[strongSwan] L2TP/IPSec NAT-T FreeBSD related issue

Victor Volpe victor_volpe at bol.com.br
Tue Sep 5 20:54:43 CEST 2017


Hi,

I've spent a week trying to figure out why FreeBSD L2TP over IPsec cannot work with Windows/Android boxes that are behind NAT. I read in this mailing list that the L2TP/IPsec NAT-T protocol is "broken by design", but this problem only occurs on a FreeBSD server; there are no issues with Cisco, MikroTik or OpenBSD! How can this be explained? I had to try it myself, so I ran L2TP/IPsec on my office MikroTik router, and the Windows/Android boxes at my home, which are behind NAT, connected successfully. What the heck is that? There is no conclusive answer for that on the web...

# uname -a
FreeBSD web.***.com.br 10.3-RELEASE-p21 FreeBSD 10.3-RELEASE-p21 #2: Sat Sep  2 23:53:31 BRT 2017     victor at web.***.com.br:/usr/obj/usr/src/sys/CUSTOM  amd64

/usr/src/sys/amd64/conf/CUSTOM
options IPSEC
options IPSEC_NAT_T
device crypto
device enc

/usr/local/etc/ipsec.conf
conn L2TP/IPsec-PSK
   keyexchange = ikev1
   type = transport
   leftauth = psk
   rightauth = psk
   left = %defaultroute
   right = %any
   auto = add

/usr/local/etc/ipsec.secrets
: PSK "My_Secret_Phrase"

/usr/local/etc/mpd5/mpd.conf
startup:
        set user admin MYPASSWORD admin
        set console self 127.0.0.1 5005
        set console open
        set web self 192.168.0.1 5006
        set web open
default:
        load l2tp_server
l2tp_server:
        set ippool add pool_l2tp 192.168.0.100 192.168.0.110
        create bundle template B_l2tp
        set iface enable proxy-arp
        set iface enable tcpmssfix
        set ipcp yes vjcomp
        set ipcp ranges 192.168.0.1/32 ippool pool_l2tp
        set ipcp dns 192.168.0.1
        create link template L_l2tp l2tp
        set link action bundle B_l2tp
        set link mtu 1230
        set link keep-alive 0 0
        set link yes acfcomp protocomp
        set link no pap chap eap
        set link enable chap-msv2
        set l2tp self 0.0.0.0
        set l2tp disable dataseq
        set link enable incoming

Tcpdump
# tcpdump -i enc0
tcpdump: WARNING: enc0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 65535 bytes
12:15:07.704792 (authentic,confidential): SPI 0xce261b24: IP 191-193-29-***.user.vivozap.com.br.l2f > web.***.com.br.l2f:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() FIRM_VER(2560) *HOST_NAME(VICTOR-PC) VENDOR_NAME(Microsoft) *ASSND_TUN_ID(1) *RECV_WIN_SIZE(8)
12:15:08.705074 (authentic,confidential): SPI 0xce261b24: IP 191-193-29-***.user.vivozap.com.br.l2f > web.***.com.br.l2f:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() FIRM_VER(2560) *HOST_NAME(VICTOR-PC) VENDOR_NAME(Microsoft) *ASSND_TUN_ID(1) *RECV_WIN_SIZE(8)
12:15:10.705948 (authentic,confidential): SPI 0xce261b24: IP 191-193-29-***.user.vivozap.com.br.l2f > web.***.com.br.l2f:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() FIRM_VER(2560) *HOST_NAME(VICTOR-PC) VENDOR_NAME(Microsoft) *ASSND_TUN_ID(1) *RECV_WIN_SIZE(8)
12:15:14.714536 (authentic,confidential): SPI 0xce261b24: IP 191-193-29-***.user.vivozap.com.br.l2f > web.***.com.br.l2f:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() FIRM_VER(2560) *HOST_NAME(VICTOR-PC) VENDOR_NAME(Microsoft) *ASSND_TUN_ID(1) *RECV_WIN_SIZE(8)

Thanks! 
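The enc0 capture in this post shows the same SCCRQ from the client arriving four times, already authenticated and decrypted, with no SCCRP ever going back. The Python script below is an added example (not from the original post, strongSwan or mpd5) that parses tcpdump's L2TP control-message decode in the layout shown in the capture, groups SCCRQs per client tunnel, measures the retransmit backoff, and reports whether the server answered. The stalled sample is the four lines from the post copied as posted; the healthy exchange used for comparison, including its host names and SPIs, is constructed for illustration and was not captured on the poster's system.

```python
import re
from datetime import datetime

# Constructed sample: the four decrypted L2TP control packets from the
# "tcpdump -i enc0" capture in the post, copied as posted.
STALLED_CAPTURE = """\
12:15:07.704792 (authentic,confidential): SPI 0xce261b24: IP 191-193-29-***.user.vivozap.com.br.l2f > web.***.com.br.l2f:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() FIRM_VER(2560) *HOST_NAME(VICTOR-PC) VENDOR_NAME(Microsoft) *ASSND_TUN_ID(1) *RECV_WIN_SIZE(8)
12:15:08.705074 (authentic,confidential): SPI 0xce261b24: IP 191-193-29-***.user.vivozap.com.br.l2f > web.***.com.br.l2f:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() FIRM_VER(2560) *HOST_NAME(VICTOR-PC) VENDOR_NAME(Microsoft) *ASSND_TUN_ID(1) *RECV_WIN_SIZE(8)
12:15:10.705948 (authentic,confidential): SPI 0xce261b24: IP 191-193-29-***.user.vivozap.com.br.l2f > web.***.com.br.l2f:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() FIRM_VER(2560) *HOST_NAME(VICTOR-PC) VENDOR_NAME(Microsoft) *ASSND_TUN_ID(1) *RECV_WIN_SIZE(8)
12:15:14.714536 (authentic,confidential): SPI 0xce261b24: IP 191-193-29-***.user.vivozap.com.br.l2f > web.***.com.br.l2f:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() FIRM_VER(2560) *HOST_NAME(VICTOR-PC) VENDOR_NAME(Microsoft) *ASSND_TUN_ID(1) *RECV_WIN_SIZE(8)
"""

# Constructed comparison (NOT captured on the poster's system): the same decode
# when the server answers the SCCRQ with an SCCRP. Names and SPIs are made up.
HEALTHY_CAPTURE = """\
12:20:00.000000 (authentic,confidential): SPI 0x01020304: IP client.example.l2f > server.example.l2f:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() *HOST_NAME(client) *ASSND_TUN_ID(1) *RECV_WIN_SIZE(8)
12:20:00.012000 (authentic,confidential): SPI 0x04030201: IP server.example.l2f > client.example.l2f:  l2tp:[TLS](1/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() *HOST_NAME(server) *ASSND_TUN_ID(9) *RECV_WIN_SIZE(8)
"""

# One tcpdump line for ESP traffic seen on enc0 with the L2TP decoder:
# timestamp, IPsec SPI, src > dst, L2TP header (tunnel/session id, Ns/Nr),
# then the decoded AVPs. The layout is assumed from the posted capture.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s.*?SPI (?P<spi>0x[0-9a-fA-F]+): "
    r"IP (?P<src>\S+) > (?P<dst>\S+):\s+l2tp:\[(?P<flags>[^\]]*)\]"
    r"\((?P<tid>\d+)/(?P<sid>\d+)\)Ns=(?P<ns>\d+),Nr=(?P<nr>\d+)(?P<avps>.*)$"
)
AVP_RE = re.compile(r"\*?([A-Z_]+)\(([^)]*)\)")


def parse_line(line):
    """Return a dict for one decoded L2TP control packet, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["ts"] = datetime.strptime(pkt["ts"], "%H:%M:%S.%f")
    pkt["avps"] = dict(AVP_RE.findall(pkt["avps"]))
    return pkt


def analyze(capture_text):
    """Group SCCRQs by (client, server, client-assigned tunnel id); check for an SCCRP reply."""
    pkts = [p for p in map(parse_line, capture_text.splitlines()) if p]
    groups = {}
    for p in pkts:
        if p["avps"].get("MSGTYPE") == "SCCRQ":
            key = (p["src"], p["dst"], p["avps"].get("ASSND_TUN_ID"))
            groups.setdefault(key, []).append(p)

    reports = []
    for (client, server, tid), reqs in groups.items():
        # A matching SCCRP travels server -> client and carries the client's
        # assigned tunnel id in its L2TP header.
        answered = any(
            q["avps"].get("MSGTYPE") == "SCCRP"
            and q["src"] == server and q["dst"] == client and q["tid"] == tid
            for q in pkts
        )
        times = [r["ts"] for r in reqs]
        gaps = [round((b - a).total_seconds(), 1) for a, b in zip(times, times[1:])]
        reports.append({
            "client": client,
            "server": server,
            "tunnel_id": tid,
            "spi": sorted({r["spi"] for r in reqs}),
            "sccrq_count": len(reqs),
            "retransmit_gaps_s": gaps,
            "answered": answered,
        })
    return reports


def describe(report):
    """One-line verdict for a report produced by analyze()."""
    if report["answered"]:
        return f"{report['client']}: SCCRQ answered with SCCRP (tunnel {report['tunnel_id']})"
    return (f"{report['client']}: {report['sccrq_count']} SCCRQ(s) decrypted on enc0 "
            f"(retransmit gaps {report['retransmit_gaps_s']}s), no SCCRP from "
            f"{report['server']}: IPsec delivered the packets, the L2TP side never replied")


if __name__ == "__main__":
    for text in (STALLED_CAPTURE, HEALTHY_CAPTURE):
        for r in analyze(text):
            print(describe(r))
```

Run against the posted capture, it reports one client tunnel with four SCCRQs at 1, 2 and 4 second gaps (the client's doubling retransmit timer) and no SCCRP, which pins the stall to the L2TP side rather than to IKE or ESP: the packets were already authenticated and decrypted when tcpdump saw them on enc0.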

