PfSense VPN mit L2TP (IPsec) Protokoll für mobile Nutzer

Anleitung Netzwerke

aqui (Level 5)

06.07.2020, aktualisiert am 12.05.2022

19662

Inhaltsverzeichnis

Allgemeine Einleitung

pfSense Grundkonfiguration für L2TP

L2TP Benutzernamen einrichten

L2TP Tunnelprotokoll konfigurieren

Einrichtung IPsec Phase 1

Einrichtung IPsec Phase 2

Setzen des globalen Pre Shared Key (vorinstallierter Schlüssel)

Firewall Regeln richtig einstellen

L2TP Client Setup für alle Plattformen

Windows Client Setup

Apple Mac OS Client Setup

Apple iPhone/iPad Setup

Android Client Setup

Linux Client Setup (CLI)

Weiterführende Links

Allgemeine Einleitung

(Die OPNsense Variante der Einrichtung findet man HIER.)
Das folgende VPN Tutorial ist eine Ergänzung zum bestehenden VPN_Client_Tutorial. Es beschreibt ebenfalls die VPN Anbindung von mobilen Benutzern oder Homeoffice Nutzern mit Windows, Mac OS, Linux sowie Smartphones und Pads unter Apple iOS und Android an die Firewall pfSense (Netgate).

Auch mit dem L2TP VPN Protokoll werden immer die bordeigenen VPN Clients verwendet die alle Betriebssysteme von sich aus mitbringen. Eine Installation von extra Software für den Client VPN Zugriff ist in dieser L2TP Variante ebenso wie bei der reinen IPsec IKE2 Variante mit Server Zertifikat NICHT erforderlich !
Entgegen der zertifikatsbasierten IPsec IKEv2 Lösung, nutzt diese Variante zur Authentisierung das L2TP Protokoll. Die VPN Einrichtung durch das Fehlen der Server Zertifikats Prüfung gerät hier etwas leichter.
Sie hat aber den Nachteil das es keine eindeutige und sichere VPN Server Identifizierung durch den Client mit einem Zertifikat gibt, was eine Einschränkung in der Sicherheit bedeutet.
Anwender müssen hier also entscheiden ob das eine oder andere Verfahren für sie günstiger und vor allem sicherer ist. Beide bieten in Summe eine problemlose und kryptografisch sichere Client Anbindung per VPN mit allen bordeigenen VPN Clients an die Firewall.
Los gehts....

pfSense Grundkonfiguration für L2TP

Zuerst aktiviert man im Menüpunkt VPN --> L2TP den L2TP Server mit folgenden Einstellungen:

Haken aktiviert den L2TP Server
"Interface" = WAN (WAN IP Adresse der Firewall)
"Server Address" = Hier konfiguriert man eine VPN Server IP Adresse für das interne VPN Netzwerk. ACHTUNG: Dieses Netzwerk darf NICHT im Bereich der bestehenden Netzwerk IP Adressen der pfSense liegen ! Zudem sollte es niemals im Bereich verwendeter Standard IP Adressen wie z.B. FritzBox (192.168.178.0) liegen da das zu einer Überschneidung und zur Fehlfunktion führt. Ideal sind hier etwas exotische IP Netze. Dieser Thread gibt Tips_zum_richtigen_VPN_Adressdesign ! Es ist sehr wichtig hier keine 192.168er Allerweltsnetze zu definieren was oft zu Fehlfunktionen und Scheitern der VPNs führt !!
"Remote Adresse Range" = Adressbereich der VPN Clients. Dieses Netzwerk definiert den Client IP Bereich. Es darf sich NICHT mit der darüber liegenden Server IP überschneiden ! Das Beispiel hier nutzt das Subnetz 10.77.77.192 mit einer 26 Bit Maske (255.255.255.192) was damit insgesamt 62 VPN Clients erlaubt. Eine Maske von z.B. 25 Bit (255.255.255.128, Netzwerk: 10.77.77.128) erlaubt insgesamt 126 User usw.
"Number of Users" = Hier gibt man die maximale Anzahl der zu erwartenden VPN User an. Aufpassen: Die Anzahl muss zum obigen Bereich (Netzmaske) der VPN Adressen passen und immer kleiner sein als die maximale, durch die Netzmaske bedingte Anzahl !
"Authentication Type" = MS CHAPv2
"L2TP DNS Server" = (Optional) Hier definiert man z.B. interne DNS Server (Windows) die man dem Client bei VPN Einwahl automatisch übergeben will. Lässt man es weg wird normal wie auch im LAN die pfSense als DNS IP vergeben.
"Radius" = (Optional) Wer einen Radius Server zur externen User Authentisierung verwendet aktiviert ihn hier. In dem Fall entfällt der Eintrag der lokalen Userdaten.

L2TP Benutzernamen einrichten

Im VPN -> L2TP User Menü konfiguriert man nun die Benutzernamen und Passwort zur VPN Einwahl.
WICHTIG: Unter IP Address kann man optional jedem Benutzer eine spezifische IP zuweisen lassen. Das ist wichtig wenn man später bestimmte Benutzer mit Zugriffen auf einzelne Netze oder Rechner oder auch Anwendungsdienste über die Firewall Regeln steuern will !

L2TP Tunnelprotokoll konfigurieren

Der L2TP Tunnel nutzt IPsec ESP mit IKEv1 als Verschlüsselung was entsprechend im Menüpunkt VPN -> IPsec, Mobile Clients eingerichtet werden muss.

