IPSec/L2TP with pfSense 2.2

MitchMiller

I am having the exact same issues. I cannot get IPSEC/L2TP to connect following the guides.

micksel

Same problem here, I can see the IPSec tunnels created and then timeout but noting under L2TP.

I’ve tried with a Win7 client (behind NAT) and my Android Phone (Not NAT), none of them gets longer that IPSec. It seems that the traffic doesn’t get to the L2TP service?

I’s there anyone that has any ideas I really need to have this working asap

But this is very interesting If I try to connect to the VPN when I’m on my local LAN (any to my Local PFSense IP) than everything works okay? The L2TP/IPSec tunnel is created and I can see the established connection under IPsec and L2TP

So It must be some firewall-rule or something like that I’m missing

micksel

No luck with the Firewall rule, I create a Allow Everything rule but no success, almost seems like a bug…
anyone?

jimp

It may be a bug in strongSwan.

Client without NAT - works fine. Move the same client behind NAT, and the traffic never makes it through properly. IPsec layer connects, ESP traffic arrives, packets even show up on enc0 but somehow never make it to the L2TP daemon.

It's not exclusive to pfSense, either… https://lists.strongswan.org/pipermail/users/2014-September/006638.html

Judging by responses to other similar issues by the strongSwan folks, it sounds like they really don't like L2TP/IPsec with NAT and probably won't fix it since people have moved on to other things.

Switching to IKEv2 is probably best.

micksel

Thanks for your answer,
Seems that I will need to into that or look at placing a Windows RAS IPSec/L2TP behind PFsense With NAT (seems like a headeche to be)

mwp821

@jimp:

Looks like the rules are somehow not matching as expected. Maybe inbound L2TP traffic is actually bypassing pf and not receiving a state?

If you add a Floating rule (quick=checked, dir=out, interface=l2tp, source=any, destination=any, TCP Flags=Any Flags, State Type=Sloppy State) it works.

This was so critical to getting a brand new L2TP/IPsec VPN working on a fresh install of 2.2.1 that I feel like it should be in a sticky at the top!

jimp

@mwp821:

@jimp:

Looks like the rules are somehow not matching as expected. Maybe inbound L2TP traffic is actually bypassing pf and not receiving a state?

If you add a Floating rule (quick=checked, dir=out, interface=l2tp, source=any, destination=any, TCP Flags=Any Flags, State Type=Sloppy State) it works.

This was so critical to getting a brand new L2TP/IPsec VPN working on a fresh install of 2.2.1 that I feel like it should be in a sticky at the top!

It's mentioned in the guide: https://doc.pfsense.org/index.php/L2TP/IPsec

mwp821

@jimp:

@mwp821:

@jimp:

Looks like the rules are somehow not matching as expected. Maybe inbound L2TP traffic is actually bypassing pf and not receiving a state?

If you add a Floating rule (quick=checked, dir=out, interface=l2tp, source=any, destination=any, TCP Flags=Any Flags, State Type=Sloppy State) it works.

This was so critical to getting a brand new L2TP/IPsec VPN working on a fresh install of 2.2.1 that I feel like it should be in a sticky at the top!

It's mentioned in the guide: https://doc.pfsense.org/index.php/L2TP/IPsec

Yes, but I couldn't even connect (via TCP) to any of my internal systems without it. Maybe change the description and/or move it out of "Troubleshooting" and into the main "Firewall Rules and NAT" section? Just a suggestion.

meta4

after upgrading to 2.2.2 i lost t2tp ipsec vpn connectivity.

nothing is showing up in logs when i attempt to connect.

was working fine on 2.2.1 using osx and ios clients.

any changes after the update that i should check?

ive gone through my config twice and cant find anything wrong

yassen

@jimp:

It may be a bug in strongSwan.

Client without NAT - works fine. Move the same client behind NAT, and the traffic never makes it through properly. IPsec layer connects, ESP traffic arrives, packets even show up on enc0 but somehow never make it to the L2TP daemon.

Guys, why not putting a sticky on top of the How-To (https://doc.pfsense.org/index.php/L2TP/IPsec) that this works ONLY for clients not behind nat? I lost days banging my head against the wall … terrible experience. And a simple note would have saved me that.

jimp

I forgot to drop a note here but I did put a warning on the wiki doc.

roaldhoolwerf

Hello everybody,

I've tried my hand today at getting a IPSec/L2TP config running on my freshly installed pfSense box. After a tad of tinkering, I've managed to get my macbook-tethered-via-iPhone connected, but I cannot access any servers after I've been connected. As far as I can tell, I've set up my firewall rules properly (please see attached images). I've been rifling through the logs but I cannot make anything of it yet. I've added the L2TP and IPsec logs as well, although my untrained eye hasn't seen anything wrong.

Can anyone advice me on how to get this bit running? Any help would be hugely appreciated.
If anyone needs any more information, I'll be happy to oblige!

Kind regards,
Roald


killmasta93

@jimp i just wanted to point out this other post I have been troubleshooting and realized really odd things.

https://forum.pfsense.org/index.php?topic=100600.msg561269#msg561269

I was able to connect behind NAT only on ios 7.1.2 and i get a log on and i can ping 8.8.8.8 (high pings) but no navigation even following step by step of the wiki  , but on windows 8.1 cannot get a logon nor windows 7 x32 , x64 and windows xp also on MAC  :(

https://doc.pfsense.org/index.php/L2TP/IPsec

Thank you

Panja

I've got this all to work and I can connect with my iPhone and MacBook without problems now.
Thanks to this guide: https://doc.pfsense.org/index.php/L2TP/IPsec

One question though.
I have enabled the IPsec widget on the dashboard page.
But when someone connects to my VPN I do not see any changes in the widget?
Active tunnels stays on 0. Mobile users stays on 0.
Shouldn't that change to 1 (or more) when users connect?

When I go to status –> IPsec --> overview
I do see that users are connected.

Isn't there a more detailed status page for VPN connected users?
For instance what (internal) IP they have etc, computer/hostname etc.

killmasta93

@panja i have followed that guide on 2.2 and on 2.2.4 and nothing I also tried other configuration and nothing But I was able to to get on IOS but not on windows. I just gave up and did L2TP without IPsec

Panja

I did not try Windows yet.
Will do later on and post back.

The problem is I want a VPN connection that is supported natively on machines.
OpenVPN is great but on all machines (Windows, Mac, iOS etc) you'll have to download an app before you can connect.

jimp

L2TP is not good, really. Move on to IKEv2. It will work on Windows 7+ Natively, Ubuntu with network manager, OS X 10.11+, iOS 9+, and Android with the strongSwan app. That's as close as you're going to get. Requiring a native VPN client is a silly requirement anyhow, but if you insist, IKEv2 is the answer.

Panja

@Panja:

One question though.
I have enabled the IPsec widget on the dashboard page.
But when someone connects to my VPN I do not see any changes in the widget?
Active tunnels stays on 0. Mobile users stays on 0.
Shouldn't that change to 1 (or more) when users connect?

When I go to status –> IPsec --> overview
I do see that users are connected.

Isn't there a more detailed status page for VPN connected users?
For instance what (internal) IP they have etc, computer/hostname etc.

Does anyone know this?

jimp

There isn't a good way to represent L2TP/IPsec in the IPsec wizard. The IPsec side has no knowledge of the username, that's in L2TP not IPsec.

Anything done with L2TP/IPsec is likely a wasted effort. IKEv2 is so much easier and smoother, it's just not worth the headache to keep pounding away at L2TP/IPsec when it's not going to work right in most cases.