PFSense 2.2.2 L2TP/IPSec Setup Issues
-
Hey everyone! Long time lurker, first time poster, because honestly this is the first time I have ever come across an issue with PFSense that I couldn't find the answer to in either the help docs or the forums. Hopefully someone can point out what I am doing wrong. OK, I have spent about 2 days trying to get VPN capability on my phone and laptop to work with PFSense, but so far I have had zero luck.
PFSense Version 2.2.2-RELEASE (amd64)
Routing Configurations
#VPN > L2TP
Enable L2TP Server - Checked
Interface - WAN
Server Address - 192.168.3.1
Remote Address Range - 192.168.3.128
Subnet Mask - 25
Number of L2TP Users - 10
Secret - Empty
Authentication - CHAP
L2TP DNS Servers - 192.168.2.1,8.8.8.8
*EVERYTHING ELSE BLANK/UNCHECKED
#VPN > IPSec
Enable IPSec
#VPN > IPSec > Mobile Clients
Enable IPSec Mobile Client Support - Checked
User Authentication - Local Database
*EVERYTHING ELSE BLANK/UNCHECKED
#VPN > IPSec > Phase 1: Mobile Client
Disabled - Unchecked
Key Exchange Version - Auto
Internet protocol - IPv4
Interface - WAN
Description - EMPTY
Authentication Method - Mutual PSK
Negotiation Mode - Main
My Identifier - My IP address
Encryption Algorithm - 3DES
Hash Algorithm - SHA1
DH Key Group - 14 (2048 bit)
Lifetime - 28800
Disable Rekey - unchecked
Responder Only - unchecked
NAT Traversal - Auto
Dead Peer Detection - Enable DPD (10 seconds, 5 retries)
#VPN > IPSec > Phase 2: Mobile Client
Disabled - unchecked
Mode - transport
Description - EMPTY
Protocol - ESP
Encryption Algorithms - AES-auto, Blowfish-auto, 3DES, CAST128
Hash Algorithms - MD5, SHA1
PFS key group - off
Lifetime - 36000
Automatically ping host - EMPTY
#VPN > IPSec > Pre-Shared Keys
Identifier - allusers
Type - PSK
#Firewall > NAT > Outbound > Hybrid Outbound NAT rule generation (Automatic Outbound NAT + rules below)
Disabled - unchecked
Do Not NAT - unchecked
Interface - WAN
Protocol - ANY
Source - ANY
Destination - ANY
Translation Address - Interface Address
Translation Port - EMPTY
Translation Static-port - unchecked
No XMLRPC Sync - unchecked
Description - EMPTY
#Firewall > Rules > Floating
Action: Pass
Disabled - Unchecked
Quick - Checked
interface - L2TP VPN
Direction - Any
TCP/IP Version - IPv4+IPv6
Protocol - TCP
Source - ANY
Destination - ANY
Log - Unchecked
Description - EMPTY
State Type > NO pfsync - unchecked
state type - sloppy state
TCP Flags - ANY
#Firewall > Rules > L2TP VPN
Action: Pass
Disabled - Unchecked
interface - L2TP VPN
TCP/IP Version - IPv4+IPv6
Protocol - ANY
Source - ANY
Destination - ANY
Log - Unchecked
Description - EMPTY
#Firewall > Rules > IPSec
Action: Pass
Disabled - Unchecked
interface - IPSec
TCP/IP Version - IPv4+IPv6
Protocol - ANY
Source - ANY
Destination - ANY
Log - Unchecked
Description - EMPTY
#Services > DNS Resolver > Access Lists
Access List name - VPN Users
Action - Allow
Networks - 192.168.3.128
CIDR - 25

IPSec Traffic when trying to connect with Android Phone
=========================================================================
Jun 27 17:28:01 charon: 11[ENC] <2> generating ID_PROT response 0 [ SA V V V V ]
Jun 27 17:28:01 charon: 11[NET] <2> sending packet: from 173.50.125.121[500] to 70.197.129.210[8917] (156 bytes)
Jun 27 17:28:01 charon: 11[NET] <2> received packet: from 70.197.129.210[8917] to 173.50.125.121[500] (252 bytes)
Jun 27 17:28:01 charon: 11[ENC] <2> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jun 27 17:28:01 charon: 11[IKE] <2> remote host is behind NAT
Jun 27 17:28:01 charon: 11[IKE] <2> remote host is behind NAT
Jun 27 17:28:01 charon: 11[ENC] <2> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jun 27 17:28:01 charon: 11[NET] <2> sending packet: from 173.50.125.121[500] to 70.197.129.210[8917] (268 bytes)
Jun 27 17:28:02 charon: 11[NET] <2> received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (108 bytes)
Jun 27 17:28:02 charon: 11[ENC] <2> parsed ID_PROT request 0 [ ID HASH ]
Jun 27 17:28:02 charon: 11[CFG] <2> looking for pre-shared key peer configs matching 173.50.125.121…70.197.129.210[100.95.109.69]
Jun 27 17:28:02 charon: 11[CFG] <2> selected peer config "con1"
Jun 27 17:28:02 charon: 11[IKE] <con1|2>IKE_SA con1[2] established between 173.50.125.121[173.50.125.121]…70.197.129.210[100.95.109.69]
Jun 27 17:28:02 charon: 11[IKE] <con1|2>IKE_SA con1[2] established between 173.50.125.121[173.50.125.121]…70.197.129.210[100.95.109.69]
Jun 27 17:28:02 charon: 11[IKE] <con1|2>scheduling reauthentication in 27774s
Jun 27 17:28:02 charon: 11[IKE] <con1|2>scheduling reauthentication in 27774s
Jun 27 17:28:02 charon: 11[IKE] <con1|2>maximum IKE_SA lifetime 28314s
Jun 27 17:28:02 charon: 11[IKE] <con1|2>maximum IKE_SA lifetime 28314s
Jun 27 17:28:02 charon: 11[ENC] <con1|2>generating ID_PROT response 0 [ ID HASH ]
Jun 27 17:28:02 charon: 11[NET] <con1|2>sending packet: from 173.50.125.121[4500] to 70.197.129.210[8916] (92 bytes)
Jun 27 17:28:02 charon: 13[NET] <con1|2>received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (124 bytes)
Jun 27 17:28:02 charon: 13[ENC] <con1|2>parsed INFORMATIONAL_V1 request 3373731101 [ HASH N(INITIAL_CONTACT) ]
Jun 27 17:28:02 charon: 13[NET] <con1|2>received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (556 bytes)
Jun 27 17:28:02 charon: 13[ENC] <con1|2>parsed QUICK_MODE request 2298111843 [ HASH SA No ID ID ]
Jun 27 17:28:02 charon: 13[IKE] <con1|2>received 28800s lifetime, configured 3600s
Jun 27 17:28:02 charon: 13[IKE] <con1|2>received 28800s lifetime, configured 3600s
Jun 27 17:28:02 charon: 13[ENC] <con1|2>generating QUICK_MODE response 2298111843 [ HASH SA No ID ID NAT-OA NAT-OA ]
Jun 27 17:28:02 charon: 13[NET] <con1|2>sending packet: from 173.50.125.121[4500] to 70.197.129.210[8916] (204 bytes)
Jun 27 17:28:02 charon: 11[NET] <con1|2>received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (92 bytes)
Jun 27 17:28:02 charon: 11[ENC] <con1|2>parsed QUICK_MODE request 2298111843 [ HASH ]
Jun 27 17:28:02 charon: 11[IKE] <con1|2>CHILD_SA con1{2} established with SPIs c634a554_i 0de31c7e_o and TS 173.50.125.121/32|/0[udp/l2f] === 70.197.129.210/32|/0[udp]
Jun 27 17:28:02 charon: 11[IKE] <con1|2>CHILD_SA con1{2} established with SPIs c634a554_i 0de31c7e_o and TS 173.50.125.121/32|/0[udp/l2f] === 70.197.129.210/32|/0[udp]
Jun 27 17:28:12 charon: 11[IKE] <con1|2>sending DPD request
Jun 27 17:28:12 charon: 11[IKE] <con1|2>sending DPD request
Jun 27 17:28:12 charon: 11[ENC] <con1|2>generating INFORMATIONAL_V1 request 1896293710 [ HASH N(DPD) ]
Jun 27 17:28:12 charon: 11[NET] <con1|2>sending packet: from 173.50.125.121[4500] to 70.197.129.210[8916] (108 bytes)
Jun 27 17:28:12 charon: 11[NET] <con1|2>received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (124 bytes)
Jun 27 17:28:12 charon: 11[ENC] <con1|2>parsed INFORMATIONAL_V1 request 2737998598 [ HASH N(DPD_ACK) ]
Jun 27 17:28:22 charon: 11[IKE] <con1|2>sending DPD request
Jun 27 17:28:22 charon: 11[IKE] <con1|2>sending DPD request
Jun 27 17:28:22 charon: 11[ENC] <con1|2>generating INFORMATIONAL_V1 request 1024477368 [ HASH N(DPD) ]
Jun 27 17:28:22 charon: 11[NET] <con1|2>sending packet: from 173.50.125.121[4500] to 70.197.129.210[8916] (108 bytes)
Jun 27 17:28:22 charon: 11[NET] <con1|2>received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (124 bytes)
Jun 27 17:28:22 charon: 11[ENC] <con1|2>parsed INFORMATIONAL_V1 request 3544190626 [ HASH N(DPD_ACK) ]
Jun 27 17:28:32 charon: 12[IKE] <con1|2>sending DPD request
Jun 27 17:28:32 charon: 12[IKE] <con1|2>sending DPD request
Jun 27 17:28:32 charon: 12[ENC] <con1|2>generating INFORMATIONAL_V1 request 4129323374 [ HASH N(DPD) ]
Jun 27 17:28:32 charon: 12[NET] <con1|2>sending packet: from 173.50.125.121[4500] to 70.197.129.210[8916] (108 bytes)
Jun 27 17:28:32 charon: 12[NET] <con1|2>received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (124 bytes)
Jun 27 17:28:32 charon: 12[ENC] <con1|2>parsed INFORMATIONAL_V1 request 3898626004 [ HASH N(DPD_ACK) ]
=========================================================================
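The charon excerpt in the post is worth reading stage by stage, because it narrows where an L2TP/IPsec client can be failing. The following Python script is an added example for this thread, not pfSense or strongSwan code: it parses a pfSense 2.2 charon log excerpt and reports how far the IKEv1 negotiation got. SAMPLE_LOG is copied from the post's log (trimmed to the state-carrying lines, with the doubled lines pfSense writes left in so the de-duplication is exercised); the regexes, the summary structure and the verdict wording are the example's own.

```python
"""Classify how far an IKEv1 (L2TP/IPsec) negotiation got from a pfSense charon log.

Added example for the thread above; not pfSense or strongSwan code. SAMPLE_LOG
is copied from the post (trimmed); everything else is the example's own.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = """\
Jun 27 17:28:01 charon: 11[ENC] <2> generating ID_PROT response 0 [ SA V V V V ]
Jun 27 17:28:01 charon: 11[IKE] <2> remote host is behind NAT
Jun 27 17:28:01 charon: 11[IKE] <2> remote host is behind NAT
Jun 27 17:28:02 charon: 11[IKE] <con1|2>IKE_SA con1[2] established between 173.50.125.121[173.50.125.121]...70.197.129.210[100.95.109.69]
Jun 27 17:28:02 charon: 11[IKE] <con1|2>IKE_SA con1[2] established between 173.50.125.121[173.50.125.121]...70.197.129.210[100.95.109.69]
Jun 27 17:28:02 charon: 13[IKE] <con1|2>received 28800s lifetime, configured 3600s
Jun 27 17:28:02 charon: 13[IKE] <con1|2>received 28800s lifetime, configured 3600s
Jun 27 17:28:02 charon: 11[IKE] <con1|2>CHILD_SA con1{2} established with SPIs c634a554_i 0de31c7e_o and TS 173.50.125.121/32|/0[udp/l2f] === 70.197.129.210/32|/0[udp]
Jun 27 17:28:02 charon: 11[IKE] <con1|2>CHILD_SA con1{2} established with SPIs c634a554_i 0de31c7e_o and TS 173.50.125.121/32|/0[udp/l2f] === 70.197.129.210/32|/0[udp]
Jun 27 17:28:12 charon: 11[IKE] <con1|2>sending DPD request
Jun 27 17:28:12 charon: 11[IKE] <con1|2>sending DPD request
Jun 27 17:28:12 charon: 11[ENC] <con1|2>parsed INFORMATIONAL_V1 request 2737998598 [ HASH N(DPD_ACK) ]
Jun 27 17:28:22 charon: 11[IKE] <con1|2>sending DPD request
Jun 27 17:28:22 charon: 11[IKE] <con1|2>sending DPD request
Jun 27 17:28:22 charon: 11[ENC] <con1|2>parsed INFORMATIONAL_V1 request 3544190626 [ HASH N(DPD_ACK) ]
"""

# "Mon DD HH:MM:SS charon: <thread>[SUBSYS] <optional IKE_SA tag> message"
LINE_RE = re.compile(r"^\w{3} +\d{1,2} [\d:]{8} charon: \d+\[[A-Z]+\] (?:<[^>]*>\s*)?(?P<msg>.*)$")
IKE_SA_RE = re.compile(r"IKE_SA \S+\[\d+\] established between (?P<local>\S+?)(?:\.\.\.|…)(?P<remote>\S+)")
CHILD_RE = re.compile(r"CHILD_SA \S+\{\d+\} established with SPIs (?P<spi_in>[0-9a-f]+)_i "
                      r"(?P<spi_out>[0-9a-f]+)_o and TS (?P<ts_local>\S+) === (?P<ts_remote>\S+)")
LIFETIME_RE = re.compile(r"received (?P<got>\d+)s lifetime, configured (?P<cfg>\d+)s")
# strongSwan prints a selector as net/mask|/x[proto/port]; the port is an /etc/services name.
TS_RE = re.compile(r"^(?P<net>[^|]+)\|/\d+\[(?P<proto>[^/\]]*)(?:/(?P<port>[^\]]*))?\]$")


@dataclass
class IkeSummary:
    exchange: str = "unknown"        # IKEv1 (ID_PROT/QUICK_MODE) or IKEv2 (IKE_SA_INIT/IKE_AUTH)
    behind_nat: bool = False
    ike_sa_established: bool = False
    local_id: str = ""
    remote_id: str = ""
    child_sa_established: bool = False
    spi_in: str = ""
    spi_out: str = ""
    ts_local: str = ""
    ts_remote: str = ""
    lifetime_mismatches: list = field(default_factory=list)   # (received, configured) pairs
    dpd_sent: int = 0
    dpd_acked: int = 0


def parse_charon_log(text: str) -> IkeSummary:
    s = IkeSummary()
    prev = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == prev:             # pfSense 2.2 writes most charon lines twice; drop exact repeats
            continue
        prev = line
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if any(k in msg for k in ("ID_PROT", "QUICK_MODE", "INFORMATIONAL_V1")):
            s.exchange = "IKEv1"
        elif any(k in msg for k in ("IKE_SA_INIT", "IKE_AUTH")):
            s.exchange = "IKEv2"
        if "remote host is behind NAT" in msg:
            s.behind_nat = True
        if (im := IKE_SA_RE.search(msg)):
            s.ike_sa_established = True
            s.local_id, s.remote_id = im.group("local"), im.group("remote")
        if (cm := CHILD_RE.search(msg)):
            s.child_sa_established = True
            s.spi_in, s.spi_out = cm.group("spi_in"), cm.group("spi_out")
            s.ts_local, s.ts_remote = cm.group("ts_local"), cm.group("ts_remote")
        if (lm := LIFETIME_RE.search(msg)):
            s.lifetime_mismatches.append((int(lm.group("got")), int(lm.group("cfg"))))
        if "sending DPD request" in msg:
            s.dpd_sent += 1
        if "N(DPD_ACK)" in msg:
            s.dpd_acked += 1
    return s


def is_l2tp_selector(ts: str) -> bool:
    """True if the selector covers UDP port 1701 (named l2f/l2tp in /etc/services)."""
    m = TS_RE.match(ts)
    return bool(m) and m.group("proto") == "udp" and m.group("port") in ("l2f", "l2tp", "1701")


def verdict(s: IkeSummary) -> str:
    if not s.ike_sa_established:
        return "Phase 1 never completed: check PSK, identifier and the Phase 1 proposal."
    if not s.child_sa_established:
        return "Phase 1 up but no CHILD_SA: check the Phase 2 proposal and transport mode."
    if not (is_l2tp_selector(s.ts_local) or is_l2tp_selector(s.ts_remote)):
        return "CHILD_SA up but not for UDP 1701, so it will not carry L2TP."
    if s.dpd_sent and not s.dpd_acked:
        return "CHILD_SA up but DPD unanswered: NAT-T/UDP 4500 path is broken."
    return ("IPsec is fully up (IKE_SA + CHILD_SA for UDP 1701, DPD answered); "
            "a client that still fails is stuck above IPsec, in L2TP/PPP negotiation.")


if __name__ == "__main__":
    summary = parse_charon_log(SAMPLE_LOG)
    print(summary)
    print(verdict(summary))
```

Run against the post's excerpt this reports IKEv1, peer behind NAT, IKE_SA and CHILD_SA established with the firewall-side selector 173.50.125.121/32 udp/l2f, DPD answered on every round, and one informational lifetime line (28800s received, 3600s configured), after which Quick Mode still completes. None of that is an IPsec failure, which is why the next thing to read when an L2TP/IPsec client still does not connect is the L2TP/PPP log rather than the IPsec log. One detail worth a second look: charon reports a configured Phase 2 lifetime of 3600s, while the settings listed above say 36000.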