10
PfSense VPN mit L2TP (IPsec) Protokoll für mobile Nutzer
Inhaltsverzeichnis
Allgemeine Einleitung
(Die OPNsense Variante der Einrichtung findet man HIER.)
Das folgende VPN Tutorial ist eine Ergänzung zum bestehenden VPN_Client_Tutorial. Es beschreibt die VPN Anbindung von mobilen Benutzern oder Homeoffice Nutzern mit Windows, Mac OS, Linux sowie Smartphones und Pads unter Apple iOS und Android an die Firewall pfSense (Netgate).
Auch mit dem L2TP VPN Protokoll werden immer die bordeigenen VPN Clients verwendet die alle Betriebssysteme, Smartphones usw. von sich aus schon mitbringen. Die Installation einer extra VPN Client Software ist in dieser L2TP VPN Variante wie auch bei der o. g. reinen IPsec IKE2 Variante mit Server Zertifikat NICHT erforderlich !
Entgegen der zertifikatsbasierten IPsec IKEv2 Lösung, verzichtet das L2TP VPN Protokoll auf ein Server Zertifikat. Die VPN Einrichtung gerät damit insgesamt etwas leichter.
Sie hat aber den Nachteil das es keine eindeutige VPN Server Identifizierung durch den Client mit einem Zertifikat gibt, was eine Einschränkung in der Sicherheit bedeutet.
Anwender müssen hier also entscheiden ob das eine oder andere Verfahren für sie günstiger und vor allem sicherer ist. Beide bieten mit den bordeigenen VPN Clients eine problemlose und kryptografisch sichere Client Anbindung per VPN an die Firewall.
Los gehts....
pfSense Grundkonfiguration für L2TP
Zuerst aktiviert man im Menüpunkt VPN --> L2TP den L2TP Server mit folgenden Einstellungen:
- Haken aktiviert den L2TP Server
- "Interface" = WAN (WAN IP Adresse der Firewall)
- "Server Address" = Hier konfiguriert man eine VPN Server IP Adresse für das interne VPN Netzwerk. ACHTUNG: Dieses Netzwerk darf NICHT im Bereich der bestehenden Netzwerk IP Adressen der pfSense liegen ! Zudem sollte es niemals im Bereich vielfach verwendeter Standard IP Adressen, wie z.B. FritzBox (192.168.178.0), liegen da das zu einer Überschneidung und zur Fehlfunktion führt. Ideal sind hier etwas exotische IP Netze. Dieser Thread gibt Tips_zum_richtigen_VPN_Adressdesign !
- "Remote Adresse Range" = Adressbereich der VPN Clients. Dieses Netzwerk definiert den Client IP Bereich. Es darf sich NICHT mit der darüber liegenden Server IP überschneiden ! Das Beispiel hier nutzt das Subnetz 10.77.77.192 mit einer 26 Bit Maske (255.255.255.192) was damit insgesamt 62 VPN Clients erlaubt. Eine Maske von z.B. 25 Bit (255.255.255.128, Netzwerk: 10.77.77.128) erlaubt insgesamt 126 User usw.
- "Number of Users" = Hier gibt man die maximale Anzahl der zu erwartenden VPN User an. Aufpassen: Die Anzahl muss zum obigen Bereich (Netzmaske) der VPN Adressen passen und immer kleiner sein als die maximale, durch die Netzmaske technisch mögliche Anzahl !
- "Authentication Type" = MS CHAPv2
- "L2TP DNS Server" = (Optional) Hier definiert man z.B. interne DNS Server (Windows) die man dem Client bei VPN Einwahl automatisch übergeben will. Lässt man es weg wird normal wie auch im LAN die pfSense als DNS IP vergeben.
- "Radius" = (Optional) Wer einen Radius Server zur externen User Authentisierung verwendet aktiviert ihn hier. In dem Fall entfällt der Eintrag der lokalen Userdaten.
L2TP Benutzernamen einrichten
Im VPN -> L2TP User Menü konfiguriert man nun die Benutzernamen und Passwort zur VPN Einwahl.
WICHTIG: Unter IP Address kann man optional jedem Benutzer eine spezifische IP zuweisen lassen. Das ist wichtig wenn man später bestimmte Benutzer mit Zugriffen auf einzelne Netze oder Rechner oder auch Anwendungsdienste über die Firewall Regeln steuern will !
L2TP Tunnelprotokoll konfigurieren
Der L2TP Tunnel nutzt IPsec ESP mit IKEv1 als Verschlüsselung was entsprechend im Menüpunkt VPN -> IPsec, Mobile Clients eingerichtet werden muss.
- "User Authentication" = Local Database
Die folgende IPsec Phase 1 muss aus diesem Mobile Client Menü heraus eingerichtet werden !! Von dort also unbedingt rechts auf "Create Phase 1" klicken !
Einrichtung IPsec Phase 1
- "Key Exchange Version" = IKEv1
- "Authentication method" = Mutual PSK
- "Negotiation Mode" = Main
- "My Identifier" = My IP address
- "Encryption algorithm" = AES 256
- "Hash algorithm" = SHA1
- "DH key group" = 14 (2048 bit) (Achtung: Bei Fehlfunktion im VPN Aufbau mit älteren Smartphones, Chromebooks und einigen Android Modellen hier statt 14 dann DH key group = 2 (1024 bit) verwenden !)
Einrichtung IPsec Phase 2
- "Mode" = Transport
- "Protocol" = ESP
- "Encryption algorithms" = nur AES 128
- "Hash algorithms" = nur SHA1
- "PFS Key Group" = off (muss auf AUS sein !)
Setzen des globalen Pre Shared Key (vorinstallierter Schlüssel)
Im Menü VPN -> IPsec, Pre-Shared Keys
- "Identifier" = MUSS hier immer allusers sein ! Der String allusers ist eine Wildcard für den vorinstallierten L2TP Schlüssel. Er darf nicht verändert werden !
Hat man alles richtig konfiguriert sieht die Übersicht des IPsec Tunnel Protokolls so aus:
Firewall Regeln richtig einstellen
Es sind 3 Regelwerke einzustellen damit der VPN Zugriff klappt !
