Netgate Discussion Forum
    2.0-RC3 L2TP AND IPSEC CANT BE USED AT SAME TIME

    Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
    9 Posts, 3 Posters, 3.3k Views
      macafee:

      My pfSense version is 2.0-RC3 nanobsd (4g) (i386) built on Tue Jun 21 18:21:10 EDT 2011.
      I have a PPPoE connection to my ISP. I have set up an IPsec VPN tunnel to connect to my office, and I set up an L2TP VPN server on my pfSense. But I find that only my IPsec VPN tunnel is working and I can't use the XP or Win7 L2TP client to connect to my pfSense at the same time. On the other hand, I can connect to my pfSense with the XP or Win7 PPTP client if I disable the L2TP server and set up a PPTP VPN on my pfSense. Does pfSense not support using IPsec and an L2TP server at the same time?

        jimp (Rebel Alliance Developer, Netgate):

        L2TP and IPsec work - separately. They do not work as an IPsec+L2TP endpoint. At least not with how most clients expect it to work.

        In order to make that work, our IPsec daemon would have to be patched to accept anonymous IPsec pre-shared keys, which is a security risk. So it won't be happening for 2.0.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          macafee:

          So you mean that I can use IPsec and an L2TP server on different interfaces at the same time?

          Btw, does the pfSense 2.0 release resolve the PPTP problem where a user can't connect to another PPTP server on the LAN when the PPTP server is enabled on pfSense?

            jimp (Rebel Alliance Developer, Netgate):

            @macafee:

            So you mean that I can use IPsec and an L2TP server on different interfaces at the same time?

            Or the same interface even, just not together by the same client trying to combine the two functions.

            @macafee:

            Btw, does the pfSense 2.0 release resolve the PPTP problem where a user can't connect to another PPTP server on the LAN when the PPTP server is enabled on pfSense?

            No, there is a PPTP proxy we had tried to make work but the code was causing panics and hangs, and had to be backed out again.

              macafee:

              @jimp:

              @macafee:

              So you mean that I can use IPsec and an L2TP server on different interfaces at the same time?

              Or the same interface even, just not together by the same client trying to combine the two functions.

              I'm confused. You mean that I can set up IPsec and an L2TP server on the same interface and they can work together at the same time if they are not used by the same client. But I had tested it, and it can't work together. You can view my image file attached. In my circumstance, I use two pfSenses to connect to each other via an IPsec tunnel VPN. At that time, the 195.112.172.xxx/24 client can't use the XP or Win7 L2TP client to connect to the pfSense.

              [Attachment: pfsense.png]

                Metu69salemi:

                If I calculated the IPs from your image right, the clients and the server are in different subnets.

                  jimp (Rebel Alliance Developer, Netgate):

                  I'm saying you can do just IPsec for client access, you can do just L2TP for different clients to access, but you can't do IPsec+L2TP together for client access.

                  L2TP on its own provides no encryption, it's just a tunneling protocol. If something connects with purely L2TP, it would work fine, just doesn't get encrypted. That's why people want L2TP+IPsec, IPsec handles the encryption (in transport mode), and L2TP handles the tunneling of client data.

                  So if you have, say, an iPhone connecting with IPsec, and an Android phone connecting separately to L2TP, they could both connect and work. You just really wouldn't want to do that since the L2TP client would have no encryption.

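The distinction jimp draws above (IPsec-only client, bare L2TP client, and L2TP carried inside IPsec) is something a firewall admin can check for from traffic alone. The following is an added example, not pfSense code or anything from this thread: it classifies remote peers from a constructed list of flow records and flags any peer whose L2TP (UDP/1701) arrives on the WAN interface in the clear rather than on the decrypted-IPsec interface (assumed here to be named enc0, as on pfSense 2.x). The flow format is an assumption for the example, not the pfSense filter log layout.

```python
from collections import defaultdict

IKE_PORT, NATT_PORT, L2TP_PORT = 500, 4500, 1701

# Constructed sample flows: (interface, peer address, ip proto, dst port).
# "enc0" is assumed to be the interface where decrypted IPsec traffic shows
# up; "wan" is the outside interface. Addresses are documentation ranges.
SAMPLE_FLOWS = [
    ("wan",  "203.0.113.10", "udp", 500),    # peer A: IKE negotiation
    ("wan",  "203.0.113.10", "esp", None),   # peer A: ESP -> IPsec-only client
    ("wan",  "203.0.113.20", "udp", 1701),   # peer B: L2TP straight on WAN
    ("wan",  "203.0.113.30", "udp", 500),    # peer C: IKE negotiation
    ("wan",  "203.0.113.30", "udp", 4500),   # peer C: ESP over NAT-T
    ("enc0", "203.0.113.30", "udp", 1701),   # peer C: L2TP inside IPsec
]

PLAIN_L2TP = "L2TP without IPsec (unencrypted)"
L2TP_IPSEC = "L2TP/IPsec"
IPSEC_ONLY = "IPsec only"


def classify_peers(flows):
    """Map each peer address to the VPN mode its traffic pattern implies."""
    seen = defaultdict(set)
    for iface, peer, proto, port in flows:
        if proto == "esp" or (proto == "udp" and port in (IKE_PORT, NATT_PORT)):
            seen[peer].add("ipsec")
        elif proto == "udp" and port == L2TP_PORT:
            # L2TP on the decrypted interface was protected by ESP on the way
            # in; L2TP seen on the outside interface crossed the Internet bare.
            seen[peer].add("l2tp-inside-ipsec" if iface == "enc0" else "l2tp-clear")

    labels = {}
    for peer, tags in seen.items():
        if "l2tp-clear" in tags:
            labels[peer] = PLAIN_L2TP          # tunnel works, nothing is encrypted
        elif "l2tp-inside-ipsec" in tags:
            labels[peer] = L2TP_IPSEC          # what Windows/iOS/Android clients expect
        elif "ipsec" in tags:
            labels[peer] = IPSEC_ONLY
    return labels


def unencrypted_peers(flows):
    """Peers that should be investigated: their client data is on the wire in clear."""
    return sorted(p for p, label in classify_peers(flows).items() if label == PLAIN_L2TP)


if __name__ == "__main__":
    for peer, label in sorted(classify_peers(SAMPLE_FLOWS).items()):
        print(f"{peer:16} {label}")
    print("unencrypted:", unencrypted_peers(SAMPLE_FLOWS))
```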
                    macafee:

                    @Metu69salemi:

                    If I calculated the IPs from your image right, the clients and the server are in different subnets.

                    Sorry, the CIDR /28 should be /24. My problem is that the client can't connect to the pfSense.

                      macafee:

                      @jimp:

                      I'm saying you can do just IPsec for client access, you can do just L2TP for different clients to access, but you can't do IPsec+L2TP together for client access.

                      L2TP on its own provides no encryption, it's just a tunneling protocol. If something connects with purely L2TP, it would work fine, just doesn't get encrypted. That's why people want L2TP+IPsec, IPsec handles the encryption (in transport mode), and L2TP handles the tunneling of client data.

                      So if you have, say, an iPhone connecting with IPsec, and an Android phone connecting separately to L2TP, they could both connect and work. You just really wouldn't want to do that since the L2TP client would have no encryption.

                      Oh, I see. Thank you for your reply.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.