# L2TP/IPSec NAT-T FreeBSD related issue



## Young (Sep 5, 2017)

Hi,

I'm a week, trying to figure out why FreeBSD L2TP over IPSec cannot work with Windows/Android boxes, that are behind NAT. I readed that L2TP/IPSec NAT-T protocol is "broken by design" at StrongSwan mail list, but this problem only occour at FreeBSD server, no issues with Cisco, MikroTik or OpenBSD! How this can be explained? I had to try it myself, then I ran L2TP/IPSec in my office MikroTik router, and the Windows/Android boxes at my home, that are behind NAT, were connected succesfuly. What the heck is that? There is no conclusive answer for that on the web...


```
# uname -a
FreeBSD web.***.com.br 10.3-RELEASE-p21 FreeBSD 10.3-RELEASE-p21 #2: Sat Sep  2 23:53:31 BRT 2017     victor@web.***.com.br:/usr/obj/usr/src/sys/CUSTOM  amd64
```

/usr/src/sys/amd64/conf/CUSTOM

```
options IPSEC
options IPSEC_NAT_T
device crypto
device enc
```

/usr/local/etc/ipsec.conf

```
conn L2TP/IPsec-PSK
   keyexchange = ikev1
   type = transport
   leftauth = psk
   rightauth = psk
   left = %defaultroute
   right = %any
   auto = add
```

/usr/local/etc/ipsec.secrets

```
: PSK "My_Secret_Phrase"
```

/usr/local/etc/mpd5/mpd.conf

```
startup:
        set user admin MYPASSWORD admin
        set console self 127.0.0.1 5005
        set console open
        set web self 192.168.0.1 5006
        set web open

default:
        load l2tp_server

l2tp_server:
        set ippool add pool_l2tp 192.168.0.100 192.168.0.110

        create bundle template B_l2tp
        set iface enable proxy-arp
        set iface enable tcpmssfix
        set ipcp yes vjcomp

        set ipcp ranges 192.168.0.1/32 ippool pool_l2tp
        set ipcp dns 192.168.0.1

        create link template L_l2tp l2tp
        set link action bundle B_l2tp
        set link mtu 1230
        set link keep-alive 0 0
        set link yes acfcomp protocomp
        set link no pap chap eap
        set link enable chap-msv2

        set l2tp self 0.0.0.0
        set l2tp disable dataseq

        set link enable incoming
```

Tcpdump

```
# tcpdump -i enc0
tcpdump: WARNING: enc0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 65535 bytes
12:15:07.704792 (authentic,confidential): SPI 0xce261b24: IP 191-193-29-***.user.vivozap.com.br.l2f > web.***.com.br.l2f:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() FIRM_VER(2560) *HOST_NAME(VICTOR-PC) VENDOR_NAME(Microsoft) *ASSND_TUN_ID(1) *RECV_WIN_SIZE(8)
12:15:08.705074 (authentic,confidential): SPI 0xce261b24: IP 191-193-29-***.user.vivozap.com.br.l2f > web.***.com.br.l2f:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() FIRM_VER(2560) *HOST_NAME(VICTOR-PC) VENDOR_NAME(Microsoft) *ASSND_TUN_ID(1) *RECV_WIN_SIZE(8)
12:15:10.705948 (authentic,confidential): SPI 0xce261b24: IP 191-193-29-***.user.vivozap.com.br.l2f > web.***.com.br.l2f:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() FIRM_VER(2560) *HOST_NAME(VICTOR-PC) VENDOR_NAME(Microsoft) *ASSND_TUN_ID(1) *RECV_WIN_SIZE(8)
12:15:14.714536 (authentic,confidential): SPI 0xce261b24: IP 191-193-29-***.user.vivozap.com.br.l2f > web.***.com.br.l2f:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() FIRM_VER(2560) *HOST_NAME(VICTOR-PC) VENDOR_NAME(Microsoft) *ASSND_TUN_ID(1) *RECV_WIN_SIZE(8)
```

Thanks!


----------



## Young (Sep 8, 2017)

Fixed with the patch posted in this topic: https://forums.freebsd.org/threads/49641/#post-280547


----------

