Post by descarte on Jun 14, 2015 16:17:08 GMT
Hi, Can anyone provide me with an example setup for L2TP? I'm trying to get this working on my Mac (Yosemite) and I keep getting disconnected. I've set up one user with a simple password of xxx and also a simple shared secret. I've also set up the firewall rules as I see it and also the L2TP config. When I try to connect I get a message (on the Mac side) that the VPN server is not responding. I can do a PPTP VPN connection with no issues. It's not urgent (for me at least) as I'm still over the moon that I was able to move from MW to SW as I was going to spend money on pfSense firewalls. Regards, Descarte.
Post by descarte on Jun 14, 2015 16:56:27 GMT
Here are the logs from trying to connect via my iPhone. The external IP has been replaced by the word external; the 92.40xxx address is the connection from Three Mobile.
The only message the client (iPhone) comes up with is "The L2TP-VPN server did not reply" which is at odds with the logs below.
Jun 14 17:47:54 racoon: INFO: KA remove: external[4500]->92.40.249.237[58342]
Jun 14 17:47:54 racoon: INFO: ISAKMP-SA deleted external[4500]-92.40.249.237[58342] spi:e205c0d304eae078:2d4ba0f6612144e4
Jun 14 17:47:54 racoon: INFO: purged ISAKMP-SA spi=e205c0d304eae078:2d4ba0f6612144e4.
Jun 14 17:47:54 racoon: INFO: purging ISAKMP-SA spi=e205c0d304eae078:2d4ba0f6612144e4.
Jun 14 17:47:25 racoon: ERROR: pfkey ADD failed: Invalid argument
Jun 14 17:47:25 racoon: ERROR: pfkey UPDATE failed: Invalid argument
Jun 14 17:47:25 racoon: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
Jun 14 17:47:25 racoon: INFO: Adjusting my encmode UDP-Transport->Transport
Jun 14 17:47:25 racoon: INFO: respond new phase 2 negotiation: external[4500]<=>92.40.249.237[58342]
Jun 14 17:47:24 racoon: INFO: ISAKMP-SA established external[4500]-92.40.249.237[58342] spi:e205c0d304eae078:2d4ba0f6612144e4
Jun 14 17:47:24 racoon: [92.40.249.237] INFO: received INITIAL-CONTACT
Jun 14 17:47:24 racoon: INFO: KA list add: external[4500]->92.40.249.237[58342]
Jun 14 17:47:24 racoon: INFO: NAT-T: ports changed to: 92.40.249.237[58342]<->external[4500]
Jun 14 17:47:23 racoon: INFO: Adding remote and local NAT-D payloads.
Jun 14 17:47:23 racoon: [external] INFO: Hashing external[500] with algo #2
Jun 14 17:47:23 racoon: [92.40.249.237] INFO: Hashing 92.40.249.237[32422] with algo #2
Jun 14 17:47:23 racoon: INFO: NAT detected: PEER
Jun 14 17:47:23 racoon: INFO: NAT-D payload #1 doesn't match
Jun 14 17:47:23 racoon: [92.40.249.237] INFO: Hashing 92.40.249.237[32422] with algo #2
Jun 14 17:47:23 racoon: INFO: NAT-D payload #0 verified
Jun 14 17:47:23 racoon: [external] INFO: Hashing external[500] with algo #2
Jun 14 17:47:23 racoon: [92.40.249.237] INFO: Selected NAT-T version: RFC 3947
Jun 14 17:47:23 racoon: INFO: received Vendor ID: DPD
Jun 14 17:47:23 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jun 14 17:47:23 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jun 14 17:47:23 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jun 14 17:47:23 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Jun 14 17:47:23 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Jun 14 17:47:23 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Jun 14 17:47:23 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Jun 14 17:47:23 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Jun 14 17:47:23 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Jun 14 17:47:23 racoon: INFO: received Vendor ID: RFC 3947
Jun 14 17:47:23 racoon: INFO: begin Identity Protection mode.
Jun 14 17:47:23 racoon: INFO: respond new phase 1 negotiation: external[500]<=>92.40.249.237[32422]
Jun 14 17:47:06 racoon: ERROR: such policy already exists. anyway replace it: 0.0.0.0/0[1701] 0.0.0.0/0[0] proto=udp dir=out
Jun 14 17:47:06 racoon: ERROR: such policy already exists. anyway replace it: 0.0.0.0/0[0] 0.0.0.0/0[1701] proto=udp dir=in
Jun 14 17:47:06 racoon: INFO: fe80:6::20d:b9ff:fe17:bda0[4500] used as isakmp port (fd=25)
Jun 14 17:47:06 racoon: INFO: fe80:6::20d:b9ff:fe17:bda0[500] used as isakmp port (fd=24)
Jun 14 17:47:06 racoon: INFO: external[4500] used as isakmp port (fd=23)
Jun 14 17:47:06 racoon: INFO: external[4500] used for NAT-T
Jun 14 17:47:06 racoon: INFO: external[500] used as isakmp port (fd=22)
Jun 14 17:47:06 racoon: INFO: external[500] used for NAT-T
Jun 14 17:47:06 racoon: INFO: fe80:4::1[4500] used as isakmp port (fd=21)
Jun 14 17:47:06 racoon: INFO: fe80:4::1[500] used as isakmp port (fd=20)
Jun 14 17:47:06 racoon: INFO: ::1[4500] used as isakmp port (fd=19)
Jun 14 17:47:06 racoon: INFO: ::1[500] used as isakmp port (fd=18)
Jun 14 17:47:06 racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=17)
Jun 14 17:47:06 racoon: INFO: 127.0.0.1[4500] used for NAT-T
Jun 14 17:47:06 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=16)
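An added triage script for racoon logs like the ones posted above; it is not code from the thread, SmallWall or racoon. It parses the syslog-style entries (timestamp, optional [peer] tag, level prefix, message, all as seen in the lines shown), reorders them oldest-first, and summarises the IKE exchange. Run over the sample, it shows Phase 1 completing (ISAKMP-SA established), Phase 2 starting, and then the pfkey ADD/UPDATE failures, which mean racoon could not install the negotiated IPsec SA in the kernel. That reading fits the iPhone's "server did not reply" message rather than contradicting it: the L2TP session (UDP 1701) rides inside the ESP transport-mode SA, so if that SA is never installed the L2TP request gets no answer even though IKE itself succeeded. The sample entries are a constructed subset of the posted log.

```python
import re
from collections import Counter

# Constructed sample: a subset of the racoon entries posted in this thread, in the
# newest-first order the firewall's log viewer prints them.
SAMPLE_LOG = """\
Jun 14 17:47:54 racoon: INFO: ISAKMP-SA deleted external[4500]-92.40.249.237[58342] spi:e205c0d304eae078:2d4ba0f6612144e4
Jun 14 17:47:25 racoon: ERROR: pfkey ADD failed: Invalid argument
Jun 14 17:47:25 racoon: ERROR: pfkey UPDATE failed: Invalid argument
Jun 14 17:47:25 racoon: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
Jun 14 17:47:25 racoon: INFO: respond new phase 2 negotiation: external[4500]<=>92.40.249.237[58342]
Jun 14 17:47:24 racoon: INFO: ISAKMP-SA established external[4500]-92.40.249.237[58342] spi:e205c0d304eae078:2d4ba0f6612144e4
Jun 14 17:47:24 racoon: [92.40.249.237] INFO: received INITIAL-CONTACT
Jun 14 17:47:23 racoon: INFO: NAT detected: PEER
Jun 14 17:47:23 racoon: INFO: respond new phase 1 negotiation: external[500]<=>92.40.249.237[32422]
"""

# Assumed line layout, taken from the posted entries:
#   "<Mon> <day> <hh:mm:ss> racoon: [<peer>] <LEVEL>: <message>"  (the [peer] tag is optional)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) racoon: "
    r"(?:\[(?P<peer>[^\]]+)\] )?"
    r"(?P<level>INFO|ERROR|WARNING|NOTIFY|DEBUG): (?P<msg>.*)$"
)


def parse_line(line):
    """Split one racoon log line into its fields; None if it is not a racoon entry."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(text, newest_first=True):
    """Walk the entries in chronological order and summarise the IKE exchange."""
    entries = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    if newest_first:
        entries.reverse()  # the firewall's log viewer shows the latest entry at the top
    s = {
        "phase1_started": False, "phase1_established": False, "phase2_started": False,
        "nat_detected": None, "kernel_sa_failed": False, "sa_deleted": False,
        "errors": [], "peers": set(), "levels": Counter(),
    }
    for e in entries:
        s["levels"][e["level"]] += 1
        if e["peer"]:
            s["peers"].add(e["peer"])
        msg = e["msg"]
        if e["level"] == "ERROR":
            s["errors"].append(msg)
        if "respond new phase 1 negotiation" in msg:
            s["phase1_started"] = True
        elif msg.startswith("ISAKMP-SA established"):
            s["phase1_established"] = True
        elif "respond new phase 2 negotiation" in msg:
            s["phase2_started"] = True
        elif msg.startswith("NAT detected:"):
            s["nat_detected"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("pfkey") and "failed" in msg:
            s["kernel_sa_failed"] = True  # SA could not be written to the kernel SADB
        elif msg.startswith("ISAKMP-SA deleted"):
            s["sa_deleted"] = True
    return s


def diagnose(s):
    """Turn the summary into short findings an operator can act on."""
    findings = []
    if s["phase1_established"] and s["phase2_started"] and s["kernel_sa_failed"]:
        findings.append("IKE phase 1 completed and phase 2 was attempted, but the IPsec SA "
                        "could not be installed in the kernel (pfkey ADD/UPDATE failed); "
                        "L2TP inside that SA never gets a reply, so the client reports "
                        "'server not responding'.")
    if s["nat_detected"]:
        findings.append(f"NAT-T negotiated; NAT detected on: {s['nat_detected']}")
    if s["sa_deleted"]:
        findings.append("The ISAKMP-SA was torn down afterwards (peer gave up).")
    return findings


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for line in diagnose(summary):
        print("-", line)
```

Feed it the full log (as pasted from the log viewer) on stdin or as a file and compare the `errors` list with the phase flags; the Phase 1 and Phase 2 flags being true while `kernel_sa_failed` is also true is the pattern to look for before touching the client settings at all.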
Post by Lee Sharp on Jun 14, 2015 18:02:43 GMT
First, this is very new, so there will be new issues... And not having Apple, I will need your help. One thing I noticed was the shared secret option on your client. That is not implemented on the server. Can you not use the machine authentication?
Post by descarte on Jun 14, 2015 19:12:03 GMT
Hi Lee,
No problem on any issues. I just wanted to verify, first of all, that I'd set up the firewall correctly. I can select machine authentication on the Mac, but not the iPhone. To be honest I've no idea what to do with that other than selecting a certificate.
What would I need to do on the firewall?
Post by descarte on Jun 14, 2015 19:13:15 GMT
Here's the cert screen. I can select one for Machine Authentication: Certificate. 
Post by descarte on Jun 14, 2015 19:58:42 GMT
Right. Rebooted the firewall and I can connect. I think the machine authentication was a red herring. I'm back using shared secret, after another reboot.
However there are some routing issues:
If I connect to the same subnet, e.g. my assigned IP is in the 192.168.1.x range, then I can use the internet and ping only some of the internal machines, but never the firewall. If I assign an external IP of 10.32.100.x then I can ping the firewall but not get out to the internet.
These issues might be because I'm testing external access -> internal via a mobile hotspot, or maybe I need to reboot after each VPN change? I'll try to test it again when I've a better signal or am on another wifi network.
Post by Lee Sharp on Jun 14, 2015 21:06:40 GMT
VPN routing is complex, and it can be very easily mis-configured. (OK, routing is complex, and is OFTEN mis-configured.) I am actually working on the VPN documentation now. The L2TP code is actually very similar to the PPTP code, so this older documentation may help you: m0n0wall-docs.smallwall.org/handbook/pptp.html
Post by descarte on Jun 14, 2015 21:56:51 GMT
I'll take a look - but the kids have effectively banded together and banned me from rebooting the firewall as it affects their Minecraft server. A server I configured and continue to pay for (seems to be a moot point). Previously I had the IPsec site-to-site working correctly, so I know the base code works.
I admit I've been dipping in and out of this most of the day so haven't been giving it my full attention. Kids, the dog, and alcohol all have played a part this weekend. As it should be.
Post by Lee Sharp on Jun 14, 2015 22:05:40 GMT
Looking back at the thread, I misread your config, and yes, you had it correct for the machine authentication. Apple just likes to rename things. Why use PreShared Key (PSK) when you can use Shared Secret? And can I keep your screenshot for the documentation?
Post by descarte on Jun 15, 2015 16:26:56 GMT
Sorry for the delay (long day at work). Yes I know, Apple do try to simplify things too much - it confuses the technical. I get wound up when I have to dig into the config files, but only because Linux is my norm, not BSD.
As for the screenshot - no problem.
Post by descarte on Jun 15, 2015 17:22:15 GMT
Looks like I'm having routing issues - let me explain...
Network 192.168.1.0 with netmask 255.255.255.0
Router is 192.168.1.1
Server is 192.168.1.10
Set up L2TP as above with Server Address = 192.168.1.222
Remote address range 192.168.1.32/28 (16 addresses)
1 user - defaults to 192.168.1.32
Changed wifi to external ISP
Connected to firewall.
I can ping 192.168.1.10
I cannot ping the firewall (192.168.1.1) - just get ICMP timeout
I can ssh into the server @ 192.168.1.10 and then from that server ping 192.168.1.1
I can browse the web.
On the Mac the L2TP is set up as before. All traffic goes via VPN. When I go into network options on VPN I get odd connection details: it would appear my IP (192.168.1.32) is also the router, with no netmask. What is even odder - when I ssh to 192.168.1.10, exit and re-ssh, it shows the last connection as 192.168.1.32. OK, this is the correct IP address, but what's the server address (192.168.1.222) for? Really confused, as it kind of works but I can't use a browser to get to the firewall unless I do it via an internal server, e.g. 192.168.1.10. Again, not that important for me at the moment - just odd behaviour. PPTP works OK.
Post by Lee Sharp on Jun 15, 2015 18:34:17 GMT
So 192.168.1.10 is a stand-alone server on your LAN, correct? Now I cannot say for Mac, but in other systems the server on 192.168.1.222 could be your route, but also your own IP address could be your route. It can be odd here. The fact that you see LAN devices means the tunnel is up. Not seeing the firewall is an odd problem, however. What is in your arp table on your machine once you have connected to the VPN?
Post by descarte on Jun 15, 2015 20:30:43 GMT
Hi, and yes, 192.168.1.10 is a server on my internal LAN (standalone). I'll have to give you the arp tomorrow evening (UK time) as I'm not on my friend's LAN now. I can connect to any of the internal machines once I'm in - just not to the firewall. Wonder if it's to do with a src address from the internet being seen as a non-routable IP? Just a theory, based on being able to ping it from ssh'ing into 192.168.1.10 from an external IP VPN'ing into my server.
What I might do is build a Linux VM on the Mac and VPN from there. Any suggestions as to what to use, e.g. Ubuntu? Something you know works?
Again, sorry for not being available much, work, kids etc. and on (secure) client sites most of the day.
Post by Lee Sharp on Jun 15, 2015 22:56:11 GMT
I will be playing with a Chromebook and L2TP over the next few days to see if I can get a clean setup. I suspect it will be the simplest.
Post by descarte on Jun 16, 2015 16:43:39 GMT
Hi,
Tried again today, signing on from a machine in a 10.236.187 range...
No matter what I do I just can't route to the firewall on 192.168.1.1. Even though the DNS servers are brought back on the PPP connection via DHCP, the firewall ignores any connections to itself as a DNS and I can just see the OpenDNS IP range.
At one level it's fine because it's doing the job, e.g. letting me onto my LAN and allowing me access to my machines and the internet, except the firewall. It's maybe an Apple issue, but the only thing that bugs me is that PPTP works fine, and in the past I managed to get an IPsec tunnel between my 192.168.1.0 range and a 10.x.x.x range and was able to route happily and access both firewalls.
Very odd.
Hope the below helps somewhat. I've removed ethernet addresses etc.
mymachine:~ descarte$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
^C
--- 192.168.1.1 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
mymachine:~ descarte$ ping 192.168.1.10
PING 192.168.1.10 (192.168.1.10): 56 data bytes
64 bytes from 192.168.1.10: icmp_seq=0 ttl=63 time=51.262 ms
64 bytes from 192.168.1.10: icmp_seq=1 ttl=63 time=127.559 ms
^C
--- 192.168.1.10 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 51.262/89.410/127.559/38.148 ms
mymachine:~ descarte$ ping www.bbc.co.uk
PING www.bbc.net.uk (212.58.246.54): 56 data bytes
64 bytes from 212.58.246.54: icmp_seq=0 ttl=55 time=63.319 ms
64 bytes from 212.58.246.54: icmp_seq=1 ttl=55 time=64.917 ms
^C
--- www.bbc.net.uk ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 63.319/64.118/64.917/0.799 ms
mymachine:~ descarte$
mymachine:~ descarte$
mymachine:~ descarte$ nslookup www.bbc.co.uk
Server:         208.67.222.222
Address:        208.67.222.222#53

Non-authoritative answer:
www.bbc.co.uk   canonical name = www.bbc.net.uk.
Name:   www.bbc.net.uk
Address: 212.58.244.71
Name:   www.bbc.net.uk
Address: 212.58.244.70

mymachine:~ descarte$ ifconfig -a
<snip>
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        inet 192.168.1.32 --> 192.168.1.222 netmask 0xffffff00
mymachine:~ descarte$ netstatat -r
-bash: netstatat: command not found
mymachine:~ descarte$ netstat -r
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            link#9             UCS            14        0    ppp0
default            10.236.187.57      UGScI           9        0     en0
10.236.187.56/29   link#4             UCS             1        0     en0
10.236.187.57/32   link#4             UCS             1        0     en0
10.236.187.57      34:8a:ae:90:9d:8a  UHLWIir        12       67     en0   1176
10.236.187.58/32   link#4             UCS             0        0     en0
10.236.187.63      ff:ff:ff:ff:ff:ff  UHLWbI          0       17     en0
MYFIREWALLEXTERNALIP 10.236.187.57    UGHS            4      377     en0
108.160.170.39     link#9             UHWIi           1       11    ppp0
108.160.172.225    link#9             UHWIi           1       10    ppp0
127                localhost          UCS             0        0     lo0
localhost          localhost          UH              4      241     lo0
169.254            link#4             UCS             0        0     en0
192.168.1          ppp0               USc             3        2    ppp0
192.168.1.222      192.168.1.32       UH              0        0    ppp0
resolver1.opendns. link#9             UHW3I           0       23    ppp0   3581
bbc-vip045.cwwtf.b link#9             UHW3I           0        2    ppp0   3562
224.0.0.251        link#9             UHmW3I          0        0    ppp0   3550
239.255.255.250    link#9             UHmW3I          0        2    ppp0   3535
broadcasthost      link#9             UHW3bI          0        2    ppp0   3568
mymachine:~ descarte$
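An added example, not code from the thread or from SmallWall: it parses the macOS `netstat -r` table posted above and runs a longest-prefix-match lookup over it, which is the decision the client's kernel makes for every outbound packet. The parser assumes the BSD abbreviated destination format (`192.168.1` standing for 192.168.1.0/24, `127` for 127.0.0.0/8, a bare host for a /32) and skips rows whose destination was printed as a hostname or as the MYFIREWALLEXTERNALIP placeholder, since those cannot be resolved offline. For 192.168.1.1 and 192.168.1.10 it returns the same `192.168.1` entry on ppp0, so the Mac sends firewall-bound packets into the tunnel exactly as it does packets for the server that does answer; the asymmetry is therefore not in the client's routing table, which points the next check at the firewall's own rules for traffic that arrives on the L2TP interface and is addressed to the firewall itself. The table below is copied from the post; the lookup addresses are ones the poster pinged.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "network gateway flags netif")

# Sample input: the IPv4 section of the `netstat -r` output posted above
# (hostnames and the MYFIREWALLEXTERNALIP placeholder left exactly as printed).
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            link#9             UCS            14        0    ppp0
default            10.236.187.57      UGScI           9        0     en0
10.236.187.56/29   link#4             UCS             1        0     en0
10.236.187.57/32   link#4             UCS             1        0     en0
10.236.187.57      34:8a:ae:90:9d:8a  UHLWIir        12       67     en0   1176
10.236.187.58/32   link#4             UCS             0        0     en0
10.236.187.63      ff:ff:ff:ff:ff:ff  UHLWbI          0       17     en0
MYFIREWALLEXTERNALIP 10.236.187.57    UGHS            4      377     en0
108.160.170.39     link#9             UHWIi           1       11    ppp0
108.160.172.225    link#9             UHWIi           1       10    ppp0
127                localhost          UCS             0        0     lo0
localhost          localhost          UH              4      241     lo0
169.254            link#4             UCS             0        0     en0
192.168.1          ppp0               USc             3        2    ppp0
192.168.1.222      192.168.1.32       UH              0        0    ppp0
resolver1.opendns. link#9             UHW3I           0       23    ppp0   3581
bbc-vip045.cwwtf.b link#9             UHW3I           0        2    ppp0   3562
224.0.0.251        link#9             UHmW3I          0        0    ppp0   3550
239.255.255.250    link#9             UHmW3I          0        2    ppp0   3535
broadcasthost      link#9             UHW3bI          0        2    ppp0   3568
"""


def parse_destination(dest):
    """Expand a BSD netstat destination into an ip_network; None for names/placeholders."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    plen = None
    if "/" in dest:
        dest, plen = dest.split("/", 1)
        plen = int(plen)
    octets = dest.split(".")
    if len(octets) > 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None  # hostname, MAC address or placeholder: not a numeric destination
    if plen is None:
        plen = 8 * len(octets)  # "192.168.1" is 192.168.1.0/24, "127" is 127.0.0.0/8
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + f"/{plen}", strict=False)


def parse_netstat(text):
    """Return the numeric IPv4 routes from `netstat -r` output, in table order."""
    routes, in_inet = [], False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_inet = True
            continue
        if line.startswith("Internet6:"):
            break
        if not in_inet or not line.strip() or line.startswith("Destination"):
            continue
        fields = line.split()  # dest, gateway, flags, refs, use, netif[, expire]
        if len(fields) < 6:
            continue
        network = parse_destination(fields[0])
        if network is not None:
            routes.append(Route(network, fields[1], fields[2], fields[5]))
    return routes


def lookup(routes, addr):
    """Longest-prefix match; on equal prefix length the earlier table entry wins here."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in routes:
        if ip in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def same_route(routes, a, b):
    """True when two destinations are forwarded by the same table entry."""
    return lookup(routes, a) == lookup(routes, b)


if __name__ == "__main__":
    table = parse_netstat(SAMPLE_NETSTAT)
    for dest in ("192.168.1.1", "192.168.1.10", "192.168.1.222", "212.58.246.54"):
        r = lookup(table, dest)
        print(f"{dest:>15} -> {str(r.network):18} via {r.gateway:18} on {r.netif}")
    print("firewall and server share a route:", same_route(table, "192.168.1.1", "192.168.1.10"))
```

Paste a fresh `netstat -r` into `SAMPLE_NETSTAT` after reconnecting and re-run; if the firewall's LAN address ever resolves to a different interface than the server's, the client-side table is the problem, otherwise keep looking on the firewall.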