Solved FreeBSD 12.1-RELEASE - L2TP/IPSEC VPN Client with MPD5/Racoon

Hello,
I have two servers at two different locations running FreeBSD-12.1-RELEASE, L2TP/IPSEC VPN servers with Racoon & MPD5. They both work great and allow MAC/Windows/iPhones to connect.

I'm also trying to set up Server A to connect to Server B as an L2TP/IPSEC client, and I'm not having any luck.

The server side always fails with:
Code:
2020-05-11 00:07:36: INFO: IPsec-SA request for CLIENT_IP queued due to no phase1 found.
2020-05-11 00:07:36: INFO: initiate new phase 1 negotiation: SERVER_IP[1701]<=>CLIENT_IP[500]
2020-05-11 00:07:36: INFO: begin Identity Protection mode.
2020-05-11 00:07:36: ERROR: phase1 negotiation failed due to send error. 925f85091ae7bf65:0000000000000000
2020-05-11 00:07:36: ERROR: failed to begin ipsec sa negotication.

in the server side's racoon.log file, nothing in the client's racoon.log file and:
Code:
May 11 00:07:11 SERVER 1 2020-05-11T00:07:11.528698-05:00 SERVER_IP mpd 23002 - - Incoming L2TP packet from CLIENT_IP 20503
May 11 00:07:18 SERVER 1 2020-05-11T00:07:18.575075-05:00 SERVER_IP mpd 23002 - - L2TP: Control connection 0x800ce9610 destroyed
May 11 00:08:11 SERVER 1 2020-05-11T00:08:11.530067-05:00 SERVER_IP mpd 23002 - - L2TP: Control connection 0x800ce9310 terminated: 6 (expecting reply; none received)
in the server's MPD log file and:
Code:
May 11 00:10:17 CLIENT 1 2020-05-11T00:10:17.950213-05:00 CLIENT_IP mpd 31589 - - L2TP: Initiating control connection 0x800ce0910 CLIENT_IP 0 <-> SERVER_IP 1701
May 11 00:10:26 CLIENT 1 2020-05-11T00:10:26.927657-05:00 CLIENT_IP mpd 31589 - - L2TP: Control connection 0x800ce0610 destroyed
May 11 00:11:17 CLIENT 1 2020-05-11T00:11:17.955815-05:00 CLIENT_IP mpd 31589 - - L2TP: Control connection 0x800ce0910 terminated: 6 (expecting reply; none received)
in the client's MPD log file.


The MPD.CONF entry for the client is:
Code:
l2tp_client:
    create bundle static B_CLIENT
    set iface up-script /usr/local/etc/mpd5/mpd.ifup
    set iface down-script /usr/local/etc/mpd5/mpd.ifdown
    set iface enable netflow-in
    set iface enable netflow-out
    set iface enable ipacct
    set iface enable proxyarp
    set iface enable tcpmssfix
    set ipcp yes vjcomp
    set ipcp ranges 0.0.0.0/0 0.0.0.0/0
    set bundle enable compression
    set ccp yes mppc
    set mppc yes e40
    set mppc yes e128
    set mppc yes stateless
    create link static L_CLIENT l2tp
    set link action bundle B_CLIENT
    set link max-redial 0
    set link mtu 1400
    set link keep-alive 20 75
    set link enable acfcomp protocomp
    set link accept acfcomp protocomp
    set link no pap chap eap
    set link enable chap-msv2
    set link enable chap
    set link accept chap-msv2
    set link accept chap
    set auth authname "USERID"
    set auth password "PASSWORD"
    set l2tp self CLIENT_IP
    set l2tp peer SERVER_IP
    open

The racoon.conf files on both sides are almost identical, except that SERVER_IP corresponds to the correct IP on each side, and contain:
Code:
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

listen
{
    # REPLACE w.x.y.z with the IP address racoon will listen on (if NAT translated, this is the INSIDE IP)
    isakmp     SERVER_IP [500];
    isakmp     SERVER_IP [7001];
    isakmp_natt      SERVER_IP [4500];
    # NOTE, you can specify multiple IPs to listen on
    #isakmp    p.q.r.s [500];
    #isakmp_natt      p.q.r.s [4500];
    #strict_address;
}
timer
{
    natt_keepalive  0 secs;
}
remote anonymous
{
    exchange_mode    main;
    passive   off;
    proposal_check   obey;
    support_proxy    off;
    nat_traversal    force;
    ike_frag     off;
    dpd_delay   20;

    proposal
    {
        encryption_algorithm  aes;
        hash_algorithm  sha1;
        authentication_method pre_shared_key;
        dh_group          modp2048;
    }

    proposal
    {
        encryption_algorithm  3des;
        hash_algorithm  sha1;
        authentication_method pre_shared_key;
        dh_group          modp2048;
    }
}
sainfo anonymous
{
    encryption_algorithm     aes,3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm    deflate;
    pfs_group       modp2048;
}

and finally the setkey.conf file on each side is:
Code:
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in  ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;

Can anyone help or point to a sample L2TP/IPSEC Client configuration using MPD5/Racoon?

Any help greatly appreciated.

Best,
Guitardood
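An added check, not from the thread, that replays the flows visible in the logs above against the quoted setkey policies: the server's mpd log shows the client sending from ephemeral port 20503, which the client's out policy (source port 1701) never matches, while the same packet does match the server's in policy and so makes racoon on the server initiate phase 1. It assumes that port [0] is the any-port wildcard as in setkey(8); the addresses and the alternative client-side policy pair in fixed_spd() are constructed for illustration.

```python
"""Match UDP flows against the setkey SPD entries quoted in the post."""
import ipaddress

# The two spdadd lines from the post: (src_net, src_port, dst_net, dst_port, dir).
# Port 0 is the wildcard, as in setkey(8) (assumption of this example).
SPD = [
    ("0.0.0.0/0", 0, "0.0.0.0/0", 1701, "in"),
    ("0.0.0.0/0", 1701, "0.0.0.0/0", 0, "out"),
]

def policy_for(src, sport, dst, dport, direction, spd=SPD):
    """Return the first SPD entry matching a UDP flow, or None (no ESP required)."""
    for s_net, s_port, d_net, d_port, d_dir in spd:
        if d_dir != direction:
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(s_net):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(d_net):
            continue
        if s_port not in (0, sport) or d_port not in (0, dport):
            continue
        return (s_net, s_port, d_net, d_port, d_dir)
    return None

# Constructed documentation addresses standing in for CLIENT_IP / SERVER_IP.
CLIENT_IP, SERVER_IP = "198.51.100.10", "203.0.113.20"

def client_outbound_requires_esp():
    """Client mpd sends from an ephemeral port (20503 in the server log)."""
    return policy_for(CLIENT_IP, 20503, SERVER_IP, 1701, "out") is not None

def server_inbound_requires_esp():
    """The same packet seen on the server side, where it hits the 'in' rule."""
    return policy_for(CLIENT_IP, 20503, SERVER_IP, 1701, "in") is not None

def fixed_spd():
    """Client-side policy pair keyed on the peer's port 1701 (constructed)."""
    return [
        ("0.0.0.0/0", 0, "0.0.0.0/0", 1701, "out"),
        ("0.0.0.0/0", 1701, "0.0.0.0/0", 0, "in"),
    ]
```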
 
I utilize net/mpd5 together with security/strongswan for setting up L2TP/IPsec connections. I abandoned racoon some years ago in favor of strongSwan because the latter is very well maintained and came with fewer obstacles and flaws. That said, I cannot suggest very much about your IPsec configuration. Here is only my working MPD5/strongSwan setup:

Server side:
/usr/local/etc/ipsec.conf
Code:
conn L2TP/IPsec-PSK
   keyexchange = ikev1
   type = transport
   ike = aes256-sha1-modp1024

   leftauth = psk
   left = %defaultroute
   leftprotoport=17/1701

   rightauth = psk
   right = %any
   rightprotoport=17/%any

   auto = add
/usr/local/etc/mpd5/mpd.conf
Code:
startup:
# configure mpd users
    set user admin <PASSWORD> admin
# configure the console
    set console self 127.0.0.1 5005
    set console open
# configure the web server
    set web self 10.0.1.1 5006
    set web open

default:
    load l2tp_server

l2tp_server:
# Define dynamic IP address pool -- 10.0.1.160/28
    set ippool add pool_l2tp 10.0.1.161 10.0.1.174

# Create clonable bundle template named B_l2tp
    create bundle template B_l2tp
    set bundle enable compression
    set iface enable proxy-arp
    set iface enable tcpmssfix
    set iface mtu 1280

# Specify IP address pool for dynamic assigment
    set ipcp yes vjcomp
    set ipcp dns 10.0.1.1
    set ipcp ranges 10.0.1.1/32 ippool pool_l2tp

# Create clonable link template named L_l2tp
    create link template L_l2tp l2tp
    set link action bundle B_l2tp
    set link keep-alive 0 0
    set link yes acfcomp protocomp
    set link no pap chap eap
    set link enable chap-msv2

# Configure L2TP
    set l2tp self 0.0.0.0
    set l2tp disable dataseq

# Allow to accept calls
    set link enable incoming

Client side:
/usr/local/etc/ipsec.conf
Code:
conn L2TP/IPsec-Client
   keyexchange = ikev1
   type = transport

   leftauth = psk
   left = %defaultroute
   leftprotoport=17/%any

   rightauth = psk
   rightid = %any
   right = example.com
   rightprotoport=17/1701

   auto = start
/usr/local/etc/mpd5/mpd.conf
Code:
startup:

default:
    load l2tp_client

l2tp_client:
# Create a static bundle named B_l2tp
    create bundle static B_l2tp
    set bundle enable compression
    set iface enable tcpmssfix
    set iface mtu 1280
    set iface route 10.0.0.0/8

    set ipcp yes vjcomp
    set ipcp ranges 0.0.0.0/0 10.0.0.0/8

# Create a static link named L_l2tp
    create link static L_l2tp l2tp
    set link action bundle B_l2tp

    set auth authname <USERNAME>
    set auth password <PASSWORD>

    set link max-redial 0
    set link keep-alive 0 0
    set link yes acfcomp protocomp

    set l2tp peer example.com
    set l2tp disable dataseq
    set l2tp enable outcall

    open

The connection script on the client side:
~/bin/vpn
Bash:
#!/bin/sh
# Resolve the VPN server name given as $1 to its IPv4 address
RIP=$(/usr/bin/host "$1" | /usr/bin/sed -n "/$1 has address /{s///;p;}")

if [ "$2" = "stop" ] && [ -e /var/run/charon.pid ]; then
   # Tear down L2TP and IPsec, then restore the LAN default route
   service mpd5 onestop
   service strongswan onestop
   route delete "$RIP"
   route delete default
   route add default 192.168.0.1
elif [ "$2" = "start" ] && [ ! -e /var/run/charon.pid ]; then
   # Bring up IPsec first, then L2TP; keep a host route to the server via the LAN gateway
   service strongswan onestart
   service mpd5 onestart
   sleep 5
   route add "$RIP" 192.168.0.1
   route delete default
   route add default 10.0.1.1
else
   # Any other invocation: show IPsec and routing status
   /usr/local/sbin/ipsec status "L2TP/IPsec-Client"
   netstat -4nr
fi

Make it executable:
Code:
chmod +x ~/bin/vpn

Usage:
Code:
vpn example.com (start|stop)
 
I followed everything in your article.
I also fixed the registry on my Windows 7 client.
I get error 789; it is not connecting.

Using FreeBSD 12.
What could be wrong?
 
Did you restart Windows after adding HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent:(DWORD)AssumeUDPEncapsulationContextOnSendRule = 2? This was recently an issue with a Windows 10 config. I forgot to restart after editing the registry. After the restart, it worked.

Did you enter the pre-shared key in the advanced configuration box?

What do the logs on the server tell?
 
I have Windows 7, and I did restart.
AssumeUDPEncapsulationContextOnSendRule=2 is in my registry.


/rc.conf
Code:
hostname="vpnproxy.local"
ifconfig_em0="inet 168.119.xxx.xxx netmask 255.255.255.128"
ifconfig_em1="inet 10.18.3.51 netmask 255.255.255.0"
defaultrouter="168.119.xxx.1"
sshd_enable="YES"
dumpdev="AUTO"
strongswan_enable="YES"
mpd_enable="YES"
gateway_enable="YES"

I am sorry. I can send you the root password and IP to check if you like. I did exactly what you said; I have been trying for 15 hours now :)))))))

I have two network interfaces:
em0 with public IP 168.119.xxx.xxx
em1 with internal IP 10.18.3.51

Can you tell me if my mpd.conf is correct?

Code:
default:
    load l2tp_server

l2tp_server:
# Define dynamic IP address pool --
    set ippool add pool_l2tp 10.18.3.52 10.18.3.60

# Create clonable bundle template named B_l2tp
    create bundle template B_l2tp
    set bundle enable compression
    set iface enable proxy-arp
    set iface enable tcpmssfix
    set iface mtu 1280

# Specify IP address pool for dynamic assigment
    set ipcp yes vjcomp
    set ipcp dns 8.8.8.8
    set ipcp ranges 10.18.3.51/32 ippool pool_l2tp

# Create clonable link template named L_l2tp
    create link template L_l2tp l2tp
    set link action bundle B_l2tp
    set link keep-alive 0 0
    set link yes acfcomp protocomp
    set link no pap chap eap
    set link enable chap-msv2

# Configure L2TP
    set l2tp self 0.0.0.0
    set l2tp disable dataseq

# Allow to accept calls
    set link enable incoming
 
The settings look good so far. Regarding error 789, this may indicate that the IPsec pre-shared keys don't match. Please verify again that the key which you put into the advanced configuration box matches that one on the server in /usr/local/etc/ipsec.secrets.

Another issue which belongs to common VPN understanding, but is forgotten quite frequently, is that we cannot establish a connection to a VPN server in the same network. In addition, the LAN subnets of the server and the client must be different. That means your Windows client must not initially have an IP address which belongs to 10.18.3.0/24, because it will get assigned an address of that subnet from the L2TP service, and routing simply won't work if the subnets are not different.

Verify that the firewalls on both sides allow UDP 500 and 4500. The firewall on the server side must be open for the ngX interfaces.

If nothing helps, then send me a private message via the forums conversation facility with the ssh credentials of your server, and then I may have a look.
 