Einmal den Zugriff von L2TP auf die WAN IP Adresse der Firewall:
FW Regel WAN Port:
Hier definiert man die L2TP Ports idealerweise, der Übersicht halber, vorher in einem Firewall Port Alias Eintrag mit UDP 500, 4500 und 1701. Zusätzlich ist das ESP Protokoll freizugeben.
FW Regel L2TP Tunnel Port:
Hier nutzt man meist die bekannte "Scheunentor" Regel. Bei Bedarf kann (und sollte) sie später aber strikter eingestellt werden.
L2TP Client Setup für alle Plattformen
Windows Client Setup
(Achtung !:21H2 oder älter benötigt den Patch KB5010793! Siehe dazu auch HIER !)
22H2 oder neuer erfordert keinen Patch!
(Bei älteren Windows Versionen wie Win 7 unbedingt NAT-Traversal in der Registry aktivieren!)
Den Windows Client legt man mit dem bordeigenen Windows Setup an:
Apple Mac OS Client Setup
Analog funktioniert die Einrichtung des Apple MacOS L2TP Clients:
Apple iPhone/iPad Setup
Der Apple iOS Client hat als einziger L2TP Client die Option "Split Tunneling" zu machen oder alles in den Tunnel zu senden:
Android Client Setup
Achtung:
Einige ältere und einfache Android Smartphones (und vereinzelt alte Apple iPhones) supporten keine DH Key Gruppe 14 (2048 Bit) und dann scheitert der L2TP Verbindungsversuch.
In diesem Falle muss man für den Support älterer Geräte oben in den IPsec Settings auf DH key group = 2 (1024 bit) umstellen !
Linux Client Setup (CLI)
Eine detailierte Anleitung zur Anbindung eines Linux Clients (Server etc.) an ein L2TP VPN findet man HIER.
Die GUI Variante über die grafische Oberfläche hier.
Weiterführende Links
NetGate L2TP/IPsec Handbuch:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/l2tp-ipsec.html
L2TP/IPsec VPN auf OPNsense:
https://www.portunity.de/access/wiki/L2TP_VPN-Tunnel(IPv4)_mit_OPNsense_ ...
Mikrotik L2TP VPN Server für alle onboard VPN Clients und Smartphones:
https://administrator.de/forum/scheitern-am-ipsec-vpn-mit-mikrotik-56292 ...
https://administrator.de/forum/vpn-verbindung-windows-10-zu-mikrotik-l2t ...
L2TP Site to Site (Standort) Anbindung mit Mikrotik:
https://administrator.de/contentid/1721997934#comment-1736463492
Cisco IOS Router als L2TP VPN Server:
https://administrator.de/contentid/179345#toc-13
pfSense/OPNsense Zertifikats gesichertes IKEv2 VPN für mobile Benutzer mit bordeigener VPN Software:
https://administrator.de/wissen/ipsec-vpn-mobile-benutzer-pfsense-opnsen ...
Mikrotik als SSTP VPN Server für Windows Clients:
https://justit.eu/mikrotik-sstp-vpn-fuer-windows-clients/
Windows 10: Schneller VPN Aufbau per einfachem Mausklick:
https://www.heise.de/ct/ausgabe/2017-19-VPN-und-Remote-Desktop-Verbindun ...
Windows User Credentials beachten:
https://administrator.de/forum/windows-vpn-l2tp-falsche-anmeldedaten-367 ...
Windows und iPhone L2TP Client und Routing Verhalten:
https://administrator.de/forum/mikrotik-input-rule-for-l2tp-vpn-41960522 ...
Automatisiertes VPN "on Demand" für iOS Apple Endgeräte über XML Templates:
https://www.administrator.de/content/detail.php?id=378502&token=736
Windows 10 VPN IKE Verhalten:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ikee/74d ...
FritzBox 7412 als preiswertes VDSL "nur" Modem für pfSense/OPNsense:
https://www.spiegel.de/netzwelt/gadgets/fritzbox-7412-als-dsl-modem-dect ...
https://www.heise.de/select/ct/2020/2/1578238295698254
pfSense auf VmWare ESXi:
https://administrator.de/content/detail.php?id=639239&nid=1030243#co ...
https://administrator.de/forum/sophos-software-appliance-utm-vlan-cisco- ...
Fehler bei IPv6 vermeiden:
https://administrator.de/forum/pfsense-ipv6-was-mache-ich-falsch-507207. ...
Seriellen Terminal Anschluss richtig handhaben:
https://administrator.de/content/detail.php?id=620563&token=523#comm ...
Email Benachrichtigungen richtig einrichten:
https://administrator.de/forum/opnsense-email-alerts-failed-login-232385 ...
Link Aggregation (LAG) mit pfSense und OPNsense:
https://administrator.de/tutorial/link-aggregation-lag-im-netzwerk-15860 ...
AirPrint Drucker und andere Bonjour/mDNS Dienste erreichbar machen:
https://administrator.de/contentid/2382190660#comment-2394690003
OT: AdGuard DNS Filter auf pfSense/OPNsense installieren:
https://broadbandforum.co/t/205884/
OpenVPN auf der pfSense einrichten:
https://administrator.de/wissen/openvpn-server-installieren-pfsense-fire ...
Share on Facebook
Share on Twitter
Share on Reddit
Share on LinkedinPlease also mark the comments that contributed to the solution of the article
Content-Key: 585307
Url: https://administrator.de/contentid/585307
Printed on: February 1, 2023 at 04:02 o'clock
10 Comments
Latest comment
Hat jemand eine Anpassung parat, damit das unter Big Sur funktioniert?
Funktioniert auch unter Big Sur fehlerlos.
Eben grad auf einer pfSense (Ver. 2.5.2) und als Crosscheck auch auf einem Mikrotik (Ver. 6.48.4) und auch Cisco Meraki MX64 problemlos getestet.
Eben grad auf einer pfSense (Ver. 2.5.2) und als Crosscheck auch auf einem Mikrotik (Ver. 6.48.4) und auch Cisco Meraki MX64 problemlos getestet.
Ich bekomme das hier nicht zum laufen.
Weiss jemand, was da falsch läuft?
An https://support.apple.com/de-at/HT211840 liegt es nicht?
Mac:
Thu Sep 9 11:52:22 2021 : publish_entry SCDSet() failed: Success!
