Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to III)

fuhdan

Member


Messages: 39

Host A has the IP 192.168.10.50
Host B has the IP 10.253.24.150

/usr/local/etc/mpd5/mpd.conf
Code:
startup:
        # configure mpd users
        set user super superpw admin
        # configure the console
        set console self 127.0.0.1 5005
        set console open
        # configure the web server
        set web self 0.0.0.0 5006
        set web open

default:
        load l2tp_server

l2tp_server:
# Define dynamic IP address pool.
        set ippool add pool_l2tp 192.168.10.50 192.168.10.100

# Create clonable bundle template named B_l2tp
        create bundle template B_l2tp
        set iface enable proxy-arp
        set iface enable tcpmssfix
        set ipcp yes vjcomp
# Specify IP address pool for dynamic assigment.
        set ipcp ranges 192.168.10.0/24 ippool pool_l2tp
        set ipcp dns 10.253.24.150


/etc/sysctl.conf
Code:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

/var/log/racoon.log (xxx.xxx.xxx.xxx is the IP of the VPN server; yyy.yyy.yyy.yyy is the NAT'ed IP of the client)
Code:
2012-06-25 10:01:31: INFO: respond new phase 1 negotiation: xxx.xxx.xxx.xxx[500]<=>yyy.yyy.yyy.yyy[500]
2012-06-25 10:01:31: INFO: begin Identity Protection mode.
2012-06-25 10:01:31: INFO: received Vendor ID: RFC 3947
2012-06-25 10:01:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2012-06-25 10:01:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2012-06-25 10:01:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2012-06-25 10:01:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2012-06-25 10:01:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2012-06-25 10:01:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2012-06-25 10:01:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-06-25 10:01:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
*beep*
2012-06-25 10:01:31: INFO: received Vendor ID: DPD
2012-06-25 10:01:31: [yyy.yyy.yyy.yyy] INFO: Selected NAT-T version: RFC 3947
2012-06-25 10:01:31: [xxx.xxx.xxx.xxx] INFO: Hashing xxx.xxx.xxx.xxx[500] with algo #2
2012-06-25 10:01:31: INFO: NAT-D payload #0 verified
2012-06-25 10:01:31: [yyy.yyy.yyy.yyy] INFO: Hashing yyy.yyy.yyy.yyy[500] with algo #2
2012-06-25 10:01:31: INFO: NAT-D payload #1 doesn't match
2012-06-25 10:01:31: INFO: NAT detected: PEER
2012-06-25 10:01:31: [yyy.yyy.yyy.yyy] INFO: Hashing yyy.yyy.yyy.yyy[500] with algo #2
2012-06-25 10:01:31: [xxx.xxx.xxx.xxx] INFO: Hashing xxx.xxx.xxx.xxx[500] with algo #2
2012-06-25 10:01:31: INFO: Adding remote and local NAT-D payloads.
2012-06-25 10:01:31: INFO: NAT-T: ports changed to: yyy.yyy.yyy.yyy[4500]<->xxx.xxx.xxx.xxx[4500]
2012-06-25 10:01:31: INFO: KA list add: xxx.xxx.xxx.xxx[4500]->yyy.yyy.yyy.yyy[4500]
2012-06-25 10:01:31: [yyy.yyy.yyy.yyy] INFO: received INITIAL-CONTACT
2012-06-25 10:01:31: INFO: ISAKMP-SA established xxx.xxx.xxx.xxx[4500]-yyy.yyy.yyy.yyy[4500] spi:6a18e0234313c7d4:dbbad31af7a253a3
2012-06-25 10:01:32: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[4500]<=>yyy.yyy.yyy.yyy[4500]
2012-06-25 10:01:32: INFO: Adjusting my encmode UDP-Transport->Transport
2012-06-25 10:01:32: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
2012-06-25 10:01:32: INFO: IPsec-SA established: ESP/Transport xxx.xxx.xxx.xxx[500]->yyy.yyy.yyy.yyy[500] spi=135798551(0x8181f17)
2012-06-25 10:01:32: INFO: IPsec-SA established: ESP/Transport xxx.xxx.xxx.xxx[500]->yyy.yyy.yyy.yyy[500] spi=195887997(0xbad037d)
*beep*
*beep*
*beep*
2012-06-25 10:02:47: INFO: purged IPsec-SA proto_id=ESP spi=195887997.
2012-06-25 10:02:47: INFO: purging ISAKMP-SA spi=6a18e0234313c7d4:dbbad31af7a253a3.
2012-06-25 10:02:47: INFO: purged IPsec-SA spi=135798551.
2012-06-25 10:02:47: INFO: purged ISAKMP-SA spi=6a18e0234313c7d4:dbbad31af7a253a3.
2012-06-25 10:02:47: INFO: ISAKMP-SA deleted xxx.xxx.xxx.xxx[4500]-yyy.yyy.yyy.yyy[4500] spi:6a18e0234313c7d4:dbbad31af7a253a3
2012-06-25 10:02:47: INFO: KA remove: xxx.xxx.xxx.xxx[4500]->yyy.yyy.yyy.yyy[4500]
2012-06-25 10:02:47: ERROR: no configuration found for yyy.yyy.yyy.yyy.
2012-06-25 10:02:47: ERROR: failed to begin ipsec sa negotiation.

I solved it. It was a firewall problem. I found it, while I enabled all loggings on the firewall. The guy who is responsible for the firewall didn't see it. Sorry.
Thanks for your help. Have a nice day.

