
I have configured an L2TP/IPsec VPN server (mpd5 + racoon) on my FreeBSD server. All the daemons appear to be running, but client connections never get through to the local L2TP server and I cannot work out why. So my question is: what is wrong with my current setup? Note: the firewall is disabled for testing purposes.

My server IP is 172.10.10.240, the DNS server handed to clients is 192.168.155.2, and the range of addresses I want available to VPN clients is 172.10.10.150–172.10.10.199. (Note that 172.10.0.0/16 is not RFC 1918 private space — 172.16.0.0/12 is — so if these are meant to be private addresses they overlap a publicly routed block.)

I am trying to connect to the server from an Android phone (client address masked). When I connect, this is the packet capture (tcpdump-style output, apparently taken on the server):

13:33:16.467067 IP XXX-XXX-h-15-6.XXX.02.XXX.54600 > 172.10.10.240.l2f:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *HOST_NAME(anonymous) *FRAMING_CAP(AS) *ASSND_TUN_ID(35359) *RECV_WIN_SIZE(1)
13:33:16.467162 IP XXX-XXX-h-15-6.XXX.02.XXX.54600 > 172.10.10.240.l2f:  l2tp:[TLS](0/0)Ns=1,Nr=0 *MSGTYPE(StopCCN) *ASSND_TUN_ID(35359) *RESULT_CODE(6)

Here you can see the client's L2TP SCCRQ arriving on UDP 1701 — in cleartext, since the capture can decode its AVPs — followed about 100 µs later by a StopCCN from the same client with result code 6 (RFC 2661: "requester is being shut down"), and nothing else: the server never replies.

My racoon.log

2014-12-23 12:07:22: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
2014-12-23 12:07:22: INFO: @(#)This product linked OpenSSL 1.0.1j-freebsd 15 Oct 2014 (http://www.openssl.org/)
2014-12-23 12:07:22: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2014-12-23 12:07:22: INFO: 172.10.10.240[4500] used for NAT-T
2014-12-23 12:07:22: INFO: 172.10.10.240[4500] used as isakmp port (fd=4)
2014-12-23 12:07:22: INFO: 172.10.10.240[500] used for NAT-T
2014-12-23 12:07:22: INFO: 172.10.10.240[500] used as isakmp port (fd=5)

Nothing in here beyond startup — racoon never logs a phase 1 negotiation, so no IKE request from the client ever reached it. Let's take a look at my racoon.conf:

# Pre-shared keys, one "identifier key" pair per line. Keep this file owned
# by root and mode 0600: racoon is expected to refuse a key file that is
# group/other-readable.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
listen
{
  # Bind IKE (500) and NAT-T (4500) only to the server address; strict_address
  # makes racoon fail to start if that address cannot be bound instead of
  # silently listening elsewhere.
  isakmp  172.10.10.240 [500];
  isakmp_natt  172.10.10.240 [4500];
  strict_address;
}
# "anonymous" accepts phase 1 from any peer address (road-warrior clients).
# With main mode + PSK the key has to be chosen before the peer identity is
# known, which is why psk.txt needs a wildcard entry; main mode is still
# preferable to aggressive mode, which would send the identity in clear.
remote anonymous
{
  exchange_mode  main;
  # Responder only: never initiate towards a client.
  passive  on;
  # NOTE(review): "obey" accepts the client's lifetime / key-length / PFS
  # choices on the responder side; "claim" or "strict" is safer once the
  # clients are known to interoperate.
  proposal_check  obey;
  support_proxy  on;
  # NAT-T on UDP 4500 for clients behind NAT.
  nat_traversal  on;
  ike_frag  on;
  # Dead-peer detection every 20 s so stale SAs are torn down.
  dpd_delay  20;
  # Phase 1 proposals, in order of preference. AES first, 3DES as fallback.
  # NOTE(review): modp1024 (DH group 2), SHA-1 and 3DES are weak by current
  # standards; they are presumably kept for Android client compatibility -
  # confirm which groups/ciphers the clients support before tightening.
  proposal
  {
  encryption_algorithm  aes;
  hash_algorithm  sha1;
  authentication_method pre_shared_key;
  dh_group  modp1024;
  }
  proposal
  {
  encryption_algorithm  3des;
  hash_algorithm  sha1;
  authentication_method pre_shared_key;
  dh_group  modp1024;
  }
}
# Phase 2 (IPsec SA) parameters for any selector. With proposal_check obey
# above, a client that does not offer PFS is presumably accepted anyway -
# TODO confirm against the racoon log once a client gets this far.
sainfo anonymous
{
  encryption_algorithm  aes,3des;
  authentication_algorithm hmac_sha1;
  compression_algorithm  deflate;
  pfs_group  modp1024;
}

mpd.conf

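startup:
# Users allowed to log in to the mpd console/web interface (NOT PPP users;
# those live in mpd.secret). NOTE(review): this password is stored in clear
# text here and is trivially guessable - change it before the host goes live.
  set user super adminpassword admin

# Telnet-style admin console: loopback only.
  set console self 127.0.0.1 5005
  set console open

# Web admin interface: loopback only (was 0.0.0.0). With the firewall
# disabled, 0.0.0.0 exposed the admin login on every interface, including
# the one the VPN clients reach; use an ssh port-forward to get at it.
  set web self 127.0.0.1 5006
  set web open

default:
  load l2tp_server

l2tp_server:
# Dynamic address pool handed to clients. It is carved out of the server's
# own subnet, which is why proxy-arp is enabled on the interface below.
  set ippool add pool_l2tp 172.10.10.150 172.10.10.199

# Clonable bundle template named B_l2tp.
  create bundle template B_l2tp
# Answer ARP for client addresses on the LAN so hosts there can reach them.
  set iface enable proxy-arp
# Clamp TCP MSS so tunnelled TCP does not need fragmentation.
  set iface enable tcpmssfix
  set ipcp yes vjcomp

# Local IPCP side and the pool for peers.
# NOTE(review): "172.10.10.0/24" is the *local* side of the IPCP range; most
# setups put the server's own address here (e.g. 172.10.10.240/32) - confirm
# this is intended.
  set ipcp ranges 172.10.10.0/24 ippool pool_l2tp
  set ipcp dns 192.168.155.2

# Clonable link template named L_l2tp.
  create link template L_l2tp l2tp
  set link action bundle B_l2tp
# Small MTU, presumably to leave room for L2TP + ESP + UDP(NAT-T) overhead.
  set link mtu 1230
# LCP echo keep-alive disabled; IPsec DPD (racoon.conf) detects dead peers.
  set link keep-alive 0 0
  set link yes acfcomp protocomp
# Disable every auth method, then re-enable CHAP only, so PAP is never offered.
# NOTE(review): Android typically authenticates with MS-CHAPv2; verify against
# mpd.secret and the mpd log if PPP authentication fails once L2TP gets that far.
  set link no pap chap eap
  set link enable chap

# Configure L2TP: listen on the server address only.
  set l2tp self 172.10.10.240
  set l2tp disable dataseq

# Accept incoming calls.
  set link enable incoming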

setkey.conf

# Drop all existing SAs and policies, then require ESP in transport mode for
# any UDP traffic to/from the L2TP port (1701) in both directions.
flush;
spdflush;
# "require" means L2TP that arrives WITHOUT IPsec protection is discarded by
# the kernel before mpd ever sees it, so a cleartext SCCRQ on UDP 1701 gets
# no reply. NOTE(review): an empty SAD (setkey -D) plus no phase 1 in the
# racoon log means no IKE exchange happened at all - check that the client
# profile is "L2TP/IPSec PSK" (not plain L2TP) and that UDP 500/4500 from
# the client actually reaches racoon.
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P in  ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P out ipsec esp/transport//require;

sysctl.conf

# tap(4) devices are not used by mpd5's netgraph PPP; this setting appears
# unrelated to the L2TP/IPsec setup and is harmless here.
net.link.tap.up_on_open=1
# Disable TCP segmentation offload - presumably to keep oversized segments
# out of the tunnel. TODO confirm it is actually needed on this NIC.
net.inet.tcp.tso=0
# Do not pass decapsulated IPsec packets through the packet filter a second
# time. Irrelevant while the firewall is disabled; revisit when it returns.
net.inet.ipsec.filtertunnel=0
net.inet6.ipsec6.filtertunnel=0

Custom Kernel options

# Crypto framework used by the IPsec stack (software and hardware engines).
device crypto
# NOTE(review): these enable IPsec debugging and NAT-Traversal, but
# "options IPSEC" itself is not listed here; on FreeBSD releases whose GENERIC
# kernel lacks IPsec it is required as well. setkey and racoon start, so it is
# presumably present elsewhere in the kernel config - confirm.
options IPSEC_DEBUG
options IPSEC_NAT_T

/etc/rc.conf

# Forward packets between interfaces: VPN clients reach the LAN via this host.
gateway_enable="YES"
# Load the SPD from setkey.conf at boot, using the ipsec-tools setkey from
# ports (/usr/local/sbin) rather than the base-system one.
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
# IKE daemon; -l sends its log to a file. Add -d (raise the debug level)
# temporarily while diagnosing a client that never completes phase 1.
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
# L2TP/PPP server.
mpd_enable="YES"

And lastly some debugging output. There are no security associations at all, which confirms IPsec was never negotiated:

# setkey -D
No SAD entries.

/usr/local/etc/racoon/psk.txt

cat /usr/local/etc/racoon/psk.txt
# "identifier key" pairs, one per line. "*" is intended to match any peer,
# which is what "remote anonymous" with main mode needs - but it also means
# every client shares a single secret. NOTE(review): "testpsk" is a dictionary
# word; replace it with a long random value before this host is reachable
# from untrusted networks, keep the file root-owned and mode 0600 (racoon is
# expected to refuse a group/other-readable key file), and confirm this
# ipsec-tools build actually honours "*" as a wildcard entry.
* testpsk