Thu Sep 9 11:52:22 2021 : publish_entry SCDSet() failed: Success!
Thu Sep 9 11:52:22 2021 : l2tp_get_router_address
Thu Sep 9 11:52:22 2021 : l2tp_get_router_address 172.20.10.1 from dict 1
Thu Sep 9 11:52:22 2021 : L2TP connecting to server 'vpn.xxxx.de' (xxx.yz.148.51)...
Thu Sep 9 11:52:22 2021 : IPSec connection started
Thu Sep 9 11:52:22 2021 : IPSec phase 1 client started
Thu Sep 9 11:52:22 2021 : IPSec phase 1 server replied
Thu Sep 9 11:52:23 2021 : IPSec phase 2 started
Thu Sep 9 11:52:24 2021 : IPSec phase 2 established
Thu Sep 9 11:52:24 2021 : IPSec connection established
Thu Sep 9 11:52:24 2021 : L2TP sent SCCRQ
Thu Sep 9 11:52:44 2021 : L2TP cannot connect to the server
PFsense:
Sep 9 11:52:22 charon 13353 06[NET] <6> received packet: from xyz.abc.116.238[500] to def.ijk.148.51[500] (788 bytes)
Sep 9 11:52:22 charon 13353 06[ENC] <6> parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Sep 9 11:52:22 charon 13353 06[CFG] <6> looking for an IKEv1 config for def.ijk.148.51...xyz.abc.116.238
Sep 9 11:52:22 charon 13353 06[CFG] <6> candidate: 0.0.0.0/0, ::/0...0.0.0.0/0, ::/0, prio 28
Sep 9 11:52:22 charon 13353 06[CFG] <6> found matching ike config: 0.0.0.0/0, ::/0...0.0.0.0/0, ::/0 with prio 28
Sep 9 11:52:22 charon 13353 06[IKE] <6> received NAT-T (RFC 3947) vendor ID
Sep 9 11:52:22 charon 13353 06[IKE] <6> received draft-ietf-ipsec-nat-t-ike vendor ID
Sep 9 11:52:22 charon 13353 06[IKE] <6> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Sep 9 11:52:22 charon 13353 06[IKE] <6> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Sep 9 11:52:22 charon 13353 06[IKE] <6> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Sep 9 11:52:22 charon 13353 06[IKE] <6> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Sep 9 11:52:22 charon 13353 06[IKE] <6> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Sep 9 11:52:22 charon 13353 06[IKE] <6> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Sep 9 11:52:22 charon 13353 06[IKE] <6> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Sep 9 11:52:22 charon 13353 06[IKE] <6> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Sep 9 11:52:22 charon 13353 06[IKE] <6> received FRAGMENTATION vendor ID
Sep 9 11:52:22 charon 13353 06[IKE] <6> received DPD vendor ID
Sep 9 11:52:22 charon 13353 06[IKE] <6> xyz.abc.116.238 is initiating a Main Mode IKE_SA
Sep 9 11:52:22 charon 13353 06[IKE] <6> IKE_SA (unnamed)[6] state change: CREATED => CONNECTING
Sep 9 11:52:22 charon 13353 06[CFG] <6> selecting proposal:
Sep 9 11:52:22 charon 13353 06[CFG] <6> no acceptable INTEGRITY_ALGORITHM found
Sep 9 11:52:22 charon 13353 06[CFG] <6> selecting proposal:
Sep 9 11:52:22 charon 13353 06[CFG] <6> no acceptable DIFFIE_HELLMAN_GROUP found
Sep 9 11:52:22 charon 13353 06[CFG] <6> selecting proposal:
Sep 9 11:52:22 charon 13353 06[CFG] <6> no acceptable INTEGRITY_ALGORITHM found
Sep 9 11:52:22 charon 13353 06[CFG] <6> selecting proposal:
Sep 9 11:52:22 charon 13353 06[CFG] <6> no acceptable INTEGRITY_ALGORITHM found
Sep 9 11:52:22 charon 13353 06[CFG] <6> selecting proposal:
Sep 9 11:52:22 charon 13353 06[CFG] <6> no acceptable INTEGRITY_ALGORITHM found
Sep 9 11:52:22 charon 13353 06[CFG] <6> selecting proposal:
Sep 9 11:52:22 charon 13353 06[CFG] <6> no acceptable DIFFIE_HELLMAN_GROUP found
Sep 9 11:52:22 charon 13353 06[CFG] <6> selecting proposal:
Sep 9 11:52:22 charon 13353 06[CFG] <6> no acceptable INTEGRITY_ALGORITHM found
Sep 9 11:52:22 charon 13353 06[CFG] <6> selecting proposal:
Sep 9 11:52:22 charon 13353 06[CFG] <6> no acceptable INTEGRITY_ALGORITHM found
Sep 9 11:52:22 charon 13353 06[CFG] <6> selecting proposal:
Sep 9 11:52:22 charon 13353 06[CFG] <6> proposal matches
Sep 9 11:52:22 charon 13353 06[CFG] <6> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Sep 9 11:52:22 charon 13353 06[CFG] <6> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 9 11:52:22 charon 13353 06[CFG] <6> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 9 11:52:22 charon 13353 06[IKE] <6> sending XAuth vendor ID
Sep 9 11:52:22 charon 13353 06[IKE] <6> sending DPD vendor ID
Sep 9 11:52:22 charon 13353 06[IKE] <6> sending FRAGMENTATION vendor ID
Sep 9 11:52:22 charon 13353 06[IKE] <6> sending NAT-T (RFC 3947) vendor ID
Sep 9 11:52:22 charon 13353 06[ENC] <6> generating ID_PROT response 0 [ SA V V V V ]
Sep 9 11:52:22 charon 13353 06[NET] <6> sending packet: from def.ijk.148.51[500] to xyz.abc.116.238[500] (160 bytes)
Sep 9 11:52:23 charon 13353 06[NET] <6> received packet: from xyz.abc.116.238[500] to def.ijk.148.51[500] (228 bytes)
Sep 9 11:52:23 charon 13353 06[ENC] <6> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Sep 9 11:52:23 charon 13353 06[IKE] <6> remote host is behind NAT
Sep 9 11:52:23 charon 13353 06[CFG] <6> candidate "con-mobile", match: 1/1/28 (me/other/ike)
Sep 9 11:52:23 charon 13353 06[ENC] <6> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Sep 9 11:52:23 charon 13353 06[NET] <6> sending packet: from def.ijk.148.51[500] to xyz.abc.116.238[500] (244 bytes)
Sep 9 11:52:23 charon 13353 06[NET] <6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (108 bytes)
Sep 9 11:52:23 charon 13353 06[ENC] <6> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Sep 9 11:52:23 charon 13353 06[CFG] <6> looking for pre-shared key peer configs matching def.ijk.148.51...xyz.abc.116.238[172.20.10.2]
Sep 9 11:52:23 charon 13353 06[CFG] <6> candidate "con-mobile", match: 1/1/28 (me/other/ike)
Sep 9 11:52:23 charon 13353 06[CFG] <6> selected peer config "con-mobile"
Sep 9 11:52:23 charon 13353 06[IKE] <con-mobile|6> IKE_SA con-mobile[6] established between def.ijk.148.51[def.ijk.148.51]...xyz.abc.116.238[172.20.10.2]
Sep 9 11:52:23 charon 13353 06[IKE] <con-mobile|6> IKE_SA con-mobile[6] state change: CONNECTING => ESTABLISHED
Sep 9 11:52:23 charon 13353 06[IKE] <con-mobile|6> scheduling reauthentication in 23393s
Sep 9 11:52:23 charon 13353 06[IKE] <con-mobile|6> maximum IKE_SA lifetime 26273s
Sep 9 11:52:23 charon 13353 06[ENC] <con-mobile|6> generating ID_PROT response 0 [ ID HASH ]
Sep 9 11:52:23 charon 13353 06[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (76 bytes)
Sep 9 11:52:24 charon 13353 10[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (396 bytes)
Sep 9 11:52:24 charon 13353 10[ENC] <con-mobile|6> parsed QUICK_MODE request 1176519332 [ HASH SA No ID ID NAT-OA NAT-OA ]
Sep 9 11:52:24 charon 13353 10[IKE] <con-mobile|6> changing received traffic selectors 172.20.10.2/32|/0[udp/61568]=== def.ijk.148.51/32|/0[udp/l2f] due to NAT
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> looking for a child config for def.ijk.148.51/32|/0[udp/l2f] === xyz.abc.116.238/32|/0[udp/61568]
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> proposing traffic selectors for us:
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> def.ijk.148.51/32|/0
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> proposing traffic selectors for other:
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> xyz.abc.116.238/32|/0
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> candidate "con-mobile" with prio 1+1
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> found matching child config "con-mobile" with prio 2
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> selecting traffic selectors for other:
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> config: xyz.abc.116.238/32|/0, received: xyz.abc.116.238/32|/0[udp/61568] => match: xyz.abc.116.238/32|/0[udp/61568]
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> selecting traffic selectors for us:
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> config: def.ijk.148.51/32|/0, received: def.ijk.148.51/32|/0[udp/l2f] => match: def.ijk.148.51/32|/0[udp/l2f]
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> selecting proposal:
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> no acceptable ENCRYPTION_ALGORITHM found
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> selecting proposal:
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> no acceptable ENCRYPTION_ALGORITHM found
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> selecting proposal:
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> no acceptable ENCRYPTION_ALGORITHM found
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> selecting proposal:
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> no acceptable INTEGRITY_ALGORITHM found
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> selecting proposal:
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> no acceptable INTEGRITY_ALGORITHM found
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> selecting proposal:
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> proposal matches
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> configured proposals: ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ
Sep 9 11:52:24 charon 13353 10[CFG] <con-mobile|6> selected proposal: ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ
Sep 9 11:52:24 charon 13353 10[ENC] <con-mobile|6> generating QUICK_MODE response 1176519332 [ HASH SA No ID ID NAT-OA NAT-OA ]
Sep 9 11:52:24 charon 13353 10[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (204 bytes)
Sep 9 11:52:24 charon 13353 10[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (60 bytes)
Sep 9 11:52:24 charon 13353 10[ENC] <con-mobile|6> parsed QUICK_MODE request 1176519332 [ HASH ]
Sep 9 11:52:24 charon 13353 10[CHD] <con-mobile|6> CHILD_SA con-mobile{5} state change: CREATED => INSTALLING
Sep 9 11:52:24 charon 13353 10[CHD] <con-mobile|6> using AES_CBC for encryption
Sep 9 11:52:24 charon 13353 10[CHD] <con-mobile|6> using HMAC_MD5_96 for integrity
Sep 9 11:52:24 charon 13353 10[CHD] <con-mobile|6> adding inbound ESP SA
Sep 9 11:52:24 charon 13353 10[CHD] <con-mobile|6> SPI 0xced0dc9e, src xyz.abc.116.238 dst def.ijk.148.51
Sep 9 11:52:24 charon 13353 10[CHD] <con-mobile|6> adding outbound ESP SA
Sep 9 11:52:24 charon 13353 10[CHD] <con-mobile|6> SPI 0x03595e06, src def.ijk.148.51 dst xyz.abc.116.238
Sep 9 11:52:24 charon 13353 10[IKE] <con-mobile|6> CHILD_SA con-mobile{5} established with SPIs ced0dc9e_i 03595e06_o and TS def.ijk.148.51/32|/0[udp/l2f] === xyz.abc.116.238/32|/0[udp/61568]
Sep 9 11:52:24 charon 13353 10[CHD] <con-mobile|6> CHILD_SA con-mobile{5} state change: INSTALLING => INSTALLED
Sep 9 11:52:25 charon 13353 06[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:25 charon 13353 06[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:25 charon 13353 06[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:25 charon 13353 06[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:25 charon 13353 06[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 3401304144 [ HASH N(DPD) ]
Sep 9 11:52:25 charon 13353 06[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:25 charon 13353 06[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:25 charon 13353 06[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:25 charon 13353 06[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:25 charon 13353 06[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 2200524928 [ HASH N(DPD_ACK) ]
Sep 9 11:52:25 charon 13353 06[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:25 charon 13353 06[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:26 charon 13353 10[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:26 charon 13353 10[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:26 charon 13353 10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:26 charon 13353 10[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:26 charon 13353 10[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 3125698663 [ HASH N(DPD) ]
Sep 9 11:52:26 charon 13353 10[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:26 charon 13353 10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:26 charon 13353 10[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:26 charon 13353 10[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:26 charon 13353 10[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 1412957240 [ HASH N(DPD_ACK) ]
Sep 9 11:52:26 charon 13353 10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:26 charon 13353 10[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:27 charon 13353 10[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:27 charon 13353 10[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:27 charon 13353 10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:27 charon 13353 10[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:27 charon 13353 10[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 3169018633 [ HASH N(DPD) ]
Sep 9 11:52:27 charon 13353 10[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:27 charon 13353 10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:27 charon 13353 10[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:27 charon 13353 10[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:27 charon 13353 10[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 161370408 [ HASH N(DPD_ACK) ]
Sep 9 11:52:27 charon 13353 10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:27 charon 13353 10[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:28 charon 13353 10[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:28 charon 13353 10[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:28 charon 13353 10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:28 charon 13353 10[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:28 charon 13353 10[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 2846347057 [ HASH N(DPD) ]
Sep 9 11:52:28 charon 13353 10[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:28 charon 13353 10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:28 charon 13353 10[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:28 charon 13353 10[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:28 charon 13353 10[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 3166884827 [ HASH N(DPD_ACK) ]
Sep 9 11:52:28 charon 13353 10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:28 charon 13353 10[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:29 charon 13353 10[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:29 charon 13353 10[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:29 charon 13353 10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:29 charon 13353 10[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:29 charon 13353 10[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 1399713983 [ HASH N(DPD) ]
Sep 9 11:52:29 charon 13353 10[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:29 charon 13353 10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:29 charon 13353 10[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:29 charon 13353 10[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:29 charon 13353 10[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 1972336736 [ HASH N(DPD_ACK) ]
Sep 9 11:52:29 charon 13353 10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:29 charon 13353 10[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:30 charon 13353 10[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:30 charon 13353 10[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:30 charon 13353 10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:30 charon 13353 10[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:30 charon 13353 10[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 652951414 [ HASH N(DPD) ]
