I have configured an L2TP/IPsec VPN server (mpd5 + racoon) on my FreeBSD box. Everything appears to be running, but client connections never make it through to the VPN server and I cannot work out why. So my question is: what is wrong with my current setup? Note that the firewall is disabled for testing.
My server's IP is 172.10.10.240, the DNS server is 192.168.155.2, and the address range I want handed out to VPN clients is 172.10.10.150–172.10.10.199. (Note that 172.10.10.0/24 is not RFC 1918 private space — the private 172.x block is 172.16.0.0/12 — so these addresses collide with publicly routable space.)
I am trying to connect to the server from an Android phone (client hostname masked). I connect, and this is the packet capture taken on the server:
13:33:16.467067 IP XXX-XXX-h-15-6.XXX.02.XXX.54600 > 172.10.10.240.l2f: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *HOST_NAME(anonymous) *FRAMING_CAP(AS) *ASSND_TUN_ID(35359) *RECV_WIN_SIZE(1)
13:33:16.467162 IP XXX-XXX-h-15-6.XXX.02.XXX.54600 > 172.10.10.240.l2f: l2tp:[TLS](0/0)Ns=1,Nr=0 *MSGTYPE(StopCCN) *ASSND_TUN_ID(35359) *RESULT_CODE(6)
Here you can see the L2TP control-connection request (SCCRQ) arriving from the device on UDP/1701 ("l2f" is tcpdump's service name for that port), immediately followed by the client tearing it down with a StopCCN — and nothing else. Note that these packets arrive as plain L2TP, not inside ESP, and no IKE traffic on UDP/500 or UDP/4500 appears in the capture, so the IPsec negotiation never took place. With the `require` policies in setkey.conf below, the kernel discards unprotected UDP/1701, so mpd never sees the request — which would explain why the client gives up.
My racoon.log
2014-12-23 12:07:22: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
2014-12-23 12:07:22: INFO: @(#)This product linked OpenSSL 1.0.1j-freebsd 15 Oct 2014 (http://www.openssl.org/)
2014-12-23 12:07:22: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2014-12-23 12:07:22: INFO: 172.10.10.240[4500] used for NAT-T
2014-12-23 12:07:22: INFO: 172.10.10.240[4500] used as isakmp port (fd=4)
2014-12-23 12:07:22: INFO: 172.10.10.240[500] used for NAT-T
2014-12-23 12:07:22: INFO: 172.10.10.240[500] used as isakmp port (fd=5)
Nothing beyond startup — racoon never logged an IKE exchange, so no Phase 1 was ever attempted against it. Let's take a look at my racoon.conf:
# Pre-shared-key file; every peer matched by "remote anonymous" below is
# authenticated against an entry in this single file.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
# Bind IKE only to the server address: UDP/500 is plain ISAKMP, UDP/4500 is
# NAT-Traversal.  strict_address makes racoon fail to start if that address
# is not configured, instead of silently listening elsewhere.
listen
{
isakmp 172.10.10.240 [500];
isakmp_natt 172.10.10.240 [4500];
strict_address;
}
# Wildcard peer: any source address may initiate Phase 1.  In main mode with
# PSK authentication the key is looked up by source address before the peer
# has identified itself, so this relies on the "*" entry in psk.txt and one
# secret shared by every client.  Per-user authentication therefore comes only
# from mpd's CHAP, not from IPsec.
remote anonymous
{
exchange_mode main;
# Responder only: racoon never initiates towards these peers.
passive on;
# Accept the peer's proposed lifetimes/PFS group rather than enforcing ours.
proposal_check obey;
# Allow the Phase 2 identities to differ from the IKE endpoint address
# (needed when the client sits behind NAT).
support_proxy on;
# Phones are almost always behind NAT: UDP-encapsulate ESP on 4500 and allow
# IKE fragmentation for large Phase 1 payloads.
nat_traversal on;
ike_frag on;
# Dead-peer detection every 20 s so abandoned SAs are torn down.
dpd_delay 20;
# Phase 1 proposals, offered in order: AES, then 3DES; both SHA1 + PSK + DH
# group 2.  NOTE(review): 3DES and modp1024 are legacy-client compatibility
# choices -- prefer stronger ciphers/groups where the clients support them.
proposal
{
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
proposal
{
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
}
# Phase 2 (IPsec SA) parameters for any peer: ESP with AES or 3DES,
# HMAC-SHA1 integrity, optional deflate compression, PFS with DH group 2.
sainfo anonymous
{
encryption_algorithm aes,3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
pfs_group modp1024;
}
mpd.conf
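startup:
# configure mpd users
# Admin account for the console and web UI.  NOTE(review): this password is
# posted here in clear text -- change it before the host is reachable from
# outside.
set user super adminpassword admin
# configure the console
# Telnet-style console, loopback only.
set console self 127.0.0.1 5005
set console open
# configure the web server
# Bind the web UI to loopback as well.  It was previously bound to 0.0.0.0:5006,
# which -- with the firewall disabled -- exposed the management interface (and
# the admin credentials above) on every interface, including the VPN-facing one.
set web self 127.0.0.1 5006
set web open
default:
load l2tp_server
l2tp_server:
# Define dynamic IP address pool.
# Client addresses come from the server's own LAN subnet (server is .240).
set ippool add pool_l2tp 172.10.10.150 172.10.10.199
# Create clonable bundle template named B_l2tp
create bundle template B_l2tp
# Answer ARP for client addresses on the LAN, since the pool is carved out of
# the same /24 as the server; clamp TCP MSS to the link MTU.
set iface enable proxy-arp
set iface enable tcpmssfix
# Van Jacobson TCP header compression.
set ipcp yes vjcomp
# Specify IP address pool for dynamic assigment.
# "ranges <local> <remote>": our side from 172.10.10.0/24, the client's side
# from the pool above.
set ipcp ranges 172.10.10.0/24 ippool pool_l2tp
# DNS server pushed to clients.
set ipcp dns 192.168.155.2
# Create clonable link template named L_l2tp
create link template L_l2tp l2tp
set link action bundle B_l2tp
# Small MTU to leave room for L2TP + ESP + UDP (NAT-T) overhead.
set link mtu 1230
# Disable LCP echo keep-alives.
set link keep-alive 0 0
# Address/control-field and protocol-field compression.
set link yes acfcomp protocomp
# We do not authenticate ourselves to the peer (no pap/chap/eap), but we
# require CHAP from the peer.
set link no pap chap eap
set link enable chap
# Configure L2TP
# Accept L2TP only on the server address; no data-channel sequence numbers.
set l2tp self 172.10.10.240
set l2tp disable dataseq
# Allow to accept calls
set link enable incoming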
setkey.conf
# Drop any stale SAs and policies before installing ours.
flush;
spdflush;
# Require ESP in transport mode around the L2TP channel (UDP/1701) in both
# directions.  "require" means UDP/1701 that arrives without a matching SA is
# discarded by the kernel -- mpd never sees it -- so an L2TP client that is
# not doing IPsec, or whose IKE exchange never completed, gets no reply.
# ("[0]" here is the any-port wildcard.)
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;
sysctl.conf
# Bring tap(4) interfaces up when opened.  NOTE(review): unrelated to the
# mpd/L2TP setup (mpd uses netgraph interfaces); presumably for another service.
net.link.tap.up_on_open=1
# Disable TCP segmentation offload.
net.inet.tcp.tso=0
# Whether the firewall sees the inner packet of IPsec *tunnel* mode; the
# policies in setkey.conf are transport mode, so these have no effect here.
net.inet.ipsec.filtertunnel=0
net.inet6.ipsec6.filtertunnel=0
Custom Kernel options
# Kernel crypto framework, used by the IPsec/ESP data path.
device crypto
# Extra IPsec debugging knobs; not needed on a production kernel.
options IPSEC_DEBUG
# NAT-Traversal (UDP/4500 encapsulation of ESP) -- required for clients
# behind NAT.
options IPSEC_NAT_T
# NOTE(review): "options IPSEC" itself is not listed here.  setkey(8) working
# implies IPsec is compiled in, but confirm it is present in this config.
/etc/rc.conf
# Forward packets between interfaces (VPN clients' traffic).
gateway_enable="YES"
# Load the SPD from racoon's setkey.conf at boot, using the ports setkey.
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
# IKE daemon, logging to its own file.
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
# L2TP/PPP daemon.
mpd_enable="YES"
And lastly some debugging. `setkey -D` shows no security associations at all, consistent with IKE never having completed:
# setkey -D
No SAD entries.
/usr/local/etc/racoon/psk.txt (note the `*` entry matches every peer address, so this single key is shared by all clients; racoon refuses a PSK file that is group- or world-readable, so it must be mode 0600; and the value shown here is clearly a test key that should be rotated):
cat /usr/local/etc/racoon/psk.txt
* testpsk