1. Home
  2. pfSense® Software
  3. IPsec
  4. 2.2.2 L2TP/IPsec stopped working

2.2.2 L2TP/IPsec stopped working

  • B

    Hello!

    After upgrading to 2.2.2 from 2.2, my L2TP/IPSec setup stopped working.
    The connecting device only says "The L2TP-server did not respond".

    Looking in the IPSec-logs in pfsense, this is the only line that seems odd to me:

    charon: 16[KNL] can't install route for 79.138.*.*/32|/0[udp/65198] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic

    Whats wrong? This is driving me crazy!

    Edit: Full log:

    May 9 11:49:59	charon: 03[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May 9 11:49:59	charon: 03[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
May 9 11:49:59	charon: 03[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 9 11:49:59	charon: 03[IKE] received FRAGMENTATION vendor ID
May 9 11:49:59	charon: 03[IKE] received DPD vendor ID
May 9 11:49:59	charon: 03[IKE] 79.138.*.* is initiating a Main Mode IKE_SA
May 9 11:49:59	charon: 03[IKE] 79.138.*.* is initiating a Main Mode IKE_SA
May 9 11:49:59	charon: 03[ENC] generating ID_PROT response 0 [ SA V V V V ]
May 9 11:49:59	charon: 03[NET] sending packet: from 83.250.*.*[500] to 79.138.*.*[22902] (160 bytes)
May 9 11:50:00	charon: 09[NET] received packet: from 79.138.*.*[22902] to 83.250.*.*[500] (228 bytes)
May 9 11:50:00	charon: 09[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
May 9 11:50:00	charon: 09[IKE] remote host is behind NAT
May 9 11:50:00	charon: 09[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
May 9 11:50:00	charon: 09[NET] sending packet: from 83.250.*.*[500] to 79.138.*.*[22902] (244 bytes)
May 9 11:50:00	charon: 09[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (108 bytes)
May 9 11:50:00	charon: 09[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
May 9 11:50:00	charon: 09[CFG] looking for pre-shared key peer configs matching 83.250.*.*...79.138.*.*[10.133.177.21]
May 9 11:50:00	charon: 09[CFG] selected peer config "con2"
May 9 11:50:00	charon: 09[IKE] IKE_SA con2[21] established between 83.250.*.*[83.250.*.*]...79.138.*.*[10.133.177.21]
May 9 11:50:00	charon: 09[IKE] IKE_SA con2[21] established between 83.250.*.*[83.250.*.*]...79.138.*.*[10.133.177.21]
May 9 11:50:00	charon: 09[IKE] scheduling reauthentication in 27982s
May 9 11:50:00	charon: 09[IKE] maximum IKE_SA lifetime 28522s
May 9 11:50:00	charon: 09[ENC] generating ID_PROT response 0 [ ID HASH ]
May 9 11:50:00	charon: 09[NET] sending packet: from 83.250.*.*[4500] to 79.138.*.*[22879] (76 bytes)
May 9 11:50:01	charon: 11[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (316 bytes)
May 9 11:50:01	charon: 11[ENC] parsed QUICK_MODE request 3485755850 [ HASH SA No ID ID NAT-OA NAT-OA ]
May 9 11:50:01	charon: 11[IKE] expected IPComp proposal but peer did not send one, IPComp disabled
May 9 11:50:01	charon: 11[ENC] generating QUICK_MODE response 3485755850 [ HASH SA No ID ID NAT-OA NAT-OA ]
May 9 11:50:01	charon: 11[NET] sending packet: from 83.250.*.*[4500] to 79.138.*.*[22879] (204 bytes)
May 9 11:50:01	charon: 11[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (60 bytes)
May 9 11:50:01	charon: 11[ENC] parsed QUICK_MODE request 3485755850 [ HASH ]
May 9 11:50:01	charon: 11[KNL] can't install route for 79.138.*.*/32|/0[udp/58918] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic
May 9 11:50:01	charon: 11[IKE] CHILD_SA con2{16} established with SPIs cfa6dc0f_i 0701fd27_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/58918]
May 9 11:50:01	charon: 11[IKE] CHILD_SA con2{16} established with SPIs cfa6dc0f_i 0701fd27_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/58918]
May 9 11:50:11	charon: 11[IKE] sending DPD request
May 9 11:50:11	charon: 11[ENC] generating INFORMATIONAL_V1 request 151035731 [ HASH N(DPD) ]
May 9 11:50:11	charon: 11[NET] sending packet: from 83.250.*.*[4500] to 79.138.*.*[22879] (92 bytes)
May 9 11:50:11	charon: 09[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (92 bytes)
May 9 11:50:11	charon: 09[ENC] parsed INFORMATIONAL_V1 request 97930351 [ HASH N(DPD_ACK) ]
May 9 11:50:21	charon: 09[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (76 bytes)
May 9 11:50:21	charon: 09[ENC] parsed INFORMATIONAL_V1 request 2150739719 [ HASH D ]
May 9 11:50:21	charon: 09[IKE] received DELETE for ESP CHILD_SA with SPI 0701fd27
May 9 11:50:21	charon: 09[IKE] closing CHILD_SA con2{16} with SPIs cfa6dc0f_i (735 bytes) 0701fd27_o (0 bytes) and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/58918]
May 9 11:50:21	charon: 09[IKE] closing CHILD_SA con2{16} with SPIs cfa6dc0f_i (735 bytes) 0701fd27_o (0 bytes) and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/58918]
May 9 11:50:21	charon: 09[KNL] can't install route for 79.138.*.*/32|/0[udp/58918] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic
May 9 11:50:22	charon: 06[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (92 bytes)
May 9 11:50:22	charon: 06[ENC] parsed INFORMATIONAL_V1 request 1029381452 [ HASH D ]
May 9 11:50:22	charon: 06[IKE] received DELETE for IKE_SA con2[21]
May 9 11:50:22	charon: 06[IKE] deleting IKE_SA con2[21] between 83.250.*.*[83.250.*.*]...79.138.*.*[10.133.177.21]
May 9 11:50:22	charon: 06[IKE] deleting IKE_SA con2[21] between 83.250.*.*[83.250.*.*]...79.138.*.*[10.133.177.21]
    0
  • E

