Netgate Discussion Forum
    PfSense 2.2, IPSec + L2TP - no useful traffic out from VPN Client

    5 Posts 3 Posters 5.7k Views
    • B
      benw01
      last edited by

      I'm currently testing pfSense internally, with the aim of deploying it as a DMZ firewall + VPN server to replace a router with some ACLs and 1:1 NAT.

      My setup looks like:

      Testing LAN range: 192.168.0.0/24
      Regular LAN range: 10.0.0.0/24
      PfSense's Regular LAN IP: 10.0.0.100 (i.e. "WAN", to pfSense)
      Internal Gateway (i.e. pfSense LAN IP): 192.168.0.1

      The setup itself is in VMware: it's a vSwitch with no external NICs assigned (called NoNet), 2 VMs with an interface on NoNet, and 1 VM running pfSense 2.2 with an interface on NoNet and an interface on my regular LAN.

      I can get the basic setup working; machines inside the 192.168.0.0 range can use pfSense as their gateway and NAT to the outside world successfully.

      I want to be able to VPN to the pfSense firewall and get access to the VMs behind it. I've configured an IPSec + L2TP VPN following the instructions at https://doc.pfsense.org/index.php/L2TP/IPsec, and I can connect to the VPN fine from a Windows box on the 10.0.0.0 LAN. L2TP server address: 192.168.4.1, L2TP remote address range: 192.168.4.128; the VPN client gets the IP 192.168.4.128.

      Once I'm connected to the VPN, I can ping machines on the testing LAN fine, and I can ping IPs outside the testing LAN (i.e. it's passing traffic both behind the firewall and NATting it out to the 10.0.0.0 LAN).

      But, I can't pass any useful traffic from the VPN client to the VMs on the internal LAN. Trying to ssh from the VPN client machine to the VMs on 192.168.0.2 or .3 just results in a timeout. I can, however, pass traffic the other way - pinging the VPN client on 192.168.4.128 works, and telnet 192.168.4.128 139 works (the VPN client is a Windows laptop).

      i.e.:

      • Works: LAN -> VPN client
      • Fails: VPN Client -> LAN

      That suggests that it's some kind of firewall blockage, or possibly a routing issue?

      I've got lots of allow-everything firewalls on the various interfaces:

      • Floating, All interfaces: Allow IPv4 ICMP to/from any, Allow TCP to/from any
      • LAN: Allow IPv4 any to/from any
      • L2TP: Allow IPv4 any to/from any
      • IPSec: Allow IPv4 any to/from any

      I can't see what I've got wrong in there. Can anyone help?

      In case it's relevant:
      pfSense: 2.2-RELEASE (amd64)
      VMs: CentOS 7.0 running on VMware 5.1 hosts
      VPN Client: Windows 7 laptop (all patches applied)

      • B
        benw01
        last edited by

        Anyone got any idea?

        • jimpJ
          jimp Rebel Alliance Developer Netgate
          last edited by

          Does anything show as blocked in the firewall logs?

          Did you add the special TCP-specific rules with the extra settings (Any flags, sloppy state) mentioned in the guide?

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          • B
            benw01
            last edited by

            @jimp:

            Did you add the special TCP-specific rules with the extra settings (Any flags, sloppy state) mentioned in the guide?

            I hadn't done this! Once I added a TCP rule for L2TP Out with the Any flags and sloppy state it's working.

            Now I just need to get it so that I can connect with Windows and OSX. If I set the DH Key group to 2 (1024), OSX can connect & works fine, but Windows 7 doesn't connect (Error 788). If I set it to DH group 14 (2048), Windows 7 works fine but OSX won't connect. Yay VPNs.

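For readers who want to see what the rule jimp describes looks like at the pf level, here is an added pf.conf fragment; it is an illustration written for this thread, not the pfSense guide's text or the ruleset pfSense itself generates. The interface name `l2tp`, the use of `lan`, and the 192.168.4.0/24 client pool are assumptions chosen to match the addressing in the original post.

```conf
# Added example, not from the thread or from pfSense's generated rules.
# Assumptions: "l2tp" is the interface pf sees L2TP client traffic on,
# and L2TP clients are handed addresses from 192.168.4.0/24 (the thread
# shows one client at 192.168.4.128).

# 1. The "allow anything" rule the original poster started with. For TCP,
#    pf's default state tracking only creates a state on a packet carrying
#    SYN and no ACK (flags S/SA) and then enforces strict sequence-number
#    and window checks on every later packet. ICMP has no flags or sequence
#    windows, which is why ping kept working while ssh timed out.
pass in quick on l2tp inet from 192.168.4.0/24 to any keep state

# 2. The guide's extra TCP-specific rule. "flags any" lets the rule create
#    or match a state on any TCP segment, not only the initial SYN, and
#    "(sloppy)" turns off the strict sequence/window tracking, so a TCP
#    exchange whose two directions pf does not see symmetrically is not
#    torn down mid-handshake. Keep it scoped to the L2TP pool and to TCP;
#    the plain rule above still handles UDP, ICMP and everything else.
pass in quick on l2tp inet proto tcp from 192.168.4.0/24 to any \
    flags any keep state (sloppy)
```

In the pfSense web GUI this corresponds to a rule on the L2TP VPN tab with Protocol set to TCP and, under Advanced Options, TCP Flags set to "Any flags" and State Type set to "Sloppy". Sloppy tracking gives up some of pf's anti-spoofing protection for the matched connections, so keeping the rule limited to TCP from the L2TP client pool, as above, rather than widening the floating any/any rules, is the smaller change.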
            • I
              i1052
              last edited by

              @benw01:

              @jimp:

              Did you add the special TCP-specific rules with the extra settings (Any flags, sloppy state) mentioned in the guide?

              I hadn't done this! Once I added a TCP rule for L2TP Out with the Any flags and sloppy state it's working.

              Now I just need to get it so that I can connect with Windows and OSX. If I set the DH Key group to 2 (1024), OSX can connect & works fine, but Windows 7 doesn't connect (Error 788). If I set it to DH group 14 (2048), Windows 7 works fine but OSX won't connect. Yay VPNs.

              This is my post for this problem.
              https://forum.pfsense.org/index.php?topic=83321.msg496600#msg496600
              You can set it to 3DES/SHA1/DH group 2, it'll work for both Mac/Win.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.