Solved IPsec/L2tp VPN cannot connect to Mikrotik

Hi, I'm trying to connect my FreeBsd 12.2 workstation to an IPSec/L2tp VPN serverd by a Mikrotik router, the IPsec part apparently is working, but I cannot make mpd5 to assign an IP to the generated ng0 interface.

ipsec status all

Code:
Status of IKE charon daemon (strongSwan 5.9.1, FreeBSD 12.2-RELEASE-p1, amd64):
  uptime: 67 minutes, since Feb 02 06:54:01 2021
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac drbg curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock counters
Listening IP addresses:
  192.168.100.111
  192.168.1.101
  192.168.100.203
  192.168.100.200
Connections:
       cemet:  %any...<EXTERNAL IP>  IKEv1
       cemet:   local:  uses pre-shared key authentication
       cemet:   remote: [192.168.10.2] uses pre-shared key authentication
       cemet:   child:  dynamic[udp/l2f] === dynamic[udp/l2f] TRANSPORT
Security Associations (1 up, 0 connecting):
       cemet[4]: ESTABLISHED 34 minutes ago, 192.168.100.111[192.168.100.111]...<EXTERNAL IP>[192.168.10.2]
       cemet[4]: IKEv1 SPIs: 0626d29e027d79f6_i* 951abc3e26950480_r, pre-shared key reauthentication in 22 minutes
       cemet[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
       cemet{7}:  REKEYED, TRANSPORT, reqid 1, expires in 20 seconds
       cemet{7}:   192.168.100.111/32[udp/l2f] === <EXTERNAL IP>/32[udp/l2f]
       cemet{8}:  INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: c68f402f_i 0e5a2f8a_o
       cemet{8}:  AES_CBC_128/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 0 bytes_o (0 pkts, 2081s ago), rekeying in 9 minutes
       cemet{8}:   192.168.100.111/32[udp/l2f] === <EXTERNAL IP>/32[udp/l2f]

Note: I replaced the real external IP with <EXTERNAL IP>.

That looks good to me.

Now let's see the /usr/local/etc/mpd5/mpd.conf file:

Code:
startup:
    log +ALL +EVENTS -FRAME -ECHO

default:
    load vpnconn

vpnconn:
    create bundle static B1
    create link static L1 l2tp
    set link action bundle B1
    set auth authname "<USER>"
    set auth password "<PASSWORD>"
    set link max-redial 0
    set link mtu 1460
    set link keep-alive 20 75
    set l2tp peer <EXTERNAL IP>
    open

Now, when I run sudo mpd5 vpnconn y get this:

