    PFSense 2.2.2 L2TP/IPSec Setup Issues

    hell bomb

      Hey everyone! Long time lurker, first time poster, because honestly, this is the first time I have ever come across an issue with PFSense that I couldn't find the answer to in either the help docs or the forums. Hopefully someone can point out what I am doing wrong. Ok, I have spent about 2 days trying to get VPN capability on my phone and laptop to work with PFSense but so far I have had 0 luck.

      PFSense Version 2.2.2-RELEASE (amd64)

      Routing Configurations
      #VPN > L2TP
      Enable L2TP Server - Checked
      Interface - WAN
      Server Address - 192.168.3.1
      Remote Address Range - 192.168.3.128
      Subnet Mask - 25
      Number of L2TP Users - 10
      Secret - Empty
      Authentication - CHAP
      L2TP DNS Servers - 192.168.2.1,8.8.8.8
      *EVERYTHING ELSE BLANK/UNCHECKED

      #VPN > IPSEC
      Enable IPSec

      #VPN > IPSec > Mobile Clients
      Enable IPSec Mobile Client Support - Checked
      User Authentication - Local Database
      *EVERYTHING ELSE BLANK/UNCHECKED

      #VPN > IPSec > Phase 1: Mobile Client
      Disabled - Unchecked
      Key Exchange Version - Auto
      Internet protocol - IPv4
      Interface - WAN
      Description - EMPTY
      Authentication Method - Mutual PSK
      Negotiation Mode - Main
      My Identifier - My IP address
      Encryption Algorithm - 3DES
      Hash Algorithm - SHA1
      DH Key Group - 14 (2048 bit)
      Lifetime - 28800
      Disable Rekey - unchecked
      Responder Only - unchecked
      NAT Traversal - Auto
      Dead Peer Detection - Enable DPD (10 seconds, 5 retries)

      #VPN > IPSec > Phase 2: Mobile Client
      Disabled - unchecked
      Mode - transport
      Description - EMPTY
      Protocol - ESP
      Encryption Algorithms - AES-auto,Blowfish-auto,3DES,CAST128
      Hash Algorithms - MD5,SHA1
      PFS key group - off
      Lifetime - 36000
      Automatically ping host - EMPTY

      #VPN > IPSec > Pre-Shared Keys
      Identifier - allusers
      type - psk

      #Firewall > NAT > Outbound > Hybrid Outbound NAT rule generation  (Automatic Outbound NAT + rules below)
      Disabled - unchecked
      Do Not NAT - unchecked
      Interface - WAN
      Protocol - ANY
      Source - ANY
      Destination - ANY
      Translation Address - Interface Address
      Translation Port - EMPTY
      Translation Static-port - unchecked
      No XMLRPC Sync - unchecked
      Description - EMPTY

      #Firewall > Rules > Floating
      Action: Pass
      Disabled - Unchecked
      Quick - Checked
      interface - L2TP VPN
      Direction - Any
      TCP/IP Version - IPv4+IPv6
      Protocol - TCP
      Source - ANY
      Destination ANY
      Log - Unchecked
      Description - EMPTY
      State Type > NO pfsync - unchecked
      state type - sloppy state
      TCP Flags - ANY

      #Firewall > Rules > L2TP VPN
      Action: Pass
      Disabled - Unchecked
      interface - L2TP VPN
      TCP/IP Version - IPv4+IPv6
      Protocol - ANY
      Source - ANY
      Destination ANY
      Log - Unchecked
      Description - EMPTY

      #Firewall > Rules > IPSec
      Action: Pass
      Disabled - Unchecked
      interface - IPSec
      TCP/IP Version - IPv4+IPv6
      Protocol - ANY
      Source - ANY
      Destination ANY
      Log - Unchecked
      Description - EMPTY

      #Services > DNS Resolver > Access Lists
      Access List name - VPN Users
      Action - Allow
      Networks - 192.168.3.128
      CIDR - 25

      IPSec Traffic when trying to connect with Android Phone

      =========================================================================

      Jun 27 17:28:01 charon: 11[ENC] <2> generating ID_PROT response 0 [ SA V V V V ]
      Jun 27 17:28:01 charon: 11[NET] <2> sending packet: from 173.50.125.121[500] to 70.197.129.210[8917] (156 bytes)
      Jun 27 17:28:01 charon: 11[NET] <2> received packet: from 70.197.129.210[8917] to 173.50.125.121[500] (252 bytes)
      Jun 27 17:28:01 charon: 11[ENC] <2> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
      Jun 27 17:28:01 charon: 11[IKE] <2> remote host is behind NAT
      Jun 27 17:28:01 charon: 11[IKE] <2> remote host is behind NAT
      Jun 27 17:28:01 charon: 11[ENC] <2> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
      Jun 27 17:28:01 charon: 11[NET] <2> sending packet: from 173.50.125.121[500] to 70.197.129.210[8917] (268 bytes)
      Jun 27 17:28:02 charon: 11[NET] <2> received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (108 bytes)
      Jun 27 17:28:02 charon: 11[ENC] <2> parsed ID_PROT request 0 [ ID HASH ]
      Jun 27 17:28:02 charon: 11[CFG] <2> looking for pre-shared key peer configs matching 173.50.125.121…70.197.129.210[100.95.109.69]
      Jun 27 17:28:02 charon: 11[CFG] <2> selected peer config "con1"
      Jun 27 17:28:02 charon: 11[IKE] <con1|2>IKE_SA con1[2] established between 173.50.125.121[173.50.125.121]…70.197.129.210[100.95.109.69]
      Jun 27 17:28:02 charon: 11[IKE] <con1|2>IKE_SA con1[2] established between 173.50.125.121[173.50.125.121]…70.197.129.210[100.95.109.69]
      Jun 27 17:28:02 charon: 11[IKE] <con1|2>scheduling reauthentication in 27774s
      Jun 27 17:28:02 charon: 11[IKE] <con1|2>scheduling reauthentication in 27774s
      Jun 27 17:28:02 charon: 11[IKE] <con1|2>maximum IKE_SA lifetime 28314s
      Jun 27 17:28:02 charon: 11[IKE] <con1|2>maximum IKE_SA lifetime 28314s
      Jun 27 17:28:02 charon: 11[ENC] <con1|2>generating ID_PROT response 0 [ ID HASH ]
      Jun 27 17:28:02 charon: 11[NET] <con1|2>sending packet: from 173.50.125.121[4500] to 70.197.129.210[8916] (92 bytes)
      Jun 27 17:28:02 charon: 13[NET] <con1|2>received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (124 bytes)
      Jun 27 17:28:02 charon: 13[ENC] <con1|2>parsed INFORMATIONAL_V1 request 3373731101 [ HASH N(INITIAL_CONTACT) ]
      Jun 27 17:28:02 charon: 13[NET] <con1|2>received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (556 bytes)
      Jun 27 17:28:02 charon: 13[ENC] <con1|2>parsed QUICK_MODE request 2298111843 [ HASH SA No ID ID ]
      Jun 27 17:28:02 charon: 13[IKE] <con1|2>received 28800s lifetime, configured 3600s
      Jun 27 17:28:02 charon: 13[IKE] <con1|2>received 28800s lifetime, configured 3600s
      Jun 27 17:28:02 charon: 13[ENC] <con1|2>generating QUICK_MODE response 2298111843 [ HASH SA No ID ID NAT-OA NAT-OA ]
      Jun 27 17:28:02 charon: 13[NET] <con1|2>sending packet: from 173.50.125.121[4500] to 70.197.129.210[8916] (204 bytes)
      Jun 27 17:28:02 charon: 11[NET] <con1|2>received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (92 bytes)
      Jun 27 17:28:02 charon: 11[ENC] <con1|2>parsed QUICK_MODE request 2298111843 [ HASH ]
      Jun 27 17:28:02 charon: 11[IKE] <con1|2>CHILD_SA con1{2} established with SPIs c634a554_i 0de31c7e_o and TS 173.50.125.121/32|/0[udp/l2f] === 70.197.129.210/32|/0[udp]
      Jun 27 17:28:02 charon: 11[IKE] <con1|2>CHILD_SA con1{2} established with SPIs c634a554_i 0de31c7e_o and TS 173.50.125.121/32|/0[udp/l2f] === 70.197.129.210/32|/0[udp]
      Jun 27 17:28:12 charon: 11[IKE] <con1|2>sending DPD request
      Jun 27 17:28:12 charon: 11[IKE] <con1|2>sending DPD request
      Jun 27 17:28:12 charon: 11[ENC] <con1|2>generating INFORMATIONAL_V1 request 1896293710 [ HASH N(DPD) ]
      Jun 27 17:28:12 charon: 11[NET] <con1|2>sending packet: from 173.50.125.121[4500] to 70.197.129.210[8916] (108 bytes)
      Jun 27 17:28:12 charon: 11[NET] <con1|2>received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (124 bytes)
      Jun 27 17:28:12 charon: 11[ENC] <con1|2>parsed INFORMATIONAL_V1 request 2737998598 [ HASH N(DPD_ACK) ]
      Jun 27 17:28:22 charon: 11[IKE] <con1|2>sending DPD request
      Jun 27 17:28:22 charon: 11[IKE] <con1|2>sending DPD request
      Jun 27 17:28:22 charon: 11[ENC] <con1|2>generating INFORMATIONAL_V1 request 1024477368 [ HASH N(DPD) ]
      Jun 27 17:28:22 charon: 11[NET] <con1|2>sending packet: from 173.50.125.121[4500] to 70.197.129.210[8916] (108 bytes)
      Jun 27 17:28:22 charon: 11[NET] <con1|2>received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (124 bytes)
      Jun 27 17:28:22 charon: 11[ENC] <con1|2>parsed INFORMATIONAL_V1 request 3544190626 [ HASH N(DPD_ACK) ]
      Jun 27 17:28:32 charon: 12[IKE] <con1|2>sending DPD request
      Jun 27 17:28:32 charon: 12[IKE] <con1|2>sending DPD request
      Jun 27 17:28:32 charon: 12[ENC] <con1|2>generating INFORMATIONAL_V1 request 4129323374 [ HASH N(DPD) ]
      Jun 27 17:28:32 charon: 12[NET] <con1|2>sending packet: from 173.50.125.121[4500] to 70.197.129.210[8916] (108 bytes)
      Jun 27 17:28:32 charon: 12[NET] <con1|2>received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (124 bytes)
      Jun 27 17:28:32 charon: 12[ENC] <con1|2>parsed INFORMATIONAL_V1 request 3898626004 [ HASH N(DPD_ACK) ]

      =========================================================================
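Read line by line, the charon log above shows both IKE phases completing (IKE_SA, then a CHILD_SA in transport mode for udp/l2f, the /etc/services name for UDP 1701) and the phone answering every DPD request. As an added example, not part of the original post, the following Python script pulls exactly those facts out of a charon log and says which layer to look at next; the sample lines are constructed in the same format as the post's log, and the dictionary keys and function names are my own.

```python
import re

# Constructed sample in the format of the post's charon log: pfSense writes
# each line twice, and the peer separator is the unicode ellipsis seen above.
SAMPLE_LOG = """\
Jun 27 17:28:02 charon: 11[IKE] <con1|2>IKE_SA con1[2] established between 173.50.125.121[173.50.125.121]…70.197.129.210[100.95.109.69]
Jun 27 17:28:02 charon: 11[IKE] <con1|2>IKE_SA con1[2] established between 173.50.125.121[173.50.125.121]…70.197.129.210[100.95.109.69]
Jun 27 17:28:02 charon: 13[IKE] <con1|2>received 28800s lifetime, configured 3600s
Jun 27 17:28:02 charon: 11[IKE] <con1|2>CHILD_SA con1{2} established with SPIs c634a554_i 0de31c7e_o and TS 173.50.125.121/32|/0[udp/l2f] === 70.197.129.210/32|/0[udp]
Jun 27 17:28:12 charon: 11[IKE] <con1|2>sending DPD request
Jun 27 17:28:12 charon: 11[ENC] <con1|2>parsed INFORMATIONAL_V1 request 2737998598 [ HASH N(DPD_ACK) ]
"""

IKE_SA_RE = re.compile(r"IKE_SA (\S+?)\[\d+\] established between (\S+?)\[([^\]]+)\](?:\.\.\.|…)(\S+?)\[([^\]]+)\]")
CHILD_SA_RE = re.compile(r"CHILD_SA \S+?\{\d+\} established with SPIs (\w+)_i (\w+)_o and TS (\S+) === (\S+)")
LIFETIME_RE = re.compile(r"received (\d+)s lifetime, configured (\d+)s")


def summarize_charon(log_text):
    """Collect the facts that matter for an L2TP/IPsec mobile client from a charon log."""
    summary = {"ike_sa": None, "child_sa": None, "lifetime_mismatch": None,
               "dpd_requests": 0, "dpd_acks": 0}
    seen = set()
    for line in log_text.splitlines():
        if line in seen:                      # duplicate syslog copy: count once
            continue
        seen.add(line)
        if m := IKE_SA_RE.search(line):       # phase 1 done, records peer address and ID
            summary["ike_sa"] = {"conn": m[1], "local": m[2], "local_id": m[3],
                                 "peer": m[4], "peer_id": m[5]}
        elif m := CHILD_SA_RE.search(line):   # phase 2 done, records SPIs and selectors
            summary["child_sa"] = {"spi_in": m[1], "spi_out": m[2],
                                   "local_ts": m[3], "remote_ts": m[4]}
        elif m := LIFETIME_RE.search(line):   # proposed vs configured phase 2 lifetime
            summary["lifetime_mismatch"] = (int(m[1]), int(m[2]))
        elif "sending DPD request" in line:
            summary["dpd_requests"] += 1
        elif "N(DPD_ACK)" in line:
            summary["dpd_acks"] += 1
    return summary


def diagnose(summary):
    """Name the layer to inspect next, based only on what the log proves."""
    if summary["ike_sa"] is None:
        return "Phase 1 (IKE_SA) never completed: check PSK, identifiers and UDP 500/4500"
    if summary["child_sa"] is None:
        return "Phase 1 up but no CHILD_SA: check Phase 2 mode and proposals"
    ts = summary["child_sa"]["local_ts"]
    # l2f/l2tp in the selector means the SA carries UDP 1701, i.e. the L2TP control channel
    layer = "L2TP (udp/1701)" if ("l2f" in ts or "l2tp" in ts) else ts
    return ("IPsec is up for %s and the peer answers DPD (%d/%d); the failure is above IPsec, "
            "look at the L2TP/PPP log next" % (layer, summary["dpd_acks"], summary["dpd_requests"]))
```

Run against the full log from the post, the verdict is the same as for the sample: the IPsec transport SA is established and DPD is acknowledged, so the next place to look is the L2TP/PPP log rather than the IPsec settings.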