Cheers Daniel
 

mix_room

Aspiring Daemon

Reaction score: 47
Messages: 598

Has anyone had any luck connecting with Windows 7 or Android?

I keep getting the following in my log files

Code:
 *** IP1: External IP 1
 *** IP2: External IP 2
2012-07-18 17:06:05: INFO: respond new phase 1 negotiation: IP1[500]<=> IP2[500]
2012-07-18 17:06:05: INFO: begin Identity Protection mode.
2012-07-18 17:06:05: INFO: received Vendor ID: RFC 3947
2012-07-18 17:06:05: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-07-18 17:06:05: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2012-07-18 17:06:05: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2012-07-18 17:06:05: INFO: received broken Microsoft ID: FRAGMENTATION
2012-07-18 17:06:05: [IP2] INFO: Selected NAT-T version: RFC 3947
2012-07-18 17:06:05: [IP1] INFO: Hashing IP1[500] with algo #2
2012-07-18 17:06:05: INFO: NAT-D payload #0 verified
2012-07-18 17:06:05: [IP2] INFO: Hashing IP2[500] with algo #2
2012-07-18 17:06:05: INFO: NAT-D payload #1 verified
2012-07-18 17:06:05: INFO: NAT not detected
2012-07-18 17:06:05: [IP2] INFO: Hashing IP2[500] with algo #2
2012-07-18 17:06:05: [IP1] INFO: Hashing IP1[500] with algo #2
2012-07-18 17:06:05: INFO: Adding remote and local NAT-D payloads.
2012-07-18 17:06:05: INFO: ISAKMP-SA established IP1[500]-IP2[500] spi:66eebb5ffd4c7792:4d0fe1bb470a9d52
2012-07-18 17:06:05: [IP2] INFO: received INITIAL-CONTACT
2012-07-18 17:06:06: INFO: respond new phase 2 negotiation: IP1[500]<=>IP2[500]
2012-07-18 17:06:06: INFO: IPsec-SA established: ESP/Transport IP1[500]->IP2[500] spi=201111091(0xbfcb633)
2012-07-18 17:06:06: INFO: IPsec-SA established: ESP/Transport IP1[500]->IP2[500] spi=233175(0x38ed7)
 *** NOTHING MORE HAPPENS HERE ***

It seems as though I am getting the mentioned problem that Android and Windows seem to speak directly with mpd instead of going via racoon.
 

iamalittlepepper

New Member


Messages: 2

Alternate way of patching racoon?

Hi Rolf

I used your patch.zip is there any surefire way to see if the patches are applied correctly? Because I only the follow message:

Code:
===>  Vulnerability check disabled, database not found
===>  License check disabled, port has not defined LICENSE
===>  Found saved configuration for ipsec-tools-0.8.0_2
=> ipsec-tools-0.8.0.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch http://heanet.dl.sourceforge.net/project/ipsec-tools/ipsec-tools/0.8.0/ipsec-tools-0.8.0.tar.bz2
ipsec-tools-0.8.0.tar.bz2                     100% of  790 kB  188 kBps
===>  Extracting for ipsec-tools-0.8.0_2
=> SHA256 Checksum OK for ipsec-tools-0.8.0.tar.bz2.
===>  Patching for ipsec-tools-0.8.0_2
===>  Applying FreeBSD patches for ipsec-tools-0.8.0_2
===>   ipsec-tools-0.8.0_2 depends on package: libtool>=2.4 - not found
===>    Verifying install for libtool>=2.4 in /usr/ports/devel/libtool
===>  Vulnerability check disabled, database not found
===>  License GPLv2 accepted by the user
=> libtool-2.4.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch http://ftp.gnu.org/gnu/libtool/libtool-2.4.tar.gz
libtool-2.4.tar.gz                            100% of 2519 kB  423 kBps
===>  Extracting for libtool-2.4_1
=> SHA256 Checksum OK for libtool-2.4.tar.gz.
===>  Patching for libtool-2.4_1
===>  Applying FreeBSD patches for libtool-2.4_1
===>  Configuring for libtool-2.4_1
## ----------------------- ##
## Configuring libtool 2.4 ##
## ----------------------- ##

The patch files are:

Code:
-rw-r--r--  1 root  wheel   618 Jan 10  2012 files/patch-zz-local-0.diff
-rw-r--r--  1 root  wheel   507 Jan 10  2012 files/patch-zz-local-1.diff
-rw-r--r--  1 root  wheel  1713 Mar 23  2011 files/patch8-utmp.diff
 

iamalittlepepper

New Member


Messages: 2

Never mind.. I've found that the source files in the directory work/ipsec-tools-0.8.0/src/racoon have been changed as per the diff files. So a footnote for those who are wondering that's where the source files reside in the port system.
 

dkorzhevin

New Member


Messages: 2

Hello, i configured FreeBSD 9.0 release using this tutorial. I am able to connect to server from mac os x, but i have 2 problems:

1. Internet is not working
2. I am not able to make more than 1 connection from one IP, even with separate usernames.

Here is my information:

sysctl.conf

Code:
dkorzhevin# cat /etc/sysctl.conf
# $FreeBSD: release/9.0.0/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#

# Uncomment this to prevent users from seeing information about
processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
net.inet.ip.fw.one_pass=1
net.key.prefered_oldsa=0
net.key.blockacq_count=0
dkorzhevin#

kernel compiled with options:

