2.2.2 L2TP/IPsec not working (OS X and iOS clients)



  • Hello,

    I'm attempting to set up an L2TP/IPsec VPN configuration with the intent to use it for OS X and iOS clients.

    I'm following this guide: https://doc.pfsense.org/index.php/L2TP/IPsec

    On my clients, after attempting a connection, I get an error that the server did not respond.

    Logs from the client:

    May 10 17:47:14 Ares.local racoon[2379]: accepted connection on vpn control socket.
    May 10 17:47:14 Ares.local racoon[2379]: Connecting.
    May 10 17:47:14 Ares.local racoon[2379]: IPSec Phase 1 started (Initiated by me).
    May 10 17:47:14 Ares.local racoon[2379]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
    May 10 17:47:14 Ares.local racoon[2379]: >>>>> phase change status = Phase 1 started by us
    May 10 17:47:14 Ares.local racoon[2379]: none message must be encrypted
    May 10 17:47:17 Ares.local racoon[2379]: IKE Packet: transmit success. (Phase 1 Retransmit).
    May 10 17:47:18 Ares.local racoon[2379]: none message must be encrypted
    May 10 17:47:20 Ares.local racoon[2379]: IKE Packet: transmit success. (Phase 1 Retransmit).
    May 10 17:47:20 Ares.local racoon[2379]: none message must be encrypted
    May 10 17:47:24 Ares.local racoon[2379]: IKE Packet: transmit success. (Phase 1 Retransmit).
    May 10 17:47:24 Ares.local racoon[2379]: none message must be encrypted
    May 10 17:47:24 Ares.local racoon[2379]: IPSec disconnecting from server 69.245.176.205

    Logs from the server:

    May 10 17:57:44 charon: 15[IKE] <7> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    May 10 17:57:44 charon: 15[IKE] <7> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    May 10 17:57:44 charon: 15[IKE] <7> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    May 10 17:57:44 charon: 15[IKE] <7> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    May 10 17:57:44 charon: 15[IKE] <7> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    May 10 17:57:44 charon: 15[IKE] <7> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    May 10 17:57:44 charon: 15[IKE] <7> received DPD vendor ID
    May 10 17:57:44 charon: 15[IKE] <7> received DPD vendor ID
    May 10 17:57:44 charon: 15[IKE] <7> 70.194.101.18 is initiating a Aggressive Mode IKE_SA
    May 10 17:57:44 charon: 15[IKE] <7> 70.194.101.18 is initiating a Aggressive Mode IKE_SA
    May 10 17:57:44 charon: 15[CFG] <7> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    May 10 17:57:44 charon: 15[CFG] <7> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    May 10 17:57:44 charon: 15[IKE] <7> no proposal found
    May 10 17:57:44 charon: 15[IKE] <7> no proposal found
    May 10 17:57:44 charon: 15[ENC] <7> generating INFORMATIONAL_V1 request 3443684692 [ N(NO_PROP) ]
    May 10 17:57:44 charon: 15[NET] <7> sending packet: from 69.245.176.205[500] to 70.194.101.18[8255] (56 bytes)
    May 10 17:57:47 charon: 15[NET] <8> received packet: from 70.194.101.18[8255] to 69.245.176.205[500] (663 bytes)
    May 10 17:57:47 charon: 15[ENC] <8> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V ]
    May 10 17:57:47 charon: 15[IKE] <8> received FRAGMENTATION vendor ID
    May 10 17:57:47 charon: 15[IKE] <8> received FRAGMENTATION vendor ID
    May 10 17:57:47 charon: 15[IKE] <8> received NAT-T (RFC 3947) vendor ID
    May 10 17:57:47 charon: 15[IKE] <8> received NAT-T (RFC 3947) vendor ID
    May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike vendor ID
    May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike vendor ID
    May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    May 10 17:57:47 charon: 15[IKE] <8> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    May 10 17:57:47 charon: 15[IKE] <8> received DPD vendor ID
    May 10 17:57:47 charon: 15[IKE] <8> received DPD vendor ID
    May 10 17:57:47 charon: 15[IKE] <8> 70.194.101.18 is initiating a Aggressive Mode IKE_SA
    May 10 17:57:47 charon: 15[IKE] <8> 70.194.101.18 is initiating a Aggressive Mode IKE_SA
    May 10 17:57:47 charon: 15[CFG] <8> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    May 10 17:57:47 charon: 15[CFG] <8> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    May 10 17:57:47 charon: 15[IKE] <8> no proposal found
    May 10 17:57:47 charon: 15[IKE] <8> no proposal found
    May 10 17:57:47 charon: 15[ENC] <8> generating INFORMATIONAL_V1 request 3406957689 [ N(NO_PROP) ]
    May 10 17:57:47 charon: 15[NET] <8> sending packet: from 69.245.176.205[500] to 70.194.101.18[8255] (56 bytes)

    Any ideas what I might be doing wrong?



  • Ok, I think I've got it somewhat sorted. I had a mismatch on proposals.

    May 10 17:57:44  charon: 15[CFG] <7> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    May 10 17:57:44  charon: 15[CFG] <7> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048

    I was able to switch my DH key group from 4 (2048 bit) to 2 (1024 bit) and now I'm getting a successful connection.

    It looks like DNS isn't working right, but I think I can get that sorted. Hopefully this helps someone else!

    EDIT: DNS is working just fine (verified via nslookup on OS X client), and I can ping hosts on the network, but I can't access those hosts via a web browser, nor can I access the internet once I'm connected via VPN.

    I don't think it's outbound NAT, as I have that set to automatic generation and I can see the VPN subnet in the rules. What else could it be?
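A small log-triage script, added here as an example and not code from the thread, pfSense or strongSwan: it parses charon lines in the format quoted in the posts, groups them by the `<n>` IKE_SA tag, and for every SA that ended in "no proposal found" reports which of the four proposal attributes (encryption, integrity, PRF, DH group) the client offered nothing the server accepts. Run against lines like the ones in the first post it points straight at the DH group (MODP_1024 offered, MODP_2048 configured), which is the mismatch the second post found by eye. The sample log lines and the 192.0.2.x addresses are constructed for this example.

```python
"""Spot IKEv1 proposal mismatches in strongSwan charon logs.

Example added for this thread; not pfSense or strongSwan code. The log lines
below are constructed to mirror the format quoted in the post, with
documentation-range placeholder addresses.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Attribute order in a charon IKEv1 proposal string "IKE:ENC/INTEG/PRF/DH".
FIELDS = ("encryption", "integrity", "prf", "dh_group")

# Charon syslog format as seen in the thread; tolerant of extra spaces.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+charon:\s+"
    r"\d+\[(?P<sub>[A-Z]+)\]\s+<(?P<sa>\d+)>\s+(?P<msg>.*)$"
)

# Constructed sample: SA 7 mirrors the post (DH group gap), SA 8 succeeds,
# SA 9 differs in integrity/PRF, SA 11 overlaps per attribute but has no full match.
SAMPLE_LOG = """\
May 10 17:57:44 charon: 15[IKE] <7> 192.0.2.10 is initiating a Aggressive Mode IKE_SA
May 10 17:57:44 charon: 15[CFG] <7> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 10 17:57:44 charon: 15[CFG] <7> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
May 10 17:57:44 charon: 15[IKE] <7> no proposal found
May 10 17:58:01 charon: 16[IKE] <8> 192.0.2.11 is initiating a Aggressive Mode IKE_SA
May 10 17:58:01 charon: 16[CFG] <8> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
May 10 17:58:01 charon: 16[CFG] <8> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
May 10 17:58:01 charon: 16[CFG] <8> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
May 10 17:58:30 charon: 16[IKE] <9> 192.0.2.12 is initiating a Aggressive Mode IKE_SA
May 10 17:58:30 charon: 16[CFG] <9> received proposals: IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048
May 10 17:58:30 charon: 16[CFG] <9> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
May 10 17:58:30 charon: 16[IKE] <9> no proposal found
May 10 17:59:02 charon: 16[IKE] <11> 192.0.2.13 is initiating a Aggressive Mode IKE_SA
May 10 17:59:02 charon: 16[CFG] <11> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
May 10 17:59:02 charon: 16[CFG] <11> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
May 10 17:59:02 charon: 16[IKE] <11> no proposal found
"""


def parse_proposal_list(text: str) -> List[Dict[str, str]]:
    """Turn 'IKE:ENC/INTEG/PRF/DH, IKE:...' into one dict per proposal."""
    proposals = []
    for item in text.split(","):
        item = item.strip()
        if not item.startswith("IKE:"):
            continue
        parts = item[4:].split("/")
        if len(parts) != len(FIELDS):  # AEAD proposals omit the integrity slot; skip those
            continue
        proposals.append(dict(zip(FIELDS, parts)))
    return proposals


def collect_sa_events(log_text: str) -> Dict[str, dict]:
    """Group proposal lines and the failure marker by IKE_SA id (the <n> tag)."""
    sas = defaultdict(lambda: {"peer": None, "received": [], "configured": [], "failed": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev, msg = sas[m.group("sa")], m.group("msg")
        if msg.startswith("received proposals: "):
            ev["received"] = parse_proposal_list(msg[len("received proposals: "):])
        elif msg.startswith("configured proposals: "):
            ev["configured"] = parse_proposal_list(msg[len("configured proposals: "):])
        elif msg == "no proposal found":
            ev["failed"] = True
        elif " is initiating a" in msg:
            ev["peer"] = msg.split()[0]
    return dict(sas)


def mismatched_fields(received, configured) -> List[str]:
    """Attributes for which nothing the peer offered appears in any configured proposal."""
    return [f for f in FIELDS
            if not ({p[f] for p in received} & {p[f] for p in configured})]


def diagnose(log_text: str) -> Dict[str, dict]:
    """Report every IKE_SA that failed with 'no proposal found' and where the gap is."""
    report = {}
    for sa, ev in collect_sa_events(log_text).items():
        if not ev["failed"]:
            continue
        report[sa] = {
            "peer": ev["peer"],
            "mismatched_fields": mismatched_fields(ev["received"], ev["configured"]),
            # True only if some offered proposal equals a configured one in all four attributes
            "exact_match": any(r == c for r in ev["received"] for c in ev["configured"]),
            "offered": {f: sorted({p[f] for p in ev["received"]}) for f in FIELDS},
            "configured": {f: sorted({p[f] for p in ev["configured"]}) for f in FIELDS},
        }
    return report


if __name__ == "__main__":
    for sa, r in diagnose(SAMPLE_LOG).items():
        gap = r["mismatched_fields"] or "no single full proposal"
        print(f"IKE_SA <{sa}> from {r['peer']}: mismatch on {gap}")
        for f in FIELDS:
            print(f"  {f:<11} offered={r['offered'][f]} configured={r['configured'][f]}")
```

The per-attribute comparison is a heuristic: when every attribute overlaps somewhere but no single offered proposal matches a configured one in all four (SA 11 in the sample), the report has an empty mismatch list with `exact_match` false, and the full proposal strings need reading side by side. The script only locates the gap; which side to change is a policy choice. In the thread it was closed by lowering the server's DH group to 2 (1024-bit), the only group the OS X client offered.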