"User Authentication" = Local Database

Der Rest bleibt LEER ! Optional kann bei Bedarf unter "Login Banner" eine Begrüßungs Message bei VPN Einwahl mitgesendet werden.

ACHTUNG:
Die folgende IPsec Phase 1 muss aus diesem Mobile Client Menü heraus eingerichtet werden !! Von dort also unbedingt rechts auf "Create Phase 1" klicken !

Einrichtung IPsec Phase 1

"Key Exchange Version" = IKEv1
"Authentication method" = Mutual PSK
"Negotiation Mode" = Main
"My Identifier" = My IP address
"Encryption algorithm" = AES 256
"Hash algorithm" = SHA1
"DH key group" = 14 (2048 bit) (Achtung: Bei Fehlfunktion im VPN Aufbau mit älteren Smartphones, Chromebooks und einigen Android Modellen hier statt 14 dann DH key group = 2 (1024 bit) verwenden !)

Einrichtung IPsec Phase 2

"Mode" = Transport
"Protocol" = ESP
"Encryption algorithms" = nur AES 128
"Hash algorithms" = nur SHA1
"PFS Key Group" = off (muss auf AUS sein !)

Setzen des globalen Pre Shared Key (vorinstallierter Schlüssel)

Im Menü VPN -> IPsec, Pre-Shared Keys

"Identifier" = MUSS hier immer allusers sein ! Der String allusers ist eine Wildcard für den vorinstallierten L2TP Schlüssel. Er darf nicht verändert werden !

Hat man alles richtig konfiguriert sieht die Übersicht des IPsec Tunnel Protokolls so aus:

Firewall Regeln richtig einstellen

Es sind 3 Regelwerke einzustellen damit der VPN Zugriff klappt !
Einmal den Zugriff von L2TP auf die WAN IP Adresse der Firewall:
FW Regel WAN Port:
Hier definiert man die L2TP Ports idealerweise, der Übersicht halber, vorher in einem Firewall Port Alias Eintrag mit UDP 500, 4500 und 1701. Zusätzlich ist das ESP Protokoll freizugeben.

(Anmerkung: UDP 1701 ist mit der IPsec Verschlüsselung nicht zwingend nötig und muss nur sein wenn man auch natives L2TP nutzt. Er kann also auch komplett entfallen. Es schadet aber auch nicht ihn zu belassen, da so auch natives L2TP in der FW Regel mitberücksichtigt wird.)

FW Regel L2TP Tunnel Port:
Hier nutzt man meist die bekannte "Scheunentor" Regel. Bei Bedarf kann (und sollte) sie später aber strikter eingestellt werden.

FW Regel IPsec Tunnel Port:

L2TP Client Setup für alle Plattformen

Windows Client Setup

(Achtung !: Unbedingt Patch KB5010793 einspielen ! Siehe dazu auch HIER !)

Den Windows Client legt man mit dem bordeigenen Windows Setup an:

WICHTIG: Im Windows L2TP Client müssen zusätzlich noch ein paar spezifische Einstellungen vorgenommen werden !:

Apple Mac OS Client Setup

Analog funktioniert die Einrichtung des Apple MacOS L2TP Clients:

Authentifizierungseinstellungen:

Apple iPhone/iPad Setup

Der Apple iOS Client hat als einziger L2TP Client die Option "Split Tunneling" zu machen oder alles in den Tunnel zu senden:

Android Client Setup

Achtung:
Einige ältere und einfache Android Smartphones (und vereinzelt alte Apple iPhones) supporten keine DH Key Gruppe 14 (2048 Bit) und dann scheitert der L2TP Verbindungsversuch.
In diesem Falle muss man für den Support älterer Geräte oben in den IPsec Settings auf DH key group = 2 (1024 bit) umstellen !

Linux Client Setup (CLI)

Eine detailierte Anleitung zur Anbindung eines Linux Clients (Server etc.) an ein L2TP VPN findet man HIER.
Die GUI Variante über die grafische Oberfläche hier.

Weiterführende Links

Bitte markiere auch die Kommentare, die zur Lösung des Beitrags beigetragen haben

Content-Key: 585307

Url: https://administrator.de/contentid/585307

Ausgedruckt am: 17.05.2022 um 20:05 Uhr

10 Kommentare

Neuester Kommentar

Hat jemand eine Anpassung parat, damit das unter Big Sur funktioniert?

Funktioniert auch unter Big Sur fehlerlos.
Eben grad auf einer pfSense (Ver. 2.5.2) und als Crosscheck auch auf einem Mikrotik (Ver. 6.48.4) und auch Cisco Meraki MX64 problemlos getestet.

Ich bekomme das hier nicht zum laufen.

Mac:
Thu Sep  9 11:52:22 2021 : publish_entry SCDSet() failed: Success!
Thu Sep  9 11:52:22 2021 : publish_entry SCDSet() failed: Success!
Thu Sep  9 11:52:22 2021 : l2tp_get_router_address
Thu Sep  9 11:52:22 2021 : l2tp_get_router_address 172.20.10.1 from dict 1
Thu Sep  9 11:52:22 2021 : L2TP connecting to server 'vpn.xxxx.de' (xxx.yz.148.51)...
Thu Sep  9 11:52:22 2021 : IPSec connection started
Thu Sep  9 11:52:22 2021 : IPSec phase 1 client started
Thu Sep  9 11:52:22 2021 : IPSec phase 1 server replied
Thu Sep  9 11:52:23 2021 : IPSec phase 2 started
Thu Sep  9 11:52:24 2021 : IPSec phase 2 established
Thu Sep  9 11:52:24 2021 : IPSec connection established
Thu Sep  9 11:52:24 2021 : L2TP sent SCCRQ
Thu Sep  9 11:52:44 2021 : L2TP cannot connect to the server



