IPSEC / L2TP VPN with Windows Client and Active Dircetory


  • Hello all - this is my first post here, so I hope that I follow protocol by asking for assistance on this issue that I've encountered with our newly installed pfSense box.

    I have having issues getting the IPSec/L2TP VPN working while also using LDAP Authentication against an Active Directory Domain Controller

    1. VPN over IPSec and L2TP is working as long as I use the Local Database for Authentication
    2. I have followed several guides in setting up the LDAP part to work with Active Directory
    3. When I do the Diagnostics/Authentication test against the VPN from in the GUI of the pfSense, the authentication for the expected user ID works

    When I attempt to connect via a Windows built-in VPN client I recieve an error message that indicates that there is either an error with the ID/Password or with the encryption method used to connect.  When I look to the Domain Controller on the domain, I do not see any logs that indicate that there was any authentication attempt, failed or otherwise.

    Based on this info, I feel that my login info works from the pfSense to the DC (diag test).  I know that the ID and password I'm using is valid on the domain.  I know that the pfSense can talk to the OU on the Domain.

    I have tried PAP, MSCHAP, and MSCHAP v2.  I have tried with Just PSK and with PSK + XAuth.
    It FEELS like the pfSense is not passing my credentials back to the AD Domain Controller since I'm not seeing any logs getting to the DC
    It works when I connect using the exact same setup, but from an iPhone instead of a Windows PC.

    I am looking for help to troubleshoot the connection.  While I am "ok" with the idea of logging into the VPN at MY shop with the L2TP ID only (even though the password HAS to be weak), I'd like to understand how to make this work for my own implementation, but also for clients who I am planning on tuirning on to the the pfSense devices.

    Any help with what I've presented would be greatly appreciated.