Netgate Discussion Forum

    IPSec/L2TP with pfSense 2.2

    118 Posts 48 Posters 111.6k Views
    themaninblack

      I've been playing with this all day, and have it working with both Windows 7 and OS X (Yosemite) clients.

      My settings are as follows:

      IPSec is enabled  ;)

      PHASE 1 SETTINGS

      Phase 1 proposal (Authentication):
      Authentication method: Mutual PSK
      Negotiation mode: Main
      My Identifier: My IP address

      Phase 1 proposal (Algorithms):
      Encryption algorithm: 3DES
      Hash algorithm: SHA1
      DH key group: 2 (1024 bit)
      Lifetime: 28800 seconds

      NOTE: there are other P1 algorithm combinations that will work, but this is the only combination that works for both Win7 and OS X.
      For example: AES256, SHA1 and DH 14 (2048 bit) also work for Windows 7, but not OS X.

      Advanced options:
      Disable rekey is off
      Disable reauth is off
      NAT Traversal is Auto (this should only matter if your VPN SERVER itself is behind another nat)
      Dead Peer Detection is enabled (but both Win 7 and OS X don't seem to support DPD)

      PHASE 2 SETTINGS

      Phase 2 settings are all the defaults except MODE which should be transport so:

      MODE: Transport (this one f'd me up for a while, I kept setting it to tunnel)
      Protocol: ESP
      Encryption algorithms: AES (auto), Blowfish (auto), 3DES, CAST128 all checked (these are the defaults for P2)
      Hash algorithms: MD5, SHA1 both checked (again, this is the default)
      PFS key group: off
      Lifetime: 3600 seconds

      On the mobile clients tab:

      Enable IPsec mobile client support is checked
      Everything else on this tab is unchecked
      User Authentication is set to "Local Database" (which isn't actually used because Xauth isn't on in P1)
      Group Authentication is set to none

      On the Pre-Shared Keys tab:
      Add a single PSK with the identifier "allusers", set this to something strong

      Firewall NAT:

      • No special NAT rules added, outbound NAT is automatic

      Firewall rules:

      • No special WAN rules added
      • No IPSec rules added
      • L2TP VPN, add a rule for the VPN traffic you want to allow.  I have a "pass-everything" rule here.  Note that if you add a rule, by default you get a pass all TCP rule, not a pass everything rule.

      L2TP VPN setup: (These are my settings, tweak to meet your needs:)
      L2TP server is Enabled
      Interface: LAN
      Remote address range: a range that is a subset of the LAN subnet, that starts on a /29 boundary.  I picked 192.168.x.208
      Subnet mask: /29
      Number of l2tp users: 8
      Secret: (blank)
      Authentication type: CHAP
      Server address: is the next ip outside the remote address range, 192.168.x.216 in my case.

      The "secret" specified here is not the pre-shared key needed by the L2TP/IPSec clients. I'm not even sure this is used at all; I don't see this value being passed on to the mpd config file in any way.

      The subnet mask and number of users seem redundant to me… L2TP is a PPP protocol, so I'm not sure why there's a subnet mask at all. In my case I've picked /29, which corresponds to exactly 8 hosts matching my number of users, and made sure to start my range on a /29 boundary. The UI complains if I put the server address in the remote address range / subnet mask. But the mpd.conf file that's generated only cares about the number of L2TP users; it doesn't seem to matter what you put in the subnet.

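The address plan in the post above (range a subset of the LAN subnet, aligned on its own prefix boundary, server address just outside the range, users handed out sequentially with the mask ignored) is easy to get subtly wrong, as later replies in this thread show. The script below checks such a plan; it is an added example, not code from pfSense or from the poster, and it assumes mpd allocates the range in order from its first address, as the post observes. The `unbound_acl` field is the DNS Resolver access-list entry the pool would need.

```python
"""Check an L2TP/IPsec address plan like the one in the post above.

Added example, not code from pfSense or the original poster.  It encodes
the rules the post states: the remote address range is a subset of the LAN
subnet, starts on a boundary of its own prefix length, holds the configured
number of users, and the server address sits outside the range (the UI
rejects a server address inside it).  mpd is assumed to hand the range out
sequentially from its first address, ignoring the mask, as the post notes.
"""
import ipaddress


def check_l2tp_plan(lan_cidr, range_start, range_prefix, n_users, server_addr):
    """Return {"pool", "clients", "server", "suggested_server", "unbound_acl", "problems"}.

    An empty "problems" list means the plan is consistent.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)   # "192.168.1.1/24" -> 192.168.1.0/24
    start = ipaddress.ip_address(range_start)
    server = ipaddress.ip_address(server_addr)
    # strict=False snaps a misaligned start down to the block it falls in
    pool = ipaddress.ip_network(f"{start}/{range_prefix}", strict=False)

    problems = []
    if pool.network_address != start:
        problems.append(
            f"range start {start} is not on a /{range_prefix} boundary "
            f"(nearest is {pool.network_address})"
        )
    if not pool.subnet_of(lan):
        problems.append(f"range {pool} is not inside LAN {lan}")
    if n_users > pool.num_addresses:
        problems.append(
            f"{n_users} users do not fit in {pool} ({pool.num_addresses} addresses)"
        )
    if server in pool:
        problems.append(f"server address {server} lies inside the range {pool}")
    if server not in lan:
        problems.append(f"server address {server} is outside LAN {lan}")

    # mpd assigns addresses in order from the start of the range, mask ignored
    clients = [str(start + i) for i in range(n_users)]
    return {
        "pool": str(pool),
        "clients": clients,
        "server": str(server),
        # the post's convention: the next IP just past the range
        "suggested_server": str(pool.broadcast_address + 1),
        # DNS Resolver access-list entry the clients need (Services > DNS Resolver > Access Lists)
        "unbound_acl": f"{pool} allow",
        "problems": problems,
    }


if __name__ == "__main__":
    for plan in (
        # the plan from the post: LAN /24, range .208/29, 8 users, server .216
        check_l2tp_plan("192.168.1.1/24", "192.168.1.208", 29, 8, "192.168.1.216"),
        # range and server outside the LAN subnet
        check_l2tp_plan("192.168.1.1/24", "192.168.51.208", 29, 8, "192.168.51.216"),
    ):
        print(plan["pool"], "->", plan["problems"] or "OK")
```

Run it with the values from your own LAN; the second call reproduces the "addresses outside my LAN subnet" variant that comes up later in the thread and reports why it is inconsistent.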
      Cloudscout

        I've spent the whole day digging into this as well and had reached essentially the same configuration options as you, however, I still can't connect.

        The IPsec piece seems to be working alright but nothing ever appears in the L2TP logs and the connection fails with "Error 809".

        els

          I get the same error code. I tried a number of different configurations and would get different error codes such as "789". There are some inconsistencies in terms of how L2TP / IPSEC should be configured. Some have set interface to LAN for L2TP while others say they set it to WAN.

          Hopefully there will be a recommended / working configuration shortly.

          Maybe some more context on LAN configuration e.g. IP subnet and such so we get a better idea how to configure L2TP? One of the configurations I tried did spawn child SA entry on IPSEC status page however I see out being zero. I already set the rule for L2TP VPN to allow any to any. I suspect it may have to do with IP / subnet we set for L2TP.

          dstroot

            I have tried for several weeks off and on to get a stable working configuration for iOS devices to VPN back in using the built-in VPN client on iOS 8.1.2.  At one point I could connect and browse LAN resources but never have I been able to pass traffic out to the Internet.

            I would REALLY love it if someone could share a good, secure working config for iOS clients that passes all traffic, and allows access to local LAN resources as well as traffic out to the Internet.

            Cheers!

            Cloudscout

              I decided to try connecting via OSX and the configuration themaninblack describes worked fine.  No luck with Windows 7, Windows 8.1 or Windows Phone 8.1, though.  I did some research that implies this might be caused by Windows having poor NAT-T tolerance for L2TP+IPsec connections.

              Hopefully the necessary IKEv2 components get integrated sooner rather than later as that would be a better solution for Windows clients than L2TP+IPsec anyway.

              thefink

                @themaninblack:

                I've been playing with this all day, and have it working with both Windows 7 and OS X (Yosemite) clients.

                My settings are as follows:

                IPSec is enabled  ;)

                PHASE 1 SETTINGS

                Phase 1 proposal (Authentication):
                Authentication method: Mutual PSK
                Negotiation mode: Main
                My Identifier: My IP address

                Does this mean that you had to enter your external client's IP as the Phase 1 Peer IP?  Or did you put your external WAN IP as this identifier?
                ~~I feel like this is a stupid question I just asked; but I am trying to figure out how pfSense can operate identically to, say, a Cisco ASA or Windows server based VPN for Windows native clients. Having to enter the IP of the connecting client is not feasible when dealing with external users, as they could be anywhere.

                So with v2.2, how do I set it up so that I can have a client connect from anywhere using their native clients on their devices?~~

                I received my answer to this.  The identifier is the firewall's IP address.

                AndrewZ

                  It seems I have IPSec part working but something is still wrong with L2TP part :(
                  The VPN client (iPad) gets the IP but cannot access resources on LAN.
                  Can someone share the working L2TP server config together with L2TP firewall rules?
                  I suspect something is wrong with LAN subnet, server address and VPN subnet combination.
                  Thanks!

                  EDIT
                  Some details about my setup:
                  local LAN 192.168.5.0/24
                  L2TP server interface is WAN as shown in https://doc.pfsense.org/index.php/L2TP/IPsec_on_Android
                  L2TP server ip 192.168.155.254
                  L2TP client subnet 192.168.155.0/24

                  in the log:

                  Jan 13 13:14:33 	l2tps: [l2tp0] no interface to proxy arp on for 192.168.155.0
                  Jan 13 13:14:33 	l2tps: [l2tp0] IFACE: Up event
                  Jan 13 13:14:33 	l2tps: 192.168.155.254 -> 192.168.155.0
                  Jan 13 13:14:33 	l2tps: [l2tp0] IPCP: LayerUp
                  Jan 13 13:14:33 	l2tps: [l2tp0] IPCP: state change Ack-Rcvd --> Opened
                  Jan 13 13:14:33 	l2tps: PRIDNS 192.168.5.1
                  Jan 13 13:14:33 	l2tps: IPADDR 192.168.155.0
                  Jan 13 13:14:33 	l2tps: [l2tp0] IPCP: SendConfigAck #3
                  Jan 13 13:14:33 	l2tps: PRIDNS 192.168.5.1
                  Jan 13 13:14:33 	l2tps: 192.168.155.0 is OK
                  Jan 13 13:14:33 	l2tps: IPADDR 192.168.155.0
                  
                  
                  eri--

                    You probably have set up your L2TP wrongly, seeing that .0 IP assigned.

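AndrewZ's log excerpt and eri--'s remark point at two things a reader can check mechanically: the client was handed the ".0" address of its range, and mpd reported "no interface to proxy arp on", which means no local interface's subnet contained the client address, so mpd could not publish an ARP entry for it and LAN hosts have no way to reach the client. The script below reads l2tps lines as pfSense logs them and raises those warnings; it is an added example, not code from pfSense or mpd, and the embedded sample is the log AndrewZ posted (his LAN is 192.168.5.0/24).

```python
"""Flag the problems visible in the l2tps log excerpts above.

Added example, not code from pfSense or mpd.  It parses mpd's "l2tps:"
lines as pfSense logs them and, for the address the server hands the
client, checks whether it is a .0 address, whether it lies outside the
LAN subnet, and whether mpd said it found no interface to proxy-ARP it on.
"""
import ipaddress
import re

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+l2tps: (?:\[(?P<iface>\w+)\] )?(?P<msg>.*)$"
)
ASSIGN_RE = re.compile(r"^(?P<server>[\d.]+) -> (?P<client>[\d.]+)$")
NOARP_RE = re.compile(r"^no interface to proxy arp on for (?P<addr>[\d.]+)$")

# copied from AndrewZ's post above (LAN there is 192.168.5.0/24)
ANDREWZ_LOG = """\
Jan 13 13:14:33 \tl2tps: [l2tp0] no interface to proxy arp on for 192.168.155.0
Jan 13 13:14:33 \tl2tps: [l2tp0] IFACE: Up event
Jan 13 13:14:33 \tl2tps: 192.168.155.254 -> 192.168.155.0
Jan 13 13:14:33 \tl2tps: [l2tp0] IPCP: LayerUp
Jan 13 13:14:33 \tl2tps: [l2tp0] IPCP: state change Ack-Rcvd --> Opened
Jan 13 13:14:33 \tl2tps: PRIDNS 192.168.5.1
Jan 13 13:14:33 \tl2tps: IPADDR 192.168.155.0
"""


def analyze_l2tp_log(text, lan_cidr):
    """Return {"server", "client", "ipcp_up", "warnings"} for one L2TP session."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    result = {"server": None, "client": None, "ipcp_up": False, "warnings": []}
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue                      # not an l2tps line; ignore
        msg = m["msg"]
        noarp = NOARP_RE.match(msg)
        if noarp:
            result["warnings"].append(
                f"no local interface subnet contains {noarp['addr']}: mpd cannot "
                "proxy-ARP it, so LAN hosts cannot reach the client"
            )
            continue
        assign = ASSIGN_RE.match(msg)     # "<server> -> <client>"
        if assign:
            result["server"], result["client"] = assign["server"], assign["client"]
            client = ipaddress.ip_address(assign["client"])
            if client.packed[-1] == 0:    # last octet zero: range started on the network address
                result["warnings"].append(
                    f"client got {client}, a .0 address: the range starts on the subnet's network address"
                )
            if client not in lan:
                result["warnings"].append(
                    f"client {client} is outside LAN {lan}; LAN hosts have no route back to it"
                )
            continue
        if msg.startswith("IPCP: state change") and msg.endswith("--> Opened"):
            result["ipcp_up"] = True      # IP layer negotiated; the address above is final
    return result


if __name__ == "__main__":
    r = analyze_l2tp_log(ANDREWZ_LOG, "192.168.5.0/24")
    print(f"{r['server']} -> {r['client']}, IPCP up: {r['ipcp_up']}")
    for w in r["warnings"]:
        print("WARNING:", w)
```

Feed it a copy of Status > System Logs > VPN after a connection attempt; a session that reaches "IPCP ... Opened" with no warnings has a usable address, and anything else is an addressing problem rather than an IPsec one.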
                      AndrewZ

                      Changed client subnet, similar result:

                      Jan 14 03:10:06 	l2tps: [l2tp0] no interface to proxy arp on for 192.168.155.16
                      Jan 14 03:10:06 	l2tps: [l2tp0] IFACE: Up event
                      Jan 14 03:10:06 	l2tps: 192.168.155.254 -> 192.168.155.16
                      Jan 14 03:10:06 	l2tps: [l2tp0] IPCP: LayerUp
                      Jan 14 03:10:06 	l2tps: [l2tp0] IPCP: state change Ack-Rcvd --> Opened
                      
                      
                        MikeV7896

                        Same (or similar) issue as Andrew…

                        I followed themaninblack's config (except for IPSec phase 1 proposal, adjusted for my device)... The connection is being made without any problems. After connecting, I can ping, both LAN hosts and external hosts, DNS works as well (since it's from my pfSense box), but anything else seems to get lost, even webconfig access. I created an "allow all" firewall rule for L2TP, but the logs still show things being blocked... is there another rule I need to add somewhere?

                        Could it be blocking all TCP? If I set the DNS client on my phone to force TCP, nothing is able to resolve anymore.

                        EDIT: I noticed in themaninblack's post that he mentions...

                        • L2TP VPN, add a rule for the VPN traffic you want to allow.  I have a "pass-everything" rule here.  Note that if you add a rule, by default you get a pass all TCP rule, not a pass everything rule.

                        It seems like it's block all TCP, not pass all TCP. And it doesn't appear to be something I can remove as it doesn't show in the rules.

                        (attachment: fw-l2tp0.PNG)


                          eri--

                          Probably you have to enable MSS clamping on your tunnel.

                            MikeV7896

                            No change. TCP still being blocked, while UDP and ICMP go just fine.


                              AndrewZ

                              virgiliomi,
                              you're still more lucky than me :)
                              I do not even see l2tp in the firewall log. Could you please share your working config not hiding the private addresses you use.
                              Thanks!

                                MikeV7896

                                Basically, I followed themaninblack's config from earlier in this thread. The only changes I made are…

                                Phase 1 Algorithms:
                                Encryption: AES 256
                                Hash: SHA1
                                DH key group: 2 (1024 bit)

                                Phase 2 Proposal:
                                Encryption: Only AES checked, 256 bit selected
                                Hash: Only SHA1 checked

                                The IP Addresses I used in L2TP settings are a subset of my LAN subnet, just as mentioned by themaninblack. My LAN is 192.168.1.1/24, my L2TP is 192.168.1.208/29 and my server address is 192.168.1.216. If I use addresses outside of my LAN subnet (i.e. 192.168.51.208/29 and 192.168.51.216) then I get ping responses, but no TCP or UDP traffic (so no DNS).


                                  jimp (Rebel Alliance Developer, Netgate)

                                  Looks like the rules are somehow not matching as expected. Maybe inbound L2TP traffic is actually bypassing pf and not receiving a state?

                                  If you add a Floating rule (quick=checked, dir=out, interface=l2tp, source=any, destination=any, TCP Flags=Any Flags, State Type=Sloppy State) it works.


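jimp's floating rule, written out as the pf rules it amounts to so the trade-off is visible. This is an added illustration, not the ruleset pfSense generates; it assumes pfSense's L2TP interfaces belong to an interface group named `l2tp`, and it is split in two because pf accepts the `flags` keyword only on TCP rules.

```pf
# Floating rule from the post: quick, direction out, interface l2tp,
# source any, destination any, TCP flags "Any Flags", state type "Sloppy".
pass out quick on l2tp inet proto tcp from any to any flags any keep state (sloppy)
# the same pass for non-TCP traffic, where flags and sequence tracking do not apply
pass out quick on l2tp inet proto { udp icmp } from any to any keep state
```

`keep state (sloppy)` switches off pf's TCP sequence-number window checks, which is why it papers over a flow whose inbound side never got a state entry. It is tolerable here only because `on l2tp` pins it to the VPN interfaces; do not widen the rule to WAN or LAN. Check a hand-written version with `pfctl -nvf <file>` before loading it, and prefer the UI rule jimp describes, which pfSense keeps in its own ruleset.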
                                    MikeV7896

                                    Yep, that rule definitely fixed it for me. Works much better now!


                                      jimp (Rebel Alliance Developer, Netgate)

                                      For those having trouble getting it going, I started from scratch and got this to work, pfSense 2.2 vs Windows 8.1 client:

                                      https://doc.pfsense.org/index.php/L2TP/IPsec


                                        AndrewZ

                                        OK, I've deleted my previous config and followed the guide. Result is the same:
                                        IPSec:

                                        Jan 21 01:57:26 	charon: 08[KNL] 192.168.32.1 appeared on l2tp0
                                        Jan 21 01:57:26 	charon: 08[KNL] interface l2tp0 activated
                                        
                                        

                                        L2TP:

                                        Jan 21 01:57:26 	l2tps: [l2tp0] rec'd unexpected protocol IP
                                        Jan 21 01:57:26 	l2tps: [l2tp0] no interface to proxy arp on for 192.168.32.128
                                        Jan 21 01:57:26 	l2tps: [l2tp0] IFACE: Up event
                                        Jan 21 01:57:26 	l2tps: 192.168.32.1 -> 192.168.32.128
                                        Jan 21 01:57:26 	l2tps: [l2tp0] IPCP: LayerUp
                                        Jan 21 01:57:26 	l2tps: [l2tp0] IPCP: state change Ack-Rcvd --> Opened
                                        Jan 21 01:57:26 	l2tps: PRIDNS 192.168.5.1
                                        Jan 21 01:57:26 	l2tps: IPADDR 192.168.32.128
                                        Jan 21 01:57:26 	l2tps: [l2tp0] IPCP: SendConfigAck #3
                                        Jan 21 01:57:26 	l2tps: PRIDNS 192.168.5.1
                                        Jan 21 01:57:26 	l2tps: 192.168.32.128 is OK
                                        Jan 21 01:57:26 	l2tps: IPADDR 192.168.32.128
                                        
                                        

                                        Nothing in firewall log, cannot access LAN. Tested from iPad. pfsense on nanobsd.

                                          Ocid

                                          I managed to get a connection and I'm able to browse LAN and internet from my iPhone (iOS 8.1.2) by following that guide, but I had to make the following modifications:

                                          IPsec Phase 1:

                                          • DH key group: 2 (1024)

                                          ~~Firewall - Rules, WAN tab

                                          • see attached pic~~
                                            (works without these rules)

                                          Services - DNS Resolver - Access Lists

                                          • allow 192.168.32.128/25

                                          (attachment: Screenshot 2015-01-21 12.32.19.png)

                                            jimp (Rebel Alliance Developer, Netgate)

                                            @Ocid:

                                            I managed to get a connection and I'm able to browse LAN and internet from my iPhone (iOS 8.1.2) by following that guide, but I had to make the following modifications:

                                            I added those notes to https://doc.pfsense.org/index.php/L2TP/IPsec


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.