L2TP/IPSec VPN problems

Luke Crooks

Hi Everyone,

I have followed the tutorial here Thread 26755, and I cannot seem to get anywhere, so here is my debugging. Please note I have disabled my firewall as I am still configuring a new server; I will add all rule sets in once I know everything is working.

My server IP is, with the DNS at and lastly the range of IP addresses that I want available to the VPN are " -->"

So I am trying to connect to my server from an Android phone (IPv6 address masked). I connect and this is the Wireshark dump:

13:33:16.467067 IP XXX-XXX-h-15-6.XXX.02.XXX.54600 >  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *HOST_NAME(anonymous) *FRAMING_CAP(AS) *ASSND_TUN_ID(35359) *RECV_WIN_SIZE(1)
13:33:16.467162 IP XXX-XXX-h-15-6.XXX.02.XXX.54600 >  l2tp:[TLS](0/0)Ns=1,Nr=0 *MSGTYPE(StopCCN) *ASSND_TUN_ID(35359) *RESULT_CODE(6)

Here you can see the server is getting the connection from the device, coming in, but nothing else.

My racoon.log
2014-12-22 12:55:00: INFO: caught signal 15
2014-12-22 12:55:00: INFO: racoon process 77362 shutdown
2014-12-22 12:57:17: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
2014-12-22 12:57:17: INFO: @(#)This product linked OpenSSL 1.0.1j-freebsd 15 Oct 2014 (http://www.openssl.org/)
2014-12-22 12:57:17: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2014-12-22 12:57:17: WARNING: setsockopt(UDP_ENCAP_ESPINUDP): UDP_ENCAP Invalid argument
2014-12-22 12:57:17: INFO:[4500] used as isakmp port (fd=4)
2014-12-22 12:57:17: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Invalid argument
2014-12-22 12:57:17: INFO:[500] used as isakmp port (fd=5)

Nothing in here but a warning on a configuration file. This error (after some googling) doesn't look like it could be causing the problems, but I could be wrong.

path pre_shared_key "/usr/local/etc/racoon/psk.txt";
  isakmp [500];
  isakmp_natt [4500];
remote anonymous
  exchange_mode  main;
  passive  on;
  proposal_check  obey;
  support_proxy  on;
  nat_traversal  on;
  ike_frag  on;
  dpd_delay  20;
  encryption_algorithm  aes;
  hash_algorithm  sha1;
  authentication_method pre_shared_key;
  dh_group  modp1024;
  encryption_algorithm  3des;
  hash_algorithm  sha1;
  authentication_method pre_shared_key;
  dh_group  modp1024;
sainfo anonymous
  encryption_algorithm  aes,3des;
  authentication_algorithm hmac_sha1;
  compression_algorithm  deflate;
  pfs_group  modp1024;

And my ppp.log
Sep 16 12:42:47 freebsd newsyslog[619]: logfile first created

Nothing in here.

Other configuration files are:
# configure mpd users
  set user super adminpassword admin

# configure the console
  set console self 5005
  set console open

# configure the web server
  set web self 5006
  set web open

  load l2tp_server

# Define dynamic IP address pool.
  set ippool add pool_l2tp

# Create clonable bundle template named B_l2tp
  create bundle template B_l2tp
  set iface enable proxy-arp
  set iface enable tcpmssfix
  set ipcp yes vjcomp

# Specify IP address pool for dynamic assignment.
  set ipcp ranges ippool pool_l2tp
  set ipcp dns

# Create clonable link template named L_l2tp
  create link template L_l2tp l2tp
  set link action bundle B_l2tp
  set link mtu 1230
  set link keep-alive 0 0
  set link yes acfcomp protocomp
  set link no pap chap eap
  set link enable chap

# Configure L2TP
  set l2tp self
  set l2tp disable dataseq

# Allow to accept calls
  set link enable incoming

spdadd[0][1701] udp -P in  ipsec esp/transport//require;
spdadd[1701][0] udp -P out ipsec esp/transport//require;


Custom kernel options
device crypto

I think that is all the relevant information, if I am missing anything please ask, all help greatly appreciated!

Nat Howard

I found the existing patches, the ones that let you set a sysctl called "net.inet.esp.esp_ignore_natt_cksum" to 1. These work fine for iOS and macOS, both from behind NAT boxes and on a fully-routed address, and succeed on Windows on a fully-routed address... and then fail on Windows when the Windows client is behind a NAT wall.

The problem there seems to be that FreeBSD and Windows have different notions of what the UDP checksum should be, and the net.inet.esp.esp_ignore_natt_cksum fix isn't sufficient to fix this entirely. You can try this yourself, and see netstat -s report a couple of "with bad checksum" packets each time you try to connect with Windows.

I therefore performed the following butchery on a 10.1 system, which turns off all UDP checksum-checking:

diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 6c7d341..b1c1e37 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -461,7 +461,9 @@ udp_input(struct mbuf *m, int off)
    * Checksum extended UDP header and data.
-  if (uh->uh_sum) {
+  /* NRH %%% DISABLE UDP CHECKSUMMING! Incoming stuff will show up as "no checksum", I think */
+/*  if (uh->uh_sum) { */
+  if (FALSE) {
     u_short uh_sum;
     if ((m->m_pkthdr.csum_flags & CSUM_DATA_VALID) &&
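Review bot: Replacing "if (uh->uh_sum) {" with "if (FALSE) {" in udp_input() switches off checksum verification for every UDP datagram the host receives, not only the L2TP-over-ESP traffic that fails behind NAT, so damaged datagrams for any other UDP service on the machine are now accepted too. Put the bypass behind a sysctl that defaults to off, as the existing net.inet.esp.esp_ignore_natt_cksum patches do, and if possible apply it only to packets that came through NAT-T decapsulation. Before this goes into the bug report, drop the commented-out original condition and the "NRH %%%" marker, and replace the "I think" in the comment with what the counters actually show for incoming packets.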

and find that I can now connect via L2TP/IPSEC from a Windows box behind a NAT wall.

I'm sure someone can figure out the discrepancy in checksum computation, and I'm sure someone can make this an "ignore all UDP checksums" sysctl (I may do this last part myself, eventually), but for now, this works for me.

I'm going to post a copy of this in the relevant bug report.
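Added example, not code from either poster or from FreeBSD: one well-documented way a UDP checksum goes bad in NAT-T transport mode (RFC 3948, section 3.1.2) is that the client computes it over its private source address while the server verifies it against the NAT's public address. Whether this is the discrepancy seen in this thread is not established here; all addresses and payload bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed addresses: client behind NAT, NAT's public side, VPN server. */
#define IP(a, b, c, d) ((uint32_t)(a) << 24 | (b) << 16 | (c) << 8 | (d))
#define CLIENT_PRIV IP(192, 168, 1, 10)
#define NAT_PUBLIC  IP(203, 0, 113, 5)
#define SERVER      IP(198, 51, 100, 20)

/* Add big-endian 16-bit words to a running one's-complement sum. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t sum)
{
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)p[0] << 8 | p[1];
    if (len)
        sum += (uint32_t)p[0] << 8;          /* odd trailing byte, zero padded */
    return sum;
}

/* Checksum over the IPv4 pseudo-header (src, dst, proto 17, length) + segment. */
uint16_t udp_cksum(uint32_t src, uint32_t dst, const uint8_t *seg, size_t len)
{
    uint8_t ph[12] = {
        (uint8_t)(src >> 24), (uint8_t)(src >> 16), (uint8_t)(src >> 8), (uint8_t)src,
        (uint8_t)(dst >> 24), (uint8_t)(dst >> 16), (uint8_t)(dst >> 8), (uint8_t)dst,
        0, 17, (uint8_t)(len >> 8), (uint8_t)len };
    uint32_t sum = sum16(seg, len, sum16(ph, sizeof ph, 0));
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);  /* fold carries back in */
    return (uint16_t)~sum;
}

/* Receiver check: 1 = valid or not present, 0 = "bad checksum". */
int udp_verify(uint32_t src, uint32_t dst, const uint8_t *seg, size_t len)
{
    if (seg[6] == 0 && seg[7] == 0)
        return 1;                            /* zero field: sender sent no checksum */
    return udp_cksum(src, dst, seg, len) == 0;
}

/* Client builds a port-1701 datagram with its private address; the server
 * verifies it against the source address it sees after decapsulation. */
int verify_at_server(uint32_t seen_src)
{
    uint8_t seg[12] = { 0x06, 0xa5, 0x06, 0xa5, 0, 12, 0, 0, 0xc8, 0x02, 0, 12 };
    uint16_t c = udp_cksum(CLIENT_PRIV, SERVER, seg, sizeof seg);
    if (c == 0) c = 0xffff;                  /* 0 is reserved for "no checksum" */
    seg[6] = (uint8_t)(c >> 8); seg[7] = (uint8_t)c;
    return udp_verify(seen_src, SERVER, seg, sizeof seg);
}
```

verify_at_server(CLIENT_PRIV) models a client on a routed address and verify_at_server(NAT_PUBLIC) models the same datagram after the source address has been rewritten; only the second is rejected.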