Hello,
I have two servers at two different locations running FreeBSD-12.1-RELEASE, L2TP/IPSEC VPN servers with Racoon & MPD5. They both work great and allow Mac/Windows/iPhones to connect.
I'm also trying to set up Server A to connect to Server B as an L2TP/IPSEC Client and not having any luck.
The server side always fails with:
Code:
2020-05-11 00:07:36: INFO: IPsec-SA request for CLIENT_IP queued due to no phase1 found.
2020-05-11 00:07:36: INFO: initiate new phase 1 negotiation: SERVER_IP[1701]<=>CLIENT_IP[500]
2020-05-11 00:07:36: INFO: begin Identity Protection mode.
2020-05-11 00:07:36: ERROR: phase1 negotiation failed due to send error. 925f85091ae7bf65:0000000000000000
2020-05-11 00:07:36: ERROR: failed to begin ipsec sa negotication.
in the server side's racoon.log file, nothing in the client's racoon.log file and:
Code:
May 11 00:07:11 SERVER 1 2020-05-11T00:07:11.528698-05:00 SERVER_IP mpd 23002 - - Incoming L2TP packet from CLIENT_IP 20503
May 11 00:07:18 SERVER 1 2020-05-11T00:07:18.575075-05:00 SERVER_IP mpd 23002 - - L2TP: Control connection 0x800ce9610 destroyed
May 11 00:08:11 SERVER 1 2020-05-11T00:08:11.530067-05:00 SERVER_IP mpd 23002 - - L2TP: Control connection 0x800ce9310 terminated: 6 (expecting reply; none received)
Code:
May 11 00:10:17 CLIENT 1 2020-05-11T00:10:17.950213-05:00 CLIENT_IP mpd 31589 - - L2TP: Initiating control connection 0x800ce0910 CLIENT_IP 0 <-> SERVER_IP 1701
May 11 00:10:26 CLIENT 1 2020-05-11T00:10:26.927657-05:00 CLIENT_IP mpd 31589 - - L2TP: Control connection 0x800ce0610 destroyed
May 11 00:11:17 CLIENT 1 2020-05-11T00:11:17.955815-05:00 CLIENT_IP mpd 31589 - - L2TP: Control connection 0x800ce0910 terminated: 6 (expecting reply; none received)
The MPD.CONF entry for the client is:
Code:
l2tp_client:
        create bundle static B_CLIENT
        set iface up-script /usr/local/etc/mpd5/mpd.ifup
        set iface down-script /usr/local/etc/mpd5/mpd.ifdown
        set iface enable netflow-in
        set iface enable netflow-out
        set iface enable ipacct
        set iface enable proxyarp
        set iface enable tcpmssfix
        set ipcp yes vjcomp
        set ipcp ranges 0.0.0.0/0 0.0.0.0/0
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set mppc yes stateless

        create link static L_CLIENT l2tp
        set link action bundle B_CLIENT
        set link max-redial 0
        set link mtu 1400
        set link keep-alive 20 75
        set link enable acfcomp protocomp
        set link accept acfcomp protocomp
        set link no pap chap eap
        set link enable chap-msv2
        set link enable chap
        set link accept chap-msv2
        set link accept chap
        set auth authname "USERID"
        set auth password "PASSWORD"
        set l2tp self CLIENT_IP
        set l2tp peer SERVER_IP
        open
The racoon.conf files on both sides are almost identical, except that SERVER_IP corresponds to the correct IP on each side, and contain:
Code:
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

listen
{
        # REPLACE w.x.y.z with the IP address racoon will listen on (if NAT translated, this is the INSIDE IP)
        isakmp SERVER_IP [500];
        isakmp SERVER_IP [7001];
        isakmp_natt SERVER_IP [4500];
        # NOTE, you can specify multiple IPs to listen on
        #isakmp p.q.r.s [500];
        #isakmp_natt p.q.r.s [4500];
        #strict_address;
}

timer
{
        natt_keepalive 0 secs;
}

remote anonymous
{
        exchange_mode main;
        passive off;
        proposal_check obey;
        support_proxy off;
        nat_traversal force;
        ike_frag off;
        dpd_delay 20;
        proposal
        {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp2048;
        }
        proposal
        {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp2048;
        }
}

sainfo anonymous
{
        encryption_algorithm aes,3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        pfs_group modp2048;
}
and finally the setkey.conf file on each side is:
Code:
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
Can anyone help or point to a sample L2TP/IPSEC Client configuration using MPD5/Racoon?
Any help greatly appreciated.
Best,
Guitardood
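Both spdadd lines in the setkey.conf quoted above select UDP traffic by port 1701 on the local side only (destination port 1701 inbound, source port 1701 outbound). The script below is an added example, not part of the post and not mpd5, racoon or setkey code: it parses those two policies and runs the flows visible in the quoted mpd logs through them the way a first-match SPD lookup would. On the server host, the packet from CLIENT_IP port 20503 and mpd's reply from port 1701 both hit a "require" policy, which is consistent with the "IPsec-SA request for CLIENT_IP queued" line in the server-side racoon.log; the same exchange evaluated on the client host, whose local port is 20503 rather than 1701, falls outside both selectors, as does IKE itself on UDP 500. The function names are this example's own, and the two addresses are constructed RFC 5737 stand-ins for the post's SERVER_IP and CLIENT_IP placeholders.

```python
"""Evaluate setkey(8) SPD selectors against the UDP flows seen in the post's logs.

Added example: not part of the forum post and not mpd5/racoon/setkey code.
Helper names are this example's own; addresses are constructed stand-ins.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# The setkey.conf quoted in the post (the same file on both hosts).
SETKEY_CONF = """\
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
"""

# Constructed stand-ins (RFC 5737 documentation ranges) for SERVER_IP / CLIENT_IP.
SERVER_IP = "192.0.2.1"
CLIENT_IP = "198.51.100.2"

# spdadd <src>[<sport>] <dst>[<dport>] <proto> -P <dir> (ipsec <action> | discard | none);
_SPDADD = re.compile(
    r"^spdadd\s+([^\s\[]+)\[(\d+)\]\s+([^\s\[]+)\[(\d+)\]\s+(\w+)\s+-P\s+(in|out)\s+"
    r"(?:ipsec\s+([^\s;]+)|(discard|none))\s*;$"
)


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    sport: int        # 0 means "any port" in a setkey selector
    dst: ipaddress.IPv4Network
    dport: int
    proto: str        # "udp", "tcp", "any", ...
    direction: str    # "in" or "out"
    action: str       # e.g. "esp/transport//require", "discard", "none"

    def matches(self, src: str, sport: int, dst: str, dport: int,
                proto: str, direction: str) -> bool:
        return (self.direction == direction
                and self.proto in ("any", proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.sport in (0, sport)
                and self.dport in (0, dport))


def parse_spd(text: str) -> List[Policy]:
    """Return the spdadd policies in file order (the lookup is first-match)."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("spdadd"):
            continue                      # flush / spdflush carry no selector
        m = _SPDADD.match(line)
        if m is None:
            raise ValueError(f"unparsed spdadd line: {line!r}")
        src, sport, dst, dport, proto, direction, ipsec_action, plain_action = m.groups()
        policies.append(Policy(ipaddress.ip_network(src), int(sport),
                               ipaddress.ip_network(dst), int(dport),
                               proto, direction, ipsec_action or plain_action))
    return policies


def lookup(policies: List[Policy], src: str, sport: int, dst: str, dport: int,
           proto: str = "udp", direction: str = "out") -> Optional[str]:
    """Action of the first matching policy, or None when no policy covers the packet
    (the kernel then sends or accepts it in the clear without asking racoon for an SA)."""
    for p in policies:
        if p.matches(src, sport, dst, dport, proto, direction):
            return p.action
    return None


def classify_post_flows() -> dict:
    """Run the flows visible in the post's mpd logs through the SPD as seen on each host."""
    spd = parse_spd(SETKEY_CONF)
    return {
        # Server host: "Incoming L2TP packet from CLIENT_IP 20503" arriving on port 1701
        "server_in_from_client": lookup(spd, CLIENT_IP, 20503, SERVER_IP, 1701, direction="in"),
        # Server host: mpd's reply from port 1701 back to the client's port
        "server_out_to_client": lookup(spd, SERVER_IP, 1701, CLIENT_IP, 20503, direction="out"),
        # Client host: the same exchange seen from the initiating side (local port 20503)
        "client_out_to_server": lookup(spd, CLIENT_IP, 20503, SERVER_IP, 1701, direction="out"),
        "client_in_from_server": lookup(spd, SERVER_IP, 1701, CLIENT_IP, 20503, direction="in"),
        # IKE itself (UDP 500) is outside both selectors on either host
        "ike_out": lookup(spd, SERVER_IP, 500, CLIENT_IP, 500, direction="out"),
    }


if __name__ == "__main__":
    for name, action in classify_post_flows().items():
        print(f"{name:24s} -> {action or 'no policy (clear text)'}")
```

Run it as-is to see the table; to test a different policy set, replace SETKEY_CONF with the contents of your own setkey.conf and adjust the flows in classify_post_flows to the ports your mpd logs show.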