2.2.2 L2TP/IPsec stopped working

basse

Hello!

After upgrading to 2.2.2 from 2.2, my L2TP/IPSec setup stopped working.
The connecting device only says "The L2TP-server did not respond".

Looking in the IPSec-logs in pfsense, this is the only line that seems odd to me:

charon: 16[KNL] can't install route for 79.138.*.*/32|/0[udp/65198] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic

Whats wrong? This is driving me crazy!

Edit: Full log:

May 9 11:49:59	charon: 03[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May 9 11:49:59	charon: 03[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
May 9 11:49:59	charon: 03[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 9 11:49:59	charon: 03[IKE] received FRAGMENTATION vendor ID
May 9 11:49:59	charon: 03[IKE] received DPD vendor ID
May 9 11:49:59	charon: 03[IKE] 79.138.*.* is initiating a Main Mode IKE_SA
May 9 11:49:59	charon: 03[IKE] 79.138.*.* is initiating a Main Mode IKE_SA
May 9 11:49:59	charon: 03[ENC] generating ID_PROT response 0 [ SA V V V V ]
May 9 11:49:59	charon: 03[NET] sending packet: from 83.250.*.*[500] to 79.138.*.*[22902] (160 bytes)
May 9 11:50:00	charon: 09[NET] received packet: from 79.138.*.*[22902] to 83.250.*.*[500] (228 bytes)
May 9 11:50:00	charon: 09[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
May 9 11:50:00	charon: 09[IKE] remote host is behind NAT
May 9 11:50:00	charon: 09[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
May 9 11:50:00	charon: 09[NET] sending packet: from 83.250.*.*[500] to 79.138.*.*[22902] (244 bytes)
May 9 11:50:00	charon: 09[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (108 bytes)
May 9 11:50:00	charon: 09[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
May 9 11:50:00	charon: 09[CFG] looking for pre-shared key peer configs matching 83.250.*.*...79.138.*.*[10.133.177.21]
May 9 11:50:00	charon: 09[CFG] selected peer config "con2"
May 9 11:50:00	charon: 09[IKE] IKE_SA con2[21] established between 83.250.*.*[83.250.*.*]...79.138.*.*[10.133.177.21]
May 9 11:50:00	charon: 09[IKE] IKE_SA con2[21] established between 83.250.*.*[83.250.*.*]...79.138.*.*[10.133.177.21]
May 9 11:50:00	charon: 09[IKE] scheduling reauthentication in 27982s
May 9 11:50:00	charon: 09[IKE] maximum IKE_SA lifetime 28522s
May 9 11:50:00	charon: 09[ENC] generating ID_PROT response 0 [ ID HASH ]
May 9 11:50:00	charon: 09[NET] sending packet: from 83.250.*.*[4500] to 79.138.*.*[22879] (76 bytes)
May 9 11:50:01	charon: 11[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (316 bytes)
May 9 11:50:01	charon: 11[ENC] parsed QUICK_MODE request 3485755850 [ HASH SA No ID ID NAT-OA NAT-OA ]
May 9 11:50:01	charon: 11[IKE] expected IPComp proposal but peer did not send one, IPComp disabled
May 9 11:50:01	charon: 11[ENC] generating QUICK_MODE response 3485755850 [ HASH SA No ID ID NAT-OA NAT-OA ]
May 9 11:50:01	charon: 11[NET] sending packet: from 83.250.*.*[4500] to 79.138.*.*[22879] (204 bytes)
May 9 11:50:01	charon: 11[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (60 bytes)
May 9 11:50:01	charon: 11[ENC] parsed QUICK_MODE request 3485755850 [ HASH ]
May 9 11:50:01	charon: 11[KNL] can't install route for 79.138.*.*/32|/0[udp/58918] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic
May 9 11:50:01	charon: 11[IKE] CHILD_SA con2{16} established with SPIs cfa6dc0f_i 0701fd27_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/58918]
May 9 11:50:01	charon: 11[IKE] CHILD_SA con2{16} established with SPIs cfa6dc0f_i 0701fd27_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/58918]
May 9 11:50:11	charon: 11[IKE] sending DPD request
May 9 11:50:11	charon: 11[ENC] generating INFORMATIONAL_V1 request 151035731 [ HASH N(DPD) ]
May 9 11:50:11	charon: 11[NET] sending packet: from 83.250.*.*[4500] to 79.138.*.*[22879] (92 bytes)
May 9 11:50:11	charon: 09[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (92 bytes)
May 9 11:50:11	charon: 09[ENC] parsed INFORMATIONAL_V1 request 97930351 [ HASH N(DPD_ACK) ]
May 9 11:50:21	charon: 09[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (76 bytes)
May 9 11:50:21	charon: 09[ENC] parsed INFORMATIONAL_V1 request 2150739719 [ HASH D ]
May 9 11:50:21	charon: 09[IKE] received DELETE for ESP CHILD_SA with SPI 0701fd27
May 9 11:50:21	charon: 09[IKE] closing CHILD_SA con2{16} with SPIs cfa6dc0f_i (735 bytes) 0701fd27_o (0 bytes) and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/58918]
May 9 11:50:21	charon: 09[IKE] closing CHILD_SA con2{16} with SPIs cfa6dc0f_i (735 bytes) 0701fd27_o (0 bytes) and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/58918]
May 9 11:50:21	charon: 09[KNL] can't install route for 79.138.*.*/32|/0[udp/58918] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic
May 9 11:50:22	charon: 06[NET] received packet: from 79.138.*.*[22879] to 83.250.*.*[4500] (92 bytes)
May 9 11:50:22	charon: 06[ENC] parsed INFORMATIONAL_V1 request 1029381452 [ HASH D ]
May 9 11:50:22	charon: 06[IKE] received DELETE for IKE_SA con2[21]
May 9 11:50:22	charon: 06[IKE] deleting IKE_SA con2[21] between 83.250.*.*[83.250.*.*]...79.138.*.*[10.133.177.21]
May 9 11:50:22	charon: 06[IKE] deleting IKE_SA con2[21] between 83.250.*.*[83.250.*.*]...79.138.*.*[10.133.177.21]