Code:
options         IPSEC
options         IPSEC_NAT_T
device          crypto
options         IPSEC_FILTERTUNNEL
device          enc
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=5
options         IPFIREWALL_FORWARD
options         IPFIREWALL_NAT
options         LIBALIAS
options         IPDIVERT

patch /usr/ports/security/ipsec-tools/files/patch-zz-local-1.diff
applied to ipsec-tools

racoon.conf

dkorzhevin# cat /usr/local/etc/racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

Code:
listen
{
# REPLACE w.x.y.z with the IP address racoon will listen on (if NAT
translated, this is the INSIDE IP)
        isakmp           MYIP [500];
        isakmp_natt      MYIP [4500];
# NOTE, you can specify multiple IPs to listen on
#       isakmp           p.q.r.s [500];
#       isakmp_natt      p.q.r.s [4500];
#       strict_address;
}

remote anonymous
{
        exchange_mode    main;
        passive          on;
        proposal_check   obey;
        support_proxy    on;
        nat_traversal    on;
        ike_frag         on;
        dpd_delay        20;

        proposal
        {
                encryption_algorithm  aes;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }

        proposal
        {
                encryption_algorithm  3des;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }
}

sainfo anonymous
{
        encryption_algorithm     aes,3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm    deflate;
        pfs_group                modp1024;
}
dkorzhevin#

setkey.conf

Code:
dkorzhevin# cat setkey.conf
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in  ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
dkorzhevin#

psk.txt

Code:
dkorzhevin# cat psk.txt
* MYPASS
MYIP MYPASS
dkorzhevin#

Code:
dkorzhevin# ls -la
total 20
drwxr-xr-x  2 root  wheel   512 Aug 10 15:02 .
drwxr-xr-x  8 root  wheel   512 Aug 10 09:16 ..
-rw-------  1 root  wheel    30 Aug 10 11:34 psk.txt
-rw-r--r--  1 root  wheel  1308 Aug 10 14:42 racoon.conf
-rw-r--r--  1 root  wheel   171 Aug 10 14:18 setkey.conf
dkorzhevin#

mpd.conf

Code:
dkorzhevin# cat /usr/local/etc/mpd5/mpd.conf
startup:
        # configure mpd users
        set user super pwSuper admin
        # configure the console
        set console self 127.0.0.1 5005
        set console open
        # configure the web server
        set web self 0.0.0.0 5006
        set web open

default:
        load l2tp_server

l2tp_server:
# Define dynamic IP address pool.
        set ippool add pool_l2tp 192.168.0.150 192.168.0.199

# Create clonable bundle template named B_l2tp
        create bundle template B_l2tp
        set iface enable proxy-arp
        set iface enable tcpmssfix
        set ipcp yes vjcomp
# Specify IP address pool for dynamic assigment.
        set ipcp ranges 192.168.0.1/24 ippool pool_l2tp
        set ipcp dns 192.168.0.1

# Create clonable link template named L_l2tp
        create link template L_l2tp l2tp
# Set bundle template to use
        set link action bundle B_l2tp
# Multilink adds some overhead, but gives full 1500 MTU.
        set link enable multilink
        set link no pap chap eap
        set link enable chap
        set link keep-alive 0 0
# We reducing link mtu to avoid ESP packet fragmentation.
        set link mtu 1280
# Configure L2TP
        set l2tp self MYIP
        set l2tp enable length
# Allow to accept calls
        set link enable incoming
dkorzhevin#

/etc/rc.conf

Code:
dkorzhevin# cat /etc/rc.conf
hostname="dkorzhevin.mirohost.net"
ifconfig_nfe0=" inet MYIP netmask 255.255.254.0"
defaultrouter="GATEWAYIP"
sshd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
mpd_enable="YES"

firewall_enable="YES"
firewall_nat_enable="YES"
firewall_type="/etc/firewall"
gateway_enable="YES"

natd_enable="YES"
natd_interface="nfe0"
natd_flags=""
dkorzhevin#

Please, help investigate this problem
 

martinsm

New Member


Messages: 1

I am also not able to connect more than one client to the server; even after disconnecting the first client, other clients are unable to connect. Connecting with the first client again will still work.

Flushing the SAD entries with 'setkey -F' will allow a different client to connect, but then the previous one won't be able to. I've been searching for hours for a solution to this, but without luck. My configuration is almost identical to the above. I would appreciate if anyone could point me in the right direction.
 
OP
A

Anonymous

Guest


dkorzhevin said:
Hello, i configured FreeBSD 9.0 release using this tutorial. I am able to connect to server from mac os x, but i have 2 problems:

1. Internet is not working
2. I am not able to make more than 1 connection from one IP, even with separate usernames.

1. Examine your firewall rules, perhaps by comparing it with my rules.

2. Some time ago, I spent almost one week for resolving this issue to no avail. The issue is, that for two connections from the same public IP even having two different public port numbers - let's say port1 and port2 - the system somehow mixes up the respective SAs whereby SA[in] becomes combined with SA[out] and vice versa.

I no more remember all the bloody details, but for me it seemed that SA management within racoon was correct, and the confusion happened in the kernel. I spent another day exploring key handling in the kernel, and then I gave up.

A work around may be, to let one client do the VPN connection, and let it do "Internet Sharing" for the others.

Best regards

Rolf

attachment.php
 

Attachments

  • InternetSharing.jpg
    InternetSharing.jpg
    95.7 KB · Views: 3,851

xtaz

Well-Known Member

Reaction score: 145
Messages: 476

I have read through this tutorial and it has been very useful for getting this working on my server to my iphone, however I'm having to keep PPTP support in MPD as well because it doesn't work with Windows 7. This is clearly a known issue as it's mentioned in several places where it doesn't appear that Windows tries to talk to MPD. Has anybody ever got this working since the tutorial was written?

