# L2TP/IPSec Server can't ping Client



## Young (Jan 30, 2021)

Hi folks,

I have a L2TP/IPSec Server running on FreeBSD 12.2, but I'm unable to ping clients. I think the problem is related to my peculiar network scheme, with the IP block configured on the bridge interface. I need server communicate with client to setup an reverse proxy. Any help will be apreciated!

Server configuration files:

/etc/rc.conf

```
ifconfig_igb1="up"
cloned_interfaces="bridge1 tap10 tap11"
ifconfig_bridge1="inet 192.168.111.1 netmask 255.255.255.0 addm igb1 addm tap10 addm tap11"
```
/etc/sysctl.conf

```
net.inet.ip.forwarding=1
net.link.tap.up_on_open=1
```
/usr/local/etc/mpd5/mpd.conf

```
l2tp_server:
    set ippool add pool1 192.168.111.100 192.168.111.110

    create bundle template B_l2tp
    set iface enable proxy-arp
    set iface enable tcpmssfix
    set ipcp yes vjcomp

    set ipcp ranges 192.168.111.1/32 ippool pool1
    set ipcp dns 192.168.111.1

    create link template L_l2tp l2tp
    set link action bundle B_l2tp
    set link mtu 1230
    set link keep-alive 0 0
    set link yes acfcomp protocomp
    set link no pap chap eap
    set link enable chap-msv2

    set l2tp self 123.123.123.123
    set l2tp disable dataseq

    set link enable incoming
```

Server running outputs:


```
root@server:~ # ping -c 4 192.168.111.100
PING 192.168.111.100 (192.168.111.100): 56 data bytes

--- 192.168.111.100 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss

root@server:~ # netstat -nr
Destination        Gateway            Flags     Netif Expire
192.168.111.0/24   link#7             U       bridge1
192.168.111.1      link#7             UHS         lo0
192.168.111.100    link#12            UH          ng0

root@server:~ # arp -a
? (192.168.111.100) at 02:38:ad:84:d0:01 on bridge1 permanent published [bridge]
? (192.168.111.3) at d0:50:99:d8:8a:4c on bridge1 expires in 74 seconds [bridge]
? (192.168.111.10) at 00:a0:98:e7:c5:a9 on bridge1 expires in 800 seconds [bridge]
? (192.168.111.25) at 00:a0:98:74:d1:6c on bridge1 expires in 191 seconds [bridge]

root@server:~ # ifconfig
igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=a520b9<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6>
        ether a4:bf:01:44:49:60
        inet6 fe80::a6bf:1ff:fe44:4960%igb1 prefixlen 64 scopeid 0x2
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:38:ad:84:d0:01
        inet 192.168.111.1 netmask 0xffffff00 broadcast 192.168.111.255
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto stp-rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: tap11 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 11 priority 128 path cost 2000000
        member: tap10 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 10 priority 128 path cost 2000000
        member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
        groups: bridge
        nd6 options=1<PERFORMNUD>
tap10: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether 58:9c:fc:10:29:19
        groups: tap
        media: Ethernet autoselect
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 3367
tap11: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether 58:9c:fc:10:ff:ed
        groups: tap
        media: Ethernet autoselect
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 3347
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1230
        inet 192.168.111.1 --> 192.168.111.100 netmask 0xffffffff
        inet6 fe80::a6bf:1ff:fe44:495f%ng0 prefixlen 64 scopeid 0xc
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
```

Client running outputs:


```
root@client:~ # ping -c 4 192.168.111.1
PING 192.168.111.1 (192.168.111.1): 56 data bytes
64 bytes from 192.168.111.1: icmp_seq=0 ttl=64 time=158.578 ms
64 bytes from 192.168.111.1: icmp_seq=1 ttl=64 time=157.290 ms
64 bytes from 192.168.111.1: icmp_seq=2 ttl=64 time=158.959 ms
64 bytes from 192.168.111.1: icmp_seq=3 ttl=64 time=158.175 ms

--- 192.168.111.1 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 157.290/158.251/158.959/0.620 ms

root@client:~ # netstat -nr
Destination        Gateway            Flags     Netif Expire
192.168.111.0/24   192.168.111.1      UGS         ng0
192.168.111.1      link#4             UH          ng0
192.168.111.100    link#4             UHS         lo0

root@client:~ # ifconfig
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1460
        inet 192.168.111.100 --> 192.168.111.1 netmask 0xffffffff
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
```

Thanks.


----------



## SirDice (Jan 31, 2021)

There is no IPSec here. This is a plain L2TP connection.


----------



## Young (Jan 31, 2021)

SirDice said:


> There is no IPSec here. This is a plain L2TP connection.


I'm not an expert, but I don't think that encryption layer is the cause of my problem. Anyway, follow the IPSec configuration files.

Server's /usr/local/etc/ipsec.conf

```
conn L2TP/IPsec-PSK
   keyexchange = ikev1
   type = transport
   leftauth = psk
   rightauth = psk
   left = %defaultroute
   right = %any
   dpddelay = 10
   dpdtimeout = 90
   dpdaction = clear
   auto = add
```
Client's /usr/local/etc/ipsec.conf

```
conn L2TP/IPsec-Client
   keyexchange = ikev1
   type = transport
   leftauth = psk
   left = %defaultroute
   leftprotoport = 17/%any
   rightauth = psk
   rightid = %any
   right = 123.123.123.123
   rightprotoport = 17/1701
   auto = start
```
Thanks.


----------



## VladiBG (Feb 1, 2021)

Do you have any firewall on client and/or server?


----------



## Young (Feb 3, 2021)

VladiBG said:


> Do you have any firewall on client and/or server?


Only on server side. But I moved to WireGuard, that have better performance, easier configuration and more important: it worked with my network design.

Thanks!


----------



## SirDice (Feb 4, 2021)

With IPSec it's quite important to set the `left` and `right` correct. These act a lot like firewalls and only allow the traffic that's specifically defined there. Everything else is filtered out and won't be passed along the IPSec tunnel.

But yes, OpenVPN/Wireguard is a lot simpler to configure and usually suffices.


----------

