Netgate Discussion Forum
    L2TP/IPSEC setup

    tripaicr

      Since I could not get the IKEv2 setup running as desired, I'd like to try with IPSEC/L2TP following this guide: https://doc.pfsense.org/index.php/L2TP/IPsec. See my config in the attached screenshots.

      The Windows 7 client tries to establish an IPSEC connection which seems to fail, therefore no L2TP login is done.

      In the IPSEC log I find the message "no matching CHILD_SA config found", which means a Phase 2 Network Mismatch according to https://doc.pfsense.org/index.php/IPsec_Troubleshooting, but I cannot find what I am doing wrong. What am I missing?

      Here is the IPSEC log:

      May 13 11:33:09 charon: 11[IKE] <con1|17>IKE_SA con1[17] state change: DELETING => DESTROYING
      May 13 11:33:09 charon: 11[IKE] <con1|17>IKE_SA con1[17] state change: DELETING => DELETING
      May 13 11:33:09 charon: 11[IKE] <con1|17>IKE_SA con1[17] state change: ESTABLISHED => DELETING
      May 13 11:33:09 charon: 11[IKE] <con1|17>deleting IKE_SA con1[17] between ccc.ccc.ccc.ccc[aaa.aaa.aaa.aaa]...bbb.bbb.bbb.bbb[ddd.ddd.ddd.ddd]
      May 13 11:33:09 charon: 11[IKE] <con1|17>received DELETE for IKE_SA con1[17]
      May 13 11:33:09 charon: 11[ENC] <con1|17>parsed INFORMATIONAL_V1 request 1548271541 [ HASH D ]
      May 13 11:33:09 charon: 11[NET] <con1|17>received packet: from bbb.bbb.bbb.bbb[62080] to ccc.ccc.ccc.ccc[4500] (92 bytes)
      May 13 11:33:06 charon: 11[IKE] <con1|17>received retransmit of request with ID 1, but no response to retransmit
      May 13 11:33:06 charon: 11[NET] <con1|17>received packet: from bbb.bbb.bbb.bbb[62080] to ccc.ccc.ccc.ccc[4500] (332 bytes)
      May 13 11:33:04 charon: 11[IKE] <con1|17>nothing to initiate
      May 13 11:33:04 charon: 11[IKE] <con1|17>activating new tasks
      May 13 11:33:04 charon: 11[NET] <con1|17>sending packet: from ccc.ccc.ccc.ccc[4500] to bbb.bbb.bbb.bbb[62080] (76 bytes)
      May 13 11:33:04 charon: 11[ENC] <con1|17>generating INFORMATIONAL_V1 request 411116320 [ HASH N(INVAL_ID) ]
      May 13 11:33:04 charon: 11[IKE] <con1|17>activating INFORMATIONAL task
      May 13 11:33:04 charon: 11[IKE] <con1|17>activating new tasks
      May 13 11:33:04 charon: 11[IKE] <con1|17>queueing INFORMATIONAL task
      May 13 11:33:04 charon: 11[IKE] <con1|17>no matching CHILD_SA config found
      May 13 11:33:04 charon: 11[CFG] <con1|17>dynamic
      May 13 11:33:04 charon: 11[CFG] <con1|17>proposing traffic selectors for other:
      May 13 11:33:04 charon: 11[CFG] <con1|17>ccc.ccc.ccc.ccc/32|/0
      May 13 11:33:04 charon: 11[CFG] <con1|17>proposing traffic selectors for us:
      May 13 11:33:04 charon: 11[CFG] <con1|17>looking for a child config for ccc.ccc.ccc.ccc/32|/0[udp/l2f] === bbb.bbb.bbb.bbb/32|/0[udp/l2f]
      May 13 11:33:04 charon: 11[IKE] <con1|17>changing received traffic selectors ddd.ddd.ddd.ddd/32|/0[udp/l2f]=== aaa.aaa.aaa.aaa/32|/0[udp/l2f] due to NAT
      May 13 11:33:04 charon: 11[ENC] <con1|17>parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
      May 13 11:33:04 charon: 11[NET] <con1|17>received packet: from bbb.bbb.bbb.bbb[62080] to ccc.ccc.ccc.ccc[4500] (332 bytes)

      Attachments: l2tp1.png, l2tp2.png (screenshots of the IPsec configuration)

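An added triage helper, written for this thread and not taken from pfSense or strongSwan: it replays the Quick Mode child-config lookup from charon log lines like the ones above, extracts the selectors the responder searched for after the NAT rewrite and the Phase 2 selectors it had configured, and reports which side fails to cover the request. The sample log is constructed with RFC 5737 documentation addresses in place of the anonymized ones; `udp/l2f` is charon's service-name rendering of UDP port 1701 (L2TP), and the config-covering rule (a plain address or `dynamic` selector may be narrowed to a protocol/port-specific one) is an assumption of this helper.

```python
import ipaddress
import re

# Constructed sample in the pfSense IPsec-log layout (newest line first), modelled on the
# thread's log; addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
May 13 11:33:04 charon: 11[IKE] <con1|17>no matching CHILD_SA config found
May 13 11:33:04 charon: 11[CFG] <con1|17>dynamic
May 13 11:33:04 charon: 11[CFG] <con1|17>proposing traffic selectors for other:
May 13 11:33:04 charon: 11[CFG] <con1|17>203.0.113.1/32|/0
May 13 11:33:04 charon: 11[CFG] <con1|17>proposing traffic selectors for us:
May 13 11:33:04 charon: 11[CFG] <con1|17>looking for a child config for 203.0.113.1/32|/0[udp/l2f] === 198.51.100.7/32|/0[udp/l2f]
May 13 11:33:04 charon: 11[IKE] <con1|17>changing received traffic selectors 192.168.1.20/32|/0[udp/l2f]=== 203.0.113.1/32|/0[udp/l2f] due to NAT
"""
MSG_RE = re.compile(r"charon: \d+\[\w+\] <[^>]*>\s*(.*?)\s*$")  # text after the <conn|id> tag
TS_RE = re.compile(r"(\S+?)/(\d+)\|/0(?:\[(\w+)/(\w+)\])?")     # net/len|/0[proto/port]

def parse_ts(text):
    """Turn a charon selector ('203.0.113.1/32|/0[udp/l2f]' or 'dynamic') into a dict."""
    if text == "dynamic":  # a dynamic remote selector accepts any peer address
        return {"net": None, "proto": None, "port": None}
    m = TS_RE.fullmatch(text)
    return None if not m else {"net": ipaddress.ip_network(f"{m[1]}/{m[2]}"), "proto": m[3], "port": m[4]}

def covers(cfg, wanted):
    """True if the configured selector can be narrowed to the one the peer asked for."""
    if cfg["net"] is not None and not wanted["net"].subnet_of(cfg["net"]):
        return False
    return cfg["proto"] in (None, wanted["proto"]) and cfg["port"] in (None, wanted["port"])

def triage(log):
    """Replay the Quick Mode child-config lookup and report which Phase 2 side failed."""
    res = {"nat_rewrite": None, "requested": None, "us": [], "other": []}
    side = None
    for msg in (m[1] for m in map(MSG_RE.search, reversed(log.splitlines())) if m):
        if msg.startswith("changing received traffic selectors"):
            res["nat_rewrite"] = msg  # the client sits behind NAT; charon rewrote its selectors
        elif msg.startswith("looking for a child config for "):
            res["requested"] = tuple(parse_ts(t) for t in msg.rsplit(" for ", 1)[1].split(" === "))
        elif msg.startswith("proposing traffic selectors for us"):
            side = "us"
        elif msg.startswith("proposing traffic selectors for other"):
            side = "other"
        elif side and (ts := parse_ts(msg)):
            res[side].append(ts)
        else:
            side = None  # any other message ends the selector listing
    res["local_ok"] = any(covers(c, res["requested"][0]) for c in res["us"])
    res["remote_ok"] = any(covers(c, res["requested"][1]) for c in res["other"])
    return res
```

A `local_ok` of False means the Phase 2 local network does not contain the address the client actually reached (the NAT-rewritten one), which is the classic cause of this message. When both sides come back True, as with the thread's own selectors, the addresses are not the mismatch and the rest of the Phase 2 (mode, proposals) is the next thing to compare.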
      eri--

        May 13 11:33:04 charon: 11[IKE] <con1|17>changing received traffic selectors ddd.ddd.ddd.ddd/32|/0[udp/l2f]=== aaa.aaa.aaa.aaa/32|/0[udp/l2f] due to NAT

        You notice that, right?

        tripaicr

          You mean aaa.aaa.aaa.aaa and so on?
          These are only for anonymizing; the log contains the correct IPs.
