# l2tp/ipsec mdp5 only works from inside gateway.



## jhenriksen (Sep 18, 2012)

Hello everyone.

Based on the following http://forums.freebsd.org/showthread.php?t=26755 I tried to setup a l2tp/ipsec server based on FreeBSD 9.0 with strongswan 5.0.0.

 My network looks like this:

[ISP]->[FREEBSD 9.0 re0 public em0 private) em0 is in 192.168.1/0.

Trying to connect from outside (from another isp) the ike steps succeeds but mpd does not receive any traffic:

```
IKE_SA l2tp[8] established between x.x.x.x[x.x.x.x]...y.y.y.y[10.95.1.2]
Sep 18 18:46:04 hostname charon: 01[IKE] deleting IKE_SA l2tp[8] between x.x.x.x[x.x.x.x]...y.y.y.y[10.95.1.2]
```

When I connect from a (network bridged to 192.168.1.0/24 virtualbox) Windows 7 to my external ip l2tp does get traffic and sets up an interface. 

This look like this in the log:


```
Sep 18 19:20:18 hostname charon: 13[IKE] 192.168.1.147 is initiating a Main Mode IKE_SA
Sep 18 19:20:19 hostname charon: 09[IKE] IKE_SA l2tp[10] established between x.x.x.x[x.x.x.x]...192.168.1.147[192.168.1.147]
Sep 18 19:20:19 hostname charon: 10[IKE] CHILD_SA l2tp{5} established with SPIs cb460e16_i 4c4c6c5d_o and TS x.x.x.x/32[udp/l2f] === 192.168.1.147/32[udp/l2f]
```

and the mpd log:

```
x mpd: [L_l2tp-1] LCP: authorization successful
Sep 18 19:20:22 hostname mpd: [L_l2tp-1] Link: Matched action 'bundle "B_l2tp" ""'
Sep 18 19:20:22 hostname mpd: [L_l2tp-1] Creating new bundle using template "B_l2tp".
Sep 18 19:20:22 hostname mpd: [B_l2tp-1] Bundle: Interface ng0 created
Sep 18 19:20:22 hostname mpd: [L_l2tp-1] Link: Join bundle "B_l2tp-1"
Sep 18 19:20:22 hostname mpd: [B_l2tp-1] Bundle: Status update: up 1 link, total bandwidth 64000 bps
Sep 18 19:20:22 hostname mpd: [B_l2tp-1] IPCP: Open event
Sep 18 19:20:22 hostname mpd: [B_l2tp-1] IPCP: state change Initial --> Starting
Sep 18 19:20:22 hostname mpd: [B_l2tp-1] IPCP: LayerStart
Sep 18 19:20:22 hostname mpd: [B_l2tp-1] IPCP: Up event
Sep 18 19:20:22 hostname mpd: [B_l2tp-1] IPCP: Got IP 192.168.1.200 from pool "pool_l2tp" for peer
Sep 18 19:20:22 hostname mpd: [B_l2tp-1] IPCP: state change Starting --> Req-Sent
Sep 18 19:20:22 hostname mpd: [B_l2tp-1] IPCP: SendConfigReq #1
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]   IPADDR x.x.x.x
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]   COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Sep 18 19:20:22 hostname mpd: [L_l2tp-1] rec'd unexpected protocol IPV6CP, rejecting
Sep 18 19:20:22 hostname mpd: [L_l2tp-1] rec'd unexpected protocol CCP, rejecting
Sep 18 19:20:22 hostname mpd: [B_l2tp-1] IPCP: rec'd Configure Request #7 (Req-Sent)
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]   IPADDR 0.0.0.0
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]     NAKing with 192.168.1.200
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]   PRIDNS 0.0.0.0
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]     NAKing with 192.168.1.1
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]   PRINBNS 0.0.0.0
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]   SECDNS 0.0.0.0
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]   SECNBNS 0.0.0.0
Sep 18 19:20:22 hostname mpd: [B_l2tp-1] IPCP: SendConfigRej #7
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]   PRINBNS 0.0.0.0
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]   SECDNS 0.0.0.0
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]   SECNBNS 0.0.0.0
Sep 18 19:20:22 hostname mpd: [B_l2tp-1] IPCP: rec'd Configure Reject #1 (Req-Sent)
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]   COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Sep 18 19:20:22 hostname mpd: [B_l2tp-1] IPCP: SendConfigReq #2
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]   IPADDR x.x.x.x
Sep 18 19:20:22 hostname mpd: [B_l2tp-1] IPCP: rec'd Configure Request #8 (Req-Sent)
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]   IPADDR 0.0.0.0
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]     NAKing with 192.168.1.200
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]   PRIDNS 0.0.0.0
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]     NAKing with 192.168.1.1
Sep 18 19:20:22 hostname mpd: [B_l2tp-1] IPCP: SendConfigNak #8
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]   IPADDR 192.168.1.200
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]   PRIDNS 192.168.1.1
Sep 18 19:20:22 hostname mpd: [B_l2tp-1] IPCP: rec'd Configure Ack #2 (Req-Sent)
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]   IPADDR x.x.x.x
Sep 18 19:20:22 hostname mpd: [B_l2tp-1] IPCP: state change Req-Sent --> Ack-Rcvd
Sep 18 19:20:22 hostname mpd: [B_l2tp-1] IPCP: rec'd Configure Request #9 (Ack-Rcvd)
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]   IPADDR 192.168.1.200
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]     192.168.1.200 is OK
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]   PRIDNS 192.168.1.1
Sep 18 19:20:22 hostname mpd: [B_l2tp-1] IPCP: SendConfigAck #9
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]   IPADDR 192.168.1.200
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]   PRIDNS 192.168.1.1
Sep 18 19:20:22 hostname mpd: [B_l2tp-1] IPCP: state change Ack-Rcvd --> Opened
Sep 18 19:20:22 hostname mpd: [B_l2tp-1] IPCP: LayerUp
Sep 18 19:20:22 hostname mpd: [B_l2tp-1]   x.x.x.x -> 192.168.1.200
Sep 18 19:20:22 hostname mpd: [B_l2tp-1] IFACE: Up event
```
I do not have any idea, the only difference to me seems to be the remote subnet is of another class, I have not the possible to check from a similar remote subnet.

