4. PFSense 2.2.2 L2TP/IPSec Setup Issues

PFSense 2.2.2 L2TP/IPSec Setup Issues

  • H

    Hey everyone! Long lime lurker first time poster, because honestly, this if the firs time I have ever come across an issue with PFSense that I couldn't find the answer in either the help docs or the forums. Hopefully someone can point out what I am doing wrong. Ok, I have spent about 2 days trying to get VPN capability on my phone and laptop to work with PFSense but so far I have had 0 luck.

    PFSense Version 2.2.2-RELEASE (amd64)

    Routing Configurations
    #VPN > L2TP
    Enable L2TP Server - Checked
    Interface - WAN
    Server Address - 192.168.3.1
    Remote Address Range - 192.168.3.128
    Subnet Mask - 25
    Number of L2TP Users - 10
    Secret - Empty
    Authentication - CHAP
    L2TP DNS Servers - 192.168.2.1,8.8.8.8
    *EVERYTHING ELSE BLANK/UNCHECKED

    #VPN > IPSEC
    Enable IPSec

    #VPN > IPSec > Mobile Clients
    Enable IPSec Mobile Client Support - Checked
    User Authentiation - Local Database
    *EVERYTHING ELSE BLANK/UNCHECKED

    #VPN > IPSec > Phase 1: Mobile Client
    Disabled - Unchecked
    Key Exchange Version - Auto
    Internet protocol - IPv4
    Interface - WAN
    Description - EMPTY
    Authentication Method - Mutual PSK
    Negotiation Mode - Main
    My Identifier - My IP address
    Encryption Algorithm - 3DES
    Hash Algorithm - SHA1
    DH Key Group - 14 (2048 bit)
    Lifetime - lifetime 28800
    Disable Rekey - unchecked
    Responder Only - unchecked
    Nat Transfersal - Auto
    Dead Peer Detection - Enable DPD (10 seconds, 5 retries)

    #VPN > IPSec > Phase 2: Mobile Client
    Disabled - unchecked
    Mode - transport
    Description - EMPTY
    Protocol - ESP
    Encryption Algorithims - AES-auto,Blowfish-auto,3DES,CAST128
    Hash Algorithims - MD5,SHA1
    PFS key group - off
    Lifetime - 36000
    Automatically ping host - EMPTY

    #VPN > IPSec > Pre-Shared Keys
    Identifier - allusers
    type - psk

    #Firewall > NAT > Outbound > Hybrid Outbound NAT rule generation  (Automatic Outbound NAT + rules below)
    Disabled - unchecked
    Do Not NAT - unchecked
    Interface - WAN
    Protocol - ANY
    Source - ANY
    Destination - ANY
    Translation Address - Interface Address
    Translation Port - EMPTY
    Translation Static-port - unchecked
    No XMLRPC Sync - unchecked
    Description - EMPTY

    #Firewall > Rules > Floating
    Action: Pass
    Disabled - Unchecked
    Quick - Checked
    interface - L2TP VPN
    Direction - Any
    TCP/IP Version - IPv4+IPv6
    Protocol - TCP
    Source - ANY
    Destination ANY
    Log - Unchecked
    Description - EMPTY
    State Type > NO pfsync - unchecked
    state type - sloppy state
    TCP Flags - ANY

    #Firewall > Rules > L2TP VPN
    Action: Pass
    Disabled - Unchecked
    interface - L2TP VPN
    TCP/IP Version - IPv4+IPv6
    Protocol - ANY
    Source - ANY
    Destination ANY
    Log - Unchecked
    Description - EMPTY

    #Firewall > Rules > IPSec
    Action: Pass
    Disabled - Unchecked
    interface - IPSec
    TCP/IP Version - IPv4+IPv6
    Protocol - ANY
    Source - ANY
    Destination ANY
    Log - Unchecked
    Description - EMPTY

    #Services > DNS Resolver > Access Lists
    Access List name - VPN Users
    Action - Allow
    Networks - 192.168.3.128
    CIRD - 25