PFsense:
Sep 9 11:52:22 	charon 	13353 	06[NET] <6> received packet: from xyz.abc.116.238[500] to def.ijk.148.51[500] (788 bytes)
Sep 9 11:52:22 	charon 	13353 	06[ENC] <6> parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Sep 9 11:52:22 	charon 	13353 	06[CFG] <6> looking for an IKEv1 config for def.ijk.148.51...xyz.abc.116.238
Sep 9 11:52:22 	charon 	13353 	06[CFG] <6> candidate: 0.0.0.0/0, ::/0...0.0.0.0/0, ::/0, prio 28
Sep 9 11:52:22 	charon 	13353 	06[CFG] <6> found matching ike config: 0.0.0.0/0, ::/0...0.0.0.0/0, ::/0 with prio 28
Sep 9 11:52:22 	charon 	13353 	06[IKE] <6> received NAT-T (RFC 3947) vendor ID
Sep 9 11:52:22 	charon 	13353 	06[IKE] <6> received draft-ietf-ipsec-nat-t-ike vendor ID
Sep 9 11:52:22 	charon 	13353 	06[IKE] <6> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Sep 9 11:52:22 	charon 	13353 	06[IKE] <6> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Sep 9 11:52:22 	charon 	13353 	06[IKE] <6> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Sep 9 11:52:22 	charon 	13353 	06[IKE] <6> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Sep 9 11:52:22 	charon 	13353 	06[IKE] <6> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Sep 9 11:52:22 	charon 	13353 	06[IKE] <6> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Sep 9 11:52:22 	charon 	13353 	06[IKE] <6> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Sep 9 11:52:22 	charon 	13353 	06[IKE] <6> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Sep 9 11:52:22 	charon 	13353 	06[IKE] <6> received FRAGMENTATION vendor ID
Sep 9 11:52:22 	charon 	13353 	06[IKE] <6> received DPD vendor ID
Sep 9 11:52:22 	charon 	13353 	06[IKE] <6> xyz.abc.116.238 is initiating a Main Mode IKE_SA
Sep 9 11:52:22 	charon 	13353 	06[IKE] <6> IKE_SA (unnamed)[6] state change: CREATED => CONNECTING
Sep 9 11:52:22 	charon 	13353 	06[CFG] <6> selecting proposal:
Sep 9 11:52:22 	charon 	13353 	06[CFG] <6> no acceptable INTEGRITY_ALGORITHM found
Sep 9 11:52:22 	charon 	13353 	06[CFG] <6> selecting proposal:
Sep 9 11:52:22 	charon 	13353 	06[CFG] <6> no acceptable DIFFIE_HELLMAN_GROUP found
Sep 9 11:52:22 	charon 	13353 	06[CFG] <6> selecting proposal:
Sep 9 11:52:22 	charon 	13353 	06[CFG] <6> no acceptable INTEGRITY_ALGORITHM found
Sep 9 11:52:22 	charon 	13353 	06[CFG] <6> selecting proposal:
Sep 9 11:52:22 	charon 	13353 	06[CFG] <6> no acceptable INTEGRITY_ALGORITHM found
Sep 9 11:52:22 	charon 	13353 	06[CFG] <6> selecting proposal:
Sep 9 11:52:22 	charon 	13353 	06[CFG] <6> no acceptable INTEGRITY_ALGORITHM found
Sep 9 11:52:22 	charon 	13353 	06[CFG] <6> selecting proposal:
Sep 9 11:52:22 	charon 	13353 	06[CFG] <6> no acceptable DIFFIE_HELLMAN_GROUP found
Sep 9 11:52:22 	charon 	13353 	06[CFG] <6> selecting proposal:
Sep 9 11:52:22 	charon 	13353 	06[CFG] <6> no acceptable INTEGRITY_ALGORITHM found
Sep 9 11:52:22 	charon 	13353 	06[CFG] <6> selecting proposal:
Sep 9 11:52:22 	charon 	13353 	06[CFG] <6> no acceptable INTEGRITY_ALGORITHM found
Sep 9 11:52:22 	charon 	13353 	06[CFG] <6> selecting proposal:
Sep 9 11:52:22 	charon 	13353 	06[CFG] <6> proposal matches
Sep 9 11:52:22 	charon 	13353 	06[CFG] <6> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Sep 9 11:52:22 	charon 	13353 	06[CFG] <6> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 9 11:52:22 	charon 	13353 	06[CFG] <6> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 9 11:52:22 	charon 	13353 	06[IKE] <6> sending XAuth vendor ID
Sep 9 11:52:22 	charon 	13353 	06[IKE] <6> sending DPD vendor ID
Sep 9 11:52:22 	charon 	13353 	06[IKE] <6> sending FRAGMENTATION vendor ID
Sep 9 11:52:22 	charon 	13353 	06[IKE] <6> sending NAT-T (RFC 3947) vendor ID
Sep 9 11:52:22 	charon 	13353 	06[ENC] <6> generating ID_PROT response 0 [ SA V V V V ]
Sep 9 11:52:22 	charon 	13353 	06[NET] <6> sending packet: from def.ijk.148.51[500] to xyz.abc.116.238[500] (160 bytes)
Sep 9 11:52:23 	charon 	13353 	06[NET] <6> received packet: from xyz.abc.116.238[500] to def.ijk.148.51[500] (228 bytes)
Sep 9 11:52:23 	charon 	13353 	06[ENC] <6> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Sep 9 11:52:23 	charon 	13353 	06[IKE] <6> remote host is behind NAT
Sep 9 11:52:23 	charon 	13353 	06[CFG] <6> candidate "con-mobile", match: 1/1/28 (me/other/ike)
Sep 9 11:52:23 	charon 	13353 	06[ENC] <6> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Sep 9 11:52:23 	charon 	13353 	06[NET] <6> sending packet: from def.ijk.148.51[500] to xyz.abc.116.238[500] (244 bytes)
Sep 9 11:52:23 	charon 	13353 	06[NET] <6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (108 bytes)
Sep 9 11:52:23 	charon 	13353 	06[ENC] <6> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Sep 9 11:52:23 	charon 	13353 	06[CFG] <6> looking for pre-shared key peer configs matching def.ijk.148.51...xyz.abc.116.238[172.20.10.2]
Sep 9 11:52:23 	charon 	13353 	06[CFG] <6> candidate "con-mobile", match: 1/1/28 (me/other/ike)
Sep 9 11:52:23 	charon 	13353 	06[CFG] <6> selected peer config "con-mobile"
Sep 9 11:52:23 	charon 	13353 	06[IKE] <con-mobile|6> IKE_SA con-mobile[6] established between def.ijk.148.51[def.ijk.148.51]...xyz.abc.116.238[172.20.10.2]
Sep 9 11:52:23 	charon 	13353 	06[IKE] <con-mobile|6> IKE_SA con-mobile[6] state change: CONNECTING => ESTABLISHED
Sep 9 11:52:23 	charon 	13353 	06[IKE] <con-mobile|6> scheduling reauthentication in 23393s
Sep 9 11:52:23 	charon 	13353 	06[IKE] <con-mobile|6> maximum IKE_SA lifetime 26273s
Sep 9 11:52:23 	charon 	13353 	06[ENC] <con-mobile|6> generating ID_PROT response 0 [ ID HASH ]
Sep 9 11:52:23 	charon 	13353 	06[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (76 bytes)
Sep 9 11:52:24 	charon 	13353 	10[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (396 bytes)
Sep 9 11:52:24 	charon 	13353 	10[ENC] <con-mobile|6> parsed QUICK_MODE request 1176519332 [ HASH SA No ID ID NAT-OA NAT-OA ]
Sep 9 11:52:24 	charon 	13353 	10[IKE] <con-mobile|6> changing received traffic selectors 172.20.10.2/32|/0[udp/61568]=== def.ijk.148.51/32|/0[udp/l2f] due to NAT
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> looking for a child config for def.ijk.148.51/32|/0[udp/l2f] === xyz.abc.116.238/32|/0[udp/61568]
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> proposing traffic selectors for us:
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> def.ijk.148.51/32|/0
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> proposing traffic selectors for other:
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> xyz.abc.116.238/32|/0
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> candidate "con-mobile" with prio 1+1
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> found matching child config "con-mobile" with prio 2
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> selecting traffic selectors for other:
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> config: xyz.abc.116.238/32|/0, received: xyz.abc.116.238/32|/0[udp/61568] => match: xyz.abc.116.238/32|/0[udp/61568]
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> selecting traffic selectors for us:
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> config: def.ijk.148.51/32|/0, received: def.ijk.148.51/32|/0[udp/l2f] => match: def.ijk.148.51/32|/0[udp/l2f]
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> selecting proposal:
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> no acceptable ENCRYPTION_ALGORITHM found
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> selecting proposal:
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> no acceptable ENCRYPTION_ALGORITHM found
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> selecting proposal:
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> no acceptable ENCRYPTION_ALGORITHM found
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> selecting proposal:
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> no acceptable INTEGRITY_ALGORITHM found
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> selecting proposal:
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> no acceptable INTEGRITY_ALGORITHM found
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> selecting proposal:
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> proposal matches
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> configured proposals: ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ
Sep 9 11:52:24 	charon 	13353 	10[CFG] <con-mobile|6> selected proposal: ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ
Sep 9 11:52:24 	charon 	13353 	10[ENC] <con-mobile|6> generating QUICK_MODE response 1176519332 [ HASH SA No ID ID NAT-OA NAT-OA ]
Sep 9 11:52:24 	charon 	13353 	10[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (204 bytes)
Sep 9 11:52:24 	charon 	13353 	10[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (60 bytes)
Sep 9 11:52:24 	charon 	13353 	10[ENC] <con-mobile|6> parsed QUICK_MODE request 1176519332 [ HASH ]
Sep 9 11:52:24 	charon 	13353 	10[CHD] <con-mobile|6> CHILD_SA con-mobile{5} state change: CREATED => INSTALLING
Sep 9 11:52:24 	charon 	13353 	10[CHD] <con-mobile|6> using AES_CBC for encryption
Sep 9 11:52:24 	charon 	13353 	10[CHD] <con-mobile|6> using HMAC_MD5_96 for integrity
Sep 9 11:52:24 	charon 	13353 	10[CHD] <con-mobile|6> adding inbound ESP SA
Sep 9 11:52:24 	charon 	13353 	10[CHD] <con-mobile|6> SPI 0xced0dc9e, src xyz.abc.116.238 dst def.ijk.148.51
Sep 9 11:52:24 	charon 	13353 	10[CHD] <con-mobile|6> adding outbound ESP SA
Sep 9 11:52:24 	charon 	13353 	10[CHD] <con-mobile|6> SPI 0x03595e06, src def.ijk.148.51 dst xyz.abc.116.238
Sep 9 11:52:24 	charon 	13353 	10[IKE] <con-mobile|6> CHILD_SA con-mobile{5} established with SPIs ced0dc9e_i 03595e06_o and TS def.ijk.148.51/32|/0[udp/l2f] === xyz.abc.116.238/32|/0[udp/61568]
Sep 9 11:52:24 	charon 	13353 	10[CHD] <con-mobile|6> CHILD_SA con-mobile{5} state change: INSTALLING => INSTALLED
Sep 9 11:52:25 	charon 	13353 	06[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:25 	charon 	13353 	06[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:25 	charon 	13353 	06[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:25 	charon 	13353 	06[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:25 	charon 	13353 	06[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 3401304144 [ HASH N(DPD) ]
Sep 9 11:52:25 	charon 	13353 	06[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:25 	charon 	13353 	06[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:25 	charon 	13353 	06[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:25 	charon 	13353 	06[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:25 	charon 	13353 	06[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 2200524928 [ HASH N(DPD_ACK) ]
Sep 9 11:52:25 	charon 	13353 	06[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:25 	charon 	13353 	06[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:26 	charon 	13353 	10[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:26 	charon 	13353 	10[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:26 	charon 	13353 	10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:26 	charon 	13353 	10[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:26 	charon 	13353 	10[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 3125698663 [ HASH N(DPD) ]
Sep 9 11:52:26 	charon 	13353 	10[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:26 	charon 	13353 	10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:26 	charon 	13353 	10[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:26 	charon 	13353 	10[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:26 	charon 	13353 	10[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 1412957240 [ HASH N(DPD_ACK) ]
Sep 9 11:52:26 	charon 	13353 	10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:26 	charon 	13353 	10[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:27 	charon 	13353 	10[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:27 	charon 	13353 	10[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:27 	charon 	13353 	10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:27 	charon 	13353 	10[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:27 	charon 	13353 	10[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 3169018633 [ HASH N(DPD) ]
Sep 9 11:52:27 	charon 	13353 	10[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:27 	charon 	13353 	10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:27 	charon 	13353 	10[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:27 	charon 	13353 	10[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:27 	charon 	13353 	10[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 161370408 [ HASH N(DPD_ACK) ]
Sep 9 11:52:27 	charon 	13353 	10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:27 	charon 	13353 	10[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:28 	charon 	13353 	10[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:28 	charon 	13353 	10[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:28 	charon 	13353 	10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:28 	charon 	13353 	10[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:28 	charon 	13353 	10[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 2846347057 [ HASH N(DPD) ]
Sep 9 11:52:28 	charon 	13353 	10[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:28 	charon 	13353 	10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:28 	charon 	13353 	10[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:28 	charon 	13353 	10[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:28 	charon 	13353 	10[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 3166884827 [ HASH N(DPD_ACK) ]
Sep 9 11:52:28 	charon 	13353 	10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:28 	charon 	13353 	10[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:29 	charon 	13353 	10[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:29 	charon 	13353 	10[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:29 	charon 	13353 	10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:29 	charon 	13353 	10[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:29 	charon 	13353 	10[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 1399713983 [ HASH N(DPD) ]
Sep 9 11:52:29 	charon 	13353 	10[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:29 	charon 	13353 	10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:29 	charon 	13353 	10[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:29 	charon 	13353 	10[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:29 	charon 	13353 	10[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 1972336736 [ HASH N(DPD_ACK) ]
Sep 9 11:52:29 	charon 	13353 	10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:29 	charon 	13353 	10[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:30 	charon 	13353 	10[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:30 	charon 	13353 	10[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:30 	charon 	13353 	10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:30 	charon 	13353 	10[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:30 	charon 	13353 	10[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 652951414 [ HASH N(DPD) ]
Sep 9 11:52:30 	charon 	13353 	10[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:30 	charon 	13353 	10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:30 	charon 	13353 	10[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:30 	charon 	13353 	10[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:30 	charon 	13353 	10[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 404915874 [ HASH N(DPD_ACK) ]
Sep 9 11:52:30 	charon 	13353 	10[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:30 	charon 	13353 	10[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:31 	charon 	13353 	09[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:31 	charon 	13353 	09[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:31 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:31 	charon 	13353 	09[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:31 	charon 	13353 	09[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 920528892 [ HASH N(DPD) ]
Sep 9 11:52:31 	charon 	13353 	09[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:31 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:31 	charon 	13353 	09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:31 	charon 	13353 	09[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:31 	charon 	13353 	09[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 3285350641 [ HASH N(DPD_ACK) ]
Sep 9 11:52:31 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:31 	charon 	13353 	09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:32 	charon 	13353 	09[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:32 	charon 	13353 	09[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:32 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:32 	charon 	13353 	09[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:32 	charon 	13353 	09[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 2256793496 [ HASH N(DPD) ]
Sep 9 11:52:32 	charon 	13353 	09[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:32 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:32 	charon 	13353 	09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:32 	charon 	13353 	09[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:32 	charon 	13353 	09[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 1455714175 [ HASH N(DPD_ACK) ]
Sep 9 11:52:32 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:32 	charon 	13353 	09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:33 	charon 	13353 	09[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:33 	charon 	13353 	09[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:33 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:33 	charon 	13353 	09[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:33 	charon 	13353 	09[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 331134726 [ HASH N(DPD) ]
