PFSense 2.2.2 L2TP/IPSec Setup Issues



  • Hey everyone! Long time lurker, first time poster, because honestly, this is the first time I have ever come across an issue with PFSense that I couldn't find the answer to in either the help docs or the forums. Hopefully someone can point out what I am doing wrong. Ok, I have spent about 2 days trying to get VPN capability on my phone and laptop to work with PFSense, but so far I have had 0 luck.

    PFSense Version 2.2.2-RELEASE (amd64)

    Routing Configurations
    #VPN > L2TP
    Enable L2TP Server - Checked
    Interface - WAN
    Server Address - 192.168.3.1
    Remote Address Range - 192.168.3.128
    Subnet Mask - 25
    Number of L2TP Users - 10
    Secret - Empty
    Authentication - CHAP
    L2TP DNS Servers - 192.168.2.1,8.8.8.8
    *EVERYTHING ELSE BLANK/UNCHECKED

    #VPN > IPSEC
    Enable IPSec

    #VPN > IPSec > Mobile Clients
    Enable IPSec Mobile Client Support - Checked
    User Authentication - Local Database
    *EVERYTHING ELSE BLANK/UNCHECKED

    #VPN > IPSec > Phase 1: Mobile Client
    Disabled - Unchecked
    Key Exchange Version - Auto
    Internet protocol - IPv4
    Interface - WAN
    Description - EMPTY
    Authentication Method - Mutual PSK
    Negotiation Mode - Main
    My Identifier - My IP address
    Encryption Algorithm - 3DES
    Hash Algorithm - SHA1
    DH Key Group - 14 (2048 bit)
    Lifetime - lifetime 28800
    Disable Rekey - unchecked
    Responder Only - unchecked
    NAT Traversal - Auto
    Dead Peer Detection - Enable DPD (10 seconds, 5 retries)

    #VPN > IPSec > Phase 2: Mobile Client
    Disabled - unchecked
    Mode - transport
    Description - EMPTY
    Protocol - ESP
    Encryption Algorithms - AES-auto,Blowfish-auto,3DES,CAST128
    Hash Algorithms - MD5,SHA1
    PFS key group - off
    Lifetime - 36000
    Automatically ping host - EMPTY

    #VPN > IPSec > Pre-Shared Keys
    Identifier - allusers
    type - psk

    #Firewall > NAT > Outbound > Hybrid Outbound NAT rule generation  (Automatic Outbound NAT + rules below)
    Disabled - unchecked
    Do Not NAT - unchecked
    Interface - WAN
    Protocol - ANY
    Source - ANY
    Destination - ANY
    Translation Address - Interface Address
    Translation Port - EMPTY
    Translation Static-port - unchecked
    No XMLRPC Sync - unchecked
    Description - EMPTY

    #Firewall > Rules > Floating
    Action: Pass
    Disabled - Unchecked
    Quick - Checked
    interface - L2TP VPN
    Direction - Any
    TCP/IP Version - IPv4+IPv6
    Protocol - TCP
    Source - ANY
    Destination ANY
    Log - Unchecked
    Description - EMPTY
    State Type > NO pfsync - unchecked
    state type - sloppy state
    TCP Flags - ANY

    #Firewall > Rules > L2TP VPN
    Action: Pass
    Disabled - Unchecked
    interface - L2TP VPN
    TCP/IP Version - IPv4+IPv6
    Protocol - ANY
    Source - ANY
    Destination ANY
    Log - Unchecked
    Description - EMPTY

    #Firewall > Rules > IPSec
    Action: Pass
    Disabled - Unchecked
    interface - IPSec
    TCP/IP Version - IPv4+IPv6
    Protocol - ANY
    Source - ANY
    Destination ANY
    Log - Unchecked
    Description - EMPTY

    #Services > DNS Resolver > Access Lists
    Access List name - VPN Users
    Action - Allow
    Networks - 192.168.3.128
    CIDR - 25

    IPSec Traffic when trying to connect with Android Phone

    =========================================================================

    Jun 27 17:28:01 charon: 11[ENC] <2> generating ID_PROT response 0 [ SA V V V V ]
    Jun 27 17:28:01 charon: 11[NET] <2> sending packet: from 173.50.125.121[500] to 70.197.129.210[8917] (156 bytes)
    Jun 27 17:28:01 charon: 11[NET] <2> received packet: from 70.197.129.210[8917] to 173.50.125.121[500] (252 bytes)
    Jun 27 17:28:01 charon: 11[ENC] <2> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Jun 27 17:28:01 charon: 11[IKE] <2> remote host is behind NAT
    Jun 27 17:28:01 charon: 11[IKE] <2> remote host is behind NAT
    Jun 27 17:28:01 charon: 11[ENC] <2> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Jun 27 17:28:01 charon: 11[NET] <2> sending packet: from 173.50.125.121[500] to 70.197.129.210[8917] (268 bytes)
    Jun 27 17:28:02 charon: 11[NET] <2> received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (108 bytes)
    Jun 27 17:28:02 charon: 11[ENC] <2> parsed ID_PROT request 0 [ ID HASH ]
    Jun 27 17:28:02 charon: 11[CFG] <2> looking for pre-shared key peer configs matching 173.50.125.121…70.197.129.210[100.95.109.69]
    Jun 27 17:28:02 charon: 11[CFG] <2> selected peer config "con1"
    Jun 27 17:28:02 charon: 11[IKE] <con1|2>IKE_SA con1[2] established between 173.50.125.121[173.50.125.121]…70.197.129.210[100.95.109.69]
    Jun 27 17:28:02 charon: 11[IKE] <con1|2>IKE_SA con1[2] established between 173.50.125.121[173.50.125.121]…70.197.129.210[100.95.109.69]
    Jun 27 17:28:02 charon: 11[IKE] <con1|2>scheduling reauthentication in 27774s
    Jun 27 17:28:02 charon: 11[IKE] <con1|2>scheduling reauthentication in 27774s
    Jun 27 17:28:02 charon: 11[IKE] <con1|2>maximum IKE_SA lifetime 28314s
    Jun 27 17:28:02 charon: 11[IKE] <con1|2>maximum IKE_SA lifetime 28314s
    Jun 27 17:28:02 charon: 11[ENC] <con1|2>generating ID_PROT response 0 [ ID HASH ]
    Jun 27 17:28:02 charon: 11[NET] <con1|2>sending packet: from 173.50.125.121[4500] to 70.197.129.210[8916] (92 bytes)
    Jun 27 17:28:02 charon: 13[NET] <con1|2>received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (124 bytes)
    Jun 27 17:28:02 charon: 13[ENC] <con1|2>parsed INFORMATIONAL_V1 request 3373731101 [ HASH N(INITIAL_CONTACT) ]
    Jun 27 17:28:02 charon: 13[NET] <con1|2>received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (556 bytes)
    Jun 27 17:28:02 charon: 13[ENC] <con1|2>parsed QUICK_MODE request 2298111843 [ HASH SA No ID ID ]
    Jun 27 17:28:02 charon: 13[IKE] <con1|2>received 28800s lifetime, configured 3600s
    Jun 27 17:28:02 charon: 13[IKE] <con1|2>received 28800s lifetime, configured 3600s
    Jun 27 17:28:02 charon: 13[ENC] <con1|2>generating QUICK_MODE response 2298111843 [ HASH SA No ID ID NAT-OA NAT-OA ]
    Jun 27 17:28:02 charon: 13[NET] <con1|2>sending packet: from 173.50.125.121[4500] to 70.197.129.210[8916] (204 bytes)
    Jun 27 17:28:02 charon: 11[NET] <con1|2>received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (92 bytes)
    Jun 27 17:28:02 charon: 11[ENC] <con1|2>parsed QUICK_MODE request 2298111843 [ HASH ]
    Jun 27 17:28:02 charon: 11[IKE] <con1|2>CHILD_SA con1{2} established with SPIs c634a554_i 0de31c7e_o and TS 173.50.125.121/32|/0[udp/l2f] === 70.197.129.210/32|/0[udp]
    Jun 27 17:28:02 charon: 11[IKE] <con1|2>CHILD_SA con1{2} established with SPIs c634a554_i 0de31c7e_o and TS 173.50.125.121/32|/0[udp/l2f] === 70.197.129.210/32|/0[udp]
    Jun 27 17:28:12 charon: 11[IKE] <con1|2>sending DPD request
    Jun 27 17:28:12 charon: 11[IKE] <con1|2>sending DPD request
    Jun 27 17:28:12 charon: 11[ENC] <con1|2>generating INFORMATIONAL_V1 request 1896293710 [ HASH N(DPD) ]
    Jun 27 17:28:12 charon: 11[NET] <con1|2>sending packet: from 173.50.125.121[4500] to 70.197.129.210[8916] (108 bytes)
    Jun 27 17:28:12 charon: 11[NET] <con1|2>received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (124 bytes)
    Jun 27 17:28:12 charon: 11[ENC] <con1|2>parsed INFORMATIONAL_V1 request 2737998598 [ HASH N(DPD_ACK) ]
    Jun 27 17:28:22 charon: 11[IKE] <con1|2>sending DPD request
    Jun 27 17:28:22 charon: 11[IKE] <con1|2>sending DPD request
    Jun 27 17:28:22 charon: 11[ENC] <con1|2>generating INFORMATIONAL_V1 request 1024477368 [ HASH N(DPD) ]
    Jun 27 17:28:22 charon: 11[NET] <con1|2>sending packet: from 173.50.125.121[4500] to 70.197.129.210[8916] (108 bytes)
    Jun 27 17:28:22 charon: 11[NET] <con1|2>received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (124 bytes)
    Jun 27 17:28:22 charon: 11[ENC] <con1|2>parsed INFORMATIONAL_V1 request 3544190626 [ HASH N(DPD_ACK) ]
    Jun 27 17:28:32 charon: 12[IKE] <con1|2>sending DPD request
    Jun 27 17:28:32 charon: 12[IKE] <con1|2>sending DPD request
    Jun 27 17:28:32 charon: 12[ENC] <con1|2>generating INFORMATIONAL_V1 request 4129323374 [ HASH N(DPD) ]
    Jun 27 17:28:32 charon: 12[NET] <con1|2>sending packet: from 173.50.125.121[4500] to 70.197.129.210[8916] (108 bytes)
    Jun 27 17:28:32 charon: 12[NET] <con1|2>received packet: from 70.197.129.210[8916] to 173.50.125.121[4500] (124 bytes)
    Jun 27 17:28:32 charon: 12[ENC] <con1|2>parsed INFORMATIONAL_V1 request 3898626004 [ HASH N(DPD_ACK) ]

    =========================================================================

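As an added diagnostic (not from the original post or from pfSense itself), a small Python triage script for charon logs like the one above: it de-duplicates the doubled lines, checks whether phase 1 (IKE_SA) and phase 2 (CHILD_SA) completed, records the lifetime mismatch and DPD exchanges, and reports the negotiated traffic selector so you can tell whether to look at IPsec or at the L2TP/PPP layer next. The sample lines are constructed in the shape of the post's log.

```python
import re

# Constructed sample in the shape of the post's charon output (not its exact
# lines): phase 1 and phase 2 succeed, then only DPD keepalives follow.
SAMPLE_LOG = """\
Jun 27 17:28:01 charon: 11[IKE] <2> remote host is behind NAT
Jun 27 17:28:02 charon: 11[IKE] <con1|2>IKE_SA con1[2] established between 173.50.125.121[173.50.125.121]...70.197.129.210[100.95.109.69]
Jun 27 17:28:02 charon: 11[IKE] <con1|2>IKE_SA con1[2] established between 173.50.125.121[173.50.125.121]...70.197.129.210[100.95.109.69]
Jun 27 17:28:02 charon: 13[IKE] <con1|2>received 28800s lifetime, configured 3600s
Jun 27 17:28:02 charon: 11[IKE] <con1|2>CHILD_SA con1{2} established with SPIs c634a554_i 0de31c7e_o and TS 173.50.125.121/32|/0[udp/l2f] === 70.197.129.210/32|/0[udp]
Jun 27 17:28:12 charon: 11[IKE] <con1|2>sending DPD request
Jun 27 17:28:12 charon: 11[ENC] <con1|2>parsed INFORMATIONAL_V1 request 2737998598 [ HASH N(DPD_ACK) ]
Jun 27 17:28:22 charon: 11[IKE] <con1|2>sending DPD request
Jun 27 17:28:22 charon: 11[ENC] <con1|2>parsed INFORMATIONAL_V1 request 3544190626 [ HASH N(DPD_ACK) ]
"""

# The ellipsis between peers is "..." in strongSwan; "…" also appears in copied logs.
IKE_SA_RE = re.compile(r"IKE_SA (\S+)\[\d+\] established between (\S+)(?:\.\.\.|…)(\S+)")
CHILD_SA_RE = re.compile(r"CHILD_SA (\S+)\{\d+\} established with SPIs (\w+)_i (\w+)_o and TS (.+)$")
LIFETIME_RE = re.compile(r"received (\d+)s lifetime, configured (\d+)s")


def triage_charon(log_text):
    """Summarise how far an IKEv1 L2TP/IPsec negotiation got from charon log lines."""
    # The post's log shows most IKE lines twice; de-duplicate before counting.
    lines = list(dict.fromkeys(l.strip() for l in log_text.splitlines() if l.strip()))
    result = {
        "behind_nat": any("remote host is behind NAT" in l for l in lines),
        "ike_sa": None, "child_sa": None, "lifetime_mismatch": None,
        "dpd_requests": sum("sending DPD request" in l for l in lines),
        "dpd_acks": sum("N(DPD_ACK)" in l for l in lines),
    }
    for line in lines:
        if m := IKE_SA_RE.search(line):
            result["ike_sa"] = {"conn": m.group(1), "local": m.group(2), "remote": m.group(3)}
        elif m := CHILD_SA_RE.search(line):
            result["child_sa"] = {"conn": m.group(1), "spi_in": m.group(2),
                                  "spi_out": m.group(3), "ts": m.group(4)}
        elif m := LIFETIME_RE.search(line):
            result["lifetime_mismatch"] = (int(m.group(1)), int(m.group(2)))
    # Verdict: point the admin at the layer that actually failed.
    if result["ike_sa"] is None:
        result["verdict"] = "phase1_failed"        # main mode never completed
    elif result["child_sa"] is None:
        result["verdict"] = "phase2_failed"        # quick mode never completed
    elif "udp/l2f" in result["child_sa"]["ts"]:
        result["verdict"] = "ipsec_up_check_l2tp"  # transport SA for UDP/1701 is up
    else:
        result["verdict"] = "ipsec_up_no_l2tp_selector"
    return result
```

Running `triage_charon(SAMPLE_LOG)` gives the verdict `ipsec_up_check_l2tp`, which is the state the log above shows: the IPsec transport SA for L2TP is established and only DPD keepalives follow, so the L2TP/PPP side (not IPsec) is where to look next.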