Somebody says on this thread that apparently Windows "directly connects to Racoon and bypasses MPD". Reading up on how L2TP works seems to suggest that this is actually how it's meant to work. This is quite interesting: http://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol#L2TP.2FIPsec and suggests that connecting directly to Racoon is the correct way of doing it, but then Windows is just failing to set up a ppp connection over that secure channel.

Doing a bit of research shows that it seems to work on Linux though via Racoon: http://en.gentoo-wiki.com/wiki/IPsec_L2TP_VPN_server. They speak about PSK and certificates and show config for either. The only real difference I can see between that and the config that is on this forum is the FQDN address. But I don't quite understand what they are saying underneath the example config for PSK.

Basically wondering if they can apparently get it to work, then it's got to be possible on FreeBSD surely!
 
OP
A

Anonymous

Guest


xtaz said:
I have read through this tutorial and it has been very useful for getting this working on my server to my iphone, however I'm having to keep PPTP support in MPD as well because it doesn't work with Windows 7. This is clearly a known issue as it's mentioned in several places where it doesn't appear that Windows tries to talk to MPD. Has anybody ever got this working since the tutorial was written?

People (including me) are able to make connections if neither the server nor the client are behind NAT - perhaps you saw already this thread: ipsec + mpd5 with windows 7/8 clients behind nat. Using the registry patch mentioned in said thread, apparently it is possible to connect to a server behind NAT, but this still does not work with server and client behind NAT.

Somebody says on this thread that apparently Windows "directly connects to Racoon and bypasses MPD". Reading up on how L2TP works seems to suggest that this is actually how it's meant to work.

This was me, and you're right this was a mis-conception at my side at that time.

Doing a bit of research shows that it seems to work on Linux though via Racoon: http://en.gentoo-wiki.com/wiki/IPsec_L2TP_VPN_server. They speak about PSK and certificates and show config for either. The only real difference I can see between that and the config that is on this forum is the FQDN address. But I don't quite understand what they are saying underneath the example config for PSK.

I guess this is about the "Main mode FQDN identity" issue of Windows XP. There has been a patch around for quite some time, and without the patch you would see in the racoon log an error message something like:
Code:
<timestamp> racoon: ERROR: Expecting IP address type in main mode, but FQDN.

I never saw this error message with Windows 7, and if behind NAT, Windows 7 does not connect, neither with nor without the patch. On the other hand, if there is no NAT involved, Windows 7 can connect without the patch, so I would rule this out for further trouble shooting.

Windows 7 connects smoothly to a L2TP/IPSec server setup with net/mpd5+security/ipsec-tools if there is no NAT involved. Windows 7 clearly has issues when there is NAT involved. I read several problem reports on the internet about similar Windows-NAT-[NAT]-L2TP/IPSec connection issues with many different server side setups. So, I tend to assume that there is not so much we can do at the server side. Perhaps somebody knows a third-party L2TP/IPSec client for Windows that would work.
 

gkontos

Daemon

Reaction score: 488
Messages: 2,160

@rolfheinrich,

I have used your guide and tried to improvise in order to make Windows clients and Android phones to connect. Unfortunately this was impossible.

An installation in Ubuntu 12.04 using openswan & xl2tpd works fine with all clients behind NAT. It has been tested with Lion, Windows7, Windows8 & Android2.3
The only problem is that sometimes after a user disconnects he can not connect back without restarting xl2tpd.

So, I think this is a raccoon issue in regards to FreeBSD. I have yet to test it with strongswan which I believe that it also has some limitations in FreeBSD.
 

xtaz

Well-Known Member

Reaction score: 145
Messages: 476

Interesting. Yes unfortunately both my server and clients will be behind NAT. For now I'll keep PPTP for my windows clients and use L2TP for my iphone. MPD happily supports running both simultaneously so this is OK for now but hopefully someone with more knowledge than me can figure this one out in the future!
 
OP
A

Anonymous

Guest


After applying kernel and racoon patches from the following two sources ...:
  1. http://www.freebsd.org/cgi/query-pr.cgi?pr=146190
  2. http://lists.freebsd.org/pipermail/freebsd-stable/2012-May/067416.html

..., I was able to resolve the persisting problems:
  • dial-in of more than 1 client behind the same NAT
  • Windows 7 connectivity

This worked out for me for FreeBSD 9.1-RC3 and FreeBSD 8.3-RELEASE.

Important notes:
  • use the latest patches (links at the very end of kern/146190), i.e. ipsec_natt.v4.diff and ipsec_tools.context.v2.diff.
  • for FreeBSD 9.1-RC3 remove the diff entry for sys/netipsec/ipsec.c from ipsec_natt.v4.diff since this has been already addressed.
  • the kernel patch adds the new sysctl net.inet.esp.esp_ignore_natt_cksum, and this MUST be set to one, or any NATT connection will be dropped.
 

carp

New Member


Messages: 3

Connection to mpd with iOS fails while Mac machine works fin

Great article, Rolf, thanks for the good work!

Your write-up got got me a working L2TP+IPsec connection from my Mac but it fails when connecting from my iOS device (tested only with an iPhone 4S running iOS 6.0). You explicitly state that it's working with iOS, so I must be missing something.