Sep 9 11:52:33 	charon 	13353 	09[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:33 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:33 	charon 	13353 	09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:33 	charon 	13353 	09[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:33 	charon 	13353 	09[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 2640606474 [ HASH N(DPD_ACK) ]
Sep 9 11:52:33 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:33 	charon 	13353 	09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:34 	charon 	13353 	09[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:34 	charon 	13353 	09[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:34 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:34 	charon 	13353 	09[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:34 	charon 	13353 	09[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 1247638940 [ HASH N(DPD) ]
Sep 9 11:52:34 	charon 	13353 	09[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:34 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:34 	charon 	13353 	09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:34 	charon 	13353 	09[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:34 	charon 	13353 	09[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 2530195038 [ HASH N(DPD_ACK) ]
Sep 9 11:52:34 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:34 	charon 	13353 	09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:35 	charon 	13353 	09[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:35 	charon 	13353 	09[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:35 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:35 	charon 	13353 	09[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:35 	charon 	13353 	09[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 2079041617 [ HASH N(DPD) ]
Sep 9 11:52:35 	charon 	13353 	09[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:35 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:35 	charon 	13353 	09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:35 	charon 	13353 	09[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:35 	charon 	13353 	09[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 2914855772 [ HASH N(DPD_ACK) ]
Sep 9 11:52:35 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:35 	charon 	13353 	09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:36 	charon 	13353 	09[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:36 	charon 	13353 	09[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:36 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:36 	charon 	13353 	09[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:36 	charon 	13353 	09[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 860455598 [ HASH N(DPD) ]
Sep 9 11:52:36 	charon 	13353 	09[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:36 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:36 	charon 	13353 	09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:36 	charon 	13353 	09[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:36 	charon 	13353 	09[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 841506726 [ HASH N(DPD_ACK) ]
Sep 9 11:52:36 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:36 	charon 	13353 	09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:37 	charon 	13353 	09[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:37 	charon 	13353 	09[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:37 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:37 	charon 	13353 	09[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:37 	charon 	13353 	09[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 2252303055 [ HASH N(DPD) ]
Sep 9 11:52:37 	charon 	13353 	09[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:37 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:37 	charon 	13353 	09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:37 	charon 	13353 	09[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:37 	charon 	13353 	09[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 2173860112 [ HASH N(DPD_ACK) ]
Sep 9 11:52:37 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:37 	charon 	13353 	09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:38 	charon 	13353 	09[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:38 	charon 	13353 	09[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:38 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:38 	charon 	13353 	09[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:38 	charon 	13353 	09[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 2162668809 [ HASH N(DPD) ]
Sep 9 11:52:38 	charon 	13353 	09[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:38 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:38 	charon 	13353 	09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:38 	charon 	13353 	09[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:38 	charon 	13353 	09[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 2263478134 [ HASH N(DPD_ACK) ]
Sep 9 11:52:38 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:38 	charon 	13353 	09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:39 	charon 	13353 	09[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:39 	charon 	13353 	09[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:39 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:39 	charon 	13353 	09[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:39 	charon 	13353 	09[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 2611093714 [ HASH N(DPD) ]
Sep 9 11:52:39 	charon 	13353 	09[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:39 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:39 	charon 	13353 	09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:39 	charon 	13353 	09[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:39 	charon 	13353 	09[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 2556323718 [ HASH N(DPD_ACK) ]
Sep 9 11:52:39 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:39 	charon 	13353 	09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:40 	charon 	13353 	09[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:40 	charon 	13353 	09[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:40 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:40 	charon 	13353 	09[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:40 	charon 	13353 	09[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 4040646048 [ HASH N(DPD) ]
Sep 9 11:52:40 	charon 	13353 	09[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:40 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:40 	charon 	13353 	09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:40 	charon 	13353 	09[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:40 	charon 	13353 	09[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 1484630634 [ HASH N(DPD_ACK) ]
Sep 9 11:52:40 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:40 	charon 	13353 	09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:41 	charon 	13353 	09[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:41 	charon 	13353 	09[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:41 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:41 	charon 	13353 	09[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:41 	charon 	13353 	09[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 830103228 [ HASH N(DPD) ]
Sep 9 11:52:41 	charon 	13353 	09[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:41 	charon 	13353 	09[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:41 	charon 	13353 	09[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:41 	charon 	13353 	12[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:41 	charon 	13353 	12[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 3661340784 [ HASH N(DPD_ACK) ]
Sep 9 11:52:41 	charon 	13353 	12[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:41 	charon 	13353 	12[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:42 	charon 	13353 	12[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:42 	charon 	13353 	12[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:42 	charon 	13353 	12[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:42 	charon 	13353 	12[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:42 	charon 	13353 	12[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 2881913898 [ HASH N(DPD) ]
Sep 9 11:52:42 	charon 	13353 	12[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:42 	charon 	13353 	12[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:42 	charon 	13353 	12[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:42 	charon 	13353 	12[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:42 	charon 	13353 	12[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 1867954662 [ HASH N(DPD_ACK) ]
Sep 9 11:52:42 	charon 	13353 	12[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:42 	charon 	13353 	12[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:43 	charon 	13353 	12[IKE] <con-mobile|6> sending DPD request
Sep 9 11:52:43 	charon 	13353 	12[IKE] <con-mobile|6> queueing ISAKMP_DPD task
Sep 9 11:52:43 	charon 	13353 	12[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:43 	charon 	13353 	12[IKE] <con-mobile|6> activating ISAKMP_DPD task
Sep 9 11:52:43 	charon 	13353 	12[ENC] <con-mobile|6> generating INFORMATIONAL_V1 request 1763851670 [ HASH N(DPD) ]
Sep 9 11:52:43 	charon 	13353 	12[NET] <con-mobile|6> sending packet: from def.ijk.148.51[4500] to xyz.abc.116.238[15557] (92 bytes)
Sep 9 11:52:43 	charon 	13353 	12[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:43 	charon 	13353 	12[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:43 	charon 	13353 	12[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:43 	charon 	13353 	12[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 291869909 [ HASH N(DPD_ACK) ]
Sep 9 11:52:43 	charon 	13353 	12[IKE] <con-mobile|6> activating new tasks
Sep 9 11:52:43 	charon 	13353 	12[IKE] <con-mobile|6> nothing to initiate
Sep 9 11:52:44 	charon 	13353 	12[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (76 bytes)
Sep 9 11:52:44 	charon 	13353 	12[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 742545670 [ HASH D ]
Sep 9 11:52:44 	charon 	13353 	12[IKE] <con-mobile|6> received DELETE for ESP CHILD_SA with SPI 03595e06
Sep 9 11:52:44 	charon 	13353 	12[CHD] <con-mobile|6> CHILD_SA con-mobile{5} state change: INSTALLED => DELETING
Sep 9 11:52:44 	charon 	13353 	12[IKE] <con-mobile|6> closing CHILD_SA con-mobile{5} with SPIs ced0dc9e_i (660 bytes) 03595e06_o (0 bytes) and TS def.ijk.148.51/32|/0[udp/l2f] === xyz.abc.116.238/32|/0[udp/61568]
Sep 9 11:52:44 	charon 	13353 	12[CHD] <con-mobile|6> CHILD_SA con-mobile{5} state change: DELETING => DELETED
Sep 9 11:52:44 	charon 	13353 	12[CHD] <con-mobile|6> CHILD_SA con-mobile{5} state change: DELETED => DESTROYING
Sep 9 11:52:44 	charon 	13353 	11[NET] <con-mobile|6> received packet: from xyz.abc.116.238[15557] to def.ijk.148.51[4500] (92 bytes)
Sep 9 11:52:44 	charon 	13353 	11[ENC] <con-mobile|6> parsed INFORMATIONAL_V1 request 2500915748 [ HASH D ]
Sep 9 11:52:44 	charon 	13353 	11[IKE] <con-mobile|6> received DELETE for IKE_SA con-mobile[6]
Sep 9 11:52:44 	charon 	13353 	11[IKE] <con-mobile|6> deleting IKE_SA con-mobile[6] between def.ijk.148.51[def.ijk.148.51]...xyz.abc.116.238[172.20.10.2]
Sep 9 11:52:44 	charon 	13353 	11[IKE] <con-mobile|6> IKE_SA con-mobile[6] state change: ESTABLISHED => DELETING
Sep 9 11:52:44 	charon 	13353 	11[IKE] <con-mobile|6> IKE_SA con-mobile[6] state change: DELETING => DELETING
Sep 9 11:52:44 	charon 	13353 	11[IKE] <con-mobile|6> IKE_SA con-mobile[6] state change: DELETING => DESTROYING 

Weiss jemand, was da falsch läuft?

An https://support.apple.com/de-at/HT211840 liegt es nicht?

Das hast du beachtet ?
https://administrator.de/forum/l2tp-ipsec-vpn-pfsense-2-3-317353.html

Tip: Am besten einen separaten Thread aufmachen mit den Setup Screenshots um das Tutorial hier nicht "aufzublähen". da können wir dann ins Eingemachte gehen. Du hast irgendwo noch einen Konfig Kinken im Firewall Setup.
Wichtig sind die Crypto Settings. SHA1 (L2TP kann nur das) und ggf. mal mit anderer DH Group testen.
Der Mac kommt nochmalerweise auch mit DH14 klar.

So, Schnellcheck und ums vorweg zu nehmen: Works as designed ! 😉

pfSense Setup:

Connection Status pfSense bei aktivem Mac L2TP Client

Mac L2TP Client Status

Wie gesagt...alles fehlerlos.
(Winblows 10 (21H1) L2TP Client übrigens auch !)
Fazit: Irgendwo hast du einen Setup Fehler in deiner L2TP Konfig !

Hier der komplette L2TP Log Auszug der Connection:

Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IFACE: Add group l2tp to ng0
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IFACE: Rename interface ng0 to l2tps1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IFACE: Up event
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IFACE: No interface to proxy arp on for 10.77.77.192
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] 10.77.77.1 -> 10.77.77.192
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: LayerUp
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: state change Ack-Rcvd --> Opened
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] PRIDNS 192.168.1.1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPADDR 10.77.77.192
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: SendConfigAck #3
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] PRIDNS 192.168.1.1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] 10.77.77.192 is OK
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPADDR 10.77.77.192
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: rec'd Configure Request #3 (Ack-Rcvd)
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: state change Req-Sent --> Ack-Rcvd
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPADDR 10.77.77.1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: rec'd Configure Ack #2 (Req-Sent)
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] PRIDNS 192.168.1.1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPADDR 10.77.77.192
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: SendConfigNak #2
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] NAKing with 192.168.1.1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] PRIDNS 0.0.0.0
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] NAKing with 10.77.77.192
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPADDR 0.0.0.0
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: rec'd Configure Request #2 (Req-Sent)
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: LayerFinish
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: state change Req-Sent --> Stopped
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: protocol was rejected by peer
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: protocol CCP was rejected
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: rec'd Protocol Reject #2 (Opened)
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPADDR 10.77.77.1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: SendConfigReq #2
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: rec'd Configure Reject #1 (Req-Sent)
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] rec'd unexpected protocol Apple Client Server Protocol Control, rejecting
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] rec'd unexpected protocol IPV6CP, rejecting
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] SECDNS 0.0.0.0
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: SendConfigRej #1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] SECDNS 0.0.0.0
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] NAKing with 192.168.1.1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] PRIDNS 0.0.0.0
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] NAKing with 10.77.77.192
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPADDR 0.0.0.0
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: rec'd Configure Request #1 (Req-Sent)
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: SendConfigReq #1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: state change Starting --> Req-Sent
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: Protocol mppc disabled as useless for this setup
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: Up event
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPADDR 10.77.77.1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: SendConfigReq #1
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: state change Starting --> Req-Sent
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: Got IP 10.77.77.192 from pool "p0" for peer
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: Up event
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: LayerStart
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: state change Initial --> Starting
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] CCP: Open event
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: LayerStart
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: state change Initial --> Starting
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] IPCP: Open event
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] Bundle: Status update: up 1 link, total bandwidth 64000 bps
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] Link: Join bundle "l2tp_b-1"
Sep 9 14:42:04 l2tps 44792 [l2tp_b-1] Bundle: Interface ng0 created
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] Creating new bundle using template "l2tp_b".
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] Link: Matched action 'bundle "l2tp_b" ""'
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: authorization successful
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] CHAP: sending SUCCESS #1 len: 46
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] CHAP: Reply message: S=363EBA31DE02EF8CA838CFC4B4A7A0534566B3B4
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] CHAP: Response is valid
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] CHAP: Auth return status: undefined
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] AUTH: INTERNAL returned: undefined
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] AUTH: Trying INTERNAL
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] Name: "user1"
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] CHAP: rec'd RESPONSE #1 len: 59
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: LayerUp
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] CHAP: sending CHALLENGE #1 len: 21
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: auth: peer wants nothing, I want CHAP
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: state change Ack-Sent --> Opened
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] AUTHPROTO CHAP MSOFTv2
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MAGICNUM 0x75e8c0d0
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MRU 1500
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] PROTOCOMP
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] ACFCOMP
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: rec'd Configure Ack #3 (Ack-Sent)
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] AUTHPROTO CHAP MSOFTv2
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MAGICNUM 0x75e8c0d0
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MRU 1500
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] PROTOCOMP
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] ACFCOMP
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: SendConfigReq #3
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MP SHORTSEQ
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MP MRRU 2048
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: rec'd Configure Reject #2 (Ack-Sent)
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] ENDPOINTDISC [802.1] 00 0d b9 3a 26 61
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MP SHORTSEQ
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MP MRRU 2048
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] AUTHPROTO CHAP MSOFTv2
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MAGICNUM 0x75e8c0d0
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] MRU 1500
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] PROTOCOMP
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] ACFCOMP
Sep 9 14:42:04 l2tps 44792 [l2tp_l-1] LCP: SendConfigReq #2
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: state change Req-Sent --> Ack-Sent
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] ACFCOMP
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] PROTOCOMP
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] MAGICNUM 0x3259fde5
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] ACCMAP 0x00000000
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: SendConfigAck #1
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] ACFCOMP
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] PROTOCOMP
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] MAGICNUM 0x3259fde5
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] ACCMAP 0x00000000
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: rec'd Configure Request #1 (Req-Sent)
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] ENDPOINTDISC [802.1] 00 0d b9 3a 26 61
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] MP SHORTSEQ
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] MP MRRU 2048
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] AUTHPROTO CHAP MSOFTv2
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] MAGICNUM 0x75e8c0d0
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] MRU 1500
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] PROTOCOMP
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] ACFCOMP
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: SendConfigReq #1
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: state change Starting --> Req-Sent
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: Up event
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] Link: UP event
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] L2TP: Call #1 connected
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: LayerStart
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: state change Initial --> Starting
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] LCP: Open event
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] Link: OPEN event
Sep 9 14:42:02 l2tps 44792 [l2tp_l-1] L2TP: Incoming call #1 via control connection 0x800cc3310 accepted
Sep 9 14:42:02 l2tps 44792 L2TP: Incoming call #1 via connection 0x800cc3310 received
Sep 9 14:42:02 l2tps 44792 L2TP: Control connection 0x800cc3310 10.99.1.99 1701 <-> 10.99.1.140 56990 connected
Sep 9 14:42:02 l2tps 44792 Incoming L2TP packet from 10.99.1.140 56990

Der Screenshot VPN/IPsec/Pre-Shared-Keys ist falsch. Bei PSK wird nur der PSK angezeigt. Der Rest (identifyer type etc) wird nur in der Maske EAP angezeigt. Der Rest im anderen Fred. ;)

Der Screenshot VPN/IPsec/Pre-Shared-Keys ist falsch.

Bahnhof ?? WO bitte ist der falsch ?? Das ist ein Screenshot der aktiv laufenden Konfig ?! Aber egal...

Fehler gefunden: Es fehlte in der Firewall eine IPSec-Regel im IPSec-Reiter.

Bei VPN/IPsec/Pre-Shared-Keys zeigst du im Screenshot die Parameter für EAP an. Bei PSK (so wie in deinem Screenshot dargestellt) zeigt er bei mir nur Identier, Secret Type und Pre-Shared-Key an.

Wenn die den Secret-Type auf EAP umstelle, dann wird in der 2.5, so wie in deinem Screenshot zusätzlich die Parameter Identifier type, Virtual Address Pool und DNS Server angezeigt.