# Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to III)



## Anonymous (Oct 2, 2011)

*1  Objective and Limitations*

Utilizing net/mpd5 and security/ipsec-tools, an L2TP/IPsec VPN Dial-In Server shall be set up on FreeBSD 8.2-RELEASE. Mobile clients shall be able to connect from any IP in the world by Pre-Shared Key authentication (Wildcard PSK).

This setup has been proven to work with Mac OS X and iOS clients. It works well with both the server and the client sitting behind NATs. Multiple clients may connect at the same time. However, a bug in IPsec-SA housekeeping prevents more than one client sitting behind the same NAT, i.e. having the same public IP, from establishing connections.

I have no experience with FreeBSD and Linux clients.

*Update:*
The following statement is no longer exactly true:


> I was not able to establish a connection with a Windows 7 client ...


As a matter of fact, I achieved Windows 7 connectivity by applying some more patches to ipsec-tools and in addition by patching the kernel. The patches are revealed in post #82, and with the complete set of patches applied, Windows 7 clients can connect from behind NAT using the built-in VPN software, so there is no need to switch to a commercial one. These patches also resolve another issue with all sorts of clients, namely that finally many clients may concurrently connect from behind the same NAT to the VPN server.

*2 Installation Procedure*

Login as user root.

*2.1 Build a Kernel with IPsec support*

This is basically the way outlined in Chapter 8.5 of the FreeBSD Handbook. Here I add IPsec support to the GENERIC kernel. My favorite editor is editors/nano. Of course, you may do all the necessary editing with any other editor.

Copy the kernel configuration of your present kernel and add the IPsec related options to it. In the following commands, replace "i386" and "GENERIC" as appropriate for your architecture and your present kernel:
`cd /usr/src/sys/i386/conf`
`cp GENERIC GENERIC_IPsec`

Then edit the new configuration file, changing the ident parameter (near the top of the file) and adding the relevant IPsec options:
`nano GENERIC_IPsec`

```
ident           GENERIC_IPsec
```
I placed the following below the first big options block:

```
# Options for an IPsec enabled kernel
options         IPSEC
options         IPSEC_NAT_T
device          crypto
```

Build and install the new kernel. Be prepared that building the kernel will take some time.
`cd /usr/src`
`make buildkernel KERNCONF=GENERIC_IPsec`
`make installkernel KERNCONF=GENERIC_IPsec`

The new kernel will be copied to the /boot/kernel directory as /boot/kernel/kernel and the old kernel will be moved to /boot/kernel.old/kernel. Now restart your system.
`shutdown -r now`


*2.2 Installation of security/ipsec-tools*

Before building and installing ipsec-tools, two additional patch files shall be put into place. The first one fixes a problem of racoon frequently throwing a warning about an "unrecognized route message with rtm_type: RTM_GET".

Save the following content as /usr/ports/security/ipsec-tools/files/patch-zz-local-0.diff:
`nano /usr/ports/security/ipsec-tools/files/patch-zz-local-0.diff`

```
diff -rup srca/racoon/grabmyaddr.c srcb/racoon/grabmyaddr.c
--- src/racoon/grabmyaddr.c     2011-03-14 14:18:12.000000000 -0300
+++ src/racoon/grabmyaddr.c     2011-04-25 15:56:41.000000000 -0300
@@ -753,6 +753,7 @@ kernel_handle_message(msg)
        case RTM_ADD:
        case RTM_DELETE:
        case RTM_CHANGE:
+       case RTM_GET:
        case RTM_MISS:
        case RTM_IFINFO:
 #ifdef RTM_OIFINFO
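Review bot: adding RTM_GET to the list of route messages that fall through to the shared break is the right place to silence the warning, but two things should be settled before this ships as files/patch-zz-local-0.diff: the `diff -rup srca/... srcb/...` line names different directories than the `---`/`+++` headers (`src/racoon/grabmyaddr.c`), and since the ports framework applies files/patch-* with a -p0 strip by default, only the header paths matter, so the first line should agree with them; and a one-line comment next to `case RTM_GET:` would record that a route query reply needs no action from racoon, so nobody later "fixes" it back into the default branch.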
@@ -768,7 +769,7 @@ kernel_handle_message(msg)
                break;
        default:
                plog(LLV_WARNING, LOCATION, NULL,
-                    "unrecognized route message with rtm_type: %d",
+                    "unrecognized route message with rtm_type: %d\n",
                     rtm->rtm_type);
                break;
        }
```
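Review bot: the only change in the second hunk is the `\n` appended to the plog() format string, which is unrelated to the RTM_GET warning that the description above attributes to this patch and is not mentioned there; either split it into its own patch or state in the text that the patch carries both a logic fix and a log-formatting fix, so that anyone re-applying patch-zz-local-0.diff against a newer ipsec-tools knows both parts are intended.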

The second one patches Wildcard-PSK handling into racoon. This issue has been exhaustively discussed elsewhere. The bottom line is that we cannot expect this to enter racoon at any time (soon). Alternatively, mobile clients and the server could be configured using certificates; however, this would be a topic for another Howto. Anyway, here comes the patch. Save the following content as /usr/ports/security/ipsec-tools/files/patch-zz-local-1.diff:
`nano /usr/ports/security/ipsec-tools/files/patch-zz-local-1.diff`

```
diff -rup srca/racoon/localconf.c srcb/racoon/localconf.c
--- src/racoon/localconf.c      2008-12-23 12:04:42.000000000 -0200
+++ src/racoon/localconf.c      2011-04-25 15:44:24.000000000 -0300
@@ -207,7 +207,8 @@ getpsk(str, len)
                if (*p == '\0')
                        continue;       /* no 2nd parameter */
                p--;
-               if (strncmp(buf, str, len) == 0 && buf[len] == '\0') {
+               if (strcmp(buf, "*") == 0 ||
+                   (strncmp(buf, str, len) == 0 && buf[len] == '\0')) {
                        p++;
                        keylen = 0;
                        for (q = p; *q != '\0' && *q != '\n'; q++)
```
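Review bot: with the new condition a line whose identifier is `*` is accepted before the exact comparison against the peer address is even tried, so if the lookup stops at the first matching line, a `*` entry placed above address-specific entries shadows them. That is harmless for the single-line psk.txt used in section 3.1, but when wildcard and per-IP keys are mixed the `*` line has to be the last one; this deserves a comment next to the new condition or a sentence in the howto. A plog() at debug level saying whether the wildcard or an exact entry was used would also make a later "couldn't find the pskey" much easier to trace in racoon.log.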

Now, build and install security/ipsec-tools.
`cd /usr/ports/security/ipsec-tools`
`make install clean`





*2.3 Installation of net/mpd5*

mpd5 works out of the box, without any patching and without changes to the default configure options, so simply do the following:
`cd /usr/ports/net/mpd5`
`make install clean`


*3 Configuration*

*3.1 IPsec Configuration*

Racoon expects its configuration file at /usr/local/etc/racoon/racoon.conf. The file and its configuration directory do not exist on a fresh installation, so create the directory and save the following content to the respective configuration file, replacing 192.168.0.1 with the local IP of your server:
`mkdir -p /usr/local/etc/racoon`
`nano /usr/local/etc/racoon/racoon.conf`

```
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

listen
{
        isakmp           192.168.0.1 [500];
        isakmp_natt      192.168.0.1 [4500];
        strict_address;
}

remote anonymous
{
        exchange_mode    main;
        passive          on;
        proposal_check   obey;
        support_proxy    on;
        nat_traversal    on;
        ike_frag         on;
        dpd_delay        20;

        proposal
        {
                encryption_algorithm  aes;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }

        proposal
        {
                encryption_algorithm  3des;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }
}

sainfo anonymous
{
        encryption_algorithm     aes,3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm    deflate;
        pfs_group                modp1024;
}
```

You might want to review the options in racoon.conf(5).

Now create the file holding the Pre-Shared Key. Of course, you would replace "Ach_wie_gut,_daß_niemand_weiß,_daß_ich_Rumpelstielzchen_heiß." with your super secret PSK pass phrase. The * is the wildcard for any IP address. If you did not patch Wildcard PSK handling into racoon, as suggested above, then you need to put a real IP here. In this case you may have several lines with different IPs and secrets.
`nano /usr/local/etc/racoon/psk.txt`

```
* Ach_wie_gut,_daß_niemand_weiß,_daß_ich_Rumpelstielzchen_heiß.
```
Then change the access rights to a bare minimum:
`chmod 600 /usr/local/etc/racoon/psk.txt`

Finally the file holding the security policies must be created:
`nano /usr/local/etc/racoon/setkey.conf`

```
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in  ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
```


*3.2 mpd5 Configuration* (s. Part II)
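As an added example (not part of this howto and not racoon's own code), the following Python script models the lookup rules of the wildcard-PSK patch from section 2.2 over a psk.txt of the shape shown in section 3.1: comment lines are skipped, the identifier is the first word, the key is the rest of the line, a `*` identifier matches any peer, and the first matching line wins. It also audits a file for the two things that bite in practice: a mode looser than the chmod 600 above, and a `*` line that sits above per-IP entries and therefore shadows them. The file contents and keys are constructed placeholders.

```python
"""Model racoon's patched PSK lookup and audit a psk.txt file.

Added example: mirrors the semantics of patch-zz-local-1.diff (wildcard "*"
or exact identifier match, first match wins); it is not racoon code.
"""
import os
import stat
import tempfile
from typing import List, Optional

# Constructed sample; the keys are placeholders, not real secrets.
SAMPLE_PSK_TXT = """\
# identifier   pre-shared key (the rest of the line)
203.0.113.7    key_for_one_fixed_peer
*              wildcard_key_for_everyone_else
198.51.100.9   shadowed_because_the_wildcard_line_comes_first
"""


def lookup_psk(lines, peer_id: str) -> Optional[str]:
    """Return the key racoon would pick for peer_id, or None if no line matches."""
    for raw in lines:
        if raw.startswith("#"):
            continue                      # comment line, as in getpsk()
        parts = raw.rstrip("\n").split(None, 1)
        if len(parts) < 2:
            continue                      # no 2nd parameter, as in getpsk()
        ident, key = parts
        # The patched condition: wildcard first, then the exact comparison.
        if ident == "*" or ident == peer_id:
            return key
    return None


def audit_psk_file(path: str) -> List[str]:
    """Return findings for a psk.txt on disk; an empty list means it looks clean."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("psk.txt is readable or writable by group/other; expected mode 600")
    idents = []
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            if raw.startswith("#"):
                continue
            parts = raw.rstrip("\n").split(None, 1)
            if len(parts) == 2:
                idents.append(parts[0])
    # Because the lookup returns on the first match, a '*' line must be last.
    if "*" in idents and idents.index("*") != len(idents) - 1:
        findings.append("wildcard '*' line is not last: later per-peer entries can never match")
    return findings


def demo() -> dict:
    """Write two constructed psk.txt files to a temp dir and audit both."""
    tmp = tempfile.mkdtemp()
    loose = os.path.join(tmp, "psk_loose.txt")
    strict = os.path.join(tmp, "psk_strict.txt")
    with open(loose, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_PSK_TXT)
    os.chmod(loose, 0o644)                # deliberately too open
    with open(strict, "w", encoding="utf-8") as fh:
        fh.write("203.0.113.7 key_for_one_fixed_peer\n* wildcard_key_for_everyone_else\n")
    os.chmod(strict, 0o600)               # what the howto's chmod produces
    return {"loose": audit_psk_file(loose), "strict": audit_psk_file(strict)}


if __name__ == "__main__":
    lines = SAMPLE_PSK_TXT.splitlines(True)
    for peer in ("203.0.113.7", "198.51.100.9", "192.0.2.1"):
        print(peer, "->", lookup_psk(lines, peer))
    print(demo())
```

Running it shows that 198.51.100.9 receives the wildcard key rather than its own entry, which is exactly the ordering pitfall the audit flags.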


----------



## Anonymous (Oct 2, 2011)

*Howto set up a L2TP/IPsec VPN Dial-In Server (Part II)*

*3.2 mpd5 Configuration*

Create the file holding the mpd secrets. Here you basically set up the credentials for the administrator of mpd5 and for the users who may connect to the VPN service. For example, my entries look roughly like this:
`nano /usr/local/etc/mpd5/mpd.secret`

```
super      "pwSuper"
rolf       "pwRolf"
thomas     "pwThomas"
alex       "pwAlex"
anna       "pwAnna"
etc        "pwEtc"
```

Remember the login-id of the admin user (in the above example super), because you need this in the next step, i.e. creating and editing the principal configuration file. You could start with a copy of mpd.conf.sample; however, this contains configurations for a lot of different operation modes of mpd5. So I suggest creating a new file and copying my configuration suggestion below into it. You might want to review the file /usr/local/etc/mpd5/mpd5.conf.sample at some point later, though.
`nano /usr/local/etc/mpd5/mpd.conf`

```
startup:
# configure mpd users
        set user super pwSuper admin

# configure the console
        set console self 127.0.0.1 5005
        set console open

# configure the web server
        set web self 0.0.0.0 5006
        set web open

default:
        load l2tp_server

l2tp_server:
# Define dynamic IP address pool.
        set ippool add pool_l2tp 192.168.0.150 192.168.0.199

# Create clonable bundle template named B_l2tp
        create bundle template B_l2tp
        set iface enable proxy-arp
        set iface enable tcpmssfix
        set ipcp yes vjcomp

# Specify IP address pool for dynamic assignment.
        set ipcp ranges 192.168.0.1/32 ippool pool_l2tp
        set ipcp dns 192.168.0.1

# Create clonable link template named L_l2tp
        create link template L_l2tp l2tp
        set link action bundle B_l2tp
        set link mtu 1230
        set link keep-alive 0 0
        set link yes acfcomp protocomp
        set link no pap chap eap
        set link enable chap

# Configure L2TP
        set l2tp self 192.168.0.1
        set l2tp disable dataseq

# Allow to accept calls
        set link enable incoming
```

The above setup assumes that the local network is 192.168.0.0/24, and that the L2TP/IPsec-VPN host has the IP 192.168.0.1. Furthermore, an IP range from 192.168.0.150 to 192.168.0.199 is reserved for VPN.

"set iface enable proxy-arp" is required if VPN clients are allowed to connect to other machines inside and outside of your local network. If VPN clients should be restricted to services of the VPN host only, then remove this setting. By default, proxy-arp is disabled.

In my setup the VPN host also hosts the DNS server. If you have another DNS, change "set ipcp dns 192.168.0.1" accordingly. Of course, this would also mean that proxy-arp should be enabled, since otherwise VPN clients cannot reach another DNS.


*3.3 System configurations*


If VPN clients are allowed to connect to other hosts, then you need to add to /etc/rc.conf the following line:
`nano /etc/rc.conf`

```
gateway_enable="YES"
```

Make sure that your firewall is open for the UDP ports 500 and 4500.

Enable ipsec, racoon, and mpd by adding the following lines to /etc/rc.conf:
`nano /etc/rc.conf`

```
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
mpd_enable="YES"
```


Now restart your machine.
`shutdown -r now`

The L2TP/IPsec-VPN server should be up and waiting for connections.


----------



## Anonymous (Nov 10, 2011)

*Howto set up a L2TP/IPsec VPN Dial-In Server (Part III)*

*4. ipfw(8)/NAT for the L2TP/IPsec and PPTP Dial-In Services, all running on the same FreeBSD box*

When I wrote Part I and Part II of this Howto, my FreeBSD home server was sitting in the DMZ behind a SOHO router to the internet, and firewall/NAT was managed by the router. Recently, I connected the cable modem via USB directly to the FreeBSD box, enabled ipfw and NAT, and now it plays the role of the gateway to the internet.

Well, the switch was not that easy, and some subtleties that are explained neither in the Handbook nor in the relevant man pages had to be resolved before everything was working well together. I figured this would justify a separate chapter 4, making up the present new Part III of the Howto.

*4.1 Adding NAT support to the Kernel*

Note: This chapter 4.1 is meant to replace chapter 2.1 of Part I of this Howto.

This is basically the way outlined in Chapter 8.5 of the FreeBSD Handbook. Here I add IPsec support as described in chapter 2.1 and additionally ipfw/NAT support to the GENERIC kernel. My favorite editor is editors/nano. Of course, you may do all the necessary editing with any other editor.

Login as root. Copy the kernel configuration of your present kernel and add the IPsec and ipfw/NAT related options to it. In the following commands, replace "i386" and "GENERIC" as appropriate for your architecture and your present Kernel:
`cd /usr/src/sys/i386/conf`
`cp GENERIC GENERIC_IPsec_NAT`

Then edit the new configuration file, changing the ident parameter (quite at the top of the file) and adding the relevant IPsec and ipfw/NAT options:
`nano GENERIC_IPsec_NAT`

```
ident           GENERIC_IPsec_NAT
```
I placed the following below the first big options block:

```
# Options for an IPsec enabled kernel
options         IPSEC
options         IPSEC_FILTERTUNNEL
options         IPSEC_NAT_T
device          crypto
device          enc

# Options for a NAT enabled kernel
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=5
options         IPFIREWALL_FORWARD
options         IPFIREWALL_NAT
options         LIBALIAS
options         IPDIVERT
```

IPDIVERT is not strictly needed, because I am going to set up in-kernel NAT; however, this gives me the option to do the same thing using the traditional divert method. In addition, divert is also useful for other things, like ipfw(8) tee rules.

Build and install the new kernel. Be prepared that building the kernel will take some time.
`cd /usr/src`
`make buildkernel KERNCONF=GENERIC_IPsec_NAT`
`make installkernel KERNCONF=GENERIC_IPsec_NAT`

The new kernel will be copied to the /boot/kernel directory as /boot/kernel/kernel and the old kernel will be moved to /boot/kernel.old/kernel. Now restart your system.
`shutdown -r now`


*4.2 Firewall Configuration*

Remember that net/mpd5 and security/ipsec-tools are configured to listen on the LAN interface. I wanted to keep it like this, because my LAN interface has a fixed IP address, while my WAN interface gets its IP address via DHCP from the ISP, and that may change from time to time.

While it is possible to use /etc/dhclient-exit-hooks to script restarting mpd5 and ipsec after the public IP changed, I preferred having the mpd5 and ipsec address settings immutable. So, I need to use NAT redirect rules for routing the respective packets from the WAN interface to the LAN interface.

I also have a VPN-PPTP dial-in server running on port 1723, therefore my firewall rules cover this one too.

Create the shell script file holding the ipfw/NAT configuration.
`nano /etc/ipfw.conf; chmod ugo+x /etc/ipfw.conf`

You need to replace "WAN" and "LAN" with your respective interface names. In my case, ue0 is the WAN interface and re0 is the LAN interface.


```
#!/bin/sh
ipfw -q flush

add="ipfw -q add"

ipfw -q nat 1 config if WAN reset\
                            redirect_port tcp 192.168.0.1:1723 1723\
                            redirect_port udp 192.168.0.1:1701 1701\
                            redirect_port udp 192.168.0.1:500   500\
                            redirect_port udp 192.168.0.1:4500 4500

# Allow everything within the LAN
$add 10 allow ip from any to any via LAN
$add 20 allow ip from any to any via lo0
$add 30 allow ip from any to any via ng*

# Catch spoofing from outside
$add 90 deny ip from any to any not antispoof in

$add 100 nat 1 ip from any to any via WAN in
$add 101 check-state

# Rules for allowing dial-in calls to the PPTP and L2TP/IPsec VPN servers
# that are listening on a LAN interface behind the NAT
$add 200 skipto 10000 tcp from any to any 1723 via WAN in setup keep-state
$add 202 skipto 10000 udp from any to any 1701 via WAN in keep-state
$add 203 skipto 10000 udp from any to any  500 via WAN in keep-state
$add 204 skipto 10000 udp from any to any 4500 via WAN in keep-state

# Rules for outgoing traffic - allow everything that is not explicitly denied
$add 1000 deny ip from not me to any 25, 53 via WAN out

# Allow all other outgoing connections
$add 2000 skipto 10000 tcp from any to any via WAN out setup keep-state
$add 2010 skipto 10000 udp from any to any via WAN out keep-state

# Rules for incoming traffic - deny everything that is not explicitly allowed
$add 5000 allow tcp from any to any 4, 80, 443, 548 via WAN in setup limit src-addr 10

# Catch tcp/udp packets, but don't touch gre, esp, icmp traffic
$add 9998 deny tcp from any to any via WAN
$add 9999 deny udp from any to any via WAN

$add 10000 nat 1 ip from any to any via WAN out
$add 65534 allow ip from any to any
```

Rules 10 to 30 deal with the traffic inside the LAN. ng* are the interfaces that are dynamically created by VPN connections, and of course, packets coming in or going out here shall be considered LAN packets. If you want to restrict VPN users to certain services only, then you might want to modify rule 30.

Rule 100 sends incoming packets through the NAT, and Rule 101 checks packets against the dynamic rule set. A crucial subtlety that is mentioned nowhere is that this rule must be numbered 101 (i.e. number of nat rule + 1). I don't know the reason for this; however, I spent hours of firewall testing, only to find out that any other rule number than 101 did not work here for me.

Because the VPN traffic passes the NAT to another interface, i.e. has to go in and out, it cannot simply be allowed, but it has to be skipped to the outgoing nat rule 10000.

Personally, I prefer the firewall style which allows everything going out that is not explicitly denied, and which denies everything coming in that is not explicitly allowed. However, this is pretty much a matter of taste, and there are several other ways of doing the right thing between rule numbers 1000 and 9997.

Another subtlety is that there is no single catch-all rule at 9999; instead there are two rules explicitly catching tcp and udp traffic, thereby leaving gre, esp, and icmp packets alone.

Rule 10000 sends outgoing packets to the NAT. Finally, the default rule 65535 of the firewall denies everything; therefore, there is the "semi-final" rule 65534 allowing everything.


*4.3 Firewall Activation*

In file /etc/rc.conf add the following:
`nano /etc/rc.conf`

```
firewall_enable="YES"
firewall_script="/etc/ipfw.conf"
```
Finally, there are a few more subtleties that can be addressed by adding the following lines to /etc/sysctl.conf:
`nano /etc/sysctl.conf`

```
net.inet.ip.fw.one_pass=0
net.inet.tcp.tso=0
net.inet.ipsec.filtertunnel=0
net.inet6.ipsec6.filtertunnel=0
```

Restart the server, and verify that everything is working as expected.


----------



## jerome (Dec 15, 2011)

Thanks for this help to create a vpn for iOS!

But I guess I failed to follow it. I can't connect. What should I check to find my error?


```
2011-12-15 01:51:58: INFO: respond new phase 1 negotiation: 192.168.174.202[500]<=>192.168.174.123[500]
2011-12-15 01:51:58: INFO: begin Identity Protection mode.
2011-12-15 01:51:58: INFO: received Vendor ID: RFC 3947
2011-12-15 01:51:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2011-12-15 01:51:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2011-12-15 01:51:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2011-12-15 01:51:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2011-12-15 01:51:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2011-12-15 01:51:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2011-12-15 01:51:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2011-12-15 01:51:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2011-12-15 01:51:58: INFO: received Vendor ID: DPD
2011-12-15 01:51:58: [192.168.174.123] INFO: Selected NAT-T version: RFC 3947
2011-12-15 01:51:58: [192.168.174.202] INFO: Hashing 192.168.174.202[500] with algo #2 
2011-12-15 01:51:58: INFO: NAT-D payload #0 verified
2011-12-15 01:51:58: [192.168.174.123] INFO: Hashing 192.168.174.123[500] with algo #2 
2011-12-15 01:51:58: INFO: NAT-D payload #1 verified
2011-12-15 01:51:58: INFO: NAT not detected 
2011-12-15 01:51:58: [192.168.174.123] INFO: Hashing 192.168.174.123[500] with algo #2 
2011-12-15 01:51:58: [192.168.174.202] INFO: Hashing 192.168.174.202[500] with algo #2 
2011-12-15 01:51:58: INFO: Adding remote and local NAT-D payloads.
2011-12-15 01:51:58: [192.168.174.123] ERROR: couldn't find the pskey for 192.168.174.123.
2011-12-15 01:51:58: [192.168.174.123] ERROR: failed to process ph1 packet (side: 1, status: 4).
2011-12-15 01:51:58: [192.168.174.123] ERROR: phase1 negotiation failed.
2011-12-15 01:52:28: INFO: respond new phase 1 negotiation: 192.168.174.202[500]<=>192.168.174.123[500]
2011-12-15 01:52:28: INFO: begin Identity Protection mode.
2011-12-15 01:52:28: INFO: received Vendor ID: RFC 3947
2011-12-15 01:52:28: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2011-12-15 01:52:28: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2011-12-15 01:52:28: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2011-12-15 01:52:28: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2011-12-15 01:52:28: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2011-12-15 01:52:28: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2011-12-15 01:52:28: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2011-12-15 01:52:28: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2011-12-15 01:52:28: INFO: received Vendor ID: DPD
2011-12-15 01:52:28: [192.168.174.123] INFO: Selected NAT-T version: RFC 3947
2011-12-15 01:53:18: ERROR: phase1 negotiation failed due to time up. 49cd238be9a1863a:8f259c9c2c44778f
```


----------



## Anonymous (Dec 15, 2011)

jerome said:

> Thanks for this help to create a vpn for iOS!
> 
> But I guess I failed to follow it. I can't connect. What should I check to find my error?
> 
> ...



It seems to me that you tried to establish a VPN connection from an iOS device being in the same network as your VPN service (both having 192.168.174.xxx). As a matter of fact, this will neither work this way, nor does it make any sense, because the device is already sitting in the "private" network.

If you got a device with 3G connectivity, then you might want to disconnect it from your in-house wireless LAN while testing the VPN connectivity. Later, you would switch WLAN on again and would use VPN from outside only, of course.

Best regards

Rolf


----------



## jerome (Dec 16, 2011)

Yes, I did try from my local network. I'm not sure which TCP and UDP ports to open. I previously had a VPN server on Mac OS X, and I was able to test from my local network, so I expected it not to be an issue.

Do you know which TCP and UDP ports to open?

Thanks for your time!


----------



## Anonymous (Dec 16, 2011)

jerome said:

> Do you know which TCP and UDP ports to open?



For L2TP/IPsec dial-in VPN, open the UDP ports 1701, 500, and 4500.

Best regards

Rolf


----------



## jerome (Dec 16, 2011)

So I still have the same error. Do you know what should I check to find my mistake?


```
2011-12-16 13:31:58: INFO: respond new phase 1 negotiation: 192.168.174.202[500]<=>90.84.144.59[55134]
2011-12-16 13:31:58: INFO: begin Identity Protection mode.
2011-12-16 13:31:58: INFO: received Vendor ID: RFC 3947
2011-12-16 13:31:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2011-12-16 13:31:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2011-12-16 13:31:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2011-12-16 13:31:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2011-12-16 13:31:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2011-12-16 13:31:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2011-12-16 13:31:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2011-12-16 13:31:58: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2011-12-16 13:31:58: INFO: received Vendor ID: DPD
2011-12-16 13:31:58: [90.84.144.59] INFO: Selected NAT-T version: RFC 3947
2011-12-16 13:31:59: INFO: respond new phase 1 negotiation: 192.168.174.202[500]<=>90.84.144.59[55134]
2011-12-16 13:31:59: INFO: begin Identity Protection mode.
2011-12-16 13:31:59: INFO: received Vendor ID: RFC 3947
2011-12-16 13:31:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2011-12-16 13:31:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2011-12-16 13:31:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2011-12-16 13:31:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2011-12-16 13:31:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2011-12-16 13:31:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2011-12-16 13:31:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2011-12-16 13:31:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2011-12-16 13:31:59: INFO: received Vendor ID: DPD
2011-12-16 13:31:59: [90.84.144.59] INFO: Selected NAT-T version: RFC 3947
2011-12-16 13:31:59: [192.168.174.202] INFO: Hashing 192.168.174.202[500] with algo #2 
2011-12-16 13:31:59: INFO: NAT-D payload #0 doesn't match
2011-12-16 13:31:59: [90.84.144.59] INFO: Hashing 90.84.144.59[55134] with algo #2 
2011-12-16 13:31:59: INFO: NAT-D payload #1 doesn't match
2011-12-16 13:31:59: INFO: NAT detected: ME PEER
2011-12-16 13:31:59: [90.84.144.59] INFO: Hashing 90.84.144.59[55134] with algo #2 
2011-12-16 13:31:59: [192.168.174.202] INFO: Hashing 192.168.174.202[500] with algo #2 
2011-12-16 13:31:59: INFO: Adding remote and local NAT-D payloads.
2011-12-16 13:31:59: [90.84.144.59] ERROR: couldn't find the pskey for 90.84.144.59.
2011-12-16 13:31:59: [90.84.144.59] ERROR: failed to process ph1 packet (side: 1, status: 4).
2011-12-16 13:31:59: [90.84.144.59] ERROR: phase1 negotiation failed.
```


----------



## Anonymous (Dec 16, 2011)

jerome said:

> So I still have the same error. Do you know what should I check to find my mistake?
> 
> 
> ```
> ...



You absolutely do not have the same error. "ERROR: couldn't find the pskey" means that your setup is almost working, and only the Pre-Shared Key that was offered from the client to the server could not be verified/accepted.

Things to consider:

1. Did you apply the wildcard-PSK patch to the ipsec-tools as mentioned in chapter 2.2 of part I of this how-to?

2. Did you use exactly the same Pre-Shared Key for the client settings as you set in the file /usr/local/etc/racoon/psk.txt (see chapter 3.1 of part I of this how-to)? The Pre-Shared Key is case sensitive.

Best regards

Rolf


----------



## jerome (Dec 16, 2011)

I found my error: I chose a pre-shared key with spaces. I removed the spaces, and now I have another error:


```
2011-12-16 21:52:42: INFO: Adding remote and local NAT-D payloads.
2011-12-16 21:52:42: INFO: NAT-T: ports changed to: 90.84.146.239[39936]<->192.168.174.202[4500]
2011-12-16 21:52:42: INFO: KA found: 192.168.174.202[4500]->90.84.146.239[39936] (in_use=2)
2011-12-16 21:52:53: ERROR: phase1 negotiation failed due to time up. b20141e375fa4e58:61d4c318a6d248de
2011-12-16 21:52:53: INFO: KA remove: 192.168.174.202[4500]->90.84.146.239[39936]
2011-12-16 21:53:23: ERROR: phase1 negotiation failed due to time up. aba3c83e3a127b88:cdd06785eed23ce6
2011-12-16 21:53:32: ERROR: phase1 negotiation failed due to time up. d0543eb64ae5f90f:67538ddb57b2468f
2011-12-16 21:53:32: INFO: KA remove: 192.168.174.202[4500]->90.84.146.239[39936]
```


----------



## Anonymous (Dec 16, 2011)

jerome said:

> I found my error: I chose a pre-shared key with spaces… I removed the spaces, and now I have another error:
> 
> 
> ```
> ...



The third line of your log file excerpt is strange. Usually this one would instead look like the following:


```
2011-12-16 21:52:42: INFO: KA list add: 192.168.174.202[4500]->90.84.146.239[39936]
```

I guess that some Key Associations from previous failed connection attempts were not purged/flushed correctly.

Please verify whether there are any KA zombies with the following command:

`/usr/local/sbin/setkey -D`

The output should be "No SAD entries." If there are some SA entries, then flush them with the following command:

`/usr/local/sbin/setkey -DF`

Perhaps you might want to restart the whole VPN chain with the following command sequence:

`service mpd5 restart`
`service ipsec restart`
`service racoon restart`

Best regards

Rolf


----------



## jerome (Dec 19, 2011)

I tried. I even rebooted my computer. Nothing changed, still the same error.


----------



## Anonymous (Dec 20, 2011)

jerome said:

> I tried. I even rebooted my computer. Nothing changed, still the same error.



Could you please provide the output of the following command BEFORE and AFTER a connection attempt:
`/usr/local/sbin/setkey -D`

Is the VPN server connected via a dedicated router/firewall to the internet, or are there NAT/firewall instances running on the server itself?

In the first case, please check whether the router allows esp packets to traverse the firewall. In the second case, please check your firewall settings against my proposal in part III of this review. Note that there is no explicit rule allowing gre, esp, and icmp, but these packet types are allowed implicitly, because rules 9998 and 9999 deny tcp/udp traffic only.

Best regards

Rolf
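The two replies above (Dec 16 and Dec 20) read the racoon.log excerpts by hand: "couldn't find the pskey" means the IKE exchange reached the PSK lookup and only the key was rejected, "NAT not detected" between two private addresses means the test ran from inside the LAN, and a "time up" after the NAT-T port change means the client's UDP 4500 traffic never made it back to the server. As an added example (not part of the thread and not a racoon tool), the following Python script applies exactly that reading to a log excerpt; the three sample excerpts are condensed from the lines posted in this thread, and the "ISAKMP-SA established" marker for a successful phase 1 is an assumption about racoon's log wording.

```python
"""Triage a racoon.log phase-1 excerpt the way the replies in this thread do by hand.

Added example, not racoon code: it only scans text for the markers discussed above.
"""
import ipaddress
import re
from typing import Dict

PH1_RE = re.compile(r"respond new phase 1 negotiation: ([\d.]+)\[\d+\]<=>([\d.]+)\[\d+\]")

# Constructed excerpts, condensed from the log lines posted in the thread.
LAN_TEST = """\
2011-12-15 01:51:58: INFO: respond new phase 1 negotiation: 192.168.174.202[500]<=>192.168.174.123[500]
2011-12-15 01:51:58: INFO: NAT not detected
2011-12-15 01:51:58: [192.168.174.123] ERROR: couldn't find the pskey for 192.168.174.123.
2011-12-15 01:51:58: [192.168.174.123] ERROR: phase1 negotiation failed.
"""
PSK_MISMATCH = """\
2011-12-16 13:31:59: INFO: respond new phase 1 negotiation: 192.168.174.202[500]<=>90.84.144.59[55134]
2011-12-16 13:31:59: INFO: NAT detected: ME PEER
2011-12-16 13:31:59: [90.84.144.59] ERROR: couldn't find the pskey for 90.84.144.59.
2011-12-16 13:31:59: [90.84.144.59] ERROR: phase1 negotiation failed.
"""
TIMEOUT_AFTER_NATT = """\
2011-12-21 23:44:37: INFO: respond new phase 1 negotiation: 192.168.174.202[500]<=>90.84.146.213[53747]
2011-12-21 23:44:37: INFO: NAT detected: ME PEER
2011-12-21 23:44:38: INFO: NAT-T: ports changed to: 90.84.146.213[33990]<->192.168.174.202[4500]
2011-12-21 23:45:28: ERROR: phase1 negotiation failed due to time up. 61b1265d0a172573:5c80402522cbbc63
"""


def triage_racoon_log(text: str) -> Dict:
    """Map the markers in one excerpt to the most likely cause of a phase-1 failure."""
    diagnosis = []
    local = peer = None
    m = PH1_RE.search(text)
    if m:
        local, peer = m.group(1), m.group(2)
        both_private = ipaddress.ip_address(local).is_private and ipaddress.ip_address(peer).is_private
        if both_private and "NAT not detected" in text:
            diagnosis.append("client and server are both on private addresses with no NAT in between: "
                             "the test was run from inside the LAN, which the VPN is not meant for")
    if "couldn't find the pskey" in text:
        diagnosis.append("PSK lookup failed for the peer: check that the wildcard-PSK patch is applied "
                         "and that client and psk.txt hold exactly the same (case-sensitive) key")
    if "NAT detected: ME PEER" in text:
        diagnosis.append("both ends are behind NAT: NAT-T moves IKE to UDP 4500, so that port must be "
                         "forwarded to the server as well")
    if "phase1 negotiation failed due to time up" in text:
        if "NAT-T: ports changed to" in text:
            diagnosis.append("phase 1 stalled after the move to UDP 4500: the client's replies on UDP 4500 "
                             "are not reaching the server (router DMZ or VPN pass-through setting)")
        else:
            diagnosis.append("phase 1 stalled before any NAT-T port change: verify UDP 500 is open")
    if "phase1 negotiation failed" in text:
        state = "failed"
    elif "ISAKMP-SA established" in text:   # assumed success marker in racoon.log
        state = "ok"
    else:
        state = "unknown"
    return {"phase1": state, "local": local, "peer": peer, "diagnosis": diagnosis}


if __name__ == "__main__":
    for name, sample in (("LAN test", LAN_TEST), ("PSK mismatch", PSK_MISMATCH),
                         ("timeout after NAT-T", TIMEOUT_AFTER_NATT)):
        print(name, "->", triage_racoon_log(sample))
```

Feeding it the output of `racoon -ddF` or the tail of /var/log/racoon.log gives the same first-level verdict the replies above arrive at, before any packet capture is needed.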


----------



## jerome (Dec 21, 2011)

Before and after:


```
[root@elephant ~]# /usr/local/sbin/setkey -D
No SAD entries.
[root@elephant ~]# /usr/local/sbin/setkey -D
No SAD entries.
```

I enabled DMZ to make sure my router would not be a problem, but it still doesn't work.



```
2011-12-21 23:44:37: INFO: respond new phase 1 negotiation: 192.168.174.202[500]<=>90.84.146.213[53747]
2011-12-21 23:44:37: INFO: begin Identity Protection mode.
2011-12-21 23:44:37: INFO: received Vendor ID: RFC 3947
2011-12-21 23:44:37: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2011-12-21 23:44:37: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2011-12-21 23:44:37: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2011-12-21 23:44:37: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2011-12-21 23:44:37: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2011-12-21 23:44:37: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2011-12-21 23:44:37: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2011-12-21 23:44:37: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2011-12-21 23:44:37: INFO: received Vendor ID: DPD
2011-12-21 23:44:37: [90.84.146.213] INFO: Selected NAT-T version: RFC 3947
2011-12-21 23:44:37: [192.168.174.202] INFO: Hashing 192.168.174.202[500] with algo #2 
2011-12-21 23:44:37: INFO: NAT-D payload #0 doesn't match
2011-12-21 23:44:37: [90.84.146.213] INFO: Hashing 90.84.146.213[53747] with algo #2 
2011-12-21 23:44:37: INFO: NAT-D payload #1 doesn't match
2011-12-21 23:44:37: INFO: NAT detected: ME PEER
2011-12-21 23:44:37: [90.84.146.213] INFO: Hashing 90.84.146.213[53747] with algo #2 
2011-12-21 23:44:37: [192.168.174.202] INFO: Hashing 192.168.174.202[500] with algo #2 
2011-12-21 23:44:37: INFO: Adding remote and local NAT-D payloads.
2011-12-21 23:44:38: INFO: NAT-T: ports changed to: 90.84.146.213[33990]<->192.168.174.202[4500]
2011-12-21 23:44:38: INFO: KA list add: 192.168.174.202[4500]->90.84.146.213[33990]
2011-12-21 23:45:28: ERROR: phase1 negotiation failed due to time up. 61b1265d0a172573:5c80402522cbbc63
2011-12-21 23:45:28: INFO: KA remove: 192.168.174.202[4500]->90.84.146.213[33990]
```


----------



## Anonymous (Dec 22, 2011)

jerome said:

> I enabled dmz to make sure my router would not be a problem, but it still doesn't work.



The routers that I know do have separate settings for VPN Pass-Through. A D-Link router worked well once I enabled this setting. An older SMC router did not work at all, though.



			
jerome said:

> ```
> ...
> 2011-12-21 23:44:38: INFO: KA list add: 192.168.174.202[4500]->90.84.146.213[33990]
> 2011-12-21 23:45:28: ERROR: phase1 negotiation failed due to time up. 61b1265d0a172573:5c80402522cbbc63
> ...



This time, everything went OK up to the time-out error. Perhaps we get a better understanding of what's going on when you enable verbose (debug) logging of racoon.

For temporarily putting racoon into debug mode, you could do the following:

`service racoon stop`
`racoon -ddF`

This second command starts racoon in verbose mode in the foreground, and this way you can follow everything in the console window while it is going on. Once you have examined the output and perhaps extracted the interesting parts, you can stop racoon by pressing <control>-<c>, and finally start the racoon daemon again with the following command:

`service racoon start`

I am sorry that I still do not have a better answer for you.

Best regards

Rolf


----------



## tobias (Dec 28, 2011)

How do I enable authentication with system accounts? 

I have tried:

```
set auth enable system-auth
```

but it is not working.


----------



## Anonymous (Dec 29, 2011)

tobias said:

> How do I enable authentication with system accounts?
> 
> I have tried:
> 
> ...



I have never tried this. However, I can imagine that the problem is related to the respective description of this authentication option in the "Mpd 5.6 User Manual" at page 47 (/usr/local/share/doc/mpd5/mpd.ps).



> Enables authentication against the system's password database. This option can only be used with PAP and MS-CHAP, but not with CHAP-MD5. If you intend to use this with MS-CHAP, then the passwords in the master.passwd must be NT-Hashes. You can enable this by putting passwd_format=nth: into your /etc/login.conf, but you need at least FreeBSD 5.2.



Did you try the hint about the NT-Hashes in the master.passwd file?

I am sorry, however I fear that I cannot be of any further help in this respect. Perhaps, you might want to ask your question in the following forum: http://sourceforge.net/projects/mpd/forums/forum/44693.

Best regards

Rolf


----------



## jerome (Jan 6, 2012)

Thank you very much Rolf! I think I mixed up the secret and the password in the iPhone configuration. Now it works. Just one question, is it possible to redirect all the internet traffic from the iPhone through my vpn server? I enabled the option on the iPhone, but it doesn't work.


----------



## Anonymous (Jan 6, 2012)

jerome said:

> Just one question, is it possible to redirect all the internet traffic from the iPhone through my vpn server? I enabled the option on the iPhone, but it doesn't work.



How did you check that it does not work?

I just tried it with my iPhone 4 (@iOS 5.0.1), and it simply does work:

- Without VPN, I entered http://checkip.dyndns.org/ in Safari, and the page displayed the current IP of my iPhone.
- I connected to VPN (for all data), and in Safari I refreshed the checkip page, and now it showed me the public IP address of my VPN server.

Best regards

Rolf


----------



## ssh2 (Jan 9, 2012)

*rolfheinrich* thanks for the great howto. But I'm stuck at applying the patches. It rejected your diff code. %|


----------



## Anonymous (Jan 10, 2012)

ssh2 said:

> *rolfheinrich* thanks for the great howto. But I'm stuck at applying the patches. It rejected your diff code. %|



May I ask for some more details, please? So, what exact steps resulted in what exact error messages?

In any case, it is not meant that you apply the patches manually. Provided that the patch files reside at the given location, the patches are applied automatically and without further notice when the respective port is installed. This way, the same patches are applied again whenever the port is upgraded.

Best regards

Rolf


----------



## ssh2 (Jan 10, 2012)

```
===>  Patching for ipsec-tools-0.8.0_2
===>  Applying extra patch files/patch8-utmp.diff
===>  Applying FreeBSD patches for ipsec-tools-0.8.0_2
2 out of 2 hunks failed--saving rejects to src/racoon/grabmyaddr.c.rej
=> Patch patch-zz-local-0.diff failed to apply cleanly.
*** Error code 1

Stop in /usr/ports/security/ipsec-tools.
*** Error code 1

Stop in /usr/ports/security/ipsec-tools.
```


```
FreeBSD *********** 8.2-STABLE FreeBSD 8.2-STABLE #0: Sat Mar 19 19:42:38 CET 2011     
root@********:/usr/obj/usr/src/sys/corequad  amd64
```


----------



## ssh2 (Jan 10, 2012)

Looks like the forum engine is reformatting the patch code. Is it possible to upload the files somewhere like pastebin?

Anyway, I patched it manually and ipsec-tools installed correctly.


----------



## Anonymous (Jan 10, 2012)

ssh2 said:

> Looks like the forum engine is reformatting the patch code. Is it possible to upload the files somewhere like pastebin?
> 
> Anyway, I patched it manually and ipsec-tools installed correctly.



I put the respective patches into a .zip archive, and this is attached to this message (see below).

Beforehand, I verified that the files do work on my machine:

`cd /usr/ports/security/ipsec-tools`
`make deinstall`
`make install clean`


```
===>  License check disabled, port has not defined LICENSE
===>  Found saved configuration for ipsec-tools-0.8.0_2
===>  Extracting for ipsec-tools-0.8.0_2
=> SHA256 Checksum OK for ipsec-tools-0.8.0.tar.bz2.
===>  Patching for ipsec-tools-0.8.0_2
===>  Applying extra patch files/patch8-utmp.diff
===>  Applying FreeBSD patches for ipsec-tools-0.8.0_2
===>   ipsec-tools-0.8.0_2 depends on package: libtool>=2.4 - found
===>  Configuring for ipsec-tools-0.8.0_2
...
...
```

Installation finished without any incident.

Best regards

Rolf


----------



## ssh2 (Jan 12, 2012)

Thank you!

I have another question on configurations.
You have this: [User somewhere in NET] -> [Modem/Router with white dynamic IP] -> [VPN Server in DMZ] -> [LAN].

Can you help me with settings for this:
1) [User (ios/android/windows/osx) somewhere in NET but mostly behind NAT with gray IP (cafe, airports and other untrusted places)] -> [trusted VPN Server with white static IP and NAT for secure surfing]

2) [User (ios/android/windows/osx) somewhere in NET but mostly behind NAT with gray IP (cafe, airports and other untrusted places)] -> [trusted VPN Server with white static IP and NAT] -> [LAN in office]


----------



## Anonymous (Jan 12, 2012)

ssh2 said:

> I have another questions on configurations.
> You have this: [User somewhere in NET] -> [Modem/Router with white dynamic IP] -> [VPN Server in DMZ] -> [LAN].



This is no longer true, see Part III of the present Howto:



			
rolfheinrich said:

> *4. ipfw/NAT for the L2TP/IPsec and PPTP Dial-In Services, all running on the same FreeBSD box*
> 
> Once I wrote Part I and Part II of this Howto, my FreeBSD home server was sitting in the DMZ behind a SOHO router into the internet, and firewall/NAT was managed by the router. Recently, I connected the cable modem via USB directly to the FreeBSD box, enabled ipfw and NAT, and now it plays the role of the gateway into the internet. ...



From the point of view of the FreeBSD box, the cable modem is just another network interface, therefore, the setup described in Part III can be taken as a bare two-NIC setup, one NIC into the WAN (here the cable modem ue0), and the other NIC into the LAN (here re0). In your scheme this would mean:

[User somewhere in NET] -> [dynamic IP (ue0) - ipfw/NAT - VPN (& other services) (re0)] -> [LAN]



			
ssh2 said:

> Can you help me with settings for this:
> 1) [User (ios/android/windows/osx) somewhere in NET but mostly behind NAT with gray IP (cafe, airports and other untrusted places)] -> [trusted VPN Server with white static IP and NAT for secure surfing]
> 
> 2) [User (ios/android/windows/osx) somewhere in NET but mostly behind NAT with gray IP (cafe, airports and other untrusted places)] -> [trusted VPN Server with white static IP and NAT] -> [LAN in office]



For the setup described in Part III, it is completely irrelevant that ue0 got a dynamic IP, so it would work exactly the same with said IP being static. So, I assume that the described settings should simply work for both of your usage cases.

However, note that I had no luck with Windows and L2TP/IPsec. For this reason, I also have a PPTP-VPN server running, as is mentioned in Part III and described here: http://forums.freebsd.org/showthread.php?p=137792.

Best regards

Rolf


----------



## ssh2 (Feb 14, 2012)

I don't trust that it is not possible to use ipsec-tools on *nix with Windows clients, because I've seen and tested some VPNs on the internet that allow connections from Windows with l2tp/ipsec enabled.

And I'm stuck on this:

```
2012-02-14 10:42:25: INFO: respond new phase 1 negotiation: 88.88.88.88[500]<=>1.2.3.4[500]
2012-02-14 10:42:25: INFO: begin Identity Protection mode.
2012-02-14 10:42:25: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
2012-02-14 10:42:25: INFO: received Vendor ID: RFC 3947
2012-02-14 10:42:25: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2012-02-14 10:42:25: INFO: received Vendor ID: FRAGMENTATION
2012-02-14 10:42:25: [1.2.3.4] INFO: Selected NAT-T version: RFC 3947
2012-02-14 10:42:25: ERROR: invalid DH group 20.
2012-02-14 10:42:25: ERROR: invalid DH group 19.
2012-02-14 10:42:25: [88.88.88.88] INFO: Hashing 88.88.88.88[500] with algo #2
2012-02-14 10:42:25: INFO: NAT-D payload #0 verified
2012-02-14 10:42:25: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with algo #2
2012-02-14 10:42:25: INFO: NAT-D payload #1 doesn't match
2012-02-14 10:42:25: INFO: NAT detected: PEER
2012-02-14 10:42:25: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with algo #2
2012-02-14 10:42:25: [88.88.88.88] INFO: Hashing 88.88.88.88[500] with algo #2
2012-02-14 10:42:25: INFO: Adding remote and local NAT-D payloads.
2012-02-14 10:42:25: INFO: NAT-T: ports changed to: 1.2.3.4[4500]<->88.88.88.88[4500]
2012-02-14 10:42:25: INFO: KA list add: 88.88.88.88[4500]->1.2.3.4[4500]
```

This is when I try to connect with Windows 7 from behind a NATed office network. But when I try to connect from some other place with an iPad 2, the connection succeeds.

My configs:

```
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log info;
padding {
        maximum_length 20;
        randomize off;
        strict_check off;
        exclusive_tail off;
}
listen {
        isakmp 88.88.88.88;
        isakmp_natt 88.88.88.88 [4500];
}
timer {
        counter 5;
        interval 20 sec;
        persend 1;
        phase1 30 sec;
        phase2 15 sec;
}
remote anonymous {
        exchange_mode main,aggressive;
        doi ipsec_doi;
        passive on;
        generate_policy off;
        proposal_check obey;
        nat_traversal on;
        ike_frag on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}
sainfo anonymous {
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        pfs_group 2;
}
sainfo anonymous {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        pfs_group 2;
}
```


```
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in  ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
```


----------



## scorpizz (Feb 19, 2012)

*IKE phase 1 error..?*

Hi all,

First of all, thank you Rolf for the great work in putting this ipsec setup online. But I have been fighting a bit with this ipsec setup on FreeBSD. Maybe there is someone who can bring some light to the following problem: iPhone / iPad is trying to make a tunnel to the FreeBSD server where ipsec is running but gets a "server is not responding".

iOS: version 5.0.1
FreeBSD: version 8.2, freshly updated ports before install.
racoon: version 0.8.0_3 (ipsec-tools)
psk: easy pwd without special characters.
user: super (as the admin user)

All the configuration files are as the ones published earlier in this Howto. Nothing is altered. The two .diff patches have been added as well to the installation. I started off from an external IP, but had this phase 1 problem. Moved the client to the LAN to bypass the router just to make sure that it was not a lack of router configuration (udp ports 500, 1701 and 4500). But same error on the LAN. I know that this will probably give some other errors later on in phase 2, when outside and inside net are the same. But let's have phase 1 up and running first.

As can be seen from the log below, it fails to find a way to do the authentication. A lorv-parm = 65001 (racoon does not seem to be very happy with this.) But where to dig further down to find the cause for this invalid authentication method? The only thing that I can see is that it falls back down through the proposals, down to "low-end" encryption as the last one, so that part is working. But with the faulty "authentication" method on every attempt.

Best regards
Gert

This is the (long) debug from racoon:

```
2012-02-19 23:04:43: DEBUG: ===
2012-02-19 23:04:43: DEBUG: 572 bytes message received from 172.16.0.35[500] to 172.16.0.15[500]
2012-02-19 23:04:43: DEBUG: 
a32443d4 6879c6b1 00000000 00000000 01100200 00000000 0000023c 0d000124
00000001 00000001 00000118 01010008 03000024 01010000 800b0001 800c0e10
...
... [data deleted to save space] 
...
80010007 800e0100 8003fde9 80020002 80040002 03000024 02010000 800b0001
702d9fe2 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
2012-02-19 23:04:43: [172.16.0.35] DEBUG2: Checking remote conf "anonymous" anonymous.
2012-02-19 23:04:43: DEBUG2: enumrmconf: "anonymous" matches.
2012-02-19 23:04:43: DEBUG: ===
2012-02-19 23:04:43: INFO: respond new phase 1 negotiation: 172.16.0.15[500]<=>172.16.0.35[500]
2012-02-19 23:04:43: INFO: begin Identity Protection mode.
2012-02-19 23:04:43: DEBUG: begin.
2012-02-19 23:04:43: DEBUG: seen nptype=1(sa)
2012-02-19 23:04:43: DEBUG: seen nptype=13(vid)
2012-02-19 23:04:43: DEBUG: seen nptype=13(vid)
2012-02-19 23:04:43: DEBUG: seen nptype=13(vid)
...
... [8 lines of repeating debug message deleted]
...
2012-02-19 23:04:43: DEBUG: seen nptype=13(vid)
2012-02-19 23:04:43: DEBUG: seen nptype=13(vid)
2012-02-19 23:04:43: DEBUG: succeed.
2012-02-19 23:04:43: INFO: received Vendor ID: RFC 3947
2012-02-19 23:04:43: [172.16.0.35] DEBUG2: Checking remote conf "anonymous" anonymous.
2012-02-19 23:04:43: DEBUG2: enumrmconf: "anonymous" matches.
2012-02-19 23:04:43: DEBUG: received unknown Vendor ID
2012-02-19 23:04:43: DEBUG: 
4df37928 e9fc4fd1 b3262170 d515c662
2012-02-19 23:04:43: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2012-02-19 23:04:43: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2012-02-19 23:04:43: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2012-02-19 23:04:43: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2012-02-19 23:04:43: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2012-02-19 23:04:43: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2012-02-19 23:04:43: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-02-19 23:04:43: [172.16.0.35] DEBUG2: Checking remote conf "anonymous" anonymous.
2012-02-19 23:04:43: DEBUG2: enumrmconf: "anonymous" matches.
2012-02-19 23:04:43: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2012-02-19 23:04:43: [172.16.0.35] DEBUG2: Checking remote conf "anonymous" anonymous.
2012-02-19 23:04:43: DEBUG2: enumrmconf: "anonymous" matches.
2012-02-19 23:04:43: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2012-02-19 23:04:43: INFO: received Vendor ID: CISCO-UNITY
2012-02-19 23:04:43: INFO: received Vendor ID: DPD
2012-02-19 23:04:43: DEBUG: remote supports DPD
2012-02-19 23:04:43: [172.16.0.35] INFO: Selected NAT-T version: RFC 3947
2012-02-19 23:04:43: DEBUG: total SA len=288
2012-02-19 23:04:43: DEBUG: 
00000001 00000001 00000118 01010008 03000024 01010000 800b0001 800c0e10
80010007 800e0100 8003fde9 80020002 80040002 03000024 02010000 800b0001
...
... [6 lines of data deleted]
...
03000020 07010000 800b0001 800c0e10 80010001 8003fde9 80020002 80040002
00000020 08010000 800b0001 800c0e10 80010001 8003fde9 80020001 80040002
2012-02-19 23:04:43: DEBUG: begin.
2012-02-19 23:04:43: DEBUG: seen nptype=2(prop)
2012-02-19 23:04:43: DEBUG: succeed.
2012-02-19 23:04:43: DEBUG: proposal #1 len=280
2012-02-19 23:04:43: DEBUG: begin.
2012-02-19 23:04:43: DEBUG: seen nptype=3(trns)
...
... [6 lines of repeating debug message deleted]
...
2012-02-19 23:04:43: DEBUG: seen nptype=3(trns)
2012-02-19 23:04:43: DEBUG: succeed.
2012-02-19 23:04:43: DEBUG: transform #1 len=36
2012-02-19 23:04:43: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2012-02-19 23:04:43: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
2012-02-19 23:04:43: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
2012-02-19 23:04:43: DEBUG: encryption(aes)
2012-02-19 23:04:43: DEBUG: type=Key Length, flag=0x8000, lorv=256
2012-02-19 23:04:43: DEBUG: type=Authentication Method, flag=0x8000, lorv=65001
2012-02-19 23:04:43: ERROR: invalid auth method 65001.
2012-02-19 23:04:43: DEBUG: transform #2 len=36
2012-02-19 23:04:43: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2012-02-19 23:04:43: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
2012-02-19 23:04:43: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
2012-02-19 23:04:43: DEBUG: encryption(aes)
2012-02-19 23:04:43: DEBUG: type=Key Length, flag=0x8000, lorv=128
2012-02-19 23:04:43: DEBUG: type=Authentication Method, flag=0x8000, lorv=65001
2012-02-19 23:04:43: ERROR: invalid auth method 65001.
2012-02-19 23:04:43: DEBUG: transform #3 len=36
2012-02-19 23:04:43: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2012-02-19 23:04:43: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
2012-02-19 23:04:43: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
2012-02-19 23:04:43: DEBUG: encryption(aes)
2012-02-19 23:04:43: DEBUG: type=Key Length, flag=0x8000, lorv=256
2012-02-19 23:04:43: DEBUG: type=Authentication Method, flag=0x8000, lorv=65001
2012-02-19 23:04:43: ERROR: invalid auth method 65001.
2012-02-19 23:04:43: DEBUG: transform #4 len=36
2012-02-19 23:04:43: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2012-02-19 23:04:43: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
2012-02-19 23:04:43: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
2012-02-19 23:04:43: DEBUG: encryption(aes)
2012-02-19 23:04:43: DEBUG: type=Key Length, flag=0x8000, lorv=128
2012-02-19 23:04:43: DEBUG: type=Authentication Method, flag=0x8000, lorv=65001
2012-02-19 23:04:43: ERROR: invalid auth method 65001.
2012-02-19 23:04:43: DEBUG: transform #5 len=32
2012-02-19 23:04:43: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2012-02-19 23:04:43: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
2012-02-19 23:04:43: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
2012-02-19 23:04:43: DEBUG: encryption(3des)
2012-02-19 23:04:43: DEBUG: type=Authentication Method, flag=0x8000, lorv=65001
2012-02-19 23:04:43: ERROR: invalid auth method 65001.
2012-02-19 23:04:43: DEBUG: transform #6 len=32
2012-02-19 23:04:43: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2012-02-19 23:04:43: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
2012-02-19 23:04:43: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
2012-02-19 23:04:43: DEBUG: encryption(3des)
2012-02-19 23:04:43: DEBUG: type=Authentication Method, flag=0x8000, lorv=65001
2012-02-19 23:04:43: ERROR: invalid auth method 65001.
2012-02-19 23:04:43: DEBUG: transform #7 len=32
2012-02-19 23:04:43: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2012-02-19 23:04:43: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
2012-02-19 23:04:43: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=DES-CBC
2012-02-19 23:04:43: DEBUG: encryption(des)
2012-02-19 23:04:43: DEBUG: type=Authentication Method, flag=0x8000, lorv=65001
2012-02-19 23:04:43: ERROR: invalid auth method 65001.
2012-02-19 23:04:43: DEBUG: transform #8 len=32
2012-02-19 23:04:43: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2012-02-19 23:04:43: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
2012-02-19 23:04:43: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=DES-CBC
2012-02-19 23:04:43: DEBUG: encryption(des)
2012-02-19 23:04:43: DEBUG: type=Authentication Method, flag=0x8000, lorv=65001
2012-02-19 23:04:43: ERROR: invalid auth method 65001.
2012-02-19 23:04:43: ERROR: no Proposal found.
2012-02-19 23:04:43: [172.16.0.35] ERROR: failed to get valid proposal.
2012-02-19 23:04:43: [172.16.0.35] ERROR: failed to pre-process ph1 packet (side: 1, status 1).
2012-02-19 23:04:43: [172.16.0.35] ERROR: phase1 negotiation failed.
```


----------



## Anonymous (Feb 20, 2012)

scorpizz said:

> ...
> I have been fighting a bit with this ipsec setup on a FreeBSD. Maybe there is someone who can bring some light to the following problem: Iphone / Ipad is trying to make a tunnel to the FreeBSD server where the ipsec is running but get a "server is not responding".
> ...
> ...
> ...



There is probably a misunderstanding on your side. My Howto is not about setting up an IPsec tunnel connection between two dedicated endpoints, but about setting up a L2TP server that utilizes IPsec for establishing point-to-point connections in IPsec transport mode. Hence, you would not use the VPN-IPsec/Cisco client that is built into iOS. Please try again using the VPN-L2TP/IPsec client. And as a side note, as already stated elsewhere, L2TP/IPsec connections within the same network won't work - so please try external connections only.

Best regards

Rolf


----------



## scorpizz (Feb 21, 2012)

Arrg, sorry. I had mixed up L2TP and IPsec and was very much focused on the IPsec part. But after hitting the "right" buttons and firing up the L2TP tunnel on the iPhone, a lot more is beginning to happen than before. After changing the ACL on the psk.txt file to "600", racoon is not complaining about low security either and brings up the tunnel with no problems.

I just made a small test and it seems that there is no problem in starting up the tunnel with an inside IP as well. I am having access to the inside and outside world with the local LAN address.

Thanks for bringing me on the right track again 

Best regards
Gert


----------



## ronjns (Mar 26, 2012)

Hello rolfheinrich,

First of all thanks for putting up this howto. I tried to compile ipsec-tools with the 2 patches and it failed. Any comment appreciated. I'm running FreeBSD 9 Rel. Thanks!


```
===>>> Returning to dependency check for security/ipsec-tools
===>>> Dependency check complete for security/ipsec-tools
===>  Cleaning for ipsec-tools-0.8.0_3

===>  Vulnerability check disabled, database not found
===>  License check disabled, port has not defined LICENSE
===>  Found saved configuration for ipsec-tools-0.8.0_3
===>  Extracting for ipsec-tools-0.8.0_3
=> SHA256 Checksum OK for ipsec-tools-0.8.0.tar.bz2.
===>  Patching for ipsec-tools-0.8.0_3
===>  Applying FreeBSD patches for ipsec-tools-0.8.0_3
2 out of 2 hunks failed--saving rejects to src/racoon/grabmyaddr.c.rej
=> Patch patch-zz-local-0.diff failed to apply cleanly.
*** Error code 1

Stop in /usr/ports/security/ipsec-tools.
*** Error code 1

Stop in /usr/ports/security/ipsec-tools.

===>>> make failed for security/ipsec-tools
===>>> Aborting update

Terminated
===>>> Installation of devel/libtool (libtool-2.4.2) complete

===>>> Deleting installed build-only dependencies


===>>> You can restart from the point of failure with this command line:
       portmaster <flags> security/ipsec-tools
```


----------



## suntzu (Mar 26, 2012)

Just modify the specific files by hand.

`cd /usr/ports/security/ipsec-tools`
`make fetch && make extract`
`cd work/ipsec-tools-0.8.0/src/racoon`

Edit grabmyaddr.c and localconf.c .


----------



## Anonymous (Mar 26, 2012)

ronjns said:

> ... I tried to compile ipsec-tools with the 2 patches and it failed. ...
> 
> 
> ```
> ...



This already happened to another fellow before, see messages #22-24 of this thread.

One solution would indeed be to patch the respective files by hand, however, in the course of the next update of security/ipsec-tools the patches will vanish.

Perhaps there is a problem with producing the patch files by copying/pasting from the present howto. Therefore, I added a .zip package containing the patches to message #24 of this thread. I suggest that you replace your patch files with these ones and then try it again.

Best regards

Rolf


----------



## ronjns (Mar 27, 2012)

Many thanks Suntzu and Rolf. I edited both files manually and it compiled with no error.

But I can't connect with my ipad2; made sure PSK is correct, restarted services etc but nada. :\


```
2012-03-27 17:05:16: INFO: respond new phase 1 negotiation: a.a.a.a[500]<=>b.b.b.b[23348]
2012-03-27 17:05:16: INFO: begin Identity Protection mode.
2012-03-27 17:05:16: INFO: received Vendor ID: RFC 3947
2012-03-27 17:05:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2012-03-27 17:05:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2012-03-27 17:05:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2012-03-27 17:05:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2012-03-27 17:05:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2012-03-27 17:05:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2012-03-27 17:05:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-03-27 17:05:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2012-03-27 17:05:16: INFO: received Vendor ID: DPD
2012-03-27 17:05:16: [b.b.b.b] INFO: Selected NAT-T version: RFC 3947
2012-03-27 17:05:16: [a.a.a.a] INFO: Hashing a.a.a.a[500] with algo #2
2012-03-27 17:05:16: INFO: NAT-D payload #0 doesn't match
2012-03-27 17:05:16: [b.b.b.b] INFO: Hashing b.b.b.b[23348] with algo #2
2012-03-27 17:05:16: INFO: NAT-D payload #1 doesn't match
2012-03-27 17:05:16: INFO: NAT detected: ME PEER
2012-03-27 17:05:16: [b.b.b.b] INFO: Hashing b.b.b.b[23348] with algo #2
2012-03-27 17:05:16: [a.a.a.a] INFO: Hashing a.a.a.a[500] with algo #2
2012-03-27 17:05:16: INFO: Adding remote and local NAT-D payloads.
2012-03-27 17:05:17: [b.b.b.b] ERROR: couldn't find the pskey for b.b.b.b.
2012-03-27 17:05:17: [b.b.b.b] ERROR: failed to process ph1 packet (side: 1, status: 4).
2012-03-27 17:05:17: [b.b.b.b] ERROR: phase1 negotiation failed.
```


----------



## Anonymous (Mar 27, 2012)

This looks to me like something with the Wildcard-PSK patch went wrong.

Please download the zipped patches from message #24, unzip 'em, and move them to:
/usr/ports/security/ipsec-tools/files/patch-zz-local-0.diff  and
/usr/ports/security/ipsec-tools/files/patch-zz-local-1.diff  .

Then execute the following commands:
`cd /usr/ports/security/ipsec-tools`
`make deinstall`
`make install clean`
`shutdown -r now`

After restart, try again.

Best regards

Rolf

PS: If the file permissions of /usr/local/etc/racoon/psk.txt are too weak, then racoon will fail to load it, and racoon will report this issue in its log file like so:

```
2012-03-27 08:01:42: ERROR: /usr/local/etc/racoon/psk.txt has weak file permission
2012-03-27 08:01:42: ERROR: failed to open pre_share_key file /usr/local/etc/racoon/psk.txt
2012-03-27 08:01:42: [xxx.xxx.xxx.xxx] ERROR: couldn't find the pskey for xxx.xxx.xxx.xxx.
2012-03-27 08:01:42: [xxx.xxx.xxx.xxx] ERROR: failed to process ph1 packet (side: 1, status: 4).
2012-03-27 08:01:42: [xxx.xxx.xxx.xxx] ERROR: phase1 negotiation failed.
```

According to your log, this is not the issue in your case. Anyway, it might be good to strip down the permissions of said file:
`chmod 600 /usr/local/etc/racoon/psk.txt`

I just added this recommendation to the Howto, and also attached the 2 .diff files there.


----------



## ronjns (Mar 28, 2012)

Many thanks Rolf! Please bear with me, beginner here.

I did what you suggested and the PSK error disappeared, but still my ipad2 can't connect. Could it be my firewall? I'm running PF for packet filtering, NAT and port forwarding. Log and PF rules below.


```
2012-03-28 11:42:42: INFO: respond new phase 1 negotiation: a.a.a.a[500]<=>b.b.b.b[1760]
2012-03-28 11:42:42: INFO: begin Identity Protection mode.
2012-03-28 11:42:42: INFO: received Vendor ID: RFC 3947
2012-03-28 11:42:42: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2012-03-28 11:42:42: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2012-03-28 11:42:42: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2012-03-28 11:42:42: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2012-03-28 11:42:42: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2012-03-28 11:42:42: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2012-03-28 11:42:42: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-03-28 11:42:42: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2012-03-28 11:42:42: INFO: received Vendor ID: DPD
2012-03-28 11:42:42: [b.b.b.b] INFO: Selected NAT-T version: RFC 3947
2012-03-28 11:42:42: [a.a.a.a] INFO: Hashing a.a.a.a[500] with algo #2
2012-03-28 11:42:42: INFO: NAT-D payload #0 doesn't match
2012-03-28 11:42:42: [b.b.b.b] INFO: Hashing b.b.b.b[1760] with algo #2
2012-03-28 11:42:42: INFO: NAT-D payload #1 doesn't match
2012-03-28 11:42:42: INFO: NAT detected: ME PEER
2012-03-28 11:42:42: [b.b.b.b] INFO: Hashing b.b.b.b[1760] with algo #2
2012-03-28 11:42:42: [a.a.a.a] INFO: Hashing a.a.a.a[500] with algo #2
2012-03-28 11:42:42: INFO: Adding remote and local NAT-D payloads.
2012-03-28 11:42:42: INFO: NAT-T: ports changed to: b.b.b.b[28453]<->a.a.a.a[4500]
2012-03-28 11:42:42: INFO: KA list add: a.a.a.a[4500]->b.b.b.b[28453]
2012-03-28 11:43:32: ERROR: phase1 negotiation failed due to time up. ee2076b60744fea5:8df9d5f6768cb634
2012-03-28 11:43:32: INFO: KA remove: a.a.a.a[4500]->b.b.b.b[28453]
```


```
# MACROS
wan="tun0"
vpn="tun1"
lan="em1"
localsubnet=$lan:network
fw="{a.a.a.a/32, b.b.b.b/32}"

# PACKET NORMALIZATION
scrub in all

# TRANSLATION
nat on $wan from $localsubnet to any -> ($wan)

# REDIRECTION
rdr log on $wan proto tcp from any to ($wan) port 1723 -> 192.168.2.254
rdr log on $wan proto udp from any to ($wan) port 1701 -> 192.168.2.254
rdr log on $wan proto udp from any to ($wan) port 500 -> 192.168.2.254
rdr log on $wan proto udp from any to ($wan) port 4500 -> 192.168.2.254

# PACKET FILTERING
antispoof log quick for ($wan)                                          # Enable anti-spoof for WAN
block in log on $wan from any to any                                    # Block all incoming traffic to WAN
pass in log on $lan from $localsubnet to any keep state                 # Pass all incoming traffic to LAN w/ source of local subnet
pass in log on $wan proto tcp from $pacnetfw to ($wan) port 22          # Pass ssh traffic from * firewall to WAN
pass in log on $wan proto tcp from $pacnetfw to ($wan) port 5222        # Pass openvpn traffic from * firewall to WAN
pass out log on $wan from ($wan) to any keep state                      # Pass all outgoing traffic to WAN w/ source of WAN interface

pass in log on $wan from any to $localsubnet
pass in log on $wan from $localsubnet to any

pass in log on $wan proto esp from any to ($wan)
pass in log on $wan proto ipencap from any to ($wan)
pass in log on $wan proto udp from any to ($wan) port isakmp
pass in log on $wan proto udp from any to ($wan) port 4500
```


----------



## Anonymous (Mar 28, 2012)

ronjns said:
> ... Could it be my firewall? I'm running PF for packet filtering, NAT and port forwarding. Log and PF rules below...



The timeout error means that the peer did not respond in time, and it might well be that this happened because the response was caught by the firewall. However, here you caught me too, since about PF I only know that it exists.

A few things to check:

- my IPFW setup contains two nat rules, one for incoming and another one for outgoing traffic.
- is the PF rdr rule really a nat redirection rule?
- you opened udp ports 500 and 4500, but not udp port 1701

I am sorry that I do not have a better answer for you. I am an IPFW guy, which does not mean that PF is bad, it only means that I have no idea about PF.

Best regards

Rolf


----------



## suntzu (Mar 28, 2012)

```
rdr pass log on $wan proto tcp ...
```


----------



## ronjns (Mar 29, 2012)

Thanks again Rolf and Suntzu! I tried different PF rules including those suggested but nada. :\

From racoon debug I see 'invalid packet payload'. I may be wrong, but it seems like the client is talking to the server and vice versa?


```
2012-03-29 11:01:51: DEBUG: begin.
2012-03-29 11:01:51: DEBUG: seen nptype=5(id)
2012-03-29 11:01:51: DEBUG: invalid length of payload
2012-03-29 11:01:52: DEBUG: ===
2012-03-29 11:01:52: DEBUG: 108 bytes message received from x.x.x.x[4500] to 192.168.y.y[4500]
2012-03-29 11:01:52: DEBUG:
43244935 f8cddf04 a062018f fbdf14e2 05100201 00000000 0000006c 0f0ab042
0ddab8d5 d2b63839 fbe20ba1 1409f703 7b42c597 43891166 ccee8c59 4030703c
c275fe61 1781bdda 38aecbaa 5e3c63db 631f7610 3f2ea4fd 59952a37 cb2f3f8d
1569375a d24dd7d5 ba9cd403
2012-03-29 11:01:52: DEBUG: begin decryption.
2012-03-29 11:01:52: DEBUG: encryption(aes)
2012-03-29 11:01:52: DEBUG: IV was saved for next processing:
2012-03-29 11:01:52: DEBUG:
cb2f3f8d 1569375a d24dd7d5 ba9cd403
2012-03-29 11:01:52: DEBUG: encryption(aes)
2012-03-29 11:01:52: DEBUG: with key:
2012-03-29 11:01:52: DEBUG:
1f582951 0446d90d 690e76b2 4a14c352 96995602 c782b01e 8d244190 a0951302
2012-03-29 11:01:52: DEBUG: decrypted payload by IV:
2012-03-29 11:01:52: DEBUG:
8ad743dc cfc6f556 4d44d67c 21a3f8e2
2012-03-29 11:01:52: DEBUG: decrypted payload, but not trimed.
2012-03-29 11:01:52: DEBUG:
a6a1dae6 9003b90d 79afff1e da5eff3b a642f43c 04561222 67f02e6e 5bb8bb51
61b16ac0 80bf504e 72e8dbf7 a144ea13 6e9b0acd a23528bb 8748c57f a2ee1c59
b2c008eb 7a2b139a 793d6e54 407ac6b3
2012-03-29 11:01:52: DEBUG: padding len=180
2012-03-29 11:01:52: DEBUG: skip to trim padding.
2012-03-29 11:01:52: DEBUG: decrypted.
2012-03-29 11:01:52: DEBUG:
43244935 f8cddf04 a062018f fbdf14e2 05100201 00000000 0000006c a6a1dae6
9003b90d 79afff1e da5eff3b a642f43c 04561222 67f02e6e 5bb8bb51 61b16ac0
80bf504e 72e8dbf7 a144ea13 6e9b0acd a23528bb 8748c57f a2ee1c59 b2c008eb
7a2b139a 793d6e54 407ac6b3
2012-03-29 11:01:52: DEBUG: begin.
2012-03-29 11:01:52: DEBUG: seen nptype=5(id)
2012-03-29 11:01:52: DEBUG: invalid length of payload
2012-03-29 11:02:01: DEBUG: 232 bytes from 192.168.y.y[4500] to x.x.x.x[4500]
2012-03-29 11:02:01: DEBUG: sockname 192.168.y.y[4500]
2012-03-29 11:02:01: DEBUG: send packet from 192.168.y.y[4500]
2012-03-29 11:02:01: DEBUG: send packet to x.x.x.x[4500]
2012-03-29 11:02:01: DEBUG: 1 times of 232 bytes message will be sent to x.x.x.x[4500]
2012-03-29 11:02:01: DEBUG:
00000000 43244935 f8cddf04 a062018f fbdf14e2 04100200 00000000 000000e4
0a000084 96d62fbe e0f871e6 255a89b4 c65ca8fc 8979d9b6 bdf1a5de 7bdb6b89
e0043dbb cfb03694 7222d5fb 0d089470 e0126b15 110ea8ad 0f07314f b5698a42
22d57f0f 1126ec0e 905ab022 38745cfa dad7bf77 c4a7e5a8 d9abd136 1a40d69d
394d4231 42f794f8 bbcbd7c5 0a433ea1 1e2686b5 b2bfcad8 c89d6dd4 512abf82
0e8335d7 14000014 bf23b485 d861d33f 7169da31 b618ede5 14000018 3e237c4b
25cd28a4 e134e1af d054a7a3 44cc1143 00000018 b5cb011f 1c3e8691 b72374ee
50437584 e0cbec33
2012-03-29 11:02:01: DEBUG: resend phase1 packet 43244935f8cddf04:a062018ffbdf14e2
2012-03-29 11:02:03: DEBUG: KA: 192.168.y.y[4500]->x.x.x.x[4500]
2012-03-29 11:02:03: DEBUG: sockname 192.168.y.y[4500]
2012-03-29 11:02:03: DEBUG: send packet from 192.168.y.y[4500]
2012-03-29 11:02:03: DEBUG: send packet to x.x.x.x[4500]
2012-03-29 11:02:03: DEBUG: 1 times of 1 bytes message will be sent to x.x.x.x[4500]
2012-03-29 11:02:03: DEBUG:
ff
2012-03-29 11:02:11: DEBUG: 232 bytes from 192.168.y.y[4500] to x.x.x.x[4500]
2012-03-29 11:02:11: DEBUG: sockname 192.168.y.y[4500]
2012-03-29 11:02:11: DEBUG: send packet from 192.168.y.y[4500]
2012-03-29 11:02:11: DEBUG: send packet to x.x.x.x[4500]
2012-03-29 11:02:11: DEBUG: 1 times of 232 bytes message will be sent to x.x.x.x[4500]
2012-03-29 11:02:11: DEBUG:
00000000 43244935 f8cddf04 a062018f fbdf14e2 04100200 00000000 000000e4
0a000084 96d62fbe e0f871e6 255a89b4 c65ca8fc 8979d9b6 bdf1a5de 7bdb6b89
e0043dbb cfb03694 7222d5fb 0d089470 e0126b15 110ea8ad 0f07314f b5698a42
22d57f0f 1126ec0e 905ab022 38745cfa dad7bf77 c4a7e5a8 d9abd136 1a40d69d
394d4231 42f794f8 bbcbd7c5 0a433ea1 1e2686b5 b2bfcad8 c89d6dd4 512abf82
0e8335d7 14000014 bf23b485 d861d33f 7169da31 b618ede5 14000018 3e237c4b
25cd28a4 e134e1af d054a7a3 44cc1143 00000018 b5cb011f 1c3e8691 b72374ee
50437584 e0cbec33
2012-03-29 11:02:11: DEBUG: resend phase1 packet 43244935f8cddf04:a062018ffbdf14e2
2012-03-29 11:02:21: ERROR: phase1 negotiation failed due to time up. 43244935f8cddf04:a062018ffbdf14e2
2012-03-29 11:02:21: INFO: KA remove: 192.168.y.y[4500]->x.x.x.x[4500]
2012-03-29 11:02:21: DEBUG: KA tree dump: 192.168.y.y[4500]->x.x.x.x[4500] (in_use=1)
2012-03-29 11:02:21: DEBUG: KA removing this one...
2012-03-29 11:02:21: DEBUG: IV freed
^C2012-03-29 11:02:26: INFO: caught signal 2
2012-03-29 11:02:26: DEBUG2: flushing all ph2 handlers...
2012-03-29 11:02:26: INFO: racoon process 4390 shutdown
```


----------



## val (Apr 20, 2012)

Thanks Rolf for your great work!

With iPhone (iOS 5.1) VPN PSK works perfectly, but I can't achieve the same result with an Android device (Samsung Galaxy S2). It seems mpd5 doesn't receive anything from racoon and the IPsec session expires

```
IPsec-SA established: ESP/Transport XX.XX.XX.XX[500] -> YY.YY.YY.YY[500] spi=aabbccdd
```
After that only connection timeout on device


----------



## Anonymous (Apr 20, 2012)

val said:
> ... With iPhone (iOS 5.1) VPN PSK works perfectly, but I can't to achieve the same result with android device (samsung galaxy s2). It's seems mpd5 doesn't receive anything from racoon and IPsec session expiring
> 
> ```
> IPsec-SA established: ESP/Transport XX.XX.XX.XX[500] -> YY.YY.YY.YY[500] spi=aabbccdd
> ...



I saw an Android screenshot on the net that exhibits the possibility to enable and set the L2TP secret, i.e. the login password for mpd5. This is different from the PSK. Perhaps you forgot to enable/set this password, and for this reason the VPN client of Android is trying its luck directly with racoon.

I never got Windows to work with L2TP/IPsec, and for this reason I also have a PPTP VPN server running, as is mentioned in Part III of the present Howto and described in the following forum message: http://forums.freebsd.org/showthread.php?p=137792. If you cannot get Android working with L2TP/IPsec, then perhaps you might want to give PPTP a try.

Best regards

Rolf


----------



## val (Apr 20, 2012)

Rolf, thank you for your quick reply.

The connection sessions for iPhone and Android look similar to each other. There's only one difference with the iPhone: after the line in racoon.log

```
IPsec-SA established: ESP/Transport XX.XX.XX.XX[500] -> YY.YY.YY.YY[500] spi=aabbccdd
```
the following line exists in mpd.log:

```
Incoming L2TP packet from XX.XX.XX.XX 1701
```

The L2TP secret field isn't used in this process (or doesn't have any effect)

And pptp works fine too.

Here full log from ipsec session:


```
2012-04-20 16:02:18: INFO: respond new phase 1 negotiation: XX.XX.XX.XX[500]<=>YY.YY.YY.YY[28420]
2012-04-20 16:02:18: INFO: begin Identity Protection mode.
2012-04-20 16:02:18: INFO: received Vendor ID: RFC 3947
2012-04-20 16:02:18: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-04-20 16:02:18: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2012-04-20 16:02:18: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2012-04-20 16:02:18: INFO: received broken Microsoft ID: FRAGMENTATION
2012-04-20 16:02:18: INFO: received Vendor ID: DPD
2012-04-20 16:02:18: [YY.YY.YY.YY] INFO: Selected NAT-T version: RFC 3947
2012-04-20 16:02:19: [XX.XX.XX.XX] INFO: Hashing XX.XX.XX.XX[500] with algo #2
2012-04-20 16:02:19: INFO: NAT-D payload #0 verified
2012-04-20 16:02:19: [YY.YY.YY.YY] INFO: Hashing YY.YY.YY.YY[28420] with algo #2
2012-04-20 16:02:19: INFO: NAT-D payload #1 doesn't match
2012-04-20 16:02:19: INFO: NAT detected: PEER
2012-04-20 16:02:19: [YY.YY.YY.YY] INFO: Hashing YY.YY.YY.YY[28420] with algo #2
2012-04-20 16:02:19: [XX.XX.XX.XX] INFO: Hashing XX.XX.XX.XX[500] with algo #2
2012-04-20 16:02:19: INFO: Adding remote and local NAT-D payloads.
2012-04-20 16:02:20: INFO: NAT-T: ports changed to: YY.YY.YY.YY[57300]<->XX.XX.XX.XX[4500]
2012-04-20 16:02:20: INFO: KA list add: XX.XX.XX.XX[4500]->YY.YY.YY.YY[57300]
2012-04-20 16:02:20: INFO: ISAKMP-SA established XX.XX.XX.XX[4500]-YY.YY.YY.YY[57300] spi:202593a6552a8869:6a6ddfa017cbd33a
2012-04-20 16:02:20: [YY.YY.YY.YY] INFO: received INITIAL-CONTACT
2012-04-20 16:02:21: INFO: respond new phase 2 negotiation: XX.XX.XX.XX[4500]<=>YY.YY.YY.YY[57300]
2012-04-20 16:02:21: INFO: Update the generated policy : 10.91.146.15/32[0] XX.XX.XX.XX/32[1701] proto=udp dir=in
2012-04-20 16:02:21: INFO: Adjusting my encmode UDP-Transport->Transport
2012-04-20 16:02:21: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
2012-04-20 16:02:22: INFO: IPsec-SA established: ESP/Transport XX.XX.XX.XX[500]->YY.YY.YY.YY[500] spi=230013636(0xdb5bac4)
2012-04-20 16:02:22: INFO: IPsec-SA established: ESP/Transport XX.XX.XX.XX[500]->YY.YY.YY.YY[500] spi=160977102(0x99850ce)
2012-04-20 16:03:47: [YY.YY.YY.YY] INFO: DPD: remote (ISAKMP-SA spi=202593a6552a8869:6a6ddfa017cbd33a) seems to be dead.
2012-04-20 16:03:47: INFO: purging ISAKMP-SA spi=202593a6552a8869:6a6ddfa017cbd33a.
2012-04-20 16:03:47: INFO: deleting a generated policy.
2012-04-20 16:03:47: INFO: purged IPsec-SA spi=230013636.
2012-04-20 16:03:47: INFO: purged ISAKMP-SA spi=202593a6552a8869:6a6ddfa017cbd33a.
2012-04-20 16:03:47: INFO: ISAKMP-SA deleted XX.XX.XX.XX[4500]-YY.YY.YY.YY[57300] spi:202593a6552a8869:6a6ddfa017cbd33a
2012-04-20 16:03:47: INFO: ISAKMP-SA deleted XX.XX.XX.XX[4500]-YY.YY.YY.YY[57300] spi:202593a6552a8869:6a6ddfa017cbd33a
2012-04-20 16:03:47: INFO: KA remove: XX.XX.XX.XX[4500]->YY.YY.YY.YY[57300]
```


----------



## Anonymous (Apr 20, 2012)

val,

After googling a little bit, I found the following thread on the issue:

http://code.google.com/p/android/issues/detail?id=23124.

Seems, that I cannot be of any help here, but the android team has to get their act together.

For the time being, at least PPTP is confirmed to work. I am sorry, that I do not have a better answer for you.

Best regards

Rolf


----------



## val (Apr 23, 2012)

Thank you Rolf,
I agree that this is a bug in Android.


----------



## jr (May 2, 2012)

*PPP over L2TP Issue*

Hey Rolf,

Slightly off the topic of IPSec here but I'm hoping you can assist given your experience with MPD. It seems that the mailing list for MPD on SourceForge was removed quite some time back and I'm struggling to find any other mailing lists or user groups that seem to be active on this stuff.

We're looking for some insights on an error message we're getting from MPD and the only reference we found to this error message in Google was on a Russian site even then it was hard to tell if there was anything by way of constructive input/feedback.

So you have some background, what we're trying to do is use OpenL2TP to generate some PPP over L2TP traffic such that we can test using MPD to do tunnel switching. The intent here is to use MPD to get around a problem with one of our carrier partners whereby we need to terminate multiple L2TP tunnels from them (for multiple wholesale clients) but they don't seem willing or able to provide a different tunnel name for each client. So we're planning to use MPD to switch the PPP traffic to a new tunnel and hand it off to our Cisco LNSs.

We're running OpenL2TP 1.8 with PPP 2.4.5 on CentOS 6.2 64-Bit. Open L2TP and PPP were both compiled from source. They seem to be operating correctly (OpenL2TP tests as per the doco work fine) however when we point the L2TP at the MPD instance we strike problems with the following output/error:


```
Incoming L2TP packet from 27.121.90.5 51937
L2TP: Control connection 0x801c90e10 27.121.90.1 1701 <-> 27.121.90.5 51937 connected
L2TP: Incoming call #1 via connection 0x801c90e10 received
[LNS1-3] L2TP: Incoming call #1 via control connection 0x801c90e10 accepted
[LNS1-3] Link: Matched action 'forward "LAC1"'
[R-LNS1-3] Rep: INCOMING event from LNS1-3 (0)
L2TP: Initiating control connection 0x801c91110 27.121.90.4 0 <-> 27.121.90.8 1701
[LNS1-3] L2TP: Call #1 connected
L2TP: Control connection 0x801c91110 27.121.90.4 46904 <-> 27.121.90.8 1701 connected
ppp_l2tp_initiate: Operation not supported
[R-LNS1-3] Rep: DOWN event from LAC1-4 (1)
[LNS1-3] L2TP: Call #1 terminated locally
[R-LNS1-3] Rep: DOWN event from LNS1-3 (0)
[R-LNS1-3] Rep: Shutdown
[LAC1-4] Link: SHUTDOWN event
[LAC1-4] Link: Shutdown
[LNS1-3] Link: SHUTDOWN event
[LNS1-3] Link: Shutdown
L2TP: Control connection 0x801c91110 terminated: 0 (No application/session timer expired)
L2TP: Control connection 0x801c90e10 terminated: 0 (no more sessions exist in this tunnel)
L2TP: Control connection 0x801c91110 destroyed
L2TP: Control connection 0x801c90e10 destroyed
```

MPD is running on FreeBSD 8.2 amd64 as this seemed to be about the best supported platform for it. Initially testing looked good but once we fire up the PPP over L2TP traffic we hit this error.

We have an urgent need to get this working and would appreciate any assistance you can offer. There doesn't seem to be much available in terms of doco / insights and it doesn't look like there are a lot of options for this sort of thing in a software based platform.

Cheers,

Jules


----------



## Anonymous (May 2, 2012)

jr said:
> ... I'm struggling to find any other mailing lists or user groups that seem to be active on this stuff.



The MPD-Forum on sourceforge is quite active.

jr said:

> ... We're looking for some insights on an error message we're getting from MPD and the only reference we found to this error message in Google was on a Russian site even then it was hard to tell if there was anything by way of constructive input/feedback.



I found that thread also, and Alexander Motin, who responded at that time, and who is one of the developers and also a quite active responder on said forum, gave some advice, i.e. searching the net for LAC / LNS or at least having a look into the mpd manual. I have to admit that I have never dealt with access concentration into a LNS. I can tell you that Alexander helped me in the other forum to get L2TP/IPsec working, and the advice to consult the manual, even if it sounds harsh somehow - note, he did not say RTFM - is a good one. The mpd manual is really worth a thorough reading; I was able to clarify almost all my doubts by reading the respective chapters.

jr said:

> ... We're running OpenL2TP 1.8 with PPP 2.4.5 on CentOS 6.2 64-Bit. Open L2TP and PPP were both compiled from source. They seem to be operating correctly (OpenL2TP tests as per the doco work fine) however when we point the L2TP at the MPD instance we strike problems with the following output/error:
> 
> 
> ```
> ...



Seems as if OpenL2TP is trying to initiate something in a way that is not supported by net/mpd5. OpenL2TP claims to be the most complete L2TP client/server, which would mean that the other systems in the crowd are not that complete. Perhaps it might be possible to configure OpenL2TP down to this crowd level.

Best regards

Rolf


----------



## jr (May 3, 2012)

Hey Rolf,

Many thanks for the quick reply mate.

I appreciate you pointing out the current SourceForge forum for MPD. We hadn't found that one yet in our travels and you're right, it seems to be pretty active/current.

Actually, as luck would have it, we seem to have worked out our problem. We were trying to bind a couple of LNS IPs from our upstream carrier to a single instance of mpd and this was the cause of the issues. Initially we dropped it back to one and then massaged the config to get it working with both.

Now it's working nicely with OpenL2TP in our test environment and we've also been able to test it with a real end client. We're just about to add some more end clients so we can start to load it up but it was performing nicely with 8-10 Mbps running over it and there was very little latency added as traffic traversed our MPD instance. I'm keen to see how the CPU utilisation scales. I had yet to install VMware Tools into FreeBSD and will do this and see if I can enable one of the accelerated network adapter types. I trust that will give us more efficiency in terms of the ratio b/w traffic and CPU utilisation.

Happy to share more of the details if it's of interest.

Best Regards,

Jules


----------



## Anonymous (May 3, 2012)

Hallo Jules!

jr said:

> ...
> Actually, as luck would have it, we seem to have worked out our problem.
> ...
> Happy to share more of the details if it's of interest.



Glad to hear that you were able to solve the problem. I am sure that many people (me included) would appreciate a detailed write-up, i.e. a sort of _Howto setup a LAC/LNS architecture using mpd5 on FreeBSD_.

Best regards

Rolf


----------



## fuhdan (Jun 24, 2012)

Hi all

I did the installation without NAT and firewall. Everything seems to work. I can connect. I can ping my internal webserver (Apache 2.2). But if I try to connect with a browser, it times out.
My design:


```
Host A ----> Router (NAT) ----> Internet ----> Router ----> Firewall ----> VPN Server ----> Host B
```

*What is working:*

ping from Host A to Host B
ping from Host B to Host A
SSH from Host A to the VPN Server (internal Interface)
SSH from the VPN Server (internal Interface) to Host A
SSH from the VPN Server (internal Interface) to Host B
SSH from Host B to the VPN Server (internal Interface)

*What is NOT working:*

SSH from Host A to Host B
SSH from Host B to Host A
The same with a web server; http/https is not working but ping is working both ways.

Thanks for your help.


----------



## Anonymous (Jun 24, 2012)

Things to check:


Network addresses of Host A and Host B need to be different, for example 192.168.*65*.0/24 for Host A and 192.168.*66*.0/24 for Host B.

In /usr/local/etc/mpd5/mpd.conf on the VPN server, proxy-arp needs to be enabled:

```
...
set iface enable proxy-arp
...
```

In /etc/sysctl.conf on the VPN server, ip-forwarding needs to be enabled:

```
...
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
...
```


In addition, perhaps you might want to post your configuration files of the VPN server and an excerpt of /var/log/racoon.log exhibiting some details of an example session.

Best regards

Rolf

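The three items in the reply above can be checked mechanically against the configuration files. The following script is an added example, not the Howto's own code: it works on the text of mpd.conf and sysctl.conf (so it can be run against copies of the files posted in this thread) and on the two LAN prefixes, and it reports which of the checks fails. The pool check is an addition beyond the reply: proxy-arp can only answer for pool addresses that lie inside the LAN the VPN server itself sits in. The sample texts and addresses below are constructed.

```python
"""Checks for the three items in the reply above: distinct client and server
LANs, proxy-arp enabled in mpd.conf, IP forwarding enabled in sysctl.conf.

Added example, not the Howto's own code.  It works on configuration text, so
it can be run on copies of the files posted in this thread; the sample texts
below are constructed in the format shown there.  The pool check goes beyond
the reply: proxy-arp can only answer for pool addresses that lie inside the
LAN the server itself sits in.
"""
import ipaddress
import re

PROXY_ARP_RX = re.compile(r"^\s*set\s+iface\s+enable\b.*\bproxy-arp\b")


def subnets_overlap(net_a, net_b):
    """True if the two networks share any address (host bits are ignored)."""
    a = ipaddress.ip_network(net_a, strict=False)
    b = ipaddress.ip_network(net_b, strict=False)
    return a.overlaps(b)


def mpd_proxy_arp_enabled(mpd_conf):
    """True if an uncommented 'set iface enable ... proxy-arp' line exists."""
    return any(PROXY_ARP_RX.match(line)
               for line in mpd_conf.splitlines()
               if not line.lstrip().startswith("#"))


def sysctl_value(sysctl_conf, key):
    """Return the last value assigned to key in sysctl.conf text, or None."""
    value = None
    for line in sysctl_conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if "=" in line:
            k, v = line.split("=", 1)
            if k.strip() == key:
                value = v.strip()
    return value


def check_dialin(client_lan, server_lan, pool_start, pool_end, mpd_conf, sysctl_conf):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    if subnets_overlap(client_lan, server_lan):
        findings.append(f"client LAN {client_lan} overlaps server LAN {server_lan}; "
                        "the client's traffic for Host B stays on its local LAN")
    server_net = ipaddress.ip_network(server_lan, strict=False)
    if not (ipaddress.ip_address(pool_start) in server_net
            and ipaddress.ip_address(pool_end) in server_net):
        findings.append(f"pool {pool_start}-{pool_end} lies outside {server_lan}; "
                        "proxy-arp cannot answer for those addresses")
    if not mpd_proxy_arp_enabled(mpd_conf):
        findings.append("mpd.conf: 'set iface enable proxy-arp' is missing")
    if sysctl_value(sysctl_conf, "net.inet.ip.forwarding") != "1":
        findings.append("sysctl.conf: net.inet.ip.forwarding is not set to 1")
    return findings


# Constructed sample configuration texts (placeholder addresses).
SAMPLE_MPD_CONF = """\
l2tp_server:
# Define dynamic IP address pool.
        set ippool add pool_l2tp 192.168.66.150 192.168.66.199
        create bundle template B_l2tp
        set iface enable proxy-arp
        set iface enable tcpmssfix
        set ipcp ranges 192.168.66.1/24 ippool pool_l2tp
"""

SAMPLE_SYSCTL_CONF = """\
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
"""

if __name__ == "__main__":
    findings = check_dialin("192.168.65.0/24", "192.168.66.0/24",
                            "192.168.66.150", "192.168.66.199",
                            SAMPLE_MPD_CONF, SAMPLE_SYSCTL_CONF)
    print("findings:", findings or "none")
```

To run it against a real server, read /usr/local/etc/mpd5/mpd.conf and /etc/sysctl.conf into the two text arguments and pass the client's home LAN and the server LAN as CIDR prefixes; a non-empty list names the item to fix first.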

----------



## fuhdan (Jun 25, 2012)

Host A has the IP 192.168.10.50
Host B has the IP 10.253.24.150

/usr/local/etc/mpd5/mpd.conf

```
startup:
        # configure mpd users
        set user super superpw admin
        # configure the console
        set console self 127.0.0.1 5005
        set console open
        # configure the web server
        set web self 0.0.0.0 5006
        set web open

default:
        load l2tp_server

l2tp_server:
# Define dynamic IP address pool.
        set ippool add pool_l2tp 192.168.10.50 192.168.10.100

# Create clonable bundle template named B_l2tp
        create bundle template B_l2tp
        set iface enable proxy-arp
        set iface enable tcpmssfix
        set ipcp yes vjcomp
# Specify IP address pool for dynamic assigment.
        set ipcp ranges 192.168.10.0/24 ippool pool_l2tp
        set ipcp dns 10.253.24.150
```


/etc/sysctl.conf

```
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
```

/var/log/racoon.log (xxx.xxx.xxx.xxx is the IP of the VPN server; yyy.yyy.yyy.yyy is the NAT'ed IP of the client) 

```
2012-06-25 10:01:31: INFO: respond new phase 1 negotiation: xxx.xxx.xxx.xxx[500]<=>yyy.yyy.yyy.yyy[500]
2012-06-25 10:01:31: INFO: begin Identity Protection mode.
2012-06-25 10:01:31: INFO: received Vendor ID: RFC 3947
2012-06-25 10:01:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2012-06-25 10:01:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2012-06-25 10:01:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2012-06-25 10:01:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2012-06-25 10:01:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2012-06-25 10:01:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2012-06-25 10:01:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-06-25 10:01:31: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
*beep*
2012-06-25 10:01:31: INFO: received Vendor ID: DPD
2012-06-25 10:01:31: [yyy.yyy.yyy.yyy] INFO: Selected NAT-T version: RFC 3947
2012-06-25 10:01:31: [xxx.xxx.xxx.xxx] INFO: Hashing xxx.xxx.xxx.xxx[500] with algo #2
2012-06-25 10:01:31: INFO: NAT-D payload #0 verified
2012-06-25 10:01:31: [yyy.yyy.yyy.yyy] INFO: Hashing yyy.yyy.yyy.yyy[500] with algo #2
2012-06-25 10:01:31: INFO: NAT-D payload #1 doesn't match
2012-06-25 10:01:31: INFO: NAT detected: PEER
2012-06-25 10:01:31: [yyy.yyy.yyy.yyy] INFO: Hashing yyy.yyy.yyy.yyy[500] with algo #2
2012-06-25 10:01:31: [xxx.xxx.xxx.xxx] INFO: Hashing xxx.xxx.xxx.xxx[500] with algo #2
2012-06-25 10:01:31: INFO: Adding remote and local NAT-D payloads.
2012-06-25 10:01:31: INFO: NAT-T: ports changed to: yyy.yyy.yyy.yyy[4500]<->xxx.xxx.xxx.xxx[4500]
2012-06-25 10:01:31: INFO: KA list add: xxx.xxx.xxx.xxx[4500]->yyy.yyy.yyy.yyy[4500]
2012-06-25 10:01:31: [yyy.yyy.yyy.yyy] INFO: received INITIAL-CONTACT
2012-06-25 10:01:31: INFO: ISAKMP-SA established xxx.xxx.xxx.xxx[4500]-yyy.yyy.yyy.yyy[4500] spi:6a18e0234313c7d4:dbbad31af7a253a3
2012-06-25 10:01:32: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[4500]<=>yyy.yyy.yyy.yyy[4500]
2012-06-25 10:01:32: INFO: Adjusting my encmode UDP-Transport->Transport
2012-06-25 10:01:32: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
2012-06-25 10:01:32: INFO: IPsec-SA established: ESP/Transport xxx.xxx.xxx.xxx[500]->yyy.yyy.yyy.yyy[500] spi=135798551(0x8181f17)
2012-06-25 10:01:32: INFO: IPsec-SA established: ESP/Transport xxx.xxx.xxx.xxx[500]->yyy.yyy.yyy.yyy[500] spi=195887997(0xbad037d)
*beep*
*beep*
*beep*
2012-06-25 10:02:47: INFO: purged IPsec-SA proto_id=ESP spi=195887997.
2012-06-25 10:02:47: INFO: purging ISAKMP-SA spi=6a18e0234313c7d4:dbbad31af7a253a3.
2012-06-25 10:02:47: INFO: purged IPsec-SA spi=135798551.
2012-06-25 10:02:47: INFO: purged ISAKMP-SA spi=6a18e0234313c7d4:dbbad31af7a253a3.
2012-06-25 10:02:47: INFO: ISAKMP-SA deleted xxx.xxx.xxx.xxx[4500]-yyy.yyy.yyy.yyy[4500] spi:6a18e0234313c7d4:dbbad31af7a253a3
2012-06-25 10:02:47: INFO: KA remove: xxx.xxx.xxx.xxx[4500]->yyy.yyy.yyy.yyy[4500]
2012-06-25 10:02:47: ERROR: no configuration found for yyy.yyy.yyy.yyy.
2012-06-25 10:02:47: ERROR: failed to begin ipsec sa negotiation.
```

I solved it. It was a firewall problem. I found it while I enabled all logging on the firewall. The guy who is responsible for the firewall didn't see it. Sorry.
Thanks for your help. Have a nice day.

Cheers Daniel


----------



## mix_room (Jul 18, 2012)

Has anyone had any luck connecting with Windows 7 or Android? 

I keep getting the following in my log files 


```
*** IP1: External IP 1
 *** IP2: External IP 2
2012-07-18 17:06:05: INFO: respond new phase 1 negotiation: IP1[500]<=> IP2[500]
2012-07-18 17:06:05: INFO: begin Identity Protection mode.
2012-07-18 17:06:05: INFO: received Vendor ID: RFC 3947
2012-07-18 17:06:05: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-07-18 17:06:05: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2012-07-18 17:06:05: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2012-07-18 17:06:05: INFO: received broken Microsoft ID: FRAGMENTATION
2012-07-18 17:06:05: [IP2] INFO: Selected NAT-T version: RFC 3947
2012-07-18 17:06:05: [IP1] INFO: Hashing IP1[500] with algo #2
2012-07-18 17:06:05: INFO: NAT-D payload #0 verified
2012-07-18 17:06:05: [IP2] INFO: Hashing IP2[500] with algo #2
2012-07-18 17:06:05: INFO: NAT-D payload #1 verified
2012-07-18 17:06:05: INFO: NAT not detected
2012-07-18 17:06:05: [IP2] INFO: Hashing IP2[500] with algo #2
2012-07-18 17:06:05: [IP1] INFO: Hashing IP1[500] with algo #2
2012-07-18 17:06:05: INFO: Adding remote and local NAT-D payloads.
2012-07-18 17:06:05: INFO: ISAKMP-SA established IP1[500]-IP2[500] spi:66eebb5ffd4c7792:4d0fe1bb470a9d52
2012-07-18 17:06:05: [IP2] INFO: received INITIAL-CONTACT
2012-07-18 17:06:06: INFO: respond new phase 2 negotiation: IP1[500]<=>IP2[500]
2012-07-18 17:06:06: INFO: IPsec-SA established: ESP/Transport IP1[500]->IP2[500] spi=201111091(0xbfcb633)
2012-07-18 17:06:06: INFO: IPsec-SA established: ESP/Transport IP1[500]->IP2[500] spi=233175(0x38ed7)
 *** NOTHING MORE HAPPENS HERE ***
```

It seems as though I am getting the mentioned problem that Android and Windows seem to speak directly with mpd instead of going via racoon.

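The racoon.log excerpts posted in this thread fail at different layers: ronjns's session times out in phase 1, val's Android session brings up the IPsec-SAs and is then purged by DPD, and the session above stops right after the IPsec-SAs. The following script is an added example, not code from the Howto or from ipsec-tools: it reads racoon's INFO/ERROR lines for one dial-in and reports how far it got, together with racoon's NAT-D verdict, so the failing layer can be matched with the check Rolf suggests (IKE ports through the firewall/NAT, UDP 1701, or mpd.log). The sample excerpts are constructed from the message patterns quoted above, with a.a.a.a standing for the server and b.b.b.b for the client.

```python
"""Triage helper for racoon.log excerpts like the ones posted in this thread.

Added example, not code from the Howto or from ipsec-tools: it classifies how
far an L2TP/IPsec dial-in got (phase 1, NAT-T, IPsec-SA, DPD, timeout) from
racoon's INFO/ERROR lines.  The sample excerpts are constructed; a.a.a.a
stands for the server and b.b.b.b for the client.
"""
import re

# Markers racoon prints during a dial-in, roughly in the order a healthy
# session shows them.  The first matching marker wins for each line.
PATTERNS = [
    ("phase1_start",   re.compile(r"respond new phase 1 negotiation")),
    ("nat_detected",   re.compile(r"NAT detected: (?P<who>[A-Z ]+)")),
    ("nat_absent",     re.compile(r"NAT not detected")),
    ("natt_ports",     re.compile(r"NAT-T: ports changed to")),
    ("isakmp_sa",      re.compile(r"ISAKMP-SA established")),
    ("phase2_start",   re.compile(r"respond new phase 2 negotiation")),
    ("ipsec_sa",       re.compile(r"IPsec-SA established: ESP/Transport")),
    ("dpd_dead",       re.compile(r"DPD: remote .* seems to be dead")),
    ("phase1_timeout", re.compile(r"phase1 negotiation failed due to time up")),
]

HINTS = {
    "phase1_timeout": "IKE phase 1 never completed: verify that UDP 500 and UDP 4500 "
                      "reach racoon through the firewall and any NAT redirection",
    "dpd_dead":       "IPsec-SAs came up, then the peer went silent and DPD purged them: "
                      "check mpd.log for 'Incoming L2TP packet' and the UDP 1701 rules",
    "ipsec_up":       "IPsec-SAs came up; racoon's part is done, the next evidence is "
                      "'Incoming L2TP packet' in mpd.log (if absent, check UDP 1701 rules)",
    "phase2_missing": "ISAKMP-SA is up but no IPsec-SA followed: compare the sainfo "
                      "proposals and the setkey SPD entries for UDP 1701",
    "phase1_pending": "phase 1 started but neither finished nor timed out in this excerpt",
    "no_ike":         "no IKE exchange seen: racoon did not receive anything on UDP 500",
}


def parse_events(lines):
    """Map each log line to its stage marker (plus the NAT-D verdict, if any)."""
    events = []
    for line in lines:
        for name, rx in PATTERNS:
            m = rx.search(line)
            if m:
                who = m.group("who").strip() if "who" in rx.groupindex else None
                events.append((name, who))
                break
    return events


def diagnose(lines):
    """Return {'stage', 'nat', 'hint'} for one session's racoon.log excerpt."""
    events = parse_events(lines)
    seen = {name for name, _ in events}
    # 'ME', 'PEER' or 'ME PEER' from racoon's NAT-D check; 'NONE' when no NAT.
    nat = next((who for name, who in events if name == "nat_detected"), None)
    if "nat_absent" in seen:
        nat = "NONE"
    if "phase1_timeout" in seen:
        stage = "phase1_timeout"
    elif "dpd_dead" in seen:
        stage = "dpd_dead"
    elif "ipsec_sa" in seen:
        stage = "ipsec_up"
    elif "isakmp_sa" in seen:
        stage = "phase2_missing"
    elif "phase1_start" in seen:
        stage = "phase1_pending"
    else:
        stage = "no_ike"
    return {"stage": stage, "nat": nat, "hint": HINTS[stage]}


# Constructed excerpts (not real sessions) mirroring the three failure shapes above.
SAMPLE_TIMEOUT = """\
2012-03-28 11:42:42: INFO: respond new phase 1 negotiation: a.a.a.a[500]<=>b.b.b.b[1760]
2012-03-28 11:42:42: INFO: NAT detected: ME PEER
2012-03-28 11:42:42: INFO: NAT-T: ports changed to: b.b.b.b[28453]<->a.a.a.a[4500]
2012-03-28 11:43:32: ERROR: phase1 negotiation failed due to time up.
""".splitlines()

SAMPLE_DPD = """\
2012-04-20 16:02:18: INFO: respond new phase 1 negotiation: a.a.a.a[500]<=>b.b.b.b[28420]
2012-04-20 16:02:19: INFO: NAT detected: PEER
2012-04-20 16:02:20: INFO: NAT-T: ports changed to: b.b.b.b[57300]<->a.a.a.a[4500]
2012-04-20 16:02:20: INFO: ISAKMP-SA established a.a.a.a[4500]-b.b.b.b[57300] spi:0:0
2012-04-20 16:02:21: INFO: respond new phase 2 negotiation: a.a.a.a[4500]<=>b.b.b.b[57300]
2012-04-20 16:02:22: INFO: IPsec-SA established: ESP/Transport a.a.a.a[500]->b.b.b.b[500] spi=1(0x1)
2012-04-20 16:03:47: [b.b.b.b] INFO: DPD: remote (ISAKMP-SA spi=0:0) seems to be dead.
""".splitlines()

SAMPLE_STALL = """\
2012-07-18 17:06:05: INFO: respond new phase 1 negotiation: a.a.a.a[500]<=>b.b.b.b[500]
2012-07-18 17:06:05: INFO: NAT not detected
2012-07-18 17:06:05: INFO: ISAKMP-SA established a.a.a.a[500]-b.b.b.b[500] spi:0:0
2012-07-18 17:06:06: INFO: respond new phase 2 negotiation: a.a.a.a[500]<=>b.b.b.b[500]
2012-07-18 17:06:06: INFO: IPsec-SA established: ESP/Transport a.a.a.a[500]->b.b.b.b[500] spi=2(0x2)
""".splitlines()

if __name__ == "__main__":
    for sample in (SAMPLE_TIMEOUT, SAMPLE_DPD, SAMPLE_STALL):
        print(diagnose(sample))
```

Feed it the lines of one session from /var/log/racoon.log (for example everything from a "respond new phase 1 negotiation" line up to the next "KA remove"); the `nat` field tells you whether the server (ME), the client (PEER) or both sit behind NAT, which decides whether UDP 4500 or plain ESP has to pass the firewall.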

----------



## iamalittlepepper (Jul 24, 2012)

*Alternate way of patching racoon?*

Hi Rolf

I used your patch.zip; is there any surefire way to see if the patches are applied correctly? Because I only get the following message:


```
===>  Vulnerability check disabled, database not found
===>  License check disabled, port has not defined LICENSE
===>  Found saved configuration for ipsec-tools-0.8.0_2
=> ipsec-tools-0.8.0.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch http://heanet.dl.sourceforge.net/project/ipsec-tools/ipsec-tools/0.8.0/ipsec-tools-0.8.0.tar.bz2
ipsec-tools-0.8.0.tar.bz2                     100% of  790 kB  188 kBps
===>  Extracting for ipsec-tools-0.8.0_2
=> SHA256 Checksum OK for ipsec-tools-0.8.0.tar.bz2.
===>  Patching for ipsec-tools-0.8.0_2
===>  Applying FreeBSD patches for ipsec-tools-0.8.0_2
===>   ipsec-tools-0.8.0_2 depends on package: libtool>=2.4 - not found
===>    Verifying install for libtool>=2.4 in /usr/ports/devel/libtool
===>  Vulnerability check disabled, database not found
===>  License GPLv2 accepted by the user
=> libtool-2.4.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch http://ftp.gnu.org/gnu/libtool/libtool-2.4.tar.gz
libtool-2.4.tar.gz                            100% of 2519 kB  423 kBps
===>  Extracting for libtool-2.4_1
=> SHA256 Checksum OK for libtool-2.4.tar.gz.
===>  Patching for libtool-2.4_1
===>  Applying FreeBSD patches for libtool-2.4_1
===>  Configuring for libtool-2.4_1
## ----------------------- ##
## Configuring libtool 2.4 ##
## ----------------------- ##
```

The patch files are:


```
-rw-r--r--  1 root  wheel   618 Jan 10  2012 files/patch-zz-local-0.diff
-rw-r--r--  1 root  wheel   507 Jan 10  2012 files/patch-zz-local-1.diff
-rw-r--r--  1 root  wheel  1713 Mar 23  2011 files/patch8-utmp.diff
```


----------



## iamalittlepepper (Jul 24, 2012)

Never mind.. I've found that the source files in the directory _work/ipsec-tools-0.8.0/src/racoon_ have been changed as per the diff files. So a footnote for those who are wondering that's where the source files reside in the port system.


----------



## dkorzhevin (Aug 12, 2012)

Hello, I configured FreeBSD 9.0 release using this tutorial. I am able to connect to the server from Mac OS X, but I have 2 problems:

1. Internet is not working
2. I am not able to make more than 1 connection from one IP, even with separate usernames.

Here is my information:

*sysctl.conf*


```
dkorzhevin# cat /etc/sysctl.conf
# $FreeBSD: release/9.0.0/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
net.inet.ip.fw.one_pass=1
net.key.prefered_oldsa=0
net.key.blockacq_count=0
dkorzhevin#
```

*kernel compiled with options:*


```
options         IPSEC
options         IPSEC_NAT_T
device          crypto
options         IPSEC_FILTERTUNNEL
device          enc
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=5
options         IPFIREWALL_FORWARD
options         IPFIREWALL_NAT
options         LIBALIAS
options         IPDIVERT
```

patch /usr/ports/security/ipsec-tools/files/patch-zz-local-1.diff applied to ipsec-tools

*racoon.conf*

```
dkorzhevin# cat /usr/local/etc/racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

listen
{
# REPLACE w.x.y.z with the IP address racoon will listen on (if NAT translated, this is the INSIDE IP)
        isakmp           MYIP [500];
        isakmp_natt      MYIP [4500];
# NOTE, you can specify multiple IPs to listen on
#       isakmp           p.q.r.s [500];
#       isakmp_natt      p.q.r.s [4500];
#       strict_address;
}

remote anonymous
{
        exchange_mode    main;
        passive          on;
        proposal_check   obey;
        support_proxy    on;
        nat_traversal    on;
        ike_frag         on;
        dpd_delay        20;

        proposal
        {
                encryption_algorithm  aes;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }

        proposal
        {
                encryption_algorithm  3des;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }
}

sainfo anonymous
{
        encryption_algorithm     aes,3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm    deflate;
        pfs_group                modp1024;
}
dkorzhevin#
```

*setkey.conf*


```
dkorzhevin# cat setkey.conf
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in  ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
dkorzhevin#
```

*psk.txt*


```
dkorzhevin# cat psk.txt
* MYPASS
MYIP MYPASS
dkorzhevin#
```


```
dkorzhevin# ls -la
total 20
drwxr-xr-x  2 root  wheel   512 Aug 10 15:02 .
drwxr-xr-x  8 root  wheel   512 Aug 10 09:16 ..
-rw-------  1 root  wheel    30 Aug 10 11:34 psk.txt
-rw-r--r--  1 root  wheel  1308 Aug 10 14:42 racoon.conf
-rw-r--r--  1 root  wheel   171 Aug 10 14:18 setkey.conf
dkorzhevin#
```

*mpd.conf*


```
dkorzhevin# cat /usr/local/etc/mpd5/mpd.conf
startup:
        # configure mpd users
        set user super pwSuper admin
        # configure the console
        set console self 127.0.0.1 5005
        set console open
        # configure the web server
        set web self 0.0.0.0 5006
        set web open

default:
        load l2tp_server

l2tp_server:
# Define dynamic IP address pool.
        set ippool add pool_l2tp 192.168.0.150 192.168.0.199

# Create clonable bundle template named B_l2tp
        create bundle template B_l2tp
        set iface enable proxy-arp
        set iface enable tcpmssfix
        set ipcp yes vjcomp
# Specify IP address pool for dynamic assigment.
        set ipcp ranges 192.168.0.1/24 ippool pool_l2tp
        set ipcp dns 192.168.0.1

# Create clonable link template named L_l2tp
        create link template L_l2tp l2tp
# Set bundle template to use
        set link action bundle B_l2tp
# Multilink adds some overhead, but gives full 1500 MTU.
        set link enable multilink
        set link no pap chap eap
        set link enable chap
        set link keep-alive 0 0
# We reducing link mtu to avoid ESP packet fragmentation.
        set link mtu 1280
# Configure L2TP
        set l2tp self MYIP
        set l2tp enable length
# Allow to accept calls
        set link enable incoming
dkorzhevin#
```

*/etc/rc.conf*


```
dkorzhevin# cat /etc/rc.conf
hostname="dkorzhevin.mirohost.net"
ifconfig_nfe0=" inet MYIP netmask 255.255.254.0"
defaultrouter="GATEWAYIP"
sshd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
mpd_enable="YES"

firewall_enable="YES"
firewall_nat_enable="YES"
firewall_type="/etc/firewall"
gateway_enable="YES"

natd_enable="YES"
natd_interface="nfe0"
natd_flags=""
dkorzhevin#
```

Please help investigate this problem.


----------



## martinsm (Aug 12, 2012)

I am also not able to connect more than one client to the server; even after disconnecting the first client, other clients are unable to connect. Connecting with the first client again will still work. 

Flushing the SAD entries with 'setkey -F' will allow a different client to connect, but then the previous one won't be able to. I've been searching for hours for a solution to this, but without luck. My configuration is almost identical to the above. I would appreciate if anyone could point me in the right direction.


----------



## Sunsun (Aug 13, 2012)

martinsm, I have this problem too. Same issue.


----------



## Anonymous (Aug 13, 2012)

dkorzhevin said:

> Hello, i configured FreeBSD 9.0 release using this tutorial. I am able to connect to server from mac os x, but i have 2 problems:
> 
> 1. Internet is not working
> 2. I am not able to make more than 1 connection from one IP, even with separate usernames.



1. Examine your firewall rules, perhaps by comparing it with my rules.

2. Some time ago, I spent almost one week trying to resolve this issue, to no avail. The issue is that for two connections from the same public IP, even with two different public port numbers - let's say port1 and port2 - the system somehow mixes up the respective SAs, whereby SA[in] becomes combined with SA[out] and vice versa.

I no longer remember all the bloody details, but it seemed to me that SA management within racoon was correct, and the confusion happened in the kernel. I spent another day exploring key handling in the kernel, and then I gave up.

A workaround may be to let one client do the VPN connection, and let it do "Internet Sharing" for the others.

Best regards

Rolf


----------



## xtaz (Nov 26, 2012)

I have read through this tutorial and it has been very useful for getting this working on my server to my iphone, however I'm having to keep PPTP support in MPD as well because it doesn't work with Windows 7. This is clearly a known issue as it's mentioned in several places where it doesn't appear that Windows tries to talk to MPD. Has anybody ever got this working since the tutorial was written?

Somebody says on this thread that apparently Windows "directly connects to Racoon and bypasses MPD". Reading up on how L2TP works seems to suggest that this is actually how it's meant to work. This is quite interesting: http://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol#L2TP.2FIPsec and suggests that connecting directly to Racoon is the correct way of doing it, but then Windows is just failing to set up a ppp connection over that secure channel.

Doing a bit of research shows that it seems to work on Linux though via Racoon: http://en.gentoo-wiki.com/wiki/IPsec_L2TP_VPN_server. They speak about PSK and certificates and show config for either. The only real difference I can see between that and the config that is on this forum is the FQDN address. But I don't quite understand what they are saying underneath the example config for PSK.

Basically wondering if they can apparently get it to work, then it's got to be possible on FreeBSD surely!


----------



## Anonymous (Nov 28, 2012)

xtaz said:

> I have read through this tutorial and it has been very useful for getting this working on my server to my iphone, however I'm having to keep PPTP support in MPD as well because it doesn't work with Windows 7. This is clearly a known issue as it's mentioned in several places where it doesn't appear that Windows tries to talk to MPD. Has anybody ever got this working since the tutorial was written?



People (including me) are able to make connections if neither the server nor the client are behind NAT - perhaps you have already seen this thread: ipsec + mpd5 with windows 7/8 clients behind nat. Using the registry patch mentioned in said thread, apparently it is possible to connect to a server behind NAT, but this still does not work with server and client behind NAT.



> Somebody says on this thread that apparently Windows "directly connects to Racoon and bypasses MPD". Reading up on how L2TP works seems to suggest that this is actually how it's meant to work.



This was me, and you're right, this was a misconception on my side at that time.



> Doing a bit of research shows that it seems to work on Linux though via Racoon: http://en.gentoo-wiki.com/wiki/IPsec_L2TP_VPN_server. They speak about PSK and certificates and show config for either. The only real difference I can see between that and the config that is on this forum is the FQDN address. But I don't quite understand what they are saying underneath the example config for PSK.



I guess this is about the "Main mode FQDN identity" issue of Windows XP. There has been a patch around for quite some time, and without the patch you would see an error message in the racoon log something like:

```
<timestamp> racoon: ERROR: Expecting IP address type in main mode, but FQDN.
```

I never saw this error message with Windows 7, and behind NAT, Windows 7 does not connect, with or without the patch. On the other hand, if there is no NAT involved, Windows 7 can connect without the patch, so I would rule this out for further troubleshooting.

Windows 7 connects smoothly to a L2TP/IPSec server setup with net/mpd5+security/ipsec-tools if there is no NAT involved. Windows 7 clearly has issues when there is NAT involved. I read several problem reports on the internet about similar Windows-NAT-[NAT]-L2TP/IPSec connection issues with many different server side setups. So, I tend to assume that there is not so much we can do at the server side. Perhaps somebody knows a third-party L2TP/IPSec client for Windows that would work.


----------



## gkontos (Nov 28, 2012)

@rolfheinrich,

I have used your guide and tried to improvise in order to make Windows clients and Android phones connect. Unfortunately this was impossible.

An installation in Ubuntu 12.04 using openswan & xl2tpd works fine with all clients behind NAT. It has been tested with Lion, Windows7, Windows8 & Android2.3 
The only problem is that sometimes after a user disconnects he can not connect back without restarting xl2tpd.

So, I think this is a racoon issue with regard to FreeBSD. I have yet to test it with strongswan, which I believe also has some limitations in FreeBSD.


----------



## xtaz (Nov 29, 2012)

Interesting. Yes unfortunately both my server and clients will be behind NAT. For now I'll keep PPTP for my windows clients and use L2TP for my iphone. MPD happily supports running both simultaneously so this is OK for now but hopefully someone with more knowledge than me can figure this one out in the future!


----------



## Anonymous (Nov 29, 2012)

After applying kernel and racoon patches from the following two sources ...:

http://www.freebsd.org/cgi/query-pr.cgi?pr=146190
http://lists.freebsd.org/pipermail/freebsd-stable/2012-May/067416.html

..., I was able to resolve the persisting problems:

- dial-in of more than 1 client behind the same NAT
- Windows 7 connectivity

This worked out for me for FreeBSD 9.1-RC3 and FreeBSD 8.3-RELEASE.

Important notes:

- use the latest patches (links at the very end of kern/146190), i.e. ipsec_natt.v4.diff and ipsec_tools.context.v2.diff.
- for FreeBSD 9.1-RC3 remove the diff entry for sys/netipsec/ipsec.c from ipsec_natt.v4.diff since this has been already addressed.
- the kernel patch adds the new sysctl net.inet.esp.esp_ignore_natt_cksum, and this *MUST* be set to one, or any NATT connection will be dropped.


----------



## carp (Jan 8, 2013)

*Connection to mpd with iOS fails while Mac machine works fine*

Great article, Rolf, thanks for the good work!

Your write-up got me a working L2TP+IPsec connection from my Mac but it fails when connecting from my iOS device (tested only with an iPhone 4S running iOS 6.0). You explicitly state that it's working with iOS, so I must be missing something.

I can get through the IKE/SA phase, it just won't connect to mpd5. Apparently there is no authentication protocol the two parties can agree upon:


```
L2TP: waiting for connection on 192.168.1.23 1701
[L_l2tp] Incoming L2TP packet from 192.168.1.84 50549
L2TP: Control connection 0x802bf6610 192.168.1.23 1701 <-> 192.168.1.84 50549 connected
L2TP: Incoming call #1 via connection 0x802bf6610 received
[L_l2tp-1] L2TP: Incoming call #1 via control connection 0x802bf6610 accepted
[L_l2tp-1] Link: OPEN event
[L_l2tp-1] LCP: Open event
[L_l2tp-1] LCP: state change Initial --> Starting
[L_l2tp-1] LCP: LayerStart
[L_l2tp-1] L2TP: Call #1 connected
[L_l2tp-1] Link: UP event
[L_l2tp-1] LCP: Up event
[L_l2tp-1] LCP: state change Starting --> Req-Sent
[L_l2tp-1] LCP: SendConfigReq #1
[L_l2tp-1]   ACFCOMP
[L_l2tp-1]   PROTOCOMP
[L_l2tp-1]   MRU 1500
[L_l2tp-1]   MAGICNUM b7e27f7f
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1]   MP MRRU 2048
[L_l2tp-1]   MP SHORTSEQ
[L_l2tp-1]   ENDPOINTDISC [802.1] 00 1f c6 dc 1f 8c
[L_l2tp-1] LCP: rec'd Configure Request #1 (Req-Sent)
[L_l2tp-1]   ACCMAP 0x00000000
[L_l2tp-1]   MAGICNUM 0e3ec017
[L_l2tp-1]   PROTOCOMP
[L_l2tp-1]   ACFCOMP
[L_l2tp-1] LCP: SendConfigAck #1
[L_l2tp-1]   ACCMAP 0x00000000
[L_l2tp-1]   MAGICNUM 0e3ec017
[L_l2tp-1]   PROTOCOMP
[L_l2tp-1]   ACFCOMP
[L_l2tp-1] LCP: state change Req-Sent --> Ack-Sent
[L_l2tp-1] LCP: SendConfigReq #2
[L_l2tp-1]   ACFCOMP
[L_l2tp-1]   PROTOCOMP
[L_l2tp-1]   MRU 1500
[L_l2tp-1]   MAGICNUM b7e27f7f
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1]   MP MRRU 2048
[L_l2tp-1]   MP SHORTSEQ
[L_l2tp-1]   ENDPOINTDISC [802.1] 00 1f c6 dc 1f 8c
[L_l2tp-1] LCP: rec'd Configure Reject #2 (Ack-Sent)
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1]   MP MRRU 2048
[L_l2tp-1]   MP SHORTSEQ
[L_l2tp-1] LCP: SendConfigReq #3
[L_l2tp-1]   ACFCOMP
[L_l2tp-1]   PROTOCOMP
[L_l2tp-1]   MRU 1500
[L_l2tp-1]   MAGICNUM b7e27f7f
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: rec'd Configure Reject #3 (Ack-Sent)
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: SendConfigReq #4
[L_l2tp-1]   ACFCOMP
[L_l2tp-1]   PROTOCOMP
[L_l2tp-1]   MRU 1500
[L_l2tp-1]   MAGICNUM b7e27f7f
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: rec'd Configure Reject #4 (Ack-Sent)
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: SendConfigReq #5
[L_l2tp-1]   ACFCOMP
[L_l2tp-1]   PROTOCOMP
[L_l2tp-1]   MRU 1500
[L_l2tp-1]   MAGICNUM b7e27f7f
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: rec'd Configure Reject #5 (Ack-Sent)
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: SendConfigReq #6
[L_l2tp-1]   ACFCOMP
[L_l2tp-1]   PROTOCOMP
[L_l2tp-1]   MRU 1500
[L_l2tp-1]   MAGICNUM b7e27f7f
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: rec'd Configure Reject #6 (Ack-Sent)
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: SendConfigReq #7
[L_l2tp-1]   ACFCOMP
[L_l2tp-1]   PROTOCOMP
[L_l2tp-1]   MRU 1500
[L_l2tp-1]   MAGICNUM b7e27f7f
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: rec'd Configure Reject #7 (Ack-Sent)
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: SendConfigReq #8
[L_l2tp-1]   ACFCOMP
[L_l2tp-1]   PROTOCOMP
[L_l2tp-1]   MRU 1500
[L_l2tp-1]   MAGICNUM b7e27f7f
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: rec'd Configure Reject #8 (Ack-Sent)
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: SendConfigReq #9
[L_l2tp-1]   ACFCOMP
[L_l2tp-1]   PROTOCOMP
[L_l2tp-1]   MRU 1500
[L_l2tp-1]   MAGICNUM b7e27f7f
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: rec'd Configure Reject #9 (Ack-Sent)
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: SendConfigReq #10
[L_l2tp-1]   ACFCOMP
[L_l2tp-1]   PROTOCOMP
[L_l2tp-1]   MRU 1500
[L_l2tp-1]   MAGICNUM b7e27f7f
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: rec'd Configure Reject #10 (Ack-Sent)
[L_l2tp-1]   AUTHPROTO CHAP MSOFTv2
[L_l2tp-1] LCP: not converging
[L_l2tp-1] LCP: parameter negotiation failed
[L_l2tp-1] LCP: state change Ack-Sent --> Stopped
[L_l2tp-1] LCP: LayerFinish
[L_l2tp-1] L2TP: Call #1 terminated locally
[L_l2tp-1] Link: DOWN event
[L_l2tp-1] LCP: Close event
[L_l2tp-1] LCP: state change Stopped --> Closed
[L_l2tp-1] LCP: Down event
[L_l2tp-1] LCP: state change Closed --> Initial
[L_l2tp-1] Link: SHUTDOWN event
[L_l2tp-1] Link: Shutdown
```

The mpd.conf in use contains nothing but the example code you provided in your Howto, modified only to reflect the local IP configuration. You may notice that it's running in an RFC1918 net but *mpd* distributes a different IP pool for its VPN clients. Also, there is no NAT involved.

As said, it works with my Mac. Any help is much appreciated.


----------



## Anonymous (Jan 8, 2013)

carp said:

> ... Your write-up got got me a working L2TP+IPsec connection from my Mac but it fails when connecting from my iOS device (tested only with an iPhone 4S running iOS 6.0).



Note, on iOS you need to use the L2TP client and not the IPsec client (which is in fact a Cisco client). Please try again using the VPN-L2TP (IPsec) client.

Best regards

Rolf


----------



## carp (Jan 9, 2013)

rolfheinrich said:

> Note, on iOS you need to use the L2TP client and not the IPsec client (which is in fact a Cisco client). Please try again using the VPN-L2TP (IPsec) client.
> 
> Best regards
> 
> Rolf



Yes, yes - I'm using the L2TP client (ie. the first tab in the VPN settings).


----------



## Anonymous (Jan 9, 2013)

carp said:

> ... You may notice that it's running in an RFC1918 net but *mpd* distributes a different IP pool for its VPN clients. Also, there is no NAT involved.
> 
> As said, it works with my Mac. Any help is much appreciated.



Sorry, it didn't jump directly into my mind that client and server are in the same local network.

I have to admit that neither my Mac nor my iPhone would connect to my VPN server sitting in the same local network. In my setup, this kind of connection attempt is already failing in racoon. I just tried it again from my Mac:


```
2013-01-09 10:11:22: INFO: respond new phase 1 negotiation: 192.168.1.35[500]<=>192.168.1.5[500]
2013-01-09 10:11:22: INFO: begin Identity Protection mode.
2013-01-09 10:11:22: INFO: received Vendor ID: RFC 3947
2013-01-09 10:11:22: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2013-01-09 10:11:22: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2013-01-09 10:11:22: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2013-01-09 10:11:22: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2013-01-09 10:11:22: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2013-01-09 10:11:22: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2013-01-09 10:11:22: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-01-09 10:11:22: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2013-01-09 10:11:22: INFO: received Vendor ID: DPD
2013-01-09 10:11:22: [192.168.1.5] INFO: Selected NAT-T version: RFC 3947
2013-01-09 10:11:22: [192.168.1.35] INFO: Hashing 192.168.1.35[500] with algo #2 
2013-01-09 10:11:22: INFO: NAT-D payload #0 verified
2013-01-09 10:11:22: [192.168.1.5] INFO: Hashing 192.168.1.5[500] with algo #2 
2013-01-09 10:11:22: INFO: NAT-D payload #1 verified
2013-01-09 10:11:22: INFO: NAT not detected 
2013-01-09 10:11:22: [192.168.1.5] INFO: Hashing 192.168.1.5[500] with algo #2 
2013-01-09 10:11:22: [192.168.1.35] INFO: Hashing 192.168.1.35[500] with algo #2 
2013-01-09 10:11:22: INFO: Adding remote and local NAT-D payloads.
2013-01-09 10:11:22: [192.168.1.5] INFO: received INITIAL-CONTACT
2013-01-09 10:11:22: INFO: ISAKMP-SA established 192.168.1.35[500]-192.168.1.5[500] spi:d3ef6ddca54798b4:64b2c9272120cba1
2013-01-09 10:11:25: NOTIFY: the packet is retransmitted by 192.168.1.5[500] (1).
2013-01-09 10:11:28: NOTIFY: the packet is retransmitted by 192.168.1.5[500] (1).
2013-01-09 10:11:31: NOTIFY: the packet is retransmitted by 192.168.1.5[500] (1).
2013-01-09 10:11:43: NOTIFY: the packet is retransmitted by 192.168.1.5[500] (1).
2013-01-09 10:12:07: [192.168.1.5] INFO: DPD: remote (ISAKMP-SA spi=d3ef6ddca54798b4:64b2c9272120cba1) seems to be dead.
2013-01-09 10:12:07: INFO: purging ISAKMP-SA spi=d3ef6ddca54798b4:64b2c9272120cba1.
2013-01-09 10:12:07: INFO: purged ISAKMP-SA spi=d3ef6ddca54798b4:64b2c9272120cba1.
2013-01-09 10:12:07: INFO: ISAKMP-SA deleted 192.168.1.35[500]-192.168.1.5[500] spi:d3ef6ddca54798b4:64b2c9272120cba1
```

Although others claim that this should work, I never put much effort into this, because a VPN in a LAN does not seem too useful to me.

Anyway, could you please post your racoon.log as well as your racoon.conf and mpd5.conf. I would compare them against mine.

Best regards

Rolf


----------



## carp (Jan 9, 2013)

[SOLVED]

Hej,

I got it working by deleting the VPN settings on the iOS device and re-creating them from scratch. Only the Ghost in the Great Machine knows what misconfigured artefacts lingered in the background. :\  Sorry, I could have tried this before posting.



			
rolfheinrich said:

> Sorry, it didn't jump directly into my mind, that client and server are in the same local network.
> 
> I have to admit, that neither my Mac nor my iPhone would connect to my VPN server sitting in the same local network. In my setup, these kind of connection attempts are already failing in racoon. I just tried it again from my Mac:
> 
> ...



Yes, I was able to connect from the same network. My guess is the problems arise when mpd distributes an IP address pool from the same net, which it wasn't in my case: it listened on 192.168.*1*.23:1701 and distributed IP addresses from 192.168.*0*/24.

I agree that a VPN in a LAN does not seem to be too useful (except for a Wifi connection), but I was happy to have had direct access so as to eliminate all problems originating from NAT, bad routing and the like.

Cheers for your help!
-Carsten


----------



## jmartinez (Jan 15, 2013)

I am trying to configure a VPN server based on L2TP over IPsec. I tried to do it on Debian but I couldn't. So, I was reading a lot about it and I heard that it would be easier with BSD.

I decided to try it with a Xen-based VM, following this guide: http://wiki.stocksy.co.uk/wiki/L2TP_VPN_in_FreeBSD. But I can't make it work at all. I am always getting this error if I try to connect from OSX:


```
ERROR: no configuration found for 46.232.124.12.
    ERROR: failed to begin ipsec sa negotication.
```
If I try to connect from my iPhone it gets stuck on:


```
INFO: received Vendor ID: DPD
    [46.232.124.12] INFO: Selected NAT-T version: RFC 3947
    NOTIFY: the packet is retransmitted by 46.232.124.12[500] (1).
    NOTIFY: the packet is retransmitted by 46.232.124.12[500] (1).
    NOTIFY: the packet is retransmitted by 46.232.124.12[500] (1).
    ERROR: phase1 negotiation failed due to time up. cc9f6dd769f9aa0d:b02b5a31612f199b
```
*Configuration files:*

```
94.28.23.24 --------> Dom0 public Internet ip
172.69.0.1 ----------> Dom0 private LAN ip
172.69.0.11 ---------> DomU private LAN ip
46.232.124.12 ---> My home public Internet ip
```
/usr/local/etc/racoon/racoon.conf

```
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

listen
{
        isakmp           172.69.0.11 [500];
        isakmp_natt      172.69.0.11 [4500];
        strict_address;
}

remote anonymous
{
        exchange_mode    main;
        passive          on;
        proposal_check   obey;
        support_proxy    on;
        nat_traversal    on;
        ike_frag         on;
        dpd_delay        20;

        proposal
        {
                encryption_algorithm  aes;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }

        proposal
        {
                encryption_algorithm  3des;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }
}

sainfo anonymous
{
        encryption_algorithm     aes,3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm    deflate;
        pfs_group                modp1024;
}
```
/usr/local/etc/racoon/setkey.conf

```
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in  ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
```

/usr/local/etc/mpd5/mpd.conf

```
startup:
        # configure mpd users
        set user super pwSuper admin
        # configure the console
        set console self 127.0.0.1 5005
        set console open
        # configure the web server
        set web self 0.0.0.0 5006
        set web open

default:
        load l2tp_server

l2tp_server:
# Define dynamic IP address pool - these are the IP addresses which will be
# allocated to our remote clients when they join the LAN
        set ippool add pool_l2tp 172.69.0.120 172.69.0.130

# Create clonable bundle template named B_l2tp
        create bundle template B_l2tp
        set iface enable proxy-arp
        set iface enable tcpmssfix
        set ipcp yes vjcomp
# Specify IP address pool for dynamic assigment.
        set ipcp ranges 172.69.0.11/24 ippool pool_l2tp
        # an accessible DNS server for clients to use
        set ipcp dns 172.69.0.2

# Create clonable link template named L_l2tp
        create link template L_l2tp l2tp
# Set bundle template to use
        set link action bundle B_l2tp
# Multilink adds some overhead, but gives full 1500 MTU.
        set link enable multilink
        set link no pap chap eap
        set link enable chap
        set link keep-alive 0 0
# We reducing link mtu to avoid ESP packet fragmentation.
        set link mtu 1280
# Configure L2TP
        set l2tp self 172.69.0.11
        set l2tp enable length
# Allow to accept calls
        set link enable incoming
```
/usr/local/etc/mpd5/mpd.secret

```
javi      "pwTest"
```

As I said, this FreeBSD is running as DomU. So, I have a shorewall in Dom0 for all VMs. These are the rules corresponding to that VM:

```
## L2TP IPSEC
DNAT            inet                               road:172.69.0.11                tcp     1701    -       94.28.23.24
DNAT            inet                               road:172.69.0.11                udp     1701    -       94.28.23.24
DNAT            inet                               road:172.69.0.11                udp     4500    -       94.28.23.24
DNAT            inet                               road:172.69.0.11                udp     500     -       94.28.23.24
```


----------



## Anonymous (Jan 15, 2013)

The errors look to me like something with NAT/Firewall is wrong. However, I cannot be of any help here, because I never heard of Xen, Dom0, DomU, shorewall, etc. I am sorry for not having a better answer for you.


----------



## jmartinez (Jan 16, 2013)

Is this log not telling you anything?


```
ERROR: fatal parse failure (1 errors)
INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
INFO: @(#)This product linked OpenSSL 0.9.8x 10 May 2012 (http://www.openssl.org/)
INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
INFO: 172.69.0.11[4500] used for NAT-T
INFO: 172.69.0.11[4500] used as isakmp port (fd=4)
INFO: 172.69.0.11[500] used for NAT-T
INFO: 172.69.0.11[500] used as isakmp port (fd=5)
ERROR: such policy already exists. anyway replace it: 0.0.0.0/0[0] 0.0.0.0/0[1701] proto=udp dir=in
ERROR: such policy already exists. anyway replace it: 0.0.0.0/0[1701] 0.0.0.0/0[0] proto=udp dir=out
```

Thank you anyway


----------



## Anonymous (Jan 16, 2013)

jmartinez said:

> This log is not telling you anything?
> 
> 
> ```
> ...



OK, let's analyze it:


- I am missing the timestamps.
- I guess the first error is from a previous launch of racoon: you changed its configuration and made a mistake, which you corrected for the next launch.
- I have already seen a lot of errors in racoon.log, but never (2) and (3), and I guess that your changes to racoon.conf still didn't work out, so you need to change it once again. Best would be to reset it to the working configuration of others.

Please try (in the given sequence):

`# service ipsec restart`
`# service racoon restart`
`# service mpd5 restart`

Then start another VPN connection trial from your Mac and send us the complete racoon.log.

I would also like to suggest that you configure a test http server on the same machine and open and NAT-redirect port 80 in your shorewall. Before spending any more work on the VPN setup, I would make sure that a simple http connection from outside works.


----------



## jmartinez (Jan 16, 2013)

I tried last night to compile and configure it from scratch in Debian and I was successful. Anyway, thank you and thanks for your time. Appreciated.


----------



## Vovka (Jan 22, 2013)

Hello all!
Rolf, thank you for howto



			
rolfheinrich said:

> After applying kernel and racoon patches from the following two sources ...:
> 
> http://www.freebsd.org/cgi/query-pr.cgi?pr=146190
> http://lists.freebsd.org/pipermail/freebsd-stable/2012-May/067416.html
> ...



My design:

```
[FreeBSD 8.3 stable l2tp/ipsec server] <-> [internet] <-> [my provider] <-> [my NAT device] <-> [LAN]
```
It works!
But if I try to connect a second device from my LAN, it can't establish a connection. You wrote "dial-in of more than 1 client behind the same NAT". Can you connect more than one client simultaneously behind the same NAT?


----------



## Anonymous (Jan 23, 2013)

Vovka said:

> ...
> My design:
> 
> ```
> ...



Yes, I tried it with up to 4 clients behind the same NAT, among these, one Windows 7 in a VirtualBox.

Did you apply all the kernel patches and did you re-build and re-install the kernel?
Did you apply the other racoon patches, and re-install racoon?

Then, in /usr/local/etc/racoon/racoon.conf change the setting generate_policy:


```
...
        generate_policy  unique;
...
```

In addition, in /usr/local/etc/racoon/setkey.conf remove or comment out the spdadd directives, because with generate_policy unique, racoon will create unique SPD entries on each connection request:


```
flush;
spdflush;
#spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in  ipsec esp/transport//require;
#spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
```

Do not forget, to set sysctl net.inet.esp.esp_ignore_natt_cksum=1.
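The three settings named above (generate_policy unique, no static spdadd directives, the sysctl) only work together. As an added example, not part of this post nor of racoon or setkey, the following Python check reads the three configuration texts and reports any mismatch between them; the sample inputs are constructed from the files quoted in this thread.

```python
"""Consistency check for the multi-client-behind-NAT setup described above:
generate_policy unique in racoon.conf, no static spdadd in setkey.conf, and
net.inet.esp.esp_ignore_natt_cksum=1.

Added example, not part of the thread.  It inspects configuration text only;
the BEFORE/AFTER inputs are constructed from the files quoted in this thread."""
import re

RACOON_BEFORE = """\
remote anonymous
{
        exchange_mode    main;
        passive          on;
        nat_traversal    on;
        proposal
        {
                encryption_algorithm  aes;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }
}
"""
RACOON_AFTER = RACOON_BEFORE.replace(
    "nat_traversal    on;",
    "nat_traversal    on;\n        generate_policy  unique;")

SETKEY_BEFORE = """\
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in  ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
"""
SETKEY_AFTER = "\n".join(("#" + l if l.startswith("spdadd") else l)
                         for l in SETKEY_BEFORE.splitlines()) + "\n"

# Constructed output of "sysctl net.inet.esp.esp_ignore_natt_cksum".
SYSCTL_BEFORE = "net.inet.esp.esp_ignore_natt_cksum: 0\n"
SYSCTL_AFTER = "net.inet.esp.esp_ignore_natt_cksum: 1\n"


def racoon_generate_policy(racoon_conf):
    """Value of generate_policy inside the first 'remote' block, else None."""
    in_remote, depth = False, 0
    for raw in racoon_conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # racoon.conf uses # comments
        if not line:
            continue
        if not in_remote:
            in_remote = line.startswith("remote ")
            if not in_remote:
                continue
        depth += line.count("{") - line.count("}")
        m = re.match(r"generate_policy\s+(\w+)\s*;", line)
        if m:
            return m.group(1)
        if depth == 0 and "}" in line:           # closing brace of the remote block
            in_remote = False
    return None


def active_spdadd(setkey_conf):
    """spdadd directives that are not commented out."""
    return [l.strip() for l in setkey_conf.splitlines()
            if l.strip().startswith("spdadd")]


def natt_cksum_ignored(sysctl_output):
    """True when the sysctl output shows esp_ignore_natt_cksum set to 1."""
    m = re.search(r"net\.inet\.esp\.esp_ignore_natt_cksum[:=]\s*(\d+)", sysctl_output)
    return bool(m) and m.group(1) == "1"


def check_multi_client_nat(racoon_conf, setkey_conf, sysctl_output):
    """Return a list of findings; an empty list means the three settings agree."""
    findings = []
    policy = racoon_generate_policy(racoon_conf)
    spds = active_spdadd(setkey_conf)
    if policy != "unique":
        findings.append("racoon.conf: generate_policy is %r; set it to 'unique' so "
                        "racoon creates one SPD pair per connection" % policy)
    if policy == "unique" and spds:
        findings.append("setkey.conf: %d static spdadd line(s) still active; comment "
                        "them out, racoon now generates the policies" % len(spds))
    if policy != "unique" and not spds:
        findings.append("setkey.conf: no spdadd lines and racoon does not generate "
                        "policies, so UDP 1701 is not protected by IPsec")
    if not natt_cksum_ignored(sysctl_output):
        findings.append("sysctl net.inet.esp.esp_ignore_natt_cksum must be 1 with the "
                        "kern/146190 kernel patch, or every NAT-T connection is dropped")
    return findings


if __name__ == "__main__":
    print("before:", check_multi_client_nat(RACOON_BEFORE, SETKEY_BEFORE, SYSCTL_BEFORE))
    print("after: ", check_multi_client_nat(RACOON_AFTER, SETKEY_AFTER, SYSCTL_AFTER))
```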


----------



## srivo (Feb 5, 2013)

Rolf,

Thanks for this great How-to! I still have one small issue. Even though I'm able to see and connect to all machines on my remote network, I can't connect to those machines using their names. I need to connect to them using the IP address. So Time Machine doesn't recognize 192.168.2.23 as its original Time Capsule drive. Any idea to solve that?

I'm using your first type of configuration. My VPN server is in the DMZ of the router.

Thanks,

Serge


----------



## Anonymous (Feb 5, 2013)

srivo said:

> ... Even if I'm able to see and connect on all machine on my remote network. I can't connect to those machine using their name. I need to connect to them using the IP adress. So time machine doesn't recognize 192.168.2.23 as is original Time Capsule drive. Any idea to solve that. ...



I do not own a Time Capsule, however, I assume that it announces its services to the local network by multicast DNS, i.e. Bonjour. Multicast packets are limited to the LAN, and net/mpd5 does not forward them, so the VPN clients cannot take notice of the announced service names.

If you want to connect to the local machines from a remote VPN client by name, then you could setup a local name server on your FreeBSD machine that hosts the VPN server, and make the client use this name server.

Another possible option would be to edit the file /etc/hosts on your Mac, and put a name/IP pair for your Time Capsule in there.

Finally, are you sure, that Time Capsule does not accept access by IP? I setup a Time Machine volume on my FreeBSD server using net/netatalk and I can use this by IP address (and also Bonjour from within the LAN).


----------



## srivo (Feb 6, 2013)

Rolf,

I was trying to avoid using IP because I think for Time Machine it will be a different drive and I will lose my actual backup. Adding IP/name in /etc/hosts looks to be the best solution so far.

But even if I see the Time Capsule and Time Machine detects it, it has not been able to connect to the drive. I will need to investigate further on that!

Thanks


----------



## Anonymous (Feb 6, 2013)

srivo said:

> ... I was trying to avoid using IP because I think for time machine it will be a different drive and I will loose my actual backup. ...



I can access my Time Machine volume on my FreeBSD server either by IP or by name, and in each case the Mac client recognizes and accepts its designated backup. My understanding is that on backup-store creation the drive UUID of the client is stored into the backup store, and as long as this doesn't change, the client will connect to the backup either way. I cannot talk for Time Capsule, however, I would be very surprised if it works differently in this respect.



			
srivo said:

> But even if I see the Time Capsule and Time Machine detect it, It as not been able to connect to the drive. ...



Can you connect to other AFP volumes via VPN?


----------



## srivo (Feb 7, 2013)

It works when I use my FreeBSD for Time Machine, but I didn't succeed using Time Capsule. I will need to try again!


----------



## jef (Jul 25, 2013)

PR 146190 seems to still be open, but the patches linked in http://www.freebsd.org/cgi/query-pr.cgi?pr=146190#reply2 are on a URI that apparently no longer has DNS providing an address.

Are these patches still required for 9.1-STABLE to have multiple clients of the VPN with NAT?

If so, is there another source for the patches?

Thanks!

Jeff


----------



## Anonymous (Jul 28, 2013)

jef said:

> PR kern/146190 seems to still be open, but the patches linked in http://www.freebsd.org/cgi/query-pr.cgi?pr=146190#reply2 are on a URI that apparently no longer has DNS providing an address.



Yes, it seems they have gone.



> Are these patches still required for 9.1-STABLE to have multiple clients of the VPN with NAT?



I cannot tell anything on 9.1-STABLE, I am working with 9.1-RELEASE.



> If so, is there another source for the patches?



The patches that were present at the link you have given were quite old, however, I could still apply them to /usr/src/sys and security/ipsec-tools. Only ipsec_natt.v4.diff generated a lot of warnings about "offset lines". In addition I added also the changes suggested on http://lists.freebsd.org/pipermail/freebsd-stable/2012-May/067416.html. So at that time, I decided to generate a clean new patch which contains all changes in one .diff-file and which can be applied to /usr/src/sys without warnings. I attached this file named ipsec-patches.diff to this message.

Make a backup, then:
`# cd /usr/src`
`# patch -p1 < /path/to/ipsec-patches.diff`

Then rebuild the kernel.

I attached to this message also the complete set (including the already known ones) of the patches for the security/ipsec-tools in one .zip-archive. The content of this archive has to be added into /usr/ports/security/ipsec-tools/files/.

Then rebuild security/ipsec-tools.

Please report back your experience with 9.1-STABLE.


----------



## katta (Aug 16, 2013)

Thank you so much, @rolfheinrich!


----------



## dkorzhevin (Aug 16, 2013)

Hi!

Can anyone please tell if these patches have already been included upstream?


----------



## Anonymous (Aug 16, 2013)

dkorzhevin said:

> Can anyone please tell if these patches have already been included upstream?



Experiment:

`$ mkdir -p head-base/sys`
`$ cd head-base`
`$ svn co http://svn0.us-east.freebsd.org/base/head/sys/netinet sys/netinet`
`$ svn co http://svn0.us-east.freebsd.org/base/head/sys/netipsec sys/netipsec`
`$ patch -p1 < /path/to/ipsec-patches.diff`

Result:

```
patching file sys/netinet/tcp_input.c
Hunk #1 succeeded at 695 (offset -10 lines).
patching file sys/netipsec/esp_var.h
Hunk #1 FAILED at 77.
1 out of 1 hunk FAILED -- saving rejects to file sys/netipsec/esp_var.h.rej
patching file sys/netipsec/ipsec_input.c
patching file sys/netipsec/key.c
Hunk #2 succeeded at 1314 (offset -1 lines).
Hunk #3 succeeded at 2958 (offset -6 lines).
Hunk #4 succeeded at 3084 (offset -6 lines).
Hunk #5 succeeded at 3507 (offset -6 lines).
Hunk #6 succeeded at 3789 (offset -17 lines).
Hunk #7 FAILED at 4111.
Hunk #8 succeeded at 4709 (offset -18 lines).
Hunk #9 succeeded at 4800 (offset -18 lines).
Hunk #10 succeeded at 5148 (offset -18 lines).
Hunk #11 succeeded at 5250 (offset -18 lines).
Hunk #12 succeeded at 5466 (offset -18 lines).
Hunk #13 succeeded at 5531 (offset -18 lines).
1 out of 13 hunks FAILED -- saving rejects to file sys/netipsec/key.c.rej
patching file sys/netipsec/keydb.h
patching file sys/netipsec/xform_esp.c
Hunk #1 FAILED at 78.
1 out of 1 hunk FAILED -- saving rejects to file sys/netipsec/xform_esp.c.rej
```

Conclusion:

The majority, i.e. 12 out of 15 hunks of the patch, can still be applied to the latest sources. The offsets indicate only that the respective source file was changed at other (perhaps unrelated) places. I examined the 3 rejects, and they are caused by some differences in the context lines of the hunks. This only means that these changes need to be done manually.

If anything of the patch would have been applied already to the sources, then those hunks would have failed with the message "Reversed (or previously applied) patch detected!".

Short answer:

Nothing of the patches is included upstream.


----------



## Anonymous (Sep 2, 2013)

In a PM, @brehtacz wrote me:



> I've connected Windows 7 to FreeBSD box (9.1 and 9.2-RC3).
> 
> Problem is that after disconnection I have to wait ~10 min before I successfully connect again. What is/could be a problem, are there any timers to set in config? Sysctl tuning?



I could reproduce the problem. When a Windows client disconnects, for some reason only the SA for the outgoing connection is removed, and the SA for the incoming connection turns stale and prevents the client from connecting again. The workaround is to tear down any stale SAs by a script:

`nano /usr/local/etc/racoon/tear_down.sh`

```sh
#!/bin/sh
# Called by racoon as phase1_down/phase1_dead script. racoon passes the
# peer and local endpoints in the environment variables REMOTE_ADDR,
# REMOTE_PORT, LOCAL_ADDR and LOCAL_PORT.

# Escape the dots of the remote address and append "\[port\]", so that the
# remote endpoint can be used as a literal pattern in sed.
REMOTE_NAT="`echo $REMOTE_ADDR | /usr/bin/sed "s/\./\\\\\./g"`\[$REMOTE_PORT\]"

# Look for an SA of this remote endpoint in the dump of setkey and extract
# its decimal SPI (empty string when no such SA is left).
REMOTE_SPI="`/usr/local/sbin/setkey -D | /usr/bin/sed -n "N;/.*$REMOTE_NAT.*spi=/{s///;s/(.*//;p;}"`"

# Delete the stale SAs one by one until none of this endpoint is left.
# TRIES bounds the loop, so a delete that does not take effect cannot spin forever.
TRIES=0
while [ "$REMOTE_SPI" != "" ] && [ $TRIES -lt 10 ] ; do
   TRIES=$((TRIES + 1))

   echo "tear down SA: delete $REMOTE_ADDR[$REMOTE_PORT] $LOCAL_ADDR[$LOCAL_PORT] esp-udp $REMOTE_SPI;" >> /var/log/racoon.log
   echo "delete $REMOTE_ADDR[$REMOTE_PORT] $LOCAL_ADDR[$LOCAL_PORT] esp-udp $REMOTE_SPI;" | /usr/local/sbin/setkey -c

   REMOTE_SPI="`/usr/local/sbin/setkey -D | /usr/bin/sed -n "N;/.*$REMOTE_NAT.*spi=/{s///;s/(.*//;p;}"`"

done
```
`chmod ugo+x /usr/local/etc/racoon/tear_down.sh`

Then in /usr/local/etc/racoon/racoon.conf add two script entries. For the record, here comes my whole racoon.conf:

```
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
path certificate    "/usr/local/etc/racoon/certs";

listen
{
	isakmp		 192.168.x.y [500];
	isakmp_natt	 192.168.x.y [4500];
	strict_address;
}

remote anonymous
{
	exchange_mode    main;
	certificate_type x509 "service.crt" "service.key";
	ca_type          x509 "ca.crt";
	verify_cert      off;
	my_identifier    asn1dn;
	passive          on;
	generate_policy	 unique;
	proposal_check   obey;
	support_proxy    on;
	nat_traversal    on;
	ike_frag         on;
	dpd_delay        10;
	dpd_retry         2;
	dpd_maxfail       2;
	script           "/usr/local/etc/racoon/tear_down.sh" phase1_down;
	script           "/usr/local/etc/racoon/tear_down.sh" phase1_dead;

	proposal
	{
		encryption_algorithm  aes;
		hash_algorithm        sha1;
		authentication_method pre_shared_key;
		dh_group	      modp1024;
	}

	proposal
	{
		encryption_algorithm  3des;
		hash_algorithm        sha1;
		authentication_method pre_shared_key;
		dh_group	      modp1024;
	}

	proposal
	{
		encryption_algorithm  aes;
		hash_algorithm        sha1;
		authentication_method rsasig;
		dh_group	      modp1024;
	}

	proposal
	{
		encryption_algorithm  3des;
		hash_algorithm        sha1;
		authentication_method rsasig;
		dh_group	      modp1024;
	}
}

sainfo anonymous
{
	encryption_algorithm     aes,3des;
	authentication_algorithm hmac_sha1,hmac_md5;
	compression_algorithm    deflate;
	pfs_group		 modp1024;
}
```

Perhaps you need to remove the certificate stuff and the proposals for RSA signature authentication.
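As an added example, not the script from the post above, here is a variant of the tear-down that walks each SA entry of the `setkey -D` dump as a unit instead of pairing dump lines with sed's `N`, matches the peer endpoint in either direction and handles plain `esp` as well as `esp-udp` SAs. The dump in SAMPLE_DUMP is constructed in the layout of setkey(8) output; the racoon variables REMOTE_ADDR and REMOTE_PORT are the same ones the post's script relies on, and the function names are my own.

```shell
#!/bin/sh
# Added example: find the IPsec SAs of one peer endpoint in a "setkey -D"
# dump and emit the matching setkey delete commands.

# Print one line "<src> <dst> <proto> <spi>" per SA whose source or
# destination is "$1[$2]". The setkey -D dump is read from standard input.
stale_sas() {
    awk -v want="$1[$2]" '
        { first = substr($0, 1, 1) }
        # A non-indented line "src dst" opens a new SA entry.
        first != " " && first != "\t" && NF >= 2 { src = $1; dst = $2; next }
        # The indented line "esp-udp mode=... spi=<dec>(<hex>) ..." carries
        # the protocol and the SPI of the entry opened last.
        (src == want || dst == want) && $2 ~ /^mode=/ && match($0, /spi=[0-9]+/) {
            print src, dst, $1, substr($0, RSTART + 4, RLENGTH - 4)
        }
    '
}

# Build the delete command for every SA of peer "$1[$2]". With "-n" the
# commands are only printed; without it they are fed to "setkey -c".
# From a racoon phase1_down/phase1_dead hook this is:
#   /usr/local/sbin/setkey -D | tear_down "$REMOTE_ADDR" "$REMOTE_PORT"
tear_down() {
    dryrun=""
    if [ "$1" = "-n" ]; then dryrun=yes; shift; fi
    stale_sas "$1" "$2" | while read -r src dst proto spi; do
        cmd="delete $src $dst $proto $spi;"
        if [ -n "$dryrun" ]; then
            printf '%s\n' "$cmd"
        else
            printf '%s\n' "$cmd" | /usr/local/sbin/setkey -c
        fi
    done
}

# Constructed sample in the layout of "setkey -D": both SAs of a NAT-T peer
# (203.0.113.50 behind NAT, server 198.51.100.53) and one SA of another
# client that must be left alone.
SAMPLE_DUMP='203.0.113.50[50706] 198.51.100.53[4500]
	esp-udp mode=transport spi=160493464(0x0990ef98) reqid=0(0x00000000)
	E: aes-cbc  0123456789abcdef 0123456789abcdef
	A: hmac-sha1  00000000 00000000 00000000 00000000 00000000
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.53[4500] 203.0.113.50[50706]
	esp-udp mode=transport spi=233019322(0x0de397ba) reqid=0(0x00000000)
	E: aes-cbc  0123456789abcdef 0123456789abcdef
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.7[4500] 198.51.100.53[4500]
	esp-udp mode=transport spi=305419896(0x12345678) reqid=0(0x00000000)
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
'

# Dry run against the constructed sample: prints the two delete commands
# for the peer, one per direction, and nothing for the other client.
printf '%s' "$SAMPLE_DUMP" | tear_down -n 203.0.113.50 50706
```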


----------



## brehtacz (Sep 3, 2013)

Thank you @rolfheinrich for tips about IPsec etc..

What I managed: Windows 7 (behind NAT) connects to FreeBSD 9.2-RC3. For FreeBSD I've used patches from post http://forums.freebsd.org/showthread.php?p=228384#post228384

For Windows 7 I've added and changed in the Registry the AssumeUDPEncapsulationContextOnSendRule key (set to 2).

I used your script (post http://forums.freebsd.org/showpost.php?p=231620&postcount=86).

Everything works, but why can I see something like this in my racoon.log:

```
Start VPN Connection
2013-09-03 13:40:07: INFO: respond new phase 1 negotiation: xx.xx.xx.53[500]<=>xx.xx.xx.50[57229]
2013-09-03 13:40:07: INFO: begin Identity Protection mode.
2013-09-03 13:40:07: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
2013-09-03 13:40:07: INFO: received Vendor ID: RFC 3947
2013-09-03 13:40:07: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2013-09-03 13:40:07: INFO: received Vendor ID: FRAGMENTATION
2013-09-03 13:40:07: [xx.xx.xx.50] INFO: Selected NAT-T version: RFC 3947
2013-09-03 13:40:07: ERROR: invalid DH group 20.
2013-09-03 13:40:07: ERROR: invalid DH group 19.
2013-09-03 13:40:07: [xx.xx.xx.53] INFO: Hashing xx.xx.xx.53[500] with algo #2
2013-09-03 13:40:07: INFO: NAT-D payload #0 verified
2013-09-03 13:40:07: [xx.xx.xx.50] INFO: Hashing xx.xx.xx.50[57229] with algo #2
2013-09-03 13:40:07: INFO: NAT-D payload #1 doesn't match
2013-09-03 13:40:07: INFO: NAT detected: PEER
2013-09-03 13:40:07: [xx.xx.xx.50] INFO: Hashing xx.xx.xx.50[57229] with algo #2
2013-09-03 13:40:07: [xx.xx.xx.53] INFO: Hashing xx.xx.xx.53[500] with algo #2
2013-09-03 13:40:07: INFO: Adding remote and local NAT-D payloads.
2013-09-03 13:40:07: INFO: NAT-T: ports changed to: xx.xx.xx.50[50706]<->xx.xx.xx.53[4500]
2013-09-03 13:40:07: INFO: KA list add: xx.xx.xx.53[4500]->xx.xx.xx.50[50706]
2013-09-03 13:40:07: INFO: ISAKMP-SA established xx.xx.xx.53[4500]-xx.xx.xx.50[50706] spi:4337188e650fd11a:1aeab936af7b4376
2013-09-03 13:40:07: INFO: respond new phase 2 negotiation: xx.xx.xx.53[4500]<=>xx.xx.xx.50[50706]
2013-09-03 13:40:07: INFO: Update the generated policy : xx.xx.xx.50/32[1701] xx.xx.xx.53/32[1701] proto=udp dir=in
2013-09-03 13:40:07: INFO: Adjusting my encmode UDP-Transport->Transport
2013-09-03 13:40:07: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
2013-09-03 13:40:07: INFO: IPsec-SA established: ESP/Transport xx.xx.xx.53[500]->xx.xx.xx.50[500] spi=160493464(0x990ef98)
2013-09-03 13:40:07: INFO: IPsec-SA established: ESP/Transport xx.xx.xx.53[500]->xx.xx.xx.50[500] spi=233019322(0xde397ba)
-----------------------------------------------------

Stop VPN Connection
2013-09-03 13:41:03: INFO: deleting a generated policy.
2013-09-03 13:41:03: INFO: purged IPsec-SA proto_id=ESP spi=233019322.
2013-09-03 13:41:03: ERROR: pfkey X_SPDDELETE failed: Invalid argument
2013-09-03 13:41:03: ERROR: pfkey X_SPDDELETE failed: Invalid argument
2013-09-03 13:41:03: INFO: ISAKMP-SA expired xx.xx.xx.53[4500]-xx.xx.xx.50[50706] spi:4337188e650fd11a:1aeab936af7b4376
2013-09-03 13:41:03: INFO: ISAKMP-SA deleted xx.xx.xx.53[4500]-xx.xx.xx.50[50706] spi:4337188e650fd11a:1aeab936af7b4376
2013-09-03 13:41:03: INFO: KA remove: xx.xx.xx.53[4500]->xx.xx.xx.50[50706]
tear down SA: delete xx.xx.xx.50[50706] xx.xx.xx.53[4500] esp-udp 160493464;
2013-09-03 13:41:03: INFO: unsupported PF_KEY message REGISTER
2013-09-03 13:41:03: ERROR: no iph2 found: ESP xx.xx.xx.50[500]->xx.xx.xx.53[500] spi=160493464(0x990ef98)
-----------------------------------------------------
```

Questions:

1. Why

```
2013-09-03 13:40:07: INFO: NAT-D payload #1 doesn't match
```

if there is a password defined in psk.txt? Password is defined (* - patched IPSec, and for specific IP).

2.

```
2013-09-03 13:41:03: ERROR: pfkey X_SPDDELETE failed: Invalid argument
```

3. What does it mean? What's wrong?

```
2013-09-03 13:40:07: ERROR: invalid DH group 20 (19)
```


Thanks,
Tomas.


----------



## Anonymous (Sep 3, 2013)

brehtacz said:

> ...
> Everything works, but why in my racoon.log I can see something like this:
> 
> ```
> ...



Well, the tear down script is working as it should. I see the final error "... no iph2 found ..." on my VPN server as well in the course of deleting the stale SA, and my best educated guess is that this ESP link has been removed just before in the course of the regular disconnection sequence. So, I tend to simply ignore this error message.



			
brehtacz said:

> Questions:
> 1. Why
> 
> 
> ...



I see this as well, even when connecting with iOS or Mac OS X clients. Only in these cases payload #0 doesn't match and payload #1 is verified. I guess that this is simply sort of a log of the negotiation sequence between clients and server.



			
brehtacz said:

> 2.
> 
> 
> 
> ...



I see this as well, and this started to occur after I applied the kernel patches. There seems to be a mismatch now between the key management in the kernel and its accessors in the ipsec-tools. Actually because of this, the uniquely created SPD's are not removed in the course of the disconnection sequence. This is not exactly nice, but also not that mission critical, since the SPD's are removed automatically after life-time expiration of 3600 s.

I didn't come to investigate this further.



			
brehtacz said:

> 3. What does it mean? What's wrong?
> 
> 
> 
> ...



This is not a big deal. The maximum Diffie-Hellman group that racoon knows is 18. Windows starts trying with 20, then 19, and negotiates on 18, i.e. the DH group that both know.


----------



## sukosevato (Sep 7, 2013)

For those wondering, it is perfectly possible to connect to a FreeBSD machine with a Windows client using this howto. I've got it working with mpd5 + racoon on FreeBSD 9.1 by using roughly this guide. I can connect with Windows clients by using the Shrew Soft VPN client. Works perfectly. All clients connect from behind a NAT. The FreeBSD server is also behind a NAT.


----------



## Anonymous (Sep 7, 2013)

sukosevato said:

> For those wondering, it is perfectly possible to connect to a FreeBSD machine with a Windows client using this howto. I've got it working with mpd5 + racoon on FreeBSD 9.1 by using roughly this guide.



Are you referring to the mere howto (posts #1-3 only) of this thread, or did you apply the complete set of ipsec-tool and kernel patches revealed in post #82?



			
sukosevato said:

> I can connect with Windows clients by using the Shrew Soft VPN client. Works perfectly. All clients connect from behind a NAT. The FreeBSD server is also behind a NAT.



Note, with the complete set of patches applied, Windows 7 clients can connect from behind NAT utilizing its built-in VPN software, so there is no need to switch to a commercial one. These patches resolve also another issue with all sorts of clients, namely, finally many clients may concurrently connect from behind the same NAT to the VPN server. This was impossible without the kernel patches, because the standard ipsec key management in the kernel did not honour remote port numbers and became confused by more than one connection from the same remote IP.


----------



## sukosevato (Sep 7, 2013)

rolfheinrich said:

> Are you referring to the mere howto (posts #1-3 only) of this thread, or did you apply the complete set of ipsec-tool and kernel patches revealed in post #82?



I'm referring to the Howto and the first two patches, so patch-zz-local-0.diff and patch-zz-local-1.diff. Those other patches weren't available yet when I configured it in the beginning of July. The reason I replied that I got it working with shrewsoft was because of this in the beginning of the Howto:



			
rolfheinrich said:

> I was not able to establish a connection with a Windows 7 client, since Windows seems to directly establish connections to racoon on ports 500 and 4500 and by this bypassing mpd5, which is waiting for incoming calls at port 1701.



Might want to change that if it does work now with the additional patches 

Good to see that patches have been created so it works natively as well. Any chance these patches will get added to the ports / included in racoon?

Thanks a lot for the Howto BTW!


----------



## ronjns (Oct 1, 2013)

*Works with PF and DDNS too, no shell script needed*

Supplementing Rolf's excellent guide - Thank You again Rolf! -, there's one other article that details how to make this work if you use PF instead of IPFW to filter out the curious. Link: http://wiki.stocksy.co.uk/wiki/L2TP_VPN_in_FreeBSD

Based on these two astounding articles, I'd like to share my experience setting up my SOHO FreeBSD router/ firewall and make it work with PF, No-IP and dynamic public IP without any shell script.

First and foremost my FreeBSD router/ firewall box (this is important, my proven working configuration may not work with your box's hardware setup):

- Runs FreeBSD 9.1-RELEASE-p7 #0, PF and No-IP versions from the latest ports collection
- Three NICs: 1st runs PPPoE with the ISP (dynamic IP), 2nd set up for an MTU 9000 private subnet (i.e. a.a.a.0/24), 3rd set up for an MTU 1500 private subnet (i.e. b.b.b.0/24)
- Routing/ forwarding is done by FreeBSD (net.inet.ip.forwarding: 1), NAT is done by PF
- DHCP is done by dhcpd toward both private subnets, version from the latest ports collection

Steps:

1. If you don't already have it, register with No-IP, choose a free public domain hostname (i.e. ironman.no-ip.org) and install the No-IP daemon from the ports collection.
2. I followed Rolf's Part I through II guide (i.e. steps 1 through 3.3) but removed the following section in step 3.1 (this will make racoon listen on all network interfaces):

```
listen
{
        isakmp           192.168.0.1 [500];
        isakmp_natt      192.168.0.1 [4500];
        strict_address;
}
```

Also in Rolf's step 3.2 in 'l2tp_server:' section, I modified the following entry:

```
# Define dynamic IP address pool.
        set ippool add pool_l2tp a.a.a.ax a.a.a.ay
```
where a.a.a.ax through a.a.a.ay (in my case) is the range within one of my private subnets that will be assigned to my VPN clients BUT ones that I will not assign to any of my DHCP clients nor my static private IP address servers.

And for the following entry I modified to this:

```
# Specify IP address pool for dynamic assigment.
        set ipcp ranges a.a.a.az/24 ippool pool_l2tp
        set ipcp dns c.c.c.c
        set ipcp dns d.d.d.d
```

Where a.a.a.az will be the IP address of my router/ firewall/ VPN server box end for tunnels established with VPN clients. It's a unique IP address within one of my private subnets range that's not gonna be assigned to my VPN client nor my DHCP client nor my static IP address servers. c.c.c.c and d.d.d.d are my ISP's DNS servers.

Lastly the following entry:

```
# Configure L2TP
        set l2tp self ironman.no-ip.org
```

Where ironman.no-ip.org is the free public domain hostname I got from No-IP i.e. the network interface that's running PPPoE with my ISP and getting dynamic public IP address.

Once done, every time my ISP assigns a new dynamic public IP address, racoon will automatically refresh the IP address it is listening to and racoon.log will show the following:

```
2013-09-30 20:42:41: INFO: mac:mac::mac:mac:mac:mac[500] used as isakmp port (fd=21)
2013-09-30 20:42:41: INFO: mac:mac::mac:mac:mac:mac[4500] used as isakmp port (fd=22)
2013-09-30 20:42:44: INFO: e.e.e.e[500] used for NAT-T
2013-09-30 20:42:44: INFO: e.e.e.e[500] used as isakmp port (fd=21)
2013-09-30 20:42:44: INFO: e.e.e.e[4500] used for NAT-T
2013-09-30 20:42:44: INFO: e.e.e.e[4500] used as isakmp port (fd=22)
```

Where e.e.e.e is the newly assigned dynamic public IP address from my ISP.

My pf.conf:

```
# MACROS
wan="tun0"

lan1="em0"
lan2="em1"

localsubnet1=$lan1:network
localsubnet2=$lan2:network

# PACKET NORMALIZATION
scrub in all

# TRANSLATION
nat on $wan from $localsubnet1 to any -> ($wan)
nat on $wan from $localsubnet2 to any -> ($wan)

# REDIRECTION

# PACKET FILTERING
antispoof log quick for ($wan)
block in log on $wan from any to any
pass in log on $lan1 from $localsubnet1 to any keep state
pass in log on $lan2 from $localsubnet2 to any keep state
pass out log on $wan from ($wan) to any keep state
pass in log on $wan proto udp from any to ($wan) port {1701, 500, 4500} keep state
pass in log on $wan proto esp from any to ($wan) keep state
pass quick log on ng0 all
pass quick log on ng1 all
pass quick log on ng2 all
```


----------



## ilemur (Oct 25, 2013)

Can somebody please post a short guide on steps necessary to patch for NAT-T under 9.2-RELEASE?


----------



## Anonymous (Oct 25, 2013)

ilemur said:

> Can somebody please post a short guide on steps necessary to patch for NAT-T under 9.2-RELEASE?



I am still on 9.1-RELEASE, and therefore I cannot tell whether the canonical procedure works on 9.2-RELEASE.

*Step 0:* Backup
Before patching the kernel make a backup of the affected sources - here I show the usage of clone(1) (sysutils/clone) for backing up and rolling back:
`# clone /usr/src/sys/netinet   ~/netinet.back`
`# clone /usr/src/sys/netipsec ~/netipsec.back`

*Step 1:* Patch and re-build the kernel
`# fetch -o ~/ipsec-patches.diff "http://forums.freebsd.org/attachment.php?attachmentid=1925&d=1375044887"`
`# openssl dgst -sha256 ~/ipsec-patches.diff`

```
SHA256(/root/ipsec-patches.diff)= 55a39ef4289de4276985553493bdb57ef80302afa876e9d7f4f41ecdefd970f5
```
`# cd /usr/src`
`# patch -p1 < ~/ipsec-patches.diff`

If the patch command succeeded, then re-build the kernel, and after this continue with step 3 below.

*Step 2:* Rolling-back (only if something went wrong)
If the patch command showed errors (not every warning is an error), then roll-back the sources, adapt the ~/ipsec-patches.diff hinted by the error messages, and then try it with the adapted .diff again. For rolling-back, you can use:
`# clone -dy ~/netinet.back /usr/src/sys/netinet`
`# clone -dy ~/netipsec.back /usr/src/sys/netipsec`

*Step 3:* Place the ipsec-tools patches into security/ipsec-tools and rebuild the ipsec-tools
`# fetch -o ~/ipsec-tools-patches.zip "http://forums.freebsd.org/attachment.php?attachmentid=1926&d=1375045090"`
`# unzip -jd /usr/ports/security/ipsec-tools/files ~/ipsec-tools-patches.zip`
`# openssl dgst -sha256 ~/ipsec-tools-patches.zip`

```
SHA256(/root/ipsec-tools-patches.zip)= 3045756e7999d5e6895af9559bcec022ef0a1c0a3c5664887257e2646f4619fd
```
`# cd /usr/ports/security/ipsec-tools`
`# make deinstall`
`# make install clean`

If you want to connect Windows clients, then you need to set the following sysctl to 1:

```
net.inet.esp.esp_ignore_natt_cksum=1
```

In addition, if both the server and the client are behind NAT, you need to hack the Windows 7 registry -- MS KB article 947234.

Furthermore, for some reason racoon fails to completely tear down the security associations when a doubly NATted Windows client disconnects. In this case install the tear down script that I already described here.

Some Android clients seem to have yet another problem with L2TP/IPsec.
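As an added example that is not part of the post, the same fetch-and-patch sequence with the digest check done before the diff is applied and before the zip is unpacked into the ports tree (step 3 above unzips first and checks afterwards). The URLs and digests are the ones given in the post; the helper names are my own, and the digest helper falls back to openssl(1) where neither sha256sum nor FreeBSD's sha256(1) is installed.

```shell
#!/bin/sh
# Added example: verify the SHA-256 of each downloaded attachment against the
# digest from the post, and only then touch /usr/src and the ports tree.

# Print the hex SHA-256 digest of file $1.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# Succeed only if the digest of file $1 equals the expected digest $2.
verify_sha256() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "digest mismatch for $1: expected $2, got $actual" >&2
    return 1
}

# Download URL $1 to $2 and keep it only if its digest is $3; a file with a
# wrong digest is removed so that a later step cannot apply it by accident.
fetch_verified() {
    fetch -o "$2" "$1" || return 1
    if ! verify_sha256 "$2" "$3"; then
        rm -f "$2"
        return 1
    fi
}

# The attachments and digests from the post, in verify-then-apply order.
# Not run here: it needs the network and root on the VPN server.
install_ipsec_patches() {
    fetch_verified "http://forums.freebsd.org/attachment.php?attachmentid=1925&d=1375044887" \
        "$HOME/ipsec-patches.diff" \
        55a39ef4289de4276985553493bdb57ef80302afa876e9d7f4f41ecdefd970f5 || return 1
    fetch_verified "http://forums.freebsd.org/attachment.php?attachmentid=1926&d=1375045090" \
        "$HOME/ipsec-tools-patches.zip" \
        3045756e7999d5e6895af9559bcec022ef0a1c0a3c5664887257e2646f4619fd || return 1
    # Only now touch the kernel sources and the ports tree.
    (cd /usr/src && patch -p1 < "$HOME/ipsec-patches.diff") || return 1
    unzip -jd /usr/ports/security/ipsec-tools/files "$HOME/ipsec-tools-patches.zip"
}
```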


----------



## ilemur (Nov 1, 2013)

rolfheinrich said:

> I am still on 9.1-RELEASE, and therefore I cannot tell whether the canonical procedure works on 9.2-RELEASE.



You provide great support. Thanks! Really appreciating it.
Well on 9.2-RELEASE everything goes smoothly - now testing ipsec-tools part

```
patch -p1 < ~/ipsec-patches.diff
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff -rup src/sys/netinet/tcp_input.c sru/sys/netinet/tcp_input.c
|--- src/sys/netinet/tcp_input.c        2012-11-04 14:26:51.000000000 -0200
|+++ sru/sys/netinet/tcp_input.c        2012-11-28 18:53:56.000000000 -0200
--------------------------
Patching file sys/netinet/tcp_input.c using Plan A...
Hunk #1 succeeded at 700 (offset -5 lines).
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff -rup src/sys/netipsec/esp_var.h sru/sys/netipsec/esp_var.h
|--- src/sys/netipsec/esp_var.h 2012-11-04 14:26:53.000000000 -0200
|+++ sru/sys/netipsec/esp_var.h 2012-11-28 18:53:56.000000000 -0200
--------------------------
Patching file sys/netipsec/esp_var.h using Plan A...
Hunk #1 succeeded at 79 with fuzz 1 (offset 2 lines).
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff -rup src/sys/netipsec/ipsec_input.c sru/sys/netipsec/ipsec_input.c
|--- src/sys/netipsec/ipsec_input.c     2012-11-04 14:26:53.000000000 -0200
|+++ sru/sys/netipsec/ipsec_input.c     2012-11-29 20:45:42.000000000 -0200
--------------------------
Patching file sys/netipsec/ipsec_input.c using Plan A...
Hunk #1 succeeded at 76.
Hunk #2 succeeded at 352 (offset -2 lines).
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff -rup src/sys/netipsec/key.c sru/sys/netipsec/key.c
|--- src/sys/netipsec/key.c     2012-11-04 14:26:53.000000000 -0200
|+++ sru/sys/netipsec/key.c     2012-11-29 18:40:34.000000000 -0200
--------------------------
Patching file sys/netipsec/key.c using Plan A...
Hunk #1 succeeded at 460.
Hunk #2 succeeded at 1315.
Hunk #3 succeeded at 2964.
Hunk #4 succeeded at 3090.
Hunk #5 succeeded at 3513.
Hunk #6 succeeded at 3806.
Hunk #7 succeeded at 4128.
Hunk #8 succeeded at 4727.
Hunk #9 succeeded at 4818.
Hunk #10 succeeded at 5166.
Hunk #11 succeeded at 5268.
Hunk #12 succeeded at 5484.
Hunk #13 succeeded at 5549.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff -rup src/sys/netipsec/keydb.h sru/sys/netipsec/keydb.h
|--- src/sys/netipsec/keydb.h   2012-11-04 14:26:53.000000000 -0200
|+++ sru/sys/netipsec/keydb.h   2012-11-28 18:53:56.000000000 -0200
--------------------------
Patching file sys/netipsec/keydb.h using Plan A...
Hunk #1 succeeded at 163.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff -rup src/sys/netipsec/xform_esp.c sru/sys/netipsec/xform_esp.c
|--- src/sys/netipsec/xform_esp.c       2012-11-04 14:26:53.000000000 -0200
|+++ sru/sys/netipsec/xform_esp.c       2012-11-28 18:53:56.000000000 -0200
--------------------------
Patching file sys/netipsec/xform_esp.c using Plan A...
Hunk #1 succeeded at 78.
done
```


----------



## ilemur (Nov 5, 2013)

Well all ipsec-tools patches also went without a hitch.
So the patches are applicable to the FreeBSD 9.2 system. Although my networking part is completely broken. Clients cannot connect to the internet or access local resources. Pings pass, but from what I can tell by watching tcpdump output there is some misunderstanding between NAT-T and pf NAT.
PPTP connection using same config works flawlessly.

On ng0 I see packets coming to the server - but none to the VPN client (172.16.5.200)

```
172.16.5.200.35506 > some1.my.servers.microsoft-ds: Flags [S], cksum 0x28a0 (correct), seq 2667378455, win 13600, options [mss 1332,sackOK,TS val 2385198 ecr 0,nop,wscale 5], length 0
11:36:29.698760 IP (tos 0x0, ttl 64, id 37434, offset 0, flags [DF], proto TCP (6), length 60)
```

and on the external interface I see something like this


```
tcpdump: listening on dc0, link-type EN10MB (Ethernet), capture size 65535 bytes
    broadband.myserver.com.60782 > 89.222.207.137.http: Flags [S], cksum 0x3ebf (correct), seq 319505738, win 13600, options [mss 1332,sackOK,TS val 2490227 ecr 0,nop,wscale 5], length 0
    broadband.myserver.com.60782 > 89.222.207.137.http: Flags [S], cksum 0x3e5b (correct), seq 319505738, win 13600, options [mss 1332,sackOK,TS val 2490327 ecr 0,nop,wscale 5], length 0
    89.222.207.137.http > broadband.myserver.com.60782: Flags [S.], cksum 0x8817 (correct), seq 2695984557, ack 319505739, win 14480, options [mss 1460,sackOK,TS val 3367818120 ecr 2490227,nop,wscale 7], length 0
    172.16.5.200.40850 > 89.222.207.137.http: Flags [R.], cksum 0x5bb6 (correct), seq 334730228, ack 3371067425, win 0, length 0
    broadband.myserver.com > 89.222.207.137: ICMP host broadband.myserver.com unreachable, length 68
    89.222.207.137.http > broadband.myserver.com.60782: Flags [S.], cksum 0x1f68 (incorrect -> 0x3886), seq 2695984557, ack 334730228, win 14480, options [mss 1460,sackOK,TS val 3367818120 ecr 2490227,nop,wscale 7], length 0
    broadband.myserver.com.54139 > 89.222.207.137.http: Flags [S], cksum 0xe9a0 (correct), seq 4048142987, win 13600, options [mss 1332,sackOK,TS val 2490484 ecr 0,nop,wscale 5], length 0
    89.222.207.137.http > broadband.myserver.com.54139: Flags [S.], cksum 0xbf25 (correct), seq 1629502203, ack 4048142988, win 14480, options [mss 1460,sackOK,TS val 3367819690 ecr 2489081,nop,wscale 7], length 0
    broadband.myserver.com.59401 > 89.222.207.137.http: Flags [S], cksum 0x6424 (correct), seq 1080648153, win 13600, options [mss 1332,sackOK,TS val 2490508 ecr 0,nop,wscale 5], length 0
    89.222.207.137.http > broadband.myserver.com.59401: Flags [S.], cksum 0x9ed2 (correct), seq 1059944766, ack 1080648154, win 14480, options [mss 1460,sackOK,TS val 3367819929 ecr 2489106,nop,wscale 7], length 0
    broadband.myserver.com.60782 > 89.222.207.137.http: Flags [S], cksum 0x5842 (correct), seq 319505738, win 13600, options [mss 1332,sackOK,TS val 2490527 ecr 0,nop,wscale 5], length 0
    89.222.207.137.http > broadband.myserver.com.60782: Flags [S.], cksum 0xb43d (correct), seq 2742697419, ack 319505739, win 14480, options [mss 1460,sackOK,TS val 3367820111 ecr 2490527,nop,wscale 7], length 0
    172.16.5.200.40850 > 89.222.207.137.http: Flags [R.], cksum 0x90cf (correct), seq 0, ack 46712863, win 0, length 0
    broadband.myserver.com > 89.222.207.137: ICMP host broadband.myserver.com unreachable, length 68
    89.222.207.137.http > broadband.myserver.com.60782: Flags [S.], cksum 0x4b8e (incorrect -> 0x64ac), seq 2742697419, ack 334730228, win 14480, options [mss 1460,sackOK,TS val 3367820111 ecr 2490527,nop,wscale 7], length 0
    broadband.myserver.com.60782 > 89.222.207.137.http: Flags [S], cksum 0x56b1 (correct), seq 319505738, win 13600, options [mss 1332,sackOK,TS val 2490928 ecr 0,nop,wscale 5], length 0
```

So I'm not sure they work together. I have posted the problem in the Networking section of the forum.

UPDATE 10|11|2013

Well switching to IPFW _ IPFW NAT as stated on the first page worked flawlessly. So I have to confirm some BUG issue between NAT-T and PF NAT.


----------



## Anonymous (Nov 16, 2013)

*MPD5 problem with FreeBSD 9.2-RELEASE-p1*

Please read the update in the next message, the following information is outdated.



> Finally, I upgraded from 9.1 RELEASE-p7 to 9.2-RELEASE-p1, using freebsd-update.
> 
> After this, my server behaved strangely after a L2TP/IPsec-VPN connection had been established. The VPN client can access resources on the server, but not in the LAN and WAN, as it could on 9.1. Even more bugging is that LAN clients cannot access the internet anymore, once a VPN connection was made, and the problem persists even after the VPN was disconnected, and persists after net/mpd5 and racoon were killed, and any dangling SA and SPD had been flushed. netstat -nr and sockstat -4 show nothing strange.
> 
> ...


----------



## Anonymous (Nov 17, 2013)

Update:

net/mpd5 is working for me again. Instead of `gateway_enable="YES"` in /etc/rc.conf, I had directly adjusted the related sysctl settings `net.inet.ip.forwarding=1` and `net.inet6.ip.forwarding=1` in /etc/sysctl.conf. On the freebsd-net mailing list I was informed that this shortcut doesn't work reliably anymore in FreeBSD 9.2. I removed the respective sysctl assignments and set `gateway_enable="YES"` and the VPN server works as before.

IMHO, net/mpd5 is much more versatile than net/sl2tps, and I continue using mpd5.


----------



## kpa (Nov 17, 2013)

The gateway_enable setting has always been the IPv4 forwarding option and does nothing for IPv6. For IPv6 you have to use ipv6_gateway_enable.


----------



## Anonymous (Nov 17, 2013)

kpa said:

> The gateway_enable setting has always been the IPv4 forwarding option and does nothing for IPv6. For IPv6 you have to use ipv6_gateway_enable.



Yes, I forgot to mention it. I don't use IPv6 on my setup, and therefore, I left it disabled. Those who need IPv6 need to set `ipv6_gateway_enable="YES"` of course.

The full story on what happened has been revealed on the freebsd-net mailing list at the end of October 2013: MPD PPTP seting 0 on net.inet.ip.forwarding.

It seems to be collateral damage of changes to the devd(8) system. As has been suggested, I disabled devd on my server by setting `devd_enable="NO"` in /etc/rc.conf. My understanding is that devd is of limited use for servers anyway, and perhaps of some use on desktops.


----------



## Anonymous (Nov 18, 2013)

*L2TP/IPsec with NAT-Traversal optimal MTU setting*

I ran some tests to verify the MTU setting that I suggested in Part II of this thread, namely 1280, which is the recommended choice for L2TP without NAT-Traversal.

In order to check this, I established a L2TP/IPsec connection from my iPhone (iOS 7.0.4) via 3G to my VPN server behind a NAT, and sent a ping(8) from the server to the internal VPN address of the iPhone.
`# ping -D -c1 -s1252 192.168.0.150`

-D is the don't fragment flag
-c1 means, send only 1 ping
-snnnn is the payload size in bytes of the ping (without the headers)

The payload size of 1252 bytes corresponds to an MTU of 1280, since the size of the IP header (20 bytes) and of the ICMP header (8 bytes) has to be added. Anyway, the iPhone did not respond.

The iPhone began responding to pings with payload sizes less than or equal to 1202, i.e. the MTU for this kind of connection shall be 1230. The WAN link of the server has an MTU of 1500. Of course, the final result might differ if the raw MTU is already less than 1500. You might want to repeat the tests with your connection. For the tests, remove the MTU setting from /usr/local/etc/mpd5/mpd.conf.

During these tests, it turned out that the multilink option in /usr/local/etc/mpd5/mpd.conf had no effect, so I removed it. Without multilink, it is not necessary to add sequencing information, and therefore, I removed the l2tp option length and disabled the l2tp option dataseq. Finally, the iPhone supports header compression, and I enabled the link options acfcomp protocomp.

For the record, here comes the improved file /usr/local/etc/mpd5/mpd.conf:

```
startup:
# configure mpd users
        set user super pwSuper admin

# configure the console
        set console self 127.0.0.1 5005
        set console open

# configure the web server
        set web self 0.0.0.0 5006
        set web open

default:
        load l2tp_server

l2tp_server:
# Define dynamic IP address pool.
        set ippool add pool_l2tp 192.168.0.150 192.168.0.199

# Create clonable bundle template named B_l2tp
        create bundle template B_l2tp
        set iface enable proxy-arp
        set iface enable tcpmssfix
        set ipcp yes vjcomp

# Specify IP address pool for dynamic assignment.
        set ipcp ranges 192.168.0.1/32 ippool pool_l2tp
        set ipcp dns 192.168.0.1

# Create clonable link template named L_l2tp
        create link template L_l2tp l2tp
        set link action bundle B_l2tp
        set link mtu 1230
        set link keep-alive 0 0
        set link yes acfcomp protocomp
        set link no pap chap eap
        set link enable chap

# Configure L2TP
        set l2tp self 192.168.0.1
        set l2tp disable dataseq

# Allow to accept calls
        set link enable incoming
```

I updated Part II of this thread with these improvements.
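
The sweep described above (shrinking the payload of don't-fragment pings until the peer answers) can be automated with a binary search. The following script is an added example, not code from the post: it uses the FreeBSD ping(8) flags given above (-D, -c1, -s; the -t 2 reply timeout is an assumption), and it carries a simulated probe, pre-set to the post's measured 1202-byte maximum, so the search itself can be exercised without a VPN link. The 192.168.0.150 address is the first address of the mpd5 pool above.

```shell
#!/bin/sh
# Path-MTU probe for an L2TP/IPsec link, automating the manual sweep from the post.
# A DF ping whose payload fits is answered; one that does not fit is dropped (or
# answered with "frag needed"), so the largest answered payload + 28 is the path MTU.

IP_HDR=20      # IPv4 header
ICMP_HDR=8     # ICMP echo header
HDR=$((IP_HDR + ICMP_HDR))

# Real probe: FreeBSD ping(8) with the flags used in the post
# (-D don't fragment, -c1 one packet, -s payload bytes); -t 2 (seconds to wait) is an assumption.
probe_ping() {
    ping -D -c1 -t 2 -s "$1" "$2" >/dev/null 2>&1
}

# Simulated probe so the script runs offline: pretends the path accepts payloads
# up to SIM_MAX_PAYLOAD bytes (1202 is the value measured in the post).
SIM_MAX_PAYLOAD=${SIM_MAX_PAYLOAD:-1202}
probe_sim() {
    [ "$1" -le "$SIM_MAX_PAYLOAD" ]
}

# find_max_payload PROBE HOST LO HI
# Binary search for the largest payload in [LO, HI] that PROBE answers.
# Assumes the usual monotonic behaviour: if N bytes get through, every smaller size does too.
find_max_payload() {
    fmp_probe=$1; fmp_host=$2; fmp_lo=$3; fmp_hi=$4; fmp_best=0
    while [ "$fmp_lo" -le "$fmp_hi" ]; do
        fmp_mid=$(( (fmp_lo + fmp_hi) / 2 ))
        if "$fmp_probe" "$fmp_mid" "$fmp_host"; then
            fmp_best=$fmp_mid; fmp_lo=$((fmp_mid + 1))
        else
            fmp_hi=$((fmp_mid - 1))
        fi
    done
    echo "$fmp_best"
}

# discover_mtu PROBE HOST -> prints the path MTU, or 0 if not even the smallest probe was answered.
# The upper bound 1472 is the largest payload a 1500-byte WAN MTU carries unfragmented.
discover_mtu() {
    dm_payload=$(find_max_payload "$1" "$2" 1 1472)
    if [ "$dm_payload" -eq 0 ]; then
        echo 0
    else
        echo $((dm_payload + HDR))
    fi
}

# Usage: sh mtuprobe.sh 192.168.0.150   (the client's VPN pool address, as in the post)
if [ $# -ge 1 ]; then
    echo "path MTU towards $1: $(discover_mtu probe_ping "$1")"
fi
```

Run it against a connected client while the `set link mtu` line is removed from mpd.conf, as the post suggests, and put the reported value back into the link template; a result of 0 means no probe size was answered at all, which points at a reachability problem rather than an MTU one.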


----------



## sukosevato (Nov 30, 2013)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to*

Is it still necessary to include the two patches on FreeBSD 10 systems?

I currently have FreeBSD 10.0-BETA3 running and when trying to install ipsec-tools with the two patches I get:

```
root@Secretum:/usr/ports/security/ipsec-tools # make install clean
===>  Patching for ipsec-tools-0.8.1_3
===>  Applying FreeBSD patches for ipsec-tools-0.8.1_3
2 out of 2 hunks failed--saving rejects to src/racoon/grabmyaddr.c.rej
=> Patch patch-zz-local-0.diff failed to apply cleanly.
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/security/ipsec-tools
*** Error code 1

Stop.
make: stopped in /usr/ports/security/ipsec-tools
```


----------



## Haga (Dec 3, 2013)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to*

I cannot see the two patch files that are attached to the end of kern/PR 146190; it has become a broken link. Does anyone have a copy?

http://www.freebsd.org/cgi/query-pr.cgi?pr=146190
ipsec_natt.v4.diff
ipsec_tools.context.v2.diff


----------



## sukosevato (Dec 3, 2013)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to*

@Haga, I meant the two patches supplied in the topic start.


----------



## Haga (Dec 4, 2013)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to*

Hi @sukosevato,

Sorry, not related to your post. I posted simply. I wanted kernel patches.

http://www.freebsd.org/cgi/query-pr.cgi?pr=146190
ipsec_natt.v4.diff
ipsec_tools.context.v2.diff

Someone, do you not have a copy?


----------



## ernix (Dec 16, 2013)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to*

Hello, @rolfheinrich.  I really appreciate you helping me.

Could you post ipsec-patches.diff again please? The patch you attached before on http://forums.freebsd.org/viewtopic.php ... 84#p228384 became a dead link due to some reason.


----------



## sukosevato (Jan 5, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to *

Hey @ernix, the patches attached to that post are still downloadable, if you look at the bottom of the post you linked to you will find this link: http://forums.freebsd.org/download/file.php?id=1926


----------



## ernix (Jan 6, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to*

Hello @sukosevato,

I'm looking forward to the kernel patch labeled ipsec-patches.diff that @rolfheinrich mentioned in the middle of the post, not the zip archive.  This archive just contains patches only for racoon and ipsec-tools. The kernel patch should be applied to sys/netinet and sys/netipsec as he said, is linked to http://forums.freebsd.org/attachment.ph ... 1375044889. It seems like the FreeBSD Forum has changed its URL routing after he gave the patch, leaving URLs as plain texts. Does anybody have a copy of that?


----------



## BreakArms (Jan 27, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to*

I'm having an issue connecting with my Droid or a remote Windows host. Here is my racoon.log file from the connection attempt from my Droid (4.3) configured as an IPSec/L2TP with preshared keys. PUBLIC_IP is the IP address of my Droid. 192.168.11.7 is the IP address of the FreeBSD interface. I have NAT and firewall rules configured on my outside firewall and it does indeed start the connection but it never finishes. Can anyone tell by looking at this log file what is wrong? I've gone through the guide a few times and I can't find anything wrong. I configured the configuration files to be tailored to my local private network (192.168.11.0/24) so I'm at a loss at this point.

EDIT: also, this is FreeBSD 10 amd64 running on Hyper-V. No packet filter is running. My border firewall is a Cisco ASA 5505 and as far as I know I've allowed 500, 1701 and 4500 through the outside interface and configured NAT to translate these ports to 192.168.11.7. The Cisco logs do not show any kind of denies during the connection attempt either so I'm fairly certain it's not my border firewall. The firewall on the Hyper-V host is disabled completely.

```
2014-01-26 18:58:04: INFO: received Vendor ID: DPD
2014-01-26 18:58:04: [PUBLIC_IP] INFO: Selected NAT-T version: RFC 3947
2014-01-26 18:58:04: [192.168.11.7] INFO: Hashing 192.168.11.7[500] with algo #2 
2014-01-26 18:58:04: INFO: NAT-D payload #0 doesn't match
2014-01-26 18:58:04: [PUBLIC_IP] INFO: Hashing PUBLIC_IP[5428] with algo #2 
2014-01-26 18:58:04: INFO: NAT-D payload #1 doesn't match
2014-01-26 18:58:04: INFO: NAT detected: ME PEER
2014-01-26 18:58:04: [PUBLIC_IP] INFO: Hashing PUBLIC_IP[5428] with algo #2 
2014-01-26 18:58:04: [192.168.11.7] INFO: Hashing 192.168.11.7[500] with algo #2 
2014-01-26 18:58:04: INFO: Adding remote and local NAT-D payloads.
2014-01-26 18:58:05: INFO: NAT-T: ports changed to: PUBLIC_IP[5430]<->192.168.11.7[4500]
2014-01-26 18:58:05: INFO: KA list add: 192.168.11.7[4500]->PUBLIC_IP[5430]
2014-01-26 18:58:05: INFO: ISAKMP-SA established 192.168.11.7[4500]-PUBLIC_IP[5430] spi:01ee99f8f332f3c6:c170a2f30265fe5b
2014-01-26 18:58:05: [PUBLIC_IP] INFO: received INITIAL-CONTACT
2014-01-26 18:58:06: INFO: respond new phase 2 negotiation: 192.168.11.7[4500]<=>PUBLIC_IP[5430]
2014-01-26 18:58:06: INFO: Adjusting my encmode UDP-Transport->Transport
2014-01-26 18:58:06: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
2014-01-26 18:58:06: INFO: IPsec-SA established: ESP/Transport 192.168.11.7[500]->PUBLIC_IP[500] spi=8914154(0x8804ea)
2014-01-26 18:58:06: INFO: IPsec-SA established: ESP/Transport 192.168.11.7[500]->PUBLIC_IP[500] spi=48277957(0x2e0a9c5)
2014-01-26 18:59:31: [PUBLIC_IP] INFO: DPD: remote (ISAKMP-SA spi=01ee99f8f332f3c6:c170a2f30265fe5b) seems to be dead.
2014-01-26 18:59:31: INFO: purging ISAKMP-SA spi=01ee99f8f332f3c6:c170a2f30265fe5b.
2014-01-26 18:59:31: INFO: purged IPsec-SA spi=48277957.
2014-01-26 18:59:31: INFO: purged IPsec-SA spi=8914154.
2014-01-26 18:59:31: INFO: purged ISAKMP-SA spi=01ee99f8f332f3c6:c170a2f30265fe5b.
2014-01-26 18:59:31: INFO: ISAKMP-SA deleted 192.168.11.7[4500]-PUBLIC_IP[5430] spi:01ee99f8f332f3c6:c170a2f30265fe5b
2014-01-26 18:59:31: INFO: KA remove: 192.168.11.7[4500]->PUBLIC_IP[5430]
```


----------



## Senya88 (Jan 27, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to*

Hi, friends! I have FreeBSD 10.0-RELEASE, mpd5 with L2TP and the latest ipsec-tools from ports. I applied the patches from the link http://forums.freebsd.org/download/file.php?id=1926 successfully. Then I applied the patch (see attachment), but it had 3 rejects, due to differences in the FreeBSD 10.0 source code lines. I manually corrected two of these rejects (the third did not have to be fixed because the default source code file was already correct) and recompiled my custom kernel.

With `sysctl net.inet.esp.esp_ignore_natt_cksum=1` it works:
`net.inet.esp.esp_ignore_natt_cksum: 0 -> 1`
(if set to "0", a connecting Windows client will be rejected). The tunnel works, but tcpdump shows that packets coming out of the tunnel do not fall under the ipfw NAT rules (Windows XP client behind NAT). This configuration was working on FreeBSD 9.X, but on 10.0-RELEASE it does not work.

Part of kernel configuration:

```
# IPSec
options         IPSEC
options         IPSEC_FILTERTUNNEL
options         IPSEC_NAT_T
options         IPSEC_DEBUG
device crypto
device enc
```
Is there a working solution for FreeBSD 10.0-RELEASE?


----------



## Senya88 (Jan 27, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to*



			
ernix said:

> Hello @sukosevato,
> I'm looking forward to the kernel patch labeled ipsec-patches.diff that @rolfheinrich mentioned in the middle of the post, not the zip archive.  This archive just contains patches only for racoon and ipsec-tools. The kernel patch should be applied to sys/netinet and sys/netipsec as he said, is linked to http://forums.freebsd.org/attachment.ph ... 1375044889. It seems like the FreeBSD Forum has changed its URL routing after he gave the patch, leaving URLs as plain texts. Does anybody have a copy of that?



Please read my previous post.


----------



## IntelliSUN (Jan 27, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to *

Hello !

I've made some changes to ipsec patches to match kernel 10.0.

Best regards


----------



## Senya88 (Jan 29, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to*



			
IntelliSUN said:

> Hello !
> 
> I've made some changes to ipsec patches to match kernel 10.0.
> 
> Best regards


Thank you very much! Now I will test and write the results here...
Results:
ping from a Windows XP client behind NAT, tcpdump says:


```
tcpdump -i ng0 -n 'host 62.33.98.20'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ng0, link-type NULL (BSD loopback), capture size 65535 bytes
capability mode sandbox enabled
11:08:48.625277 IP 10.1.1.100 > 62.33.98.20: ICMP echo request, id 1280, seq 11264, length 40
11:08:53.646349 IP 10.1.1.100 > 62.33.98.20: ICMP echo request, id 1280, seq 11520, length 40
11:08:58.660931 IP 10.1.1.100 > 62.33.98.20: ICMP echo request, id 1280, seq 11776, length 40
11:09:03.690800 IP 10.1.1.100 > 62.33.98.20: ICMP echo request, id 1280, seq 12032, length 40
```

Where:
10.1.1.100 - tunnel address of the Windows XP client, who connected from behind NAT
ng0 - external interface (my external IP address)
ng1 - interface of the tunnel client


```
server# ipfw nat 123 config ip (there is my external ip) log
ipfw nat 123 config ip (there is my external ip) log

server# ipfw list
00850 nat 123 ip from 10.1.1.0/24 to any
00900 nat 123 ip from any to (there is my external ip)
65535 allow ip from any to any
```

Why packets that come out of the tunnel do not fall under the ipfw NAT rules?


----------



## IntelliSUN (Jan 30, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to *

Hello,

It seems that there is a bug in FreeBSD 10 RELEASE.

http://www.freebsd.org/cgi/query-pr.cgi?pr=185876&cat=

Best regards


----------



## Senya88 (Jan 30, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to *

Hi, All! A similar problem.

https://forums.freebsd.org/viewtopic.php?f=44&t=44414


----------



## Senya88 (Mar 13, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to *

Problem fixed:
http://www.freebsd.org/cgi/query-pr.cgi?pr=185876&cat=


----------



## balgaa (May 3, 2014)

*Re:*

Where can I find information on the "need to hack the Windows 7 registry" link?
Where can I find information on the "seem to have yet another problem" link?


----------



## obsigna (May 3, 2014)

*Broken Links*

The message indices are still valid, the URLs need to be rewritten though:
http://forums.freebsd.org/viewtopic.php?p=189135#p189135
http://forums.freebsd.org/viewtopic.php?p=174551#p174551


----------



## balgaa (May 3, 2014)

*Re: Broken Links*

Thank you very much.

I configured pptp/l2tp on FreeBSD-9.2-stable+ipsec-tools-0.8.1+mpd5.7 working fine with MacOS 10.9, iPhone 7.1/7.1.1.

Problem with Android 4.2.2, 4.4.2 and Windows 7 clients.


----------



## obsigna (May 3, 2014)

*More details please!*



			
balgaa said:

> Problem with Android 4.2.2, 4.4.2 and Windows 7 clients...



What does not work with Windows 7 -- PPTP, L2TP/IPsec, or both?
What does not work with Android 4.x -- PPTP, L2TP/IPsec, or both?
Are the clients running behind NAT?
Is the VPN server operating behind NAT?
Did you patch security/ipsec-tools? With which patches -- the initial set or the full set of patches?
Did you patch and recompile the kernel?
Did you set AssumeUDPEncapsulationContextOnSendRule in the Windows 7 registry to 2?
Did you set net.inet.esp.esp_ignore_natt_cksum to 1 in the file /etc/sysctl.conf of the FreeBSD machine?
What is the error message on Windows, and how does this relate to which entries in the logs of mpd5(8) and/or racoon(8)?
What is the error message on Android, and how does this relate to which entries in the logs of mpd5(8) and/or racoon(8)?


----------



## balgaa (May 3, 2014)

*Re: More details please!*



			
obsigna said:

> balgaa said:
> 
> > Problem with Android 4.2.2, 4.4.2 and Windows 7 clients...

> What does not work with Windows 7 -- PPTP, L2TP/IPsec, or both?
> What does not work with Android 4.x -- PPTP, L2TP/IPsec, or both?


PPTP is working fine on both; for L2TP I am following the instructions earlier in this forum.



> Are the clients running behind NAT?


Yes, it is with dynamic IP address.



> Is the VPN server operating behind NAT?


No, with public IP address.



> Did you patch security/ipsec-tools? With which patches -- the initial set or the full set of patches?


Can you point me both initial and full set of patches?



> Did you patch and recompile the kernel?


Not yet.



> Did you set AssumeUDPEncapsulationContextOnSendRule in the Windows 7 registry to 2?


Already done.



> Did you set net.inet.esp.esp_ignore_natt_cksum to 1 in the file /etc/sysctl.conf of the FreeBSD machine?


Yes, did it.



> What is the error message on Windows, and how does this relate to which entries in the logs of mpd5(8) and/or racoon(8)?
> What is the error message on Android, and how does this relate to which entries in the logs of mpd5(8) and/or racoon(8)?


When I try to connect with either the Windows or the Android client, only the request reaches racoon, nothing reaches mpd5.


----------



## obsigna (May 3, 2014)

*Re: More details please!*



			
balgaa said:

> obsigna said:
> 
> > ...


For L2TP/IPsec working with Windows, you need the full set of patches. Because the FreeBSD Forums switched to a different system in November last year, most of the intra-forum links are broken. Therefore, I attach the patches to this message. Place the contents of the respective archive, i.e. the files without the enclosing directory, into /usr/ports/security/ipsec-tools/files/ and re-build security/ipsec-tools.



			
balgaa said:

> > Did you patch and recompile the kernel?
> 
> Not yet.


Without patching the Kernel, Windows clients won't be able to connect via L2TP/IPsec from behind a NAT. The Kernel patches for FreeBSD 9.2 are attached to this message. The instructions on how to apply them are here.

Regarding Android, I have no experience, and I don't own an Android device, and I cannot be of any help with that.


----------



## balgaa (May 4, 2014)

*Re: More details please!*

After applying all patches, everything works fine now with Windows 7 and Android...

My configuration FreeBSD-9.2-stable+mpd5.7+racoon-0.8.1+pf

Thank you...


----------



## b0ba (Jun 26, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to*

Hi all!

My configuration is very similar, or let's say identical, to FreeBSD-9.2-STABLE + mpd5.7 + racoon-0.8.1 + pf. Patches ipsec-9.2-kernel-patches.diff.zip and ipsec-tools-patches.zip were applied. I can connect to the VPN host from Mac, iOS, Android and Windows 7, but I have strange issues. I can access only the VPN host. I cannot reach any other PC in the network. It seems as if PF blocks packets outside of the VPN server, but it doesn't. What can be the reason? Thanks in advance for the help.


----------



## obsigna (Jun 26, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to*



			
b0ba said:

> ... I cannot reach any other PC in the network. It seems as if PF blocks packets outside of the VPN server, but it doesn't. What can be the reason?



Is the IPsec server listening on the WAN interface, i.e. before NAT? In this case, consider putting it behind NAT.

Check whether net/mpd5 is configured for proxy-arp:

```
...
	set iface enable proxy-arp
...
```

Check whether the firewall allows any traffic on the ng* interfaces. I have no experience with pf, I use ipfw(8), and the respective rule for this is:

```
...
/sbin/ipfw -q add 50 allow ip from any to any via ng*
...
```


----------



## b0ba (Jun 26, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to*



			
obsigna said:

> b0ba said:
> 
> > ...



I have:


```
# There is a better way to do this with ifconfig groups - you're welcome to try getting
# mpd5 to do that!
pass quick on ng0 all
pass quick on ng1 all
pass quick on ng2 all
pass quick on ng3 all
pass quick on ng4 all
pass quick on ng5 all
```

I have tried disabling PF altogether, with the same result, maybe only slightly different lines in tcpdump. With pf enabled I have:


```
16:04:39.409825 IP 192.168.221.31.52357 > 192.168.221.5.ssh: Flags [S], seq 2764170046, win 8192, options [mss 1240,nop,wscale 2,nop,nop,sackOK], length 0
16:04:39.409857 IP 192.168.221.5.ssh > 192.168.221.31.52357: Flags [R.], seq 0, ack 2764170047, win 0, length 0
16:04:40.000318 IP 192.168.221.31.52357 > 192.168.221.5.ssh: Flags [S], seq 2764170046, win 8192, options [mss 1240,nop,wscale 2,nop,nop,sackOK], length 0
16:04:40.000349 IP 192.168.221.5.ssh > 192.168.221.31.52357: Flags [R.], seq 0, ack 1, win 0, length 0
16:04:40.574235 IP 192.168.221.31.52357 > 192.168.221.5.ssh: Flags [S], seq 2764170046, win 8192, options [mss 1240,nop,nop,sackOK], length 0
16:04:40.574258 IP 192.168.221.5.ssh > 192.168.221.31.52357: Flags [R.], seq 0, ack 1, win 0, length 0
16:04:47.608413 IP 192.168.221.31.52358 > 192.168.221.5.ssh: Flags [S], seq 1881090481, win 8192, options [mss 1240,nop,wscale 2,nop,nop,sackOK], length 0
16:04:47.608450 IP 192.168.221.5.ssh > 192.168.221.31.52358: Flags [R.], seq 0, ack 1881090482, win 0, length 0
16:04:48.187196 IP 192.168.221.31.52358 > 192.168.221.5.ssh: Flags [S], seq 1881090481, win 8192, options [mss 1240,nop,wscale 2,nop,nop,sackOK], length 0
16:04:48.187219 IP 192.168.221.5.ssh > 192.168.221.31.52358: Flags [R.], seq 0, ack 1, win 0, length 0
16:04:48.768865 IP 192.168.221.31.52358 > 192.168.221.5.ssh: Flags [S], seq 1881090481, win 8192, options [mss 1240,nop,nop,sackOK], length 0
16:04:48.768887 IP 192.168.221.5.ssh > 192.168.221.31.52358: Flags [R.], seq 0, ack 1, win 0, length 0
```

where 192.168.221.31 is the IP assigned by mpd5 and 192.168.221.5 is another Linux server in the same LAN.


----------



## obsigna (Jun 26, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to*



			
b0ba said:

> obsigna said:
> 
> > ...


Well, this way it works for me. I established NAT port redirection for the 2 UDP ports 500 and 4500 from the WAN interface to the LAN interface, and the Proxy ARP mechanism of mpd5 takes care of the internal routing automatically. Since my setup is running on a dynamic WAN IP, the additional advantage is that nothing needs to be changed once the dynamic IP changes; the IPsec server continues working without reconfiguration and without restart. Anyway, I never tried IPsec before the NAT, and I cannot tell whether this would work with internal clients or not. I can only tell that with L2TP/IPsec behind the NAT I can address all internal clients (ssh, web, vnc, etc.) without any problems.



			
b0ba said:

> obsigna said:
> 
> > ...


OK, this is only important if L2TP (port 1701) is listening behind the NAT.



			
b0ba said:

> obsigna said:
> 
> > ...


OK!



			
b0ba said:

> I have tried disabling PF altogether, with the same result, maybe only slightly different lines in tcpdump.


I would not expect this to work, since you need NAT in any case, and once you disable pf you disable NAT as well.



			
b0ba said:

> With pf enabled I have:
> 
> ```
> ...


I would try to setup some NAT rules.


----------



## b0ba (Jun 26, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to*



			
obsigna said:

> I would try to setup some NAT rules.


Do you think it makes sense if both IP addresses are in the same network? If yes, can you please write an example for IPFW and I will try to make the same with PF.


----------



## obsigna (Jun 26, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to*



			
b0ba said:

> obsigna said:
> 
> > ...



With both IP addresses, do you mean an IP address from the dynamic IP pool for the ng* interfaces and an IP address in your LAN? In this case, NAT won't make sense for this.

I was thinking about the NAT rules of net/mpd5 -- 4.14. Network Address Translation (NAT). I never tried this, because in my setup I don't need internal NAT, and perhaps, before playing around with NAT, you want to compare your mpd5 settings with my working ones. Perhaps something is wrong with your ippool and/or the ipcp ranges. Note also how my L2TP server is listening on the local IP address (l2tp self 192.168.0.1); this would be the only difference from your setup, however I cannot tell if this is the crucial one.


```
l2tp_server:
# Define dynamic IP address pool.
	set ippool add pool_l2tp 192.168.0.201 192.168.0.250

# Create clonable bundle template named B_l2tp
	create bundle template B_l2tp
	set iface enable proxy-arp
	set iface enable tcpmssfix
	set ipcp yes vjcomp

# Specify IP address pool for dynamic assignment.
	set ipcp ranges 192.168.0.1/32 ippool pool_l2tp
	set ipcp dns 192.168.0.1

# Create clonable link template named L_l2tp
	create link template L_l2tp l2tp
	set link action bundle B_l2tp
	set link mtu 1230
	set link keep-alive 0 0
	set link yes acfcomp protocomp
	set link no pap chap eap
	set link enable chap

# Configure L2TP
	set l2tp self 192.168.0.1
	set l2tp disable dataseq

# Allow to accept calls
	set link enable incoming
```


----------



## b0ba (Jun 26, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to *

I found only 2 differences from my setup:
1) I have mask 24 here, you have 32 (set ipcp ranges 192.168.0.1/32 ippool pool_l2tp)
2) I have the external WAN IP here: set l2tp self 192.168.0.1


----------



## obsigna (Jun 26, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to*



			
b0ba said:

> I found only 2 differences from my setup:
> 1) I have mask 24 here, you have 32 (set ipcp ranges 192.168.0.1/32 ippool pool_l2tp)
> 2) I have the external WAN IP here: set l2tp self 192.168.0.1



A mask of 24 means that the local IP address of your L2TP server is negotiable, and it may end up anywhere in the range 192.168.0.1 - 255; it may even overlap with the remote IP pool and perhaps with your local LAN address ranges. IMHO, there is no need for the local address range being that flexible, and therefore, I nailed it down to the desired address. I suggest you do the same, see: 4.7. IPCP layer.


----------



## b0ba (Jun 26, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to *

With mask 32 I have the same result. I can reach only 192.168.221.31 (ng0) and 192.168.221.254 (em1).
I am now thinking about the kernel option "options IPSEC_NAT_T". Maybe if my IPsec server is listening on em0 (WAN), I don't need it and that is the reason. Also I found https://forums.freebsd.org/viewtopic.php?t=45691 It is not the issue I have, but maybe my problem is related to it too.


----------



## obsigna (Jun 26, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to*



			
b0ba said:

> With mask 32 I have the same result. I can reach only 192.168.221.31 (ng0) and 192.168.221.254 (em1).
> I am now thinking about the kernel option "options IPSEC_NAT_T". ...



My IPsec related kernel options are:

```
# Options for IPsec
options  IPSEC
options  IPSEC_FILTERTUNNEL
options  IPSEC_NAT_T
device   crypto
device   enc
```



			
b0ba said:

> ... Also I found https://forums.freebsd.org/viewtopic.php?t=45691 It is not the issue I have, but maybe my problem is related to it too.



That problem is related to a flaw introduced in FreeBSD 10. Since you are running on FreeBSD 9.2 as I do, that shouldn't affect you.


----------



## b0ba (Jun 26, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to *

I have the same kernel options for the IPSec. I will try tomorrow exactly your setup with IPSec server behind the NAT and let you know. Thank you very much for your help.


----------



## obsigna (Jun 26, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to*



			
b0ba said:

> I have the same kernel options for the IPSec. I will try tomorrow exactly your setup with IPSec server behind the NAT and let you know. Thank you very much for your help.



For your reference, here comes my ipfw(8) configuration:

In /etc/rc.conf:

```
gateway_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_script="/etc/ipfw.conf"
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
mpd_enable="YES"
```

My ipfw script file /etc/ipfw.conf contains:

```
#!/bin/sh

/sbin/ipfw -q flush
/sbin/ipfw -q nat 1 config if em0 unreg_only reset \
                           redirect_port udp 192.168.0.1:500   500 \
                           redirect_port udp 192.168.0.1:4500 4500

# Allow anything within the LAN -- the interface with the heaviest traffic shall come first
/sbin/ipfw -q add 10 allow ip from any to any via em1
/sbin/ipfw -q add 20 allow ip from any to any via lo0
/sbin/ipfw -q add 30 allow ip from any to any via ng*

# Catch spoofing from outside
/sbin/ipfw -q add 90 deny ip from any to any not antispoof in

# NAT rule for incoming packets
/sbin/ipfw -q add 100 nat 1 ip from any to any via em0 in
/sbin/ipfw -q add 101 check-state

# Rules for allowing dial-in calls to the IPsec VPN server listening on a LAN interface behind the NAT
/sbin/ipfw -q add 201 skipto 10000 udp from any to any  500 via em0 in keep-state
/sbin/ipfw -q add 202 skipto 10000 udp from any to any 4500 via em0 in keep-state

# Rules for outgoing traffic -- allow everything that is not explicitly denied
/sbin/ipfw -q add 1000 deny ip from not me to any 25,53 via em0 out
# Allow all other outgoing connections
/sbin/ipfw -q add 2000 skipto 10000 tcp from any to any via em0 out setup keep-state
/sbin/ipfw -q add 2010 skipto 10000 udp from any to any via em0 out keep-state

# Rules for incoming traffic -- deny everything that is not explicitly allowed
/sbin/ipfw -q add 5000 allow tcp from any to me 22,25,80,443,587,993,995 via em0 in setup keep-state
# Deny all other tcp/udp packets, but don't touch gre, esp, icmp traffic
/sbin/ipfw -q add 9998 deny tcp from any to any via em0
/sbin/ipfw -q add 9999 deny udp from any to any via em0

# NAT rule for outgoing packets
/sbin/ipfw -q add 10000 nat 1 ip from any to any via em0 out

# Allow anything else -- just in case ipfw has not been configured as open firewall
/sbin/ipfw -q add 65534 allow ip from any to any
```

In file /etc/sysctl.conf:

```
net.inet.ip.fastforwarding=1
net.inet.ip.fw.one_pass=0
net.inet.ipsec.filtertunnel=0
net.inet6.ipsec6.filtertunnel=0
net.inet.esp.esp_ignore_natt_cksum=1
```
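
b0ba asked above for the ipfw rules to be translated into pf. As an added example (not obsigna's or any other poster's configuration, and not verified on their systems), this is how the NAT and the two UDP port redirections of the ipfw script above would read in /etc/pf.conf. It assumes the same names as the ipfw script (em0 as WAN, em1 as LAN, the IPsec/L2TP server on 192.168.0.1 behind the NAT, the same TCP service ports) and the ng0 to ng5 interfaces from b0ba's own pf.conf; the rule blocking LAN hosts from direct SMTP/DNS is left out because pf translates outbound packets before filtering them, so it cannot be expressed the same way on the WAN side.

```pf
# /etc/pf.conf -- pf counterpart of the ipfw setup above (added example, assumed names:
# em0 = WAN, em1 = LAN, IPsec/L2TP server on 192.168.0.1 behind the NAT)
ext_if  = "em0"
int_if  = "em1"
vpn_srv = "192.168.0.1"
lan_net = "192.168.0.0/24"                # LAN and the mpd5 ippool (192.168.0.201-250) share this /24
vpn_ifs = "{ ng0 ng1 ng2 ng3 ng4 ng5 }"   # mpd5 per-client interfaces, as in b0ba's pf.conf

set skip on lo0

# Outbound NAT onto the (dynamic) WAN address; the parentheses make pf re-read the
# address whenever it changes, like "nat 1 config if em0" does in ipfw
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# IKE (UDP 500) and NAT-T (UDP 4500) arriving on the WAN are handed to the IPsec server
# on the LAN address; "rdr pass" also creates the state that lets the redirected packets in
rdr pass on $ext_if inet proto udp from any to ($ext_if) port { 500, 4500 } -> $vpn_srv

# Drop packets with source addresses that cannot legitimately arrive on the WAN
antispoof quick for $ext_if inet

# Default on the WAN: deny inbound, allow outbound with state
block in log on $ext_if all
pass out on $ext_if all keep state

# Everything on the LAN and on the mpd5 ng* interfaces passes
pass quick on $int_if all
pass quick on $vpn_ifs all

# Services offered on the WAN address (same ports as ipfw rule 5000)
pass in on $ext_if inet proto tcp to ($ext_if) port { 22, 25, 80, 443, 587, 993, 995 } flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it. Note that pf only sees the outer UDP 500/4500 packets here; the L2TP traffic inside ESP is decapsulated on the server itself, so no rule for port 1701 is needed on the WAN interface.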


----------



## Senya88 (Aug 27, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to*

Hello! I recently learned that the problem described here:
https://www.freebsd.org/cgi/query-pr.cgi?pr=185876&cat=kern
was solved in FreeBSD10-STABLE and -HEAD. I downloaded the FreeBSD10-STABLE source code from svn and applied this patch:
https://forums.freebsd.org/download/file.php?id=2047
I rebuilt my kernel, but not the world. I did not get the expected result. I decided to repeat my experiment described here:
http://forums.freebsd.org/viewtopic...e69c08685ba8819e73535107d84&start=100#p248323
85.113.221.175 - external IP.
Ping from client (10.1.1.100) to 62.33.98.20 is unsuccessful (doesn't work anywhere).

tcpdump from server:

```
# tcpdump -i ng0 -n 'host 62.33.98.20'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ng0, link-type NULL (BSD loopback), capture size 65535 bytes
capability mode sandbox enabled
13:30:49.962631 IP 85.113.221.175 > 62.33.98.20: ICMP echo request, id 32978, seq 19, length 40
13:30:50.086722 IP 62.33.98.20 > 85.113.221.175: ICMP echo reply, id 32978, seq 19, length 40
13:30:54.482136 IP 85.113.221.175 > 62.33.98.20: ICMP echo request, id 32978, seq 20, length 40
13:30:54.606151 IP 62.33.98.20 > 85.113.221.175: ICMP echo reply, id 32978, seq 20, length 40
13:30:59.481821 IP 85.113.221.175 > 62.33.98.20: ICMP echo request, id 32978, seq 21, length 40
13:30:59.606052 IP 62.33.98.20 > 85.113.221.175: ICMP echo reply, id 32978, seq 21, length 40
13:31:04.480702 IP 85.113.221.175 > 62.33.98.20: ICMP echo request, id 32978, seq 22, length 40
13:31:04.604815 IP 62.33.98.20 > 85.113.221.175: ICMP echo reply, id 32978, seq 22, length 40
```

Ping from client (10.1.1.100) to server (10.1.1.1) doesn't work either.
Ping to the external server IP (85.113.221.175) is successful!
Ping from server (10.1.1.1) to client (10.1.1.100) doesn't work. This is the tcpdump output on the server (ng1 - interface to client 10.1.1.100):

```
# tcpdump -i ng1 -n 'host 10.1.1.100'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ng1, link-type NULL (BSD loopback), capture size 65535 bytes
capability mode sandbox enabled
14:08:18.474498 IP 85.113.221.175 > 10.1.1.100: ICMP echo request, id 33253, seq 16, length 64
14:08:18.507610 IP 10.1.1.100 > 85.113.221.175: ICMP echo reply, id 33253, seq 16, length 64
14:08:18.558783 IP 10.1.1.100.137 > 10.1.1.1.137: NBT UDP PACKET(137): REFRESH(8); REQUEST; UNICAST
14:08:19.476525 IP 85.113.221.175 > 10.1.1.100: ICMP echo request, id 33253, seq 17, length 64
14:08:19.509476 IP 10.1.1.100 > 85.113.221.175: ICMP echo reply, id 33253, seq 17, length 64
14:08:20.485218 IP 85.113.221.175 > 10.1.1.100: ICMP echo request, id 33253, seq 18, length 64
14:08:20.518695 IP 10.1.1.100 > 85.113.221.175: ICMP echo reply, id 33253, seq 18, length 64
14:08:21.497361 IP 85.113.221.175 > 10.1.1.100: ICMP echo request, id 33253, seq 19, length 64
14:08:21.530536 IP 10.1.1.100 > 85.113.221.175: ICMP echo reply, id 33253, seq 19, length 64
14:08:22.509121 IP 85.113.221.175 > 10.1.1.100: ICMP echo request, id 33253, seq 20, length 64
14:08:22.543820 IP 10.1.1.100 > 85.113.221.175: ICMP echo reply, id 33253, seq 20, length 64
```


It is very strange, because this worked on FreeBSD-10.0 RELEASE:

```
This is a reversion of the 254519 on 10.0-STABLE:

Index: netinet/ip_var.h
===================================================================
--- netinet/ip_var.h    (revision 262459)
+++ netinet/ip_var.h    (working copy)
@@ -163,12 +163,10 @@
 #define IP_ALLOWBROADCAST    SO_BROADCAST    /* 0x20 can send broadcast packets */
 
 /*
- * IPv4 protocol layer specific mbuf flags.
+ * mbuf flag used by ip_fastfwd
  */
 #define    M_FASTFWD_OURS        M_PROTO1    /* changed dst to local */
 #define    M_IP_NEXTHOP        M_PROTO2    /* explicit ip nexthop */
-#define    M_SKIP_FIREWALL        M_PROTO3    /* skip firewall processing,
-                           keep in sync with IP6 */
 #define    M_IP_FRAG        M_PROTO4    /* fragment reassembly */
 
 #ifdef __NO_STRICT_ALIGNMENT
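```

Review bot: the new comment `mbuf flag used by ip_fastfwd` misdescribes the block it heads, which still defines M_IP_NEXTHOP and M_IP_FRAG next to M_FASTFWD_OURS; keep the original `IPv4 protocol layer specific mbuf flags` wording, or comment each flag, so nobody assumes the other two belong to ip_fastfwd. Dropping `keep in sync with IP6` is only safe because the IPv6 copy of M_SKIP_FIREWALL goes away in the ip6_var.h hunk as well; say so in the comment, since the header no longer gives any hint that the flag now lives in sys/mbuf.h.

```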
Index: netinet6/ip6_var.h
===================================================================
--- netinet6/ip6_var.h    (revision 262459)
+++ netinet6/ip6_var.h    (working copy)
@@ -293,12 +293,7 @@
 #define    IPV6_FORWARDING        0x02    /* most of IPv6 header exists */
 #define    IPV6_MINMTU        0x04    /* use minimum MTU (IPV6_USE_MIN_MTU) */
 
-/*
- * IPv6 protocol layer specific mbuf flags.
- */
-#define    M_IP6_NEXTHOP        M_PROTO2    /* explicit ip nexthop */
-#define    M_SKIP_FIREWALL        M_PROTO3    /* skip firewall processing,
-                           keep in sync with IPv4 */
+#define    M_IP6_NEXTHOP        M_PROTO7    /* explicit ip nexthop */
 
 #ifdef __NO_STRICT_ALIGNMENT
 #define IP6_HDR_ALIGNED_P(ip)    1
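```

Review bot: M_IP6_NEXTHOP moves from M_PROTO2 to M_PROTO7 without a comment saying why, while the IPv4 M_IP_NEXTHOP in the ip_var.h hunk above stays on M_PROTO2. The likely reason is the netinet6/in6.h table quoted further down in this post, where the pre-r263307 tree already hands M_PROTO2 to M_AUTHIPHDR, so an IPv6 packet that is both IPsec-authenticated and ipfw-forwarded would share a bit; record that reason here, and note the deliberate asymmetry with IPv4 so that a later cleanup does not "re-sync" the two values and reintroduce the collision.

```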
Index: sys/mbuf.h
===================================================================
--- sys/mbuf.h    (revision 262459)
+++ sys/mbuf.h    (working copy)
@@ -235,7 +235,7 @@
 #define    M_PROTO9    0x00100000 /* protocol-specific */
 #define    M_PROTO10    0x00200000 /* protocol-specific */
 #define    M_PROTO11    0x00400000 /* protocol-specific */
-#define    M_PROTO12    0x00800000 /* protocol-specific */
+#define    M_SKIP_FIREWALL    0x00800000
 
 /*
  * Flags to purge when crossing layers.
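```

Review bot: M_SKIP_FIREWALL takes over M_PROTO12's bit (0x00800000) but arrives without a comment, and this header is now the only place the flag is defined; carry over `skip firewall processing` from the removed ip_var.h line. Also grep the tree for remaining M_PROTO12 users before committing, because the name disappears in this hunk and any leftover use fails to compile rather than silently changing meaning.

```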
@@ -242,13 +242,13 @@
  */
 #define    M_PROTOFLAGS \
     (M_PROTO1|M_PROTO2|M_PROTO3|M_PROTO4|M_PROTO5|M_PROTO6|M_PROTO7|M_PROTO8|\
-     M_PROTO9|M_PROTO10|M_PROTO11|M_PROTO12)
+     M_PROTO9|M_PROTO10|M_PROTO11)
 
 /*
  * Flags preserved when copying m_pkthdr.
  */
 #define M_COPYFLAGS \
-    (M_PKTHDR|M_EOR|M_RDONLY|M_BCAST|M_MCAST|M_VLANTAG|M_PROMISC| \
+    (M_PKTHDR|M_EOR|M_RDONLY|M_SKIP_FIREWALL|M_BCAST|M_MCAST|M_VLANTAG|M_PROMISC| \
      M_PROTOFLAGS)
 
 /*
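```

Review bot: taking M_SKIP_FIREWALL out of M_PROTOFLAGS and adding it to M_COPYFLAGS means the "bypass the firewall" mark is no longer purged when the packet crosses layers and is preserved by m_dup_pkthdr copies. That is the pre-r254519 behaviour being restored, but a persistent firewall-bypass bit needs its clearing points documented: state in the comment which input paths are expected to clear it before a re-injected packet reaches pfil again, otherwise a packet marked once skips every subsequent firewall pass.

```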
@@ -255,12 +255,12 @@
  * Mbuf flag description for use with printf(9) %b identifier.
  */
 #define    M_FLAG_BITS \
-    "\20\1M_EXT\2M_PKTHDR\3M_EOR\4M_RDONLY\5M_BCAST\6M_MCAST" \
-    "\7M_PROMISC\10M_VLANTAG\11M_FLOWID"
+    "\20\1M_EXT\2M_PKTHDR\3M_EOR\4M_RDONLY\5M_SKIP_FIREWALL\6M_BCAST\7M_MCAST" \
+    "\8M_PROMISC\10M_VLANTAG\11M_FLOWID"
 #define    M_FLAG_PROTOBITS \
     "\15M_PROTO1\16M_PROTO2\17M_PROTO3\20M_PROTO4\21M_PROTO5" \
     "\22M_PROTO6\23M_PROTO7\24M_PROTO8\25M_PROTO9\26M_PROTO10" \
-    "\27M_PROTO11\30M_PROTO12"
+    "\27M_PROTO11"
 #define    M_FLAG_PRINTF (M_FLAG_BITS M_FLAG_PROTOBITS)
 
 /*
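```

Review bot: the M_FLAG_BITS change is wrong in two ways. `\8` is not an octal escape (only \0 to \7 are valid digits here, so `\8M_PROMISC` encodes no bit position), and inserting M_SKIP_FIREWALL at \5 shifts M_BCAST, M_MCAST, M_PROMISC, M_VLANTAG and M_FLOWID off their real bits, which the first mbuf.h hunk does not move. M_SKIP_FIREWALL is 0x00800000, i.e. bit 24, octal \30, exactly where `\30M_PROTO12` used to be: leave M_FLAG_BITS as it was and replace `\30M_PROTO12` in M_FLAG_PROTOBITS with `\30M_SKIP_FIREWALL`.

```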
```

But this doesn't work on FreeBSD-10 STABLE:

```
Modified: stable/10/sys/netinet/ip_input.c
==============================================================================
--- stable/10/sys/netinet/ip_input.c	Tue Mar 18 16:41:32 2014	(r263306)
+++ stable/10/sys/netinet/ip_input.c	Tue Mar 18 16:56:05 2014	(r263307)
@@ -707,6 +707,7 @@ ours:
* ip_reass() will return a different mbuf.
*/
if (ip->ip_off & htons(IP_MF | IP_OFFMASK)) {
+	/* XXXGL: shouldn't we save & set m_flags? */
m = ip_reass(m);
if (m == NULL)
return;
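```

Review bot: the `XXXGL: shouldn't we save & set m_flags?` comment names exactly the hazard relevant to this thread and then leaves it open: ip_reass() can return a different mbuf, so protocol flags set on the fragment (M_SKIP_FIREWALL, M_IP_NEXTHOP, M_FASTFWD_OURS) are not guaranteed to be present on the reassembled packet. Either save the M_PROTOFLAGS bits before the call and OR them back into the returned mbuf, or turn the question into a tracked TODO; a question mark in committed code is not a resolution.

```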
@@ -799,6 +800,8 @@ SYSCTL_PROC(_net_inet_ip, OID_AUTO, maxf
NULL, 0, sysctl_maxnipq, "I",
"Maximum number of IPv4 fragment reassembly queue entries");

+#define	M_IP_FRAG	M_PROTO9
+
/*
* Take incoming datagram fragment and try to reassemble it into
* whole datagram. If the argument is the first fragment or one
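```

Review bot: the private `#define M_IP_FRAG M_PROTO9` lands after a SYSCTL_PROC in the middle of ip_input.c, far from the shared allocation table this same commit builds in netinet6/in6.h (M_PROTO1 to M_PROTO8). Add a comment here pointing at that table, or reserve M_PROTO9 there with a note that ip_input.c owns it, so the next flag allocated in in6.h does not collide with fragment reassembly.

```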

Modified: stable/10/sys/netinet/ip_var.h
==============================================================================
--- stable/10/sys/netinet/ip_var.h	Tue Mar 18 16:41:32 2014	(r263306)
+++ stable/10/sys/netinet/ip_var.h	Tue Mar 18 16:56:05 2014	(r263307)
@@ -162,15 +162,6 @@ void	kmod_ipstat_dec(int statnum);
#define IP_ROUTETOIF	SO_DONTROUTE	/* 0x10 bypass routing tables */
#define IP_ALLOWBROADCAST	SO_BROADCAST	/* 0x20 can send broadcast packets */

-/*
- * IPv4 protocol layer specific mbuf flags.
- */
-#define	M_FASTFWD_OURS	M_PROTO1	/* changed dst to local */
-#define	M_IP_NEXTHOP	M_PROTO2	/* explicit ip nexthop */
-#define	M_SKIP_FIREWALL	M_PROTO3	/* skip firewall processing,
-	keep in sync with IP6 */
-#define	M_IP_FRAG	M_PROTO4	/* fragment reassembly */
-
#ifdef __NO_STRICT_ALIGNMENT
#define IP_HDR_ALIGNED_P(ip)	1
#else

Modified: stable/10/sys/netinet6/in6.h
==============================================================================
--- stable/10/sys/netinet6/in6.h	Tue Mar 18 16:41:32 2014	(r263306)
+++ stable/10/sys/netinet6/in6.h	Tue Mar 18 16:56:05 2014	(r263307)
@@ -622,13 +622,18 @@ struct ip6_mtuinfo {
#endif /* __BSD_VISIBLE */

/*
- * Redefinition of mbuf flags
+ * Since both netinet/ and netinet6/ call into netipsec/ and netpfil/,
+ * the protocol specific mbuf flags are shared between them.
*/
-#define	M_AUTHIPHDR	M_PROTO2
-#define	M_DECRYPTED	M_PROTO3
-#define	M_LOOP	M_PROTO4
-#define	M_AUTHIPDGM	M_PROTO5
-#define	M_RTALERT_MLD	M_PROTO6
+#define	M_FASTFWD_OURS	M_PROTO1	/* changed dst to local */
+#define	M_IP6_NEXTHOP	M_PROTO2	/* explicit ip nexthop */
+#define	M_IP_NEXTHOP	M_PROTO2	/* explicit ip nexthop */
+#define	M_SKIP_FIREWALL	M_PROTO3	/* skip firewall processing */
+#define	M_AUTHIPHDR	M_PROTO4
+#define	M_DECRYPTED	M_PROTO5
+#define	M_LOOP	M_PROTO6
+#define	M_AUTHIPDGM	M_PROTO7
+#define	M_RTALERT_MLD	M_PROTO8

#ifdef _KERNEL
struct cmsghdr;
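```

Review bot: with this table M_SKIP_FIREWALL is M_PROTO3, a protocol-specific flag that mbuf.h's M_PROTOFLAGS purges when the packet crosses layers (see the `Flags to purge when crossing layers` context in the mbuf.h hunk of the previous patch). The reverted patch above took the opposite choice and made it a persistent flag in M_COPYFLAGS; that difference, not the sharing of the table, decides whether a re-injected packet (netgraph, IPsec decapsulation) still skips ipfw, and the comment should state which behaviour is intended. Also worth a comment: M_IP6_NEXTHOP and M_IP_NEXTHOP deliberately alias M_PROTO2, so nobody "fixes" the duplicate later.

```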

Modified: stable/10/sys/netinet6/ip6_var.h
==============================================================================
--- stable/10/sys/netinet6/ip6_var.h	Tue Mar 18 16:41:32 2014	(r263306)
+++ stable/10/sys/netinet6/ip6_var.h	Tue Mar 18 16:56:05 2014	(r263307)
@@ -293,13 +293,6 @@ struct ip6aux {
#define	IPV6_FORWARDING	0x02	/* most of IPv6 header exists */
#define	IPV6_MINMTU	0x04	/* use minimum MTU (IPV6_USE_MIN_MTU) */

-/*
- * IPv6 protocol layer specific mbuf flags.
- */
-#define	M_IP6_NEXTHOP	M_PROTO2	/* explicit ip nexthop */
-#define	M_SKIP_FIREWALL	M_PROTO3	/* skip firewall processing,
-	keep in sync with IPv4 */
-
#ifdef __NO_STRICT_ALIGNMENT
#define IP6_HDR_ALIGNED_P(ip)	1
#else
```


----------



## gamanakis (Aug 27, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to*

@Senya88, the patch described in https://www.freebsd.org/cgi/query-pr.cgi?pr=185876&cat=kern has already been applied to FreeBSD 10-STABLE. A fresh compiled FreeBSD 10-STABLE kernel should work out of the box.


----------



## Senya88 (Aug 28, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to*

@gamanakis, all right, the patch described in https://www.freebsd.org/cgi/query-pr.cgi?pr=185876&cat=kern works out of the box. Maybe the problem is something else.
Problem: IPsec/L2TP tunnels for users who are behind NAT

Solution:
Apply patches to racoon (5 patches)
Get the FreeBSD-10 STABLE source code
Apply the NAT-T patch to the kernel (net.inet.esp.esp_ignore_natt_cksum=1)
Compile and install the kernel (not the world)

IPFW rules:

```
00900 nat 123 ip from 10.1.1.0/24 to any
00901 nat 123 ip from any to 85.113.221.175
```

Latest tests:
Ping from server 10.1.1.1 to client 10.1.1.100 is successful.
Ping from client to server failed.
tcpdump from server (ng1 tunnel interface for client 10.1.1.100):

```
# tcpdump -i ng1 -n 'host 10.1.1.1'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ng1, link-type NULL (BSD loopback), capture size 65535 bytes
capability mode sandbox enabled
12:56:48.768038 IP 10.1.1.100 > 10.1.1.1: ICMP echo request, id 1, seq 45, length 40
12:56:48.768147 IP 10.1.1.1 > 10.1.1.100: ICMP echo reply, id 1, seq 45, length 40
12:56:53.502041 IP 10.1.1.100 > 10.1.1.1: ICMP echo request, id 1, seq 46, length 40
12:56:53.502146 IP 10.1.1.1 > 10.1.1.100: ICMP echo reply, id 1, seq 46, length 40
12:56:58.502026 IP 10.1.1.100 > 10.1.1.1: ICMP echo request, id 1, seq 47, length 40
12:56:58.502137 IP 10.1.1.1 > 10.1.1.100: ICMP echo reply, id 1, seq 47, length 40
```
It looks as if all is well, but on the client the ping fails. The client firewall is disabled. I am now dumping the traffic, but have not yet found the cause.
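
Both captures in these two posts were taken on the tunnel interface ng1. In the earlier one, a ping the poster sent from 10.1.1.1 shows up with 85.113.221.175 as its source, i.e. the server's own tunnel-bound packets went through NAT before entering the tunnel, which is consistent with the posted `nat 123 ip from 10.1.1.0/24 to any` rule having no interface restriction. The following is an added example, not code from the thread, that turns that observation into a check you can run over saved `tcpdump -n` output: it flags packets on a tunnel interface that carry the external address instead of a pool address, and lists echo requests that never got a reply within the capture. The sample lines are constructed in the shape of the captures above, using the poster's addresses; the pool and external address are parameters.

```python
"""Spot NAT applied to VPN-internal traffic in tcpdump -n output.

Added example, not from the forum thread. Input lines are constructed in the
shape of the ng1 captures posted above; 10.1.1.0/24 is the mpd pool and
85.113.221.175 the server's external address, as in the posts.
"""
import ipaddress
import re

# Constructed sample: two lines where NAT rewrote a tunnel-internal ping, one
# NetBIOS line, and a client->server ping whose second request has no reply.
SAMPLE_NG1 = """\
14:08:18.474498 IP 85.113.221.175 > 10.1.1.100: ICMP echo request, id 33253, seq 16, length 64
14:08:18.507610 IP 10.1.1.100 > 85.113.221.175: ICMP echo reply, id 33253, seq 16, length 64
14:08:18.558783 IP 10.1.1.100.137 > 10.1.1.1.137: NBT UDP PACKET(137): REFRESH(8); REQUEST; UNICAST
12:56:48.768038 IP 10.1.1.100 > 10.1.1.1: ICMP echo request, id 1, seq 45, length 40
12:56:48.768147 IP 10.1.1.1 > 10.1.1.100: ICMP echo reply, id 1, seq 45, length 40
12:56:53.502041 IP 10.1.1.100 > 10.1.1.1: ICMP echo request, id 1, seq 46, length 40
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# tcpdump -n prints "a.b.c.d.port > e.f.g.h.port:" for UDP/TCP and "a.b.c.d > e.f.g.h:" for ICMP.
LINE_RE = re.compile(
    rf"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>{IPV4})(?:\.(?P<sport>\d+))? > "
    rf"(?P<dst>{IPV4})(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)
ECHO_RE = re.compile(r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")


def parse_line(line):
    """Return {ts, src, dst, echo} for one tcpdump line, or None if it is not an IPv4 packet line.
    echo is (kind, id, seq) for ICMP echo traffic, otherwise None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "echo": None}
    e = ECHO_RE.search(m["rest"])
    if e:
        pkt["echo"] = (e["kind"], int(e["id"]), int(e["seq"]))
    return pkt


def natted_on_tunnel(lines, pool, external):
    """Packets captured on a tunnel interface that have the external address at one
    end and a pool address at the other. Traffic between the server and a dial-in
    client should carry pool addresses at both ends, so a hit means a NAT rule
    rewrote the packet before it entered the tunnel."""
    net = ipaddress.ip_network(pool)
    ext = ipaddress.ip_address(external)
    hits = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        if (src == ext and dst in net) or (dst == ext and src in net):
            hits.append((pkt["ts"], pkt["src"], pkt["dst"]))
    return hits


def unanswered_echo(lines):
    """Sorted (id, seq) of ICMP echo requests with no matching reply in the capture."""
    requests, replies = set(), set()
    for line in lines:
        pkt = parse_line(line)
        if pkt and pkt["echo"]:
            kind, ident, seq = pkt["echo"]
            (requests if kind == "request" else replies).add((ident, seq))
    return sorted(requests - replies)


if __name__ == "__main__":
    lines = SAMPLE_NG1.splitlines()
    for ts, src, dst in natted_on_tunnel(lines, "10.1.1.0/24", "85.113.221.175"):
        print(f"{ts}: NAT rewrote a tunnel-internal packet: {src} > {dst}")
    for ident, seq in unanswered_echo(lines):
        print(f"echo id={ident} seq={seq}: request seen, no reply in capture")
```

Feed it `tcpdump -i ng1 -n` output saved to a file (`natted_on_tunnel(open(path), ...)`); if it reports hits, the NAT rule is matching pool-to-pool traffic and needs an interface or destination restriction. A request with no reply on ng1 points at the far side of the tunnel, while a reply that is present on ng1 but never reaches the client (the symptom in the second post) is outside what a server-side capture can show.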


----------



## Senya88 (Aug 28, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to *

Meanwhile I have established one fact: this situation occurs even without IPsec. If you use PPTP the situation is similar.


----------



## Senya88 (Aug 28, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to*

Maybe the problem is on the client.


----------



## Senya88 (Aug 29, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to*

During the test I got some very interesting results! 
I had built into the kernel and set in mpd5 MPPC and MPPE, as follows: 


```
set bundle enable crypt-reqd
set ccp yes mppc
set mppc yes compress e40 e56 e128 stateless
```

After I removed compress, everything worked! Conclusion: MPPC does not work on FreeBSD-10 STABLE (PRERELEASE).

PS: It also works if you remove MPPC under PPP in the connection properties!


----------



## obsigna (Sep 6, 2014)

*Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to *

With patches applied to security/ipsec-tools and to an IPsec-enabled kernel, the L2TP/IPsec VPN Dial-In Server works for me with and without NAT for a number of clients, and the clients work out of the box, i.e. no special software needs to be installed:

Mac OS X 10.5 - 10.9
iOS 6 - 7.1
Windows XP and Windows 7

For the patching procedure see http://forums.freebsd.org/viewtopic.php?p=237778, and for new links to the patches see http://forums.freebsd.org/viewtopic.php?p=258710.

May I ask you to complete the list of compatible client operating systems for the L2TP/IPsec VPN Dial-In Server, which is the subject of this thread (PPTP, OpenVPN, etc. are different animals)?

Does Windows 8.x work?
Which Android versions do work?
What about *nix-Clients?
Please indicate, if the respective client OS works out of the box, or whether special software (which?) need to be installed for access to the given L2TP/IPsec Dial-In Server.


----------



## helicopter (Dec 5, 2014)

Do I need to apply the kernel patches when the server has a public IP but the clients connect through NAT?


----------



## helicopter (Dec 24, 2014)

I use FreeBSD 10.1 and I applied all patches for the kernel and racoon, and it works if all clients have different IPs. Nevertheless I have a problem when more than one client is behind the same NAT. The first client connects fine, but when the second one tries to connect, the connection can't be established. Moreover, it breaks the first connection. Could somebody help me with this problem?

racoon.conf

```
# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

# "path" affects "include" directives.  "path" must be specified before any
# "include" directive with relative file path.
# you can overwrite "path" directive afterwards, however, doing so may add
# more confusion.
#path include "@sysconfdir_x@/racoon";
#include "remote.conf";

# the file should contain key ID/key pairs, for pre-shared key authentication.
#path pre_shared_key "@sysconfdir_x@/racoon/psk.txt";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "@sysconfdir_x@/cert";
#path certificate "/usr/local/etc/racoon/cert";

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
#log debug;
#log debug;
#log info;

# "padding" defines some padding parameters.  You should not touch these.
padding
{
  maximum_length 20;  # maximum padding length.
  randomize off;  # enable randomize length.
  strict_check off;  # enable strict check.
  exclusive_tail off;  # extract last one octet.
}

# if no listen directive is specified, racoon will listen on all
# available interface addresses.
listen
{
  isakmp 1.2.3.4 [500];
  isakmp_natt 1.2.3.4 [4500];
  strict_address;
}

# Specify various default timers.
timer
{
  # These value can be changed per remote node.
  counter 5;  # maximum trying count to send.
  interval 20 sec;  # maximum interval to resend.
  persend 1;  # the number of packets per send.

  # maximum time to wait for completing each phase.
  phase1 30 sec;
  phase2 15 sec;
}

remote anonymous
{
  exchange_mode aggressive,main;
  generate_policy on;
  passive on;
  verify_cert off;
  ike_frag on;
  my_identifier address;

  proposal_check obey;
  support_proxy on;
  nat_traversal on;
  lifetime time 2 min;
  dpd_delay 20;

  doi ipsec_doi;

  proposal {
  encryption_algorithm aes;
  hash_algorithm sha1;
  authentication_method pre_shared_key;
  dh_group modp1024;
  }

  proposal {
  encryption_algorithm 3des;
  hash_algorithm sha1;
  #authentication_method rsasig;
  authentication_method pre_shared_key;
  dh_group modp1024;
  }

  proposal {
  encryption_algorithm aes;
  hash_algorithm md5;
  authentication_method pre_shared_key;
  dh_group modp1024;
  }

  proposal {
  encryption_algorithm 3des;
  hash_algorithm md5;
  authentication_method pre_shared_key;
  dh_group modp1024;
  }
}


sainfo anonymous
{
  pfs_group modp1024;
  encryption_algorithm 3des;
  authentication_algorithm hmac_sha1;
  lifetime time 1 hour;
  compression_algorithm deflate;
}


sainfo anonymous
{
  pfs_group modp1024;
  encryption_algorithm aes;
  authentication_algorithm hmac_sha1;
  lifetime time 1 hour;
  compression_algorithm deflate;
}
```

mpd.conf

```
#################################################################
#
#  MPD configuration file
#
# This file defines the configuration for mpd: what the
# bundles are, what the links are in those bundles, how
# the interface should be configured, various PPP parameters,
# etc. It contains commands just as you would type them
# in at the console. Lines without padding are labels. Lines
# starting with a "#" are comments.
#
# $Id: mpd.conf.sample,v 1.45 2007/11/26 20:41:37 amotin Exp $
#
#################################################################

startup:
  log +ALL
  # configure mpd users
  set user [...]
  ## configure the console
  # set console self 127.0.0.1 5005
  # set console open
  ## configure the web server
  # set web self 0.0.0.0 5006
  # set web open

#
# Default configuration is "dialup"

default:
  load l2tp_server

l2tp_server:
# Define dynamic IP address pool.
  set ippool add pool 172.16.2.100 172.16.2.250
# Create clonable bundle template named Bl
  create bundle template Bl
  set iface enable proxy-arp
  #set iface idle 1800
  set iface enable tcpmssfix
  set ipcp yes vjcomp
# Specify IP address pool for dynamic assigment.
  set ipcp ranges 172.16.2.1/32 ippool pool
  set ipcp dns 172.16.2.1
# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
  set bundle enable compression
  set ccp yes mppc
  set mppc yes e40
  set mppc yes e128
  set mppc yes stateless
# Create clonable link template named Ll
  create link template Ll l2tp
# Set bundle template to use
  set link action bundle Bl
# Multilink adds some overhead, but gives full 1500 MTU.
  set link enable multilink
  set link yes acfcomp protocomp
  set link no pap chap eap
  set link enable chap-msv2
  set link keep-alive 10 60
# We reduce the link MTU to avoid GRE packet fragmentation
  set link mtu 1460
# Configure l2tp
  set l2tp self 1.2.3.4
  set l2tp enable length
# Allow to accept calls
  set link enable incoming
```

setkey.conf

```
flush;
spdflush;

spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] any -P in ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] any -P out ipsec esp/transport//require;
```
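
The racoon.conf above accepts `exchange_mode aggressive,main` with a wildcard PSK. Because a passive responder lets the initiator choose the mode, anyone on the internet can start an aggressive-mode exchange and receive HASH_R, which is derived from the PSK and sent unencrypted, then crack the shared key offline; main mode does not expose it that way, and the built-in clients this thread targets use main mode (the racoon log further down shows a Windows client starting "Identity Protection mode"). The following is an added example, not code from the thread or from ipsec-tools: a small lint that parses a racoon.conf in the shape posted and reports that combination together with md5, modp1024-or-smaller and DES/3DES proposals. The sample is a constructed excerpt of the file above; the parser assumes only `directive value;` and `name { ... }` syntax with `#` comments. Clients of that era do need some of the flagged algorithms, so treat the output as a list to review, not to delete blindly; dropping `aggressive` is the one change that costs nothing in compatibility.

```python
"""Lint a racoon.conf for proposals a wildcard-PSK responder should not accept.

Added example; not part of the thread or of ipsec-tools. The parser handles
only the `directive value;` and `name { ... }` shapes seen in the posted file.
"""
import re

# Constructed excerpt of the racoon.conf posted above.
SAMPLE_RACOON_CONF = """\
remote anonymous
{
  exchange_mode aggressive,main;
  generate_policy on;
  passive on;          # responder only: the initiator picks the mode
  nat_traversal on;
  lifetime time 2 min;

  proposal {
  encryption_algorithm aes;
  hash_algorithm sha1;
  authentication_method pre_shared_key;
  dh_group modp1024;
  }

  proposal {
  encryption_algorithm 3des;
  hash_algorithm md5;
  authentication_method pre_shared_key;
  dh_group modp1024;
  }
}

sainfo anonymous
{
  pfs_group modp1024;
  encryption_algorithm 3des;
  authentication_algorithm hmac_sha1;
  lifetime time 1 hour;
}
"""

TOKEN_RE = re.compile(r"\{|\}|;|[^\s{};]+")
WEAK_DH = {"modp768", "modp1024"}   # 1024-bit DH or smaller
WEAK_HASH = {"md5"}
WEAK_ENC = {"des", "3des"}          # 64-bit block ciphers


def parse(text):
    """Return {header: [block, ...]}. A block maps a directive to its list of values
    (everything after the first word, joined) and a nested block name to a list of dicts."""
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    tokens = TOKEN_RE.findall(stripped)
    pos = 0

    def block():
        nonlocal pos
        out, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "}":
                break
            if tok == "{":
                out.setdefault(" ".join(words), []).append(block())
                words = []
            elif tok == ";":
                if words:
                    out.setdefault(words[0], []).append(" ".join(words[1:]))
                words = []
            else:
                words.append(tok)
        return out

    return block()


def first(block, key):
    """First value of a directive, or '' if absent."""
    return block.get(key, [""])[0]


def lint(text):
    """Findings as 'where: problem' strings, in file order."""
    findings = []
    for header, blocks in parse(text).items():
        kind = header.split()[0]
        for b in blocks:
            if kind == "remote":
                modes = set(first(b, "exchange_mode").split(","))
                for i, prop in enumerate(b.get("proposal", []), 1):
                    where = f"{header} proposal {i}"
                    if "aggressive" in modes and first(prop, "authentication_method") == "pre_shared_key":
                        findings.append(f"{where}: aggressive mode with PSK; any initiator can obtain "
                                        "HASH_R and crack the wildcard PSK offline")
                    if first(prop, "hash_algorithm") in WEAK_HASH:
                        findings.append(f"{where}: hash_algorithm {first(prop, 'hash_algorithm')}")
                    if first(prop, "dh_group") in WEAK_DH:
                        findings.append(f"{where}: dh_group {first(prop, 'dh_group')} (1024-bit or smaller)")
                    if first(prop, "encryption_algorithm") in WEAK_ENC:
                        findings.append(f"{where}: encryption_algorithm {first(prop, 'encryption_algorithm')} "
                                        "(64-bit block cipher)")
            elif kind == "sainfo":
                if first(b, "pfs_group") in WEAK_DH:
                    findings.append(f"{header}: pfs_group {first(b, 'pfs_group')} (1024-bit or smaller)")
                if first(b, "encryption_algorithm") in WEAK_ENC:
                    findings.append(f"{header}: encryption_algorithm {first(b, 'encryption_algorithm')} "
                                    "(64-bit block cipher)")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_RACOON_CONF):
        print(finding)
```

Run it against the real file with `lint(open("/usr/local/etc/racoon/racoon.conf").read())`. On the sample it reports eight findings; the two aggressive-mode ones are the actionable part for a server that publishes a wildcard PSK, the rest are interoperability trade-offs to make knowingly.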


----------



## Senya88 (Feb 10, 2015)

Hello All!

I recently upgraded from 10.1-PRERELEASE to 10.1-STABLE.
When I had 10.1-PRERELEASE it worked fine. I applied the patch (see attachment), so IPsec + L2TP worked. Now it does not work, see the log:



```
Feb 10 11:55:07 server racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 0.000021
Feb 10 11:55:07 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=32): 0.000012
2015-02-10 11:55:07: INFO: ISAKMP-SA deleted 85.113.221.175[4500]-195.239.236.30[34049] spi:ee20073889d64f8d:9ed345652af7285b
2015-02-10 11:55:07: INFO: KA remove: 85.113.221.175[4500]->195.239.236.30[34049]
2015-02-10 11:55:07: ERROR: pfkey X_SPDDELETE failed: Invalid argument
2015-02-10 11:55:07: ERROR: pfkey X_SPDDELETE failed: Invalid argument
tear down SA: delete 195.239.236.30[34049] 85.113.221.175[4500] esp-udp 236912057;
2015-02-10 11:55:08: INFO: unsupported PF_KEY message REGISTER
2015-02-10 11:55:09: ERROR: no iph2 found: ESP 195.239.236.30[500]->85.113.221.175[500] spi=236912057(0xe1efdb9)
2015-02-10 12:01:14: ERROR: Invalid exchange type 243 from 77.70.0.98[500].
2015-02-10 12:16:40: INFO: respond new phase 1 negotiation: 85.113.221.175[500]<=>195.239.236.30[500]
2015-02-10 12:16:40: INFO: begin Identity Protection mode.
2015-02-10 12:16:40: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
2015-02-10 12:16:40: INFO: received Vendor ID: RFC 3947
2015-02-10 12:16:40: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2015-02-10 12:16:40: INFO: received Vendor ID: FRAGMENTATION
2015-02-10 12:16:40: [195.239.236.30] INFO: Selected NAT-T version: RFC 3947
2015-02-10 12:16:40: ERROR: invalid DH group 20.
2015-02-10 12:16:40: ERROR: invalid DH group 19.
2015-02-10 12:16:40: [85.113.221.175] INFO: Hashing 85.113.221.175[500] with algo #2
2015-02-10 12:16:40: INFO: NAT-D payload #0 verified
2015-02-10 12:16:40: [195.239.236.30] INFO: Hashing 195.239.236.30[500] with algo #2
2015-02-10 12:16:40: INFO: NAT-D payload #1 doesn't match
2015-02-10 12:16:40: INFO: NAT detected: PEER
2015-02-10 12:16:40: [195.239.236.30] INFO: Hashing 195.239.236.30[500] with algo #2
2015-02-10 12:16:40: [85.113.221.175] INFO: Hashing 85.113.221.175[500] with algo #2
2015-02-10 12:16:40: INFO: Adding remote and local NAT-D payloads.
Feb 10 12:16:40 server racoon: phase1(ident R msg1): 0.000825
Feb 10 12:16:40 server racoon: oakley_dh_generate(MODP1024): 0.008891
Feb 10 12:16:40 server racoon: oakley_dh_compute(MODP1024): 0.009156
2015-02-10 12:16:40: INFO: NAT-T: ports changed to: 195.239.236.30[28705]<->85.113.221.175[4500]
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=64): 0.000029
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=145): 0.000010
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=165): 0.000009
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=165): 0.000009
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=1): 0.000009
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=20): 0.000008
Feb 10 12:16:40 server racoon: phase1(ident R msg2): 0.300523
2015-02-10 12:16:40: INFO: KA list add: 85.113.221.175[4500]->195.239.236.30[28705]
Feb 10 12:16:40 server racoon: alg_oakley_encdef_decrypt(3des klen=192 size=40): 0.000028
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=488): 0.000027
Feb 10 12:16:40 server racoon: oakley_validate_auth(pre-shared key): 0.000157
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=488): 0.000084
Feb 10 12:16:40 server racoon: alg_oakley_encdef_encrypt(3des klen=192 size=40): 0.000025
Feb 10 12:16:40 server racoon: phase1(ident R msg3): 0.001025
Feb 10 12:16:40 server racoon: phase1(Identity Protection): 0.335384
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=32): 0.000011
Feb 10 12:16:40 server racoon: alg_oakley_encdef_encrypt(3des klen=192 size=56): 0.000023
2015-02-10 12:16:40: INFO: ISAKMP-SA established 85.113.221.175[4500]-195.239.236.30[28705] spi:b95f4a159532e23f:ac9d1f938d145a3a
2015-02-10 12:16:40: INFO: respond new phase 2 negotiation: 85.113.221.175[4500]<=>195.239.236.30[28705]
Feb 10 12:16:40 server racoon: alg_oakley_encdef_decrypt(3des klen=192 size=304): 0.000040
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=276): 0.000024
2015-02-10 12:16:40: INFO: Update the generated policy : 195.239.236.30/32[1701] 85.113.221.175/32[1701] proto=udp dir=in
2015-02-10 12:16:40: INFO: Adjusting my encmode UDP-Transport->Transport
2015-02-10 12:16:40: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
Feb 10 12:16:40 server racoon: phase2(???): 0.000853
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=188): 0.000012
Feb 10 12:16:40 server racoon: alg_oakley_encdef_encrypt(3des klen=192 size=168): 0.000029
Feb 10 12:16:40 server racoon: phase2(quick R msg1): 0.000454
2015-02-10 12:16:40: INFO: IPsec-SA established: ESP 85.113.221.175[500]->195.239.236.30[500] spi=178702525(0xaa6c8bd)
Feb 10 12:16:40 server racoon: alg_oakley_encdef_decrypt(3des klen=192 size=32): 0.000021
2015-02-10 12:16:40: INFO: IPsec-SA established: ESP 85.113.221.175[500]->195.239.236.30[500] spi=26977002(0x19ba2ea)
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=69): 0.000028
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=69): 0.000009
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=89): 0.000008
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=89): 0.000009
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=69): 0.000008
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=89): 0.000008
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=89): 0.000008
Feb 10 12:16:40 server racoon: phase2(???): 0.001156
Feb 10 12:16:40 server racoon: phase2(quick): 1423559800.612272
Feb 10 12:17:15 server racoon: alg_oakley_encdef_decrypt(3des klen=192 size=48): 0.000024
Feb 10 12:17:15 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=20): 0.000019
Feb 10 12:17:15 server racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 0.000025
Feb 10 12:17:15 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=32): 0.000020
2015-02-10 12:17:15: INFO: ISAKMP-SA expired 85.113.221.175[4500]-195.239.236.30[28705] spi:b95f4a159532e23f:ac9d1f938d145a3a
2015-02-10 12:17:15: INFO: deleting a generated policy.
2015-02-10 12:17:15: INFO: ISAKMP-SA deleted 85.113.221.175[4500]-195.239.236.30[28705] spi:b95f4a159532e23f:ac9d1f938d145a3a
2015-02-10 12:17:15: INFO: KA remove: 85.113.221.175[4500]->195.239.236.30[28705]
2015-02-10 12:17:15: ERROR: pfkey X_SPDDELETE failed: Invalid argument
2015-02-10 12:17:15: ERROR: pfkey X_SPDDELETE failed: Invalid argument
tear down SA: delete 195.239.236.30[28705] 85.113.221.175[4500] esp-udp 178702525;
2015-02-10 12:17:16: INFO: unsupported PF_KEY message REGISTER
2015-02-10 12:17:16: ERROR: no iph2 found: ESP 195.239.236.30[500]->85.113.221.175[500] spi=178702525(0xaa6c8bd)
```

Is IPsec + NAT-T broken in FreeBSD 10.1-STABLE?


----------



## sbh01 (Mar 13, 2015)

mix_room said:


> Has anyone had any luck connecting with Windows 7 or Android?
> 
> I keep getting the following in my log files
> 
> ...



I got the same.
Did you find out what is the problem?


----------



## tauri (Mar 14, 2015)

10.1-RELEASE-p6 FreeBSD 10.1-RELEASE-p6 #1 r279985M
+

```
Index: sys/netipsec/ipsec_input.c
===================================================================
--- sys/netipsec/ipsec_input.c  (revision 279985)
+++ sys/netipsec/ipsec_input.c  (working copy)
@@ -349,6 +349,16 @@
  }
  prot = ip->ip_p;

+#ifdef IPSEC_NAT_T
+  if (saidx->mode == IPSEC_MODE_TRANSPORT && sproto == IPPROTO_ESP) {
+  if (prot == IPPROTO_TCP || prot == IPPROTO_UDP) {
+  /* Ignore checksum of packet protected by ESP.  */
+  m->m_pkthdr.csum_flags |= (CSUM_DATA_VALID | CSUM_PSEUDO_HDR);
+  m->m_pkthdr.csum_data = 0xffff;
+  }
+  }
+#endif
+
 #ifdef notyet
  /* IP-in-IP encapsulation */
  if (prot == IPPROTO_IPIP) {
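```

Review bot: the condition covers every transport-mode ESP SA, not only UDP-encapsulated (NAT-T) ones, so peers that are not behind NAT also lose inner TCP/UDP checksum verification, and including TCP means that an SA negotiated with ESP encryption but no integrity algorithm leaves the TCP payload with no check at all (the IPv4 UDP checksum is optional, the TCP one is not). Tighten the test to SAs that actually arrived through UDP encapsulation, and consider the sysctl-gated form mentioned earlier in the thread (net.inet.esp.esp_ignore_natt_cksum) so the bypass can be switched off without rebuilding.

```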
```
ipsec-tools-0.8.2 from ports, without additional patches.

Works, but only one client behind a NAT.


----------



## obsigna (Mar 14, 2015)

tauri said:


> 10.1-RELEASE-p6 FreeBSD 10.1-RELEASE-p6 #1 r279985M
> +
> 
> 
> ...



I switched from security/ipsec-tools to security/strongswan. Only strongswan enables multi-NAT-T without problems. For Windows connectivity, I have a patch in place similar to yours above. And the important point is that only this one must be applied; that means all the other patches that were discussed in various posts in this thread must be removed.

NOTE: I am the original author of this HOWTO (that time my login name was rolfheinrich). I suggest to everybody to switch from security/ipsec-tools to security/strongswan - for the various settings see: http://blog.obsigna.net/?p=520. Nothing needs to be changed on a working net/mpd5 setup.

If Windows connectivity is important via L2TP/IPsec then you need to apply the above patch of tauri -- IMPORTANT, only this one, nothing else. Another option is to use IKEv2/IPsec for Windows.

My strongswan settings follow.
/usr/local/etc/strongswan.conf:

```
charon
{
   load_modular = yes
   plugins
   {
      include strongswan.d/charon/*.conf
   }

   install_virtual_ip_on = re0
   install_virtual_ip = yes
   install_routes = no
   process_route = no

   syslog
   {
      identifier = ipsec
      daemon
      {
         ike_name = yes
      }
   }
}
```

/usr/local/etc/ipsec.conf

```
conn L2TP/IPsec-PSK
   keyexchange = ikev1
   type = transport
   leftauth = psk
   rightauth = psk
   left = %defaultroute
   right = %any
   auto = add

conn L2TP/IPsec-RSA
   keyexchange = ikev1
   type = transport
   leftcert = ipsec-service-cert.pem
   rightcert = ipsec-clients-cert.pem
   left = %defaultroute
   right = %any
   auto = add

conn IKEv2
   keyexchange = ikev2
   leftcert = ipsec-service-cert.pem
   rightcert = ipsec-clients-cert.pem
   left = %defaultroute
   leftsubnet = 0.0.0.0/0
   right = %any
   rightdns = 192.168.1.1
   rightsourceip = 192.168.1.176/28
   auto = add
```

/usr/local/etc/ipsec.secrets

```
: PSK "Dp5GU42F7omBhMVLiJi5V6Em3JWTyJ1"
: RSA ipsec-service-key.pem
```


----------



## docds (Mar 22, 2015)

obsigna said:


> Only strongswan enables Multi-NATT without problems. For Windows connectivity, I have a similar patch in place as your above one.


I would be very grateful if you would post your patch for windows.


----------



## obsigna (Mar 22, 2015)

docds said:


> I would be very grateful if you would post your patch for windows.


Here it comes:

```
--- sys/netipsec/ipsec_input.c.orig    2014-11-19 08:49:47.000000000 -0200
+++ sys/netipsec/ipsec_input.c    2015-01-14 20:45:39.000000000 -0300
@@ -349,6 +349,14 @@ ipsec4_common_input_cb(struct mbuf *m, s
    }
    prot = ip->ip_p;

+#ifdef IPSEC_NAT_T
+    if (saidx->mode == IPSEC_MODE_TRANSPORT && sproto == IPPROTO_ESP && prot == IPPROTO_UDP) {
+        /* Ignore UDP checksum of packet protected by ESP.  */
+        m->m_pkthdr.csum_flags |= (CSUM_DATA_VALID | CSUM_PSEUDO_HDR);
+        m->m_pkthdr.csum_data = 0xffff;
+    }
+#endif
+
#ifdef notyet
    /* IP-in-IP encapsulation */
    if (prot == IPPROTO_IPIP) {
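```

Review bot: limiting the bypass to UDP is the right narrowing, but the test is still "transport-mode ESP" rather than "transport-mode ESP received through UDP encapsulation", so a peer that is not behind NAT and delivers a genuinely corrupted L2TP datagram now passes too; add the SA's NAT-T state to the condition. The hunk header shows this is ipsec4_common_input_cb only, so IPv6 is untouched, which is fine for this thread. RFC 3948's transport-mode decapsulation procedure also allows recomputing the checksum from the NAT-OA payload instead of ignoring it; a comment on why ignoring was chosen would help the next reader.

```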
```
This one differs from tauri's patch in that it disables checksumming for the UDP protocol only (no changes for TCP). Note that in the case of IPv4 the UDP checksum is optional, while the TCP checksum is required. In the present case, ESP already does its own integrity checks, making the UDP checksum somewhat redundant, and for this reason in the case of mode == IPSEC_MODE_TRANSPORT && sproto == IPPROTO_ESP && prot == IPPROTO_UDP we may simply ignore it.

In order to apply above patch, login as root and save it to ~/ipsec-ignore-esp+udp-checksum.patch, then use the following command sequence:
`cd /usr/src`
`patch < ~/ipsec-ignore-esp+udp-checksum.patch`

Finally you need to recompile the kernel.
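
Why the inner UDP checksum fails behind NAT in the first place, and what the two patches above are working around: the client computes the L2TP datagram's UDP checksum over a pseudo-header that contains its own private address, ESP then encrypts the whole datagram, and the NAT can rewrite only the outer IP header. When the server decrypts, its stack verifies the checksum against the post-NAT source address and it no longer matches. The following is an added example, not code from the thread or from FreeBSD, that reproduces the mismatch in plain Python and shows the alternative to ignoring the checksum, recomputing it against the addresses the packet actually arrived with, as RFC 3948's transport-mode decapsulation procedure allows. 192.168.1.20 is the client address from the strongswan log below; the public and server addresses are assumed values from the documentation ranges, and the L2TP payload is constructed.

```python
"""Inner UDP checksum versus NAT-T: reproduce the mismatch and fix it up.

Added example, not from the thread or from FreeBSD. 192.168.1.20 appears in
the strongswan log posted below; the other addresses are assumptions from the
documentation ranges.
"""
import ipaddress
import struct

CLIENT_PRIVATE = "192.168.1.20"  # the client's own address behind the NAT
CLIENT_PUBLIC = "203.0.113.7"    # assumed: the NAT's public address, what the server sees as outer src
SERVER = "198.51.100.1"          # assumed: VPN server address
L2TP_PORT = 1701


def ones_complement_sum(data):
    """16-bit one's complement sum as used by the IP, UDP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src, dst, datagram):
    """RFC 768 checksum over the IPv4 pseudo-header (src, dst, 0, proto 17, length)
    plus the UDP datagram, whose checksum field must already be zero."""
    pseudo = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
              + struct.pack("!BBH", 0, 17, len(datagram)))
    csum = (~ones_complement_sum(pseudo + datagram)) & 0xFFFF
    return csum or 0xFFFF  # a computed 0 is sent as 0xFFFF; 0 on the wire means "no checksum"


def build_udp(src, dst, sport, dport, payload):
    """UDP datagram with a checksum valid for the given address pair."""
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = udp_checksum(src, dst, hdr + payload)
    return hdr[:6] + struct.pack("!H", csum) + payload


def verify_udp(src, dst, datagram):
    """True if the checksum matches this address pair, or is absent (IPv4 allows 0)."""
    (csum,) = struct.unpack("!H", datagram[6:8])
    if csum == 0:
        return True
    zeroed = datagram[:6] + b"\x00\x00" + datagram[8:]
    return udp_checksum(src, dst, zeroed) == csum


def fix_checksum(src_seen, dst, datagram):
    """Receiver-side fix-up: recompute the checksum for the addresses the packet arrived
    with. The kernel patches above take the other option and mark it as already verified."""
    zeroed = datagram[:6] + b"\x00\x00" + datagram[8:]
    return zeroed[:6] + struct.pack("!H", udp_checksum(src_seen, dst, zeroed)) + zeroed[8:]


def demo():
    """The three states of one L2TP datagram: as built, as the server's stack sees it
    after NAT, and after the receiver recomputes the checksum."""
    dgram = build_udp(CLIENT_PRIVATE, SERVER, L2TP_PORT, L2TP_PORT, b"constructed L2TP payload")
    return {
        "as_client_built_it": verify_udp(CLIENT_PRIVATE, SERVER, dgram),
        "as_server_sees_it": verify_udp(CLIENT_PUBLIC, SERVER, dgram),
        "after_fixup": verify_udp(CLIENT_PUBLIC, SERVER, fix_checksum(CLIENT_PUBLIC, SERVER, dgram)),
    }


if __name__ == "__main__":
    for state, ok in demo().items():
        print(f"{state}: checksum {'valid' if ok else 'INVALID'}")
```

The middle result is the failure the thread keeps running into: nothing in the datagram changed, only the pseudo-header the server uses to verify it. Marking the checksum as verified (the patches) and recomputing it (fix_checksum) both let the L2TP packet through; the difference is that the recompute keeps catching datagrams that were actually damaged, which is why it is the preferable fix when the SA is known to be UDP-encapsulated.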


----------



## docds (Mar 22, 2015)

Thanks for your reply. But I still have a few things I don't understand.
I can't get my installation to work properly with NAT-T; without NAT on my ADSL connection everything works fine, but when I go through my Wi-Fi with NAT it won't work.
I applied the patch.
System rebuilt with world:

```
FreeBSD test 10.1-STABLE FreeBSD 10.1-STABLE #6 r280344M: Sun Mar 22 21:24:06 EET 2015     root@test:/usr/obj/usr/src/sys/current  amd64
```
My kernel additional options:

```
options         IPSEC
options         IPSEC_DEBUG
device          crypto
options         IPSEC_NAT_T
device          enc

device          pf
device          pflog
device          pfsync
options         ALTQ
options         ALTQ_CBQ        # Class Based Queuing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
options         ALTQ_CDNR
options         ALTQ_NOPCC      # Required for SMP build
options         NETGRAPH
options         NETGRAPH_ETHER
options         NETGRAPH_SOCKET
options         NETGRAPH_TEE
options         NETGRAPH_MPPC_ENCRYPTION
options         NETGRAPH_MPPC_COMPRESSION
options         NETGRAPH_BPF
options         NETGRAPH_IFACE
options         NETGRAPH_KSOCKET
options         NETGRAPH_PPP
options         NETGRAPH_PPTPGRE
options         NETGRAPH_TCPMSS
options         NETGRAPH_VJC
options         NETGRAPH_ONE2MANY
options         NETGRAPH_RFC1490
options         NETGRAPH_TEE
options         NETGRAPH_TTY
options         NETGRAPH_UI
```


```
Mar 22 17:50:37 14[ENC] <1> parsed ID_PROT request 0 [ ID HASH ]
Mar 22 17:50:37 14[CFG] <1> looking for pre-shared key peer configs matching x.x.x.x...y.y.y.y[192.168.1.20]
Mar 22 17:50:37 14[CFG] <1> selected peer config "L2TP/IPsec-PSK"
Mar 22 17:50:37 14[IKE] <L2TP/IPsec-PSK|1> IKE_SA L2TP/IPsec-PSK[1] established between x.x.x.x[x.x.x.x]...y.y.y.y[192.168.1.20]
Mar 22 17:50:37 14[IKE] <L2TP/IPsec-PSK|1> scheduling reauthentication in 10240s
Mar 22 17:50:37 14[IKE] <L2TP/IPsec-PSK|1> maximum IKE_SA lifetime 10780s
Mar 22 17:50:37 14[ENC] <L2TP/IPsec-PSK|1> generating ID_PROT response 0 [ ID HASH ]
Mar 22 17:50:37 14[NET] <L2TP/IPsec-PSK|1> sending packet: from x.x.x.x[4500] to y.y.y.y[4500] (76 bytes)
Mar 22 17:50:37 15[NET] <L2TP/IPsec-PSK|1> received packet: from y.y.y.y[4500] to x.x.x.x[4500] (332 bytes)
Mar 22 17:50:37 15[ENC] <L2TP/IPsec-PSK|1> parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Mar 22 17:50:37 15[IKE] <L2TP/IPsec-PSK|1> received 250000000 lifebytes, configured 0
Mar 22 17:50:37 15[ENC] <L2TP/IPsec-PSK|1> generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Mar 22 17:50:37 15[NET] <L2TP/IPsec-PSK|1> sending packet: from x.x.x.x[4500] to y.y.y.y[4500] (204 bytes)
Mar 22 17:50:37 15[NET] <L2TP/IPsec-PSK|1> received packet: from y.y.y.y[4500] to x.x.x.x[4500] (60 bytes)
Mar 22 17:50:37 15[ENC] <L2TP/IPsec-PSK|1> parsed QUICK_MODE request 1 [ HASH ]
Mar 22 17:50:37 15[IKE] <L2TP/IPsec-PSK|1> CHILD_SA L2TP/IPsec-PSK{1} established with SPIs c8f95a4c_i 4bffdc99_o and TS x.x.x.x/32[udp/l2f] === y.y.y.y/32[udp/l2f]
Mar 22 17:51:12 14[NET] <L2TP/IPsec-PSK|1> received packet: from y.y.y.y[4500] to x.x.x.x[4500] (76 bytes)
Mar 22 17:51:12 14[ENC] <L2TP/IPsec-PSK|1> parsed INFORMATIONAL_V1 request 1219894490 [ HASH D ]
Mar 22 17:51:12 14[IKE] <L2TP/IPsec-PSK|1> received DELETE for ESP CHILD_SA with SPI 4bffdc99
Mar 22 17:51:12 14[IKE] <L2TP/IPsec-PSK|1> closing CHILD_SA L2TP/IPsec-PSK{1} with SPIs c8f95a4c_i (774 bytes) 4bffdc99_o (0 bytes) and TS x.x.x.x/32[udp/l2f] === y.y.y.y/32[udp/l2f]
Mar 22 17:51:12 10[NET] <L2TP/IPsec-PSK|1> received packet: from y.y.y.y[4500] to x.x.x.x[4500] (92 bytes)
Mar 22 17:51:12 10[ENC] <L2TP/IPsec-PSK|1> parsed INFORMATIONAL_V1 request 1641099219 [ HASH D ]
Mar 22 17:51:12 10[IKE] <L2TP/IPsec-PSK|1> received DELETE for IKE_SA L2TP/IPsec-PSK[1]
Mar 22 17:51:12 10[IKE] <L2TP/IPsec-PSK|1> deleting IKE_SA L2TP/IPsec-PSK[1] between x.x.x.x[x.x.x.x]...y.y.y.y[192.168.1.20]
###################################################
###################################################
Mar 22 18:02:17 10[NET] <2> received packet: from y.y.y.y[500] to x.x.x.x[500] (384 bytes)
Mar 22 18:02:17 10[ENC] <2> parsed ID_PROT request 0 [ SA V V V V V V V ]
Mar 22 18:02:17 10[IKE] <2> received MS NT5 ISAKMPOAKLEY vendor ID
Mar 22 18:02:17 10[IKE] <2> received NAT-T (RFC 3947) vendor ID
Mar 22 18:02:17 10[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 22 18:02:17 10[IKE] <2> received FRAGMENTATION vendor ID
Mar 22 18:02:17 10[ENC] <2> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Mar 22 18:02:17 10[ENC] <2> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Mar 22 18:02:17 10[ENC] <2> received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Mar 22 18:02:17 10[IKE] <2> y.y.y.y is initiating a Main Mode IKE_SA
Mar 22 18:02:17 10[ENC] <2> generating ID_PROT response 0 [ SA V V V ]
Mar 22 18:02:17 10[NET] <2> sending packet: from x.x.x.x[500] to y.y.y.y[500] (136 bytes)
Mar 22 18:02:17 10[NET] <2> received packet: from y.y.y.y[500] to x.x.x.x[500] (228 bytes)
Mar 22 18:02:17 10[ENC] <2> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Mar 22 18:02:17 10[ENC] <2> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Mar 22 18:02:17 10[NET] <2> sending packet: from x.x.x.x[500] to y.y.y.y[500] (212 bytes)
Mar 22 18:02:17 10[NET] <2> received packet: from y.y.y.y[500] to x.x.x.x[500] (76 bytes)
Mar 22 18:02:17 10[ENC] <2> parsed ID_PROT request 0 [ ID HASH ]
Mar 22 18:02:17 10[CFG] <2> looking for pre-shared key peer configs matching x.x.x.x...y.y.y.y[y.y.y.y]
Mar 22 18:02:17 10[CFG] <2> selected peer config "L2TP/IPsec-PSK"
Mar 22 18:02:17 10[IKE] <L2TP/IPsec-PSK|2> IKE_SA L2TP/IPsec-PSK[2] established between x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y]
Mar 22 18:02:17 10[IKE] <L2TP/IPsec-PSK|2> scheduling reauthentication in 10161s
Mar 22 18:02:17 10[IKE] <L2TP/IPsec-PSK|2> maximum IKE_SA lifetime 10701s
Mar 22 18:02:17 10[ENC] <L2TP/IPsec-PSK|2> generating ID_PROT response 0 [ ID HASH ]
Mar 22 18:02:17 10[NET] <L2TP/IPsec-PSK|2> sending packet: from x.x.x.x[500] to y.y.y.y[500] (76 bytes)
Mar 22 18:02:17 13[NET] <L2TP/IPsec-PSK|2> received packet: from y.y.y.y[500] to x.x.x.x[500] (316 bytes)
Mar 22 18:02:17 13[ENC] <L2TP/IPsec-PSK|2> parsed QUICK_MODE request 1 [ HASH SA No ID ID ]
Mar 22 18:02:17 13[IKE] <L2TP/IPsec-PSK|2> received 250000000 lifebytes, configured 0
Mar 22 18:02:17 13[ENC] <L2TP/IPsec-PSK|2> generating QUICK_MODE response 1 [ HASH SA No ID ID ]
Mar 22 18:02:17 13[NET] <L2TP/IPsec-PSK|2> sending packet: from x.x.x.x[500] to y.y.y.y[500] (188 bytes)
Mar 22 18:02:17 13[NET] <L2TP/IPsec-PSK|2> received packet: from y.y.y.y[500] to x.x.x.x[500] (60 bytes)
Mar 22 18:02:17 13[ENC] <L2TP/IPsec-PSK|2> parsed QUICK_MODE request 1 [ HASH ]
Mar 22 18:02:17 13[IKE] <L2TP/IPsec-PSK|2> CHILD_SA L2TP/IPsec-PSK{2} established with SPIs c89b837b_i 95b272f6_o and TS x.x.x.x/32[udp/l2f] === y.y.y.y/32[udp/l2f]
Mar 22 18:02:18 13[KNL] interface ng0 appeared
Mar 22 18:02:18 13[IKE] <L2TP/IPsec-PSK|2> old path is not available anymore, try to find another
Mar 22 18:02:18 13[IKE] <L2TP/IPsec-PSK|2> looking for a route to y.y.y.y ...
Mar 22 18:02:18 14[KNL] 192.168.0.7 appeared on ng0
```
My log file: the first part (NAT, NO_NAT) is identical; in the second part (NO_NAT) the connection is established.
I would be glad for any help.


----------



## obsigna (Mar 23, 2015)

Did you create and configure the AssumeUDPEncapsulationContextOnSendRule registry value on your Windows client(s)? This was discussed in various posts of this thread. Microsoft's support document is a little bit misleading, since it suggests that it is necessary for a Windows 2008 server behind NAT. As a matter of fact, the registry entry needs to be made on any Windows client doing NAT-T with any IPsec server.

see: https://support.microsoft.com/en-us/kb/926179/en-us

You want to set AssumeUDPEncapsulationContextOnSendRule to 2.


----------



## balgaa (Aug 9, 2015)

Yesterday, I upgraded my FreeBSD machine to the latest 9.3-STABLE and after that the L2TP client cannot connect to the server.
`root@vpn:/usr/local/etc/mpd5 # uname -a`

```
FreeBSD x.x.x.x 9.3-STABLE FreeBSD 9.3-STABLE #5 r286367M: Fri Aug  7 08:45:01 ULAT 2015     dashka@x.x.x.x:/usr/obj/usr/src/sys/VPN  amd64
```

But PPTP clients can connect without any problem. Nothing changed in racoon.conf and mpd.conf. Nothing changed in ipsec-tools.

I patched the kernel source again using ipsec-patches.diff after updating the FreeBSD source tree via SVN. Any suggestions?

Below is my mpd.conf:
==========

```
startup:
        # configure mpd users
        # set user super pwSuper admin
        # configure the console
        set console self 127.0.0.1 5005
        set console open
        # configure the web server
        # (0.0.0.0 exposes the web console on every interface; bind it to
        # 127.0.0.1 or firewall port 5006 if it is not meant to be reachable)
        set web self 0.0.0.0 5006
        set web open

default:
        load l2tp_server
        load pptp_server

set user test password test

pptp_server:
        set ippool add pptp_pool 192.168.1.170 192.168.1.199
        create bundle template B_pptp
        set iface enable proxy-arp
        set iface idle 1800
        set iface enable tcpmssfix
        #set iface route 192.168.1.1
        set ipcp yes vjcomp
        set ipcp ranges 192.168.1.1/32 ippool pptp_pool
        set ipcp dns 202.180.216.12
        #set ipcp dns 122.254.125.13
        #set ipcp dns 122.254.125.14
        #set ipcp nbns 192.168.0.1
        set bundle enable compression
        set bundle enable encryption
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set mppc yes stateless
        create link template L_pptp pptp
        set link fsm-timeout 5
        set link action bundle B_pptp
        set link enable multilink
        set link yes acfcomp protocomp
        #set link no pap chap eap chap-msv2
        set link no pap chap
        set link accept eap
        set link enable chap chap-msv2 eap
        set link accept chap-msv2
        #set auth enable system-auth
        #set auth enable internal
        #set bundle authname balgaa
        set link keep-alive 10 60
        set link mtu 1460
        #set pptp self 122.254.125.6
        set pptp self 172.16.2.5
        set pptp enable always-ack
        set link enable incoming


l2tp_server:
# Define dynamic IP address pool - these are the IP addresses which will be
# allocated to our remote clients when they join the LAN
# REPLACE w.x.y.from - w.x.y.to with the IP addresses mpd5 will allocate IP address range.
# e.g.  set ippool add pool_l2tp w.x.y.150 w.x.y.199
        set ippool add pool_l2tp 192.168.1.150 192.168.1.169

# Create clonable bundle template named B_l2tp
        create bundle template B_l2tp
        set iface enable proxy-arp
        set iface enable tcpmssfix
        set ipcp yes vjcomp

# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set mppc yes stateless

# Specify IP address pool for dynamic assignment.
        # This is the internal IP and netmask of the box
        # REPLACE w.x.y.z with the IP address for your VPN server
        set ipcp ranges 192.168.1.1/24 ippool pool_l2tp
        # an accessible DNS server for clients to use
        # REPLACE w.x.y.dns with the IP address for your DNS server
        # e.g. set ipcp dns w.x.y.50
        set ipcp dns 202.180.216.12

# Create clonable link template named L_l2tp
        create link template L_l2tp l2tp
# Set bundle template to use
        set link action bundle B_l2tp
# Multilink adds some overhead, but gives full 1500 MTU.
        set link enable multilink
        set link no pap chap eap
        set link enable chap
        set link keep-alive 0 0
        set link yes acfcomp protocomp
# We reduce the link MTU to avoid ESP packet fragmentation.
        set link mtu 1280
# Configure L2TP
        # REPLACE with the IP address racoon will listen on (if behind NAT, this is the INSIDE IP)
        # Unfortunately, you can not specify multiple IPs here, so just comment the next line if you need that
        set l2tp self 0.0.0.0
        set l2tp enable length
        #set l2tp secret testvpn
# Allow to accept calls
        set link enable incoming
```

Below is my racoon.conf:
============

```
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log debug2;

padding {
        maximum_length 20;
        randomize off;
        strict_check off;
        exclusive_tail off;
}

listen
{
        isakmp           172.16.2.5 [500];
        isakmp_natt      172.16.2.5 [4500];

#        isakmp           192.168.1.0/24 [500];
#        isakmp_natt      192.168.1.0/24 [4500];

        strict_address;
}

timer {
        counter 5;
        interval 20 sec;
        persend 1;
        phase1 30 sec;
        phase2 20 sec;
        natt_keepalive 0 sec;
}

remote anonymous
{
        exchange_mode    main;
        passive          on;
        proposal_check   obey;
        support_proxy    on;
        nat_traversal    on;
        ike_frag         on;
        dpd_delay        30;
        doi              ipsec_doi;
        #generate_policy         on;

        proposal
        {
                encryption_algorithm  aes;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }

        proposal
        {
                encryption_algorithm  3des;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }
}

sainfo anonymous
{
        encryption_algorithm     aes,3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm    deflate;
        pfs_group                modp1024;
}
```


----------



## balgaa (Aug 9, 2015)

I did some debugging: no request goes from racoon to mpd5 during an L2TP connection attempt...


----------



## balgaa (Aug 9, 2015)

Same thing happened on another FreeBSD-9.3-STABLE machine...


----------



## balgaa (Sep 1, 2015)

I found that after updating the source tree, there is no such sysctl(8) parameter.


```
root@vpn:/home/dashka # sysctl net.inet.esp.esp_ignore_natt_cksum=1
sysctl: unknown oid 'net.inet.esp.esp_ignore_natt_cksum'
```

How can I fix it?


----------



## junovitch@ (Sep 2, 2015)

balgaa said:


> ...
> How can I fix it?


What does `sysctl kern.features.ipsec` and `uname -a; freebsd-version` say?  Is ipsec(4) support properly compiled in?


----------



## balgaa (Sep 5, 2015)

Finally, I got it fixed... I had missed the ipsec-patches.diff patch; I applied it again and it works.


----------



## Senya88 (Sep 8, 2015)

Hi All,

The patch for IPsec over NAT is not working on the 10.2-p2 kernel. I tested it.
http://tech4u.pro/files/ipsec-patches-FBSD-10.0.diff
Does anybody have a patch for kernel 10.2?

Thanks


----------



## aladedragon (Sep 22, 2015)

Senya88 said:


> Hi All,
> 
> Patch for IPSEC over NAT not working on 10.2-p2 kernel. I tested it.
> http://tech4u.pro/files/ipsec-patches-FBSD-10.0.diff
> ...


I was wondering if this howto applies to FreeBSD 10.2.
Thanks.


----------



## Senya88 (Sep 22, 2015)

aladedragon said:


> I was wondering if this howto applies to FreeBSD 10.2.
> Thanks.



I think we need to wait for somebody who can edit the patch. Unfortunately, I don't have developer skills. I tried the classic way:
1. `cd /usr/`
2. `patch -p0 < patch.diff`


----------



## obsigna (Sep 24, 2015)

aladedragon said:


> I was wondering if this howto applies to FreeBSD 10.2.
> Thanks.



I am the author of this Howto (at that time my member name was rolfheinrich). Therefore, I guess I may give you the authoritative answer to your question.

If you need Mac OS X and/or iOS connectivity only *AND* if you don't need more than one client connecting from behind the same NAT, then *YES*. If you need Windows connectivity and/or multiple clients behind the same NAT connecting at the same time, then *NO*.



Senya88 said:


> I think we need to wait for somebody who can edit the patch. Unfortunately, I don't have developer skills. I tried the classic way:
> 1. `cd /usr/`
> 2. `patch -p0 < patch.diff`



The net.inet.esp.esp_ignore_natt_cksum kernel patch not only cannot be applied anymore; even if it could be, it would no longer be effective, because on 10.2 the ESP checksum flags are removed at another place in the kernel. That means: simply forget that patch.

As I wrote already sometime ago, I switched from ipsec-tools/mpd5 to strongswan/mpd5.

In addition, for Windows connectivity you want to restore the non-patched original kernel files in sys/netipsec, sys/netinet, and sys/netinet6, and you may want to edit the following kernel file `nano +1561 /usr/src/sys/netinet/udp_usrreq.c` -- Comment out the two lines #1561 and #1562, leaving the code as follows:

```
...

        /*
         * We cannot yet update the cksums so clear any
         * h/w cksum flags as they are no longer valid.
         */
        // if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID)
        //      m->m_pkthdr.csum_flags &= ~(CSUM_DATA_VALID|CSUM_PSEUDO_HDR);

...
```

Provided that you set AssumeUDPEncapsulationContextOnSendRule in the Windows registry to 2, L2TP/IPsec using the strongswan/mpd5 combo should work perfectly with Windows, Android, Mac OS X, and iOS clients with Multi-NAT-T.

Once again, forget racoon from security/ipsec-tools; it is a pain in the ass compared to security/strongswan.


----------



## Senya88 (Sep 26, 2015)

obsigna said:


> As I wrote already sometime ago, I switched from ipsec-tools/mpd5 to strongswan/mpd5.
> In addition, for Windows connectivity you want to restore the non-patched original kernel files in sys/netipsec, sys/netinet, and sys/netinet6, and you may want to edit the following kernel file  nano +1561 /usr/src/sys/netinet/udp_usrreq.c -- Comment out the two lines #1561 and #1562, leaving the code as follows:



Thanks for the detailed answer. However, I didn't find a good guide about strongSwan + FreeBSD. I found one article, http://blog.obsigna.net/?p=520, in German. I tried to deploy this on my server,
but it didn't work.


```
2015-09-06 21:43:07 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, FreeBSD 10.2-RELEASE-p2, i386)
2015-09-06 21:43:07 00[LIB] arbitrary naming of TUN devices is not supported
2015-09-06 21:43:07 00[LIB] failed to open : Device busy
2015-09-06 21:43:07 00[LIB] failed to open : Device busy
2015-09-06 21:43:07 00[LIB] created TUN device: tun2
2015-09-06 21:43:07 00[NET] unable to bind socket: Address already in use
2015-09-06 21:43:07 00[NET] could not open IPv4 socket, IPv4 disabled
2015-09-06 21:43:07 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
2015-09-06 21:43:07 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
2015-09-06 21:43:07 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
2015-09-06 21:43:07 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
2015-09-06 21:43:07 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
2015-09-06 21:43:07 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
2015-09-06 21:43:07 00[CFG] loaded IKE secret for %any
2015-09-06 21:43:07 00[LIB] loaded plugins: charon aes kernel-libipsec des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
2015-09-06 21:43:07 00[JOB] spawning 16 worker threads
2015-09-06 21:43:07 09[CFG] received stroke: add connection 'L2TP/IPsec-PSK'
2015-09-06 21:43:07 09[CFG] left nor right host is our side, assuming left=local
2015-09-06 21:43:07 09[CFG] added configuration 'L2TP/IPsec-PSK'
2015-09-06 21:43:28 09[NET] <1> received packet: from ::ffff:2.94.9.220[500] to ::ffff:85.113.221.175[500] (384 bytes)
2015-09-06 21:43:28 09[ENC] <1> parsed ID_PROT request 0 [ SA V V V V V V V ]
2015-09-06 21:43:28 09[IKE] <1> received MS NT5 ISAKMPOAKLEY vendor ID
2015-09-06 21:43:28 09[IKE] <1> received NAT-T (RFC 3947) vendor ID
2015-09-06 21:43:28 09[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2015-09-06 21:43:28 09[IKE] <1> received FRAGMENTATION vendor ID
2015-09-06 21:43:28 09[ENC] <1> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
2015-09-06 21:43:28 09[ENC] <1> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
2015-09-06 21:43:28 09[ENC] <1> received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
2015-09-06 21:43:28 09[IKE] <1> ::ffff:2.94.9.220 is initiating a Main Mode IKE_SA
2015-09-06 21:43:28 09[ENC] <1> generating ID_PROT response 0 [ SA V V V ]
2015-09-06 21:43:28 09[NET] <1> sending packet: from ::ffff:85.113.221.175[500] to ::ffff:2.94.9.220[500] (136 bytes)
2015-09-06 21:43:28 09[NET] <1> received packet: from ::ffff:2.94.9.220[500] to ::ffff:85.113.221.175[500] (228 bytes)
2015-09-06 21:43:28 09[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2015-09-06 21:43:28 09[IKE] <1> local host is behind NAT, sending keep alives
2015-09-06 21:43:28 09[IKE] <1> remote host is behind NAT
2015-09-06 21:43:28 09[ENC] <1> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
2015-09-06 21:43:28 09[NET] <1> sending packet: from ::ffff:85.113.221.175[500] to ::ffff:2.94.9.220[500] (212 bytes)
2015-09-06 21:43:28 09[NET] <1> received packet: from ::ffff:2.94.9.220[4500] to ::ffff:85.113.221.175[4500] (76 bytes)
2015-09-06 21:43:28 09[ENC] <1> parsed ID_PROT request 0 [ ID HASH ]
2015-09-06 21:43:28 09[CFG] <1> looking for pre-shared key peer configs matching ::ffff:85.113.221.175...::ffff:2.94.9.220[192.168.42.198]
2015-09-06 21:43:28 09[CFG] <1> selected peer config "L2TP/IPsec-PSK"
2015-09-06 21:43:28 09[IKE] <L2TP/IPsec-PSK|1> IKE_SA L2TP/IPsec-PSK[1] established between ::ffff:85.113.221.175[::ffff:85.113.221.175]...::ffff:2.94.9.220[192.168.42.198]
2015-09-06 21:43:28 09[IKE] <L2TP/IPsec-PSK|1> scheduling reauthentication in 10152s
2015-09-06 21:43:28 09[IKE] <L2TP/IPsec-PSK|1> maximum IKE_SA lifetime 10692s
2015-09-06 21:43:28 09[ENC] <L2TP/IPsec-PSK|1> generating ID_PROT response 0 [ ID HASH ]
2015-09-06 21:43:28 09[NET] <L2TP/IPsec-PSK|1> sending packet: from ::ffff:85.113.221.175[4500] to ::ffff:2.94.9.220[4500] (92 bytes)
2015-09-06 21:43:28 11[NET] <L2TP/IPsec-PSK|1> received packet: from ::ffff:2.94.9.220[4500] to ::ffff:85.113.221.175[4500] (332 bytes)
2015-09-06 21:43:28 11[ENC] <L2TP/IPsec-PSK|1> parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
2015-09-06 21:43:28 11[IKE] <L2TP/IPsec-PSK|1> received 250000000 lifebytes, configured 0
2015-09-06 21:43:28 11[ENC] <L2TP/IPsec-PSK|1> generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
2015-09-06 21:43:28 11[NET] <L2TP/IPsec-PSK|1> sending packet: from ::ffff:85.113.221.175[4500] to ::ffff:2.94.9.220[4500] (252 bytes)
2015-09-06 21:43:28 11[NET] <L2TP/IPsec-PSK|1> received packet: from ::ffff:2.94.9.220[4500] to ::ffff:85.113.221.175[4500] (92 bytes)
2015-09-06 21:43:28 11[ENC] <L2TP/IPsec-PSK|1> parsed INFORMATIONAL_V1 request 3811068122 [ HASH D ]
2015-09-06 21:43:28 11[IKE] <L2TP/IPsec-PSK|1> received DELETE for IKE_SA L2TP/IPsec-PSK[1]
2015-09-06 21:43:28 11[IKE] <L2TP/IPsec-PSK|1> deleting IKE_SA L2TP/IPsec-PSK[1] between ::ffff:85.113.221.175[::ffff:85.113.221.175]...::ffff:2.94.9.220[192.168.42.198]
2015-09-06 22:09:52 00[DMN] signal of type SIGTERM received. Shutting down
```

Maybe I missed the patch from the article. I need to check it once again, but the main problem for me is this:

```
2015-09-06 21:43:07 00[NET] unable to bind socket: Address already in use
2015-09-06 21:43:07 00[NET] could not open IPv4 socket, IPv4 disabled
```


----------



## obsigna (Sep 26, 2015)

Senya88 said:


> ...
> 
> ```
> 2015-09-06 21:43:07 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, FreeBSD 10.2-RELEASE-p2, i386)
> ...


You built strongSwan with the option KERNELLIBIPSEC. That was wrong. Do the following:

`# service strongswan stop`

`# cd /usr/ports/security/strongswan`

`# make rmconfig`

`# make deinstall clean distclean`

Finally, install a plainly configured strongSwan, i.e. one without all the bells and whistles: `# pkg install strongswan`

`# service strongswan start`

Try again!


----------



## Senya88 (Sep 27, 2015)

obsigna said:


> You built strongSwan with the option KERNELLIBIPSEC. That was wrong. Do the following:
> 
> `# service strongswan stop`
> 
> ...



Thank you for help!
I did it. Before this, I recompiled the kernel with the patch http://blog.obsigna.net/downloads/IPsec-NATT-Win_v10.2.patch.


```
(pts/2)[root@server:~]# uname -a
FreeBSD server 10.2-RELEASE-p3 FreeBSD 10.2-RELEASE-p3 #1 r288274M: Sat Sep 26 23:09:17 MSK 2015     root@server:/usr/obj/usr/src/sys/SERVER  i386
```

I added the key AssumeUDPEncapsulationContextOnSendRule=2 to my Windows registry.

My configs:
strongswan.conf:

```
charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        install_routes = no
        process_route = no

        filelog {
                /var/log/strongswan.log {
                        flush_line = yes
                        ike_name = yes
                        time_format = "%Y-%m-%d %H:%M:%S"
                }
                ike_name = yes
        }
}
```

ipsec.conf:

```
conn L2TP/IPsec-PSK
    keyexchange = ikev1
    type = transport
    leftauth = psk
    rightauth = psk
    left = %defaultroute
    right = %any
    auto = add
```

ipsec.secrets:

```
: PSK "mykey"
```

Logs:

```
pts/4)[root@server:/usr/local/etc]# /usr/local/etc/rc.d/strongswan onerestart
Stopping strongSwan IPsec...
Starting strongSwan 5.3.2 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
(pts/4)[root@server:/usr/local/etc]# tail -f /var/log/strongswan.log
2015-09-27 17:03:33 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
2015-09-27 17:03:33 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
2015-09-27 17:03:33 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
2015-09-27 17:03:33 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
2015-09-27 17:03:33 00[CFG]   loaded IKE secret for %any
2015-09-27 17:03:33 00[LIB] loaded plugins: charon aes kernel-libipsec des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
2015-09-27 17:03:33 00[JOB] spawning 16 worker threads
2015-09-27 17:03:33 16[CFG] received stroke: add connection 'L2TP/IPsec-PSK'
2015-09-27 17:03:33 16[CFG] left nor right host is our side, assuming left=local
2015-09-27 17:03:33 16[CFG] added configuration 'L2TP/IPsec-PSK'
2015-09-27 17:04:03 16[NET] <1> received packet: from ::ffff:2.93.190.121[500] to ::ffff:85.113.221.175[500] (384 bytes)
2015-09-27 17:04:03 16[ENC] <1> parsed ID_PROT request 0 [ SA V V V V V V V ]
2015-09-27 17:04:03 16[IKE] <1> received MS NT5 ISAKMPOAKLEY vendor ID
2015-09-27 17:04:03 16[IKE] <1> received NAT-T (RFC 3947) vendor ID
2015-09-27 17:04:03 16[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2015-09-27 17:04:03 16[IKE] <1> received FRAGMENTATION vendor ID
2015-09-27 17:04:03 16[ENC] <1> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
2015-09-27 17:04:03 16[ENC] <1> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
2015-09-27 17:04:03 16[ENC] <1> received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
2015-09-27 17:04:03 16[IKE] <1> ::ffff:2.93.190.121 is initiating a Main Mode IKE_SA
2015-09-27 17:04:03 16[ENC] <1> generating ID_PROT response 0 [ SA V V V ]
2015-09-27 17:04:03 16[NET] <1> sending packet: from ::ffff:85.113.221.175[500] to ::ffff:2.93.190.121[500] (136 bytes)
2015-09-27 17:04:03 16[NET] <1> received packet: from ::ffff:2.93.190.121[500] to ::ffff:85.113.221.175[500] (228 bytes)
2015-09-27 17:04:03 16[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2015-09-27 17:04:03 16[IKE] <1> local host is behind NAT, sending keep alives
2015-09-27 17:04:03 16[IKE] <1> remote host is behind NAT
2015-09-27 17:04:03 16[ENC] <1> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
2015-09-27 17:04:03 16[NET] <1> sending packet: from ::ffff:85.113.221.175[500] to ::ffff:2.93.190.121[500] (212 bytes)
2015-09-27 17:04:03 16[NET] <1> received packet: from ::ffff:2.93.190.121[4500] to ::ffff:85.113.221.175[4500] (76 bytes)
2015-09-27 17:04:03 16[ENC] <1> parsed ID_PROT request 0 [ ID HASH ]
2015-09-27 17:04:03 16[CFG] <1> looking for pre-shared key peer configs matching ::ffff:85.113.221.175...::ffff:2.93.190.121[192.168.42.145]
2015-09-27 17:04:03 16[CFG] <1> selected peer config "L2TP/IPsec-PSK"
2015-09-27 17:04:03 16[IKE] <L2TP/IPsec-PSK|1> IKE_SA L2TP/IPsec-PSK[1] established between ::ffff:85.113.221.175[::ffff:85.113.221.175]...::ffff:2.93.190.121[192.168.42.145]
2015-09-27 17:04:03 16[IKE] <L2TP/IPsec-PSK|1> scheduling reauthentication in 9845s
2015-09-27 17:04:03 16[IKE] <L2TP/IPsec-PSK|1> maximum IKE_SA lifetime 10385s
2015-09-27 17:04:03 16[ENC] <L2TP/IPsec-PSK|1> generating ID_PROT response 0 [ ID HASH ]
2015-09-27 17:04:03 16[NET] <L2TP/IPsec-PSK|1> sending packet: from ::ffff:85.113.221.175[4500] to ::ffff:2.93.190.121[4500] (92 bytes)
2015-09-27 17:04:03 09[NET] <L2TP/IPsec-PSK|1> received packet: from ::ffff:2.93.190.121[4500] to ::ffff:85.113.221.175[4500] (380 bytes)
2015-09-27 17:04:03 09[ENC] <L2TP/IPsec-PSK|1> parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
2015-09-27 17:04:03 09[IKE] <L2TP/IPsec-PSK|1> received 250000000 lifebytes, configured 0
2015-09-27 17:04:03 09[ENC] <L2TP/IPsec-PSK|1> generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
2015-09-27 17:04:03 09[NET] <L2TP/IPsec-PSK|1> sending packet: from ::ffff:85.113.221.175[4500] to ::ffff:2.93.190.121[4500] (252 bytes)
2015-09-27 17:04:03 09[NET] <L2TP/IPsec-PSK|1> received packet: from ::ffff:2.93.190.121[4500] to ::ffff:85.113.221.175[4500] (92 bytes)
2015-09-27 17:04:03 09[ENC] <L2TP/IPsec-PSK|1> parsed INFORMATIONAL_V1 request 515713003 [ HASH D ]
2015-09-27 17:04:03 09[IKE] <L2TP/IPsec-PSK|1> received DELETE for IKE_SA L2TP/IPsec-PSK[1]
2015-09-27 17:04:03 09[IKE] <L2TP/IPsec-PSK|1> deleting IKE_SA L2TP/IPsec-PSK[1] between ::ffff:85.113.221.175[::ffff:85.113.221.175]...::ffff:2.93.190.121[192.168.42.145]
```

Unfortunately, it doesn't work.

PS: Sorry, I did not notice that you are the author of the article http://blog.obsigna.net/?p=520. Thanks for the article. It is the only good article on the Internet about FreeBSD + strongSwan.


----------



## obsigna (Sep 27, 2015)

Sorry, I didn't pay attention that you are using IPv6.

For Windows 7 connectivity I patched the function udp4_espdecap(), which, as the name clearly indicates, is for IPv4 only. I had a quick look at the sources and there is no function udp6_espdecap() that could be patched as well.

Perhaps the coarser solution from the post "L2TP/IPSec VPN problems" would work with IPv6.


----------



## obsigna (Sep 27, 2015)

obsigna said:


> Sorry, I didn't pay attention that you are using IPv6. ...
> 
> ... I had a quick look at the sources and there is no function udp6_espdecap() that could be patched as well
> 
> ...



In the meantime I went out for the morning tour with my dog, and the fresh clean air brushed my brain. Of course there is no function udp6_espdecap(), because there is no NAT for IPv6, at least none in FreeBSD that I know of. Some IETF members are thinking aloud about it; however, I am not aware of a working implementation yet.


```
...
2015-09-27 17:04:03 16[NET] <1> received packet: from ::ffff:2.93.190.121[4500] to ::ffff:85.113.221.175[4500] (76 bytes)
...
```

Without NAT, there is no reason to NAT-T encapsulate the IPsec packets (port 4500), so why does your setup do it nonetheless?

You might want to rework your concept. NAT is generally not needed for IPv6, and without NAT in the middle, Windows would not have any problems at all making connections to L2TP/IPsec, e.g., no hassle with kernel patching and registry hacks.
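
Everything a NAT-T peer sends to UDP port 4500 arrives on one socket, and the receiver has to tell three things apart before it can hand the payload on: the one-byte NAT keepalive, IKE prefixed with the four-zero-byte non-ESP marker, and UDP-encapsulated ESP, whose first four bytes are a non-zero SPI (RFC 3948). That demultiplexing is what FreeBSD's udp4_espdecap() does for IPv4 before a packet reaches the ESP input path, and it is why port 4500 has no role when no NAT sits in between. The script below is an added example, not FreeBSD, strongSwan or mpd5 code: it implements that classification in Python on constructed datagrams, and the `build_*` helpers exist only to fabricate test input.

```python
"""Demultiplex what arrives on UDP port 4500 the way a NAT-T capable IPsec
stack (FreeBSD's udp4_espdecap() for IPv4) must, following RFC 3948.
Added example for this thread; not FreeBSD, strongSwan or mpd5 code."""
import struct
from dataclasses import dataclass
from typing import Optional

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: IKE on 4500 carries 4 zero bytes first
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: a single 0xFF byte, never encrypted
# ISAKMP header (RFC 2408 / RFC 7296): iSPI, rSPI, next payload, version,
# exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ESP_HDR = struct.Struct("!II")        # RFC 4303: SPI, sequence number

EXCHANGE_NAMES = {2: "ID_PROT", 4: "AGGRESSIVE", 5: "INFORMATIONAL_V1",
                  32: "QUICK_MODE", 34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


@dataclass
class Udp4500Packet:
    kind: str                        # "keepalive", "ike", "esp" or "invalid"
    spi: Optional[int] = None        # ESP only
    seq: Optional[int] = None        # ESP only
    ike_version: Optional[str] = None
    exchange: Optional[str] = None
    reason: str = ""                 # why it was rejected, for "invalid"


def classify_udp4500(payload: bytes) -> Udp4500Packet:
    """Classify one UDP/4500 datagram payload; never raises on hostile input."""
    if payload == NAT_KEEPALIVE:
        return Udp4500Packet("keepalive")
    if len(payload) < len(NON_ESP_MARKER):
        return Udp4500Packet("invalid", reason="shorter than an SPI")
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < ISAKMP_HDR.size:
            return Udp4500Packet("invalid", reason="truncated ISAKMP header")
        _ispi, _rspi, _np, ver, exch, _flags, _msgid, length = ISAKMP_HDR.unpack_from(ike)
        if length != len(ike):
            return Udp4500Packet("invalid", reason=f"ISAKMP length {length} != {len(ike)}")
        return Udp4500Packet("ike", ike_version=f"{ver >> 4}.{ver & 0xF}",
                             exchange=EXCHANGE_NAMES.get(exch, f"unknown({exch})"))
    # Anything else is UDP-encapsulated ESP: SPI 0 is reserved (RFC 4303), so
    # the non-ESP marker can never collide with a real SPI.
    if len(payload) < ESP_HDR.size:
        return Udp4500Packet("invalid", reason="truncated ESP header")
    spi, seq = ESP_HDR.unpack_from(payload)
    return Udp4500Packet("esp", spi=spi, seq=seq)


def build_ike_over_4500(exchange: int, version: int = 0x10, body: bytes = b"") -> bytes:
    """Constructed test datagram: marker + ISAKMP header + opaque payload bytes."""
    length = ISAKMP_HDR.size + len(body)
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, 0, version, exchange, 0, 0, length)
    return NON_ESP_MARKER + hdr + body


def build_esp_over_4500(spi: int, seq: int, body: bytes) -> bytes:
    """Constructed test datagram: ESP header + opaque (would-be encrypted) bytes."""
    return ESP_HDR.pack(spi, seq) + body
```

The classifier only looks at the framing; it deliberately does not touch the ESP body, which is the job of the SA lookup by SPI that follows in a real stack. The ISAKMP length check is what keeps a truncated or padded IKE datagram from being passed on as if it were well formed.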


----------



## Senya88 (Sep 27, 2015)

obsigna said:


> Sorry, I didn't pay attention that you are using IPv6.
> For Windows 7 connectivity I patched the function udp4_espdecap(), which as the name indicates clearly, is for IPv4 only. I had a quick look at the sources and there is no function udp6_espdecap() that could be patched as well.
> Perhaps the more coarse solution of the post L2TP/IPSec VPN problems would work with IPv6.



Unfortunately, I did not use IPv6. I turned off IPv6 in the Windows connection settings. I installed strongswan via `pkg install strongswan`, but my trouble is still there:

`(pts/1)[root@server:~]# /usr/local/etc/rc.d/strongswan onerestart`

```
Stopping strongSwan IPsec...
Starting strongSwan 5.3.2 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
```
(pts/1)[root@server:~]#


```
2015-09-27 21:12:46 00[DMN] signal of type SIGINT received. Shutting down
2015-09-27 21:12:49 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, FreeBSD 10.2-RELEASE-p3, i386)
2015-09-27 21:12:49 00[LIB] arbitrary naming of TUN devices is not supported
2015-09-27 21:12:49 00[LIB] failed to open : Device busy
2015-09-27 21:12:49 00[LIB] failed to open : Device busy
2015-09-27 21:12:49 00[LIB] created TUN device: tun2
2015-09-27 21:12:49 00[NET] unable to bind socket: Address already in use
2015-09-27 21:12:49 00[NET] could not open IPv4 socket, IPv4 disabled
```

`(pts/2)[root@server:~]# sockstat | grep 500`

```
root     charon     7392  11 udp4 6 *:500                 *:*
root     charon     7392  12 udp4 6 *:4500                *:*
```

Maybe strongswan wants tun0 or tun1 (they are used by OpenVPN). However, this is unlikely.


----------



## obsigna (Sep 27, 2015)

Senya88 said:


> Unfortunately, I did not use IPv6. I turned off IPv6 in the Windows connection settings.



Well, the IP addresses of your previous log don't look quite like IPv4 addresses.


Senya88 said:


> ```
> ...
> 2015-09-27 17:04:03 16[NET] <1> received packet: from ::ffff:2.93.190.121[4500] to ::ffff:85.113.221.175[4500] (76 bytes)
> ...
> ```





Senya88 said:


> I installed strongswan via `pkg install strongswan`, but my trouble is actual yet:
> `[root@server:~]# /usr/local/etc/rc.d/strongswan onerestart`
> 
> ```
> ...



This is not a problem; this is normal on non-Linux machines. I see this too.



Senya88 said:


> ```
> 2015-09-27 21:12:49 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, FreeBSD 10.2-RELEASE-p3, i386)
> 2015-09-27 21:12:49 00[LIB] arbitrary naming of TUN devices is not supported
> 2015-09-27 21:12:49 00[LIB] failed to open : Device busy
> ...



This is troublesome. DO NOT ACTIVATE the option KERNELLIBIPSEC! This will NOT WORK!!


----------



## Senya88 (Oct 1, 2015)

obsigna said:


> This is troublesome. DO NOT ACTIVATE the option KERNELLIBIPSEC! This will NOT WORK!!



Thank you for help.

I tried both solutions:
1. As you recommended install from pkg:

`# service strongswan stop`

`# cd /usr/ports/security/strongswan`

`# make rmconfig`

`# make deinstall clean distclean`

Finally, install a plainly configured strongSwan, i.e. one without all the bells and whistles:

`# pkg install strongswan`

`# service strongswan start`

Try again!
Please look at my attempt:

```
(pts/1)[root@server:/usr/ports/security/strongswan]# cd /usr/ports/security/strongswan/
(pts/1)[root@server:/usr/ports/security/strongswan]# make rmconfig
===> Removing user-configured options for strongswan-5.3.3
(pts/1)[root@server:/usr/ports/security/strongswan]# make deinstall clean distclean
===>  Deinstalling for strongswan
===>   Deinstalling strongswan-5.3.2
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 1 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
        strongswan-5.3.2

The operation will free 4 MiB.
[1/1] Deinstalling strongswan-5.3.2...
You may need to manually remove /usr/local/etc/ipsec.conf if it's no longer needed.
You may need to manually remove /usr/local/etc/strongswan.conf if it's no longer needed.
[1/1] Deleting files for strongswan-5.3.2: 100%
===>  Cleaning for strongswan-5.3.3
===>  Deleting distfiles for strongswan-5.3.3
(pts/1)[root@server:/usr/ports/security/strongswan]# pkg install strongswan
Updating FreeBSD repository catalogue...
Fetching meta.txz: 100%    944 B   0.9kB/s    00:01
Fetching packagesite.txz: 100%    5 MiB   1.4MB/s    00:04
Processing entries: 100%
FreeBSD repository update completed. 24333 packages processed.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        strongswan: 5.3.2

The process will require 4 MiB more space.

Proceed with this action? [y/N]: y
[1/1] Installing strongswan-5.3.2...
[1/1] Extracting strongswan-5.3.2: 100%
(pts/1)[root@server:/usr/ports/security/strongswan]#

(pts/1)[root@server:/usr/ports/security/strongswan]# /usr/local/etc/rc.d/strongswan onestart
Starting strongSwan 5.3.2 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!

(pts/2)[root@server:~]# tail -f /var/log/strongswan.log
2015-10-01 20:37:06 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, FreeBSD 10.1-RELEASE-p14, i386)
2015-10-01 20:37:06 00[LIB] arbitrary naming of TUN devices is not supported
2015-10-01 20:37:06 00[LIB] failed to open : Device busy
2015-10-01 20:37:06 00[LIB] failed to open : Device busy
2015-10-01 20:37:06 00[LIB] created TUN device: tun2
2015-10-01 20:37:06 00[NET] unable to bind socket: Address already in use
2015-10-01 20:37:06 00[NET] could not open IPv4 socket, IPv4 disabled
2015-10-01 20:37:06 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
2015-10-01 20:37:06 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
2015-10-01 20:37:06 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
2015-10-01 20:37:06 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
2015-10-01 20:37:06 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
2015-10-01 20:37:06 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
2015-10-01 20:37:06 00[CFG]   loaded IKE secret for %any
2015-10-01 20:37:06 00[LIB] loaded plugins: charon aes kernel-libipsec des blowfish rc2 sha1 sha2 md4 md5 ran                          dom nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf                           xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown eap-identity eap-md5 eap                          -mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
2015-10-01 20:37:06 00[JOB] spawning 16 worker threads
2015-10-01 20:37:06 11[CFG] received stroke: add connection 'L2TP/IPsec-PSK'
2015-10-01 20:37:06 11[CFG] left nor right host is our side, assuming left=local
2015-10-01 20:37:06 11[CFG] added configuration 'L2TP/IPsec-PSK'
```

2. Install from ports without KERNELLIBIPSEC:

```
(pts/1)[root@server:/usr/ports/security/strongswan]# service strongswan onestop
Stopping strongSwan IPsec...
(pts/1)[root@server:/usr/ports/security/strongswan]# make rmconfig
===> No user-specified options configured for strongswan-5.3.3
(pts/1)[root@server:/usr/ports/security/strongswan]# make deinstall clean distclean
===>  Deinstalling for strongswan
===>   Deinstalling strongswan-5.3.2
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 1 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
        strongswan-5.3.2

The operation will free 4 MiB.
[1/1] Deinstalling strongswan-5.3.2...
You may need to manually remove /usr/local/etc/ipsec.conf if it's no longer needed.
You may need to manually remove /usr/local/etc/strongswan.conf if it's no longer needed.
[1/1] Deleting files for strongswan-5.3.2: 100%
===>  Cleaning for strongswan-5.3.3
===>  Deleting distfiles for strongswan-5.3.3
(pts/1)[root@server:/usr/ports/security/strongswan]# make config
strongswan-5.3.3 options:
[ ] CURL            Enable CURL to fetch CRL/OCSP
[ ] EAPAKA3GPP2     Enable EAP AKA with 3gpp2 backend
[ ] EAPDYNAMIC      Enable EAP dynamic proxy module
[ ] EAPRADIUS       Enable EAP Radius proxy authentication
[ ] EAPSIMFILE      Enable EAP SIM with file backend
[ ] GCM             Enable GCM AEAD wrapper crypto plugin
[x] IKEv1           Enable IKEv1 support
[ ] IPSECKEY        Enable authentication with IPSECKEY resource records
[ ] KERNELLIBIPSEC  Enable IPSec userland backend
[ ] LDAP            LDAP protocol support
[ ] LOADTESTER      Enable load testing plugin
[ ] MYSQL           MySQL database support
[x] PKI             Enable PKI tools
[ ] SCEP            Enable Simple Certificate Enrollment Protocol
[ ] SMP             Enable XML-based management protocol
[ ] SQLITE          SQLite database support
[ ] TESTVECTOR      Enable crypto test vectors
[ ] UNBOUND         Enable DNSSEC-enabled resolver
[ ] UNITY           Enable Cisco Unity extension plugin
[ ] XAUTH           Enable XAuth password verification
<  OK  >            <Cancel>
(pts/1)[root@server:/usr/ports/security/strongswan]# make reinstall clean

[skipped]
Installing strongswan-5.3.3...
===> SECURITY REPORT:
      This port has installed the following files which may act as network
      servers and may therefore pose a remote security risk to the system.
/usr/local/lib/ipsec/libstrongswan.so.0.0.0
/usr/local/lib/ipsec/plugins/libstrongswan-kernel-pfkey.so

      This port has installed the following startup scripts which may cause
      these network services to be started at boot time.
/usr/local/etc/rc.d/strongswan

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage:
http://www.strongswan.org
===>  Cleaning for strongswan-5.3.3
(pts/1)[root@server:/usr/ports/security/strongswan]#

(pts/1)[root@server:/usr/ports/security/strongswan]# /usr/local/etc/rc.d/strongswan onestart
Starting strongSwan 5.3.3 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
(pts/1)[root@server:/usr/ports/security/strongswan]#

(pts/3)[root@server:/usr/local/etc/strongswan.d/charon]# tail -f /var/log/strongswan.log
2015-10-01 20:49:02 00[DMN] Starting IKE charon daemon (strongSwan 5.3.3, FreeBSD 10.1-RELEASE-p14, i386)
2015-10-01 20:49:02 00[LIB] arbitrary naming of TUN devices is not supported
2015-10-01 20:49:02 00[LIB] failed to open : Device busy
2015-10-01 20:49:02 00[LIB] failed to open : Device busy
2015-10-01 20:49:02 00[LIB] created TUN device: tun2
2015-10-01 20:49:02 00[NET] unable to bind socket: Address already in use
2015-10-01 20:49:02 00[NET] could not open IPv4 socket, IPv4 disabled
2015-10-01 20:49:02 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
2015-10-01 20:49:02 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
2015-10-01 20:49:02 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
2015-10-01 20:49:02 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
2015-10-01 20:49:02 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
2015-10-01 20:49:02 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
2015-10-01 20:49:02 00[CFG]   loaded IKE secret for %any
2015-10-01 20:49:02 00[LIB] loaded plugins: charon aes kernel-libipsec des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
2015-10-01 20:49:02 00[JOB] spawning 16 worker threads
2015-10-01 20:49:02 07[CFG] received stroke: add connection 'L2TP/IPsec-PSK'
2015-10-01 20:49:02 07[CFG] added configuration 'L2TP/IPsec-PSK'
```

What am I doing wrong?

Unfortunately, the result was similar.


----------



## Senya88 (Oct 1, 2015)

obsigna said:


> This is troublesome. DO NOT ACTIVATE the option KERNELLIBIPSEC! This will NOT WORK!!



Solved!

```
cat /usr/local/etc/strongswan.d/charon/kernel-libipsec.conf
kernel-libipsec {

    # Allow that the remote traffic selector equals the IKE peer.
    # allow_peer_ts = no

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = no

}
```
I put "load = no". Maybe it's the default of the new version of the port?


```
(pts/1)[root@server:/usr/ports/security/strongswan]# sockstat | grep 500
root     charon     45327 11 udp4 6 *:500                 *:*
root     charon     45327 12 udp4 6 *:4500                *:*
[skipped]
```


----------



## Senya88 (Oct 1, 2015)

Unfortunately, it doesn't work:


```
2015-10-01 21:17:08 00[DMN] Starting IKE charon daemon (strongSwan 5.3.3, FreeBSD 10.2-RELEASE-p3, i386)
2015-10-01 21:17:08 00[KNL] unable to set UDP_ENCAP: Invalid argument
2015-10-01 21:17:08 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
2015-10-01 21:17:08 00[NET] unable to bind socket: Address already in use
2015-10-01 21:17:08 00[NET] could not open IPv4 socket, IPv4 disabled
2015-10-01 21:17:08 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
2015-10-01 21:17:08 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
2015-10-01 21:17:08 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
2015-10-01 21:17:08 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
2015-10-01 21:17:08 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
2015-10-01 21:17:08 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
2015-10-01 21:17:08 00[CFG]   loaded IKE secret for %any
2015-10-01 21:17:08 00[LIB] loaded plugins: charon aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
2015-10-01 21:17:08 00[JOB] spawning 16 worker threads
2015-10-01 21:17:08 03[CFG] received stroke: add connection 'L2TP/IPsec-PSK'
2015-10-01 21:17:08 03[CFG] added configuration 'L2TP/IPsec-PSK'
2015-10-01 21:17:17 03[NET] <1> received packet: from ::ffff:2.93.190.121[500] to ::ffff:85.113.221.175[500] (384 bytes)
2015-10-01 21:17:17 03[ENC] <1> parsed ID_PROT request 0 [ SA V V V V V V V ]
2015-10-01 21:17:17 03[IKE] <1> received MS NT5 ISAKMPOAKLEY vendor ID
2015-10-01 21:17:17 03[IKE] <1> received NAT-T (RFC 3947) vendor ID
2015-10-01 21:17:17 03[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2015-10-01 21:17:17 03[IKE] <1> received FRAGMENTATION vendor ID
2015-10-01 21:17:17 03[ENC] <1> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
2015-10-01 21:17:17 03[ENC] <1> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
2015-10-01 21:17:17 03[ENC] <1> received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
2015-10-01 21:17:17 03[IKE] <1> ::ffff:2.93.190.121 is initiating a Main Mode IKE_SA
2015-10-01 21:17:17 03[ENC] <1> generating ID_PROT response 0 [ SA V V V ]
2015-10-01 21:17:17 03[NET] <1> sending packet: from ::ffff:85.113.221.175[500] to ::ffff:2.93.190.121[500] (136 bytes)
2015-10-01 21:17:17 03[NET] <1> received packet: from ::ffff:2.93.190.121[500] to ::ffff:85.113.221.175[500] (228 bytes)
2015-10-01 21:17:17 03[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2015-10-01 21:17:17 03[IKE] <1> local host is behind NAT, sending keep alives
2015-10-01 21:17:17 03[IKE] <1> remote host is behind NAT
2015-10-01 21:17:17 03[ENC] <1> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
2015-10-01 21:17:17 03[NET] <1> sending packet: from ::ffff:85.113.221.175[500] to ::ffff:2.93.190.121[500] (212 bytes)
2015-10-01 21:17:17 02[NET] <1> received packet: from ::ffff:2.93.190.121[4500] to ::ffff:85.113.221.175[4500] (76 bytes)
2015-10-01 21:17:17 02[ENC] <1> parsed ID_PROT request 0 [ ID HASH ]
2015-10-01 21:17:17 02[CFG] <1> looking for pre-shared key peer configs matching ::ffff:85.113.221.175...::ffff:2.93.190.121[192.168.42.145]
2015-10-01 21:17:17 02[CFG] <1> selected peer config "L2TP/IPsec-PSK"
2015-10-01 21:17:17 02[IKE] <L2TP/IPsec-PSK|1> IKE_SA L2TP/IPsec-PSK[1] established between ::ffff:85.113.221.175[::ffff:85.113.221.175]...::ffff:2.93.190.121[192.168.42.145]
2015-10-01 21:17:17 02[IKE] <L2TP/IPsec-PSK|1> scheduling reauthentication in 9873s
2015-10-01 21:17:17 02[IKE] <L2TP/IPsec-PSK|1> maximum IKE_SA lifetime 10413s
2015-10-01 21:17:17 02[ENC] <L2TP/IPsec-PSK|1> generating ID_PROT response 0 [ ID HASH ]
2015-10-01 21:17:17 02[NET] <L2TP/IPsec-PSK|1> sending packet: from ::ffff:85.113.221.175[4500] to ::ffff:2.93.190.121[4500] (92 bytes)
2015-10-01 21:17:17 15[NET] <L2TP/IPsec-PSK|1> received packet: from ::ffff:2.93.190.121[4500] to ::ffff:85.113.221.175[4500] (332 bytes)
2015-10-01 21:17:17 15[ENC] <L2TP/IPsec-PSK|1> parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
2015-10-01 21:17:17 15[IKE] <L2TP/IPsec-PSK|1> received 250000000 lifebytes, configured 0
2015-10-01 21:17:17 15[ENC] <L2TP/IPsec-PSK|1> generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
2015-10-01 21:17:17 15[NET] <L2TP/IPsec-PSK|1> sending packet: from ::ffff:85.113.221.175[4500] to ::ffff:2.93.190.121[4500] (252 bytes)
2015-10-01 21:17:17 15[NET] <L2TP/IPsec-PSK|1> received packet: from ::ffff:2.93.190.121[4500] to ::ffff:85.113.221.175[4500] (92 bytes)
2015-10-01 21:17:17 15[ENC] <L2TP/IPsec-PSK|1> parsed INFORMATIONAL_V1 request 3018828040 [ HASH D ]
2015-10-01 21:17:17 15[IKE] <L2TP/IPsec-PSK|1> received DELETE for IKE_SA L2TP/IPsec-PSK[1]
2015-10-01 21:17:17 15[IKE] <L2TP/IPsec-PSK|1> deleting IKE_SA L2TP/IPsec-PSK[1] between ::ffff:85.113.221.175[::ffff:85.113.221.175]...::ffff:2.93.190.121[192.168.42.145]
```


----------



## obsigna (Oct 1, 2015)

Senya88 said:


> ```
> kernel-libipsec {...  load = no ...}
> ```
> I put "load = no". May be it's default of new version port?



No, it's not the default of strongSwan from the ports nor from the packages. I don't know how this is possible, but it must somehow be a leftover from one of your previous installations. Maybe because you asked for re-installation [`make reinstall clean`] instead of a fresh install.

Regarding the other issue, Windows starting to talk on the NAT-T channel (port 4500), even when there can't be any NAT because it is IPv6, it came to my mind that the Windows registry hack AssumeUDPEncapsulationContextOnSendRule is nonsense for IPv6. It might be a good idea to remove that value from the Windows registry, and see whether Windows starts again with communication on port 4500.


----------



## Senya88 (Oct 1, 2015)

obsigna said:


> No, it's not the default of strongSwan from the ports nor from the packages. I don't know how this is possible, but it must be somehow a left over from one of your previous installations.



I think so. Maybe the first installation was with KERNELLIBIPSEC. I did
`rm ./strongswan.d`
and after this strongswan could listen on ports 500 and 4500.



obsigna said:


> Regarding the other issue, Windows starting to talk on the NAT-T channel (port 4500), even when there can't be any NAT because it is IPv6, it came to my mind that the Windows registry hack AssumeUDPEncapsulationContextOnSendRule is nonsense for IPv6. It might be a good idea to remove that value from the Windows registry, and see whether Windows starts again with communication on port 4500.



If I understood correctly, I need to remove AssumeUDPEncapsulationContextOnSendRule, is that right?

I removed this key, then rebooted my computer:


```
2015-10-01 22:33:42 00[DMN] Starting IKE charon daemon (strongSwan 5.3.3, FreeBSD 10.2-RELEASE-p3, i386)
2015-10-01 22:33:42 00[KNL] unable to set UDP_ENCAP: Invalid argument
2015-10-01 22:33:42 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
2015-10-01 22:33:42 00[NET] unable to bind socket: Address already in use
2015-10-01 22:33:42 00[NET] could not open IPv4 socket, IPv4 disabled
2015-10-01 22:33:42 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
2015-10-01 22:33:43 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
2015-10-01 22:33:43 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
2015-10-01 22:33:43 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
2015-10-01 22:33:43 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
2015-10-01 22:33:43 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
2015-10-01 22:33:43 00[CFG]   loaded IKE secret for %any
2015-10-01 22:33:43 00[LIB] loaded plugins: charon aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
2015-10-01 22:33:43 00[JOB] spawning 16 worker threads
2015-10-01 22:33:43 14[CFG] received stroke: add connection 'L2TP/IPsec-PSK'
2015-10-01 22:33:43 14[CFG] added configuration 'L2TP/IPsec-PSK'
2015-10-01 22:33:51 14[NET] <1> received packet: from ::ffff:2.93.190.121[500] to ::ffff:85.113.221.175[500] (384 bytes)
2015-10-01 22:33:51 14[ENC] <1> parsed ID_PROT request 0 [ SA V V V V V V V ]
2015-10-01 22:33:51 14[IKE] <1> received MS NT5 ISAKMPOAKLEY vendor ID
2015-10-01 22:33:51 14[IKE] <1> received NAT-T (RFC 3947) vendor ID
2015-10-01 22:33:51 14[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2015-10-01 22:33:51 14[IKE] <1> received FRAGMENTATION vendor ID
2015-10-01 22:33:51 14[ENC] <1> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
2015-10-01 22:33:51 14[ENC] <1> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
2015-10-01 22:33:51 14[ENC] <1> received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
2015-10-01 22:33:51 14[IKE] <1> ::ffff:2.93.190.121 is initiating a Main Mode IKE_SA
2015-10-01 22:33:51 14[ENC] <1> generating ID_PROT response 0 [ SA V V V ]
2015-10-01 22:33:51 14[NET] <1> sending packet: from ::ffff:85.113.221.175[500] to ::ffff:2.93.190.121[500] (136 bytes)
2015-10-01 22:33:51 14[NET] <1> received packet: from ::ffff:2.93.190.121[500] to ::ffff:85.113.221.175[500] (228 bytes)
2015-10-01 22:33:51 14[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2015-10-01 22:33:51 14[IKE] <1> local host is behind NAT, sending keep alives
2015-10-01 22:33:51 14[IKE] <1> remote host is behind NAT
2015-10-01 22:33:51 14[ENC] <1> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
2015-10-01 22:33:51 14[NET] <1> sending packet: from ::ffff:85.113.221.175[500] to ::ffff:2.93.190.121[500] (212 bytes)
2015-10-01 22:33:51 16[NET] <1> received packet: from ::ffff:2.93.190.121[4500] to ::ffff:85.113.221.175[4500] (76 bytes)
2015-10-01 22:33:51 16[ENC] <1> parsed ID_PROT request 0 [ ID HASH ]
2015-10-01 22:33:51 16[CFG] <1> looking for pre-shared key peer configs matching ::ffff:85.113.221.175...::ffff:2.93.190.121[192.168.42.145]
2015-10-01 22:33:51 16[CFG] <1> selected peer config "L2TP/IPsec-PSK"
2015-10-01 22:33:51 16[IKE] <L2TP/IPsec-PSK|1> IKE_SA L2TP/IPsec-PSK[1] established between ::ffff:85.113.221.175[::ffff:85.113.221.175]...::ffff:2.93.190.121[192.168.42.145]
```

Win7 gave me 789 error code.


----------



## obsigna (Oct 1, 2015)

Senya88 said:


> ...
> If I'm understood correctly, I need remove AssumeUDPEncapsulationContextOnSendRule, isn't it?



Yes, either remove it, or set the value to 0, the default behaviour of Windows, see https://support.microsoft.com/en-us/kb/926179.

Clearly you are on IPv6, and IPv6 UDP decapsulation will by no means work on your server; to see this, we only need to read the initial section of your last connection log:

```
2015-10-01 21:17:08 00[DMN] Starting IKE charon daemon (strongSwan 5.3.3, FreeBSD 10.2-RELEASE-p3, i386)
2015-10-01 21:17:08 00[KNL] unable to set UDP_ENCAP: Invalid argument
2015-10-01 21:17:08 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
2015-10-01 21:17:08 00[NET] unable to bind socket: Address already in use
2015-10-01 21:17:08 00[NET] could not open IPv4 socket, IPv4 disabled
...
```
In addition, something is occupying already the IPv4 port 500 and/or 4500, and for this reason IPv4 has been disabled.

On the other hand, strongSwan detects that your server and the remote client are both sitting behind NAT:

```
...
2015-10-01 21:17:17 03[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2015-10-01 21:17:17 03[IKE] <1> local host is behind NAT, sending keep alives
2015-10-01 21:17:17 03[IKE] <1> remote host is behind NAT
2015-10-01 21:17:17 03[ENC] <1> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
...
```
Are you connected via DS-Lite, or do you have a real IPv6 address? If you can't disable NAT then you are at a dead end here. FreeBSD is not able to do IPv6 UDP decapsulation.

Your options are getting rid of DS-Lite, by switching either to pure IPv6 without NAT or to IPv4 (with or without NAT).
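The diagnostics in the two posts above (the `load = no` leftover in `kernel-libipsec.conf`, and the reading of the charon start-up log) can be turned into a repeatable check. The following shell function is an added example, not code posted in this thread: it greps a charon log for the exact messages quoted above and prints what each one means. The sample log is constructed from those quoted lines. The `sockstat` hint and the `net.inet6.ip6.v6only` remark are this example's own suggestion for explaining the `::ffff:` addresses, which the thread never resolved.

```shell
#!/bin/sh
# Added example, not code from this thread: triage a strongSwan charon log for
# the failure patterns discussed in the posts above.  The matched strings are
# the literal charon messages quoted in the thread; the hints are this
# example's reading of them.  Usage: charon_triage /var/log/strongswan.log
# (or feed the log on stdin).  Exit status 1 when a FAIL line was printed.

# True when the log held in $CHARON_LOG matches the basic regex $1.
charon_has() {
    printf '%s\n' "$CHARON_LOG" | grep -q -e "$1"
}

charon_triage() {
    CHARON_LOG=$(cat "${1:--}")    # "${1:--}": file argument, else stdin
    rc=0

    # 1. kernel-libipsec in "loaded plugins:" means the userland ESP backend
    #    (port option KERNELLIBIPSEC) is active; it creates a tun device and
    #    bypasses the kernel IPsec code.  obsigna: do not enable it.
    if charon_has 'loaded plugins:.*kernel-libipsec'; then
        echo 'FAIL  kernel-libipsec plugin loaded: set "load = no" in strongswan.d/charon/kernel-libipsec.conf or build without KERNELLIBIPSEC'
        rc=1
    fi

    # 2. The IPv4 IKE sockets could not be bound, so charon is IPv6-only.
    if charon_has 'could not open IPv4 socket, IPv4 disabled'; then
        echo 'FAIL  IPv4 disabled after "Address already in use": list the owner of UDP 500/4500 with  sockstat -4l | grep -E ":(500|4500) "'
        rc=1
        # Peers logged as ::ffff:a.b.c.d are IPv4 clients seen through an IPv6
        # socket.  Assumption, not settled in the thread: with
        # net.inet6.ip6.v6only=0 an IPv6 wildcard socket also claims the IPv4
        # port, which would explain both the EADDRINUSE and the mapped addresses.
        if charon_has 'received packet: from ::ffff:'; then
            echo 'WARN  peers appear as IPv4-mapped ::ffff: addresses: check  sysctl net.inet6.ip6.v6only  (the FreeBSD default is 1)'
        fi
    fi

    # 3. FreeBSD has no IPv6 UDP encapsulation (no udp6_espdecap), so NAT-T
    #    works for IPv4 peers only.  Harmless while every peer is IPv4.
    if charon_has 'unable to set UDP_ENCAP: Invalid argument' ||
       charon_has 'enabling UDP decapsulation for IPv6 on port 4500 failed'; then
        echo 'INFO  IPv6 UDP encapsulation unavailable on FreeBSD: NAT-T works for IPv4 peers only'
    fi

    # 4. NAT-D payloads put both ends behind NAT: ESP moves to UDP 4500, and
    #    a Windows 7 client needs the udp_usrreq.c patch on the server plus the
    #    AssumeUDPEncapsulationContextOnSendRule value (KB926179) on the client.
    if charon_has 'local host is behind NAT' && charon_has 'remote host is behind NAT'; then
        echo 'INFO  both ends behind NAT: NAT-T on UDP 4500 in use (Windows 7 needs the server patch and the KB926179 registry value)'
    fi

    # 5. Phase 1 completed but the peer deleted the IKE_SA straight away: the
    #    PSK is fine, the problem is in Quick Mode or in L2TP (mpd5).
    if charon_has 'IKE_SA .* established between' && charon_has 'received DELETE for IKE_SA'; then
        echo 'INFO  IKE_SA established then deleted by the peer: Phase 1/PSK OK, look at Quick Mode and mpd5 (Windows error 789)'
    fi

    return $rc
}

# Constructed sample log: the charon messages quoted in this thread, trimmed
# to the lines the triage looks at, with the thread's own addresses.
sample_charon_log() {
    cat <<'EOF'
00[DMN] Starting IKE charon daemon (strongSwan 5.3.3, FreeBSD 10.2-RELEASE-p3, i386)
00[KNL] unable to set UDP_ENCAP: Invalid argument
00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
00[NET] unable to bind socket: Address already in use
00[NET] could not open IPv4 socket, IPv4 disabled
00[LIB] loaded plugins: charon aes kernel-libipsec des sha1 sha2 kernel-pfkey kernel-pfroute socket-default stroke
03[NET] <1> received packet: from ::ffff:2.93.190.121[500] to ::ffff:85.113.221.175[500] (384 bytes)
03[IKE] <1> local host is behind NAT, sending keep alives
03[IKE] <1> remote host is behind NAT
02[IKE] <L2TP/IPsec-PSK|1> IKE_SA L2TP/IPsec-PSK[1] established between ::ffff:85.113.221.175[::ffff:85.113.221.175]...::ffff:2.93.190.121[192.168.42.145]
15[IKE] <L2TP/IPsec-PSK|1> received DELETE for IKE_SA L2TP/IPsec-PSK[1]
EOF
}
```

Run it as `charon_triage /var/log/strongswan.log`, or pipe `tail -n 200 /var/log/strongswan.log` into it after a restart; a non-zero exit status means at least one FAIL line was printed, and `sample_charon_log | charon_triage` shows all five findings on the constructed sample.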


----------



## Senya88 (Oct 1, 2015)

obsigna said:


> Yes, either remove it, or set the value to 0, the default behaviour of Windows, see https://support.microsoft.com/en-us/kb/926179.



Done.



obsigna said:


> Clearly you are on IPv6, and for sure IPv6 UDP decapsulation won't work by no means on your server, for this to know, we need only to read the initial section of your last connection log:



The main problem for me is that I don't use IPv6.



obsigna said:


> In addition, something is occupying already the IPv4 port 500 and/or 4500, and for this reason IPv4 has been disabled.



Sockstat output:

```
(pts/3)[root@server:/usr/local/etc]# sockstat | grep 500
root     charon     10816 11 udp4 6 *:500                 *:*
root     charon     10816 12 udp4 6 *:4500                *:*
root     ntpd       1500  3  dgram  -> /var/run/logpriv
root     ntpd       1500  20 udp4   *:123                 *:*
root     ntpd       1500  21 udp4   10.0.0.1:123          *:*
root     ntpd       1500  22 udp4   192.168.1.1:123       *:*
root     ntpd       1500  23 udp4   127.0.0.1:123         *:*
root     ntpd       1500  24 udp4   85.113.221.175:123    *:*
root     ntpd       1500  28 udp4   10.1.200.1:123        *:*
root     ntpd       1500  29 udp4   10.20.0.5:123         *:*
root     rtorrent   1470  13 tcp4   127.0.0.1:5000        *:*
root     mpd5       1331  16 tcp4   127.0.0.1:5005        *:*
```



obsigna said:


> Are you connected via DS-Lite, or do you have a real IPv6 address? If you can't disable NAT then you will be on a dead end here. FreeBSD is not able to do IPv6 UDP decapsulation.
> Your options are getting rid of DS-Lite, by switching either to pure IPv6 without NAT or to IPv4 (with or without NAT).



Server ip: 85.113.221.175 (static via PPPoE)
My external ip: 2.93.190.121 (dynamic)
My internal ip: 192.168.42.145 (behind NAT (OpenWRT router))
I use standard Win7 network manager.

No IPv6.


----------



## obsigna (Oct 2, 2015)

Why don't these IPv4 addresses show up in the strongSwan connection log, but instead it shows some mangled IPv6 addresses? Does the OpenWRT router do some sort of 4to6 translation?


----------



## Senya88 (Nov 28, 2015)

obsigna said:


> Why don't these IPv4 addresses show up in the strongSwan connection log, but instead it shows some mangled IPv6 addresses? Does the OpenWRT router do some sort of 4to6 translation?



Hi,

Sorry for the long delay. Recently I returned to this issue. I did a test on another test machine (FreeBSD 10.2). It works.
However, I have concluded that there is a problem on the server.
I tried to connect from other addresses, but in the logs I always see this address:
::ffff

Maybe my kernel has wrong options?


----------



## Senya88 (Jan 16, 2016)

obsigna said:


> Why don't these IPv4 addresses show up in the strongSwan connection log, but instead it shows some mangled IPv6 addresses? Does the OpenWRT router do some sort of 4to6 translation?



Hi,

I did some interesting tests. I compiled this kernel: FreeBSD server 10.2-RELEASE-p8 FreeBSD 10.2-RELEASE-p8 with the patch:

http://blog.obsigna.net/downloads/IPsec-NATT-Win_v10.2.patch

Unfortunately, it has no effect, but with the 10.1 kernel the old patch for racoon works successfully. Maybe 10.2-p8 has some changes, so the patch IPsec-NATT-Win_v10.2.patch doesn't work. Unfortunately, I don't know.


----------



## obsigna (Jan 16, 2016)

I just finished a quite thorough test on my server running FreeBSD 10.2-RELEASE-p8 (GENERIC_IPsec). My GENERIC_IPsec kernel configuration file contains:

```
include GENERIC
ident    GENERIC_IPsec

# Options for IPsec
options    IPSEC
options    IPSEC_NAT_T
device    crypto
```
In addition before making the custom kernel, /usr/src/sys/netinet/udp_usrreq.c has been patched using http://blog.obsigna.net/downloads/IPsec-NATT-Win_v10.2.patch.

My Windows 7 client can connect successfully from behind a NAT, and two Mac OS X clients and one more iOS client can connect concurrently from behind the same NAT to the same L2TP/IPsec server running net/mpd5+security/strongswan, see:

[screenshot of the connection list]

The third entry belongs to the Windows 7 client. Without said patch, Windows 7 cannot connect. In addition, I verified that on my FreeBSD server nothing of the old racoon patch sets was left forgotten in my kernel sources. In order to verify this, I did:

`cd`
`mkdir -p orig-src/sys`

`svn co http://svn0.us-east.freebsd.org/base/releng/10.2/sys/netinet orig-src/sys/netinet`
`svn co http://svn0.us-east.freebsd.org/base/releng/10.2/sys/netinet6 orig-src/sys/netinet6`
`svn co http://svn0.us-east.freebsd.org/base/releng/10.2/sys/netipsec orig-src/sys/netipsec`

`diff -rI '\$FreeBSD*' orig-src/sys/netinet /usr/src/sys/netinet`

```
Only in orig-src/sys/netinet: .svn
diff -rI '\$FreeBSD*' orig-src/sys/netinet/udp_usrreq.c /usr/src/sys/netinet/udp_usrreq.c
1557,1563d1556
<     /*
<     * We cannot yet update the cksums so clear any
<     * h/w cksum flags as they are no longer valid.
<     */
<     if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID)
<         m->m_pkthdr.csum_flags &= ~(CSUM_DATA_VALID|CSUM_PSEUDO_HDR);
<
Only in /usr/src/sys/netinet: udp_usrreq.c.orig
```
That one was expected, because the new patch deleted the indicated lines.

`diff -rI '\$FreeBSD*' orig-src/sys/netinet6 /usr/src/sys/netinet6`

```
Only in orig-src/sys/netinet6: .svn
```
`diff -rI '\$FreeBSD*' orig-src/sys/netipsec /usr/src/sys/netipsec`

```
Only in orig-src/sys/netipsec: .svn
```
Conclusion, my custom kernel FreeBSD 10.2-RELEASE-p8 (GENERIC_IPsec) was built with only one patch in place, and with a minimal set of configuration additions -- and, the best of all, *it works*.
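The post above checks the kernel sources against a pristine tree; the kernel configuration itself deserves the same check, since GENERIC_IPsec is `include GENERIC` plus three lines and a leftover `nooptions` in some other file could silently undo them. The functions below are an added example, not code from this thread: they flatten a FreeBSD kernel config by following `include` lines and applying `nooptions`/`nodevice`, then report whether `options IPSEC`, `options IPSEC_NAT_T` and `device crypto` are effective. The fixture files are constructed here (a cut-down GENERIC, obsigna's GENERIC_IPsec, a netgraph-only SERVER config without IPsec, and one that removes NAT-T again); against a real tree you would run `kernconf_ipsec_check /usr/src/sys/i386/conf/SERVER`.

```shell
#!/bin/sh
# Added example, not from the thread: flatten a FreeBSD kernel configuration
# (following 'include' lines, honouring nooptions/nodevice) and report whether
# the IPsec pieces of the GENERIC_IPsec kernel above are effective.  Assumes
# included files live in the same directory as the including file, as under
# /usr/src/sys/*/conf.  'local' is not strictly POSIX but is supported by
# FreeBSD sh, dash and bash.

# Emit "options NAME" / "nooptions NAME" / "device NAME" / "nodevice NAME" in
# file order, recursing into includes.  Comments, quotes and the =value part
# of 'options FOO=value' are stripped.
kernconf_flatten() {
    local conf dir kw name rest
    conf=$1
    dir=$(dirname "$conf")
    sed 's/#.*//' "$conf" | while read -r kw name rest; do
        name=${name#\"}; name=${name%\"}
        case "$kw" in
            include) kernconf_flatten "$dir/$name" ;;
            options|nooptions|device|nodevice) printf '%s %s\n' "$kw" "${name%%=*}" ;;
        esac
    done
}

# Apply the ordering rule: a later nooptions/nodevice removes an earlier
# options/device.  Prints the effective set, one "options X"/"device X" per
# line, sorted.
kernconf_effective() {
    kernconf_flatten "$1" | awk '
        $1 == "options"   { eff["options " $2] = 1 }
        $1 == "nooptions" { delete eff["options " $2] }
        $1 == "device"    { eff["device " $2] = 1 }
        $1 == "nodevice"  { delete eff["device " $2] }
        END { for (k in eff) print k }' | sort
}

# The three additions of the GENERIC_IPsec kernel in this thread (FreeBSD 10.x
# names).  Prints ok/MISSING per item; returns 1 if anything is missing.
kernconf_ipsec_check() {
    local eff item rc
    eff=$(kernconf_effective "$1")
    rc=0
    for item in 'options IPSEC' 'options IPSEC_NAT_T' 'device crypto'; do
        if printf '%s\n' "$eff" | grep -qx "$item"; then
            printf '%-8s %s\n' ok "$item"
        else
            printf '%-8s %s\n' MISSING "$item"
            rc=1
        fi
    done
    return $rc
}

# Constructed fixture written into directory $1: a cut-down GENERIC, obsigna's
# GENERIC_IPsec as posted, a SERVER config in the spirit of Senya88's (netgraph,
# no IPsec) and NO_NATT, which includes GENERIC_IPsec and removes NAT-T again.
kernconf_make_fixture() {
    cat > "$1/GENERIC" <<'EOF'
cpu		I686_CPU
ident		GENERIC
options 	INET			# InterNETworking
options 	INET6			# IPv6 communications protocols
options 	INCLUDE_CONFIG_FILE	# Include this file in kernel
device		random			# Entropy device
EOF
    cat > "$1/GENERIC_IPsec" <<'EOF'
include GENERIC
ident    GENERIC_IPsec

# Options for IPsec
options    IPSEC
options    IPSEC_NAT_T
device    crypto
EOF
    cat > "$1/SERVER" <<'EOF'
include GENERIC
ident    SERVER
options         NETGRAPH
options         NETGRAPH_L2TP
options         IPFIREWALL_VERBOSE_LIMIT=999
EOF
    cat > "$1/NO_NATT" <<'EOF'
include GENERIC_IPsec
ident    NO_NATT
nooptions  IPSEC_NAT_T
EOF
}
```

On a kernel built with `options INCLUDE_CONFIG_FILE` (GENERIC has it), `sysctl -n kern.conftxt` prints the configuration text compiled into the running kernel, which is the thing to inspect when, as in the posts above, it is unclear which tree a kernel was built from. The option names are those of FreeBSD 10.x: from 11.0 on `IPSEC_NAT_T` no longer exists, because NAT-T is always part of `options IPSEC`.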


----------



## Senya88 (Jan 16, 2016)

obsigna said:


> Conclusion, my custom kernel FreeBSD 10.2-RELEASE-p8 (GENERIC_IPsec) was built with only one patch in place, and with a minimal set of configuration additions -- and, the best of all, *it works*.



My kernel is basically GENERIC,


```
(pts/7)[root@server:/usr/src/sys/netinet]# uname -ar
FreeBSD server 10.2-RELEASE-p8 FreeBSD 10.2-RELEASE-p8 #0 r293283M: Thu Jan  7 03:37:27 MSK 2016     root@server:/usr/obj/usr/src/sys/SERVER  i386
```

this is my custom part:


```
#CUSTOM KERNEL FOLLOWING...
options         NETGRAPH
options         NETGRAPH_PPP
options         NETGRAPH_PPTPGRE
options         NETGRAPH_ETHER
options         NETGRAPH_SOCKET
options         NETGRAPH_TEE
options         NETGRAPH_ASYNC
options         NETGRAPH_IFACE
options         NETGRAPH_MPPC_ENCRYPTION
options         NETGRAPH_MPPC_COMPRESSION
options         NETGRAPH_BPF
options         NETGRAPH_KSOCKET
options         NETGRAPH_TCPMSS
options         NETGRAPH_VJC
options         NETGRAPH_ONE2MANY
options         NETGRAPH_RFC1490
options         NETGRAPH_TTY
options         NETGRAPH_UI
options         LIBALIAS
options         MROUTING
options         NETGRAPH_PPPOE
options         NETGRAPH_HOLE
options         NETGRAPH_ECHO
options         NETGRAPH_L2TP

# By Executor
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=999
options IPFILTER
options IPFILTER_LOG
options IPDIVERT
options DUMMYNET
options DEVICE_POLLING
#options IPFIREWALL_FORWARD
options IPFIREWALL_NAT
options IPFIREWALL_DEFAULT_TO_ACCEPT

#colortag
options SC_NORM_ATTR="(FG_GREEN|BG_BLACK)"
options SC_NORM_REV_ATTR="(FG_YELLOW|BG_GREEN)"
options SC_KERNEL_CONS_REV_ATTR="(FG_BLACK|BG_RED)"
options SC_KERNEL_CONS_ATTR="(FG_RED|BG_BLACK)"

# For HTTP Server
maxusers 512

#

options HZ=1000

# PF support
device          pf
device          pflog
device          pfsync
options         ALTQ
options         ALTQ_CBQ
options         ALTQ_RED
options         ALTQ_RIO
options         ALTQ_HFSC
options         ALTQ_PRIQ
options         ALTQ_NOPCC
options         SHMMAXPGS=65536
options         SEMMNI=40
options         SEMMNS=240
options         SEMUME=40
options         SEMMNU=120


#options RADIX_MPATH
#options COMPAT_FREEBSD8 # Compatible with FreeBSD8

#22-08-2012 for ZFS
#options         KVA_PAGES=160

#03-10-2013
# IPSec
options         IPSEC
options         IPSEC_FILTERTUNNEL
options         IPSEC_NAT_T
options         IPSEC_DEBUG
device          crypto
device          enc

#19-11-2013
options         VFS_AIO
device          tap

#28-02-2014
options MAC_PORTACL
```

This is the patched file:


```
(pts/7)[root@server:/usr/src/sys/netinet]# diff -c ./udp_usrreq.c ./udp_usrreq.c.orig
*** ./udp_usrreq.c      2016-01-07 03:09:34.000000000 +0300
--- ./udp_usrreq.c.orig 2016-01-07 02:47:59.000000000 +0300
***************
*** 1554,1559 ****
--- 1554,1566 ----
        ip->ip_len = htons(ntohs(ip->ip_len) - skip);
        ip->ip_p = IPPROTO_ESP;

+       /*
+        * We cannot yet update the cksums so clear any
+        * h/w cksum flags as they are no longer valid.
+        */
+       if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID)
+               m->m_pkthdr.csum_flags &= ~(CSUM_DATA_VALID|CSUM_PSEUDO_HDR);
+
        (void) ipsec4_common_input(m, iphlen, ip->ip_p);
        return (NULL);                  /* NB: consumed, bypass processing. */
  }
(pts/7)[root@server:/usr/src/sys/netinet]#
```
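Review bot: The diff is taken in reverse (the patched `./udp_usrreq.c` first, `./udp_usrreq.c.orig` second), so the `+` lines at 1557-1563 are the lines present only in the original, i.e. the block the patch removes, not a block being added. That matches the `<` deletions in obsigna's `diff -rI` output earlier in the thread, so the source-level patch is identical on both machines and is not what differs between the two setups. Swapping the arguments (`diff -c ./udp_usrreq.c.orig ./udp_usrreq.c`) would show the hunk in apply direction and avoid this misreading.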

This is the log of strongswan:

http://pastebin.com/7ZpRV4zG

Finally, I get error 809 in Win7. All configs are from http://blog.obsigna.net/?p=520
Maybe my other kernel options can have an effect on ipsec?


----------



## obsigna (Jan 16, 2016)

On the Windows client, try both registry changes described in the following support document by Microsoft:

https://support.microsoft.com/en-us/kb/947234

The description is about Windows Vista, however, it should work for Windows 7 as well. Set both values, namely the one of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\AssumeUDPEncapsulationContextOnSendRule and the other one of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\IPsecThroughNAT to 2.


----------



## Senya88 (Jan 21, 2016)

obsigna said:


> On the Windows client, try both registry changes described in the following support document by Microsoft:
> https://support.microsoft.com/en-us/kb/947234
> The description is about Windows Vista, however, it should work for Windows 7 as well. Set both values, namely the one of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\AssumeUDPEncapsulationContextOnSendRule and the other one of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\IPsecThroughNAT to 2.



Unfortunately, it has no effect. As I wrote earlier, if I roll back to kernel version 10.1 with the old NAT-T kernel patch for Racoon, it works (both racoon and strongswan work well).
Most likely the problem is in my server configuration. For example, Strongswan can only start during server boot. If I restart Strongswan, it no longer works, with this error:

```
could not open IPv4 socket, IPv4 disabled
```
It's very strange. For now, I don't know how to solve my issue. The only thing that comes to mind is that my set of custom kernel options could be the reason for the problem, but I can't test it on a live server.


----------



## Jan Knepper (Oct 26, 2016)

I followed these instructions, not to a "tee" as I have 20+ years of experience with FreeBSD, and was able to get an L2TP VPN up and running within an hour. Connecting from iOS was a breeze.

I installed racoon and mpd5 via:

```
# pkg install racoon
# pkg install mpd5
```

When I brought the system up I learned quickly that the wildcard IP check is NOT (yet) built into the prebuilt port of racoon.
The solution was simple:

```
# cd /usr/ports/ipsec-tools
# make configure
   (Select the Wildcard option!)
# make
# make reinstall
```

Thank you for documenting this!


----------



## polijn (May 25, 2020)

Hi to all,
Thanks to obsigna (aka. rolfheinrich) for this howto! I learned so much!!

I successfully set up the VPN-Server on an aws instance.
I can connect my iPhone to it but it has no access to the internet (the website running on port 8000 is reachable). I can't figure out why.

The next problem I encountered is to set up a FreeBSD VPN-Client. I found that: Thread l2tp-ipsec-client.41846 but it is not working for me (I'm a little confused because there is no option for the PSK).

Another question came up while working with ipsec-tools: is it still secure to use? Currently it has no maintainer and I heard it has some security issues.

I am aware of strongSwan and openVPN and that they are much easier to set up, but I really want to use "truly" open-source software (BSD, MIT, Apache and so forth).

I'm struggling with those problems for a very long time now and would be happy with any advice and help.

I'm using: FreeBSD 12.1-RELEASE-p5 GENERIC  amd64
I installed all applications with `pkg`.

The appendix consists of config files I used and the racoon log file.


----------



## obsigna (May 25, 2020)

This is quite an old thread, and a lot of water has flowed down the river Rhine since I started it. To begin with, security/ipsec-tools came with a lot of flaws and there were a lot of obstacles to overcome for getting it to work. In addition, for working with pre-12.0 systems it was necessary to patch the kernel. I dropped usage of racoon from said ipsec-tools in favor of security/strongswan already some years ago. The latter is well maintained and much easier to set up. In addition no kernel patching is necessary anymore with FreeBSD 12.1-RELEASE.

Some time ago I wrote a BLog post on my setup utilizing net/mpd5 together with strongSwan:
German language: https://obsigna.com/articles/1548367297.html
English translation: https://www.translatetheweb.com/?from=de&to=en&a=https://obsigna.com/articles/1548367297.html

In a more recent thread about L2TP/IPsec client configuration on this forum, I showed my setup:

Solved - FreeBSD 12.1-RELEASE - L2TP/IPSEC VPN Client with MPD5/Racoon (forums.freebsd.org)

For getting this to work on AWS-EC2 instances, I always create an alias IP on the xn0 interface. This is because the primary IP range (172.z.z.z) seems to be shared with other instances and would not be exactly available for the IP pool for VPN clients.


```
...
### Network
hostname="example.com"
ifconfig_DEFAULT="SYNCDHCP -tso"
ifconfig_xn0_alias0="inet 10.x.x.x netmask 255.255.255.0"
gateway_enable="YES"
...
```

I just opened an L2TP/IPsec connection to one of my instances:
`ifconfig`

```
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
xn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 9001
    options=403<RXCSUM,TXCSUM,LRO>
    ether 06:f3:e9:dd:ac:91
    inet6 fe80::4f3:e9ff:fedd:ac91%xn0 prefixlen 64 scopeid 0x2
    inet 172.z.z.z netmask 0xfffff000 broadcast 172.z.z.255
    inet 10.x.x.1 netmask 0xffffff00 broadcast 10.x.x.255
    media: Ethernet manual
    status: active
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1280
    inet 10.x.x.1 --> 10.x.x.161 netmask 0xffffffff
    inet6 fe80::f4ef:9a0c:283e:4fe8%ng0 prefixlen 64 scopeid 0x3
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
```

In addition I run local_unbound on said instances as a caching recursive resolver, and in mpd.conf the address of this resolver is announced. This improves the privacy of our installations very much:

Netzwerkdienste DNS und DHCP auf dem FreeBSD-Home-Server (DNS and DHCP network services on the FreeBSD home server) - obsigna.com
Spam-Sperrzonen im DNS des FreeBSD-Home-Servers (Spam block zones in the DNS of the FreeBSD home server) - obsigna.com
GitHub - cyclaero/void-zones-tools: Prepare a list of void zones that can be readily feed into Unbound on FreeBSD - github.com

----------



## polijn (May 26, 2020)

Thanks for the quick response.

I am familiar with your work and a huge fan. Sadly strongSwan is no option for me because of the GNU GPL.

I created the IP alias on the interface and tried various combinations of mpd.conf with it but failed to succeed. Which options do I have to change to the newly created alias IP?
I read your "Netzwerkdienste DNS und DHCP" BLog again but could not tie it to the problem I'm having. Is the local_unbound necessary to set up the VPN-Server? If so do you have some example configurations for my use case?


----------



## obsigna (May 26, 2020)

polijn said:


> Thanks for the quick response.
> 
> I am familiar with your work and a huge fan. Sadly strongSwan is no option for me because of the GNU GPL.
> 
> ...


I mentioned the DNS setup, because in case the VPN client can't access a nameserver it would not reach the internet.

I don't like the GPL too much either, however, sometimes among a bad and a worse choice, I may opt for the bad one. I am liberal enough to let others make their own choices. That said, L2TP/IPsec works in two defined separate stages, and you may want to troubleshoot each stage separately. Please let me suggest that you install security/strongswan for the troubleshooting sessions only. Once you have got everything working with strongSwan you would deactivate it for changing the IPsec part of the VPN to racoon. The benefit is that you know that MPD5 and L2TP are working and you may focus on resolving any remaining IPsec issues with racoon.

Here come the configuration files of a working installation on an AWS-EC2 instance.


----------



## icinemagr (Nov 10, 2021)

When I try to `make buildkernel KERNCONF=GENERIC_IPsec`


I get the error

```
/usr/src/sys/amd64/conf/GENERIC_IPsec: unknown option "IPSEC_NAT_T"
```
Any suggestion?


----------



## SirDice (Nov 10, 2021)

Those options have been removed a long time ago (you're following 10 year old instructions). You don't need to recompile the kernel for IPSec to work (it's already enabled by default in the GENERIC kernel).


[base] Revision 315514 (svnweb.freebsd.org)

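The "unknown option" failure above comes from config(8) not finding the name in its option tables, so the check can be done up front. Added example, not from the thread or from FreeBSD itself: it lists every `options` entry of a kernel config that none of the given tables knows. It assumes the standard layout, /usr/src/sys/conf/options for machine-independent options and /usr/src/sys/<arch>/conf/options.<arch> for machine-dependent ones, where each table line starts with the option name; the demo table and config are constructed inline and are not the real files.

```shell
#!/bin/sh
# Added example (not from the thread): report kernel config `options` that
# config(8) would reject as unknown, by checking each name against the option
# tables config(8) reads (assumed: sys/conf/options and sys/<arch>/conf/options.<arch>,
# first token of each non-comment line being the option name).
# Usage: unknown_kernel_options KERNCONF OPTIONS_TABLE [OPTIONS_TABLE ...]

unknown_kernel_options() {
    conf=$1; shift
    # Option names the tables know, one per line (comments and blank lines dropped)
    known=$(cat "$@" | sed -e 's/#.*//' | awk 'NF { print $1 }')
    # Names the config asks for: second field of active "options" lines,
    # with any "=value" stripped (HZ=1000 -> HZ, SC_NORM_ATTR="..." -> SC_NORM_ATTR)
    sed -e 's/#.*//' "$conf" |
    awk '$1 == "options" { sub(/=.*/, "", $2); print $2 }' |
    while read -r name; do
        printf '%s\n' "$known" | grep -qx "$name" || printf '%s\n' "$name"
    done
}

# Constructed demo (not the real files): a tiny option table without
# IPSEC_NAT_T, which base r315514 removed, and a config that still requests it.
demo_unknown_kernel_options() {
    d=$(mktemp -d) || return 1
    printf 'IPSEC\topt_ipsec.h\nIPSEC_SUPPORT\topt_ipsec.h\n# comment line\nHZ\topt_param.h\n' > "$d/options"
    printf 'options IPSEC\noptions IPSEC_NAT_T\n#options IPSEC_DEBUG\noptions HZ=1000\n' > "$d/GENERIC_IPsec"
    unknown_kernel_options "$d/GENERIC_IPsec" "$d/options"   # prints IPSEC_NAT_T
    rm -rf "$d"
}
```

On a real system: `unknown_kernel_options /usr/src/sys/amd64/conf/GENERIC_IPsec /usr/src/sys/conf/options /usr/src/sys/amd64/conf/options.amd64`; `device` lines are not checked.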
----------



## icinemagr (Nov 10, 2021)

SirDice said:


> Those options have been removed a long time ago (you're following 10 year old instructions). You don't need to recompile the kernel for IPSec to work (it's already enabled by default in the GENERIC kernel).
> 
> 
> 
> ...


So do I need the patches also?
I installed FreeBSD 13, I am searching for a tutorial on installing an L2TP VPN server like this thread, no luck.


----------



## SirDice (Nov 10, 2021)

icinemagr said:


> So do I need the patches also?


No.


----------



## SirDice (Nov 10, 2021)

icinemagr said:


> So do I need the patches also?


No.


icinemagr said:


> I installed FreeBSD 13, I am searching for a tutorial on installing an L2TP VPN server like this thread, no luck.


You might want to start with something a little easier to configure (IPSec is a bit of a pain to configure correctly), OpenVPN or WireGuard are probably easier to start with.


----------



## icinemagr (Nov 10, 2021)

SirDice said:


> No.
> 
> You might want to start with something a little easier to configure (IPSec is a bit of a pain to configure correctly), OpenVPN or WireGuard are probably easier to start with.


Well, I don't like 3rd party tools on Windows clients.
In CentOS there is a script and everything is set up automatically.
But I prefer FreeBSD.


----------



## SirDice (Nov 10, 2021)

IPSec requires quite a bit of networking knowledge. Certainly possible to set up (I have an IPSec tunnel between my home network and my VPS), but a major hurdle if you don't know the difference between layer 2 and 3, or how IPSec works.


----------



## obsigna (Nov 10, 2021)

I started this thread as another user; at that time I was @rolfheinrich. Actually a lot of things changed. To begin with, FreeBSD fully supports IPsec NATT without rebuilding the kernel, also more than one client may connect to the same server from behind the same NAT. Almost all obstacles of those old days have been torn down, and with the advent of security/strongswan, which is working extremely well on FreeBSD, it is even a snap to get IPsec working.

IMHO, the big advantage of L2TP/IPsec over other VPNs is that almost all end user OSes come with L2TP/IPsec clients pre-installed which are easy to configure. This is already handy if you use your server for yourself only, but it is of paramount importance if you want to set up the service for others. With L2TP/IPsec it is usually done by giving the users the server address and the credentials. I am not even sure that L2TP/IPsec is more complicated to set up than OpenVPN nowadays, and even if it is, the little more work on the server side is paid back quickly by not needing to do anything on multiple clients.

I documented the setup which I use on my BLog. Unfortunately, this article is in German, however I am sure that people are able to grasp the essentials from the English translation by the Google Translator:
In German: https://obsigna.com/articles/1548367297.html
English Translation by the Google Translator: https://obsigna-com.translate.goog/articles/1548367297.html?_x_tr_sl=de&_x_tr_tl=en


----------



## icinemagr (Nov 10, 2021)

Your article is great and as far as I can tell it's the only one on the Web.
When you try to find a VPN server for BSD supporting L2TP you see everything like OpenVPN etc.
Many congrats for your article again.


----------



## icinemagr (Nov 10, 2021)

Is it possible with your configuration in the article to have a VPN on a virtual machine with one network interface and public IP x.x.x.x?
Or should I install one more interface with a local IP?

Thanks anyway.


----------



## obsigna (Nov 10, 2021)

icinemagr said:


> Is it possible with your configuration in the article to have a VPN on a virtual machine with one network interface and public IP x.x.x.x?
> Or should I install one more interface with a local IP?
> 
> Thanks anyway.


No need to install another network interface. You may want to use the alias facility of ifconfig(8) to assign another  network address to the network interface. For example, this is what I have on a number of AWS-EC2 instances:


```
ifconfig_DEFAULT="SYNCDHCP -tso"
ifconfig_xn0_alias0="inet 10.0.0.XX netmask 255.255.255.0"
```

The benefit is that I don’t need to care whether the instance always gets assigned the same local IP from the AWS hypervisor. With that in place we would do all the adjustments according to my Blog post against 10.0.0.XX as if it were a network provided by a second NIC.


----------

