Netgate Discussion Forum

Split Tunnel with L2TP over IPSec in pfSense

    sirozha Banned
    last edited by Aug 28, 2016, 1:48 PM Aug 28, 2016, 1:42 PM

    Hi,

    I configured L2TP over IPSec in pfSense and was able to connect from a macOS built-in L2TP over IPSec client to pfSense. However, only traffic to the "Server address" specified in pfSense in VPN / L2TP / Configuration gets inside the L2TP over IPSec tunnel; hence I can only ping that "Server address". The reason for this is that once the L2TP over IPSec tunnel connection is established from macOS, the only specific route that is installed in the macOS routing table that points out of the ppp0 interface is the route to the "Server address". There's also a default route installed in the macOS routing table that points out of the ppp0 interface, but that default route is listed second in the routing table. The first default route listed in the macOS routing table points to the active network interface configured in macOS. Because of the way routing is done in macOS, only the first default route is used when the interface that it points out of is active.

    In order to be able to send traffic from the macOS host connected to pfSense via the L2TP over IPSec tunnel to any host located off the pfSense LAN interface (or to the IP of the pfSense LAN interface itself), I had to select the "Send all traffic over VPN connection" check box in the macOS L2TP over IPSec client. This results in the default route pointing out of the ppp0 interface being placed first on the list of default routes in the macOS routing table, and therefore all traffic is routed across the VPN connection. This, however, results in the phenomenon that macOS-generated traffic bound for the Internet has to first arrive in pfSense, be decapsulated from IPSec and then from L2TP, and only then be routed out of the pfSense WAN interface to the Internet.

    So, is there a way to configure in pfSense the specific subnets to which traffic should be routed by the L2TP over IPSec client into the tunnel, so that routes to these subnets are installed in the macOS routing table pointing out of the ppp0 interface, and so that traffic to all other networks is routed by macOS outside of the L2TP tunnel – directly out of the macOS active network interface, unencrypted and unencapsulated?

    Thank you.

      jimp Rebel Alliance Developer Netgate
      last edited by Sep 7, 2016, 5:47 PM

      No, there is no mechanism in L2TP for this – It's 100% up to the client. You can probably script some routing to happen on connect on the client side, but the firewall (or any L2TP server) can't send routes.

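One way to do the client-side route scripting jimp refers to, as an added example that is not from this thread: macOS pppd runs /etc/ppp/ip-up (if present and executable) once the link is up, passing the interface name as its first argument, so that script can install routes for just the subnets behind the pfSense LAN while "Send all traffic over VPN connection" stays unchecked. The subnet list below is a constructed placeholder.

```shell
#!/bin/sh
# Example /etc/ppp/ip-up for the macOS L2TP client (added illustration, not from the thread).
# pppd runs it after the link is up as:  ip-up <iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>
# The file must be owned by root and executable (chmod 755).

# Subnets behind the pfSense LAN that should be reached through the tunnel (constructed placeholders).
SPLIT_SUBNETS="192.168.1.0/24 10.10.0.0/16"

# Emit one BSD `route` command per subnet, pointing it at the ppp interface.
# Printing rather than executing keeps the logic reviewable and testable without root.
build_route_cmds() {
  iface="$1"
  for net in $SPLIT_SUBNETS; do
    printf 'route -n add -net %s -interface %s\n' "$net" "$iface"
  done
}

# Only act when pppd invoked us for a ppp interface; a bare run (no arguments) does nothing.
case "${1:-}" in
  ppp[0-9]*)
    # Log what is being installed so unexpected routes show up in the system log.
    build_route_cmds "$1" | logger -t ip-up-split
    build_route_cmds "$1" | sh
    ;;
esac
```

Interface-scoped routes disappear together with ppp0 when the tunnel drops, so an ip-down counterpart is usually not needed; the host stays directly reachable on its local network while connected, which is the trade-off split tunnelling makes.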