IPSec/L2TP with pfSense 2.2
-
Same issue here with the L2TP / IPsec VPN, sigh. PPTP and OpenVPN both work flawlessly.
-
Spent the last 3 days trying to get IPSec/L2TP on pfSense to work, with no success.
Correctly followed these instructions, and some others, but got the same issue: clean logs on the L2TP log tab, but the IPsec tunnel seems to be working (no error in the IPsec log tab). I hope the community will find a solution to the problem, I REALLY need VPN working without third party apps and I don't want to use OpenVPN for the enterprise right now (not my decision).
> Same issue here with the L2TP / IPsec VPN, sigh. PPTP and OpenVPN both work flawlessly.

PPTP works, but, unfortunately, only for one connection (on pfSense 2.2.1 x64). More than one connection does not work.
-
Not to hijack the topic, but PPTP can be made to work for multiple people if you have multiple public IPs (or ISPs).
Back to L2TP/IPSec, I tried plugging my Windows box directly into my cable modem, thereby getting a public IP. Still no luck. The IPSec SA would come up, but no L2TP traffic.
I enabled logging on my rules that pass traffic on the WAN interface. I saw where the rules would pass traffic on UDP 500, 1500 and 1701.
I'm almost to the point of dropping $400 to have the Electric Sheep Fencers take a look.
-
I can't seem to make it work either.
Is there a pointer to an up to date walkthrough about setting up L2TP/IPSEC passthrough to an internal windows server? I have a couple machines that should work fine for this until this is all worked out with pfsense.
-
I don't think IPsec / L2TP is currently working with 2.2.1
-
I don't think L2TP/IPsec is broken under 2.2.1, but things aren't working here either.
I've followed the guides, but when I try to connect it hangs with these messages in the IPsec log:

```
Mar 22 05:26:11 charon: 10[NET] sending packet: from 179.210.144.237[500] to 191.247.226.162[56312] (180 bytes)
Mar 22 05:26:12 charon: 10[NET] received packet: from 191.247.226.162[56312] to 179.210.144.237[500] (228 bytes)
Mar 22 05:26:12 charon: 10[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Mar 22 05:26:12 charon: 10[IKE] <12> remote host is behind NAT
Mar 22 05:26:12 charon: 10[IKE] remote host is behind NAT
Mar 22 05:26:12 charon: 10[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Mar 22 05:26:12 charon: 10[NET] sending packet: from 179.210.144.237[500] to 191.247.226.162[56312] (244 bytes)
Mar 22 05:26:41 charon: 10[JOB] deleting half open IKE_SA after timeout
```

It's really strange, since I can connect using the local IP address, but when I come in from the WAN this happens.
All the firewall rules are to "allow everything".
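The charon excerpt above shows the pattern that comes up repeatedly in this thread (a later reply attributes it to clients behind NAT): charon answers the KE/NAT-D exchange, reports that the peer is behind NAT, and then deletes the half-open IKE_SA. Per RFC 3947 the next IKEv1 message from a NAT-ed client is sent to UDP/4500, so whether anything ever arrives on 4500 is the thing to check. The script below is an added example (not pfSense or strongSwan code) that groups charon log lines per remote peer and reports these signs; the sample log is the excerpt above split one line per message, and attributing the NAT/timeout lines to the most recently seen peer address is a heuristic.

```python
"""Triage charon (strongSwan) IKEv1 logs for the 'behind NAT, then half-open
timeout' pattern. Added example; not pfSense or strongSwan code."""
import re
from typing import Any, Dict, List

# Constructed sample: the charon lines posted in this thread, one per line.
SAMPLE_LOG = """\
Mar 22 05:26:11 charon: 10[NET] sending packet: from 179.210.144.237[500] to 191.247.226.162[56312] (180 bytes)
Mar 22 05:26:12 charon: 10[NET] received packet: from 191.247.226.162[56312] to 179.210.144.237[500] (228 bytes)
Mar 22 05:26:12 charon: 10[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Mar 22 05:26:12 charon: 10[IKE] <12> remote host is behind NAT
Mar 22 05:26:12 charon: 10[IKE] remote host is behind NAT
Mar 22 05:26:12 charon: 10[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Mar 22 05:26:12 charon: 10[NET] sending packet: from 179.210.144.237[500] to 191.247.226.162[56312] (244 bytes)
Mar 22 05:26:41 charon: 10[JOB] deleting half open IKE_SA after timeout
"""

# Matches charon's [NET] packet lines, which carry IP[port] for both ends.
PKT_RE = re.compile(
    r"\[NET\] (?P<dir>sending|received) packet: "
    r"from (?P<src>[\d.]+)\[(?P<sport>\d+)\] to (?P<dst>[\d.]+)\[(?P<dport>\d+)\]"
)


def new_state() -> Dict[str, Any]:
    return {"nat_detected": False, "half_open_timeout": False, "established": False,
            "local_ports": set(), "peer_ports": set()}


def triage(log_text: str) -> Dict[str, Dict[str, Any]]:
    """Group charon events by remote peer address.

    charon does not print the peer address on the NAT-detection or timeout
    lines, so those are attributed to the peer of the most recent packet line
    (a heuristic: fine for one client attempt, weaker on a busy responder)."""
    peers: Dict[str, Dict[str, Any]] = {}
    current = None
    for line in log_text.splitlines():
        m = PKT_RE.search(line)
        if m:
            if m["dir"] == "received":
                peer, peer_port, local_port = m["src"], int(m["sport"]), int(m["dport"])
            else:
                peer, peer_port, local_port = m["dst"], int(m["dport"]), int(m["sport"])
            st = peers.setdefault(peer, new_state())
            st["local_ports"].add(local_port)
            st["peer_ports"].add(peer_port)
            current = peer
        elif current is not None:
            st = peers[current]
            if "remote host is behind NAT" in line:
                st["nat_detected"] = True
            elif "deleting half open IKE_SA after timeout" in line:
                st["half_open_timeout"] = True
            elif "IKE_SA" in line and "established between" in line:
                st["established"] = True
    return peers


def findings(st: Dict[str, Any]) -> List[str]:
    """Turn one peer's state into human-readable hints."""
    if st["established"]:
        return ["IKE_SA established; look at the L2TP side (UDP/1701 inside ESP) next"]
    out: List[str] = []
    if st["nat_detected"]:
        out.append("charon's NAT-D check says the client is behind NAT")
    if any(p not in (500, 4500) for p in st["peer_ports"]):
        out.append("client source port is not 500: a NAT is rewriting UDP ports")
    if st["half_open_timeout"]:
        if st["nat_detected"] and 4500 not in st["local_ports"]:
            out.append("half-open timeout after NAT detection and nothing ever arrived "
                       "on UDP/4500: the NAT-T float (RFC 3947) never reached this box")
        else:
            out.append("half-open timeout: client stopped replying")
    return out or ["nothing conclusive in this excerpt"]


def report(log_text: str) -> Dict[str, List[str]]:
    return {peer: findings(st) for peer, st in triage(log_text).items()}


if __name__ == "__main__":
    for peer, notes in report(SAMPLE_LOG).items():
        print(peer)
        for note in notes:
            print("  -", note)
```

Run it against the full IPsec log (Status > System Logs > IPsec, or `/var/log/ipsec.log`) rather than an excerpt; if a peer's only hint is the missing UDP/4500 traffic, the next step is a packet capture on WAN for `udp port 4500` to see whether the NAT-T packets reach the box at all.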
-
Hi all,
I'm also experiencing an issue with setting up L2TP/IPsec on pfSense 2.2. I have tried both pfSense 2.2.1 and also downgraded to 2.2 to see if it produced any better result; unfortunately, no go.
I followed the guide at https://doc.pfsense.org/index.php/L2TP/IPsec and am finding the same troubles as other people in this forum, L2TP doesn't seem to do anything at all (L2TP Raw doesn't show anything when trying to connect with a client), I do see the IPsec establish fine so I know it's not a problem there.
I've tried Android, Windows 7 and Windows 8.1 from multiple locations.
Is there anyone out there that got this to work?? You would think that if there is a howto showing it working, it should work for others as well? :)
Appreciate any help in the matter! I'll provide some logs, etc if requested.
-
I am having the exact same issues. I cannot get IPSEC/L2TP to connect following the guides.
-
Same problem here, I can see the IPSec tunnels created and then time out, but nothing under L2TP.
I've tried with a Win7 client (behind NAT) and my Android phone (not NAT); neither of them gets further than IPSec. It seems that the traffic doesn't get to the L2TP service?
Is there anyone that has any ideas? I really need to have this working ASAP.
But this is very interesting: if I try to connect to the VPN when I'm on my local LAN (i.e. to my local pfSense IP), then everything works okay? The L2TP/IPSec tunnel is created and I can see the established connection under IPsec and L2TP.
So it must be some firewall rule or something like that I'm missing.
-
No luck with the firewall rule, I created an Allow Everything rule but no success, almost seems like a bug…
Anyone?
-
It may be a bug in strongSwan.
Client without NAT - works fine. Move the same client behind NAT, and the traffic never makes it through properly. IPsec layer connects, ESP traffic arrives, packets even show up on enc0 but somehow never make it to the L2TP daemon.
It's not exclusive to pfSense, either… https://lists.strongswan.org/pipermail/users/2014-September/006638.html
Judging by responses to other similar issues by the strongSwan folks, it sounds like they really don't like L2TP/IPsec with NAT and probably won't fix it since people have moved on to other things.
Switching to IKEv2 is probably best.
-
Thanks for your answer,
Seems that I will need to look into that, or look at placing a Windows RAS IPSec/L2TP server behind pfSense with NAT (seems like a headache to me).
-
Looks like the rules are somehow not matching as expected. Maybe inbound L2TP traffic is actually bypassing pf and not receiving a state?
If you add a Floating rule (quick=checked, dir=out, interface=l2tp, source=any, destination=any, TCP Flags=Any Flags, State Type=Sloppy State) it works.
This was so critical to getting a brand new L2TP/IPsec VPN working on a fresh install of 2.2.1 that I feel like it should be in a sticky at the top!
-
> Looks like the rules are somehow not matching as expected. Maybe inbound L2TP traffic is actually bypassing pf and not receiving a state?
> If you add a Floating rule (quick=checked, dir=out, interface=l2tp, source=any, destination=any, TCP Flags=Any Flags, State Type=Sloppy State) it works.
> This was so critical to getting a brand new L2TP/IPsec VPN working on a fresh install of 2.2.1 that I feel like it should be in a sticky at the top!

It's mentioned in the guide: https://doc.pfsense.org/index.php/L2TP/IPsec
-
> > Looks like the rules are somehow not matching as expected. Maybe inbound L2TP traffic is actually bypassing pf and not receiving a state?
> > If you add a Floating rule (quick=checked, dir=out, interface=l2tp, source=any, destination=any, TCP Flags=Any Flags, State Type=Sloppy State) it works.
> > This was so critical to getting a brand new L2TP/IPsec VPN working on a fresh install of 2.2.1 that I feel like it should be in a sticky at the top!
>
> It's mentioned in the guide: https://doc.pfsense.org/index.php/L2TP/IPsec

Yes, but I couldn't even connect (via TCP) to any of my internal systems without it. Maybe change the description and/or move it out of "Troubleshooting" and into the main "Firewall Rules and NAT" section? Just a suggestion.
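The floating rule from the posts above, as an added example written in pf(4) syntax (not the ruleset pfSense generates, which may label and order it differently); that the L2TP server's ng interfaces are grouped under the name `l2tp` is an assumption. Having it in this form makes it easy to confirm with `pfctl -sr` that the rule actually loaded:

```pf
# Floating rule: quick, direction out, interface l2tp, any -> any, sloppy state.
# Assumed interface group name "l2tp". "flags any" only affects TCP packets;
# "keep state (sloppy)" relaxes pf's TCP sequence-window checks so traffic seen
# asymmetrically on the L2TP side still matches a state instead of being dropped.
pass out quick on l2tp from any to any flags any keep state (sloppy)
```

To check it from a shell on the firewall: `pfctl -sr | grep 'on l2tp'` should list the rule, and once a client is connected `pfctl -ss | grep ':1701'` should show UDP/1701 states. If packets are visible on `enc0` (as jimp describes above) but no 1701 state ever appears, the traffic is not being matched by the rules, which is what the poster above observed before adding this rule.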
-
After upgrading to 2.2.2 I lost L2TP/IPsec VPN connectivity.
Nothing is showing up in the logs when I attempt to connect.
It was working fine on 2.2.1 using OS X and iOS clients.
Any changes after the update that I should check?
I've gone through my config twice and can't find anything wrong.
-
> It may be a bug in strongSwan.
> Client without NAT - works fine. Move the same client behind NAT, and the traffic never makes it through properly. IPsec layer connects, ESP traffic arrives, packets even show up on enc0 but somehow never make it to the L2TP daemon.

Guys, why not putting a sticky on top of the How-To (https://doc.pfsense.org/index.php/L2TP/IPsec) that this works ONLY for clients not behind nat? I lost days banging my head against the wall … terrible experience. And a simple note would have saved me that.
-
I forgot to drop a note here but I did put a warning on the wiki doc.
-
Hello everybody,
I've tried my hand today at getting an IPSec/L2TP config running on my freshly installed pfSense box. After a tad of tinkering, I've managed to get my MacBook, tethered via iPhone, connected, but I cannot access any servers after I've been connected. As far as I can tell, I've set up my firewall rules properly (please see attached images). I've been rifling through the logs but I cannot make anything of it yet. I've added the L2TP and IPsec logs as well, although my untrained eye hasn't seen anything wrong.
Can anyone advise me on how to get this bit running? Any help would be hugely appreciated.
If anyone needs any more information, I'll be happy to oblige!

Kind regards,
Roald

![Screen Shot 2015-06-21 at 16.52.12.png](/public/imported_attachments/1/Screen Shot 2015-06-21 at 16.52.12.png)
![Screen Shot 2015-06-21 at 16.51.25.png](/public/imported_attachments/1/Screen Shot 2015-06-21 at 16.51.25.png)
![Screen Shot 2015-06-21 at 16.43.34.png](/public/imported_attachments/1/Screen Shot 2015-06-21 at 16.43.34.png)
![Screen Shot 2015-06-21 at 16.43.29.png](/public/imported_attachments/1/Screen Shot 2015-06-21 at 16.43.29.png)
-
@jimp I just wanted to point out this other post I have been troubleshooting; I noticed some really odd things.
https://forum.pfsense.org/index.php?topic=100600.msg561269#msg561269
I was able to connect behind NAT only on iOS 7.1.2: I get a logon and I can ping 8.8.8.8 (high pings) but no navigation, even following the wiki step by step. But on Windows 8.1 I cannot get a logon, nor on Windows 7 x32 or x64, Windows XP, or Mac :(
https://doc.pfsense.org/index.php/L2TP/IPsec
Thank you