Official documentation - tutorials and examples - not working on netgate hardware

  • I have been studying and trying for days to make the VPN work, but with no luck.
    I had the natural impression that, for Netgate hardware, the documentation should GUARANTEE that the functionality is in place, as every product does. Why is that not the case here?
    For example, crappy documentation:

  • LAYER 8 Netgate

    Nice first post. Welcome to the forum.

    L2TP should not be used by anyone any more. Use IKEv2.

    I have personally used that IKEv2 walkthrough dozens of times to spin up mobile IPsec.

    One thing you have to realize is that the client side has been very fluid over the last couple of years. I guarantee that if I were to follow that walkthrough to the letter it would work with my iPhone and Mac.

    Better, use OpenVPN for your Remote Access VPN. The clients (especially Viscosity and OpenVPN Connect) have been quite reliable.

  • @Derelict please excuse my attitude in this first post; it was out of frustration :).

    The thing is that, in my personal opinion, if something is explained in the documentation of a product, that means it is guaranteed to work regardless of how secure or insecure it is. I actually come from a Ubiquiti USG, which worked fine, but I want something more, and the SG-3100 is the perfect replacement.
    Otherwise, what is the point of having information in the documentation if it cannot be used? It just affects the experience of the user. Netgate hardware + pfSense should work as in the pfSense documentation. Any other custom hardware config is another matter.

    I managed to set up OpenVPN and I have a transfer rate of 3.5 MB/sec, kinda low, but anyway at least it works.
    I also wanted to have, let's say, backups in case OpenVPN is not an option, as it requires actually installing something on the client machine, which might not be feasible in some environments. IPsec worked as in the documentation; however, NO internet traffic while connected to the VPN ...

  • LAYER 8 Netgate

    And IKEv2 will probably require PowerShell magic, etc. to make it work correctly, which is 100% on the administrator of the client system based on their choice of client system and its IKEv2 status.

    Which is more of an administrative burden?

  • My stations are mainly Apple Macs and some Android devices.
    At this moment I don't have any Windows machines, but I have colleagues for whom I would want the VPN to work.

    I will remake the IPsec config and come back when I encounter issues.

  • LAYER 8 Netgate

    There are some issues with the default, manual configuration on the Mac that doesn't work, but in general it does. You have to be sure to include whatever transforms, hashes, PFS, etc, every device connecting will require.

    The IPsec logs will show what the client is asking for and whether or not your configuration matches.

    It works completely differently when you configure the device using a profile.

    Netgate factory pfSense versions include a profile generator package for IKEv2 on Mac/iOS. When I test I don't use it though.

    Else you can use Apple's tools.
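As an added example (not code from the thread, from Netgate or from pfSense), here is a small Python checker for the kind of IPsec log lines the post above refers to. It assumes the strongSwan/charon "received proposals:" / "configured proposals:" line format that pfSense writes to the IPsec log; the sample log lines are constructed for this example, and the match rule (the two sides must share at least one algorithm of every transform kind the client offered) is a simplification of strongSwan's real proposal selection, not a copy of it.

```python
import re
from typing import Dict, List, Set

# Constructed sample of charon (strongSwan) IPsec log lines, shaped like what
# pfSense shows when a mobile IKEv2 client's Phase 1 proposal does not match.
# These lines are made up for this example, not taken from the thread.
SAMPLE_LOG = """\
Jan 10 12:00:01 charon: 06[IKE] <con-mobile|3> IKE_SA_INIT request received
Jan 10 12:00:01 charon: 06[CFG] <con-mobile|3> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 10 12:00:01 charon: 06[CFG] <con-mobile|3> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Jan 10 12:00:01 charon: 06[IKE] <con-mobile|3> no matching proposal found, trying alternative proposal
Jan 10 12:00:01 charon: 06[IKE] <con-mobile|3> no proposal found
"""

PROPOSAL_RE = re.compile(r"(received|configured) proposals: (.*)$")


def parse_proposals(log_text: str) -> Dict[str, List[List[str]]]:
    """Collect the client's ('received') and pfSense's ('configured')
    proposals as lists of transform names, e.g.
    ['AES_CBC_256', 'HMAC_SHA2_256_128', 'PRF_HMAC_SHA2_256', 'MODP_2048']."""
    found: Dict[str, List[List[str]]] = {"received": [], "configured": []}
    for line in log_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if not m:
            continue
        side, body = m.group(1), m.group(2)
        for prop in body.split(","):
            prop = prop.strip()
            if ":" in prop:                      # drop the "IKE:" / "ESP:" prefix
                prop = prop.split(":", 1)[1]
            found[side].append(prop.split("/"))
    return found


def transform_kind(name: str) -> str:
    """Classify a charon transform name by the IKE transform type it belongs to."""
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh_group"
    if name.startswith("PRF_"):
        return "prf"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integrity"
    if name in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "esn"
    return "encryption"   # AES_CBC_*, AES_GCM_*, 3DES_CBC, CHACHA20_POLY1305, ...


def by_kind(proposal: List[str]) -> Dict[str, Set[str]]:
    """Group a proposal's transforms by kind, so mismatches can be named per kind."""
    groups: Dict[str, Set[str]] = {}
    for name in proposal:
        groups.setdefault(transform_kind(name), set()).add(name)
    return groups


def find_mismatches(found: Dict[str, List[List[str]]]) -> List[dict]:
    """For each client proposal, decide whether some configured proposal can
    satisfy it and, if not, which transforms pfSense would need to add.
    Simplified rule (an assumption, not strongSwan's exact selection): the two
    sides must share at least one algorithm of every kind the client offered."""
    results = []
    configured = [by_kind(p) for p in found["configured"]]
    for prop in found["received"]:
        client = by_kind(prop)
        # Worst case (nothing configured at all): every kind is missing.
        best_gap = {k: sorted(v) for k, v in client.items()}
        for cfg in configured:
            gap = {k: sorted(v) for k, v in client.items() if not (v & cfg.get(k, set()))}
            if len(gap) < len(best_gap):
                best_gap = gap
            if not gap:
                break
        results.append({"client": "/".join(prop), "accepted": not best_gap, "missing": best_gap})
    return results


def report(log_text: str) -> List[str]:
    """Human-readable summary: one line per client proposal."""
    lines = []
    for r in find_mismatches(parse_proposals(log_text)):
        if r["accepted"]:
            lines.append(f"OK      {r['client']}")
        else:
            need = "; ".join(f"{k}: {', '.join(v)}" for k, v in sorted(r["missing"].items()))
            lines.append(f"REJECT  {r['client']}  -> pfSense lacks {need}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On the constructed sample, the first client proposal differs from the pfSense side only in the DH group (the client offers MODP_2048, pfSense only ECP_256), so the fix is to add DH group 14 to the Phase 1 entry or push ECP_256 to the client via a profile. The second proposal (AES-128/SHA1/MODP_1024) is the client's weak fallback; the checker shows it as rejected, and that is the right outcome: match the client's strong proposal rather than enabling SHA1 or group 2 on the server.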

  • Yep, that's what I've been using. I also discovered Apple Configurator, which seems interesting. I will come back after I recreate the whole IPsec stuff, as I tried a few of them and need to take it from scratch.
