2.0-RC3 L2TP AND IPSEC CAN'T BE USED AT THE SAME TIME



  • My pfSense version is 2.0-RC3 nanobsd (4g) (i386), built on Tue Jun 21 18:21:10 EDT 2011.
    I have a PPPoE connection to my ISP. I have set up an IPsec VPN tunnel to connect to my office, and I set up an L2TP VPN server on my pfSense. But I find that only my IPsec VPN tunnel is working, and I can't use the XP or Win7 L2TP client to connect to my pfSense at the same time. On the other hand, I can connect to my pfSense with the XP or Win7 PPTP client if I disable the L2TP server and set up a PPTP VPN on my pfSense. Does pfSense not support using IPsec and an L2TP server at the same time?


  • Rebel Alliance Developer Netgate

    L2TP and IPsec work - separately. They do not work as an IPsec+L2TP endpoint. At least not with how most clients expect it to work.

    In order to make that work, our IPsec daemon would have to be patched to accept anonymous IPsec pre-shared keys, which is a security risk. So it won't be happening for 2.0.



  • So you mean that I can use IPsec and an L2TP server on different interfaces at the same time?

    Btw, does the pfSense 2.0 release resolve the PPTP problem that a user can't connect to another PPTP server on the LAN when the PPTP server is enabled on the pfSense?


  • Rebel Alliance Developer Netgate

    @macafee:

    So you mean that I can use IPsec and an L2TP server on different interfaces at the same time?

    Or the same interface even, just not together by the same client trying to combine the two functions.

    @macafee:

    Btw, does the pfSense 2.0 release resolve the PPTP problem that a user can't connect to another PPTP server on the LAN when the PPTP server is enabled on the pfSense?

    No, there is a PPTP proxy we had tried to make work but the code was causing panics and hangs, and had to be backed out again.



  • @jimp:

    @macafee:

    So you mean that I can use IPsec and an L2TP server on different interfaces at the same time?

    Or the same interface even, just not together by the same client trying to combine the two functions.

    I'm confused. You mean that I can set up IPsec and an L2TP server on the same interface and they can work together at the same time if they are not used by the same client. But I had tested it, and it can't work together. You can view my attached image file. In my setup, I use two pfSense boxes to connect to each other via an IPsec tunnel VPN. At that time, the 195.112.172.xxx/24 client can't use the XP or Win7 L2TP client to connect to the pfSense.




  • If I calculated the IPs from your image right, the clients and the server are in different subnets.


  • Rebel Alliance Developer Netgate

    I'm saying you can do just IPsec for client access, you can do just L2TP for different clients to access, but you can't do IPsec+L2TP together for client access.

    L2TP on its own provides no encryption, it's just a tunneling protocol. If something connects with purely L2TP, it would work fine, just doesn't get encrypted. That's why people want L2TP+IPsec, IPsec handles the encryption (in transport mode), and L2TP handles the tunneling of client data.

    So if you have, say, an iPhone connecting with IPsec, and an Android phone connecting separately to L2TP, they could both connect and work. You just really wouldn't want to do that since the L2TP client would have no encryption.
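
The distinction drawn in the reply above (L2TP alone carries PPP in the clear; IPsec ESP supplies the encryption), as an added example that is not part of the original thread and is not pfSense code: a small Python classifier that tells plaintext L2TP (UDP/1701 with readable tunnel ID, session ID and PPP payload) from IPsec-protected traffic (ESP, or ESP inside UDP/4500 NAT-T). Every packet, address (RFC 5737 documentation ranges) and SPI below is constructed for the example; the same functions can be fed raw IPv4 datagrams from a capture taken on the firewall's WAN to check whether a client's L2TP session actually rides inside IPsec.

```python
"""Tell plaintext L2TP from IPsec-protected traffic in raw IPv4 datagrams.

Added example (not pfSense code): parses IPv4 -> UDP/1701 (L2TPv2) and
IPv4 -> ESP or UDP/4500 (NAT-T), so a capture from the firewall's WAN shows
whether an L2TP client's PPP frames are really wrapped in IPsec.
"""
import struct
from ipaddress import IPv4Address

PROTO_UDP, PROTO_ESP = 17, 50
L2TP_PORT, NATT_PORT = 1701, 4500


def parse_l2tp(data):
    """Decode an L2TPv2 header (RFC 2661). Returns ids, sequence numbers and,
    for data messages, the PPP frame that is sitting on the wire unencrypted."""
    if len(data) < 6:
        raise ValueError("short L2TP header")
    flags = struct.unpack("!H", data[:2])[0]
    if (flags & 0x000F) != 2:
        raise ValueError("not L2TPv2")
    control = bool(flags & 0x8000)  # T bit: control vs data message
    off = 2
    if flags & 0x4000:              # L bit: Length field present
        off += 2
    tunnel_id, session_id = struct.unpack("!HH", data[off:off + 4])
    off += 4
    ns = nr = None
    if flags & 0x0800:              # S bit: Ns/Nr present
        ns, nr = struct.unpack("!HH", data[off:off + 4])
        off += 4
    if flags & 0x0200:              # O bit: Offset Size field plus padding
        off += 2 + struct.unpack("!H", data[off:off + 2])[0]
    return {"control": control, "tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr, "ppp_payload": b"" if control else data[off:]}


def classify(pkt):
    """Classify one IPv4 datagram: plaintext L2TP, ESP, NAT-T ESP, IKE or other."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return {"kind": "non-ipv4", "encrypted": False}
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    base = {"src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20]))}
    payload = pkt[ihl:]
    if proto == PROTO_ESP and len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return {**base, "kind": "esp", "encrypted": True, "spi": spi, "seq": seq}
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        udp_payload = payload[8:]
        if L2TP_PORT in (sport, dport):
            # L2TP straight over UDP: ids and PPP are readable by anyone on the path
            return {**base, "kind": "l2tp-plaintext", "encrypted": False, **parse_l2tp(udp_payload)}
        if NATT_PORT in (sport, dport) and len(udp_payload) >= 4:
            if udp_payload[:4] == b"\x00\x00\x00\x00":   # non-ESP marker -> IKE over NAT-T
                return {**base, "kind": "ike-natt", "encrypted": False}
            spi = struct.unpack("!I", udp_payload[:4])[0]
            return {**base, "kind": "esp-natt", "encrypted": True, "spi": spi}
    return {**base, "kind": "other", "encrypted": False, "proto": proto}


def unencrypted_l2tp(samples):
    """Names of capture entries whose L2TP rides on the wire without IPsec."""
    return [name for name, pkt in samples.items() if classify(pkt)["kind"] == "l2tp-plaintext"]


# --- constructed sample datagrams (checksums zeroed; RFC 5737 addresses) -----
def build_ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def l2tp_control(tunnel_id, session_id, ns, nr):
    body = struct.pack("!HHHH", tunnel_id, session_id, ns, nr)
    return struct.pack("!HH", 0xC802, 4 + len(body)) + body   # T, L, S set; Ver=2


def l2tp_data(tunnel_id, session_id, ppp):
    return struct.pack("!HHH", 0x0002, tunnel_id, session_id) + ppp   # data message; Ver=2


LCP_CONF_REQ = b"\xff\x03\xc0\x21\x01\x01\x00\x04"   # PPP LCP Configure-Request
SAMPLES = {
    "l2tp_sccrq": build_ipv4(PROTO_UDP, "198.51.100.2", "203.0.113.1",
                             build_udp(L2TP_PORT, L2TP_PORT, l2tp_control(0, 0, 0, 0))),
    "l2tp_ppp_data": build_ipv4(PROTO_UDP, "198.51.100.2", "203.0.113.1",
                                build_udp(L2TP_PORT, L2TP_PORT, l2tp_data(5, 7, LCP_CONF_REQ))),
    "esp": build_ipv4(PROTO_ESP, "198.51.100.3", "203.0.113.1",
                      struct.pack("!II", 0xC0FFEE01, 1) + bytes(range(32))),
    "esp_natt": build_ipv4(PROTO_UDP, "198.51.100.4", "203.0.113.1",
                           build_udp(NATT_PORT, NATT_PORT, struct.pack("!II", 0xC0FFEE02, 7) + b"\x00" * 16)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14} {classify(pkt)['kind']}")
    print("plaintext L2TP:", unencrypted_l2tp(SAMPLES))
```

The classifier deliberately cannot look inside ESP: once L2TP is carried in an IPsec SA (transport mode for the usual L2TP/IPsec client, but the outer packet looks the same in tunnel mode), the only thing visible on the wire is an SPI and a sequence number, which is exactly what the plaintext L2TP entries lack. If the audit lists a client under plaintext L2TP, its PPP authentication exchange and everything after it are readable on path, which is the situation the reply above warns against.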



  • @Metu69salemi:

    If I calculated the IPs from your image right, the clients and the server are in different subnets.

    Sorry, the CIDR /28 should be /24. My problem is that the client can't connect to the pfSense.



  • @jimp:

    I'm saying you can do just IPsec for client access, you can do just L2TP for different clients to access, but you can't do IPsec+L2TP together for client access.

    L2TP on its own provides no encryption, it's just a tunneling protocol. If something connects with purely L2TP, it would work fine, just doesn't get encrypted. That's why people want L2TP+IPsec, IPsec handles the encryption (in transport mode), and L2TP handles the tunneling of client data.

    So if you have, say, an iPhone connecting with IPsec, and an Android phone connecting separately to L2TP, they could both connect and work. You just really wouldn't want to do that since the L2TP client would have no encryption.

    Oh, I see. Thank you for your reply.