Sep 9 11:52:30 charon 13353 10[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:30 charon 13353 10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:30 charon 13353 10[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:30 charon 13353 10[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:30 charon 13353 10[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 404915874 [ HASH N(DPD_ACK) ]
Sep 9 11:52:30 charon 13353 10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:30 charon 13353 10[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:31 charon 13353 09[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:31 charon 13353 09[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:31 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:31 charon 13353 09[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:31 charon 13353 09[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 920528892 [ HASH N(DPD) ]
Sep 9 11:52:31 charon 13353 09[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:31 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:31 charon 13353 09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:31 charon 13353 09[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:31 charon 13353 09[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 3285350641 [ HASH N(DPD_ACK) ]
Sep 9 11:52:31 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:31 charon 13353 09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:32 charon 13353 09[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:32 charon 13353 09[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:32 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:32 charon 13353 09[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:32 charon 13353 09[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 2256793496 [ HASH N(DPD) ]
Sep 9 11:52:32 charon 13353 09[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:32 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:32 charon 13353 09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:32 charon 13353 09[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:32 charon 13353 09[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 1455714175 [ HASH N(DPD_ACK) ]
Sep 9 11:52:32 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:32 charon 13353 09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:33 charon 13353 09[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:33 charon 13353 09[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:33 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:33 charon 13353 09[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:33 charon 13353 09[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 331134726 [ HASH N(DPD) ]
Sep 9 11:52:33 charon 13353 09[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:33 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:33 charon 13353 09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:33 charon 13353 09[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:33 charon 13353 09[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 2640606474 [ HASH N(DPD_ACK) ]
Sep 9 11:52:33 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:33 charon 13353 09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:34 charon 13353 09[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:34 charon 13353 09[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:34 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:34 charon 13353 09[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:34 charon 13353 09[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 1247638940 [ HASH N(DPD) ]
Sep 9 11:52:34 charon 13353 09[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:34 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:34 charon 13353 09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:34 charon 13353 09[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:34 charon 13353 09[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 2530195038 [ HASH N(DPD_ACK) ]
Sep 9 11:52:34 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:34 charon 13353 09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:35 charon 13353 09[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:35 charon 13353 09[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:35 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:35 charon 13353 09[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:35 charon 13353 09[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 2079041617 [ HASH N(DPD) ]
Sep 9 11:52:35 charon 13353 09[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:35 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:35 charon 13353 09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:35 charon 13353 09[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:35 charon 13353 09[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 2914855772 [ HASH N(DPD_ACK) ]
Sep 9 11:52:35 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:35 charon 13353 09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:36 charon 13353 09[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:36 charon 13353 09[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:36 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:36 charon 13353 09[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:36 charon 13353 09[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 860455598 [ HASH N(DPD) ]
Sep 9 11:52:36 charon 13353 09[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:36 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:36 charon 13353 09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:36 charon 13353 09[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:36 charon 13353 09[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 841506726 [ HASH N(DPD_ACK) ]
Sep 9 11:52:36 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:36 charon 13353 09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:37 charon 13353 09[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:37 charon 13353 09[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:37 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:37 charon 13353 09[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:37 charon 13353 09[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 2252303055 [ HASH N(DPD) ]
Sep 9 11:52:37 charon 13353 09[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:37 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:37 charon 13353 09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:37 charon 13353 09[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:37 charon 13353 09[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 2173860112 [ HASH N(DPD_ACK) ]
Sep 9 11:52:37 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:37 charon 13353 09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:38 charon 13353 09[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:38 charon 13353 09[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:38 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:38 charon 13353 09[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:38 charon 13353 09[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 2162668809 [ HASH N(DPD) ]
Sep 9 11:52:38 charon 13353 09[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:38 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:38 charon 13353 09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:38 charon 13353 09[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:38 charon 13353 09[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 2263478134 [ HASH N(DPD_ACK) ]
