Solved FreeBSD 12.1-RELEASE - L2TP/IPSEC VPN Client with MPD5/Racoon

Guitardood

New Member


Messages: 2

Hello,
I have two servers at two different locations running FreeBSD-12.1-RELEASE, L2TP/IPSEC VPN servers with Racoon & MPD5. They both work great and allow MAC/Windows/iPhones to connect.

I'm also trying to set up Server A to do a connect to Server B as an L2TP/IPSEC Client and not having any luck.

The server side always fails with:
Code:
2020-05-11 00:07:36: INFO: IPsec-SA request for CLIENT_IP queued due to no phase1 found.
2020-05-11 00:07:36: INFO: initiate new phase 1 negotiation: SERVER_IP[1701]<=>CLIENT_IP[500]
2020-05-11 00:07:36: INFO: begin Identity Protection mode.
2020-05-11 00:07:36: ERROR: phase1 negotiation failed due to send error. 925f85091ae7bf65:0000000000000000
2020-05-11 00:07:36: ERROR: failed to begin ipsec sa negotication.

in the server side's racoon.log file, nothing in the client's racoon.log file and:
Code:
May 11 00:07:11 SERVER 1 2020-05-11T00:07:11.528698-05:00 SERVER_IP mpd 23002 - - Incoming L2TP packet from CLIENT_IP 20503
May 11 00:07:18 SERVER 1 2020-05-11T00:07:18.575075-05:00 SERVER_IP mpd 23002 - - L2TP: Control connection 0x800ce9610 destroyed
May 11 00:08:11 SERVER 1 2020-05-11T00:08:11.530067-05:00 SERVER_IP mpd 23002 - - L2TP: Control connection 0x800ce9310 terminated: 6 (expecting reply; none received)
in the server's MPD log file and:
Code:
May 11 00:10:17 CLIENT 1 2020-05-11T00:10:17.950213-05:00 CLIENT_IP mpd 31589 - - L2TP: Initiating control connection 0x800ce0910 CLIENT_IP 0 <-> SERVER_IP 1701
May 11 00:10:26 CLIENT 1 2020-05-11T00:10:26.927657-05:00 CLIENT_IP mpd 31589 - - L2TP: Control connection 0x800ce0610 destroyed
May 11 00:11:17 CLIENT 1 2020-05-11T00:11:17.955815-05:00 CLIENT_IP mpd 31589 - - L2TP: Control connection 0x800ce0910 terminated: 6 (expecting reply; none received)
in the client's MPD log file.


The MPD.CONF entry for the client is:
Code:
l2tp_client:
    create bundle static B_CLIENT
    set iface up-script /usr/local/etc/mpd5/mpd.ifup
    set iface down-script /usr/local/etc/mpd5/mpd.ifdown
    set iface enable netflow-in
    set iface enable netflow-out
    set iface enable ipacct
    set iface enable proxyarp
    set iface enable tcpmssfix
    set ipcp yes vjcomp
    set ipcp ranges 0.0.0.0/0 0.0.0.0/0
    set bundle enable compression
    set ccp yes mppc
    set mppc yes e40
    set mppc yes e128
    set mppc yes stateless
    create link static L_CLIENT l2tp
    set link action bundle B_CLIENT
    set link max-redial 0
    set link mtu 1400
    set link keep-alive 20 75
    set link enable acfcomp protocomp
    set link accept acfcomp protocomp
    set link no pap chap eap
    set link enable chap-msv2
    set link enable chap
    set link accept chap-msv2
    set link accept chap
    set auth authname "USERID"
    set auth password "PASSWORD"
    set l2tp self CLIENT_IP
    set l2tp peer SERVER_IP
    open

The racoon.conf files on both sides are almost identical, except that SERVER_IP corresponds to the correct IP on each side, and contain:
Code:
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

listen
{
    # REPLACE w.x.y.z with the IP address racoon will listen on (if NAT translated, this is the INSIDE IP)
    isakmp     SERVER_IP [500];
    isakmp     SERVER_IP [7001];
    isakmp_natt      SERVER_IP [4500];
    # NOTE, you can specify multiple IPs to listen on
    #isakmp    p.q.r.s [500];
    #isakmp_natt      p.q.r.s [4500];
    #strict_address;
}
timer
{
    natt_keepalive  0 secs;
}
remote anonymous
{
    exchange_mode    main;
    passive   off;
    proposal_check   obey;
    support_proxy    off;
    nat_traversal    force;
    ike_frag     off;
    dpd_delay   20;

    proposal
    {
        encryption_algorithm  aes;
        hash_algorithm  sha1;
        authentication_method pre_shared_key;
        dh_group          modp2048;
    }

    proposal
    {
        encryption_algorithm  3des;
        hash_algorithm  sha1;
        authentication_method pre_shared_key;
        dh_group          modp2048;
    }
}
sainfo anonymous
{
    encryption_algorithm     aes,3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm    deflate;
    pfs_group       modp2048;
}

and finally the setkey.conf file on each side is:
Code:
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in  ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;

Can anyone help or point to a sample L2TP/IPSEC Client configuration using MPD5/Racoon?

Any help greatly appreciated.

Best,
Guitardood
 

obsigna

Daemon

Reaction score: 865
Messages: 1,264

I utilize net/mpd5 together with security/strongswan for setting up L2TP/IPsec connections. I abandoned racoon some years ago in favor of strongSwan because the latter is very well maintained and came with fewer obstacles and flaws. That said, I cannot suggest very much about your IPsec configuration. Here comes only my working MPD5/strongSwan setup:

Server side:
/usr/local/etc/ipsec.conf
Code:
conn L2TP/IPsec-PSK
   keyexchange = ikev1
   type = transport
   ike = aes256-sha1-modp1024

   leftauth = psk
   left = %defaultroute
   leftprotoport=17/1701

   rightauth = psk
   right = %any
   rightprotoport=17/%any

   auto = add
/usr/local/etc/mpd5/mpd.conf
Code:
startup:
# configure mpd users
    set user admin <PASSWORD> admin
# configure the console
    set console self 127.0.0.1 5005
    set console open
# configure the web server
    set web self 10.0.1.1 5006
    set web open

default:
    load l2tp_server

l2tp_server:
# Define dynamic IP address pool -- 10.0.1.160/28
    set ippool add pool_l2tp 10.0.1.161 10.0.1.174

# Create clonable bundle template named B_l2tp
    create bundle template B_l2tp
    set bundle enable compression
    set iface enable proxy-arp
    set iface enable tcpmssfix
    set iface mtu 1280

# Specify IP address pool for dynamic assignment
    set ipcp yes vjcomp
    set ipcp dns 10.0.1.1
    set ipcp ranges 10.0.1.1/32 ippool pool_l2tp

# Create clonable link template named L_l2tp
    create link template L_l2tp l2tp
    set link action bundle B_l2tp
    set link keep-alive 0 0
    set link yes acfcomp protocomp
    set link no pap chap eap
    set link enable chap-msv2

# Configure L2TP
    set l2tp self 0.0.0.0
    set l2tp disable dataseq

# Allow to accept calls
    set link enable incoming

Client side:
/usr/local/etc/ipsec.conf
Code:
conn L2TP/IPsec-Client
   keyexchange = ikev1
   type = transport

   leftauth = psk
   left = %defaultroute
   leftprotoport=17/%any

   rightauth = psk
   rightid = %any
   right = example.com
   rightprotoport=17/1701

   auto = start
/usr/local/etc/mpd5/mpd.conf
Code:
startup:

default:
    load l2tp_client

l2tp_client:
# Create a static bundle named B_l2tp
    create bundle static B_l2tp
    set bundle enable compression
    set iface enable tcpmssfix
    set iface mtu 1280
    set iface route 10.0.0.0/8

    set ipcp yes vjcomp
    set ipcp ranges 0.0.0.0/0 10.0.0.0/8

# Create a static link named L_l2tp
    create link static L_l2tp l2tp
    set link action bundle B_l2tp

    set auth authname <USERNAME>
    set auth password <PASSWORD>

    set link max-redial 0
    set link keep-alive 0 0
    set link yes acfcomp protocomp

    set l2tp peer example.com
    set l2tp disable dataseq
    set l2tp enable outcall

    open

The connection script on the client side:
~/bin/vpn
Bash:
#!/bin/sh
# Resolve the VPN server name ($1) to its IPv4 address, so that a host route
# to it can stay on the LAN gateway while the default route moves into the tunnel.
RIP=$(/usr/bin/host "$1" | /usr/bin/sed -n "/$1 has address /{s///;p;}")

if [ -z "$RIP" ]; then
   echo "could not resolve $1" >&2
   exit 1
fi

# "=" is the POSIX string comparison for /bin/sh's test; "==" is not portable.
if [ "$2" = "stop" ] && [ -e /var/run/charon.pid ]; then
   service mpd5 onestop
   service strongswan onestop
   route delete "$RIP"
   route delete default
   route add default 192.168.0.1
elif [ "$2" = "start" ] && [ ! -e /var/run/charon.pid ]; then
   service strongswan onestart
   service mpd5 onestart
   sleep 5
   # keep the IKE/ESP traffic to the server on the LAN gateway,
   # then send everything else through the L2TP interface
   route add "$RIP" 192.168.0.1
   route delete default
   route add default 10.0.1.1
else
   /usr/local/sbin/ipsec status "L2TP/IPsec-Client"
   netstat -4nr
fi
chmod +x ~/bin/vpn

Usage
vpn example.com (start|stop)
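The connection script above starts mpd5 and then waits a fixed 5 seconds before touching the routes. As an added example (not part of the thread or of mpd5/strongSwan), the function below instead checks strongSwan's `ipsec status <conn>` output for an ESTABLISHED IKE SA plus an INSTALLED, TRANSPORT child SA, so the L2TP control connection is only brought up once ESP actually protects UDP/1701. The status output format and the `L2TP/IPsec-Client` sample are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: gate mpd5 on the IPsec transport SA being installed.
# Assumes strongSwan's "ipsec status CONN" output; sample lines are constructed.

# sa_installed CONN  (reads status output on stdin)
# Returns 0 when CONN shows an ESTABLISHED IKE SA and an INSTALLED, TRANSPORT
# child SA, 1 otherwise (e.g. still CONNECTING, or no SA at all).
sa_installed() {
    conn="$1"
    out=$(cat)
    # IKE SA line looks like:  CONN[1]: ESTABLISHED 12 seconds ago, ...
    printf '%s\n' "$out" | grep -q "^${conn}\[[0-9]*\]: ESTABLISHED" || return 1
    # child SA line looks like: CONN{1}:  INSTALLED, TRANSPORT, reqid 1, ...
    printf '%s\n' "$out" | grep -q "^${conn}{[0-9]*}: *INSTALLED, TRANSPORT" || return 1
    return 0
}

# wait_for_sa CONN [TIMEOUT_SECS]
# Polls "ipsec status CONN" once per second; 0 when the SA is up, 1 on timeout.
# Intended to replace the fixed "sleep 5" before "service mpd5 onestart".
wait_for_sa() {
    conn="$1"; left="${2:-30}"
    while [ "$left" -gt 0 ]; do
        if /usr/local/sbin/ipsec status "$conn" | sa_installed "$conn"; then
            return 0
        fi
        sleep 1
        left=$((left - 1))
    done
    return 1
}

# Constructed sample outputs (documentation-range addresses, not real peers).
SAMPLE_UP='Security Associations (1 up, 0 connecting):
L2TP/IPsec-Client[1]: ESTABLISHED 12 seconds ago, 192.0.2.10[192.0.2.10]...203.0.113.5[203.0.113.5]
L2TP/IPsec-Client{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c0a8fe01_i c0a8fe02_o
L2TP/IPsec-Client{1}:   192.0.2.10/32[udp] === 203.0.113.5/32[udp/l2tp]'
SAMPLE_CONNECTING='Security Associations (0 up, 1 connecting):
L2TP/IPsec-Client[2]: CONNECTING, 192.0.2.10[%any]...203.0.113.5[%any]'
```

In the `vpn` script, `wait_for_sa "L2TP/IPsec-Client" 30 || exit 1` would sit between `service strongswan onestart` and `service mpd5 onestart`.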

Guitardood

New Member


Messages: 2

obsigna,
Not exactly what I asked for, but exactly what I needed. Thanks a million!!!!

Best,
Guitardood