PfSense 2.2, IPSec + L2TP - no useful traffic out from VPN Client
-
I'm currently testing pfSense internally, with the aim of deploying it as a DMZ firewall + VPN server to replace a router with some ACLs and 1:1 NAT.
My setup looks like:
Testing LAN range: 192.168.0.0/24
Regular LAN range: 10.0.0.0/24
PfSense's Regular LAN IP: 10.0.0.100 (i.e. "WAN", to pfSense)
Internal Gateway (i.e. pfSense LAN IP): 192.168.0.1
The setup itself is in VMware: it's a vSwitch with no external NICs assigned (called NoNet), 2 VMs with an interface on NoNet, and 1 VM running pfSense 2.2 with an interface on NoNet and an interface on my regular LAN.
I can get the basic setup working; machines inside the 192.168.0.0 range can use pfSense as their gateway and NAT to the outside world successfully.
I want to be able to VPN to the pfSense firewall and get access to the VMs behind it. I've configured an IPSec + L2TP VPN following the instructions at https://doc.pfsense.org/index.php/L2TP/IPsec, and I can connect to the VPN fine from a windows box on the 10.0.0.0 LAN. L2TP server address: 192.168.4.1, L2TP remote address range: 192.168.4.128; the VPN client gets the IP 192.168.4.128.
Once I'm connected to the VPN, I can ping machines on the testing LAN fine, and I can ping IPs outside the testing LAN (i.e. it's passing traffic both behind the firewall and NATting it out to the 10.0.0.0 LAN).
But, I can't pass any useful traffic from the VPN client to the VMs on the internal LAN. Trying to ssh from the VPN client machine to the VMs on 192.168.0.2 or .3 just results in a timeout. I can, however, pass traffic the other way - pinging the VPN client on 192.168.4.128 works, and telnet 192.168.4.128 139 works (the VPN client is a windows laptop).
i.e.:
- Works: LAN -> VPN client
- Fails: VPN Client -> LAN
That suggests that it's some kind of firewall blockage, or possibly a routing issue?
I've got lots of allow-everything firewalls on the various interfaces:
- Floating, All interfaces: Allow IPv4 ICMP to/from any, Allow TCP to/from any
- LAN: Allow IPv4 any to/from any
- L2TP: Allow IPv4 any to/from any
- IPSec: Allow IPv4 any to/from any
I can't see what I've got wrong in there. Can anyone help?
In case it's relevant:
pfSense: 2.2-RELEASE (amd64)
VMs: CentOS 7.0 running on VMware 5.1 hosts
VPN Client: Windows 7 laptop (all patches applied)
-
Anyone got any idea?
-
Does anything show as blocked in the firewall logs?
Did you add the special TCP-specific rules with the extra settings (Any flags, sloppy state) mentioned in the guide?
-
Did you add the special TCP-specific rules with the extra settings (Any flags, sloppy state) mentioned in the guide?
I hadn't done this! Once I added a TCP rule for L2TP Out with the Any flags and sloppy state it's working.
Now I just need to get it so that I can connect with Windows and OSX. If I set the DH Key group to 2 (1024), OSX can connect & works fine, but Windows 7 doesn't connect (Error 788). If I set it to DH group 14 (2048), Windows 7 works fine but OSX won't connect. Yay VPNs.
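For anyone reading this later and wondering what the "Any flags, sloppy state" rule actually does: below is an illustrative pf.conf-style fragment written for this thread. It is not rules generated by pfSense and not text from the guide; the interface group name "l2tp" and the 192.168.4.0/24 client pool are assumptions (the thread only gives the server address 192.168.4.1 and the client address 192.168.4.128). Without "flags any" pfSense only creates TCP state on a plain SYN, and without "sloppy" pf checks TCP sequence numbers and window against the state it holds; on the L2TP-over-IPsec path pf does not see the stream symmetrically on one interface, so the strict tracker never matches and drops the client's SSH traffic. ICMP has no sequence tracking, which is why ping worked the whole time.

```pf
# Added example for this thread, not pfSense output. Assumed names:
#   l2tp            - interface group for the L2TP tunnel (pfSense "L2TP" tab)
#   192.168.4.0/24  - L2TP client pool (assumed; client got 192.168.4.128)
#   192.168.0.0/24  - the testing LAN behind pfSense (from the thread)

# TCP from VPN clients into the LAN: accept any flag combination as the
# first packet and use sloppy tracking so pf does not enforce sequence
# numbers it never saw the start of. Keep this scoped to the tunnel
# interface and the LAN subnet; sloppy state disables a TCP hardening
# check, so do not make it a floating any/any rule.
pass in quick on l2tp inet proto tcp from 192.168.4.0/24 to 192.168.0.0/24 \
    flags any keep state (sloppy)

# Everything else from the tunnel keeps pf's normal (strict) state tracking.
pass in quick on l2tp inet from 192.168.4.0/24 to any keep state
```

To check that the loaded ruleset really carries these options and that states are being created, `pfctl -sr` (print rules) and `pfctl -ss` (print states) on the pfSense shell are the quickest checks; a state entry for 192.168.4.128 toward 192.168.0.2:22 should appear the moment the SSH connection is attempted, and if it does not, the block should show up in Status > System Logs > Firewall.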
-
Did you add the special TCP-specific rules with the extra settings (Any flags, sloppy state) mentioned in the guide?
I hadn't done this! Once I added a TCP rule for L2TP Out with the Any flags and sloppy state it's working.
Now I just need to get it so that I can connect with Windows and OSX. If I set the DH Key group to 2 (1024), OSX can connect & works fine, but Windows 7 doesn't connect (Error 788). If I set it to DH group 14 (2048), Windows 7 works fine but OSX won't connect. Yay VPNs.
This is my post for this problem.
https://forum.pfsense.org/index.php?topic=83321.msg496600#msg496600
You can set it to 3DES/SHA1/DH group 2, it'll work for both Mac/Win.