Hello!
Prompt the problem resolution.
It is necessary to adjust the client of L2TP/IPSEC on FreeBSD.
I perform tuning according to https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html.
But nothing is impossible.
Clients are connected by Windows without problems.
Local internal network: 192.168.190.0/24
Remote internal network: 192.168.10.0/24
VPN network: 192.168.196.0/24
VPN server - router Mikrotik.
The kernel is collected with parameters:
/etc/rc.conf:
/usr/local/etc/racoon/racoon.conf:
/usr/local/etc/racoon/psk.txt:
/etc/ipsec.conf
racoon.log
Prompt the problem resolution.
It is necessary to adjust the client of L2TP/IPSEC on FreeBSD.
I perform tuning according to https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html.
But nothing is impossible.
Clients are connected by Windows without problems.
Local internal network: 192.168.190.0/24
Remote internal network: 192.168.10.0/24
VPN network: 192.168.196.0/24
VPN server - router Mikrotik.
The kernel is collected with parameters:
Code:
options IPSEC #IP security
options IPSEC_ESP #IP security (crypto; define w/IPSEC)
options IPSEC_FILTERTUNNEL
options IPSEC_NAT_T
options IPSEC_FILTERGIF #filter ipsec packets from a tunnel
device crypto
device enc
device gif
/etc/rc.conf:
Code:
gif_interfaces="gif0"
gifconfig_gif0="My_external_IP Server_External_IP"
ifconfig_gif0="inet 192.168.190.1 192.168.10.1 netmask 0xffffffff"
racoon_enable="YES"
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/etc/ipsec.conf"
mpd_enable="YES"
Code:
# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
# "path" affects "include" directives. "path" must be specified before any
# "include" directive with relative file path.
# you can overwrite "path" directive afterwards, however, doing so may add
# more confusion.
path include "@sysconfdir_x@/racoon";
#include "remote.conf";
# the file should contain key ID/key pairs, for pre-shared key authentication.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "@sysconfdir_x@/cert";
# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
log debug2;
# "padding" defines some padding parameters. You should not touch these.
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
# if no listen directive is specified, racoon will listen on all
# available interface addresses.
listen
{
isakmp My_External_IP [7001];
isakmp My_External_IP [500];
#admin [7002]; # administrative port for racoonctl.
#strict_address; # requires that all addresses must be bound.
}
# Specify various default timers.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per send.
# maximum time to wait for completing each phase.
phase1 30 sec;
phase2 15 sec;
}
remote Server_External_IP
{
exchange_mode main,aggressive;
doi ipsec_doi;
lifetime time 24 hour;
situation identity_only;
my_identifier address;
peers_identifier address;
proposal_check obey;
passive off;
generate_policy off;
nat_traversal on;
proposal {
encryption_algorithm blowfish;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp2048;
}
}
remote ::1 [8000]
{
#exchange_mode main,aggressive;
exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;
my_identifier user_fqdn "sakane@kame.net";
peers_identifier user_fqdn "sakane@kame.net";
#certificate_type x509 "mycert" "mypriv";
nonce_size 16;
lifetime time 1 min; # sec,min,hour
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo subnet 192.168.190.0/24 any subnet 192.168.10.0/24 any
{
pfs_group modp2048;
encryption_algorithm blowfish,3des;
authentication_algorithm hmac_md5,hmac_sha1;
compression_algorithm deflate;
}
sainfo anonymous {
encryption_algorithm 3des;
authentication_algorithm hmac_md5, hmac_sha1;
lifetime time 1 hour ;
compression_algorithm deflate;
}
/usr/local/etc/racoon/psk.txt:
Code:
# IPv4/v6 addresses
Server_External_IP password
/etc/ipsec.conf
Code:
flush;
spdflush;
spdadd 192.168.190.1/24 192.168.196.1/24 ipencap -P out ipsec esp/tunnel/My_External_IP-Server_External_IP/require;
spdadd 192.168.196.1/24 192.168.190.1/24 ipencap -P in ipsec esp/tunnel/Server_External_IP-My_External_IP/require;
Code:
/usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log
Foreground mode.
