[Problem] FreeBSD 10: L2TP VPN routing failed

I have an L2TP over IPsec VPN server with an Internet connection, set up on FreeBSD 10 as described at http://wiki.stocksy.co.uk/wiki/L2TP_VPN_in_FreeBSD. I can connect to it, and once connected I can ping all the devices in the VPN by the IP addresses the VPN server assigned. My problem is that I cannot reach Internet resources through the VPN.
After three days of troubleshooting, I believe something is wrong with NAT. While connected to the VPN, I tried to ping 8.8.8.8. Meanwhile, I ran `tcpdump icmp and host 8.8.8.8` on the VPN server, whose IP address in the VPN is 10.0.0.1.
Code:
# tcpdump icmp and host 8.8.8.8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtnet0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:35:36.438601 IP 10.0.0.150 > google-public-dns-a.google.com: ICMP echo request, id 49764, seq 0, length 64
12:35:37.451196 IP 10.0.0.150 > google-public-dns-a.google.com: ICMP echo request, id 49764, seq 1, length 64
12:35:38.456786 IP 10.0.0.150 > google-public-dns-a.google.com: ICMP echo request, id 49764, seq 2, length 64
12:35:39.455780 IP 10.0.0.150 > google-public-dns-a.google.com: ICMP echo request, id 49764, seq 3, length 64
12:35:40.459273 IP 10.0.0.150 > google-public-dns-a.google.com: ICMP echo request, id 49764, seq 4, length 64
There was no response from 8.8.8.8, so the ping requests time out.
Code:
$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Could this be a problem with my NAT configuration? Routable packets should use the external IP address of the VPN server as their source address, but they still carry my private IP address 10.0.0.150.
I cannot tell what is wrong with my pf.conf. Can anyone help me? I feel a little desperate. x(
Code:
# /etc/pf.conf

ext_if="vtnet0"
wan=$ext_if:network
lan="10.0.0.0/8"

nat on $ext_if from $lan to any -> ($ext_if)
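A small offline checker for the capture reasoning in this post, added here as an example and not code from the post or the wiki: it parses tcpdump's text output and reports echo requests that left the external interface with an RFC 1918 source address (so NAT did not apply) and requests that never got a reply. The sample capture, including the 198.51.100.7 address, is constructed.

```python
import ipaddress
import re

# Constructed sample in tcpdump's default text format, modelled on the lines
# quoted in the post: two echo requests leave vtnet0 still carrying the VPN
# client's private address; one is translated to a placeholder public address.
SAMPLE_CAPTURE = """\
12:35:36.438601 IP 10.0.0.150 > google-public-dns-a.google.com: ICMP echo request, id 49764, seq 0, length 64
12:35:37.451196 IP 10.0.0.150 > google-public-dns-a.google.com: ICMP echo request, id 49764, seq 1, length 64
12:35:38.456786 IP 198.51.100.7 > google-public-dns-a.google.com: ICMP echo request, id 49764, seq 2, length 64
12:35:38.470112 IP google-public-dns-a.google.com > 198.51.100.7: ICMP echo reply, id 49764, seq 2, length 64
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+): ICMP echo (?P<kind>request|reply)"
    r", id (?P<id>\d+), seq (?P<seq>\d+)"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True for RFC 1918 addresses; resolved hostnames (tcpdump without -n) are not."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)

def parse_capture(text):
    """Parse ICMP echo lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            pkts.append(d)
    return pkts

def nat_report(text):
    """Return (untranslated, unanswered): requests that left with a private
    source (NAT did not apply) and seq numbers with no matching reply."""
    pkts = parse_capture(text)
    requests = [p for p in pkts if p["kind"] == "request"]
    replies = {(p["id"], p["seq"]) for p in pkts if p["kind"] == "reply"}
    untranslated = sum(1 for p in requests if is_rfc1918(p["src"]))
    unanswered = sorted(p["seq"] for p in requests
                        if (p["id"], p["seq"]) not in replies)
    return untranslated, unanswered
```

Run it against `tcpdump -n -i vtnet0 icmp` output on the external interface; any untranslated count above zero means the packets reached the NIC without passing through the NAT rule.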
 
You're correct, it's a NAT issue. Did you follow that site completely? As that uses a different firewall. You may now have two different firewalls running with different configurations and that's going to cause all sorts of weird and wonderful issues.
 
SirDice said:
You're correct, it's a NAT issue. Did you follow that site completely? As that uses a different firewall. You may now have two different firewalls running with different configurations and that's going to cause all sorts of weird and wonderful issues.
Yes, almost. My /etc/pf.conf is different from that site's. This is the first time I've used FreeBSD. Isn't PF the default firewall for FreeBSD 10? Thanks.
 
SirDice said:
You're correct, it's a NAT issue. Did you follow that site completely? As that uses a different firewall. You may now have two different firewalls running with different configurations and that's going to cause all sorts of weird and wonderful issues.

Indeed, there were two firewalls, IPFW and PF. This time I disabled IPFW, but the NAT issue remains.
Code:
# mkdir /root/kernels
# cp /usr/src/sys/`uname -m`/conf/GENERIC /root/kernels/CUSTOM
# sed -i -e 's/GENERIC/CUSTOM/g' /root/kernels/CUSTOM
# cat << EOT >> /root/kernels/CUSTOM
# IPsec
options         IPSEC
options         IPSEC_NAT_T
device          crypto
options         IPSEC_FILTERTUNNEL
device          enc

# ALTQ
options         ALTQ
options         ALTQ_CBQ        # Class Based Queuing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
EOT
# ln -s /root/kernels/CUSTOM /usr/src/sys/`uname -m`/conf/CUSTOM
# cd /usr/src
# make buildkernel KERNCONF=CUSTOM && make installkernel KERNCONF=CUSTOM
Code:
# /etc/rc.conf

# IPsec and L2TP
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
mpd_enable="YES"

# PF
pf_enable="YES"
gateway_enable="YES"
Code:
# /etc/pf.conf

ext_if="vtnet0"
wan=$ext_if:network
lan="10.0.0.0/8"

nat on $ext_if from $lan to any -> ($ext_if)
 
siegfried said:
...
Code:
# /etc/pf.conf

ext_if="vtnet0"
wan=$ext_if:network
lan="10.0.0.0/8"

nat on $ext_if from $lan to any -> ($ext_if)

Compared to the instructions on the wiki you linked in your first post, you omitted some rules in your pf.conf:
Code:
...
# There is a better way to do this with ifconfig groups - you're welcome to try getting
# mpd5 to do that!
pass quick on ng0 all
pass quick on ng1 all
pass quick on ng2 all
pass quick on ng3 all
pass quick on ng4 all
pass quick on ng5 all
# . . . .

Are you sure you don't need these?

At least, I need a similar rule in my ipfw(8) setup. However, I cannot say anything about pf.
 
obsigna said:
siegfried said:
...
Code:
# /etc/pf.conf

ext_if="vtnet0"
wan=$ext_if:network
lan="10.0.0.0/8"

nat on $ext_if from $lan to any -> ($ext_if)

Compared to the instructions on the wiki you linked in your first post, you omitted some rules in your pf.conf:
Code:
...
# There is a better way to do this with ifconfig groups - you're welcome to try getting
# mpd5 to do that!
pass quick on ng0 all
pass quick on ng1 all
pass quick on ng2 all
pass quick on ng3 all
pass quick on ng4 all
pass quick on ng5 all
# . . . .

Are you sure you don't need these?

At least, I need a similar rule in my ipfw(8) setup. However, I cannot say anything about pf.

I tried, but that did not help. Because there is no `block all` appended, all packets should pass by default. Is there some connection between the filter rules and the NAT rules?
 
Perhaps your problem is related to this issue:

http://lists.freebsd.org/pipermail/free ... 31161.html

You might want to try:
  1. to set sysctl net.inet.ipsec.filtertunnel=0 and net.inet6.ipsec6.filtertunnel=0,
  2. or to rebuild the kernel without options IPSEC_FILTERTUNNEL,
  3. or if you need to filter ipsec packets then to patch the file ng_l2tp.c as shown in said post, and rebuild the kernel.
 
There is a bug in 10.0-RELEASE with how the kernel tags the mbuf allocated for IPsec packets: it gets tagged to skip firewalling. Hence PF/IPFW/IPF can't NAT what it can't see. The short answer is that you need to upgrade to the latest 10.1-BETA or use an older version of FreeBSD.

Long answers:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=185876 - The PR with the technical details.
https://forums.freebsd.org/viewtopic.php?f=7&t=45691 - Same issue and the troubleshooting that helped find it.