Can't connect to Pfsense behind NAT.



  • Hello, I have installed L2TP over IPsec and now from the client side I can't connect to the server behind NAT. Any suggestions?


  • LAYER 8 Global Moderator

    Well did you forward the ports/protocols needed through the NAT device in front of pfsense?  Normally for ipsec through a nat you need NAT-T which uses port 4500.

    Much easier to use, just say, openvpn, which is just one port, be it tcp or udp; that makes it easier to use through a nat. Especially when nat is being done on both sides (client and server side).



  • Yes, I forward port 4500 on the NAT device. Unfortunately I can't use OpenVPN instead of L2TP. I can attach more files if needed. Attached are all my config files.

    ![2016-05-23_1140 - Copy.png](/public/imported_attachments/1/2016-05-23_1140 - Copy.png)
    ![2016-05-18_1127_002 - Copy.png](/public/imported_attachments/1/2016-05-18_1127_002 - Copy.png)
    ![2016-05-18_1127_001 - Copy.png](/public/imported_attachments/1/2016-05-18_1127_001 - Copy.png)
    ![2016-05-18_1127 - Copy.png](/public/imported_attachments/1/2016-05-18_1127 - Copy.png)
    ![2016-05-18_1125_001 - Copy.png](/public/imported_attachments/1/2016-05-18_1125_001 - Copy.png)
    ![2016-05-18_1125 - Copy.png](/public/imported_attachments/1/2016-05-18_1125 - Copy.png)
    ![2016-05-18_1124 - Copy.png](/public/imported_attachments/1/2016-05-18_1124 - Copy.png)
    ![2016-05-18_1123_002 - Copy.png](/public/imported_attachments/1/2016-05-18_1123_002 - Copy.png)
    ![2016-05-18_1123 - Copy.png](/public/imported_attachments/1/2016-05-18_1123 - Copy.png)


  • LAYER 8 Global Moderator

    Where is your phase1, did you forward port 500?

    What is your client in this?  And why can you not use openvpn..  There are openvpn clients for pretty much every OS that I can think of.  Windows, Linux, MAC, bsd, android, IOS, etc. etc.



  • The previous last screenshot is Phase 1. In the screenshots you can see that I forward port 500. I created 2 phases, and the first image which I attached is from the client side. I installed from this link:
    https://doc.pfsense.org/index.php/L2TP/IPsec

    P.S.
    I can't set up OpenVPN, because this VPN server will be used for a Counting Cash Machine (they use Windows 2000 or 2003) and they don't support OpenVPN.



  • LAYER 8 Global Moderator

    Openvpn installs and works just fine on 2k and 2k3 machines.  As to anyone using 2k or 2k3 still..  WTF??  For a cash machine - I would think their last concern would be vpn anywhere ;)

    One thing that jumps out at me is your L2TP server setup: the IP address that is used as the gateway is outside the IP address you're giving to your clients. You're saying to use 10.20.16.1 as gateway but your clients network is 10.20.17/25, and then in your ipsec firewall rules tab your source is 10.20.16 but again it looks like your clients are on 10.20.17/25.

    This is a pretty clear walk through:
    https://doc.pfsense.org/index.php/L2TP/IPsec



  • Sorry, it is Google Translator :D I mean POS terminal. I fixed this issue. When I try to connect to the VPN server not behind NAT, it connects without any problem. But when I try to connect behind NAT, it shows me this error.



  • And I configured via this link.


  • LAYER 8 Global Moderator

    What link?  And if you're saying it works when not behind nat, then clearly it's the device in front of pfsense causing you your grief.  I don't understand how it would work with your misconfiguration of the IP and network you're giving your clients.

    Don't use nat would be my suggestion ;)  What is doing that nat in front of pfsense?  Do you have the pfsense wan in a DMZ host sort of setup, or are you forwarding what?  Ipsec likes that port 500 to be static for example.