I can get through the IKE/SA phase, it just won't connect to mpd5. Apparently there is no authentication protocol the two parties can agree upon:

Code:
L2TP: waiting for connection on 192.168.1.23 1701
[L_l2tp] Incoming L2TP packet from 192.168.1.84 50549
L2TP: Control connection 0x802bf6610 192.168.1.23 1701 <-> 192.168.1.84 50549 connected
L2TP: Incoming call #1 via connection 0x802bf6610 received
[L_l2tp-1] L2TP: Incoming call #1 via control connection 0x802bf6610 accepted
[L_l2tp-1] Link: OPEN event
[L_l2tp-1] LCP: Open event
[L_l2tp-1] LCP: state change Initial --> Starting
[L_l2tp-1] LCP: LayerStart
[L_l2tp-1] L2TP: Call #1 connected
[L_l2tp-1] Link: UP event
[L_l2tp-1] LCP: Up event
[L_l2tp-1] LCP: state change Starting --> Req-Sent
[L_l2tp-1] LCP: SendConfigReq #1
[L_l2tp-1]   ACFCOMP
[L_l2tp-1]   PROTOCOMP
[L_l2tp-1]   MRU 1500
[L_l2tp-1]   MAGICNUM b7e27f7f
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1]   MP MRRU 2048
[L_l2tp-1]   MP SHORTSEQ
[L_l2tp-1]   ENDPOINTDISC [802.1] 00 1f c6 dc 1f 8c
[L_l2tp-1] LCP: rec'd Configure Request #1 (Req-Sent)
[L_l2tp-1]   ACCMAP 0x00000000
[L_l2tp-1]   MAGICNUM 0e3ec017
[L_l2tp-1]   PROTOCOMP
[L_l2tp-1]   ACFCOMP
[L_l2tp-1] LCP: SendConfigAck #1
[L_l2tp-1]   ACCMAP 0x00000000
[L_l2tp-1]   MAGICNUM 0e3ec017
[L_l2tp-1]   PROTOCOMP
[L_l2tp-1]   ACFCOMP
[L_l2tp-1] LCP: state change Req-Sent --> Ack-Sent
[L_l2tp-1] LCP: SendConfigReq #2
[L_l2tp-1]   ACFCOMP
[L_l2tp-1]   PROTOCOMP
[L_l2tp-1]   MRU 1500
[L_l2tp-1]   MAGICNUM b7e27f7f
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1]   MP MRRU 2048
[L_l2tp-1]   MP SHORTSEQ
[L_l2tp-1]   ENDPOINTDISC [802.1] 00 1f c6 dc 1f 8c
[L_l2tp-1] LCP: rec'd Configure Reject #2 (Ack-Sent)
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1]   MP MRRU 2048
[L_l2tp-1]   MP SHORTSEQ
[L_l2tp-1] LCP: SendConfigReq #3
[L_l2tp-1]   ACFCOMP
[L_l2tp-1]   PROTOCOMP
[L_l2tp-1]   MRU 1500
[L_l2tp-1]   MAGICNUM b7e27f7f
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: rec'd Configure Reject #3 (Ack-Sent)
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: SendConfigReq #4
[L_l2tp-1]   ACFCOMP
[L_l2tp-1]   PROTOCOMP
[L_l2tp-1]   MRU 1500
[L_l2tp-1]   MAGICNUM b7e27f7f
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: rec'd Configure Reject #4 (Ack-Sent)
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: SendConfigReq #5
[L_l2tp-1]   ACFCOMP
[L_l2tp-1]   PROTOCOMP
[L_l2tp-1]   MRU 1500
[L_l2tp-1]   MAGICNUM b7e27f7f
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: rec'd Configure Reject #5 (Ack-Sent)
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: SendConfigReq #6
[L_l2tp-1]   ACFCOMP
[L_l2tp-1]   PROTOCOMP
[L_l2tp-1]   MRU 1500
[L_l2tp-1]   MAGICNUM b7e27f7f
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: rec'd Configure Reject #6 (Ack-Sent)
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: SendConfigReq #7
[L_l2tp-1]   ACFCOMP
[L_l2tp-1]   PROTOCOMP
[L_l2tp-1]   MRU 1500
[L_l2tp-1]   MAGICNUM b7e27f7f
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: rec'd Configure Reject #7 (Ack-Sent)
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: SendConfigReq #8
[L_l2tp-1]   ACFCOMP
[L_l2tp-1]   PROTOCOMP
[L_l2tp-1]   MRU 1500
[L_l2tp-1]   MAGICNUM b7e27f7f
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: rec'd Configure Reject #8 (Ack-Sent)
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: SendConfigReq #9
[L_l2tp-1]   ACFCOMP
[L_l2tp-1]   PROTOCOMP
[L_l2tp-1]   MRU 1500
[L_l2tp-1]   MAGICNUM b7e27f7f
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: rec'd Configure Reject #9 (Ack-Sent)
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: SendConfigReq #10
[L_l2tp-1]   ACFCOMP
[L_l2tp-1]   PROTOCOMP
[L_l2tp-1]   MRU 1500
[L_l2tp-1]   MAGICNUM b7e27f7f
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: rec'd Configure Reject #10 (Ack-Sent)
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: not converging
[L_l2tp-1] LCP: parameter negotiation failed
[L_l2tp-1] LCP: state change Ack-Sent --> Stopped
[L_l2tp-1] LCP: LayerFinish
[L_l2tp-1] L2TP: Call #1 terminated locally
[L_l2tp-1] Link: DOWN event
[L_l2tp-1] LCP: Close event
[L_l2tp-1] LCP: state change Stopped --> Closed
[L_l2tp-1] LCP: Down event
[L_l2tp-1] LCP: state change Closed --> Initial
[L_l2tp-1] Link: SHUTDOWN event
[L_l2tp-1] Link: Shutdown

The mpd.conf in use contains nothing but the example code you provided in your Howto, modified only to reflect the local IP configuration. You may notice that it's running in an RFC1918 net but mpd distributes a different IP pool for its VPN clients. Also, there is no NAT involved.

As said, it works with my Mac. Any help is much appreciated.
 
OP
A

Anonymous

Guest


carp said:
... Your write-up got got me a working L2TP+IPsec connection from my Mac but it fails when connecting from my iOS device (tested only with an iPhone 4S running iOS 6.0).

Note, on iOS you need to use the L2TP client and not the IPsec client (which is in fact a Cisco client). Please try again using the VPN-L2TP (IPsec) client.

Best regards

Rolf
 

carp

New Member


Messages: 3

rolfheinrich said:
Note, on iOS you need to use the L2TP client and not the IPsec client (which is in fact a Cisco client). Please try again using the VPN-L2TP (IPsec) client.

Best regards

Rolf

Yes, yes - I'm using the L2TP client (ie. the first tab in the VPN settings).
 
OP
A

Anonymous

Guest


carp said:
... You may notice that it's running in an RFC1918 net but mpd distributes a different IP pool for its VPN clients. Also, there is no NAT involved.

As said, it works with my Mac. Any help is much appreciated.

Sorry, it didn't jump directly into my mind, that client and server are in the same local network.

I have to admit, that neither my Mac nor my iPhone would connect to my VPN server sitting in the same local network. In my setup, these kind of connection attempts are already failing in racoon. I just tried it again from my Mac:

Code:
2013-01-09 10:11:22: INFO: respond new phase 1 negotiation: 192.168.1.35[500]<=>192.168.1.5[500]
2013-01-09 10:11:22: INFO: begin Identity Protection mode.
2013-01-09 10:11:22: INFO: received Vendor ID: RFC 3947
2013-01-09 10:11:22: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2013-01-09 10:11:22: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2013-01-09 10:11:22: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2013-01-09 10:11:22: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2013-01-09 10:11:22: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2013-01-09 10:11:22: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2013-01-09 10:11:22: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-01-09 10:11:22: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2013-01-09 10:11:22: INFO: received Vendor ID: DPD
2013-01-09 10:11:22: [192.168.1.5] INFO: Selected NAT-T version: RFC 3947
2013-01-09 10:11:22: [192.168.1.35] INFO: Hashing 192.168.1.35[500] with algo #2 
2013-01-09 10:11:22: INFO: NAT-D payload #0 verified
2013-01-09 10:11:22: [192.168.1.5] INFO: Hashing 192.168.1.5[500] with algo #2 
2013-01-09 10:11:22: INFO: NAT-D payload #1 verified
2013-01-09 10:11:22: INFO: NAT not detected 
2013-01-09 10:11:22: [192.168.1.5] INFO: Hashing 192.168.1.5[500] with algo #2 
2013-01-09 10:11:22: [192.168.1.35] INFO: Hashing 192.168.1.35[500] with algo #2 
2013-01-09 10:11:22: INFO: Adding remote and local NAT-D payloads.
2013-01-09 10:11:22: [192.168.1.5] INFO: received INITIAL-CONTACT
2013-01-09 10:11:22: INFO: ISAKMP-SA established 192.168.1.35[500]-192.168.1.5[500] spi:d3ef6ddca54798b4:64b2c9272120cba1
2013-01-09 10:11:25: NOTIFY: the packet is retransmitted by 192.168.1.5[500] (1).
2013-01-09 10:11:28: NOTIFY: the packet is retransmitted by 192.168.1.5[500] (1).
2013-01-09 10:11:31: NOTIFY: the packet is retransmitted by 192.168.1.5[500] (1).
2013-01-09 10:11:43: NOTIFY: the packet is retransmitted by 192.168.1.5[500] (1).
2013-01-09 10:12:07: [192.168.1.5] INFO: DPD: remote (ISAKMP-SA spi=d3ef6ddca54798b4:64b2c9272120cba1) seems to be dead.
2013-01-09 10:12:07: INFO: purging ISAKMP-SA spi=d3ef6ddca54798b4:64b2c9272120cba1.
2013-01-09 10:12:07: INFO: purged ISAKMP-SA spi=d3ef6ddca54798b4:64b2c9272120cba1.
2013-01-09 10:12:07: INFO: ISAKMP-SA deleted 192.168.1.35[500]-192.168.1.5[500] spi:d3ef6ddca54798b4:64b2c9272120cba1

Although, others are claiming that this should work, I never put much effort into this, because a VPN in a LAN seems to be not too useful for me.

Anyway, could you please post your racoon.log as well as your racoon.conf and mpd5.conf. I would compare it against mine.

Best regards

Rolf
 

carp

New Member


Messages: 3

[SOLVED]

Hej,

I got it working by deleting the VPN settings on the iOS device and re-creating them from scratch. Only the Ghost in the Greate Machine knows what misconfigured artefacts lingered in the background. :\ Sorry, I could have tried this before posting.

rolfheinrich said:
Sorry, it didn't jump directly into my mind, that client and server are in the same local network.

I have to admit, that neither my Mac nor my iPhone would connect to my VPN server sitting in the same local network. In my setup, these kind of connection attempts are already failing in racoon. I just tried it again from my Mac:

Although, others are claiming that this should work, I never put much effort into this, because a VPN in a LAN seems to be not too useful for me.

Anyway, could you please post your racoon.log as well as your racoon.conf and mpd5.conf. I would compare it against mine.

Yes, I was able to connect from the same network. My guess is the problems arise when mpd distributes an IP address pool from the same net, which it wasn't in my case: it listened on 192.168.1.23:1701 and distributed IP addresses from 192.168.0/24.

I agree that a VPN in a LAN does not seem to be too useful (except for a Wifi connection), but I was happy to have had direct access so as to eliminate all problems originating from NAT, bad routing and the like.

Cheers for your help!
-Carsten
 

jmartinez

New Member


Messages: 3

I am trying to configure an VPN server based on L2TP over IPsec. I tried to do it on Debian but I couldn't. So, I was reading a lot about it and I heard that it would be easier with BSD.

I decided to try it with a Xen-based VM, following this guide: http://wiki.stocksy.co.uk/wiki/L2TP_VPN_in_FreeBSD. But I can't do it make works at all. I am always getting this error if I try to connect from OSX:

Code:
    ERROR: no configuration found for 46.232.124.12.
    ERROR: failed to begin ipsec sa negotication.
If I try to connect from my iPhone it stacks on:

Code:
    INFO: received Vendor ID: DPD
    [46.232.124.12] INFO: Selected NAT-T version: RFC 3947
    NOTIFY: the packet is retransmitted by 46.232.124.12[500] (1).
    NOTIFY: the packet is retransmitted by 46.232.124.12[500] (1).
    NOTIFY: the packet is retransmitted by 46.232.124.12[500] (1).
    ERROR: phase1 negotiation failed due to time up. cc9f6dd769f9aa0d:b02b5a31612f199b
#Configuration files:

Code:
    94.28.23.24 --------> Dom0 public Internet ip
    172.69.0.1 ----------> Dom0 private LAN ip
    172.69.0.11 ---------> DomU private LAN ip
    46.232.124.12 ---> My home public Internet ip
/usr/local/etc/racoon/racoon.conf
Code:
    path pre_shared_key "/usr/local/etc/racoon/psk.txt";
    
    listen
    {
            isakmp           172.69.0.11 [500];
            isakmp_natt      172.69.0.11 [4500];
            strict_address;
    }
    
    remote anonymous
    {
            exchange_mode    main;
            passive          on;
            proposal_check   obey;
            support_proxy    on;
            nat_traversal    on;
            ike_frag         on;
            dpd_delay        20;
    
            proposal
            {
                    encryption_algorithm  aes;
                    hash_algorithm        sha1;
                    authentication_method pre_shared_key;
                    dh_group              modp1024;
            }
    
            proposal
            {
                    encryption_algorithm  3des;
                    hash_algorithm        sha1;
                    authentication_method pre_shared_key;
                    dh_group              modp1024;
            }
    }
    
    sainfo anonymous
    {
            encryption_algorithm     aes,3des;
            authentication_algorithm hmac_sha1;
            compression_algorithm    deflate;
            pfs_group                modp1024;
    }
/usr/local/etc/racoon/setkey.conf
Code:
    flush;
    spdflush;
    spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in  ipsec esp/transport//require;
    spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;

/usr/local/etc/mpd5/mpd.conf
Code:
    startup:
            # configure mpd users
            set user super pwSuper admin
            # configure the console
            set console self 127.0.0.1 5005
            set console open
            # configure the web server
            set web self 0.0.0.0 5006
            set web open
    
    default:
            load l2tp_server
    
    l2tp_server:
    # Define dynamic IP address pool - these are the IP addresses which will be
    # allocated to our remote clients when they join the LAN
            set ippool add pool_l2tp 172.69.0.120.from 172.69.0.130
    
    # Create clonable bundle template named B_l2tp
            create bundle template B_l2tp
            set iface enable proxy-arp
            set iface enable tcpmssfix
            set ipcp yes vjcomp
    # Specify IP address pool for dynamic assigment.
            set ipcp ranges 172.69.0.11/24 ippool pool_l2tp
           # an accessible DNS server for clients to use
            set ipcp dns 172.69.0.2
    
    # Create clonable link template named L_l2tp
            create link template L_l2tp l2tp
    # Set bundle template to use
            set link action bundle B_l2tp
    # Multilink adds some overhead, but gives full 1500 MTU.
            set link enable multilink
            set link no pap chap eap
            set link enable chap
            set link keep-alive 0 0
    # We reducing link mtu to avoid ESP packet fragmentation.
            set link mtu 1280
    # Configure L2TP
            set l2tp self 172.69.0.11
            set l2tp enable length
    # Allow to accept calls
            set link enable incoming
/usr/local/etc/mpd5/mpd.secret
Code:
    javi      "pwTest"

As I said, this FreeBSD is running as DomU. So, I have a shorewall in Dom0 for all VM's. This is the rules corresponding to that VM:
Code:
    ## L2TP IPSEC
    DNAT            inet                               road:172.69.0.11                tcp     1701    -       94.28.23.24
    DNAT            inet                               road:172.69.0.11                udp     1701    -       94.28.23.24
    DNAT            inet                               road:172.69.0.11                udp     4500    -       94.28.23.24
    DNAT            inet                               road:172.69.0.11                udp     500     -       94.28.23.24
 
OP
A

Anonymous

Guest


The errors look to me like something with NAT/Firewall is wrong. However, I cannot be of any help here, because I never heard of Xen, Dom0, DomU, shorewall, etc. I am sorry for not having a better answer for you.
 

jmartinez

New Member


Messages: 3

This log is not telling you anything?