Sep 9 11:52:38 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:38 charon 13353 09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:39 charon 13353 09[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:39 charon 13353 09[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:39 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:39 charon 13353 09[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:39 charon 13353 09[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 2611093714 [ HASH N(DPD) ]
Sep 9 11:52:39 charon 13353 09[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:39 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:39 charon 13353 09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:39 charon 13353 09[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:39 charon 13353 09[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 2556323718 [ HASH N(DPD_ACK) ]
Sep 9 11:52:39 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:39 charon 13353 09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:40 charon 13353 09[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:40 charon 13353 09[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:40 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:40 charon 13353 09[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:40 charon 13353 09[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 4040646048 [ HASH N(DPD) ]
Sep 9 11:52:40 charon 13353 09[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:40 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:40 charon 13353 09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:40 charon 13353 09[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:40 charon 13353 09[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 1484630634 [ HASH N(DPD_ACK) ]
Sep 9 11:52:40 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:40 charon 13353 09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:41 charon 13353 09[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:41 charon 13353 09[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:41 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:41 charon 13353 09[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:41 charon 13353 09[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 830103228 [ HASH N(DPD) ]
Sep 9 11:52:41 charon 13353 09[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:41 charon 13353 09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:41 charon 13353 09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:41 charon 13353 12[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:41 charon 13353 12[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 3661340784 [ HASH N(DPD_ACK) ]
Sep 9 11:52:41 charon 13353 12[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:41 charon 13353 12[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:42 charon 13353 12[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:42 charon 13353 12[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:42 charon 13353 12[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:42 charon 13353 12[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:42 charon 13353 12[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 2881913898 [ HASH N(DPD) ]
Sep 9 11:52:42 charon 13353 12[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:42 charon 13353 12[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:42 charon 13353 12[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:42 charon 13353 12[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:42 charon 13353 12[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 1867954662 [ HASH N(DPD_ACK) ]
Sep 9 11:52:42 charon 13353 12[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:42 charon 13353 12[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:43 charon 13353 12[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:43 charon 13353 12[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:43 charon 13353 12[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:43 charon 13353 12[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:43 charon 13353 12[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 1763851670 [ HASH N(DPD) ]
Sep 9 11:52:43 charon 13353 12[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:43 charon 13353 12[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:43 charon 13353 12[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:43 charon 13353 12[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:43 charon 13353 12[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 291869909 [ HASH N(DPD_ACK) ]
Sep 9 11:52:43 charon 13353 12[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:43 charon 13353 12[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:44 charon 13353 12[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (76 bytes)
Sep 9 11:52:44 charon 13353 12[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 742545670 [ HASH D ]
Sep 9 11:52:44 charon 13353 12[IKE] <con-mobile|6> received DELETE for ESP CHILD_SA with SPI 03595e06
Sep 9 11:52:44 charon 13353 12[CHD] <con-mobile|6> CHILD_SA con-mobile{5} state change: INSTALLED => DELETING
Sep 9 11:52:44 charon 13353 12[IKE] <con-mobile|6> closing CHILD_SA con-mobile{5} with SPIs ced0dc9e_i (660 bytes) 03595e06_o (0 bytes) and TS def.ijk.148.51/32|/0[udp/l2f] === xyz.abc.116.238/32|/0[udp/61568]
Sep 9 11:52:44 charon 13353 12[CHD] <con-mobile|6> CHILD_SA con-mobile{5} state change: DELETING => DELETED
Sep 9 11:52:44 charon 13353 12[CHD] <con-mobile|6> CHILD_SA con-mobile{5} state change: DELETED => DESTROYING
Sep 9 11:52:44 charon 13353 11[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:44 charon 13353 11[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 2500915748 [ HASH D ]
Sep 9 11:52:44 charon 13353 11[IKE] <con-mobile|6> received DELETE for IKE_SA con-mobile[6]
Sep 9 11:52:44 charon 13353 11[IKE] <con-mobile|6> deleting IKE_SA con-mobile[6] between def.ijk.148.51[def.ijk.148.51]...xyz.abc.116.238[172.20.10.2]
Sep 9 11:52:44 charon 13353 11[IKE] <con-mobile|6> IKE_SA con-mobile[6] state change: ESTABLISHED => DELETING
Sep 9 11:52:44 charon 13353 11[IKE] <con-mobile|6> IKE_SA con-mobile[6] state change: DELETING => DELETING
Sep 9 11:52:44 charon 13353 11[IKE] <con-mobile|6> IKE_SA con-mobile[6] state change: DELETING => DESTROYING Weiss jemand, was da falsch läuft?
An https://support.apple.com/de-at/HT211840 liegt es nicht?
Das hast du beachtet ?
https://administrator.de/forum/l2tp-ipsec-vpn-pfsense-2-3-317353.html
Tip: Am besten einen separaten Thread aufmachen mit den Setup Screenshots um das Tutorial hier nicht "aufzublähen". da können wir dann ins Eingemachte gehen. Du hast irgendwo noch einen Konfig Kinken im Firewall Setup.
Wichtig sind die Crypto Settings. SHA1 (L2TP kann nur das) und ggf. mal mit anderer DH Group testen.
Der Mac kommt nochmalerweise auch mit DH14 klar.
https://administrator.de/forum/l2tp-ipsec-vpn-pfsense-2-3-317353.html
Tip: Am besten einen separaten Thread aufmachen mit den Setup Screenshots um das Tutorial hier nicht "aufzublähen". da können wir dann ins Eingemachte gehen. Du hast irgendwo noch einen Konfig Kinken im Firewall Setup.
Wichtig sind die Crypto Settings. SHA1 (L2TP kann nur das) und ggf. mal mit anderer DH Group testen.
Der Mac kommt nochmalerweise auch mit DH14 klar.
So, Schnellcheck und ums vorweg zu nehmen: Works as designed ! 😉
Wie gesagt...alles fehlerlos.
(Winblows 10 (21H1) L2TP Client übrigens auch !)
Fazit: Irgendwo hast du einen Setup Fehler in deiner L2TP Konfig !