eri--

Can you show your configuration?

basse

Sorry.
I'm using this exact(!) config:

https://doc.pfsense.org/index.php/L2TP/IPsec

Edit:
I did revert to my 2.2.1 snapshot, that one still works, but the "conflicts with IKE traffic" is also there, but the log after is different:

May 12 12:39:23	charon: 05[KNL] can't install route for 79.138.*.*/32|/0[udp/57280] === 83.250.*.*/32|/0[udp/l2f] in, conflicts with IKE traffic
May 12 12:39:23	charon: 05[IKE] CHILD_SA con2{2} established with SPIs ce630aa3_i 03d2ee78_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/57280]
May 12 12:39:23	charon: 05[IKE] CHILD_SA con2{2} established with SPIs ce630aa3_i 03d2ee78_o and TS 83.250.*.*/32|/0[udp/l2f] === 79.138.*.*/32|/0[udp/57280]
May 12 12:39:26	charon: 05[KNL] interface l2tp0 activated
May 12 12:39:26	charon: 09[KNL] 192.168.42.142 appeared on l2tp0
May 12 12:39:44	charon: 09[IKE] sending DPD request
May 12 12:39:44	charon: 09[ENC] generating INFORMATIONAL_V1 request 286907280 [ HASH N(DPD) ]
May 12 12:39:44	charon: 09[NET] sending packet: from 83.250.*.*[4500] to 79.138.*.*[55263] (92 bytes)
May 12 12:39:45	charon: 09[NET] received packet: from 79.138.*.*[55263] to 83.250.*.*[4500] (92 bytes)
May 12 12:39:45	charon: 09[ENC] parsed INFORMATIONAL_V1 request 2737098688 [ HASH N(DPD_ACK) ]

Edit 2:
Ok so I reproduced the error:

Im on 2.2.1 - vpn ok
Use built in ugprader to 2.2.2 + Reboot
VPN does not work anymore

https://doc.pfsense.org/index.php/2.2.2_New_Features_and_Changes
I see 6 points of IPSec fixes in the patch notes, one is strongSwan upgrade.

Strange I'm the first one with this problem…

I did revert to 2.2.1 for the time beeing.

2.2.2 L2TP/IPsec stopped working

Products

Applications

Support

Services

News

Resources

Company

Our Mission

Subscribe to our Newsletter