Code:
Multi-link PPP daemon for FreeBSD

process 47365 started, version 5.9
EVENT: Registering event EVENT_READ MsgEvent() at msg.c:77
EVENT: Registering event EVENT_READ MsgEvent() done at msg.c:77
[B1] Bundle: Interface ng0 created
EVENT: Message 1 to LinkMsg() sent
[L1] EVENT: Processing event EVENT_TIMEOUT ConfigRead() done
EVENT: Processing event EVENT_READ MsgEvent()
EVENT: Message 1 to LinkMsg() received
[L1] Link: OPEN event
[L1] LCP: Open event
[L1] LCP: state change Initial --> Starting
[L1] LCP: LayerStart
EVENT: Message 1 to PhysMsg() sent
EVENT: Message 1 to LinkMsg() processed
EVENT: Message 1 to PhysMsg() received
[L1] device: OPEN event
L2TP: ppp_l2tp_ctrl_create invoked
L2TP: Initiating control connection 0x800cea310 0.0.0.0 0 <-> <EXTERNAL IP> 1701
L2TP: Control connection 0x800cea310 192.168.100.111 43847 <-> <EXTERNAL IP> 1701 initiated
L2TP: ppp_l2tp_ctrl_initiate invoked
L2TP: XMIT [MESSAGE_TYPE SCCRQ] [HOST_NAME "ws1.local.domain"] [VENDOR_NAME "FreeBSD MPD"] [BEARER_CAPABILITIES digital=1 analog=1] [RECEIVE_WINDOW_SIZE 8] [PROTOCOL_VERSION 1.0] [FRAMING_CAPABILITIES sync=1 async=1] [ASSIGNED_TUNNEL_ID 0x6156]
EVENT: Message 1 to PhysMsg() processed
EVENT: Processing event EVENT_READ MsgEvent() done
EVENT: Processing event EVENT_READ MsgEvent()
EVENT: Processing event EVENT_READ MsgEvent() done
L2TP: RECV [MESSAGE_TYPE SCCRP] [PROTOCOL_VERSION 1.0] [FRAMING_CAPABILITIES sync=1 async=0] [BEARER_CAPABILITIES digital=0 analog=0] [FIRMWARE_REVISION 0x0001] [HOST_NAME "CT-RTH-MTK-01"] [VENDOR_NAME "MikroTik"] [ASSIGNED_TUNNEL_ID 0x0040] [RECEIVE_WINDOW_SIZE 4]
L2TP: rec'd SCCRP in state wait-ctl-reply
L2TP: connected to "CT-RTH-MTK-01", version=1.0
L2TP: XMIT [MESSAGE_TYPE SCCCN] [HOST_NAME "ws1.local.domain"] [VENDOR_NAME "FreeBSD MPD"] [BEARER_CAPABILITIES digital=1 analog=1] [RECEIVE_WINDOW_SIZE 8] [PROTOCOL_VERSION 1.0] [FRAMING_CAPABILITIES sync=1 async=1] [ASSIGNED_TUNNEL_ID 0x6156]
L2TP: Control connection 0x800cea310 192.168.100.111 43847 <-> <EXTERNAL IP> 1701 connected
L2TP: ppp_l2tp_initiate invoked, ctrl=0x800cea310 out=0
L2TP: created new session #1030000 id 0x2616 orig=local side=LAC state=wait-cs-reply
L2TP: XMIT [MESSAGE_TYPE ICRQ] [ASSIGNED_SESSION_ID 0x2616] [CALL_SERIAL_NUMBER 1030000]
[L1] L2TP: Incoming call #1030000 via control connection 0x800cea310 initiated
L2TP: ppp_l2tp_connected invoked, sess=0x800d040d0
L2TP: RECV(0x1626) [MESSAGE_TYPE ICRP] [ASSIGNED_SESSION_ID 0x0001]
L2TP: rec'd ICRP in state wait-cs-reply
L2TP: XMIT(0x0001) [MESSAGE_TYPE ICCN] [TX_CONNECT_SPEED 10000000] [FRAMING_TYPE sync=1 async=0]
[L1] L2TP: Call #1030000 connected
[L1] device: UP event
[L1] Link: UP event
[L1] Link: origination is local
[L1] LCP: Up event
[L1] LCP: state change Starting --> Req-Sent
[L1] LCP: phase shift DEAD --> ESTABLISH
[L1] LCP: SendConfigReq #1
[L1]   ACFCOMP
[L1]   PROTOCOMP
[L1]   MRU 1500
[L1]   MAGICNUM 0x147df29d
EVENT: Starting timer "LCP" FsmTimeout() for 2000 ms at fsm.c:426
EVENT: Registering event EVENT_TIMEOUT TimerExpires() at timer.c:50
EVENT: Registering event EVENT_TIMEOUT TimerExpires() done at timer.c:50
L2TP: RECV(0x1626) [MESSAGE_TYPE CDN] [RESULT_CODE result=1 error=0 errmsg=""] [ASSIGNED_SESSION_ID 0x0001]
L2TP: rec'd CDN in state established
[L1] L2TP: call #1030000 terminated: result=1 error=0 errmsg=""
[L1] device: DOWN event
[L1] Link: DOWN event
...

If instead of running mpd5 directly I call with service mpd5 onestart and do an ifconfig I can see the ng0 interface without an assigned IP:

Code:
ng0: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

Please help me!
 