    IPSec Traffic when trying to connect with Android Phone

    =========================================================================

    Jun 27 17:28:01 charon: 11[ENC] <2> generating ID_PROT response 0 [ SA V V V V ]
    Jun 27 17:28:01 charon: 11[NET] <2> sending packet: from 173.50.125.121[500] to 70.197.129.210[8917] (156 bytes)
    Jun 27 17:28:01 charon: 11[NET] <2> received packet: from 70.197.129.210[8917] to 173.50.125.121[500] (252 bytes)
    Jun 27 17:28:01 charon: 11[ENC] <2> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Jun 27 17:28:01 charon: 11[IKE] <2> remote host is behind NAT
    Jun 27 17:28:01 charon: 11[IKE] <2> remote host is behind NAT
    Jun 27 17:28:01 charon: 11[ENC] <2> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Jun 27 17:28:01 charon: 11[NET] <2> sending packet: from 173.50.125.121[500] to 70.197.129.210[8917] (268 bytes)
    Jun 27 17:28:02 charon: 11[NET] <2> received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (108 bytes)
    Jun 27 17:28:02 charon: 11[ENC] <2> parsed ID_PROT request 0 [ ID HASH ]
    Jun 27 17:28:02 charon: 11[CFG] <2> looking for pre-shared key peer configs matching 173.50.125.121…70.197.129.210[100.95.109.69]
    Jun 27 17:28:02 charon: 11[CFG] <2> selected peer config "con1"
    Jun 27 17:28:02 charon: 11[IKE] <con1|2>IKE_SA con1[2] established between 173.50.125.121[173.50.125.121]…70.197.129.210[100.95.109.69]
    Jun 27 17:28:02 charon: 11[IKE] <con1|2>IKE_SA con1[2] established between 173.50.125.121[173.50.125.121]…70.197.129.210[100.95.109.69]
    Jun 27 17:28:02 charon: 11[IKE] <con1|2>scheduling reauthentication in 27774s
    Jun 27 17:28:02 charon: 11[IKE] <con1|2>scheduling reauthentication in 27774s
    Jun 27 17:28:02 charon: 11[IKE] <con1|2>maximum IKE_SA lifetime 28314s
    Jun 27 17:28:02 charon: 11[IKE] <con1|2>maximum IKE_SA lifetime 28314s
    Jun 27 17:28:02 charon: 11[ENC] <con1|2>generating ID_PROT response 0 [ ID HASH ]
    Jun 27 17:28:02 charon: 11[NET] <con1|2>sending packet: from 173.50.125.121[4500] to 70.197.129.210[8916] (92 bytes)
    Jun 27 17:28:02 charon: 13[NET] <con1|2>received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (124 bytes)
    Jun 27 17:28:02 charon: 13[ENC] <con1|2>parsed INFORMATIONAL_V1 request 3373731101 [ HASH N(INITIAL_CONTACT) ]
    Jun 27 17:28:02 charon: 13[NET] <con1|2>received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (556 bytes)
    Jun 27 17:28:02 charon: 13[ENC] <con1|2>parsed QUICK_MODE request 2298111843 [ HASH SA No ID ID ]
    Jun 27 17:28:02 charon: 13[IKE] <con1|2>received 28800s lifetime, configured 3600s
    Jun 27 17:28:02 charon: 13[IKE] <con1|2>received 28800s lifetime, configured 3600s
    Jun 27 17:28:02 charon: 13[ENC] <con1|2>generating QUICK_MODE response 2298111843 [ HASH SA No ID ID NAT-OA NAT-OA ]
    Jun 27 17:28:02 charon: 13[NET] <con1|2>sending packet: from 173.50.125.121[4500] to 70.197.129.210[8916] (204 bytes)
    Jun 27 17:28:02 charon: 11[NET] <con1|2>received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (92 bytes)
    Jun 27 17:28:02 charon: 11[ENC] <con1|2>parsed QUICK_MODE request 2298111843 [ HASH ]
    Jun 27 17:28:02 charon: 11[IKE] <con1|2>CHILD_SA con1{2} established with SPIs c634a554_i 0de31c7e_o and TS 173.50.125.121/32|/0[udp/l2f] === 70.197.129.210/32|/0[udp]
    Jun 27 17:28:02 charon: 11[IKE] <con1|2>CHILD_SA con1{2} established with SPIs c634a554_i 0de31c7e_o and TS 173.50.125.121/32|/0[udp/l2f] === 70.197.129.210/32|/0[udp]
    Jun 27 17:28:12 charon: 11[IKE] <con1|2>sending DPD request
    Jun 27 17:28:12 charon: 11[IKE] <con1|2>sending DPD request
    Jun 27 17:28:12 charon: 11[ENC] <con1|2>generating INFORMATIONAL_V1 request 1896293710 [ HASH N(DPD) ]
    Jun 27 17:28:12 charon: 11[NET] <con1|2>sending packet: from 173.50.125.121[4500] to 70.197.129.210[8916] (108 bytes)
    Jun 27 17:28:12 charon: 11[NET] <con1|2>received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (124 bytes)
    Jun 27 17:28:12 charon: 11[ENC] <con1|2>parsed INFORMATIONAL_V1 request 2737998598 [ HASH N(DPD_ACK) ]
    Jun 27 17:28:22 charon: 11[IKE] <con1|2>sending DPD request
    Jun 27 17:28:22 charon: 11[IKE] <con1|2>sending DPD request
    Jun 27 17:28:22 charon: 11[ENC] <con1|2>generating INFORMATIONAL_V1 request 1024477368 [ HASH N(DPD) ]
    Jun 27 17:28:22 charon: 11[NET] <con1|2>sending packet: from 173.50.125.121[4500] to 70.197.129.210[8916] (108 bytes)
    Jun 27 17:28:22 charon: 11[NET] <con1|2>received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (124 bytes)
    Jun 27 17:28:22 charon: 11[ENC] <con1|2>parsed INFORMATIONAL_V1 request 3544190626 [ HASH N(DPD_ACK) ]
    Jun 27 17:28:32 charon: 12[IKE] <con1|2>sending DPD request
    Jun 27 17:28:32 charon: 12[IKE] <con1|2>sending DPD request
    Jun 27 17:28:32 charon: 12[ENC] <con1|2>generating INFORMATIONAL_V1 request 4129323374 [ HASH N(DPD) ]
    Jun 27 17:28:32 charon: 12[NET] <con1|2>sending packet: from 173.50.125.121[4500] to 70.197.129.210[8916] (108 bytes)
    Jun 27 17:28:32 charon: 12[NET] <con1|2>received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (124 bytes)
    Jun 27 17:28:32 charon: 12[ENC] <con1|2>parsed INFORMATIONAL_V1 request 3898626004 [ HASH N(DPD_ACK) ]

    ========================================================================= ##</con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2></con1|2>

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy