# Cannot connect to Internet as a vpn client



## CanvisMe (May 19, 2021)

Hello, I'm studying at a university and have been using FreeBSD as my daily computer operating system for months. However, I still cannot connect to the outside Internet via *wired ethernet*. There are *two steps* to set up a connection in my laboratory.

First, provide the information of the *static ipv4 address*, *netmask*, *defaultrouter* and *DNS server*.
Second, set up an l2tp vpn client to the remote server. Every user should provide their own _username_ and _password_.
The first step works *fine*, and I can browse the school's forum and other local websites; the trouble comes in the *second step*. According to some threads in the FreeBSD forum, I tried to use net/mpd5 and security/strongswan to configure a vpn client, but it failed in the end. The messages from mpd5 suggested that the connection was established for seconds and disconnected immediately. Maybe my configuration files were wrong, or the remote server does not support FreeBSD's connection? The same connection steps work fine in Windows and Ubuntu.

Here are some configuration files and other information about my network.

/etc/rc.conf:

```
ifconfig_re0_ipv6="inet6 accept_rtad"
ifconfig_re0="inet *.*.*.76 netmask *.*.*.*"
defaultrouter="*.*.*.169"
```

/etc/resolv.conf

```
nameserver *.*.*.*
```

/usr/local/etc/ipsec.conf

```
config setup
    strictcrlpolicy=no

conn l2tp_client
    keyexchange=ikev2
    type=transport
    leftfirewall=yes

    leftauth=eap-mschapv2
    left=%defaultroute
    leftprotoport=17/%any

    right=lns.*.*.*
    rightauth=pubkey
    rightsubnet=*.*.*.169
    rightprotoport=17/1701

    auto=route
```

/usr/local/etc/ipsec.secret

```
lns.*.*.* 21***@* : XAUTH "Jw***"
21***@* : XAUTH "Jw***"
21***@* : EAP "Jw***"
21***@* : NTLM "Jw***"
```
For my _username_ and _password_, I used multiple entries for one account. Probably one entry is enough.

/usr/local/etc/mpd5/mpd.conf

```
startup:

default:
    load l2tp_client

l2tp_client:
    create bundle static B_l2tp
    set bundle enable compression
    set iface enable tcpmssfix
    set iface route default
    set iface mtu 1428

    create link static L_l2tp l2tp

    set link action bundle B_l2tp
    set link max-redial 5
    set link keep-alive 0 0
    set link yes acfcomp protocomp
    set link accept pap
    set link accept chap-msv2
    set link accept chap
    set link accept eap
    set auth authname "21***@*"
    set auth password "Jw***"
    set l2tp peer lns.*.*.*
    set l2tp disable dataseq
    set l2tp enable outcall

    open
```
/usr/local/etc/mpd5/mpd.secret

```
21***@*    "Jw***"
```

And here are some messages from the command `mpd5 l2tp_client`:

```
Multi-link PPP daemon for FreeBSD

process 4825 started, version 5.9
[B_l2tp] Bundle: Interface ng0 created
[L_l2tp] [L_l2tp] Link: OPEN event
[L_l2tp] LCP: Open event
[L_l2tp] LCP: state change Initial --> Starting
[L_l2tp] LCP: LayerStart
L2TP: Initiating control connection 0x80183f310 0.0.0.0 0 <-> 10.0.2.3 1701
L2TP: Control connection 0x80183f310 *.*.*.76 26062 <-> 10.0.2.3 1701 connected
ppp_l2tp_initiate: Operation not supported
[L_l2tp] Link: DOWN event
[L_l2tp] LCP: Down event
[L_l2tp] Link: reconnection attempt 1 in 3 seconds
L2TP: Control connection 0x80183f310 terminated: 8 ()
[L_l2tp] Link: reconnection attempt 1
L2TP: Initiating control connection 0x80183f610 0.0.0.0 0 <-> 10.0.2.3 1701
L2TP: Control connection 0x80183f610 *.*.*.76 22782 <-> 10.0.2.3 1701 connected
ppp_l2tp_initiate: Operation not supported
[L_l2tp] Link: DOWN event
[L_l2tp] LCP: Down event
[L_l2tp] Link: reconnection attempt 2 in 2 seconds
L2TP: Control connection 0x80183f610 terminated: 8 ()
[L_l2tp] Link: reconnection attempt 2
```

Following is some info about the Ubuntu and Windows vpn config.

Ubuntu l2tp vpn setup. I need to install network-manager-l2tp first to enable the GUI setting.

Windows l2tp vpn setup.


----------



## obsigna (May 19, 2021)

IKEv2 does not work in transport mode. L2TP/IPsec works in transport mode only, and you must use *IKEv1*. There might be other errors in your setup; however, with the wrong IKE version in place, for now, troubleshooting does take you to the middle of nowhere.

Here comes a description of a working client/server setup using net/mpd5 in combination with security/strongswan.
https://forums.freebsd.org/threads/...vpn-client-with-mpd5-racoon.75359/post-462689

Also note that the most recent strongSwan by default no longer uses the simple configuration files for setting up the connections, although the simple ones do continue to work. For this you need to add the following line to /etc/rc.conf: `strongswan_interface="stroke"`


----------



## covacat (May 19, 2021)

try to remove `set l2tp enable outcall` and see what happens


----------



## CanvisMe (May 19, 2021)

obsigna said:


> IKEv2 does not work in transport mode. L2TP/IPsec works in transport mode only, and you must use *IKEv1*. There might be other errors in your setup, however with the wrong IKE version in place, for now, troubleshooting does take you to the middle of nowhere.
> 
> Here comes a description of a working client/server setup using net/mpd5 in combination with security/strongswan.
> https://forums.freebsd.org/threads/...vpn-client-with-mpd5-racoon.75359/post-462689
> ...


Thanks for your reply, obsigna. I have read the threads you posted before, so the conf files were kind of like your style. Now I use *IKEv1* and added `strongswan_interface="stroke"` to /etc/rc.conf; the result was the same. The output messages don't change.


----------



## CanvisMe (May 19, 2021)

covacat said:


> try to remove `set l2tp enable outcall` and see what happens


Something changed. Here are some messages after running `mpd5 l2tp_client`:

```
Multi-link PPP daemon for FreeBSD

process 98443 started, version 5.9
[B_l2tp] Bundle: Interface ng0 created
[L_l2tp] [L_l2tp] Link: OPEN event
[L_l2tp] LCP: Open event
[L_l2tp] LCP: state change Initial --> Starting
[L_l2tp] LCP: LayerStart
L2TP: Initiating control connection 0x80183f310 0.0.0.0 0 <-> 10.0.2.3 1701
L2TP: Control connection 0x80183f310 *.*.*.76 47098 <-> 10.0.2.3 1701 connected
[L_l2tp] L2TP: Incoming call #250000 via control connection 0x80183f310 initiated
[L_l2tp] L2TP: call #250000 terminated: result=2 error=6 errmsg="control connection closing"
[L_l2tp] Link: DOWN event
[L_l2tp] LCP: Down event
[L_l2tp] Link: reconnection attempt 1 in 1 seconds
L2TP: Control connection 0x80183f310 terminated: 8 ()
[L_l2tp] Link: reconnection attempt 1
L2TP: Initiating control connection 0x80183f610 0.0.0.0 0 <-> 10.0.2.3 1701
L2TP: Control connection 0x80183f610 *.*.*.76 37978 <-> 10.0.2.3 1701 connected
[L_l2tp] L2TP: Incoming call #250001 via control connection 0x80183f610 initiated
[L_l2tp] L2TP: call #250001 terminated: result=2 error=6 errmsg="control connection closing"
[L_l2tp] Link: DOWN event
[L_l2tp] LCP: Down event
[L_l2tp] Link: reconnection attempt 2 in 2 seconds
L2TP: Control connection 0x80183f610 terminated: 8 ()
[L_l2tp] Link: reconnection attempt 2
```


----------



## covacat (May 19, 2021)

l2tp config seems ok
if you have any firewall disable it
try to build mpd5 from ports (i had some problems when kernel and userland ng went a bit out of sync) (minor binary release upgrade)


----------



## CanvisMe (May 20, 2021)

covacat said:


> l2tp config seems ok
> if you have any firewall disable it
> try to build mpd5 from ports (i had some problems when kernel and userland ng went a bit out of sync) (minor binary release upgrade)


Thanks, I didn't enable firewall in /etc/rc.conf. Here is my firewall status:

```
~ service pf onestatus
pf.ko is not loaded
~ service ipfw onestatus
ipfw is not enabled
~ service ipfilter onestatus
~
```
Then I rebuilt net/mpd5 via ports-mgmt/portmaster and enabled `NG_IPACCT`, which was `OFF` before; the results were the same.


----------



## covacat (May 20, 2021)

tested the exact l2tp client config with mpd5 and it works (LNS same mpd5)
try to `tcpdump -vvv udp 1701` from lac to lns and see if you can get some more info
and maximize the mpd5 debug level

other than that I have no idea


----------



## keilecpod (May 22, 2021)

Hi, I also recently entered the university and am studying working with networks. And I had a similar problem when I tried to set up proxy servers for a project at the university myself. I have been looking for a solution to this problem for a long time. I thought that I wrote something wrong in the server config. And it turns out that I used low-quality proxy servers. After I was prompted to use paid proxies and showed a detailed guide on setting up servers, everything began to work out. Well, as for the VPN setup, I can't say for sure. I hope you can solve this problem.

____________________________________________

https://help.proxies.com/hc/en-us/articles/1500001146241-Chrome


----------



## CanvisMe (Jun 3, 2021)

covacat said:


> tested the exact l2tp client config with mpd5 and it works (LNS same mpd5)
> try to `tcpdump -vvv udp 1701` from lac to lns and see if you can get some more info
> and maximize the mpd5 debug level
> 
> other than that I have no idea


Some config files changed in my latest test.

/usr/local/etc/ipsec.conf

```
config setup
    uniqueids = yes
    charondebug="ike 1, knl 1, cfg 4"

conn l2tp_client
    keyexchange=ikev1
    type=transport
    leftauth=psk
    leftauth2=xauth
    leftid="21***@a"
    left=*.*.*.76
    leftsubnet=*.*.*.169/24
    leftprotoport=17/%any
    rightauth=psk
    rightid=%any
    right=lns.*.*.*
    rightprotoport=17/1701
    auto=start
```

/usr/local/etc/ipsec.secret is empty now, cos I don't have a real PSK for authentication. The previous ipsec conf was wrong: when I ran `ipsec start` or something related to `ipsec`, it resulted in `unsupported operation`. And referring to the config on macOS from the school BBS, the GUI settings of L2TP left the PSK empty for machine identification; the user's info was still needed.

/usr/local/etc/mpd5/mpd.conf

```
startup:
    log +ALL +EVENTS -FRAME -ECHO

default:
    load l2tp_client

l2tp_client:
    create bundle static B_l2tp
    set bundle enable compression
    set iface enable tcpmssfix
    set iface route *.*.*.169
    set iface mtu 1500

    set ipcp yes vjcomp
    set ccp yes mppc
    set mppc yes e128
    set mppc yes stateless

    create link static L_l2tp l2tp
    set link action bundle B_l2tp
    set link max-redial 5
    set link keep-alive 0 0
    set link yes acfcomp protocomp
    set link accept pap
    set link accept chap-msv2
    set link accept chap
    set link accept eap

    set auth authname "21***@a"
    set auth password "Jw***"
    set l2tp peer lns.*.*.*
    set l2tp disable dataseq
    open
```

Running `mpd5 l2tp_client`:

```
Multi-link PPP daemon for FreeBSD

process 77828 started, version 5.9
EVENT: Registering event EVENT_READ MsgEvent() at msg.c:77
EVENT: Registering event EVENT_READ MsgEvent() done at msg.c:77
[B_l2tp] Bundle: Interface ng0 created
EVENT: Message 1 to LinkMsg() sent
[L_l2tp] EVENT: Processing event EVENT_TIMEOUT ConfigRead() done
EVENT: Processing event EVENT_READ MsgEvent()
EVENT: Message 1 to LinkMsg() received
[L_l2tp] Link: OPEN event
[L_l2tp] LCP: Open event
[L_l2tp] LCP: state change Initial --> Starting
[L_l2tp] LCP: LayerStart
EVENT: Message 1 to PhysMsg() sent
EVENT: Message 1 to LinkMsg() processed
EVENT: Message 1 to PhysMsg() received
[L_l2tp] device: OPEN event
L2TP: ppp_l2tp_ctrl_create invoked
L2TP: Initiating control connection 0x80183f310 0.0.0.0 0 <-> 10.0.2.3 1701
L2TP: Control connection 0x80183f310 *.*.*.76 31199 <-> 10.0.2.3 1701 initiated
L2TP: ppp_l2tp_ctrl_initiate invoked
L2TP: XMIT [MESSAGE_TYPE SCCRQ] [HOST_NAME "******"] [VENDOR_NAME "FreeBSD MPD"] [BEARER_CAPABILITIES digital=1 analog=1] [RECEIVE_WINDOW_SIZE 8] [PROTOCOL_VERSION 1.0] [FRAMING_CAPABILITIES sync=1 async=1] [ASSIGNED_TUNNEL_ID 0xe777]
EVENT: Message 1 to PhysMsg() processed
EVENT: Processing event EVENT_READ MsgEvent() done
EVENT: Processing event EVENT_READ MsgEvent()
EVENT: Processing event EVENT_READ MsgEvent() done
L2TP: RECV [MESSAGE_TYPE SCCRP] [PROTOCOL_VERSION 1.0] [HOST_NAME "***"] [FRAMING_CAPABILITIES sync=1 async=0] [ASSIGNED_TUNNEL_ID 0xc2e6] [FIRMWARE_REVISION 0x0001] [VENDOR_NAME "***"]
L2TP: rec'd SCCRP in state wait-ctl-reply
L2TP: connected to "***", version=1.0
L2TP: XMIT [MESSAGE_TYPE SCCCN] [HOST_NAME "******"] [VENDOR_NAME "FreeBSD MPD"] [BEARER_CAPABILITIES digital=1 analog=1] [RECEIVE_WINDOW_SIZE 8] [PROTOCOL_VERSION 1.0] [FRAMING_CAPABILITIES sync=1 async=1] [ASSIGNED_TUNNEL_ID 0xe777]
L2TP: Control connection 0x80183f310 *.*.*.76 31199 <-> 10.0.2.3 1701 connected
L2TP: ppp_l2tp_initiate invoked, ctrl=0x80183f310 out=0
L2TP: created new session #6800000 id 0xe569 orig=local side=LAC state=wait-cs-reply
L2TP: XMIT [MESSAGE_TYPE ICRQ] [ASSIGNED_SESSION_ID 0xe569] [CALL_SERIAL_NUMBER 6800000]
[L_l2tp] L2TP: Incoming call #6800000 via control connection 0x80183f310 initiated
L2TP: ppp_l2tp_connected invoked, sess=0x801868010
L2TP: RECV [MESSAGE_TYPE StopCCN] [ASSIGNED_TUNNEL_ID 0xc2e6] [RESULT_CODE result=2 error=8 errmsg=""]
L2TP: rec'd StopCCN in state established
[L_l2tp] L2TP: call #6800000 terminated: result=2 error=6 errmsg="control connection closing"
[L_l2tp] device: DOWN event
[L_l2tp] Link: DOWN event
EVENT: Starting timer "PhysOpen" LinkReopenTimeout() for 3000 ms at link.c:278
EVENT: Registering event EVENT_TIMEOUT TimerExpires() at timer.c:50
EVENT: Registering event EVENT_TIMEOUT TimerExpires() done at timer.c:50
[L_l2tp] LCP: Down event
[L_l2tp] Link: reconnection attempt 1 in 3 seconds
```

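To read a control-message exchange like the one above mechanically, here is an added example (my own code, not from the thread or from mpd5) that parses mpd5's `L2TP: XMIT`/`RECV` lines into message types and AVPs and decodes a StopCCN `RESULT_CODE` against the result and general error code tables of RFC 2661 section 4.4.2. The sample log is constructed to mirror the log above (SCCRQ, SCCRP, ICRQ, then a StopCCN with `result=2 error=8`); host names and tunnel ids in it are made up.

```python
import re
# Code names from RFC 2661 section 4.4.2 (StopCCN result codes, and the general error codes), wording shortened.
STOPCCN_RESULT = {
    1: "general request to clear control connection",
    2: "general error code indicates the error",
    3: "control channel already exists",
    4: "requester not authorized to establish a control channel",
    5: "requester's protocol version not supported",
    6: "requester is being shut down",
    7: "finite state machine error",
}
GENERAL_ERROR = {
    0: "no general error",
    1: "no control connection exists yet for this LAC-LNS pair",
    2: "length is wrong",
    3: "field value out of range or reserved field non-zero",
    4: "insufficient resources to handle this operation now",
    5: "session ID invalid in this context",
    6: "generic vendor-specific error in the LAC",
    7: "try another LNS",
    8: "shut down due to an unknown AVP with the M-bit set",
}
MSG_RE = re.compile(r"L2TP: (XMIT|RECV) (\[.*)$")    # mpd5 control-message log line
AVP_RE = re.compile(r"\[([A-Z_]+)(?: ([^\]]*))?\]")   # one "[NAME value]" AVP as mpd5 prints it
CODE_RE = re.compile(r"result=(\d+) error=(\d+)")

def parse_control_messages(log: str) -> list:
    """One dict per XMIT/RECV line: direction, message type and its AVPs (value '' if none)."""
    msgs = []
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if m:
            avps = dict(AVP_RE.findall(m.group(2)))
            msgs.append({"dir": m.group(1), "type": avps.get("MESSAGE_TYPE", "?"), "avps": avps})
    return msgs

def explain_stopccn(log: str) -> list:
    """Decode the RESULT_CODE AVP of every StopCCN the peer sent (unparsable codes -> 'unknown')."""
    notes = []
    for m in parse_control_messages(log):
        if m["type"] != "StopCCN":
            continue
        c = CODE_RE.search(m["avps"].get("RESULT_CODE", ""))
        result, error = (int(c.group(1)), int(c.group(2))) if c else (-1, -1)
        notes.append(f"StopCCN result={result} ({STOPCCN_RESULT.get(result, 'unknown')}); "
                     f"error={error} ({GENERAL_ERROR.get(error, 'unknown')})")
    return notes

# Constructed sample modelled on the thread's mpd5 log; host names and ids are made up.
SAMPLE_LOG = """\
L2TP: XMIT [MESSAGE_TYPE SCCRQ] [HOST_NAME "lac"] [VENDOR_NAME "FreeBSD MPD"] [ASSIGNED_TUNNEL_ID 0xe777]
L2TP: RECV [MESSAGE_TYPE SCCRP] [PROTOCOL_VERSION 1.0] [HOST_NAME "lns"] [ASSIGNED_TUNNEL_ID 0xc2e6]
L2TP: XMIT [MESSAGE_TYPE ICRQ] [ASSIGNED_SESSION_ID 0xe569] [CALL_SERIAL_NUMBER 6800000]
L2TP: RECV [MESSAGE_TYPE StopCCN] [ASSIGNED_TUNNEL_ID 0xc2e6] [RESULT_CODE result=2 error=8 errmsg=""]
"""
```

Feed it the output of `mpd5 l2tp_client` run with `log +ALL` as above; a StopCCN arriving right after the ICRQ, with its decoded codes, tells you the LNS closed the tunnel itself rather than the local side giving up.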

----------



## covacat (Jun 3, 2021)

is ipsec working?
`setkey -D` and `setkey -DP` output

```
#setkey -DP
XX.97.169.105[63379] 10.1.1.1[1701] udp
    in ipsec
    esp/transport//unique:11
    created: Jun  3 11:06:24 2021  lastused: Jun  3 11:06:24 2021
    lifetime: 9223372036854775807(s) validtime: 0(s)
    spid=523 seq=1 pid=15282 scope=global
    refcnt=1
10.1.1.1[1701] XX.97.169.105[63379] udp
    out ipsec
    esp/transport//unique:11
    created: Jun  3 11:06:24 2021  lastused: Jun  3 11:06:24 2021
    lifetime: 9223372036854775807(s) validtime: 0(s)
    spid=524 seq=0 pid=15282 scope=global
    refcnt=2
```


----------



## CanvisMe (Jun 3, 2021)

covacat said:


> is ipsec working?
> `setkey -D` and `setkey -DP` output
> 
> ```
> ...


When I ran `ipsec restart`:

```
Stopping strongSwan IPsec...
Starting strongSwan 5.9.2 IPsec [starter]...
```

`ipsec status`:

```
Security Associations (0 up, 1 connecting):
 l2tp_client[1]: CONNECTING, *.*.*.76[%any]...10.0.2.3[%any]
```
But it will not connect successfully via ipsec, cos I didn't fill in the user's info.

For `setkey -D`:
`No SAD entries.`

`setkey -DP`:
`No SAD entries.`


----------



## covacat (Jun 3, 2021)

l2tp might not progress / work any further without ipsec (server might block unencrypted packets)
you can add your creds in ipsec.secrets

```
dave  : XAUTH "ryftzG4A"
```


----------



## CanvisMe (Jun 3, 2021)

Added user info to /usr/local/etc/ipsec.secrets, ran `ipsec reload`.

For `ipsec statusall`:

```
Status of IKE charon daemon (strongSwan 5.9.2, FreeBSD 13.0-STABLE, amd64):
  uptime: 38 minutes, since Jun 03 16:31:08 2021
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon ldap aes des blowfish rc2 sha2 sha1 md4 md5 ...
Listening IP addresses:
Connections:
 l2tp_client:  *.*.*.76...lns.*.*.*  IKEv1
 l2tp_client:   local:  [21***@a] uses pre-shared key authentication
 l2tp_client:   local:  [21***@a] uses XAuth authentication: any
 l2tp_client:   remote: uses pre-shared key authentication
 l2tp_client:   child:  *.*.*.0/24[udp] === dynamic[udp/l2f] TRANSPORT
Security Associations (0 up, 1 connecting):
 l2tp_client[2]: CONNECTING, *.*.*.76[%any]...10.0.2.3[%any]
 l2tp_client[2]: IKEv1 SPIs: 41b72cbabd5de722_i* 0000000000000000_r
 l2tp_client[2]: Tasks queued: QUICK_MODE
 l2tp_client[2]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
```

Then `ipsec status`:

```
Security Associations (0 up, 0 connecting):
  none
```

And running `mpd5 l2tp_client` gave the same result.


----------



## CanvisMe (Jun 3, 2021)

Even though I added `rightauth2=xauth` in /usr/local/etc/ipsec.conf, it didn't work.


----------



## covacat (Jun 3, 2021)

are you sure you need xauth?
try with an empty shared key and remove xauth

```
 : PSK ""
```

and post ipsec logs


----------



## CanvisMe (Jun 3, 2021)

No, I'm not sure, I just tried. Running `ipsec reload`, the /var/log/daemon.log outputs:
`11[IKE] establishing IKE_SA failed, peer not responding`.


----------



## VladiBG (Jun 3, 2021)

Solved - IPsec/L2tp VPN cannot connect to Mikrotik (forums.freebsd.org)

> Hi, I'm trying to connect my FreeBsd 12.2 workstation to an IPSec/L2tp VPN served by a Mikrotik router, the IPsec part apparently is working, but I cannot make mpd5 to assign an IP to the generated ng0 interface. ipsec status all Status of IKE charon daemon (strongSwan 5.9.1, FreeBSD...


----------



## CanvisMe (Jun 4, 2021)

OK, I found out that the connection should use l2tp without ipsec. So is there any way to accomplish it? Using net/mpd5 still generated the same error messages.


----------