Code:
ERROR: fatal parse failure (1 errors)
INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
INFO: @(#)This product linked OpenSSL 0.9.8x 10 May 2012 (http://www.openssl.org/)
INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
INFO: 172.69.0.11[4500] used for NAT-T
INFO: 172.69.0.11[4500] used as isakmp port (fd=4)
INFO: 172.69.0.11[500] used for NAT-T
INFO: 172.69.0.11[500] used as isakmp port (fd=5)
ERROR: such policy already exists. anyway replace it: 0.0.0.0/0[0] 0.0.0.0/0[1701] proto=udp dir=in
ERROR: such policy already exists. anyway replace it: 0.0.0.0/0[1701] 0.0.0.0/0[0] proto=udp dir=out

Thanks you anyway
 
OP
A

Anonymous

Guest


jmartinez said:
This log is not telling you anything?

Code:
(1) ERROR: fatal parse failure (1 errors)
    INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
    INFO: @(#)This product linked OpenSSL 0.9.8x 10 May 2012 (http://www.openssl.org/)
    INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
    INFO: 172.69.0.11[4500] used for NAT-T
    INFO: 172.69.0.11[4500] used as isakmp port (fd=4)
    INFO: 172.69.0.11[500] used for NAT-T
    INFO: 172.69.0.11[500] used as isakmp port (fd=5)
(2) ERROR: such policy already exists. anyway replace it: 0.0.0.0/0[0] 0.0.0.0/0[1701] proto=udp dir=in
(3) ERROR: such policy already exists. anyway replace it: 0.0.0.0/0[1701] 0.0.0.0/0[0] proto=udp dir=out

OK, let's analyze it:

  1. I am missing the timestamps.
  2. I guess, the first error is from a previous launch of racoon, you changed its configuration and made a mistake, that you corrected for the next launch
  3. I saw already a lot of errors in racoon.log, but never (2) and (3), and I guess that your changes to racoon.conf still didn't work out, so you need to change it once again. Best would be, to reset it to the working configuration of others.
Please try (in the given sequence):

# service ipsec restart
# service racoon restart
# service mpd5 restart

Then start another VPN connection trial from your Mac and send us the complete racoon.log.

I would also like to suggest, that you configure a test http server at the same machine and open and NAT-redirect the port 80 in your shorewall. Before, spending any more work into the VPN setup, I would make sure that a simple http connection from outside works.
 

jmartinez

New Member


Messages: 3

I tried last night to compile and configure it from scratch in Debian and I was succes. Anyway thanks you and thanks for your time. Appreciate.
 

Vovka

New Member


Messages: 1

Hello all!
Rolf, thank you for howto

rolfheinrich said:
After applying kernel and racoon patches from the following two sources ...:
  1. http://www.freebsd.org/cgi/query-pr.cgi?pr=146190
  2. http://lists.freebsd.org/pipermail/freebsd-stable/2012-May/067416.html

..., I was able to resolve the persisting problems:
  • dial-in of more than 1 client behind the same NAT
  • Windows 7 connectivity

This worked out for me for FreeBSD 9.1-RC3 and FreeBSD 8.3-RELEASE.

Important notes:
  • use the latest patches (links at the very end of kern/146190), i.e. ipsec_natt.v4.diff and ipsec_tools.context.v2.diff.
  • for FreeBSD 9.1-RC3 remove the diff entry for sys/netipsec/ipsec.c from ipsec_natt.v4.diff since this has been already addressed.
  • the kernel patch adds the new sysctl net.inet.esp.esp_ignore_natt_cksum, and this MUST be set to one, or any NATT connection will be dropped.

My design:
Code:
[FreeBSD 8.3 stable l2tp/ipsec server] <-> [internet] <-> [my provider] <-> [my NAT device] <-> [LAN]
It works!
But, if I try to connect from my LAN a second device, it can't establish a connection. You wrote "dial-in of more than 1 client behind the same NAT" You can connect more than one client simultaneously behind the same NAT?
 
OP
A

Anonymous

Guest


Vovka said:
...
My design:
Code:
[FreeBSD 8.3 stable l2tp/ipsec server] <-> [internet] <-> [my provider] <-> [my NAT device] <-> [LAN]
It works!
But, if I try to connect from my LAN a second device, it can't establish a connection. You wrote "dial-in of more than 1 client behind the same NAT" You can connect more than one client simultaneously behind the same NAT?

Yes, I tried it with up to 4 clients behind the same NAT, among these, one Windows 7 in a VirtualBox.

Did you apply all the kernel patches and did you re-build and re-install the kernel?
Did you apply the other racoon patches, and re-install racoon?

Then, in /usr/local/etc/racoon/racoon.conf change the setting generate_policy:

Code:
...
        generate_policy  unique;
...

In addition in /usr/local/etc/racoon/setkey.conf remove or comment-out the spdadd directives, because with generate_policy unique, racoon will create unique spd's on each connection request:

Code:
flush;
spdflush;
#spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in  ipsec esp/transport//require;
#spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;

Do not forget, to set sysctl net.inet.esp.esp_ignore_natt_cksum=1.
 
Top