L2TP/IPSEC setup
-
Since I could not get the IKEv2 setup running as desired, I'd like to try with IPSEC/L2TP following this guide: https://doc.pfsense.org/index.php/L2TP/IPsec. See my config in the attached screenshots.
The Windows 7 client tries to establish an IPSEC connection, which seems to fail, so no L2TP login takes place.
In the IPSEC log I find the message "no matching CHILD_SA config found", which according to https://doc.pfsense.org/index.php/IPsec_Troubleshooting means a Phase 2 network mismatch, but I cannot find what I am doing wrong. What am I missing?
Here is the IPSEC log:
May 13 11:33:09 charon: 11[IKE] <con1|17> IKE_SA con1[17] state change: DELETING => DESTROYING
May 13 11:33:09 charon: 11[IKE] <con1|17> IKE_SA con1[17] state change: DELETING => DELETING
May 13 11:33:09 charon: 11[IKE] <con1|17> IKE_SA con1[17] state change: ESTABLISHED => DELETING
May 13 11:33:09 charon: 11[IKE] <con1|17> deleting IKE_SA con1[17] between ccc.ccc.ccc.ccc[aaa.aaa.aaa.aaa]...bbb.bbb.bbb.bbb[ddd.ddd.ddd.ddd]
May 13 11:33:09 charon: 11[IKE] <con1|17> received DELETE for IKE_SA con1[17]
May 13 11:33:09 charon: 11[ENC] <con1|17> parsed INFORMATIONAL_V1 request 1548271541 [ HASH D ]
May 13 11:33:09 charon: 11[NET] <con1|17> received packet: from bbb.bbb.bbb.bbb[62080] to ccc.ccc.ccc.ccc[4500] (92 bytes)
May 13 11:33:06 charon: 11[IKE] <con1|17> received retransmit of request with ID 1, but no response to retransmit
May 13 11:33:06 charon: 11[NET] <con1|17> received packet: from bbb.bbb.bbb.bbb[62080] to ccc.ccc.ccc.ccc[4500] (332 bytes)
May 13 11:33:04 charon: 11[IKE] <con1|17> nothing to initiate
May 13 11:33:04 charon: 11[IKE] <con1|17> activating new tasks
May 13 11:33:04 charon: 11[NET] <con1|17> sending packet: from ccc.ccc.ccc.ccc[4500] to bbb.bbb.bbb.bbb[62080] (76 bytes)
May 13 11:33:04 charon: 11[ENC] <con1|17> generating INFORMATIONAL_V1 request 411116320 [ HASH N(INVAL_ID) ]
May 13 11:33:04 charon: 11[IKE] <con1|17> activating INFORMATIONAL task
May 13 11:33:04 charon: 11[IKE] <con1|17> activating new tasks
May 13 11:33:04 charon: 11[IKE] <con1|17> queueing INFORMATIONAL task
May 13 11:33:04 charon: 11[IKE] <con1|17> no matching CHILD_SA config found
May 13 11:33:04 charon: 11[CFG] <con1|17>  dynamic
May 13 11:33:04 charon: 11[CFG] <con1|17> proposing traffic selectors for other:
May 13 11:33:04 charon: 11[CFG] <con1|17>  ccc.ccc.ccc.ccc/32|/0
May 13 11:33:04 charon: 11[CFG] <con1|17> proposing traffic selectors for us:
May 13 11:33:04 charon: 11[CFG] <con1|17> looking for a child config for ccc.ccc.ccc.ccc/32|/0[udp/l2f] === bbb.bbb.bbb.bbb/32|/0[udp/l2f]
May 13 11:33:04 charon: 11[IKE] <con1|17> changing received traffic selectors ddd.ddd.ddd.ddd/32|/0[udp/l2f]=== aaa.aaa.aaa.aaa/32|/0[udp/l2f] due to NAT
May 13 11:33:04 charon: 11[ENC] <con1|17> parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
May 13 11:33:04 charon: 11[NET] <con1|17> received packet: from bbb.bbb.bbb.bbb[62080] to ccc.ccc.ccc.ccc[4500] (332 bytes)
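The lines that matter for a "no matching CHILD_SA config found" are the Quick Mode ones: what the client proposed, what charon rewrote it to because of NAT ("changing received traffic selectors ... due to NAT"), and the configured selectors charon then tried to match ("proposing traffic selectors for us:" / "for other:"). As an added example (not part of the post, and not pfSense or strongSwan code), here is a small Python 3 script that pulls those two sides out of charon log text and lists where they differ. The sample log is constructed from the anonymised lines above and reproduces the pfSense log viewer quirks visible in the post (newest entry first, every line printed twice). Two things are assumptions, marked in the comments: the local/remote orientation of the two log lines is read off this log (the server address ccc comes first in "looking for a child config" and the client address ddd comes first in "changing received"), and a configured `dynamic` selector is treated as standing for the IKE peer's address. The script only reports differences; it does not decide which of them charon treats as fatal.

```python
"""Added example (not from the post, pfSense or strongSwan): show both sides of a charon Phase 2 lookup."""
import re
from typing import Dict, List, NamedTuple


class TS(NamedTuple):
    """Traffic selector as charon prints it; proto/port are 'any' when absent."""
    net: str    # "ccc.ccc.ccc.ccc/32", or the literal "dynamic" (assumed: the IKE peer's address)
    proto: str
    port: str

    def __str__(self) -> str:
        return f"{self.net}[{self.proto}/{self.port}]"


LINE_RE = re.compile(r"charon: \d+\[\w+\] <[^>]+>\s*(?P<msg>.*)$")
TS_RE = re.compile(r"^(?P<net>dynamic|[\w.:]+/\d+)(?:\|/\d+)?(?:\[(?P<proto>\w+)/(?P<port>\w+)\])?$")
NAT_RE = re.compile(r"changing received traffic selectors ([^\s=]+)\s*===\s*(\S+) due to NAT")
LOOKUP_RE = re.compile(r"looking for a child config for ([^\s=]+)\s*===\s*(\S+)")

# Constructed sample: the Quick Mode lines from the post (anonymised addresses kept, the
# space after "<con1|17>" that the forum rendering swallowed restored), emitted the way
# the pfSense log viewer showed them in the post: newest first and every line twice.
_CHRONOLOGICAL = [
    "May 13 11:33:04 charon: 11[ENC] <con1|17> parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]",
    "May 13 11:33:04 charon: 11[IKE] <con1|17> changing received traffic selectors "
    "ddd.ddd.ddd.ddd/32|/0[udp/l2f]=== aaa.aaa.aaa.aaa/32|/0[udp/l2f] due to NAT",
    "May 13 11:33:04 charon: 11[CFG] <con1|17> looking for a child config for "
    "ccc.ccc.ccc.ccc/32|/0[udp/l2f] === bbb.bbb.bbb.bbb/32|/0[udp/l2f]",
    "May 13 11:33:04 charon: 11[CFG] <con1|17> proposing traffic selectors for us:",
    "May 13 11:33:04 charon: 11[CFG] <con1|17>  ccc.ccc.ccc.ccc/32|/0",
    "May 13 11:33:04 charon: 11[CFG] <con1|17> proposing traffic selectors for other:",
    "May 13 11:33:04 charon: 11[CFG] <con1|17>  dynamic",
    "May 13 11:33:04 charon: 11[IKE] <con1|17> no matching CHILD_SA config found",
    "May 13 11:33:04 charon: 11[ENC] <con1|17> generating INFORMATIONAL_V1 request 411116320 [ HASH N(INVAL_ID) ]",
]
SAMPLE_LOG = "\n".join(line for line in reversed(_CHRONOLOGICAL) for _ in range(2))


def parse_ts(text: str) -> TS:
    m = TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a traffic selector: {text!r}")
    return TS(m["net"], m["proto"] or "any", m["port"] or "any")


def parse_log(text: str, newest_first: bool = True) -> List[Dict[str, str]]:
    """Split charon lines into records, collapse immediately repeated lines and return
    them oldest first; extract_phase2 relies on that order."""
    records, previous = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line and line != previous:
            previous = line
            m = LINE_RE.search(line)
            if m:
                records.append(m.groupdict())
    return records[::-1] if newest_first else records


def extract_phase2(records: List[Dict[str, str]]) -> dict:
    """Collect what the Quick Mode exchange shows.  Orientation is read off the post's log
    (assumption): 'changing received' lists the initiator (client) selector first; 'looking for
    a child config' lists our (server) side first, followed by the configured 'us'/'other' lists."""
    info = {"client_sent": None, "after_nat": None, "configured_us": [],
            "configured_other": [], "rejected": False}
    section = None
    for r in records:
        msg, nat, look = r["msg"], NAT_RE.search(r["msg"]), LOOKUP_RE.search(r["msg"])
        if nat:
            info["client_sent"] = {"remote": parse_ts(nat[1]), "local": parse_ts(nat[2])}
        elif look:
            info["after_nat"] = {"local": parse_ts(look[1]), "remote": parse_ts(look[2])}
        elif msg == "proposing traffic selectors for us:":
            section = "configured_us"
        elif msg == "proposing traffic selectors for other:":
            section = "configured_other"
        elif section and TS_RE.match(msg):
            info[section].append(parse_ts(msg))
        else:
            info["rejected"] |= msg == "no matching CHILD_SA config found"
            section = None
    return info


def compare(info: dict) -> List[str]:
    """Per side, state how the NAT-rewritten proposal differs from each configured selector.
    Assumption: a configured 'dynamic' stands for the IKE peer's address and is compared on
    protocol/port only.  Lists differences; does not decide which one charon treats as fatal."""
    if not info["after_nat"]:
        return ["no 'looking for a child config' line found"]
    findings = []
    for side, key in (("local", "configured_us"), ("remote", "configured_other")):
        want = info["after_nat"][side]
        for have in info[key]:
            diffs = []
            if have.net not in ("dynamic", want.net):
                diffs.append(f"network {want.net} vs {have.net}")
            if (have.proto, have.port) != (want.proto, want.port):
                diffs.append(f"protocol/port {want.proto}/{want.port} vs {have.proto}/{have.port}")
            findings.append(f"{side}: {want} matches configured {have}" if not diffs else
                            f"{side}: {want} differs from configured {have} in " + ", ".join(diffs))
    return findings


if __name__ == "__main__":
    print(*compare(extract_phase2(parse_log(SAMPLE_LOG))), sep="\n")
```

Run against a real pfSense log, paste the IPsec log text into `SAMPLE_LOG` (or read it from a file) and keep `newest_first=True`; the `/32|/0` and `[udp/l2f]` notation is what charon prints for a single host and for UDP port 1701 (l2f), so the parser works unchanged on the real addresses.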
-
May 13 11:33:04 charon: 11[IKE] <con1|17> changing received traffic selectors ddd.ddd.ddd.ddd/32|/0[udp/l2f]=== aaa.aaa.aaa.aaa/32|/0[udp/l2f] due to NAT
You noticed that, right?
-
You mean aaa.aaa.aaa.aaa and so on?
These are only for anonymizing; the actual log contains the correct IPs.