OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: smoore on April 06, 2017, 04:32:16 pm

Title: Getting a VPN to work (PP2P, L2TP, IPsec)
Post by: smoore on April 06, 2017, 04:32:16 pm
I can’t seem to get a VPN working. My test setup is OPNsense connected to WAN configured with DynDNS dynamic address. I am attempting to connect to the OPNsense VPN using an iPad (iOS 10) over 3G network. This setup works well to test VPN (PPTP, L2TP, IPsec) on firewalls e.g. monowall or Sophos. This pathway has no demonstrated VPN connectivity problems and the WAN IP address is correct.

I have tried three VPN setups (PPTP, L2TP, IPsec) on OPNsense without success:

PPTP: installed plugin, configured PPTP settings listening on WAN, created PPTP user, and set up PPTP firewall rules (screenshot attached). When I try to connect with the iPad: “The PPTP-VPN server did not respond”. The most recent entries in the PPTP log file:

Apr 6 09:07:32   pptps: PPTP: waiting for connection on 192.168.1.1 1723
Apr 6 09:07:32   pptps: process 11772 started, version 5.8 (root@sensey64 21:52 27-Mar-2017)


L2TP: installed plugin, configured L2TP settings listening on WAN, created L2TP user, and set up L2TP firewall rules (screenshot attached). The iPad does not connect. The L2TP log file:

Apr 5 21:12:18   l2tps: L2TP: waiting for connection on 192.168.1.1 1701
Apr 5 21:12:18   l2tps: process 86558 started, version 5.8 (root@sensey64 21:52 27-Mar-2017)


IPsec: Set up tunnel and mobile client. Screenshot attached. I did notice on the Phase 1 proposal there is not a place for Peer Identifier, which is called Group Name on the iPad VPN client. I left this empty when setting up the iPad settings. I created a system-level group named “VPN Users” and a user with VPN: IPsec XAUTH dialin privileges. Firewall rules were created. The IPsec log is as follows:

Apr 6 09:17:06   charon: 16[NET] sending packet: from 73.xxx.xxx.247[4500] to 166.xxx.xxx.144[35000] (92 bytes)
Apr 6 09:17:06   charon: 16[ENC] generating INFORMATIONAL_V1 request 220118731 [ HASH N(AUTH_FAILED) ]
Apr 6 09:17:06   charon: 16[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Main Mode
Apr 6 09:17:06   charon: 16[CFG] looking for XAuthInitPSK peer configs matching 73.xxx.xxx.247...166.xxx.xxx.144[10.xxx.xxx.16]
Apr 6 09:17:06   charon: 16[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Apr 6 09:17:06   charon: 16[NET] received packet: from 166.xxx.xxx.144[35000] to 73.xxx.xxx.247[4500] (108 bytes)
Apr 6 09:17:06   charon: 16[NET] sending packet: from 73.xxx.xxx.247[500] to 166.xxx.xxx.144[54300] (244 bytes)
Apr 6 09:17:06   charon: 16[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Apr 6 09:17:06   charon: 16[IKE] remote host is behind NAT
Apr 6 09:17:06   charon: 16[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr 6 09:17:06   charon: 16[NET] received packet: from 166.xxx.xxx.144[54300] to 73.xxx.xxx.247[500] (228 bytes)
Apr 6 09:17:06   charon: 16[NET] sending packet: from 73.xx.xx.247[500] to 166.xx.xx.144[54300] (160 bytes)
Apr 6 09:17:06   charon: 16[ENC] generating ID_PROT response 0 [ SA V V V V ]
Apr 6 09:17:06   charon: 16[IKE] 166.xxx.xxx.144 is initiating a Main Mode IKE_SA
Apr 6 09:17:06   charon: 16[IKE] 166.xxx.xxx.144 is initiating a Main Mode IKE_SA
Apr 6 09:17:06   charon: 16[IKE] received DPD vendor ID
Apr 6 09:17:06   charon: 16[IKE] received FRAGMENTATION vendor ID
Apr 6 09:17:06   charon: 16[IKE] received Cisco Unity vendor ID
Apr 6 09:17:06   charon: 16[IKE] received XAuth vendor ID
Apr 6 09:17:06   charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr 6 09:17:06   charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Apr 6 09:17:06   charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Apr 6 09:17:06   charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Apr 6 09:17:06   charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Apr 6 09:17:06   charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Apr 6 09:17:06   charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Apr 6 09:17:06   charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Apr 6 09:17:06   charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Apr 6 09:17:06   charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
Apr 6 09:17:06   charon: 16[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Apr 6 09:17:06   charon: 16[NET] received packet: from 166.xxx.xxx.144[54300] to 73.xxx.xxx.247[500] (848 bytes)


Any suggestions on getting any of these interfaces to work?
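An added triage script (not from the thread or from OPNsense) that reads the three log excerpts above and pulls out the lines that point at a cause: the PPTP/L2TP daemons announce a private listen address, and charon reports that the iPad's XAuthInitPSK/Main Mode request matched no Phase 1 configuration before it sent AUTH_FAILED. The sample log text is constructed from the post; the regexes and category names are the script's own assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample: excerpts of the logs quoted in the post above
# (charon lines are newest-first, as the OPNsense log viewer shows them).
PPTP_LOG = """Apr 6 09:07:32   pptps: PPTP: waiting for connection on 192.168.1.1 1723
Apr 6 09:07:32   pptps: process 11772 started, version 5.8 (root@sensey64 21:52 27-Mar-2017)"""

CHARON_LOG = """Apr 6 09:17:06   charon: 16[ENC] generating INFORMATIONAL_V1 request 220118731 [ HASH N(AUTH_FAILED) ]
Apr 6 09:17:06   charon: 16[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Main Mode
Apr 6 09:17:06   charon: 16[CFG] looking for XAuthInitPSK peer configs matching 73.xxx.xxx.247...166.xxx.xxx.144[10.xxx.xxx.16]
Apr 6 09:17:06   charon: 16[IKE] remote host is behind NAT
Apr 6 09:17:06   charon: 16[IKE] 166.xxx.xxx.144 is initiating a Main Mode IKE_SA"""

# Patterns for the daemon "listening" banner and for strongSwan's auth-method mismatch.
LISTEN_RE = re.compile(r"(pptps|l2tps): \w+: waiting for connection on (\S+) (\d+)")
AUTH_RE = re.compile(r"none allows (\w+) authentication using (\w+ Mode)")
NOTIFY_RE = re.compile(r"N\((AUTH_FAILED|INVALID_ID_INFORMATION|NO_PROPOSAL_CHOSEN)\)")


def triage(log: str) -> Dict[str, List[str]]:
    """Return findings keyed by category from a PPTP/L2TP/charon log excerpt."""
    findings: Dict[str, List[str]] = {"listen": [], "ike": [], "notify": []}
    for line in log.splitlines():
        m = LISTEN_RE.search(line)
        if m:
            daemon, addr, port = m.groups()
            try:
                # A private listen address means the daemon is not bound to the public WAN IP.
                if ipaddress.ip_address(addr).is_private:
                    findings["listen"].append(
                        f"{daemon} listens on private {addr}:{port}, not a public WAN address")
            except ValueError:
                pass  # redacted addresses such as 73.xxx.xxx.247 are skipped
        m = AUTH_RE.search(line)
        if m:
            findings["ike"].append(
                f"client requested {m.group(1)} in {m.group(2)}; no Phase 1 allows it")
        m = NOTIFY_RE.search(line)
        if m:
            findings["notify"].append(m.group(1))  # error notify sent to the peer
        if "remote host is behind NAT" in line:
            findings["ike"].append("peer is NATed; expect the exchange to move to UDP/4500")
    return findings


if __name__ == "__main__":
    for name, log in (("PPTP", PPTP_LOG), ("IPsec", CHARON_LOG)):
        print(name, triage(log))
```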
Title: Re: Getting a VPN to work (PP2P, L2TP, IPsec)
Post by: bartjsmit on April 06, 2017, 04:52:14 pm
Any reason not to use OpenVPN? It's more secure than PPTP and by far the easiest to configure.

Bart...
Title: Re: Getting a VPN to work (PP2P, L2TP, IPsec)
Post by: smoore on April 06, 2017, 04:56:50 pm
Quote
Any reason not to use OpenVPN? It's more secure than pptp and by far the easiest to configure