Hi VladiBG, here is the mpd.conf (the same I already provided in the main question):

Code:
startup:
    log +ALL +EVENTS -FRAME -ECHO

default:
    load vpnconn

vpnconn:
    create bundle static B1
    create link static L1 l2tp
    set link action bundle B1
    set auth authname "<USER>"
    set auth password "<PASSWORD>"
    set link max-redial 0
    set link mtu 1460
    set link keep-alive 20 75
    set l2tp peer <EXTERNAL IP>
    open
 
You have several ip addresses in the same subnet
192.168.100.111
192.168.100.203
192.168.100.200

Most likely you are missing your local ip address in ipsec.conf (left=192.168.100.111) under "conn cemet" and your IPsec is not established.


Is this edited ?
cemet: local: uses pre-shared key authentication

I think it should look like
cemet: local: [192.168.100.111] uses pre-shared key authentication

Do you see ant packets in/out in ESP? netstat -s -p esp

Here is the example of the IPsec in Tunnel mode (Net-to-Net) with static address and routing: https://forums.freebsd.org/threads/...th-tp-link-tl-r600vpn-using-strongswan.75204/


Note: After IPsec is fully established (Phase 2) you will receive the IP address from the server. Your MPD looks good. Unfortunately i don't have Mikrotik to play and test your config at the moment.
You can enable log file in strongSwan (charon-logging) to check the IPsec.
 
Thanks, I added the left=... part to my ipsec.conf but I'm getting the same result, no ng0 interface created.

One thing that confuses me is in your example you don't use mpd5, is it really needed?. In my case the interface ng0 is created after executing mpd5, but without an IP assigned.
 
In my example i'm using routing between two separate networks. Check if your IPsec complete the Phase2 negotiation.

Here is another example for MPD + strongSwan

Verify which trafic is protected by IPsec using setkey -DP
 
Sorry, I don't see anything related to Phase nor Phase2, when I call sudo ipsec up cemet I get this:

Code:
initiating Main Mode IKE_SA cemet[2] to <EXTERNAL IP>
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.100.111[500] to <EXTERNAL IP>[500] (212 bytes)
received packet: from <EXTERNAL IP>[500] to 192.168.100.111[500] (160 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received NAT-T (RFC 3947) vendor ID
received XAuth vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.100.111[500] to <EXTERNAL IP>[500] (244 bytes)
received packet: from <EXTERNAL IP>[500] to 192.168.100.111[500] (236 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
remote host is behind NAT
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 192.168.100.111[4500] to <EXTERNAL IP>[4500] (108 bytes)
received packet: from <EXTERNAL IP>[4500] to 192.168.100.111[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA cemet[2] established between 192.168.100.111[192.168.100.111]...<EXTERNAL IP>[192.168.10.2]
scheduling reauthentication in 3393s
maximum IKE_SA lifetime 3573s
generating QUICK_MODE request 3676791366 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
sending packet: from 192.168.100.111[4500] to <EXTERNAL IP>[4500] (364 bytes)
received packet: from <EXTERNAL IP>[4500] to 192.168.100.111[4500] (332 bytes)
parsed QUICK_MODE response 3676791366 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
CHILD_SA cemet{4} established with SPIs c60ecb82_i 06cbb81b_o and TS 192.168.100.111/32[udp/l2f] === <EXTERNAL IP>/32[udp/l2f]
updown: /usr/local/libexec/ipsec/_updown: iptables: not found
updown: /usr/local/libexec/ipsec/_updown: iptables: not found
connection 'cemet' established successfully
 
Main Mode is Phase 1 authentication and encryption
Quick Mode is Phase 2 negotiating which traffic will be send across the vpn

It look Ok.

Try to add "set iface enable tcpmssfix" and "set ipcp ranges 0.0.0.0/0 0.0.0.0/0" after "create link static L1 l2tp" or reduce your MTU
 
Added those two configs to /usr/local/etc/mpd5/mpd.conf:

Code:
startup:
    log +ALL +EVENTS -FRAME -ECHO

default:
    load cemet

cemet:
    create bundle static B1

    set bundle enable crypt-reqd
    set bundle enable compression
    set bundle enable ipv6cp
    set ccp yes mppc
    set mppc no e40 e56
    set mppc yes e128 stateless
    set ipcp enable req-pri-dns
    set ipcp enable req-sec-dns

    create link static L1 l2tp
    set iface enable tcpmssfix
    set ipcp ranges 0.0.0.0/0 0.0.0.0/0
    set link action bundle B1
    set auth authname "<USERNAME>"
    set auth password "<PASSWORD>"
    set link max-redial 0
    set link mtu 1460
    set link keep-alive 20 75
    set link accept chap-msv2
    set link no pap eap
    set l2tp peer <EXTERNAL IP>
    open

But the result is the same, ng0 without assigned IP.
 
Are you participating in a competition for the most number of directives in a least working mpd.conf?

No, of course, so strip it down to the bare minimum and then add new directives as needed.

Start with this one:
Code:
startup:

default:
    load l2tp_client

l2tp_client:
    create bundle static B
    set iface mtu 1280
    set ipcp ranges 0.0.0.0/0 0.0.0.0/0

    create link static L l2tp
    set link action bundle B
    set auth authname USERNAME
    set auth password PASSWORD
    set l2tp peer REMOTE_ADDRESS
    open
 
Are you participating in a competition for the most number of directives in a least working mpd.conf?
🤣🤣🤣🤣

Code:
startup:

default:
    load cemet

cemet:
    create bundle static B_l2tp
    set iface mtu 1280
    set ipcp ranges 0.0.0.0/0 0.0.0.0/0
    create link static L_l2tp l2tp
    set link action bundle B_l2tp
    set auth authname "<USERNAME>"
    set auth password "<PASSWORD>"
    set l2tp peer <EXTERNAL IP>
    open

This is the mpd5 output:

Code:
Multi-link PPP daemon for FreeBSD
 
process 18844 started, version 5.9
[B_l2tp] Bundle: Interface ng0 created
[L_l2tp] [L_l2tp] Link: OPEN event
[L_l2tp] LCP: Open event
[L_l2tp] LCP: state change Initial --> Starting
[L_l2tp] LCP: LayerStart
L2TP: Initiating control connection 0x800cea310 0.0.0.0 0 <-> <EXTERNAL IP> 1701
L2TP: Control connection 0x800cea310 192.168.100.111 24995 <-> <EXTERNAL IP> 1701 connected
[L_l2tp] L2TP: Incoming call #820000 via control connection 0x800cea310 initiated
[L_l2tp] L2TP: Call #820000 connected
[L_l2tp] Link: UP event
[L_l2tp] LCP: Up event
[L_l2tp] LCP: state change Starting --> Req-Sent
[L_l2tp] LCP: SendConfigReq #1
[L_l2tp]   ACFCOMP
[L_l2tp]   PROTOCOMP
[L_l2tp]   MRU 1500
[L_l2tp]   MAGICNUM 0xf91e86f0
[L_l2tp] L2TP: call #820000 terminated: result=1 error=0 errmsg=""
[L_l2tp] Link: DOWN event
[L_l2tp] LCP: Close event
[L_l2tp] LCP: state change Req-Sent --> Closing
[L_l2tp] LCP: SendTerminateReq #2
[L_l2tp] LCP: Down event
[L_l2tp] LCP: LayerFinish
[L_l2tp] LCP: state change Closing --> Initial
L2TP: Control connection 0x800cea310 terminated: 0 (no more sessions exist in this tunnel)

The interface ng0 is created but no ip assigned.

I've tried that with pf running and stopped.
 
Ok, now now ACFCOMP and PROTOCOMP doesn't shows anymore. The relevant part is this:

Code:
...
[L_l2tp] L2TP: Incoming call #5690000 via control connection 0x800cea310 initiated
[L_l2tp] L2TP: Call #5690000 connected
[L_l2tp] Link: UP event
[L_l2tp] LCP: Up event
[L_l2tp] LCP: state change Starting --> Req-Sent
[L_l2tp] LCP: SendConfigReq #1
[L_l2tp]   MRU 1500
[L_l2tp]   MAGICNUM 0xcb311a20
[L_l2tp] L2TP: call #5690000 terminated: result=1 error=0 errmsg=""
[L_l2tp] Link: DOWN event
[L_l2tp] LCP: Close event
[L_l2tp] LCP: state change Req-Sent --> Closing
[L_l2tp] LCP: SendTerminateReq #2
[L_l2tp] LCP: Down event
[L_l2tp] LCP: LayerFinish
[L_l2tp] LCP: state change Closing --> Initial

But the problem still persists.
 
The issue is not in your mpd configuration. You first need IPSec policy to define which traffic will be protected and when the IPSec encryption should be used. You are bringing the IPSec tunnel up without creating security policy database. Also in your ipsec.conf your leftprotoport and rightprotoport are wrong
child: dynamic[udp/l2f] === dynamic[udp/l2f] TRANSPORT
on the left side is your local (dynamic configurate ip address) and traffic that must be protected is UDP from upper random port to the Server IP (Mikrotik) UDP at port 1701 (l2f) aka L2TP in your case you are encrypting traffic from yourip:1701->server:1701 and there's no such traffic.

you need to change how IPsec is started. Instead of bringing up IPSec manualy you need to use auto=route option in order to install a kernel trap which will initilize the IPSec tunnel when a traffic of interest is detected (dynamic[udp] -> serverip[udp/l2f])

Here is working example for LAN(subnet) <--> L2TP/IPSEC <--> roadwarrior client

1612474716651.png


Example RouterOS configuration (this is only for demonstration it's more like ppp over ipsec instead of l2tp as it's not include the local bridge)

[admin@MikroTik] > expo
# feb/04/2021 21:39:07 by RouterOS 6.46.8
# software id =
#
#
#
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
/interface l2tp-server
add name=l2tp-in1 user=l2tp-user
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] dh-group=ecp384 enc-algorithm=aes-256 lifetime=8h
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=8h
/ip pool
add name=ppp-client-pool ranges=192.168.10.100-192.168.10.110
/ppp profile
set *0 local-address=192.168.1.1 remote-address=ppp-client-pool
/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes ipsec-secret=secret use-ipsec=required
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add disabled=no interface=ether1
add disabled=no interface=ether2
/ip firewall filter
add chain=input port=1701,500,4500 protocol=udp
add chain=input protocol=ipsec-esp
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ppp secret
add name=l2tp-user password=l2tp-pass
[admin@MikroTik] >

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
strictcrlpolicy=no
#uniqueids = no

conn l2tp
keyexchange=ikev1
ikelifetime=28800
lifetime=3600
authby=psk
keyingtries=1
ike=aes256-sha1-ecp384!
esp=aes256-sha1!
type=transport
auto=route

#left side LOCAL

left=%defaultroute
leftprotoport=17/%any

#right side REMOTE

right=192.168.100.107
rightsubnet=192.168.1.0/24
rightprotoport=17/1701

dpdaction=clear
rekey=yes

# ipsec.secrets - strongSwan IPsec secrets file
192.168.100.107 : PSK "secret"

startup:
# configure mpd users
#set user foo bar admin
#set user foo1 bar1
# configure the console
set console self 127.0.0.1 5005
set console open
# configure the web server
#set web self 0.0.0.0 5006
#set web open
log +ALL +EVENTS -FRAME -ECHO

default:
load l2tp

l2tp:
create bundle static B1
set iface route 192.168.1.0/24
set iface enable tcpmssfix
set ipcp yes

set ipcp dns 8.8.8.8

set ccp yes mppc
set mppc yes e128
set mppc yes stateless

create link static L1 l2tp
set link action bundle B1
set link max-redial 0
set link mtu 1460
set link keep-alive 0 0 #20 75
set link accept chap-msv2

set l2tp peer 192.168.100.107

set auth authname "l2tp-user"
set auth password "l2tp-pass"

open

root@bsdtest2:/usr/local/etc/rc.d # ./strongswan statusall
Status of IKE charon daemon (strongSwan 5.9.1, FreeBSD 12.2-RELEASE, amd64):
uptime: 21 minutes, since Feb 04 23:31:09 2021
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac drbg curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock counters
Listening IP addresses:
192.168.100.109
Connections:
l2tp: %any...192.168.100.107 IKEv1, dpddelay=30s
l2tp: local: uses pre-shared key authentication
l2tp: remote: [192.168.100.107] uses pre-shared key authentication
l2tp: child: dynamic[udp] === 192.168.1.0/24[udp/l2f] TRANSPORT, dpdaction=clear
Routed Connections:
l2tp{1}: ROUTED, TRANSPORT, reqid 1
l2tp{1}: 192.168.100.109/32[udp] === 192.168.100.107/32[udp/l2f]
Security Associations (1 up, 0 connecting):
l2tp[2]: ESTABLISHED 6 minutes ago, 192.168.100.109[192.168.100.109]...192.168.100.107[192.168.100.107]
l2tp[2]: IKEv1 SPIs: cc0a8fdb503f7926_i* 08b0bb82a331dc47_r, pre-shared key reauthentication in 7 hours
l2tp[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
l2tp{3}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c6df83aa_i 093f34ab_o
l2tp{3}: AES_CBC_256/HMAC_SHA1_96, 4636 bytes_i (76 pkts, 408s ago), 5896 bytes_o (63 pkts, 57s ago), rekeying in 37 minutes
l2tp{3}: 192.168.100.109/32[udp] === 192.168.100.107/32[udp/l2f]

root@bsdtest2:/usr/local/etc/rc.d # setkey -DP
192.168.100.107[1701] 192.168.100.109[any] udp
in ipsec
esp/transport//unique:1
created: Feb 4 23:45:48 2021 lastused: Feb 4 23:45:48 2021
lifetime: 9223372036854775807(s) validtime: 0(s)
spid=65 seq=1 pid=5278 scope=global
refcnt=1
192.168.100.109[any] 192.168.100.107[1701] udp
out ipsec
esp/transport//unique:1
created: Feb 4 23:45:48 2021 lastused: Feb 4 23:51:39 2021
lifetime: 9223372036854775807(s) validtime: 0(s)
spid=66 seq=0 pid=5278 scope=global
refcnt=2
root@bsdtest2:/usr/local/etc/rc.d #

root@bsdtest2:/usr/local/etc/rc.d # netstat -rn4
Routing tables

Internet:
Destination Gateway Flags Netif Expire
default 192.168.100.1 UGS hn0
127.0.0.1 link#1 UH lo0
192.168.1.0/24 192.168.1.1 UGS ng0
192.168.1.1 link#3 UH ng0
192.168.10.110 link#3 UHS lo0
192.168.100.0/24 link#2 U hn0
192.168.100.109 link#2 UHS lo0
root@bsdtest2:/usr/local/etc/rc.d # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
hn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8051b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4,LRO,LINKSTATE>
ether 00:15:5d:40:99:1d
inet 192.168.100.109 netmask 0xffffff00 broadcast 192.168.100.255
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1450
inet 192.168.10.110 --> 192.168.1.1 netmask 0xffffffff
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
root@bsdtest2:/usr/local/etc/rc.d #
 
Thanks VladiBg for your detailed response, now I'm connected to the VPN!!!.

I still cannot reach the remote internal server, but that's a routing problem I'll try to figure out right now.
 
Nice to hear that.
Why do you need Layer2 tunnel? Do you use some multicast stream or some protocol that is not supported by your router? I would recommend you to switch to IKEv2 VPN and use L3 routing only.
 
Nice to hear that.
Why do you need Layer2 tunnel? Do you use some multicast stream or some protocol that is not supported by your router? I would recommend you to switch to IKEv2 VPN and use L3 routing only.
I don't know, the router's administrator sent me an instructive to connect from Windows using L2TP/IPsec. Is there an easier way?.
 
Sorry i was thinking that you are the administrator of that router. It's not easier way, it's just a different way with improved security. Now everyone is pushing towards migrating from IKEv1 to IKEv2 for IPSec as there's ongoing deprecation of IKEv1 and some security algorithms that was compromitted. Anyway it's up to the network admin to decide what should be used.
 
Back
Top