I'm using pf after trying ipfw with the same result. I've set up a setkey.conf to require esp over 1701, and I'm allowing enc0 and esp,ah.

Any clues are highly appreciated.

Best regards.


----------



## jhenriksen (Sep 25, 2012)

*UPDATE tried with racoon, same result.*

I tried to follow the howto post mentioned earlier more strictly, i.e using racoon instead of strogswan 5.0.0 and are having the same mpd5 issue, mpd5 does not get any traffic from a remote windows 2008 client. The esp part is working just nothing get passed to mpd5. ( a windows 7 & winXp client works and a ng0 interface is created, but only when the clients are behind the gateway, i.e in the physically same network, which is pointless for a vpn of course.) 

Are anyone successfully using strongswan/racoon and mpd5 (not behind nat) for l2tp over ipsec?

I'm kind of stuck the same place as this person 
http://forums.freebsd.org/showpost.php?p=124566&postcount=8

Any help highly appreciated.

Regards.


----------



## gkontos (Sep 25, 2012)

I haven't implement this yet. I am going to test some different scenarios  in a few days for a client. I want to create an IPSEC VPN server using L2TP.

Have you tried using nat traversal? I believe that you have to compile it in the kernel.


```
options         IPSEC_NAT_T
```


----------



## jhenriksen (Sep 26, 2012)

Thanks for your reply, I have IPSEC_NAT_T compiled into the kernel. If you want go give strongswan 5.0.0 a try here are some patchfiles that I made. (Have not contacted the maintainer or made a PR, since I'm not sure where the problem is, but it compiles an run)

patch-src__ipsec__Makefile.in


```
--- ./src/ipsec/Makefile.in.orig        2012-09-12 20:39:33.901395149 +0000
+++ ./src/ipsec/Makefile.in     2012-09-12 20:41:37.421393361 +0000
@@ -550,7 +550,7 @@
        -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
        -e "s:@IPSEC_SCRIPT@:$(ipsec_script):g" \
        -e "s:@IPSEC_SCRIPT_UPPER@:$(ipsec_script_upper):g" \
-       $< > $@
+       ipsec.8.in > _ipsec.8
 
 _ipsec : ipsec.in
        sed \
@@ -563,7 +563,7 @@
        -e "s:@IPSEC_SBINDIR@:$(sbindir):" \
        -e "s:@IPSEC_CONFDIR@:$(sysconfdir):" \
        -e "s:@IPSEC_PIDDIR@:$(piddir):" \
-       $< > $@
+       ipsec.in > _ipsec
        chmod +x $@
 
 install-exec-hook:
```

patch-src__libcharon__encoding__payloads__transform_attribute.h

```
--- ./src/libcharon/encoding/payloads/transform_attribute.h.orig        2012-06-01 04:43:57.000000000 +0000
+++ ./src/libcharon/encoding/payloads/transform_attribute.h     2012-09-12 20:34:20.851397733 +0000
@@ -24,7 +24,7 @@
 
 typedef enum transform_attribute_type_t transform_attribute_type_t;
 typedef struct transform_attribute_t transform_attribute_t;
-
+#include <stdint.h>
 #include <library.h>
 #include <encoding/payloads/payload.h>
```


----------



## m6tt (Nov 4, 2012)

Can you try these things:
1. Post the subnets involved
2. Cut out Vbox, because it adds a network layer
3. Specify ("static") the client's IP address

The IPCP rejection looks like it's trying to request 0.0.0.0 and getting kicked.
The funny thing is if the L2TP host actually allows that, which I have unfortunately seen.


----------

