L2TP/IPSEC setup



  • Since I could not get the IKEv2 setup running as desired, I'd like to try IPSEC/L2TP following this guide: https://doc.pfsense.org/index.php/L2TP/IPsec. See my config in the attached screenshots.

    The Windows 7 client tries to establish an IPSEC connection, which seems to fail; therefore no L2TP login is done.

    In the IPSEC log I find the message "no matching CHILD_SA config found", which means a Phase 2 network mismatch according to https://doc.pfsense.org/index.php/IPsec_Troubleshooting, but I cannot find what I am doing wrong. What am I missing?

    Here is the IPSEC log:

    
    May 13 11:33:09 	charon: 11[IKE] <con1|17> IKE_SA con1[17] state change: DELETING => DESTROYING
    May 13 11:33:09 	charon: 11[IKE] <con1|17> IKE_SA con1[17] state change: DELETING => DELETING
    May 13 11:33:09 	charon: 11[IKE] <con1|17> IKE_SA con1[17] state change: ESTABLISHED => DELETING
    May 13 11:33:09 	charon: 11[IKE] <con1|17> deleting IKE_SA con1[17] between ccc.ccc.ccc.ccc[aaa.aaa.aaa.aaa]...bbb.bbb.bbb.bbb[ddd.ddd.ddd.ddd]
    May 13 11:33:09 	charon: 11[IKE] <con1|17> received DELETE for IKE_SA con1[17]
    May 13 11:33:09 	charon: 11[ENC] <con1|17> parsed INFORMATIONAL_V1 request 1548271541 [ HASH D ]
    May 13 11:33:09 	charon: 11[NET] <con1|17> received packet: from bbb.bbb.bbb.bbb[62080] to ccc.ccc.ccc.ccc[4500] (92 bytes)
    May 13 11:33:06 	charon: 11[IKE] <con1|17> received retransmit of request with ID 1, but no response to retransmit
    May 13 11:33:06 	charon: 11[NET] <con1|17> received packet: from bbb.bbb.bbb.bbb[62080] to ccc.ccc.ccc.ccc[4500] (332 bytes)
    May 13 11:33:04 	charon: 11[IKE] <con1|17> nothing to initiate
    May 13 11:33:04 	charon: 11[IKE] <con1|17> activating new tasks
    May 13 11:33:04 	charon: 11[NET] <con1|17> sending packet: from ccc.ccc.ccc.ccc[4500] to bbb.bbb.bbb.bbb[62080] (76 bytes)
    May 13 11:33:04 	charon: 11[ENC] <con1|17> generating INFORMATIONAL_V1 request 411116320 [ HASH N(INVAL_ID) ]
    May 13 11:33:04 	charon: 11[IKE] <con1|17> activating INFORMATIONAL task
    May 13 11:33:04 	charon: 11[IKE] <con1|17> activating new tasks
    May 13 11:33:04 	charon: 11[IKE] <con1|17> queueing INFORMATIONAL task
    May 13 11:33:04 	charon: 11[IKE] <con1|17> no matching CHILD_SA config found
    May 13 11:33:04 	charon: 11[CFG] <con1|17> dynamic
    May 13 11:33:04 	charon: 11[CFG] <con1|17> proposing traffic selectors for other:
    May 13 11:33:04 	charon: 11[CFG] <con1|17> ccc.ccc.ccc.ccc/32|/0
    May 13 11:33:04 	charon: 11[CFG] <con1|17> proposing traffic selectors for us:
    May 13 11:33:04 	charon: 11[CFG] <con1|17> looking for a child config for ccc.ccc.ccc.ccc/32|/0[udp/l2f] === bbb.bbb.bbb.bbb/32|/0[udp/l2f]
    May 13 11:33:04 	charon: 11[IKE] <con1|17> changing received traffic selectors ddd.ddd.ddd.ddd/32|/0[udp/l2f]=== aaa.aaa.aaa.aaa/32|/0[udp/l2f] due to NAT
    May 13 11:33:04 	charon: 11[ENC] <con1|17> parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
    May 13 11:33:04 	charon: 11[NET] <con1|17> received packet: from bbb.bbb.bbb.bbb[62080] to ccc.ccc.ccc.ccc[4500] (332 bytes)
    

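    As an added example that is not part of the original post (and is neither pfSense nor strongSwan code), the Python script below does the triage step the post is stuck on: it pulls the traffic selectors out of charon's "changing received traffic selectors ... due to NAT" and "looking for a child config for A === B" lines and checks them against a list of Phase 2 (child) configs the way the lookup in the log does. The sample log lines are constructed from the post, with RFC 5737 addresses standing in for the aaa/bbb/ccc/ddd placeholders; the two Phase 2 lists are hypothetical and only show how a config without a transport-mode UDP/1701 entry fails the same lookup. The orientation of each selector pair (which side is "us") is inferred from the "proposing traffic selectors for us" and "between ccc[aaa]...bbb[ddd]" lines in the post, not taken from strongSwan's source.

    ```python
    import re
    import ipaddress
    from dataclasses import dataclass
    from typing import Optional

    # Constructed sample lines, modelled on the log in the post above. RFC 5737
    # documentation addresses replace the anonymised placeholders
    # (ccc -> 203.0.113.10, bbb -> 198.51.100.20, ddd -> 192.168.1.50,
    # aaa -> 192.0.2.1); newest line first, as the pfSense log viewer shows it.
    SAMPLE_LOG = """\
    May 13 11:33:04 \tcharon: 11[IKE] <con1|17> no matching CHILD_SA config found
    May 13 11:33:04 \tcharon: 11[CFG] <con1|17> looking for a child config for 203.0.113.10/32|/0[udp/l2f] === 198.51.100.20/32|/0[udp/l2f]
    May 13 11:33:04 \tcharon: 11[IKE] <con1|17> changing received traffic selectors 192.168.1.50/32|/0[udp/l2f]=== 192.0.2.1/32|/0[udp/l2f] due to NAT
    May 13 11:33:04 \tcharon: 11[ENC] <con1|17> parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
    """

    # charon prints port names from /etc/services; "l2f" is 1701/udp, i.e. L2TP.
    PORT_NAMES = {"l2f": 1701}

    TS_RE = re.compile(r"(?P<net>\d+(?:\.\d+){3}/\d+)(?:\|/\d+)?\[(?P<proto>[^/\]]+)/(?P<port>[^\]]+)\]")
    PAIR = r"(?P<first>\S+?)\s*===\s*(?P<second>\S+)"
    LOOKUP_RE = re.compile(r"looking for a child config for " + PAIR)
    NAT_RE = re.compile(r"changing received traffic selectors " + PAIR + r" due to NAT")


    @dataclass(frozen=True)
    class TrafficSelector:
        net: ipaddress.IPv4Network
        proto: str
        port: Optional[int]


    def parse_ts(text: str) -> TrafficSelector:
        """Parse one selector as charon prints it, e.g. '203.0.113.10/32|/0[udp/l2f]'."""
        m = TS_RE.fullmatch(text)
        if not m:
            raise ValueError(f"unrecognised traffic selector: {text!r}")
        p = m["port"]
        port = int(p) if p.isdigit() else PORT_NAMES[p]  # KeyError on an unknown service name
        return TrafficSelector(ipaddress.ip_network(m["net"], strict=False), m["proto"], port)


    def parse_quick_mode(log_text: str):
        """Return (nat_rewrite, lookup) from a charon log excerpt, None for a missing line.
        lookup is the (local, remote) pair charon searched a child config for (local
        first, matching the 'proposing traffic selectors for us' line in the post).
        nat_rewrite is the (peer, local) pair from the client's ID payloads, which
        charon replaced with the outer IKE addresses because the client is NATed."""
        nat_rewrite = lookup = None
        for line in log_text.splitlines():
            m = NAT_RE.search(line)
            if m:
                nat_rewrite = (parse_ts(m["first"]), parse_ts(m["second"]))
            m = LOOKUP_RE.search(line)
            if m:
                lookup = (parse_ts(m["first"]), parse_ts(m["second"]))
        return nat_rewrite, lookup


    @dataclass(frozen=True)
    class ChildCfg:
        """One Phase 2 entry in pfSense terms: Mode, Local Network, Remote Network."""
        name: str
        mode: str                   # "tunnel" or "transport"
        local: str                  # CIDR; for transport mode the firewall's own address
        remote: str
        proto: str = "any"
        port: Optional[int] = None  # None: any port


    def covers(cfg: ChildCfg, cfg_net: str, ts: TrafficSelector) -> bool:
        """True if the config's selector (cfg_net plus its proto/port) contains ts."""
        return (ts.net.subnet_of(ipaddress.ip_network(cfg_net))
                and cfg.proto in ("any", ts.proto)
                and cfg.port in (None, ts.port))


    def find_child_cfg(cfgs, lookup):
        """Mirror the lookup charon logs as 'looking for a child config for L === R':
        a config matches when it covers both the local and the remote selector.
        Returns (match_or_None, reasons) with one rejection reason per failed config."""
        local, remote = lookup
        reasons = []
        for cfg in cfgs:
            problems = []
            if not covers(cfg, cfg.local, local):
                problems.append(f"local {cfg.local} [{cfg.proto}/{cfg.port}] does not cover "
                                f"{local.net} [{local.proto}/{local.port}]")
            if not covers(cfg, cfg.remote, remote):
                problems.append(f"remote {cfg.remote} [{cfg.proto}/{cfg.port}] does not cover "
                                f"{remote.net} [{remote.proto}/{remote.port}]")
            if not problems:
                return cfg, reasons
            reasons.append(f"{cfg.name} ({cfg.mode}): " + "; ".join(problems))
        return None, reasons


    # Hypothetical Phase 2 lists, not the poster's configuration. The first has only a
    # tunnel-mode LAN entry, so the host-to-host UDP/1701 selectors in the log match
    # nothing; the second adds a transport-mode entry on the WAN address for UDP/1701.
    MISMATCHED_CFGS = [ChildCfg("lan-tunnel", "tunnel", "10.0.0.0/24", "0.0.0.0/0")]
    L2TP_CFGS = MISMATCHED_CFGS + [
        ChildCfg("l2tp-transport", "transport", "203.0.113.10/32", "0.0.0.0/0", "udp", 1701),
    ]

    if __name__ == "__main__":
        nat, lookup = parse_quick_mode(SAMPLE_LOG)
        print("client sent IDs  :", nat[0].net, "===", nat[1].net)
        print("charon looked for:", lookup[0], "===", lookup[1])
        for cfgs in (MISMATCHED_CFGS, L2TP_CFGS):
            match, reasons = find_child_cfg(cfgs, lookup)
            print("match:", match.name if match else "none", *reasons, sep="\n  ")
    ```

    Feed it your own IPsec log instead of the constructed sample and compare the "looking for" pair it prints with the Phase 2 entries in the pfSense GUI: the `[udp/l2f]` suffix is charon's rendering of UDP port 1701, so whatever entry is meant to serve L2TP has to cover the WAN address on that port for the rewritten (outer) peer address, not for the client's private address that the NAT line shows.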





  • May 13 11:33:04 charon: 11[IKE] <con1|17> changing received traffic selectors ddd.ddd.ddd.ddd/32|/0[udp/l2f]=== aaa.aaa.aaa.aaa/32|/0[udp/l2f] due to NAT

    You notice that, right?



  • You mean aaa.aaa.aaa.aaa and so on?
    These are only for anonymizing; the log contains the correct IPs.


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy