Hi,

On Wed, 26 Feb 2014 16:32:34 -0800
"Paul B. Henson" <hen...@acm.org> wrote:
> I currently have the following in pf.conf:
> 
> -----
> pass quick proto { esp, ah } from any to any
> pass in quick on em1 proto udp from any to 96.251.22.154 port {500, 4500, 1701} keep state
> set skip on enc0
> set skip on pppx0
> -----

"set skip on pppx0" needs to be improved because npppd may use pppx1,
or pppx2 ...

> I'm pretty sure I have the ipsec/npppd pieces correct, as I am successfully
> able to connect to the VPN:
> 
> -----
> 2014-02-26 15:35:01:NOTICE: l2tpd ctrl=2 logtype=Started RecvSCCRQ from=134.71.203.230:644
(snip)
> 2014-02-26 15:35:04:NOTICE: ppp id=1 layer=base logtype=TUNNELSTART user="henson" duration=4sec layer2=L2TP_ipv4 layer2from=134.71.203.230:64468 auth=MS-CHAP-V2 ip=10.128.120.160 iface=pppx0

L2TP/IPsec seems to be established successfully.  This means your
ipsec.conf, npppd.conf and pf.conf are ok.

> However, from the VPN client I cannot ping 10.128.120.1, the server
> endpoint, and from the server I cannot ping 10.128.120.160, the client
> endpoint. When I try to ping the client, I can see traffic on the ethernet
> interface:
(snip)
> Am I missing something in either the ipsec, npppd, or pf configuration?

Did you do

  sysctl net.pipex.enable=1

?  This is required to pass packets through the VPN tunnel.

> For this rule "pass quick proto { esp, ah } from any to any", does it really
> need to be any to any with no interface defined?

I think it is required only from/to the listening address of L2TP.

> Wouldn't all of the ipsec traffic be on the WAN interface to/from
> the WAN IP? While I think this piece is working, I'd rather have the
> rule exactly match what is needed than be extra generic.
> 
> Regarding this rule "pass in quick on em1 proto udp from any to
> 96.251.22.154 port {500, 4500, 1701} keep state", it looks like the
> connection to the l2tp port is over the ipsec tunnel and hence via enc0, not
> em1? So it doesn't seem 1701 needs to be allowed in on this rule, I removed
> it and it continued to work, at least as far as successfully connecting but
> not passing traffic over the VPN link <sigh>.

In L2TP/IPsec, "transport mode" IPsec is used instead of tunnel mode.
This means enc(4) is not used, and the decapsulated L2TP packets are
received on the same interface that receives the IPsec packets.

--yasuoka
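Putting the points from this reply together as a pf.conf fragment (an added example, not from either poster; the interface em1 and the address 96.251.22.154 are the ones quoted above, and it assumes the "pppx" interface group that OpenBSD places every pppxN interface in):

```conf
# /etc/pf.conf fragment for L2TP/IPsec with npppd (example, constructed)
ext_if    = "em1"
l2tp_addr = "96.251.22.154"

# npppd may create pppx0, pppx1, pppx2, ... per session, so skip the
# whole "pppx" interface group instead of a single pppx0.
set skip on pppx

# No "set skip on enc0": L2TP/IPsec uses transport-mode IPsec, so enc(4)
# is not involved and decapsulated packets arrive on $ext_if itself.

# IKE and NAT-T to the L2TP listening address
pass in quick on $ext_if proto udp from any to $l2tp_addr port { 500, 4500 } keep state

# ESP/AH only to/from the listening address, rather than any-to-any
pass quick on $ext_if proto { esp, ah } from any to $l2tp_addr
pass quick on $ext_if proto { esp, ah } from $l2tp_addr to any

# L2TP (UDP 1701) is seen on $ext_if after IPsec decapsulation, so it
# must still be allowed here; remove it and the tunnel carries nothing.
pass in quick on $ext_if proto udp from any to $l2tp_addr port 1701 keep state
```

Packets still do not flow through the tunnel until pipex is enabled with `sysctl net.pipex.enable=1`, which belongs in /etc/sysctl.conf to survive a reboot.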