2017-07-12 15:49:15: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)
2017-07-12 15:49:15: INFO: @(#)This product linked OpenSSL 1.0.1s-freebsd 1 Mar 2016 (http://www.openssl.org/)
2017-07-12 15:49:15: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2017-07-12 15:49:15: DEBUG2: lifetime = 86400
2017-07-12 15:49:15: DEBUG2: lifebyte = 0
2017-07-12 15:49:15: DEBUG2: encklen=128
2017-07-12 15:49:15: DEBUG2: p:1 t:1
2017-07-12 15:49:15: DEBUG2: Blowfish-CBC(3)
2017-07-12 15:49:15: DEBUG2: MD5(1)
2017-07-12 15:49:15: DEBUG2: 2048-bit MODP group(14)
2017-07-12 15:49:15: DEBUG2: pre-shared key(1)
2017-07-12 15:49:15: DEBUG2:
2017-07-12 15:49:15: DEBUG2: Etype mismatch: got 2, expected 4.
2017-07-12 15:49:15: DEBUG: hmac(modp2048)
2017-07-12 15:49:15: DEBUG2: lifetime = 60
2017-07-12 15:49:15: DEBUG2: lifebyte = 0
2017-07-12 15:49:15: DEBUG2: encklen=0
2017-07-12 15:49:15: DEBUG2: p:1 t:1
2017-07-12 15:49:15: DEBUG2: 3DES-CBC(5)
2017-07-12 15:49:15: DEBUG2: SHA(2)
2017-07-12 15:49:15: DEBUG2: 1024-bit MODP group(2)
2017-07-12 15:49:15: DEBUG2: pre-shared key(1)
2017-07-12 15:49:15: DEBUG2:
2017-07-12 15:49:15: DEBUG: hmac(modp1024)
2017-07-12 15:49:15: DEBUG: no check of compression algorithm; not supported in sadb message.
2017-07-12 15:49:15: DEBUG: getsainfo params: loc='192.168.190.0/24' rmt='192.168.10.0/24' peer='NULL' client='NULL' id=0
2017-07-12 15:49:15: DEBUG: no check of compression algorithm; not supported in sadb message.
2017-07-12 15:49:15: DEBUG: getsainfo params: loc='ANONYMOUS' rmt='ANONYMOUS' peer='NULL' client='NULL' id=0
2017-07-12 15:49:15: DEBUG: evaluating sainfo: loc='192.168.190.0/24', rmt='192.168.10.0/24', peer='ANY', id=0
2017-07-12 15:49:15: DEBUG: check and compare ids : values matched (ANONYMOUS)
2017-07-12 15:49:15: DEBUG: check and compare ids : values matched (ANONYMOUS)
2017-07-12 15:49:15: DEBUG2: parse successed.
2017-07-12 15:49:15: INFO: My_External_IP[500] used as isakmp port (fd=4)
2017-07-12 15:49:15: INFO: My_External_IP[7001] used as isakmp port (fd=5)
2017-07-12 15:49:15: DEBUG: pk_recv: retry[0] recv()
2017-07-12 15:49:15: DEBUG: got pfkey X_SPDDUMP message
2017-07-12 15:49:15: DEBUG2:
02120000 0b000100 01000000 5b0c0000 03000500 11200000 10020000 1fad3aed
00000000 00000000 03000600 11200000 100206a5 5becb16f 00000000 00000000
03001200 02000100 01000000 00000000 08003200 01020000
2017-07-12 15:49:15: DEBUG: pk_recv: retry[0] recv()
2017-07-12 15:49:15: DEBUG: got pfkey X_SPDDUMP message
2017-07-12 15:49:15: DEBUG2:
02120000 0b000100 00000000 5b0c0000 03000500 11200000 100206a5 5becb16f
00000000 00000000 03000600 11200000 10020000 1fad3aed 00000000 00000000
03001200 02000200 02000000 00000000 08003200 01020000
2017-07-12 15:49:15: DEBUG: sub:0x7fffffffe278: Server_External_IP/32[1701] My_External_IP/32[0] proto=udp dir=out
2017-07-12 15:49:15: DEBUG: db :0x80205d610: My_External_IP/32[0] Server_External_IP/32[1701] proto=udp dir=in