Netgate Discussion Forum

IPSec/L2TP with pfSense 2.2

IPsec, 118 Posts, 48 Posters, 111.6k Views
MikeV7896:

Basically, I followed themaninblack's config from earlier in this thread. The only changes I made are…

Phase 1 Algorithms:
Encryption: AES 256
Hash: SHA1
DH key group: 2 (1024 bit)

Phase 2 Proposal:
Encryption: Only AES checked, 256 bit selected
Hash: Only SHA1 checked

The IP addresses I used in L2TP settings are a subset of my LAN subnet, just as mentioned by themaninblack. My LAN is 192.168.1.1/24, my L2TP is 192.168.1.208/29 and my server address is 192.168.1.216. If I use addresses outside of my LAN subnet (i.e. 192.168.51.208/29 and 192.168.51.216) then I get ping responses, but no TCP or UDP traffic (so no DNS).

The S in IOT stands for Security
jimp (Netgate developer):

Looks like the rules are somehow not matching as expected. Maybe inbound L2TP traffic is actually bypassing pf and not receiving a state?

If you add a Floating rule (quick=checked, dir=out, interface=l2tp, source=any, destination=any, TCP Flags=Any Flags, State Type=Sloppy State) it works.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!
MikeV7896:

Yep, that rule definitely fixed it for me. Works much better now!
jimp (Netgate developer):

For those having trouble getting it going, I started from scratch and got this to work, pfSense 2.2 vs Windows 8.1 client:

https://doc.pfsense.org/index.php/L2TP/IPsec
AndrewZ:

OK, I've deleted my previous config and followed the guide. Result is the same:

IPsec log:

```text
Jan 21 01:57:26 	charon: 08[KNL] 192.168.32.1 appeared on l2tp0
Jan 21 01:57:26 	charon: 08[KNL] interface l2tp0 activated
```

L2TP log:

```text
Jan 21 01:57:26 	l2tps: [l2tp0] rec'd unexpected protocol IP
Jan 21 01:57:26 	l2tps: [l2tp0] no interface to proxy arp on for 192.168.32.128
Jan 21 01:57:26 	l2tps: [l2tp0] IFACE: Up event
Jan 21 01:57:26 	l2tps: 192.168.32.1 -> 192.168.32.128
Jan 21 01:57:26 	l2tps: [l2tp0] IPCP: LayerUp
Jan 21 01:57:26 	l2tps: [l2tp0] IPCP: state change Ack-Rcvd --> Opened
Jan 21 01:57:26 	l2tps: PRIDNS 192.168.5.1
Jan 21 01:57:26 	l2tps: IPADDR 192.168.32.128
Jan 21 01:57:26 	l2tps: [l2tp0] IPCP: SendConfigAck #3
Jan 21 01:57:26 	l2tps: PRIDNS 192.168.5.1
Jan 21 01:57:26 	l2tps: 192.168.32.128 is OK
Jan 21 01:57:26 	l2tps: IPADDR 192.168.32.128
```

Nothing in firewall log, cannot access LAN. Tested from iPad. pfSense on NanoBSD.
Ocid:

I managed to get a connection and I'm able to browse LAN and internet from my iPhone (iOS 8.1.2) by following that guide, but I had to make the following modifications:

IPsec Phase 1:

• DH key group: 2 (1024)

~~Firewall - Rules, WAN tab

• see attached pic~~
  (works without these rules)

Services - DNS Resolver - Access Lists

• allow 192.168.32.128/25

![Screenshot 2015-01-21 12.32.19.png](/public/imported_attachments/1/Screenshot 2015-01-21 12.32.19.png)
jimp (Netgate developer):

@Ocid:

I managed to get a connection and I'm able to browse LAN and internet from my iPhone (iOS 8.1.2) by following that guide, but I had to make the following modifications:

I added those notes to https://doc.pfsense.org/index.php/L2TP/IPsec
jimp (Netgate developer):

@AndrewZ:

Nothing in firewall log, cannot access LAN. Tested from iPad. pfSense on NanoBSD.

What version of iOS? If you see anything at all in the L2TP log then the IPsec portion must be OK.
dstroot:

Services - DNS Resolver - Access Lists

• allow 192.168.32.128/25

This might be my issue - none of the guides I have seen so far have mentioned anything about the DNS Resolver…
AndrewZ:

@jimp:

What version of iOS? If you see anything at all in the L2TP log then the IPsec portion must be OK.

iOS 8.1.2
I mean the firewall log has no records related to L2TP, but I do have something in both the IPsec and L2TP logs; I mentioned this earlier in this thread.
Could it be related to the NanoBSD build?
jimp (Netgate developer):

Not likely related to NanoBSD, but it could be related to the client configuration and/or L2TP settings. I don't have any devices with iOS 7.x or 8.x to test. I could try 6.x but that may have other unrelated issues.
AndrewZ:

I don't think the client is guilty… I will try to find another client to test. This error - "[l2tp0] no interface to proxy arp on for 192.168.32.128" - makes me suspicious regarding the L2TP server config or behavior.

The daemon is started as follows:

```sh
/usr/local/sbin/mpd4 -b -d /var/etc/l2tp-vpn -p /var/run/l2tp-vpn.pid -s l2tps l2tps
```

Configuration file /var/etc/l2tp-vpn/mpd.conf:

```text
l2tps:
	load l2tp0
	load l2tp1
	load l2tp2
	load l2tp3
	load l2tp4
	load l2tp5
	load l2tp6
	load l2tp7

l2tp0:
	new -i l2tp0 l2tp0 l2tp0
	# set ipcp ranges <local address> <address handed to this client>
	set ipcp ranges 192.168.32.1/32 192.168.32.128/32
	load l2tp_standard

l2tp1:
	new -i l2tp1 l2tp1 l2tp1
	set ipcp ranges 192.168.32.1/32 192.168.32.129/32
	load l2tp_standard

l2tp2:
	new -i l2tp2 l2tp2 l2tp2
	set ipcp ranges 192.168.32.1/32 192.168.32.130/32
	load l2tp_standard

l2tp3:
	new -i l2tp3 l2tp3 l2tp3
	set ipcp ranges 192.168.32.1/32 192.168.32.131/32
	load l2tp_standard

l2tp4:
	new -i l2tp4 l2tp4 l2tp4
	set ipcp ranges 192.168.32.1/32 192.168.32.132/32
	load l2tp_standard

l2tp5:
	new -i l2tp5 l2tp5 l2tp5
	set ipcp ranges 192.168.32.1/32 192.168.32.133/32
	load l2tp_standard

l2tp6:
	new -i l2tp6 l2tp6 l2tp6
	set ipcp ranges 192.168.32.1/32 192.168.32.134/32
	load l2tp_standard

l2tp7:
	new -i l2tp7 l2tp7 l2tp7
	set ipcp ranges 192.168.32.1/32 192.168.32.135/32
	load l2tp_standard

l2tp_standard:
	set bundle disable multilink
	set bundle enable compression
	set bundle yes crypt-reqd
	set ipcp yes vjcomp
	# set ipcp ranges 131.188.69.161/32 131.188.69.170/28
	set ccp yes mppc
	set iface disable on-demand
	set iface enable proxy-arp
	set iface up-script /usr/local/sbin/vpn-linkup
	set iface down-script /usr/local/sbin/vpn-linkdown
	set link yes acfcomp protocomp
	set link no pap chap
	set link enable chap
	set link keep-alive 10 180
	set ipcp dns 192.168.5.1
```
jimp (Netgate developer):

@AndrewZ:

I don't think the client is guilty… I will try to find another client to test. This error - "[l2tp0] no interface to proxy arp on for 192.168.32.128" - makes me suspicious regarding the L2TP server config or behavior.

That is normal. It only comes into play if you make the client subnet overlap another interface such as LAN; the firewall will then proxy ARP for the overlapping addresses so the clients can function. It's not related to any problem.
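An added check for the "no interface to proxy arp on" message jimp explains above (example code written for this thread, not pfSense or mpd code): it reads the `set ipcp ranges` lines of an mpd.conf in the form AndrewZ posted and reports which client addresses fall inside an interface subnet, where mpd's `proxy-arp` will answer ARP for them (the MikeV7896 layout, a 192.168.1.208/29 pool inside a 192.168.1.0/24 LAN), and which do not (AndrewZ's 192.168.32.x pool, which mpd can only reach by routing via the l2tpN interface, subject to that interface's firewall rules). The mpd.conf text is constructed from the ranges posted above; the interface subnets passed in are assumptions for illustration.

```python
"""Check whether an mpd L2TP client pool overlaps a firewall interface subnet.

Added example for this thread, not pfSense or mpd code. mpd logs
'no interface to proxy arp on for <addr>' when a client address is not inside
any interface's subnet; that is harmless unless the pool was meant to sit
inside LAN. The mpd.conf fragment is constructed from the posted ranges;
the interface subnets are assumptions.
"""
import ipaddress
import re

# Constructed sample mirroring the posted /var/etc/l2tp-vpn/mpd.conf.
SAMPLE_MPD_CONF = """\
l2tp0:
    new -i l2tp0 l2tp0 l2tp0
    set ipcp ranges 192.168.32.1/32 192.168.32.128/32
    load l2tp_standard

l2tp1:
    new -i l2tp1 l2tp1 l2tp1
    set ipcp ranges 192.168.32.1/32 192.168.32.129/32
    load l2tp_standard

l2tp_standard:
    set iface enable proxy-arp
    # set ipcp ranges 131.188.69.161/32 131.188.69.170/28
"""

# mpd syntax: set ipcp ranges <self-range> <peer-range>
RANGE_RE = re.compile(r"^\s*set ipcp ranges\s+(\S+)\s+(\S+)\s*$")


def parse_ipcp_ranges(conf_text):
    """Return (server_net, client_net) for every active 'set ipcp ranges'
    line; commented-out lines (leading '#') are skipped, as mpd skips them."""
    ranges = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = RANGE_RE.match(line)
        if m:
            ranges.append((ipaddress.ip_network(m.group(1), strict=False),
                           ipaddress.ip_network(m.group(2), strict=False)))
    return ranges


def classify_clients(conf_text, interface_subnets):
    """Map each client address (as a string) to the name of the interface whose
    subnet contains it, or to None when no interface subnet contains it
    (the case that produces mpd's 'no interface to proxy arp on' line)."""
    subnets = {name: ipaddress.ip_network(cidr, strict=False)
               for name, cidr in interface_subnets.items()}
    placement = {}
    for _server, client in parse_ipcp_ranges(conf_text):
        for addr in client:  # each /32 peer range yields exactly one address
            placement[str(addr)] = next(
                (name for name, net in subnets.items() if addr in net), None)
    return placement


def proxy_arp_summary(conf_text, interface_subnets):
    """Split the pool into addresses mpd will proxy-ARP for on an interface
    and addresses that must instead be routed over the l2tpN interface."""
    placement = classify_clients(conf_text, interface_subnets)
    return {
        "proxy_arp": sorted(a for a, iface in placement.items() if iface),
        "routed": sorted(a for a, iface in placement.items() if not iface),
    }


if __name__ == "__main__":
    # Assumed LAN subnets: AndrewZ's DNS server suggests 192.168.5.0/24 (no
    # overlap with the pool); 192.168.32.0/24 shows the overlapping case.
    for lan in ("192.168.5.0/24", "192.168.32.0/24"):
        print(lan, proxy_arp_summary(SAMPLE_MPD_CONF, {"LAN": lan}))
```

If every pool address lands in "routed", the proxy-arp message is expected and the thing to check is the firewall rules on the L2TP interface, as jimp's floating-rule post describes; if the pool sits in "proxy_arp", the LAN will see the clients as if they were directly attached.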
robertwh:

Guys,
I have been playing with the latest build and trying to get this to work.

These are the logs I get when trying to connect using Windows 7.
According to the IPsec logs I get this far and it just fails to connect:

```text
Jan 22 03:50:05 charon: 09[IKE] <con1|24>CHILD_SA con1{24} established with SPIs c5c7bc2a_i 1c3b1126_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
```

If I connect using my iPhone 6
it connects and gets a proper IP address.
I can ping the phone from my network but cannot connect anywhere from the phone (DNS names or IP addresses).

I found an article on why Windows may not be connecting but haven't had any luck getting it to work.

AssumeUDPEncapsulationContextOnSendRule

http://support2.microsoft.com/?kbid=947234

It appears to be valid for Windows Vista - 8
jimp (Netgate developer):

@robertwh:

Jan 22 03:50:05 charon: 09[IKE] <con1|24>CHILD_SA con1{24} established with SPIs c5c7bc2a_i 1c3b1126_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]

That means the IPsec portion connected. From there, look in the L2TP settings/logs.
robertwh:

I don't think the IPsec tunnel is completely working though.
I suspect it may be NAT-T related.

On the Windows client it connects but never gets to the L2TP connection. It generates these logs and then drops with an 809 error.

```text
Jan 22 09:13:19	charon: 09[IKE] <con1|27>closing CHILD_SA con1{27} with SPIs cb8d4f49_i (774 bytes) c223e6e8_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 09:13:19	charon: 15[IKE] <con1|27>Hash => 20 bytes @ 0x80d545540
Jan 22 09:13:19	charon: 15[IKE] <con1|27>0: 00 F2 7E 7F 5D 3A C0 86 3F D1 78 60 08 82 8B 6C ..~.]:..?.x`...l
Jan 22 09:13:19	charon: 15[IKE] <con1|27>16: C8 DD FE 22 ..."
Jan 22 09:13:19	charon: 15[IKE] <con1|27>received DELETE for IKE_SA con1[27]
Jan 22 09:13:19	charon: 15[IKE] <con1|27>deleting IKE_SA con1[27] between 162.217.144.166[162.217.144.166]...68.196.152.146[192.168.1.9]
Jan 22 09:13:19	charon: 15[IKE] <con1|27>IKE_SA con1[27] state change: ESTABLISHED => DELETING
Jan 22 09:13:19	charon: 15[IKE] <con1|27>IKE_SA con1[27] state change: DELETING => DELETING
Jan 22 09:13:19	charon: 15[IKE] <con1|27>IKE_SA con1[27] state change: DELETING => DESTROYING
```
robertwh:

Here is the complete log when the IPsec is established but I see nothing on the L2TP side.

I have tried setting NAT-T to force and auto.

Last 500 IPsec log entries:

```text
Jan 22 10:21:32	charon: 16[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Jan 22 10:21:32	charon: 16[IKE] <40> received NAT-T (RFC 3947) vendor ID
Jan 22 10:21:32	charon: 16[IKE] <40> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 22 10:21:32	charon: 16[IKE] <40> received FRAGMENTATION vendor ID
Jan 22 10:21:32	charon: 16[IKE] <40> 68.196.152.146 is initiating a Main Mode IKE_SA
Jan 22 10:21:32	charon: 16[IKE] <40> remote host is behind NAT
Jan 22 10:21:32	charon: 16[IKE] <con1|40>IKE_SA con1[40] established between 162.217.144.166[162.217.144.166]...68.196.152.146[192.168.1.9]
Jan 22 10:21:32	charon: 16[IKE] <con1|40>DPD not supported by peer, disabled
Jan 22 10:21:32	charon: 07[IKE] <con1|40>received 3600s lifetime, configured 0s
Jan 22 10:21:32	charon: 07[IKE] <con1|40>received 250000000 lifebytes, configured 0
Jan 22 10:21:32	charon: 07[IKE] <con1|40>CHILD_SA con1{40} established with SPIs c2ac3083_i 791710e4_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:32	charon: 09[IKE] <con1|40>received 3600s lifetime, configured 0s
Jan 22 10:21:32	charon: 09[IKE] <con1|40>received 250000000 lifebytes, configured 0
Jan 22 10:21:32	charon: 09[IKE] <con1|40>detected rekeying of CHILD_SA con1{40}
Jan 22 10:21:32	charon: 07[IKE] <con1|40>CHILD_SA con1{40} established with SPIs ce98b678_i f53a2b36_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:32	charon: 14[IKE] <con1|40>received DELETE for ESP CHILD_SA with SPI 791710e4
Jan 22 10:21:32	charon: 14[IKE] <con1|40>closing CHILD_SA con1{40} with SPIs c2ac3083_i (0 bytes) 791710e4_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:35	charon: 14[IKE] <con1|40>received 3600s lifetime, configured 0s
Jan 22 10:21:35	charon: 14[IKE] <con1|40>received 250000000 lifebytes, configured 0
Jan 22 10:21:35	charon: 14[IKE] <con1|40>detected rekeying of CHILD_SA con1{40}
Jan 22 10:21:35	charon: 14[IKE] <con1|40>CHILD_SA con1{40} established with SPIs c51633fb_i ca4d941f_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:35	charon: 16[IKE] <con1|40>received DELETE for ESP CHILD_SA with SPI f53a2b36
Jan 22 10:21:35	charon: 16[IKE] <con1|40>closing CHILD_SA con1{40} with SPIs ce98b678_i (0 bytes) f53a2b36_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:39	charon: 16[IKE] <con1|40>received 3600s lifetime, configured 0s
Jan 22 10:21:39	charon: 16[IKE] <con1|40>received 250000000 lifebytes, configured 0
Jan 22 10:21:39	charon: 16[IKE] <con1|40>detected rekeying of CHILD_SA con1{40}
Jan 22 10:21:39	charon: 16[IKE] <con1|40>CHILD_SA con1{40} established with SPIs c0f69931_i fff6c3f5_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:39	charon: 10[IKE] <con1|40>received DELETE for ESP CHILD_SA with SPI ca4d941f
Jan 22 10:21:39	charon: 10[IKE] <con1|40>closing CHILD_SA con1{40} with SPIs c51633fb_i (0 bytes) ca4d941f_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:47	charon: 10[IKE] <con1|40>received 3600s lifetime, configured 0s
Jan 22 10:21:47	charon: 10[IKE] <con1|40>received 250000000 lifebytes, configured 0
Jan 22 10:21:47	charon: 10[IKE] <con1|40>detected rekeying of CHILD_SA con1{40}
Jan 22 10:21:47	charon: 10[IKE] <con1|40>CHILD_SA con1{40} established with SPIs c9cfefb5_i 4d93f9c0_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:47	charon: 07[IKE] <con1|40>received DELETE for ESP CHILD_SA with SPI fff6c3f5
Jan 22 10:21:47	charon: 07[IKE] <con1|40>closing CHILD_SA con1{40} with SPIs c0f69931_i (0 bytes) fff6c3f5_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:57	charon: 07[IKE] <con1|40>received 3600s lifetime, configured 0s
Jan 22 10:21:57	charon: 07[IKE] <con1|40>received 250000000 lifebytes, configured 0
Jan 22 10:21:57	charon: 07[IKE] <con1|40>detected rekeying of CHILD_SA con1{40}
Jan 22 10:21:57	charon: 07[IKE] <con1|40>CHILD_SA con1{40} established with SPIs c13e2917_i d30e718f_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:57	charon: 10[IKE] <con1|40>received DELETE for ESP CHILD_SA with SPI 4d93f9c0
Jan 22 10:21:57	charon: 10[IKE] <con1|40>closing CHILD_SA con1{40} with SPIs c9cfefb5_i (0 bytes) 4d93f9c0_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
```
eri--:

Probably you have to disable rekey on this tunnel.
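An added log summary for the charon output robertwh posted and eri--'s rekey suggestion (example code written for this thread, not strongSwan or pfSense code): it collapses the doubled lines, pairs each CHILD_SA's "established" and "closing" entries by SPI, computes lifetime and the byte counters charon prints at close, and separates two patterns: an SA closed with bytes inbound but none outbound (IPsec carried the client's traffic and nothing answered on UDP 1701, so as jimp says the L2TP side is where to look) versus SAs that churn through rekeys having carried no traffic at all. The sample lines are constructed from the entries in this thread; the 10-second churn window and the reading of the counters are assumptions, not charon semantics.

```python
"""Summarize IKEv1 CHILD_SA churn from strongSwan (charon) log lines.

Added example for this thread, not strongSwan or pfSense code. The sample
lines are constructed from the entries posted above; the churn window and
the interpretation of the byte counters are assumptions.
"""
import re
from datetime import datetime

# Constructed sample. pfSense's log view prints most charon lines twice, once
# with the <conN|M> IKE_SA prefix and once without; both forms appear here.
# 'udp/l2f' in the traffic selector is the /etc/services name for UDP 1701.
SAMPLE_LOG = """\
Jan 22 09:13:19 charon: 09[IKE] <con1|27>closing CHILD_SA con1{27} with SPIs cb8d4f49_i (774 bytes) c223e6e8_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 09:13:19 charon: 09[IKE] closing CHILD_SA con1{27} with SPIs cb8d4f49_i (774 bytes) c223e6e8_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:32 charon: 07[IKE] <con1|40>CHILD_SA con1{40} established with SPIs c2ac3083_i 791710e4_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:32 charon: 07[IKE] CHILD_SA con1{40} established with SPIs c2ac3083_i 791710e4_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:32 charon: 09[IKE] <con1|40>detected rekeying of CHILD_SA con1{40}
Jan 22 10:21:32 charon: 07[IKE] <con1|40>CHILD_SA con1{40} established with SPIs ce98b678_i f53a2b36_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:32 charon: 14[IKE] <con1|40>closing CHILD_SA con1{40} with SPIs c2ac3083_i (0 bytes) 791710e4_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:35 charon: 14[IKE] <con1|40>CHILD_SA con1{40} established with SPIs c51633fb_i ca4d941f_o and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:35 charon: 16[IKE] <con1|40>closing CHILD_SA con1{40} with SPIs ce98b678_i (0 bytes) f53a2b36_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
Jan 22 10:21:39 charon: 10[IKE] <con1|40>closing CHILD_SA con1{40} with SPIs c51633fb_i (0 bytes) ca4d941f_o (0 bytes) and TS 162.217.144.166/32|/0[udp/l2f] === 68.196.152.146/32|/0[udp/l2f]
"""

# Syslog-style stamp, optional <conN|M> prefix, then the message proper.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+charon: \d+\[IKE\]\s*"
    r"(?:<[^>]+>)?\s*(?P<msg>.*)$")
EST_RE = re.compile(r"CHILD_SA \S+\{\d+\} established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o")
CLOSE_RE = re.compile(r"closing CHILD_SA \S+\{\d+\} with SPIs ([0-9a-f]+)_i \((\d+) bytes\) "
                      r"([0-9a-f]+)_o \((\d+) bytes\)")
TS_RE = re.compile(r"TS (\S+)\|/0\[(\w+)/(\w+)\] === (\S+)\|/0\[(\w+)/(\w+)\]")


def _new_sa(spi_in, spi_out):
    return {"spi_in": spi_in, "spi_out": spi_out, "established_at": None,
            "closed_at": None, "in_bytes": None, "out_bytes": None, "lifetime_s": None}


def parse_child_sas(log_text):
    """One record per CHILD_SA (keyed by its SPI pair), in order of first
    appearance. Lines differing only in the <conN|M> prefix are collapsed; a
    close without a matching establish keeps established_at = None."""
    sas, seen = {}, set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts_text, msg = m.group("ts"), m.group("msg")
        if (ts_text, msg) in seen:
            continue
        seen.add((ts_text, msg))
        ts = datetime.strptime(ts_text, "%b %d %H:%M:%S")  # year-less stamp; deltas only
        e = EST_RE.search(msg)
        c = CLOSE_RE.search(msg)
        if e:
            key = (e.group(1), e.group(2))
            sas.setdefault(key, _new_sa(*key))["established_at"] = ts
        elif c:
            key = (c.group(1), c.group(3))
            sa = sas.setdefault(key, _new_sa(*key))
            sa["closed_at"], sa["in_bytes"], sa["out_bytes"] = ts, int(c.group(2)), int(c.group(4))
    for sa in sas.values():
        if sa["established_at"] and sa["closed_at"]:
            sa["lifetime_s"] = int((sa["closed_at"] - sa["established_at"]).total_seconds())
    return list(sas.values())


def traffic_selector(log_text):
    """(local, proto/service, remote, proto/service) from the first TS seen;
    host/32 on both sides with udp/l2f is the transport-mode L2TP selector."""
    m = TS_RE.search(log_text)
    if not m:
        return None
    return (m.group(1), m.group(2) + "/" + m.group(3), m.group(4), m.group(5) + "/" + m.group(6))


def diagnose(sas, churn_window_s=10):
    """Heuristic split (thresholds are assumptions): 'one_way' = the client sent
    ESP bytes but the firewall sent none back, so IPsec worked and UDP 1701 was
    never answered; 'churn' = SAs torn down within churn_window_s seconds having
    carried nothing either way, the rekey loop visible in the log above."""
    one_way = [sa for sa in sas if sa["in_bytes"] and not sa["out_bytes"]]
    churn = [sa for sa in sas if sa["in_bytes"] == 0 and sa["out_bytes"] == 0
             and sa["lifetime_s"] is not None and sa["lifetime_s"] <= churn_window_s]
    return {"one_way": one_way, "churn": churn}


if __name__ == "__main__":
    records = parse_child_sas(SAMPLE_LOG)
    print("selector:", traffic_selector(SAMPLE_LOG))
    for sa in records:
        print(sa["spi_in"], sa["spi_out"], "lifetime", sa["lifetime_s"],
              "bytes in/out", sa["in_bytes"], sa["out_bytes"])
    for kind, hits in diagnose(records).items():
        print(kind, [sa["spi_in"] for sa in hits])
```

Run against a real pfSense IPsec log export: a non-empty "one_way" list says the next place to look is the L2TP log and the rules on the L2TP interface, while a long "churn" list with no bytes in either direction is the pattern eri-- is addressing with the disable-rekey suggestion.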
                                        • R
                                          robertwh
                                          last edited by

                                          Here are my settings below, and it doesn't work.

                                          PHASE 1 SETTINGS

                                          Phase 1 proposal (Authentication):
                                          Authentication method: Mutual PSK
                                          Negotiation mode: Main
                                          My Identifier: My IP address

                                          Phase 1 proposal (Algorithms):
                                          Encryption algorithm: 3DES
                                          Hash algorithm: SHA1
                                          DH key group: 2 (1024 bit)
                                          Lifetime: 28800 seconds

                                          Advanced options:
                                          Disable rekey is off
                                          Disable reauth is off
                                          NAT Traversal is Auto
                                          Dead Peer Detection is enabled

                                          PHASE 2 SETTINGS

                                          Phase 2 settings are all the defaults except MODE which should be transport so:

                                          MODE: Transport (this one f'd me up for a while, I kept setting it to tunnel)
                                          Protocol: ESP
                                          Encryption algorithms: AES (128 bits), 3DES, CAST128, DES
                                          Hash algorithms: MD5, SHA1, SHA256, SHA384, SHA512, AES-XCBC
                                          PFS key group: off
                                          Lifetime: 3600 seconds

                                          On the mobile clients tab:

                                          Enable IPsec mobile client support is checked
                                          Everything else on this tab is unchecked
                                          User Authentication is set to "Local Database" (which isn't actually used because Xauth isn't on in P1)
                                          Group Authentication is set to none

                                          On the Pre-Shared Keys tabs:
                                          Add a single PSK with the identifier "allusers", set this to something strong

                                          Firewall NAT:

                                          • No special NAT rules added, outbound NAT is automatic

                                          Firewall rules:

                                          • No special WAN rules added
                                          • No IPSec rules added
                                          • L2TP VPN, add a rule for the VPN traffic you want to allow.  I have a "pass-everything" rule here.  Note that if you add a rule, by default you get a pass all TCP rule, not a pass everything rule.

                                          L2TP VPN setup:
                                          L2TP server is Enabled
                                          Interface: LAN
                                          Remote address range: a range that is a subset of the LAN subnet, that starts on a /29 boundary.  I picked 192.168.x.208
                                          Subnet mask: /29
                                          Number of l2tp users: 8
                                          Secret: (blank)
                                          Authentication type: CHAP
                                          Server address: is the next ip outside the remote address range, 192.168.x.216 in my case.

                                          • jimp Rebel Alliance Developer Netgate

                                            @robertwh:

                                            Interface: LAN

                                            Should be WAN, not LAN (See https://doc.pfsense.org/index.php/L2TP/IPsec )

                                            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                            Need help fast? Netgate Global Support!

                                            Do not Chat/PM for help!

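Added example (not pfSense's code or anything posted in the thread): a checker for the constraints these two posts establish, namely robertwh's Transport-mode requirement and /29-aligned pool inside the LAN subnet with the server address as the next IP after it, plus jimp's correction that the L2TP interface is WAN. The config keys, the 192.168.1.0/24 LAN standing in for 192.168.x, and the DES/MD5 caveat are this example's own assumptions.

```python
import ipaddress

# Constructed config mirroring robertwh's settings with jimp's correction
# (L2TP interface WAN) applied. The key names are this example's own, not
# pfSense's, and 192.168.1.0/24 stands in for the 192.168.x LAN.
EXAMPLE_CFG = {
    "lan_subnet": "192.168.1.0/24",
    "p2": {"mode": "Transport", "protocol": "ESP",
           "encryption": ["AES128", "3DES", "CAST128", "DES"],
           "hash": ["MD5", "SHA1", "SHA256", "SHA384", "SHA512", "AES-XCBC"]},
    "l2tp": {"interface": "WAN", "remote_start": "192.168.1.208",
             "prefixlen": 29, "users": 8, "server_address": "192.168.1.216"},
}


def check_config(cfg):
    """Return a list of problems; an empty list means the thread's constraints hold."""
    problems = []
    lan = ipaddress.ip_network(cfg["lan_subnet"])
    p2, l2tp = cfg["p2"], cfg["l2tp"]
    if p2["mode"].lower() != "transport":
        problems.append("P2 mode must be Transport, not Tunnel, for L2TP/IPsec")
    if l2tp["interface"].upper() != "WAN":
        problems.append("L2TP interface should be WAN, not LAN")
    plen = l2tp["prefixlen"]
    try:
        # strict=True rejects a start address that is not on the /prefixlen boundary
        pool = ipaddress.ip_network(f"{l2tp['remote_start']}/{plen}", strict=True)
    except ValueError:
        problems.append(f"remote range {l2tp['remote_start']}/{plen} does not start on a /{plen} boundary")
        return problems
    if not pool.subnet_of(lan):
        problems.append(f"remote range {pool} is not a subset of LAN {lan}")
    if l2tp["users"] > pool.num_addresses:
        problems.append(f"{l2tp['users']} users do not fit in the {pool.num_addresses} addresses of {pool}")
    server = ipaddress.ip_address(l2tp["server_address"])
    if server != pool.broadcast_address + 1:
        problems.append(f"server address {server} is not the next IP after {pool}")
    # Defender's caveat beyond the thread: DES and MD5 should not be offered at all.
    weak = [a for a in p2["encryption"] + p2["hash"] if a in ("DES", "MD5")]
    if weak:
        problems.append("weak P2 algorithms offered: " + ", ".join(weak))
    return problems
```

With the thread's settings as posted, the only finding is the weak-algorithm caveat; switching the interface back to LAN or the mode to Tunnel reproduces the mistakes the two posts discuss.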
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.