Glorious Error 789 or 13801 for IKEv2



  • Hello folks,

    I have a huge problem with VPN using L2TP and IPsec with pfSense. Up to this point I used PPTP, but since it is insecure and I have more time I wanted to switch to L2TP over IPsec, but error code 789 has been killing me for more than one week now.

    So here is what I did:

    I installed and configured pfSense version 2.2.4.
    I configured PPTP and I have a Windows 8 client. Everything works fine, so the client can connect to it and use the VPN, but I want to switch to L2TP now. So I did everything the official how-to told me to do, but no success. It gives me error 789 all the time.

    My L2TP configuration looks like this:

    Enabled L2TP Server
    Server Address = New Unused Address (192.168.60.254)
    Remote Address Range = New Unused Address Range (192.168.60.0/24)
    Subnet Mask = 24
    No Secret
    Authentication Type = CHAP
    Two legit DNS servers

    I also created a test user with dynamic IP address

    IPsec looks like this:

    Phase 1:

    Key: V1
    IP: IPv4
    Interface: WAN

    Phase 1 Authentication
    Method: Mutual PSK
    Negotiation: Main
    Identifier: My Ip address

    Phase 1 Algorithms
    Encryption: 3DES
    Hash: SHA1
    DH Key Group: 2 (1024)
    Lifetime: 28800
    NAT Traversal = auto

    Mobile clients
    Enabled IPsec Mobile Client Support
    Virtual Address Pool: 192.168.60.0/24

    Pre-Shared-Key
    allusers PSK 123
    any PSK 123

    The system log repeats itself with the following errors:

    Sep 22 11:37:44 charon: 12[ENC] <2> generating INFORMATIONAL_V1 request 3035542370 [ HASH N(PLD_MAL) ]
    Sep 22 11:37:44	charon: 12[NET] <2> sending packet: from 212.90.100.194[500] to 176.4.74.75[500] (68 bytes)
    Sep 22 11:37:44	charon: 12[IKE] <2> ID_PROT request with message ID 0 processing failed
    Sep 22 11:37:44	charon: 12[IKE] <2> ID_PROT request with message ID 0 processing failed
    Sep 22 11:37:45	charon: 11[NET] <2> received packet: from 176.4.74.75[4500] to 212.90.100.194[4500] (68 bytes)
    Sep 22 11:37:45	charon: 11[ENC] <2> invalid ID_V1 payload length, decryption failed?
    Sep 22 11:37:45	charon: 11[ENC] <2> could not decrypt payloads
    Sep 22 11:37:45	charon: 11[IKE] <2> message parsing failed
    Sep 22 11:37:45	charon: 11[IKE] <2> message parsing failed
    

    I allowed any traffic in the Firewall -> Rules tab for IPsec and L2TP, and on the WAN interface allowed ports UDP(500), UDP(4500), TCP/UDP(1701), and ESP.

    On Windows the VPN looks like this:

    VPN-TYPE: Layer-2-Tunneling-Protocol with IPsec
    Advanced settings has the PSK (123) installed

    Data encryption is set to optional
    The following protocols are allowed:
    PAP, CHAP, MS-CHAP v2

    Any help would be appreciated
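
Added example, not part of the original posts: a short Python triage of the charon lines quoted in the post above, showing what the log establishes on its own (an IKEv1 Main Mode exchange, a `PLD_MAL` notify, a move from port 500 to 4500, and a payload decryption failure). The function name `triage` and the result field names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (tabs normalised to spaces).
SAMPLE = """\
Sep 22 11:37:44 charon: 12[ENC] <2> generating INFORMATIONAL_V1 request 3035542370 [ HASH N(PLD_MAL) ]
Sep 22 11:37:44 charon: 12[NET] <2> sending packet: from 212.90.100.194[500] to 176.4.74.75[500] (68 bytes)
Sep 22 11:37:44 charon: 12[IKE] <2> ID_PROT request with message ID 0 processing failed
Sep 22 11:37:44 charon: 12[IKE] <2> ID_PROT request with message ID 0 processing failed
Sep 22 11:37:45 charon: 11[NET] <2> received packet: from 176.4.74.75[4500] to 212.90.100.194[4500] (68 bytes)
Sep 22 11:37:45 charon: 11[ENC] <2> invalid ID_V1 payload length, decryption failed?
Sep 22 11:37:45 charon: 11[ENC] <2> could not decrypt payloads
Sep 22 11:37:45 charon: 11[IKE] <2> message parsing failed
Sep 22 11:37:45 charon: 11[IKE] <2> message parsing failed
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+charon:\s+(?P<thread>\d+)"
                  r"\[(?P<sub>[A-Z]{3})\]\s+<(?P<conn>[^>]+)>\s+(?P<msg>.*)$")
PACKET = re.compile(r"(sending|received) packet: from (\S+?)\[(\d+)\] to (\S+?)\[(\d+)\]")
NOTIFY = re.compile(r"N\(([A-Z_0-9]+)\)")  # e.g. N(PLD_MAL) = payload malformed

def triage(text):
    """Summarise each charon connection: IKE version, notifies, ports, decrypt errors."""
    out = defaultdict(lambda: {"ikev1": False, "notifies": set(), "ports": set(),
                               "decrypt_failed": False, "events": []})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a charon line in the expected syslog layout
        c, msg = out[m["conn"]], m["msg"]
        if c["events"] and c["events"][-1] == (m["ts"], msg):
            continue  # the log repeats some IKE lines verbatim; keep one copy
        c["events"].append((m["ts"], msg))
        c["ikev1"] |= bool(re.search(r"_V1\b|ID_PROT|AGGRESSIVE", msg))
        c["notifies"].update(NOTIFY.findall(msg))
        c["decrypt_failed"] |= "could not decrypt" in msg or "decryption failed" in msg
        p = PACKET.search(msg)
        if p:
            c["ports"].update({int(p[3]), int(p[5])})
    for c in out.values():
        # Ports 500 and 4500 in the same exchange: the peers switched to NAT-T.
        c["nat_t"] = {500, 4500} <= c["ports"]
    return dict(out)
```

In IKEv1 with a pre-shared key, the encryption keys are derived from the PSK, so a decryption failure at the ID payload is a reason to re-check that both ends hold the same key; the thread itself does not establish the cause.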



  • As jimp has stated in the forums several times recently, IPsec using IKEv2 is probably a better option than L2TP/IPsec at this point.

    I have no problems using Windows 7 Professional clients with pfSense's IKEv2 support.



  • @David_W:

    As jimp has stated in the forums several times recently, IPsec using IKEv2 is probably a better option than L2TP/IPsec at this point.

    I have no problems using Windows 7 Professional clients with pfSense's IKEv2 support.

    Ok did that, and it worked ^^

