Hi,
I've spent a week trying to figure out why FreeBSD L2TP over IPSec cannot work with Windows/Android boxes that are behind NAT. I read on the strongSwan mailing list that the L2TP/IPSec NAT-T protocol is "broken by design", but this problem only occurs with a FreeBSD server; there are no issues with Cisco, MikroTik or OpenBSD! How can this be explained? I had to try it myself, so I ran L2TP/IPSec on my office MikroTik router, and the Windows/Android boxes at my home, which are behind NAT, connected successfully. What the heck is that? There is no conclusive answer for that on the web...
Code:
# uname -a
FreeBSD web.***.com.br 10.3-RELEASE-p21 FreeBSD 10.3-RELEASE-p21 #2: Sat Sep 2 23:53:31 BRT 2017 victor@web.***.com.br:/usr/obj/usr/src/sys/CUSTOM amd64
/usr/src/sys/amd64/conf/CUSTOM
Code:
options IPSEC
options IPSEC_NAT_T
device crypto
device enc
/usr/local/etc/ipsec.conf
Code:
conn L2TP/IPsec-PSK
    keyexchange = ikev1
    type = transport
    leftauth = psk
    rightauth = psk
    left = %defaultroute
    right = %any
    auto = add
/usr/local/etc/ipsec.secrets
Code:
: PSK "My_Secret_Phrase"
/usr/local/etc/mpd5/mpd.conf
Code:
startup:
    set user admin MYPASSWORD admin
    set console self 127.0.0.1 5005
    set console open
    set web self 192.168.0.1 5006
    set web open

default:
    load l2tp_server

l2tp_server:
    set ippool add pool_l2tp 192.168.0.100 192.168.0.110
    create bundle template B_l2tp
    set iface enable proxy-arp
    set iface enable tcpmssfix
    set ipcp yes vjcomp
    set ipcp ranges 192.168.0.1/32 ippool pool_l2tp
    set ipcp dns 192.168.0.1
    create link template L_l2tp l2tp
    set link action bundle B_l2tp
    set link mtu 1230
    set link keep-alive 0 0
    set link yes acfcomp protocomp
    set link no pap chap eap
    set link enable chap-msv2
    set l2tp self 0.0.0.0
    set l2tp disable dataseq
    set link enable incoming
Tcpdump
Code:
# tcpdump -i enc0
tcpdump: WARNING: enc0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 65535 bytes
12:15:07.704792 (authentic,confidential): SPI 0xce261b24: IP 191-193-29-***.user.vivozap.com.br.l2f > web.***.com.br.l2f: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() FIRM_VER(2560) *HOST_NAME(VICTOR-PC) VENDOR_NAME(Microsoft) *ASSND_TUN_ID(1) *RECV_WIN_SIZE(8)
12:15:08.705074 (authentic,confidential): SPI 0xce261b24: IP 191-193-29-***.user.vivozap.com.br.l2f > web.***.com.br.l2f: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() FIRM_VER(2560) *HOST_NAME(VICTOR-PC) VENDOR_NAME(Microsoft) *ASSND_TUN_ID(1) *RECV_WIN_SIZE(8)
12:15:10.705948 (authentic,confidential): SPI 0xce261b24: IP 191-193-29-***.user.vivozap.com.br.l2f > web.***.com.br.l2f: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() FIRM_VER(2560) *HOST_NAME(VICTOR-PC) VENDOR_NAME(Microsoft) *ASSND_TUN_ID(1) *RECV_WIN_SIZE(8)
12:15:14.714536 (authentic,confidential): SPI 0xce261b24: IP 191-193-29-***.user.vivozap.com.br.l2f > web.***.com.br.l2f: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() FIRM_VER(2560) *HOST_NAME(VICTOR-PC) VENDOR_NAME(Microsoft) *ASSND_TUN_ID(1) *RECV_WIN_SIZE(8)
Thanks!
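To read captures like the one above at the byte level, here is an added example (not code from this post, nor from mpd5 or strongSwan) that encodes and decodes L2TPv2 control messages as laid out in RFC 2661. The SCCRQ bytes are constructed to carry the same AVPs tcpdump printed (host name, tunnel id, window size), and the parser rejects an unrecognised mandatory AVP the way a peer is required to.

```python
import struct

# Attribute types from RFC 2661 that appear in the SCCRQ tcpdump printed above.
AVP_NAMES = {0: "MSGTYPE", 2: "PROTO_VER", 3: "FRAMING_CAP", 4: "BEARER_CAP", 6: "FIRM_VER",
             7: "HOST_NAME", 8: "VENDOR_NAME", 9: "ASSND_TUN_ID", 10: "RECV_WIN_SIZE"}
MSG_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO"}

def build_avp(attr, value, mandatory=True):
    """IETF (vendor 0) AVP: M bit + 10-bit total length, vendor id, attribute type, value."""
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | (6 + len(value)), 0, attr) + value

def build_control(tunnel_id, session_id, ns, nr, avps):
    """Control header: T=1 L=1 S=1 Ver=2 (0xC802), length, ids, Ns/Nr; no Offset field."""
    body = b"".join(avps)
    return struct.pack("!HHHHHH", 0xC802, 12 + len(body), tunnel_id, session_id, ns, nr) + body

def parse_control(data):
    """Decode an L2TPv2 control message (the UDP/1701 payload); raises on malformed input."""
    flags, length, tid, sid, ns, nr = struct.unpack("!HHHHHH", data[:12])
    if (flags & 0x000F) != 2 or (flags & 0xC800) != 0xC800:   # Ver=2 and T, L, S bits set
        raise ValueError("not an L2TPv2 control message")
    if length != len(data):
        raise ValueError("Length field does not match packet size")
    msg = {"tunnel_id": tid, "session_id": sid, "ns": ns, "nr": nr, "avps": {}}
    off = 12
    while off < length:
        hdr, vendor, attr = struct.unpack("!HHH", data[off:off + 6])
        alen = hdr & 0x03FF
        if alen < 6 or off + alen > length or hdr & 0x4000:   # H bit: hidden AVP, not handled
            raise ValueError("bad or hidden AVP")
        if hdr & 0x8000 and (vendor != 0 or attr not in AVP_NAMES):
            raise ValueError("unknown mandatory AVP: RFC 2661 requires tearing the tunnel down")
        msg["avps"][AVP_NAMES.get(attr, "attr%d" % attr)] = data[off + 6:off + alen]
        off += alen
    mtype = msg["avps"].get("MSGTYPE", b"\x00\x00")
    msg["type"] = MSG_TYPES.get(struct.unpack("!H", mtype)[0], "unknown")
    return msg

# Constructed SCCRQ with the same AVPs as the capture ('*' in tcpdump output = M bit set).
SCCRQ = build_control(0, 0, 0, 0, [
    build_avp(0, struct.pack("!H", 1)),             # MSGTYPE = SCCRQ
    build_avp(2, b"\x01\x00"),                      # PROTO_VER 1.0
    build_avp(3, struct.pack("!I", 1)),             # FRAMING_CAP: S (sync) bit
    build_avp(4, struct.pack("!I", 0)),             # BEARER_CAP: none
    build_avp(6, struct.pack("!H", 2560), False),   # FIRM_VER 2560, optional
    build_avp(7, b"VICTOR-PC"),                     # HOST_NAME
    build_avp(8, b"Microsoft", False),              # VENDOR_NAME, optional
    build_avp(9, struct.pack("!H", 1)),             # ASSND_TUN_ID = 1
    build_avp(10, struct.pack("!H", 8)),            # RECV_WIN_SIZE = 8
])
```

The capture shows this message retransmitted four times with no SCCRP in between; running the decrypted UDP payload through parse_control() tells you whether what reached mpd5 was a well-formed tunnel request, so the search can move to the reply path.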