Hier der komplette L2TP Log Auszug der Connection:
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IFACE: Add group l2tp to ng0
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IFACE: Rename interface ng0 to l2tps1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IFACE: Up event
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IFACE: No interface to proxy arp on for 10.77.77.192
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] 10.77.77.1 -> 10.77.77.192
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: LayerUp
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: state change Ack-Rcvd --> Opened
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] PRIDNS 192.168.1.1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPADDR 10.77.77.192
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: SendConfigAck #3
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] PRIDNS 192.168.1.1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] 10.77.77.192 is OK
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPADDR 10.77.77.192
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: rec'd Configure Request #3 (Ack-Rcvd)
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: state change Req-Sent --> Ack-Rcvd
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPADDR 10.77.77.1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: rec'd Configure Ack #2 (Req-Sent)
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] PRIDNS 192.168.1.1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPADDR 10.77.77.192
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: SendConfigNak #2
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] NAKing with 192.168.1.1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] PRIDNS 0.0.0.0
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] NAKing with 10.77.77.192
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPADDR 0.0.0.0
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: rec'd Configure Request #2 (Req-Sent)
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: LayerFinish
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: state change Req-Sent --> Stopped
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: protocol was rejected by peer
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: protocol CCP was rejected
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: rec'd Protocol Reject #2 (Opened)
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPADDR 10.77.77.1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: SendConfigReq #2
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: rec'd Configure Reject #1 (Req-Sent)
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] rec'd unexpected protocol Apple Client Server Protocol Control, rejecting
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] rec'd unexpected protocol IPV6CP, rejecting
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] SECDNS 0.0.0.0
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: SendConfigRej #1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] SECDNS 0.0.0.0
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] NAKing with 192.168.1.1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] PRIDNS 0.0.0.0
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] NAKing with 10.77.77.192
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPADDR 0.0.0.0
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: rec'd Configure Request #1 (Req-Sent)
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: SendConfigReq #1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: state change Starting --> Req-Sent
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: Protocol mppc disabled as useless for this setup
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: Up event
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPADDR 10.77.77.1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: SendConfigReq #1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: state change Starting --> Req-Sent
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: Got IP 10.77.77.192 from pool "p0" for peer
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: Up event
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: LayerStart
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: state change Initial --> Starting
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: Open event
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: LayerStart
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: state change Initial --> Starting
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: Open event
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] Bundle: Status update: up 1 link, total bandwidth 64000 bps
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] Link: Join bundle "l2tp_b-1"
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] Bundle: Interface ng0 created
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] Creating new bundle using template "l2tp_b".
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] Link: Matched action 'bundle "l2tp_b" ""'
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: authorization successful
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] CHAP: sending SUCCESS #1 len: 46
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] CHAP: Reply message: S=363EBA31DE02EF8CA838CFC4B4A7A0534566B3B4
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] CHAP: Response is valid
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] CHAP: Auth return status: undefined
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] AUTH: INTERNAL returned: undefined
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] AUTH: Trying INTERNAL
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] Name: "user1"
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] CHAP: rec'd RESPONSE #1 len: 59
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: LayerUp
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] CHAP: sending CHALLENGE #1 len: 21
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: auth: peer wants nothing, I want CHAP
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: state change Ack-Sent --> Opened
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] AUTHPROTO CHAP MSOFTv2
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MAGICNUM 0x75e8c0d0
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MRU 1500
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] PROTOCOMP
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] ACFCOMP
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: rec'd Configure Ack #3 (Ack-Sent)
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] AUTHPROTO CHAP MSOFTv2
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MAGICNUM 0x75e8c0d0
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MRU 1500
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] PROTOCOMP
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] ACFCOMP
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: SendConfigReq #3
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MP SHORTSEQ
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MP MRRU 2048
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: rec'd Configure Reject #2 (Ack-Sent)
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] ENDPOINTDISC [802.1] 00 0d b9 3a 26 61
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MP SHORTSEQ
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MP MRRU 2048
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] AUTHPROTO CHAP MSOFTv2
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MAGICNUM 0x75e8c0d0
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MRU 1500
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] PROTOCOMP
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] ACFCOMP
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: SendConfigReq #2
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: state change Req-Sent --> Ack-Sent
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] ACFCOMP
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] PROTOCOMP
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] MAGICNUM 0x3259fde5
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] ACCMAP 0x00000000
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: SendConfigAck #1
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] ACFCOMP
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] PROTOCOMP
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] MAGICNUM 0x3259fde5
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] ACCMAP 0x00000000
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: rec'd Configure Request #1 (Req-Sent)
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] ENDPOINTDISC [802.1] 00 0d b9 3a 26 61
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] MP SHORTSEQ
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] MP MRRU 2048
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] AUTHPROTO CHAP MSOFTv2
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] MAGICNUM 0x75e8c0d0
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] MRU 1500
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] PROTOCOMP
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] ACFCOMP
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: SendConfigReq #1
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: state change Starting --> Req-Sent
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: Up event
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] Link: UP event
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] L2TP: Call #1 connected
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: LayerStart
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: state change Initial --> Starting
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: Open event
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] Link: OPEN event
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] L2TP: Incoming call #1 via control connection 0x800cc3310 accepted
Sep 9 14:42:02 l2tps 44792 L2TP: Incoming call #1 via connection 0x800cc3310 received
Sep 9 14:42:02 l2tps 44792 L2TP: Control connection 0x800cc3310 10.99.1.99 1701 <-> 10.99.1.140 56990 connected
Sep 9 14:42:02 l2tps 44792 Incoming L2TP packet from 10.99.1.140 56990
pfSense Setup:
Connection Status pfSense bei aktivem Mac L2TP Client
Mac L2TP Client Status
Wie gesagt...alles fehlerlos.
(Winblows 10 (21H1) L2TP Client übrigens auch !)
Fazit: Irgendwo hast du einen Setup Fehler in deiner L2TP Konfig !