    Can you show your configuration?

    0
  • B

    Sorry.
    I'm using this exact(!) config:

    https://doc.pfsense.org/index.php/L2TP/IPsec

    Edit:
    I did revert to my 2.2.1 snapshot, that one still works, but the "conflicts with IKE traffic" is also there, but the log after is different:

    May 12 12:39:23	charon: 05[KNL] can't install route for 79.138.*.*/32|/0[udp/57280] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic
May 12 12:39:23	charon: 05[IKE] CHILD_SA con2{2} established with SPIs ce630aa3_i 03d2ee78_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/57280]
May 12 12:39:23	charon: 05[IKE] CHILD_SA con2{2} established with SPIs ce630aa3_i 03d2ee78_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/57280]
May 12 12:39:26	charon: 05[KNL] interface l2tp0 activated
May 12 12:39:26	charon: 09[KNL] 192.168.42.142 appeared on l2tp0
May 12 12:39:44	charon: 09[IKE] sending DPD request
May 12 12:39:44	charon: 09[ENC] generating INFORMATIONAL_V1 request 286907280 [ HASH N(DPD) ]
May 12 12:39:44	charon: 09[NET] sending packet: from 83.250.*.*[4500] to 79.138.*.*[55263] (92 bytes)
May 12 12:39:45	charon: 09[NET] received packet: from 79.138.*.*[55263] to 83.250.*.*[4500] (92 bytes)
May 12 12:39:45	charon: 09[ENC] parsed INFORMATIONAL_V1 request 2737098688 [ HASH N(DPD_ACK) ]

    Edit 2:
    Ok so I reproduced the error:

    1. Im on 2.2.1 - vpn ok
    2. Use built in ugprader to 2.2.2 + Reboot
    3. VPN does not work anymore

    https://doc.pfsense.org/index.php/2.2.2_New_Features_and_Changes
    I see 6 points of IPSec fixes in the patch notes, one is strongSwan upgrade.

    Strange I'm the first one with this problem…

    I did revert to 2.2.1 for the time beeing.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy