Cannot connect to Internet as a vpn client

CanvisMe

New Member

Reaction score: 1
Messages: 14

Hello, I'm studying in a university and have been using FreeBSD as my daily computer operating system for months. However, I cannot connect to the outside Internet via wired ethernet until now. There are two steps to set up a connection in my laboratory.
  • First, provide the static IPv4 address, netmask, defaultrouter and DNS server.
  • Second, set up an L2TP VPN client to the remote server. Every user should provide their own username and password.
The first step works fine, and I can browse the school's forum and other local websites; the trouble comes in the second step. According to some threads in the FreeBSD forum, I tried to use net/mpd5 and security/strongswan to configure a VPN client, but it failed in the end. The messages from mpd5 suggested that the connection was established for seconds and disconnected immediately. Maybe my configuration files were wrong, or the remote server does not support FreeBSD's connection? The same connection steps work fine in Windows and Ubuntu.

Here are some configuration files and other information about my network.

/etc/rc.conf:
Code:
ifconfig_re0_ipv6="inet6 accept_rtad"
ifconfig_re0="inet *.*.*.76 netmask *.*.*.*"
defaultrouter="*.*.*.169"

/etc/resolv.conf
Code:
nameserver *.*.*.*

/usr/local/etc/ipsec.conf
Code:
config setup
    strictcrlpolicy=no

conn l2tp_client
    keyexchange=ikev2
    type=transport
    leftfirewall=yes

    leftauth=eap-mschapv2
    left=%defaultroute
    leftprotoport=17/%any

    right=lns.*.*.*
    rightauth=pubkey
    rightsubnet=*.*.*.169
    rightprotoport=17/1701

    auto=route

/usr/local/etc/ipsec.secret
Code:
lns.*.*.* 21***@* : XAUTH "Jw***"
21***@* : XAUTH "Jw***"
21***@* : EAP "Jw***"
21***@* : NTLM "Jw***"
For my username and password, I used multiple entries for one account. Probably one entry is enough.

/usr/local/etc/mpd5/mpd.conf
Code:
startup:

default:
    load l2tp_client

l2tp_client:
    create bundle static B_l2tp
    set bundle enable compression
    set iface enable tcpmssfix
    set iface route default
    set iface mtu 1428

    create link static L_l2tp l2tp

    set link action bundle B_l2tp
    set link max-redial 5
    set link keep-alive 0 0
    set link yes acfcomp protocomp
    set link accept pap
    set link accept chap-msv2
    set link accept chap
    set link accept eap
    set auth authname "21***@*"
    set auth password "Jw***"
    set l2tp peer lns.*.*.*
    set l2tp disable dataseq
    set l2tp enable outcall

    open
/usr/local/etc/mpd5/mpd.secret
Code:
21***@*    "Jw***"

And here are some messages from the command mpd5 l2tp_client:
Code:
Multi-link PPP daemon for FreeBSD

process 4825 started, version 5.9
[B_l2tp] Bundle: Interface ng0 created
[L_l2tp] [L_l2tp] Link: OPEN event
[L_l2tp] LCP: Open event
[L_l2tp] LCP: state change Initial --> Starting
[L_l2tp] LCP: LayerStart
L2TP: Initiating control connection 0x80183f310 0.0.0.0 0 <-> 10.0.2.3 1701
L2TP: Control connection 0x80183f310 *.*.*.76 26062 <-> 10.0.2.3 1701 connected
ppp_l2tp_initiate: Operation not supported
[L_l2tp] Link: DOWN event
[L_l2tp] LCP: Down event
[L_l2tp] Link: reconnection attempt 1 in 3 seconds
L2TP: Control connection 0x80183f310 terminated: 8 ()
[L_l2tp] Link: reconnection attempt 1
L2TP: Initiating control connection 0x80183f610 0.0.0.0 0 <-> 10.0.2.3 1701
L2TP: Control connection 0x80183f610 *.*.*.76 22782 <-> 10.0.2.3 1701 connected
ppp_l2tp_initiate: Operation not supported
[L_l2tp] Link: DOWN event
[L_l2tp] LCP: Down event
[L_l2tp] Link: reconnection attempt 2 in 2 seconds
L2TP: Control connection 0x80183f610 terminated: 8 ()
[L_l2tp] Link: reconnection attempt 2

Following is some info about the Ubuntu and Windows VPN config.

Ubuntu l2tp vpn setup. I need to install network-manager-l2tp first to enable the GUI setting.
[Screenshots: ubun_static_ipv4.png, Ubun_vpn_info.png, ubun_l2tp.png]

Windows l2tp vpn setup.
[Screenshots: win10_vpn_in.png, win10_vpn_pro.png]
 

obsigna

Daemon

Reaction score: 859
Messages: 1,253

IKEv2 does not work in transport mode. L2TP/IPsec works in transport mode only, and you must use IKEv1. There might be other errors in your setup, however with the wrong IKE version in place, for now, troubleshooting does take you to the middle of nowhere.

Here comes a description of a working client/server setup using net/mpd5 in combination with security/strongswan.
https://forums.freebsd.org/threads/...vpn-client-with-mpd5-racoon.75359/post-462689

Also note that the most recent strongSwan by default no longer utilizes the simple configuration files for setting up the connections, although the simple ones do continue to work. For this you need to add the following line to /etc/rc.conf: strongswan_interface="stroke"
 
CanvisMe (OP)

New Member

Reaction score: 1
Messages: 14

Thanks for your reply, obsigna. I had read the threads you posted before, so the conf files were kind of in your style. Now I use IKEv1 and added strongswan_interface="stroke" to /etc/rc.conf; the result was the same. The output messages don't change.
 
CanvisMe (OP)

New Member

Reaction score: 1
Messages: 14

try to remove
set l2tp enable outcall and see what happens
Something changed. Here are some messages after running mpd5 l2tp_client:
Code:
Multi-link PPP daemon for FreeBSD

process 98443 started, version 5.9
[B_l2tp] Bundle: Interface ng0 created
[L_l2tp] [L_l2tp] Link: OPEN event
[L_l2tp] LCP: Open event
[L_l2tp] LCP: state change Initial --> Starting
[L_l2tp] LCP: LayerStart
L2TP: Initiating control connection 0x80183f310 0.0.0.0 0 <-> 10.0.2.3 1701
L2TP: Control connection 0x80183f310 *.*.*.76 47098 <-> 10.0.2.3 1701 connected
[L_l2tp] L2TP: Incoming call #250000 via control connection 0x80183f310 initiated
[L_l2tp] L2TP: call #250000 terminated: result=2 error=6 errmsg="control connection closing"
[L_l2tp] Link: DOWN event
[L_l2tp] LCP: Down event
[L_l2tp] Link: reconnection attempt 1 in 1 seconds
L2TP: Control connection 0x80183f310 terminated: 8 ()
[L_l2tp] Link: reconnection attempt 1
L2TP: Initiating control connection 0x80183f610 0.0.0.0 0 <-> 10.0.2.3 1701
L2TP: Control connection 0x80183f610 *.*.*.76 37978 <-> 10.0.2.3 1701 connected
[L_l2tp] L2TP: Incoming call #250001 via control connection 0x80183f610 initiated
[L_l2tp] L2TP: call #250001 terminated: result=2 error=6 errmsg="control connection closing"
[L_l2tp] Link: DOWN event
[L_l2tp] LCP: Down event
[L_l2tp] Link: reconnection attempt 2 in 2 seconds
L2TP: Control connection 0x80183f610 terminated: 8 ()
[L_l2tp] Link: reconnection attempt 2
 

covacat

Well-Known Member

Reaction score: 171
Messages: 369

l2tp config seems ok
if you have any firewall disable it
try to build mpd5 from ports (i had some problems when kernel and userland ng went a bit out of sync) (minor binary release upgrade)
 
CanvisMe (OP)

New Member

Reaction score: 1
Messages: 14

Thanks, I didn't enable a firewall in /etc/rc.conf. Here is my firewall status:
Code:
~ service pf onestatus
pf.ko is not loaded
~ service ipfw onestatus
ipfw is not enabled
~ service ipfilter onestatus
~
Then I rebuilt net/mpd5 via ports-mgmt/portmaster and enabled NG_IPACCT, which was OFF before; the results were the same.
 

covacat

Well-Known Member

Reaction score: 171
Messages: 369

tested the exact l2tp client config with mpd5 and it works (LNS same mpd5)
try to tcpdump -vvv udp 1701 from lac to lns and see if you can get some more info
and maximize mpd5 debug level

other than that have no idea
 

keilecpod

New Member

Reaction score: 1
Messages: 2

Hi, I also recently entered the university and am studying working with networks. And I had a similar problem when I tried to set up proxy servers for a project at the university myself. I have been looking for a solution to this problem for a long time. I thought that I wrote something wrong in the server config. And it turns out that I used low-quality proxy servers. After I was prompted to use paid proxies and showed a detailed guide on setting up servers, everything began to work out. Well, as for the VPN setup, I can't say for sure. I hope you can solve this problem.
 
CanvisMe (OP)

New Member

Reaction score: 1
Messages: 14

Some config files changed in my latest test.

/usr/local/etc/ipsec.conf
Code:
config setup
    uniqueids = yes
    charondebug="ike 1, knl 1, cfg 4"

conn l2tp_client
    keyexchange=ikev1
    type=transport
    leftauth=psk
    leftauth2=xauth
    leftid="21***@a"
    left=*.*.*.76
    leftsubnet=*.*.*.169/24
    leftprotoport=17/%any
    rightauth=psk
    rightid=%any
    right=lns.*.*.*
    rightprotoport=17/1701
    auto=start

/usr/local/etc/ipsec.secret is empty now, because I don't have a real PSK for authentication. The previous ipsec conf was wrong: when I ran ipsec start or something related to ipsec, it resulted in an unsupported operation. And referring to the config on macOS from the school BBS, the GUI settings of L2TP left the PSK empty for machine identification; the user's info was still needed.

/usr/local/etc/mpd5/mpd.conf
Code:
startup:
    log +ALL +EVENTS -FRAME -ECHO

default:
    load l2tp_client

l2tp_client:
    create bundle static B_l2tp
    set bundle enable compression
    set iface enable tcpmssfix
    set iface route *.*.*.169
    set iface mtu 1500

    set ipcp yes vjcomp
    set ccp yes mppc
    set mppc yes e128
    set mppc yes stateless

    create link static L_l2tp l2tp
    set link action bundle B_l2tp
    set link max-redial 5
    set link keep-alive 0 0
    set link yes acfcomp protocomp
    set link accept pap
    set link accept chap-msv2
    set link accept chap
    set link accept eap

    set auth authname "21***@a"
    set auth password "Jw***"
    set l2tp peer lns.*.*.*
    set l2tp disable dataseq
    open

Running mpd5 l2tp_client:
Code:
Multi-link PPP daemon for FreeBSD

process 77828 started, version 5.9
EVENT: Registering event EVENT_READ MsgEvent() at msg.c:77
EVENT: Registering event EVENT_READ MsgEvent() done at msg.c:77
[B_l2tp] Bundle: Interface ng0 created
EVENT: Message 1 to LinkMsg() sent
[L_l2tp] EVENT: Processing event EVENT_TIMEOUT ConfigRead() done
EVENT: Processing event EVENT_READ MsgEvent()
EVENT: Message 1 to LinkMsg() received
[L_l2tp] Link: OPEN event
[L_l2tp] LCP: Open event
[L_l2tp] LCP: state change Initial --> Starting
[L_l2tp] LCP: LayerStart
EVENT: Message 1 to PhysMsg() sent
EVENT: Message 1 to LinkMsg() processed
EVENT: Message 1 to PhysMsg() received
[L_l2tp] device: OPEN event
L2TP: ppp_l2tp_ctrl_create invoked
L2TP: Initiating control connection 0x80183f310 0.0.0.0 0 <-> 10.0.2.3 1701
L2TP: Control connection 0x80183f310 *.*.*.76 31199 <-> 10.0.2.3 1701 initiated
L2TP: ppp_l2tp_ctrl_initiate invoked
L2TP: XMIT [MESSAGE_TYPE SCCRQ] [HOST_NAME "******"] [VENDOR_NAME "FreeBSD MPD"] [BEARER_CAPABILITIES digital=1 analog=1] [RECEIVE_WINDOW_SIZE 8] [PROTOCOL_VERSION 1.0] [FRAMING_CAPABILITIES sync=1 async=1] [ASSIGNED_TUNNEL_ID 0xe777]
EVENT: Message 1 to PhysMsg() processed
EVENT: Processing event EVENT_READ MsgEvent() done
EVENT: Processing event EVENT_READ MsgEvent()
EVENT: Processing event EVENT_READ MsgEvent() done
L2TP: RECV [MESSAGE_TYPE SCCRP] [PROTOCOL_VERSION 1.0] [HOST_NAME "***"] [FRAMING_CAPABILITIES sync=1 async=0] [ASSIGNED_TUNNEL_ID 0xc2e6] [FIRMWARE_REVISION 0x0001] [VENDOR_NAME "***"]
L2TP: rec'd SCCRP in state wait-ctl-reply
L2TP: connected to "***", version=1.0
L2TP: XMIT [MESSAGE_TYPE SCCCN] [HOST_NAME "******"] [VENDOR_NAME "FreeBSD MPD"] [BEARER_CAPABILITIES digital=1 analog=1] [RECEIVE_WINDOW_SIZE 8] [PROTOCOL_VERSION 1.0] [FRAMING_CAPABILITIES sync=1 async=1] [ASSIGNED_TUNNEL_ID 0xe777]
L2TP: Control connection 0x80183f310 *.*.*.76 31199 <-> 10.0.2.3 1701 connected
L2TP: ppp_l2tp_initiate invoked, ctrl=0x80183f310 out=0
L2TP: created new session #6800000 id 0xe569 orig=local side=LAC state=wait-cs-reply
L2TP: XMIT [MESSAGE_TYPE ICRQ] [ASSIGNED_SESSION_ID 0xe569] [CALL_SERIAL_NUMBER 6800000]
[L_l2tp] L2TP: Incoming call #6800000 via control connection 0x80183f310 initiated
L2TP: ppp_l2tp_connected invoked, sess=0x801868010
L2TP: RECV [MESSAGE_TYPE StopCCN] [ASSIGNED_TUNNEL_ID 0xc2e6] [RESULT_CODE result=2 error=8 errmsg=""]
L2TP: rec'd StopCCN in state established
[L_l2tp] L2TP: call #6800000 terminated: result=2 error=6 errmsg="control connection closing"
[L_l2tp] device: DOWN event
[L_l2tp] Link: DOWN event
EVENT: Starting timer "PhysOpen" LinkReopenTimeout() for 3000 ms at link.c:278
EVENT: Registering event EVENT_TIMEOUT TimerExpires() at timer.c:50
EVENT: Registering event EVENT_TIMEOUT TimerExpires() done at timer.c:50
[L_l2tp] LCP: Down event
[L_l2tp] Link: reconnection attempt 1 in 3 seconds
 

covacat

Well-Known Member

Reaction score: 171
Messages: 369

is ipsec working ?
setkey -D and setkey -DP output
Code:
#setkey -DP
XX.97.169.105[63379] 10.1.1.1[1701] udp
    in ipsec
    esp/transport//unique:11
    created: Jun  3 11:06:24 2021  lastused: Jun  3 11:06:24 2021
    lifetime: 9223372036854775807(s) validtime: 0(s)
    spid=523 seq=1 pid=15282 scope=global
    refcnt=1
10.1.1.1[1701] XX.97.169.105[63379] udp
    out ipsec
    esp/transport//unique:11
    created: Jun  3 11:06:24 2021  lastused: Jun  3 11:06:24 2021
    lifetime: 9223372036854775807(s) validtime: 0(s)
    spid=524 seq=0 pid=15282 scope=global
    refcnt=2
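The check covacat asks for above (do the in and out transport-mode ESP policies for UDP/1701 exist?) can be scripted. This is an added example, not code from the thread; the embedded SPD text is constructed to match the shape of the `setkey -DP` output quoted above, and on a real host you would pipe `setkey -DP` into the function instead.

```shell
#!/bin/sh
# Added example: verify that the SPD contains an esp/transport policy in each
# direction for the L2TP port. Constructed sample in the shape of `setkey -DP`
# output on FreeBSD (addresses are placeholders, not real hosts).
SAMPLE_SPD='XX.97.169.105[63379] 10.1.1.1[1701] udp
    in ipsec
    esp/transport//unique:11
    created: Jun  3 11:06:24 2021  lastused: Jun  3 11:06:24 2021
    spid=523 seq=1 pid=15282 scope=global
10.1.1.1[1701] XX.97.169.105[63379] udp
    out ipsec
    esp/transport//unique:11
    created: Jun  3 11:06:24 2021  lastused: Jun  3 11:06:24 2021
    spid=524 seq=0 pid=15282 scope=global'

# l2tp_spd_check PORT   (reads setkey -DP output on stdin)
# Prints "ok" and returns 0 when both "in" and "out" have an esp/transport
# policy whose selector mentions [PORT]; otherwise names the missing
# direction(s) and returns 1.
l2tp_spd_check() {
    port="$1"
    awk -v port="$port" '
        # Selector lines start in column 1: "src[port] dst[port] proto".
        /^[^ \t]/ { sel = $0; dir = ""; next }
        # The direction line follows the selector: "in ipsec" / "out ipsec".
        $1 == "in" || $1 == "out" { dir = $1; next }
        # Count a policy only if it is transport-mode ESP for our port.
        /esp\/transport/ && dir != "" && sel ~ ("\\[" port "\\]") { seen[dir] = 1 }
        END {
            missing = ""
            if (!seen["in"])  missing = missing " in"
            if (!seen["out"]) missing = missing " out"
            if (missing == "") { print "ok"; exit 0 }
            print "missing esp/transport policy for udp/" port ":" missing
            exit 1
        }'
}

# Stand-alone run against the constructed sample; on a real host use:
#   setkey -DP | l2tp_spd_check 1701
printf '%s\n' "$SAMPLE_SPD" | l2tp_spd_check 1701
```

If the SPD check passes but `setkey -D` still shows no SAD entries, IKE never negotiated the SAs, so the next thing to read is the charon log rather than mpd5's.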
 
CanvisMe (OP)

New Member

Reaction score: 1
Messages: 14

When I ran ipsec restart:
Code:
Stopping strongSwan IPsec...
Starting strongSwan 5.9.2 IPsec [starter]...

ipsec status:
Code:
Security Associations (0 up, 1 connecting):
 l2tp_client[1]: CONNECTING, *.*.*.76[%any]...10.0.2.3[%any]
But it will not connect successfully via ipsec, because I didn't fill in the user's info.

For setkey -D:
No SAD entries.

setkey -DP:
No SAD entries.
 

covacat

Well-Known Member

Reaction score: 171
Messages: 369

l2tp might not progress / work any further without ipsec (server might block unencrypted packets)
you can add your creds in ipsec.secrets
dave : XAUTH "ryftzG4A"
 
CanvisMe (OP)

New Member

Reaction score: 1
Messages: 14

Added user info to /usr/local/etc/ipsec.secrets, ran ipsec reload.

For ipsec statusall:
Code:
Status of IKE charon daemon (strongSwan 5.9.2, FreeBSD 13.0-STABLE, amd64):
  uptime: 38 minutes, since Jun 03 16:31:08 2021
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon ldap aes des blowfish rc2 sha2 sha1 md4 md5 ...
Listening IP addresses:
Connections:
 l2tp_client:  *.*.*.76...lns.*.*.*  IKEv1
 l2tp_client:   local:  [21***@a] uses pre-shared key authentication
 l2tp_client:   local:  [21***@a] uses XAuth authentication: any
 l2tp_client:   remote: uses pre-shared key authentication
 l2tp_client:   child:  *.*.*.0/24[udp] === dynamic[udp/l2f] TRANSPORT
Security Associations (0 up, 1 connecting):
 l2tp_client[2]: CONNECTING, *.*.*.76[%any]...10.0.2.3[%any]
 l2tp_client[2]: IKEv1 SPIs: 41b72cbabd5de722_i* 0000000000000000_r
 l2tp_client[2]: Tasks queued: QUICK_MODE
 l2tp_client[2]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD

Then ipsec status:
Code:
Security Associations (0 up, 0 connecting):
  none

And running mpd5 l2tp_client resulted in the same.
 
CanvisMe (OP)

New Member

Reaction score: 1
Messages: 14

Even though I added rightauth2=xauth in /usr/local/etc/ipsec.conf, it didn't work.
 

covacat

Well-Known Member

Reaction score: 171
Messages: 369

are you sure you need xauth ?
try with an empty shared key and remove xauth
: PSK ""
and post ipsec logs
 
CanvisMe (OP)

New Member

Reaction score: 1
Messages: 14

No, I'm not sure, I just tried. Running ipsec reload, the /var/log/daemon.log outputs:
11[IKE] establishing IKE_SA failed, peer not responding.
 

VladiBG

Daemon

Reaction score: 510
Messages: 1,112

 
CanvisMe (OP)

New Member

Reaction score: 1
Messages: 14

Ok, I found out that the connection should use l2tp without ipsec. So is there any way to accomplish it? Using net/mpd5 still generated the same error messages.
 