L2TP

[Tripple_Delta]

Next challenge, setup L2TP. 

I tried this:
https://thepracticalsysadmin.com/setting-up-an-l2tp-vpn-with-pfsense/

But again, no luck.
I can ping the VPN router from outside. But when I try to connect nothing happens. Server unavailable.
L2TP looks better because I need to send all traffic through the VPN. I don't see that option with IPsec.

[Tripple_Delta]

Funny, no entries in l2pts.log, but in ipsec.log I can see this:

Oct 12 22:37:13 firewall charon: 06[ENC] invalid ID_V1 payload length, decryption failed?
Oct 12 22:37:13 firewall charon: 06[ENC] could not decrypt payloads
Oct 12 22:37:13 firewall charon: 06[IKE] <3> message parsing failed

[franco]

Hi there,

This is confusing, you talk about L2TP, look into L2TP/IPsec and blog entry starts with:

UPDATE:  I think it is important that I inform readers that this guide is strictly for setting up and using L2TP.  It has come to my attention that many of you are are looking for a L2TP/IPSec solution, which is currently not supported in PFSense as of the version I am using (2.0.1).  I will update this post with full L2TP/IPSec instructions once this functionality has been added in new versions of PFSense.

So L2TP works, while L2TP/IPsec never made it into *sense as an easy GUI-driven option, but according to pfSense docs it's possible to configure it since 2.2[1], which is basically when we forked.

There are a few threads about L2TP/IPsec, I don't know the definite state of their success, but I've also not heard anything to the contrary. If anybody has a writeup on how to set it up we offer inclusion in our docs.

Note that L2TP/IPsec means L2TP *over* IPsec, which means in order for L2TP to authenticate, the encrypted connection needs to be working over IPsec.

And to start from the top... which one are you trying to achieve?


Cheers,
Franco

[1] https://doc.pfsense.org/index.php/L2TP/IPsec

[Tripple_Delta]

I'm trying to send all traffic from my iPad through VPN.
It looks like this is only possible with L2TP.
I'm not sure but in the early days I think I was able to send all traffic through all VPN's.

Edit:
It looks like the IOS VPN client is L2TP over IPSec

[franco]

iOS, ok.... IKEv2 is by far more portable and easy to set up.

https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
https://discussions.apple.com/thread/7483115


Cheers,
Franco

[kinch]

hi im also struggeling with this topic.

i tried this:

https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/l2tp-ipsec.html

and it works directly with pfsense without any issue.
so i tried to do the same with opnsense (setup is almost the same)
but it doesnt work.

on ipsec log it stocks on:
Jun 13 16:06:03 OPNsense charon: 09[NET] <23> sending packet: from "opnsenseWANIP"[500] to "clientIP"[500] (56 bytes)

on l2tp log, nothing happen

Setup is the same, same Network, same client, but only in pfsense it is working.


Someone was susseccfull with L2TP/IPsec with opnsense?

best regards

10.50.2.170 is client
10.100.2.151 is opnsense wan interface

Code: [Select]

Jun 13 16:24:38 OPNsense charon: 16[NET] <29> received packet: from 10.50.2.170[500] to 10.100.2.151[500] (408 bytes)
Jun 13 16:24:38 OPNsense charon: 16[ENC] <29> parsed ID_PROT request 0 [ SA V V V V V V V V ]
Jun 13 16:24:38 OPNsense charon: 16[ENC] <29> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
Jun 13 16:24:38 OPNsense charon: 16[IKE] <29> received MS NT5 ISAKMPOAKLEY vendor ID
Jun 13 16:24:38 OPNsense charon: 16[IKE] <29> received NAT-T (RFC 3947) vendor ID
Jun 13 16:24:38 OPNsense charon: 16[IKE] <29> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jun 13 16:24:38 OPNsense charon: 16[IKE] <29> received FRAGMENTATION vendor ID
Jun 13 16:24:38 OPNsense charon: 16[ENC] <29> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Jun 13 16:24:38 OPNsense charon: 16[ENC] <29> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Jun 13 16:24:38 OPNsense charon: 16[ENC] <29> received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Jun 13 16:24:38 OPNsense charon: 16[IKE] <29> 10.50.2.170 is initiating a Main Mode IKE_SA
Jun 13 16:24:38 OPNsense charon: 16[CFG] <29> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Jun 13 16:24:38 OPNsense charon: 16[ENC] <29> generating ID_PROT response 0 [ SA V V V V ]
Jun 13 16:24:38 OPNsense charon: 16[NET] <29> sending packet: from 10.100.2.151[500] to 10.50.2.170[500] (160 bytes)
Jun 13 16:24:38 OPNsense charon: 16[NET] <29> received packet: from 10.50.2.170[500] to 10.100.2.151[500] (388 bytes)
Jun 13 16:24:38 OPNsense charon: 16[ENC] <29> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jun 13 16:24:39 OPNsense charon: 16[IKE] <29> no shared key found for '10.100.2.151'[10.100.2.151] - '%any'[10.50.2.170]
Jun 13 16:24:39 OPNsense charon: 16[IKE] <29> no shared key found for 10.100.2.151 - 10.50.2.170
Jun 13 16:24:39 OPNsense charon: 16[ENC] <29> generating INFORMATIONAL_V1 request 3358429950 [ N(INVAL_KE) ]
Jun 13 16:24:39 OPNsense charon: 16[NET] <29> sending packet: from 10.100.2.151[500] to 10.50.2.170[500] (56 bytes)

[kinch]

I've looked into it further.
I think the bug is that the L2TP server does not return the data back to the IPSec service.

When I record a connection start between client and pfsense I can't detect UDP1701 packets but only ESP.

When I record a connection start between client and opnsense I see that the firewall tries to reach the client on 1701 UDP. The client, however, has never tried to reach the firewall on this port. I only see traffic from client to opnsense ESP.



opnsense 10.100.2.151

Code: [Select]

20:03:29.992063 IP 10.50.2.170 > 10.100.2.151: ESP(spi=0xcd0e2536,seq=0x1), length 164
20:03:30.987384 IP 10.50.2.170 > 10.100.2.151: ESP(spi=0xcd0e2536,seq=0x2), length 164
20:03:32.994776 IP 10.50.2.170 > 10.100.2.151: ESP(spi=0xcd0e2536,seq=0x3), length 164

pfsense 10.100.2.148

Code: [Select]

20:04:43.419714 IP 10.50.2.170 > 10.100.2.148: ESP(spi=0xc4f9eacd,seq=0x1), length 164
20:04:44.423593 IP 10.50.2.170 > 10.100.2.148: ESP(spi=0xc4f9eacd,seq=0x2), length 164
20:04:44.426226 IP 10.100.2.148 > 10.50.2.170: ESP(spi=0x93ecb4d8,seq=0x1), length 164
20:04:44.430347 IP 10.50.2.170 > 10.100.2.148: ESP(spi=0xc4f9eacd,seq=0x3), length 68
20:04:44.434370 IP 10.50.2.170 > 10.100.2.148: ESP(spi=0xc4f9eacd,seq=0x4), length 100
20:04:44.435850 IP 10.100.2.148 > 10.50.2.170: ESP(spi=0x93ecb4d8,seq=0x2), length 84
20:04:44.438398 IP 10.50.2.170 > 10.100.2.148: ESP(spi=0xc4f9eacd,seq=0x5), length 100
20:04:44.440815 IP 10.100.2.148 > 10.50.2.170: ESP(spi=0x93ecb4d8,seq=0x3), length 100

someone any idea?