared on l2tp0
May 12 12:39:44 charon: 09[IKE] sending DPD request
May 12 12:39:44 charon: 09[ENC] generating INFORMATIONAL_V1 request 286907280 [ HASH N(DPD) ]
May 12 12:39:44 charon: 09[NET] sending packet: from 83.250.*.*[4500] to 79.138.*.*[55263] (92 bytes)
May 12 12:39:45 charon: 09[NET] received packet: from 79.138.*.*[55263] to 83.250.*.*[4500] (92 bytes)
May 12 12:39:45 charon: 09[ENC] parsed INFORMATIONAL_V1 request 2737098688 [ HASH N(DPD_ACK) ]
Edit 2:
Ok so I reproduced the error:
- I'm on 2.2.1 - vpn ok
- Use built in upgrader to 2.2.2 + Reboot
- VPN does not work anymore
https://doc.pfsense.org/index.php/2.2.2_New_Features_and_Changes
I see 6 points of IPSec fixes in the patch notes, one is strongSwan upgrade. Strange I'm the first one with this problem…
I did revert to 2.2.1 for the time being.
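A small script to tell the two charon logs in this thread apart mechanically, added here as an example and not code from the thread, pfSense or strongSwan. It parses charon lines, records whether a CHILD_SA came up, whether an l2tp interface was activated afterwards, and how many seconds passed before the peer sent DELETE; the sample lines are excerpted from the logs posted above, and the "conflicts with IKE traffic" warning is only counted, to show it appears in both the working and the failing run.

```python
import re
from datetime import datetime

# One charon entry: "May 9 11:50:01 charon: 11[IKE] CHILD_SA con2{16} established ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) charon: \d+\[(?P<sub>\w+)\] (?P<msg>.*)$")

def parse_charon(lines):
    """Return (timestamp, subsystem, message) for every line that is a charon entry."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            out.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["sub"], m["msg"]))
    return out

def diagnose(lines):
    """Classify one L2TP/IPsec connection attempt from its charon log lines."""
    ev = parse_charon(lines)
    child_up = next((t for t, s, m in ev
                     if s == "IKE" and m.startswith("CHILD_SA") and "established" in m), None)
    l2tp_up = any(s == "KNL" and m.startswith("interface l2tp") and m.endswith("activated")
                  for _, s, m in ev)
    deleted = next((t for t, _, m in ev if "received DELETE for ESP CHILD_SA" in m), None)
    route_warnings = sum("conflicts with IKE traffic" in m for _, _, m in ev)
    if child_up is None:
        verdict = "ike-failed"              # IPsec never got a CHILD_SA
    elif l2tp_up:
        verdict = "ok"                      # tunnel up and L2TP came up on top of it
    else:
        verdict = "ipsec-up-l2tp-down"      # IPsec fine, the L2TP layer never answered
    secs = (deleted - child_up).total_seconds() if child_up and deleted else None
    return {"verdict": verdict, "route_warnings": route_warnings, "seconds_until_delete": secs}

# Sample input: lines excerpted from the thread's 2.2.2 (failing) log.
BROKEN_222 = """\
May 9 11:50:01 charon: 11[KNL] can't install route for 79.138.*.*/32|/0[udp/58918] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic
May 9 11:50:01 charon: 11[IKE] CHILD_SA con2{16} established with SPIs cfa6dc0f_i 0701fd27_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/58918]
May 9 11:50:11 charon: 11[IKE] sending DPD request
May 9 11:50:21 charon: 09[IKE] received DELETE for ESP CHILD_SA with SPI 0701fd27
May 9 11:50:22 charon: 06[IKE] received DELETE for IKE_SA con2[21]
""".splitlines()

# Sample input: lines excerpted from the thread's 2.2.1 (working) log.
WORKING_221 = """\
May 12 12:39:23 charon: 05[KNL] can't install route for 79.138.*.*/32|/0[udp/57280] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic
May 12 12:39:23 charon: 05[IKE] CHILD_SA con2{2} established with SPIs ce630aa3_i 03d2ee78_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/57280]
May 12 12:39:26 charon: 05[KNL] interface l2tp0 activated
May 12 12:39:26 charon: 09[KNL] 192.168.42.142 appeared on l2tp0
""".splitlines()

if __name__ == "__main__":
    print("2.2.2:", diagnose(BROKEN_222))
    print("2.2.1:", diagnose(WORKING_221))
```

The route warning scores 1 in both runs, so it is not what separates them; the failing run is the one where the CHILD_SA comes up but no l2tp interface ever activates before the client tears the SA down.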