Netgate Discussion Forum

    Known issues with L2TP/IPSEC PSK on pfSense v2.2.x ????

    10 Posts 4 Posters 2.4k Views
    • dave_vooservers

      Hi there,

      Due to the recent Apple release, a couple of remote devs for a client of ours are no longer able to connect using the PPTP VPN we had set up to a pair of HA pfSense boxes that sit on the edge of their environment, giving access to the management subnet.

      We are trying to configure L2TP/IPSEC; however, we have had zero luck. I remember this was also the case around a year or so ago when we first deployed these FWs (hence why we left them on PPTP, as they needed to work).

      Is there some sort of deep-seated bug or incompatibility with L2TP/IPSEC PSK VPNs and pfSense 2.2.x (specifically 2.2.3 and 2.2.6)? I only ask as we aren't new to this, and we aren't stupid either, and collectively we have around 15-20 engineer hours into this over the last couple days and have made absolutely no progress.

      Any suggestions or guidance past the "read the l2tp/ipsec guide in the wiki" is appreciated. (The (multiple) guide(s) do not work, even when followed to the letter).

      Thanks.

      • mikeboss

        works fine for me (and my customers). also had to move to L2TP over IPsec due to the upgrade to macOS Sierra. I followed the instructions from here: https://doc.pfsense.org/index.php/L2TP/IPsec

        I didn't get the tunnel up and running until I configured the floating rule mentioned at the bottom (troubleshooting)!

        regards,
        michael

        • jimp Rebel Alliance Developer Netgate

          Ignore L2TP/IPsec, move directly to IKEv2. If you have an SG device from us, use the profile exporter. Otherwise get the VPN profile builder from Apple and create a profile to easily import the VPN into your OS X and iOS devices.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          • mikeboss

            @jimp:

            Ignore L2TP/IPsec, move directly to IKEv2. If you have an SG device from us, use the profile exporter. Otherwise get the VPN profile builder from Apple and create a profile to easily import the VPN into your OS X and iOS devices.

            wait, what? there's a profile exporter in the appliances? I did not find any hints about this on the website or in the store... this for sure would be a strong reason to buy turn-key ready systems. where can I find information about this? also I didn't find a feature comparison chart where I can see the differences between the commercial and community editions of pfSense...

            regards,
            michael

            • jimp Rebel Alliance Developer Netgate

              We don't have a document like that at the moment, but one is in the works.

              The SG units ship with several extras, two of which are:

              • The AWS wizard to completely automate the setup of VPN tunnels to AWS (IPsec+BGP setup on pfSense, AWS setup using their API, etc) (VPN > AWS VPC VPN Wizard)
              • The IPsec profile exporter which puts out a profile based on the current mobile IPsec configuration, which can be imported into iOS and OS X easily. It's fully automated (VPN > Apple IPsec Profile)

              If the factory firmware is installed and those do not show up, they can be reinstalled using the package manager. Search for "wizard" and you'll see them.

              • mikeboss

                very interesting! thanks for clearing this up. is there a way to try this wizard or do I have to buy an appliance? or is it possible to get this add-on as a (paid) option for the community edition?

                regards,
                michael

                • jimp Rebel Alliance Developer Netgate

                  Currently, there is no path to get it other than buying one of our SG devices.

                  • AxSD

                    I followed this guide too but it does not seem to work for OS X:

                    https://doc.pfsense.org/index.php/L2TP/IPsec

                    So if I did not buy a pre-built unit from you guys, how can I mimic this exporter feature?

                    • jimp Rebel Alliance Developer Netgate

                      It doesn't work for L2TP/IPsec, just IPsec, and it's mainly geared toward IKEv2.

                      Apple has a VPN profile creation tool that you can use to craft a file that can be imported into OS X and iOS; you'd need to get that and use it.

                      • mikeboss

                        @AxSD:

                        I followed this guide too but it does not seem to work for OS X:

                        https://doc.pfsense.org/index.php/L2TP/IPsec

                        So if I did not buy a pre-built unit from you guys, how can I mimic this exporter feature?

                        it works fine with OS X and macOS. just make sure that you configure the floating rule mentioned at the bottom (troubleshooting)!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.