Layer 2 Tunneling Protocol with IPsec



  • Hello

    Currently we are using PPTP for offsite employees.
    We would like to use L2TP/IPsec with our RADIUS server.

    Firstly I would like to set up L2TP not using the RADIUS server, just for testing.

    I have L2TP/IPsec working fine internally (LAN) but when I test one of our laptops using a mobile network (EE) it does not work.

    Here is the IPsec log:

    Jun 9 11:32:44 charon: 16[IKE] deleting IKE_SA con1[278] between xxx.xxx.xxx.xx3[xxx.xxx.xxx.xx5]...yyy.yyy.yyy.yy2[zzz.zzz.zzz.84]
    Jun 9 11:32:44 charon: 16[IKE] <con1|278>deleting IKE_SA con1[278] between xxx.xxx.xxx.xx3[xxx.xxx.xxx.xx5]...yyy.yyy.yyy.yy2[zzz.zzz.zzz.84]
    Jun 9 11:32:44 charon: 16[IKE] received DELETE for IKE_SA con1[278]
    Jun 9 11:32:44 charon: 16[IKE] <con1|278>received DELETE for IKE_SA con1[278]
    Jun 9 11:32:44 charon: 16[ENC] parsed INFORMATIONAL_V1 request 4157059169 [ HASH D ]
    Jun 9 11:32:44 charon: 16[NET] received packet: from yyy.yyy.yyy.yy2[4500] to xxx.xxx.xxx.xx3[4500] (92 bytes)
    Jun 9 11:32:44 charon: 12[IKE] closing CHILD_SA con1{28} with SPIs ccdb2d32_i (864 bytes) 825a46b7_o (0 bytes) and TS xxx.xxx.xxx.xx3/32|/0[udp/l2f] === yyy.yyy.yyy.yy2/32|/0[udp/l2f]
    Jun 9 11:32:44 charon: 12[IKE] <con1|278>closing CHILD_SA con1{28} with SPIs ccdb2d32_i (864 bytes) 825a46b7_o (0 bytes) and TS xxx.xxx.xxx.xx3/32|/0[udp/l2f] === yyy.yyy.yyy.yy2/32|/0[udp/l2f]
    Jun 9 11:32:44 charon: 12[IKE] received DELETE for ESP CHILD_SA with SPI 825a46b7
    Jun 9 11:32:44 charon: 12[IKE] <con1|278>received DELETE for ESP CHILD_SA with SPI 825a46b7
    Jun 9 11:32:44 charon: 12[ENC] parsed INFORMATIONAL_V1 request 1103228700 [ HASH D ]
    Jun 9 11:32:44 charon: 12[NET] received packet: from yyy.yyy.yyy.yy2[4500] to xxx.xxx.xxx.xx3[4500] (76 bytes)
    Jun 9 11:32:09 charon: 07[IKE] CHILD_SA con1{28} established with SPIs ccdb2d32_i 825a46b7_o and TS xxx.xxx.xxx.xx3/32|/0[udp/l2f] === yyy.yyy.yyy.yy2/32|/0[udp/l2f]
    Jun 9 11:32:09 charon: 07[IKE] <con1|278>CHILD_SA con1{28} established with SPIs ccdb2d32_i 825a46b7_o and TS xxx.xxx.xxx.xx3/32|/0[udp/l2f] === yyy.yyy.yyy.yy2/32|/0[udp/l2f]
    Jun 9 11:32:09 charon: 07[ENC] parsed QUICK_MODE request 1 [ HASH ]
    Jun 9 11:32:09 charon: 07[NET] received packet: from yyy.yyy.yyy.yy2[4500] to xxx.xxx.xxx.xx3[4500] (60 bytes)
    Jun 9 11:32:09 charon: 07[NET] sending packet: from xxx.xxx.xxx.xx3[4500] to yyy.yyy.yyy.yy2[4500] (204 bytes)
    Jun 9 11:32:09 charon: 07[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
    Jun 9 11:32:09 charon: 07[IKE] received 250000000 lifebytes, configured 0
    Jun 9 11:32:09 charon: 07[IKE] <con1|278>received 250000000 lifebytes, configured 0
    Jun 9 11:32:09 charon: 07[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
    Jun 9 11:32:09 charon: 07[NET] received packet: from yyy.yyy.yyy.yy2[4500] to xxx.xxx.xxx.xx3[4500] (332 bytes)
    Jun 9 11:32:09 charon: 12[NET] sending packet: from xxx.xxx.xxx.xx3[4500] to yyy.yyy.yyy.yy2[4500] (76 bytes)
    Jun 9 11:32:09 charon: 12[ENC] generating ID_PROT response 0 [ ID HASH ]
    Jun 9 11:32:09 charon: 12[IKE] DPD not supported by peer, disabled
    Jun 9 11:32:09 charon: 12[IKE] <con1|278>DPD not supported by peer, disabled
    Jun 9 11:32:09 charon: 12[IKE] maximum IKE_SA lifetime 28775s
    Jun 9 11:32:09 charon: 12[IKE] <con1|278>maximum IKE_SA lifetime 28775s
    Jun 9 11:32:09 charon: 12[IKE] scheduling reauthentication in 28235s
    Jun 9 11:32:09 charon: 12[IKE] <con1|278>scheduling reauthentication in 28235s
    Jun 9 11:32:09 charon: 12[IKE] IKE_SA con1[278] established between xxx.xxx.xxx.xx3[xxx.xxx.xxx.xx5]...yyy.yyy.yyy.yy2[zzz.zzz.zzz.84]
    Jun 9 11:32:09 charon: 12[IKE] <con1|278>IKE_SA con1[278] established between xxx.xxx.xxx.xx3[xxx.xxx.xxx.xx5]...yyy.yyy.yyy.yy2[zzz.zzz.zzz.84]
    Jun 9 11:32:09 charon: 12[CFG] selected peer config "con1"
    Jun 9 11:32:09 charon: 12[CFG] looking for pre-shared key peer configs matching xxx.xxx.xxx.xx3...yyy.yyy.yyy.yy2[zzz.zzz.zzz.84]
    Jun 9 11:32:09 charon: 12[ENC] parsed ID_PROT request 0 [ ID HASH ]
    Jun 9 11:32:09 charon: 12[NET] received packet: from yyy.yyy.yyy.yy2[4500] to xxx.xxx.xxx.xx3[4500] (76 bytes)
    Jun 9 11:32:08 charon: 12[NET] sending packet: from xxx.xxx.xxx.xx3[500] to yyy.yyy.yyy.yy2[500] (372 bytes)
    Jun 9 11:32:08 charon: 12[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Jun 9 11:32:08 charon: 12[IKE] remote host is behind NAT
    Jun 9 11:32:08 charon: 12[IKE] <278> remote host is behind NAT
    Jun 9 11:32:08 charon: 12[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Jun 9 11:32:08 charon: 12[NET] received packet: from yyy.yyy.yyy.yy2[500] to xxx.xxx.xxx.xx3[500] (388 bytes)
    Jun 9 11:32:08 charon: 12[NET] sending packet: from xxx.xxx.xxx.xx3[500] to yyy.yyy.yyy.yy2[500] (180 bytes)
    Jun 9 11:32:08 charon: 12[ENC] generating ID_PROT response 0 [ SA V V V V V ]
    Jun 9 11:32:08 charon: 12[IKE] yyy.yyy.yyy.yy2 is initiating a Main Mode IKE_SA
    Jun 9 11:32:08 charon: 12[IKE] <278> yyy.yyy.yyy.yy2 is initiating a Main Mode IKE_SA
    Jun 9 11:32:08 charon: 12[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
    Jun 9 11:32:08 charon: 12[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
    Jun 9 11:32:08 charon: 12[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
    Jun 9 11:32:08 charon: 12[IKE] received FRAGMENTATION vendor ID
    Jun 9 11:32:08 charon: 12[IKE] <278> received FRAGMENTATION vendor ID
    Jun 9 11:32:08 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Jun 9 11:32:08 charon: 12[IKE] <278> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Jun 9 11:32:08 charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
    Jun 9 11:32:08 charon: 12[IKE] <278> received NAT-T (RFC 3947) vendor ID
    Jun 9 11:32:08 charon: 12[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
    Jun 9 11:32:08 charon: 12[IKE] <278> received MS NT5 ISAKMPOAKLEY vendor ID
    Jun 9 11:32:08 charon: 12[ENC] parsed ID_PROT request 0 [ SA V V V V V V V ]
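An added example, not from the original post and not pfSense or strongSwan code: a small Python script that reads this log the way the pfSense GUI shows it (newest line first, most messages logged twice, once with a <con|id> prefix), puts it back in order and pulls out the facts that matter for this case. Read chronologically, the log says the client is behind NAT, Main Mode and Quick Mode both completed, the CHILD_SA for udp/1701 (strongSwan prints the port by its service name, here l2f) carried 864 bytes inbound and 0 bytes outbound, and the client sent the DELETE 35 seconds later. So IKE and the PSK are fine; the failure is at the L2TP stage, with nothing going back to the client inside ESP. The sample lines are a subset copied from the log above with the addresses masked exactly as the poster masked them; the regexes, field names and verdict strings are this example's own.

```python
"""Parse a strongSwan (charon) log as the pfSense GUI shows it: newest line
first, most messages logged twice (once with a <con|id> prefix), and report
what the IPsec side actually did.  Added example, not pfSense or strongSwan
code; the regexes and verdict strings below are this example's own."""
import re
from datetime import datetime

# Constructed input: a subset of the log from the post above, addresses masked
# exactly as the poster masked them.
SAMPLE_LOG = """\
Jun 9 11:32:44 charon: 16[IKE] deleting IKE_SA con1[278] between xxx.xxx.xxx.xx3[xxx.xxx.xxx.xx5]...yyy.yyy.yyy.yy2[zzz.zzz.zzz.84]
Jun 9 11:32:44 charon: 16[IKE] <con1|278>deleting IKE_SA con1[278] between xxx.xxx.xxx.xx3[xxx.xxx.xxx.xx5]...yyy.yyy.yyy.yy2[zzz.zzz.zzz.84]
Jun 9 11:32:44 charon: 16[IKE] received DELETE for IKE_SA con1[278]
Jun 9 11:32:44 charon: 16[IKE] <con1|278>received DELETE for IKE_SA con1[278]
Jun 9 11:32:44 charon: 12[IKE] closing CHILD_SA con1{28} with SPIs ccdb2d32_i (864 bytes) 825a46b7_o (0 bytes) and TS xxx.xxx.xxx.xx3/32|/0[udp/l2f] === yyy.yyy.yyy.yy2/32|/0[udp/l2f]
Jun 9 11:32:44 charon: 12[IKE] received DELETE for ESP CHILD_SA with SPI 825a46b7
Jun 9 11:32:09 charon: 07[IKE] CHILD_SA con1{28} established with SPIs ccdb2d32_i 825a46b7_o and TS xxx.xxx.xxx.xx3/32|/0[udp/l2f] === yyy.yyy.yyy.yy2/32|/0[udp/l2f]
Jun 9 11:32:09 charon: 12[IKE] DPD not supported by peer, disabled
Jun 9 11:32:09 charon: 12[IKE] IKE_SA con1[278] established between xxx.xxx.xxx.xx3[xxx.xxx.xxx.xx5]...yyy.yyy.yyy.yy2[zzz.zzz.zzz.84]
Jun 9 11:32:08 charon: 12[IKE] remote host is behind NAT
Jun 9 11:32:08 charon: 12[IKE] <278> remote host is behind NAT
Jun 9 11:32:08 charon: 12[IKE] yyy.yyy.yyy.yy2 is initiating a Main Mode IKE_SA
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) charon: "
    r"(?P<thread>\d+)\[(?P<sub>\w+)\] (?:<[^>]*>\s*)?(?P<msg>.*)$")
IKE_UP = re.compile(r"IKE_SA \S+\[\d+\] established")
CHILD_UP = re.compile(r"CHILD_SA \S+\{\d+\} established with SPIs \w+_i \w+_o and TS (.+)")
CHILD_DOWN = re.compile(
    r"closing CHILD_SA \S+\{\d+\} with SPIs \w+_i \((\d+) bytes\) \w+_o \((\d+) bytes\)")


def parse_charon_log(text):
    """Return unique events oldest-first, the <con|id> duplicates collapsed."""
    events, seen = [], set()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year; ordering only
        key = (ts, m["thread"], m["sub"], m["msg"])
        if key in seen:
            continue
        seen.add(key)
        events.append({"ts": ts, "sub": m["sub"], "msg": m["msg"]})
    events.reverse()                        # GUI order is newest first
    events.sort(key=lambda e: e["ts"])      # stable sort keeps the order within one second
    return events


def diagnose(events):
    """Summarise what the IPsec side did and say where to look next."""
    r = {"nat": False, "dpd": True, "ike_up": None, "child_up": None, "ts": None,
         "closed": None, "bytes_in": None, "bytes_out": None, "peer_deleted": False}
    for e in events:
        msg = e["msg"]
        if msg == "remote host is behind NAT":
            r["nat"] = True
        elif msg.startswith("DPD not supported"):
            r["dpd"] = False
        elif IKE_UP.search(msg):
            r["ike_up"] = e["ts"]
        elif (m := CHILD_UP.search(msg)):
            r["child_up"], r["ts"] = e["ts"], m.group(1)
        elif (m := CHILD_DOWN.search(msg)):
            r["closed"] = e["ts"]
            r["bytes_in"], r["bytes_out"] = int(m.group(1)), int(m.group(2))
        elif msg.startswith("received DELETE for IKE_SA"):
            r["peer_deleted"] = True
    r["tunnel_seconds"] = ((r["closed"] - r["child_up"]).total_seconds()
                           if r["closed"] and r["child_up"] else None)
    if r["child_up"] is None:
        r["verdict"] = "ipsec_failed"        # no CHILD_SA: look at proposals, PSK, identities
    elif r["bytes_in"] and not r["bytes_out"]:
        r["verdict"] = "no_return_traffic"   # ESP came in, nothing went back through the SA
    elif r["peer_deleted"]:
        r["verdict"] = "peer_closed"
    else:
        r["verdict"] = "ok"
    return r


def report(text):
    """Human-readable summary of diagnose()."""
    r = diagnose(parse_charon_log(text))

    def when(t):
        return t.strftime("%H:%M:%S") if t else "never"

    secs = "n/a" if r["tunnel_seconds"] is None else f"{r['tunnel_seconds']:.0f}s"
    return "\n".join([
        f"peer behind NAT: {r['nat']} (IKE and UDP-encapsulated ESP on udp/4500)",
        f"DPD available: {r['dpd']}",
        f"IKE_SA up: {when(r['ike_up'])}, CHILD_SA up: {when(r['child_up'])}, TS: {r['ts']}",
        f"closed after {secs}, peer sent DELETE: {r['peer_deleted']}, "
        f"{r['bytes_in']} bytes in / {r['bytes_out']} bytes out",
        f"verdict: {r['verdict']}",
    ])


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The verdict no_return_traffic is the one to act on here: the client's L2TP packets arrived inside ESP, but the firewall never sent anything back through the CHILD_SA, so either the L2TP service did not answer or its replies left without matching the IPsec policy. That is what to check next (L2TP listener, the udp/1701 rules, and what the NAT-T path does with the reply), rather than the IKE settings, which the log shows as working.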



  • Something that I have not tried, as I don't know if it can be done: change or set IPsec to "IPSEC over UDP".
    Can this be done?


  • Try with IKEv2 instead.



  • @doktornotor:

    Try with IKEv2 instead.

    Hello

    Ok I will see if I can set this up today.
    https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

    Thanks



  • UPDATE

    Ok, I have followed this doc step by step https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
    I am now getting a Windows VPN error 809 (LAN).



  • Anyone?

