Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to III)

L2TP/IPsec with NAT-Traversal optimal MTU setting

I ran some tests to verify the MTU setting that I suggested in Part II of this thread, namely 1280, which is the recommended choice for L2TP without NAT-Traversal.

In order to check this, I established a L2TP/IPsec connection from my iPhone (iOS 7.0.4) via 3G to my VPN server behind a NAT, and sent a ping(8) from the server to the internal VPN address of the iPhone.
# ping -D -c1 -s1252 192.168.0.150

-D is the don't fragment flag
-c1 means, send only 1 ping
-snnnn is the payload size in bytes of the ping (without the headers)

The payload size of 1252 bytes corresponds to an MTU of 1280, since the size of the IP header (20 bytes) and of the ICMP header (8 bytes) has to be added. Anyway, the iPhone did not respond.

The iPhone began responding to pings with payload sizes less than or equal to 1202, i.e. the MTU for this kind of connection shall be 1230. The WAN link of the server has an MTU of 1500. Of course, the final result might differ if the raw MTU is already less than 1500. You might want to repeat the tests with your connection. For the tests, remove the MTU setting from /usr/local/etc/mpd5/mpd.conf.

During these tests, it turned out that the multilink option in /usr/local/etc/mpd5/mpd.conf had no effect, so I removed it. Without multilink, it is not necessary to add sequencing information, and therefore I removed the l2tp option length and disabled the l2tp option dataseq. Finally, the iPhone supports header compression, and I enabled the link options acfcomp protocomp.

For the record, here comes the improved file /usr/local/etc/mpd5/mpd.conf:
Code:
startup:
# configure mpd users
        set user super pwSuper admin

# configure the console
        set console self 127.0.0.1 5005
        set console open

# configure the web server
        set web self 0.0.0.0 5006
        set web open

default:
        load l2tp_server

l2tp_server:
# Define dynamic IP address pool.
        set ippool add pool_l2tp 192.168.0.150 192.168.0.199

# Create clonable bundle template named B_l2tp
        create bundle template B_l2tp
        set iface enable proxy-arp
        set iface enable tcpmssfix
        set ipcp yes vjcomp

# Specify IP address pool for dynamic assignment.
        set ipcp ranges 192.168.0.1/32 ippool pool_l2tp
        set ipcp dns 192.168.0.1

# Create clonable link template named L_l2tp
        create link template L_l2tp l2tp
        set link action bundle B_l2tp
        set link mtu 1230
        set link keep-alive 0 0
        set link yes acfcomp protocomp
        set link no pap chap eap
        set link enable chap

# Configure L2TP
        set l2tp self 192.168.0.1
        set l2tp disable dataseq

# Allow to accept calls
        set link enable incoming

I updated Part II of this thread with these improvements.
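As an added example (not code from the post above), the probe described here carried out as a binary search instead of manual trial: it builds the same FreeBSD ping(8) invocation (-D, -c, -s), applies the 28-byte IP+ICMP overhead the post explains, and assumes replies are monotonic in size. The `probe` parameter lets a fake be substituted for testing; the 1202-byte threshold and host are the post's values.

```python
import subprocess

# Overhead above the ICMP payload: 20-byte IPv4 header + 8-byte ICMP header.
IP_ICMP_OVERHEAD = 28


def payload_for_mtu(mtu):
    """The ping -s value that makes the packet exactly `mtu` bytes on the wire."""
    return mtu - IP_ICMP_OVERHEAD


def ping_probe(host, payload):
    """One don't-fragment ping of `payload` bytes, using the FreeBSD ping(8)
    flags from the post (-D sets DF; on Linux -D means something else).
    Returns True when the host answered."""
    cmd = ["ping", "-D", "-c", "1", "-s", str(payload), host]
    rc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                        stderr=subprocess.DEVNULL).returncode
    return rc == 0


def find_link_mtu(host, probe=ping_probe, lo_mtu=576, hi_mtu=1500):
    """Largest MTU for which a DF ping is still answered, found by binary
    search between lo_mtu (assumed to pass) and hi_mtu (the raw WAN MTU).
    `probe(host, payload)` must return True on a reply; assumption: if a
    size passes, every smaller size passes as well."""
    if not probe(host, payload_for_mtu(lo_mtu)):
        raise RuntimeError("even MTU %d fails; check reachability first" % lo_mtu)
    if probe(host, payload_for_mtu(hi_mtu)):
        return hi_mtu  # no encapsulation overhead visible at all
    lo, hi = lo_mtu, hi_mtu  # invariant: lo passes, hi fails
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(host, payload_for_mtu(mid)):
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    # Live run against the VPN address from the post; needs a real connection.
    print("usable MTU:", find_link_mtu("192.168.0.150"))
```

The value returned is what goes into `set link mtu` in mpd.conf.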
 
Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

Is it still necessary to include the two patches on FreeBSD 10 systems?

I currently have FreeBSD 10.0-BETA3 running and when trying to install ipsec-tools with the two patches I get:
Code:
root@Secretum:/usr/ports/security/ipsec-tools # make install clean
===>  Patching for ipsec-tools-0.8.1_3
===>  Applying FreeBSD patches for ipsec-tools-0.8.1_3
2 out of 2 hunks failed--saving rejects to src/racoon/grabmyaddr.c.rej
=> Patch patch-zz-local-0.diff failed to apply cleanly.
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/security/ipsec-tools
*** Error code 1

Stop.
make: stopped in /usr/ports/security/ipsec-tools
 
Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

@Haga, I meant the two patches supplied in the topic start.
 
Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

Hello @sukosevato,

I'm looking forward to the kernel patch labeled ipsec-patches.diff that @rolfheinrich mentioned in the middle of the post, not the zip archive. This archive just contains patches only for racoon and ipsec-tools. The kernel patch should be applied to sys/netinet and sys/netipsec as he said, is linked to http://forums.freebsd.org/attachment.ph ... 1375044889. It seems like the FreeBSD Forum has changed its URL routing after he gave the patch, leaving URLs as plain texts. Does anybody have a copy of that?
 
Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

I'm having an issue connecting with my Droid or a remote Windows host. Here is my racoon.log file from the connection attempt from my Droid (4.3) configured as an IPsec/L2TP client with preshared keys. PUBLIC_IP is the IP address of my Droid. 192.168.11.7 is the IP address of the FreeBSD interface. I have NAT and firewall rules configured on my outside firewall and it does indeed start the connection, but it never finishes. Can anyone tell by looking at this log file what is wrong? I've gone through the guide a few times and I can't find anything wrong. I tailored the configuration files to my local private network (192.168.11.0/24), so I'm at a loss at this point.

EDIT: also, this is FreeBSD 10 amd64 running on Hyper-V. No packet filter is running. My border firewall is a Cisco ASA 5505 and as far as I know I've allowed 500, 1701 and 4500 through the outside interface and configured NAT to translate these ports to 192.168.11.7. The Cisco logs do not show any kind of denies during the connection attempt either, so I'm fairly certain it's not my border firewall. The firewall on the Hyper-V host is disabled completely.
Code:
2014-01-26 18:58:04: INFO: received Vendor ID: DPD
2014-01-26 18:58:04: [PUBLIC_IP] INFO: Selected NAT-T version: RFC 3947
2014-01-26 18:58:04: [192.168.11.7] INFO: Hashing 192.168.11.7[500] with algo #2 
2014-01-26 18:58:04: INFO: NAT-D payload #0 doesn't match
2014-01-26 18:58:04: [PUBLIC_IP] INFO: Hashing PUBLIC_IP[5428] with algo #2 
2014-01-26 18:58:04: INFO: NAT-D payload #1 doesn't match
2014-01-26 18:58:04: INFO: NAT detected: ME PEER
2014-01-26 18:58:04: [PUBLIC_IP] INFO: Hashing PUBLIC_IP[5428] with algo #2 
2014-01-26 18:58:04: [192.168.11.7] INFO: Hashing 192.168.11.7[500] with algo #2 
2014-01-26 18:58:04: INFO: Adding remote and local NAT-D payloads.
2014-01-26 18:58:05: INFO: NAT-T: ports changed to: PUBLIC_IP[5430]<->192.168.11.7[4500]
2014-01-26 18:58:05: INFO: KA list add: 192.168.11.7[4500]->PUBLIC_IP[5430]
2014-01-26 18:58:05: INFO: ISAKMP-SA established 192.168.11.7[4500]-PUBLIC_IP[5430] spi:01ee99f8f332f3c6:c170a2f30265fe5b
2014-01-26 18:58:05: [PUBLIC_IP] INFO: received INITIAL-CONTACT
2014-01-26 18:58:06: INFO: respond new phase 2 negotiation: 192.168.11.7[4500]<=>PUBLIC_IP[5430]
2014-01-26 18:58:06: INFO: Adjusting my encmode UDP-Transport->Transport
2014-01-26 18:58:06: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
2014-01-26 18:58:06: INFO: IPsec-SA established: ESP/Transport 192.168.11.7[500]->PUBLIC_IP[500] spi=8914154(0x8804ea)
2014-01-26 18:58:06: INFO: IPsec-SA established: ESP/Transport 192.168.11.7[500]->PUBLIC_IP[500] spi=48277957(0x2e0a9c5)
2014-01-26 18:59:31: [PUBLIC_IP] INFO: DPD: remote (ISAKMP-SA spi=01ee99f8f332f3c6:c170a2f30265fe5b) seems to be dead.
2014-01-26 18:59:31: INFO: purging ISAKMP-SA spi=01ee99f8f332f3c6:c170a2f30265fe5b.
2014-01-26 18:59:31: INFO: purged IPsec-SA spi=48277957.
2014-01-26 18:59:31: INFO: purged IPsec-SA spi=8914154.
2014-01-26 18:59:31: INFO: purged ISAKMP-SA spi=01ee99f8f332f3c6:c170a2f30265fe5b.
2014-01-26 18:59:31: INFO: ISAKMP-SA deleted 192.168.11.7[4500]-PUBLIC_IP[5430] spi:01ee99f8f332f3c6:c170a2f30265fe5b
2014-01-26 18:59:31: INFO: KA remove: 192.168.11.7[4500]->PUBLIC_IP[5430]
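An added triage script (not from the post or from racoon) that reads racoon.log lines like the ones above and flags the two things a responder would check first: NAT was detected yet ESP came up as plain Transport instead of UDP-encapsulated on port 4500, and the peer went dead after the SAs were established, i.e. IPsec succeeded but the L2TP leg did not. The sample log is constructed from the quoted lines (PUBLIC_IP kept as the poster's placeholder); the reading of the symptoms is mine, the fix referenced is the kernel NAT-T support this thread discusses.

```python
import re

# Constructed sample, modelled on the racoon.log lines quoted in the post above.
SAMPLE_LOG = """\
2014-01-26 18:58:04: INFO: NAT detected: ME PEER
2014-01-26 18:58:05: INFO: NAT-T: ports changed to: PUBLIC_IP[5430]<->192.168.11.7[4500]
2014-01-26 18:58:05: INFO: ISAKMP-SA established 192.168.11.7[4500]-PUBLIC_IP[5430] spi:01ee99f8f332f3c6:c170a2f30265fe5b
2014-01-26 18:58:06: INFO: Adjusting my encmode UDP-Transport->Transport
2014-01-26 18:58:06: INFO: IPsec-SA established: ESP/Transport 192.168.11.7[500]->PUBLIC_IP[500] spi=8914154(0x8804ea)
2014-01-26 18:59:31: [PUBLIC_IP] INFO: DPD: remote (ISAKMP-SA spi=01ee99f8f332f3c6:c170a2f30265fe5b) seems to be dead.
"""

# "IPsec-SA established: ESP/<mode> <local>[<port>]-><remote>[<port>] spi=..."
SA_RE = re.compile(r"IPsec-SA established: ESP/(\S+) \S+\[(\d+)\]->\S+\[(\d+)\]")


def triage_racoon_log(text):
    """Return (code, explanation) findings for one L2TP/IPsec connection attempt."""
    nat = encap_dropped = dpd_dead = False
    sas = []  # (encmode, local_port, remote_port) per established IPsec-SA
    for line in text.splitlines():
        if "NAT detected:" in line:
            nat = True
        elif "encmode UDP-Transport->Transport" in line:
            encap_dropped = True
        elif "seems to be dead" in line:
            dpd_dead = True
        else:
            m = SA_RE.search(line)
            if m:
                sas.append((m.group(1), int(m.group(2)), int(m.group(3))))
    findings = []
    if nat and (encap_dropped or any(mode == "Transport" for mode, _, _ in sas)):
        findings.append(("NO_UDP_ENCAP",
                         "peer is behind NAT but ESP was negotiated as plain Transport "
                         "(ports 500), not UDP-Transport on 4500; verify kernel NAT-T "
                         "support (options IPSEC_NAT_T plus the thread's kernel patches)"))
    if sas and dpd_dead:
        findings.append(("DEAD_AFTER_SA",
                         "SAs came up, then DPD timed out: IPsec succeeded but the "
                         "L2TP (UDP 1701) leg did not; check whether mpd5 saw a session"))
    if not sas:
        findings.append(("NO_IPSEC_SA", "phase 2 never completed"))
    return findings


if __name__ == "__main__":
    for code, why in triage_racoon_log(SAMPLE_LOG):
        print(code, "-", why)
```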
 
Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

Hi, friends! I have FreeBSD 10.0-RELEASE, mpd5 with L2TP and the latest ipsec-tools from ports. I applied the patches from the link http://forums.freebsd.org/download/file.php?id=1926 successfully. Then I applied the patch (see attachment), but it had 3 rejects. This was due to differences in the FreeBSD 10.0 source code lines. I manually corrected two of these rejects (the third did not need fixing because the default source code file was already correct) and recompiled my custom kernel.

sysctl net.inet.esp.esp_ignore_natt_cksum=1 works:
Code:
net.inet.esp.esp_ignore_natt_cksum: 0 -> 1
(If set to "0", a connecting Windows client will be rejected.) The tunnel works, but tcpdump says that packets coming out of the tunnel do not fall under the ipfw NAT rules (Windows XP client from behind NAT). This configuration was working on FreeBSD 9.X, but on 10.0-RELEASE it does not work.

Part of kernel configuration:
Code:
# IPSec
options         IPSEC
options         IPSEC_FILTERTUNNEL
options         IPSEC_NAT_T
options         IPSEC_DEBUG
device crypto
device enc
Is there a working solution for FreeBSD 10.0-RELEASE?
 

Attachments: ipsec-patches.zip (3.5 KB)
Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

ernix said:
Hello @sukosevato,
I'm looking forward to the kernel patch labeled ipsec-patches.diff that @rolfheinrich mentioned in the middle of the post, not the zip archive. This archive just contains patches only for racoon and ipsec-tools. The kernel patch should be applied to sys/netinet and sys/netipsec as he said, is linked to http://forums.freebsd.org/attachment.ph ... 1375044889. It seems like the FreeBSD Forum has changed its URL routing after he gave the patch, leaving URLs as plain texts. Does anybody have a copy of that?

Please read my previous post.
 
Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

Hello !

I've made some changes to ipsec patches to match kernel 10.0.

Best regards
 

Attachments: ipsec-patches-FBSD-10.0.zip (3.4 KB)
Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

IntelliSUN said:
Hello !

I've made some changes to ipsec patches to match kernel 10.0.

Best regards

Thank you very much! Now I will test and write the results here...
Results:
Ping from a Windows XP client behind NAT; tcpdump says:

Code:
tcpdump -i ng0 -n 'host 62.33.98.20'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ng0, link-type NULL (BSD loopback), capture size 65535 bytes
capability mode sandbox enabled
11:08:48.625277 IP 10.1.1.100 > 62.33.98.20: ICMP echo request, id 1280, seq 11264, length 40
11:08:53.646349 IP 10.1.1.100 > 62.33.98.20: ICMP echo request, id 1280, seq 11520, length 40
11:08:58.660931 IP 10.1.1.100 > 62.33.98.20: ICMP echo request, id 1280, seq 11776, length 40
11:09:03.690800 IP 10.1.1.100 > 62.33.98.20: ICMP echo request, id 1280, seq 12032, length 40

Where:
10.1.1.100 - tunnel address of the Windows XP client, who connected from behind NAT
ng0 - external interface (my external IP address)
ng1 - interface on which the tunnel client is connected

Code:
server# ipfw nat 123 config ip (there is my external ip) log
ipfw nat 123 config ip (there is my external ip) log

server# ipfw list
00850 nat 123 ip from 10.1.1.0/24 to any
00900 nat 123 ip from any to (there is my external ip)
65535 allow ip from any to any

Why packets that come out of the tunnel do not fall under the ipfw NAT rules?
 
Re: Broken Links

Thank you very much.

I configured PPTP/L2TP on FreeBSD-9.2-stable+ipsec-tools-0.8.1+mpd5.7; it is working fine with MacOS 10.9 and iPhone 7.1/7.1.1.

Problem with Android 4.2.2, 4.4.2 and Windows 7 clients.
 
More details please!

balgaa said:
Problem with Android 4.2.2, 4.4.2 and Windows 7 clients...
  • What does not work with Windows 7 -- PPTP, L2TP/IPsec, or both?
  • What does not work with Android 4.x -- PPTP, L2TP/IPsec, or both?
  • Are the clients running behind NAT?
  • Is the VPN server operating behind NAT?
  • Did you patch security/ipsec-tools? With which patches -- the initial set or the full set of patches?
  • Did you patch and recompile the kernel?
  • Did you set AssumeUDPEncapsulationContextOnSendRule in the Windows 7 registry to 2?
  • Did you set net.inet.esp.esp_ignore_natt_cksum to 1 in the file /etc/sysctl.conf of the FreeBSD machine?
  • What is the error message on Windows, and how does this relate to which entries in the logs of mpd5(8) and/or racoon(8)?
  • What is the error message on Android, and how does this relate to which entries in the logs of mpd5(8) and/or racoon(8)?
 
Re: More details please!

obsigna said:
balgaa said:
Problem with Android 4.2.2, 4.4.2 and Windows 7 clients...
  • What does not work with Windows 7 -- PPTP, L2TP/IPsec, or both?
  • What does not work with Android 4.x -- PPTP, L2TP/IPsec, or both?
PPTP is working fine for both; for L2TP I am following the instructions earlier in this forum.

  • Are the clients running behind NAT?
Yes, with a dynamic IP address.

  • Is the VPN server operating behind NAT?
No, with a public IP address.

  • Did you patch security/ipsec-tools? With which patches -- the initial set or the full set of patches?
Can you point me to both the initial and the full set of patches?

  • Did you patch and recompile the kernel?
Not yet.

  • Did you set AssumeUDPEncapsulationContextOnSendRule in the Windows 7 registry to 2?
Already done.

  • Did you set net.inet.esp.esp_ignore_natt_cksum to 1 in the file /etc/sysctl.conf of the FreeBSD machine?
Yes, did it.

  • What is the error message on Windows, and how does this relate to which entries in the logs of mpd5(8) and/or racoon(8)?
  • What is the error message on Android, and how does this relate to which entries in the logs of mpd5(8) and/or racoon(8)?
When I try to connect with either the Windows or the Android client, only the request to racoon arrives, nothing reaches mpd5.
 
Re: More details please!

balgaa said:
obsigna said:
balgaa said:
Problem with Android 4.2.2, 4.4.2 and Windows 7 clients...
  • What does not work with Windows 7 -- PPTP, L2TP/IPsec, or both?
  • What does not work with Android 4.x -- PPTP, L2TP/IPsec, or both?
PPTP working fine both, L2TP I am following instruction earlier this forum...

  • Did you patch security/ipsec-tools? With which patches -- the initial set or the full set of patches?
Can you point me to both the initial and the full set of patches?
For L2TP/IPsec working with Windows, you need the full set of patches. Because the FreeBSD Forums switched to a different system in November last year, most of the intra-forum links are broken. Therefore, I attach the patches to this message. Place the contents of the respective archive, i.e. the files without the enclosing directory, into /usr/ports/security/ipsec-tools/files/ and re-build security/ipsec-tools.

balgaa said:
  • Did you patch and recompile the kernel?
Not yet.
Without patching the Kernel, Windows clients won't be able to connect via L2TP/IPsec from behind a NAT. The Kernel patches for FreeBSD 9.2 are attached to this message. The instructions on how to apply them are here.

Regarding Android, I have no experience, and I don't own an Android device, and I cannot be of any help with that.
 

Attachments: ipsec-tools-patches.zip (4.7 KB), ipsec-9.2-kernel-patches.diff.zip (3.6 KB)
Re: More details please!

After applying all patches, everything works fine now with Windows 7 and Android...

My configuration FreeBSD-9.2-stable+mpd5.7+racoon-0.8.1+pf

Thank you...
 
Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

Hi all!

My configuration is very similar, or let's say identical, to FreeBSD-9.2-STABLE + mpd5.7 + racoon-0.8.1 + pf. The patches ipsec-9.2-kernel-patches.diff.zip and ipsec-tools-patches.zip were applied. I can connect to the VPN host from MAC, IOS, Android and Windows 7, but I have strange issues. I can access only the VPN host. I cannot reach any other PC in the network. Seems PF blocks packets outside of the VPN server, but not. What can be the reason? Thanks in advance for the help.
 
Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

b0ba said:
... I cannot reach any other PC in the network. Seems PF blocks packets outside of the VPN server, but not. What can be the reason?

Is the IPsec server listening on the WAN interface, i.e. before NAT? In this case, consider putting it behind NAT.

Check whether net/mpd5 is configured for proxy-arp:
Code:
...
	set iface enable proxy-arp
...

Check whether the firewall allows any traffic on the ng* interfaces. I have no experience with pf, I use ipfw(8), and the respective rule for this is:
Code:
...
/sbin/ipfw -q add 50 allow ip from any to any via ng*
...
 