Hier der komplette L2TP Log Auszug der Connection:
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IFACE: Add group l2tp to ng0
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IFACE: Rename interface ng0 to l2tps1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IFACE: Up event
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IFACE: No interface to proxy arp on for 10.77.77.192
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] 10.77.77.1 -> 10.77.77.192
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: LayerUp
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: state change Ack-Rcvd --> Opened
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] PRIDNS 192.168.1.1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPADDR 10.77.77.192
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: SendConfigAck #3
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] PRIDNS 192.168.1.1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] 10.77.77.192 is OK
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPADDR 10.77.77.192
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: rec'd Configure Request #3 (Ack-Rcvd)
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: state change Req-Sent --> Ack-Rcvd
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPADDR 10.77.77.1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: rec'd Configure Ack #2 (Req-Sent)
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] PRIDNS 192.168.1.1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPADDR 10.77.77.192
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: SendConfigNak #2
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] NAKing with 192.168.1.1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] PRIDNS 0.0.0.0
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] NAKing with 10.77.77.192
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPADDR 0.0.0.0
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: rec'd Configure Request #2 (Req-Sent)
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: LayerFinish
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: state change Req-Sent --> Stopped
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: protocol was rejected by peer
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: protocol CCP was rejected
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: rec'd Protocol Reject #2 (Opened)
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPADDR 10.77.77.1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: SendConfigReq #2
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: rec'd Configure Reject #1 (Req-Sent)
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] rec'd unexpected protocol Apple Client Server Protocol Control, rejecting
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] rec'd unexpected protocol IPV6CP, rejecting
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] SECDNS 0.0.0.0
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: SendConfigRej #1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] SECDNS 0.0.0.0
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] NAKing with 192.168.1.1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] PRIDNS 0.0.0.0
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] NAKing with 10.77.77.192
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPADDR 0.0.0.0
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: rec'd Configure Request #1 (Req-Sent)
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: SendConfigReq #1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: state change Starting --> Req-Sent
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: Protocol mppc disabled as useless for this setup
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: Up event
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPADDR 10.77.77.1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: SendConfigReq #1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: state change Starting --> Req-Sent
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: Got IP 10.77.77.192 from pool "p0" for peer
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: Up event
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: LayerStart
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: state change Initial --> Starting
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: Open event
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: LayerStart
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: state change Initial --> Starting
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: Open event
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] Bundle: Status update: up 1 link, total bandwidth 64000 bps
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] Link: Join bundle "l2tp_b-1"
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] Bundle: Interface ng0 created
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] Creating new bundle using template "l2tp_b".
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] Link: Matched action 'bundle "l2tp_b" ""'
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: authorization successful
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] CHAP: sending SUCCESS #1 len: 46
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] CHAP: Reply message: S=363EBA31DE02EF8CA838CFC4B4A7A0534566B3B4
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] CHAP: Response is valid
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] CHAP: Auth return status: undefined
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] AUTH: INTERNAL returned: undefined
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] AUTH: Trying INTERNAL
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] Name: "user1"
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] CHAP: rec'd RESPONSE #1 len: 59
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: LayerUp
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] CHAP: sending CHALLENGE #1 len: 21
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: auth: peer wants nothing, I want CHAP
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: state change Ack-Sent --> Opened
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] AUTHPROTO CHAP MSOFTv2
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MAGICNUM 0x75e8c0d0
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MRU 1500
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] PROTOCOMP
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] ACFCOMP
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: rec'd Configure Ack #3 (Ack-Sent)
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] AUTHPROTO CHAP MSOFTv2
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MAGICNUM 0x75e8c0d0
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MRU 1500
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] PROTOCOMP
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] ACFCOMP
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: SendConfigReq #3
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MP SHORTSEQ
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MP MRRU 2048
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: rec'd Configure Reject #2 (Ack-Sent)
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] ENDPOINTDISC [802.1] 00 0d b9 3a 26 61
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MP SHORTSEQ
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MP MRRU 2048
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] AUTHPROTO CHAP MSOFTv2
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MAGICNUM 0x75e8c0d0
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MRU 1500
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] PROTOCOMP
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] ACFCOMP
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: SendConfigReq #2
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: state change Req-Sent --> Ack-Sent
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] ACFCOMP
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] PROTOCOMP
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] MAGICNUM 0x3259fde5
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] ACCMAP 0x00000000
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: SendConfigAck #1
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] ACFCOMP
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] PROTOCOMP
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] MAGICNUM 0x3259fde5
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] ACCMAP 0x00000000
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: rec'd Configure Request #1 (Req-Sent)
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] ENDPOINTDISC [802.1] 00 0d b9 3a 26 61
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] MP SHORTSEQ
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] MP MRRU 2048
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] AUTHPROTO CHAP MSOFTv2
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] MAGICNUM 0x75e8c0d0
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] MRU 1500
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] PROTOCOMP
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] ACFCOMP
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: SendConfigReq #1
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: state change Starting --> Req-Sent
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: Up event
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] Link: UP event
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] L2TP: Call #1 connected
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: LayerStart
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: state change Initial --> Starting
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: Open event
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] Link: OPEN event
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] L2TP: Incoming call #1 via control connection 0x800cc3310 accepted
Sep 9 14:42:02 l2tps 44792 L2TP: Incoming call #1 via connection 0x800cc3310 received
Sep 9 14:42:02 l2tps 44792 L2TP: Control connection 0x800cc3310 10.99.1.99 1701 <-> 10.99.1.140 56990 connected
Sep 9 14:42:02 l2tps 44792 Incoming L2TP packet from 10.99.1.140 56990
Der Screenshot VPN/IPsec/Pre-Shared-Keys ist falsch. Bei PSK wird nur der PSK angezeigt. Der Rest (identifyer type etc) wird nur in der Maske EAP angezeigt. Der Rest im anderen Fred. ;)
Der Screenshot VPN/IPsec/Pre-Shared-Keys ist falsch.
Bahnhof ?? WO bitte ist der falsch ?? Das ist ein Screenshot der aktiv laufenden Konfig ?! Aber egal...
Fehler gefunden: Es fehlte in der Firewall eine IPSec-Regel im IPSec-Reiter.
Bei VPN/IPsec/Pre-Shared-Keys zeigst du im Screenshot die Parameter für EAP an. Bei PSK (so wie in deinem Screenshot dargestellt) zeigt er bei mir nur Identier, Secret Type und Pre-Shared-Key an.
Wenn die den Secret-Type auf EAP umstelle, dann wird in der 2.5, so wie in deinem Screenshot zusätzlich die Parameter Identifier type, Virtual Address Pool und DNS Server angezeigt.
Wenn die den Secret-Type auf EAP umstelle, dann wird in der 2.5, so wie in deinem Screenshot zusätzlich die Parameter Identifier type, Virtual Address Pool und DNS Server angezeigt.
Fehler gefunden: Es fehlte in der Firewall eine IPSec-Regel im IPSec-Reiter.
👍 Alles wird gut !