Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    L2TP IPSec VPN client behind pfsense 2.1 not working?

    Scheduled Pinned Locked Moved
    IPv6
    2
    5
    8.3k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • johnpozJ
      johnpoz LAYER 8 Global Moderator
      last edited by

      BTW – this has nothing to do with ipv6, but not sure were else to post problems with the 2.1 line.

      Ok this use to work, at a loss to what would of changed?

      Not currently in a place to test, but could someone point me to manual settings to make this work on

      2.1-DEVELOPMENT (i386)
      built on Fri Nov 25 17:45:38 EST 2011
      FreeBSD 8.1-RELEASE-p6

      Do I need to set the Manual Outbound NAT rule generation vs Automatic in firewall NAT outbound?  Its currently not working if set to automatic.  If so what specific rules do I need to setup?  If I set to manual only these rules are created

      WAN   192.168.1.0/24 * * 500 * * YES Auto created rule for ISAKMP - LAN to WAN

      WAN   192.168.1.0/24 * * * * * NO Auto created rule for LAN to WAN

      WAN   127.0.0.0/8 * * * * 1024:65535 NO Auto created rule for localhost to WAN

      WAN   10.0.200.0/24 * * * * * NO Auto created rule for OpenVPN server

      Shouldn't I need something with GRE? What about ports 1701 and 4500 - do these need to be set to static?

      Been looking for some docs on how to allow L2TP IPSec client behind pfsense connect to external server but can not find anything on what rules need to be setup.

      Clearly see from states that connections are on ports 500, 4500 and 1701  But not seeing anything in the logs showing something being blocked.  But the client just hangs.

      Again this use to work, not sure when it stopped.  I noticed it yesterday that its not working but with thanksgiving holiday and such I did not have to make any connections.  Verified client is working at another location.  So its not the client.  And going to double check that tonight by connecting directly to my modem.

      BTW - only running openvpn server on pfsense. IPSEC, L2TP and PPTP servers are off or not enabled.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.03 | Lab VMs 2.7.2, 24.03

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        Ok well had sometime this morning before I had to leave, and if I put the box outside the pfsense and directly connected to my cable modem so it gets a public IP - vpn client connects no problem.

        I have tried manual outbound, forwarding the ports to the clients private IP, just not working when behind pfsense - and I know for a fact it use to without any special settings.

        Not sure exactly when it broke, but I am guess after I when with the nov 25 version.  I can try going back to the one in oct.  Or if need be to 2.0 line - but I really don't want to do that.  But I have to have this working.

        Any help insight would be great!  I can allow access to pfsense to troubleshoot.  I can provide sniffs from outside and inside at same time, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.03 | Lab VMs 2.7.2, 24.03

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by

          Ok – very strange??  Could someone explain

          If I UNCHECK - Disables the PF scrubbing option which can sometimes interfere with NFS and PPTP traffic.

          Then it works fine, if CHECKED then it just hangs..

          Now I know for sure I have not changed this setting recently, it use to work with it checked.  Now I have to uncheck it.  Just to be clear on what option I am talking about see attached.

          If checked L2TP IPsec vpn client can not finish connection to outside pfsense server.  If I uncheck it the client on my laptop works just fine.

          In this current setting when checked, then my vpn client on the laptop just hangs.  Can someone point to exactly what this setting does when it scrubs.

          edit:  ok from this
          http://docstore.mik.ua/manuals/openbsd/faq/pf/scrub.html

          I would say you would normally want scrubbing on - now I did not fragmented packets, which maybe the client doesn't like??  So I would have to do a sniff to verify, but I am guessing that now that I allowed scrubbing pfsense would fix some of these packets and client then likes them ;)

          PFscrub.jpg
          PFscrub.jpg_thumb

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.03 | Lab VMs 2.7.2, 24.03

          1 Reply Last reply Reply Quote 0
          • V
            VanIol
            last edited by

            Thats most likely the problem then. If xl2tpd is not started, then the client connection is not going to work. Any information when you commit the L2TP/IPsec configuration? Anything in the log if you lower the log level to debug?

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by

              I think your confusing my setup with running l2tp ipsec on pfsense?

              As I thought I clearly stated this is not have anything to do with pfsense acting as any part of the l2tp ipsec connection, not a client not server.  The l2tp server is not setup or on or enabled at all.

              This is a client behind pfsense connecting to a server on the public internet outside pfsense.

              If I enabled, ie uncheck pfscrub then it works.. If I disable pfscrub then it hangs.  It use to work just fine with pfscrub disabled - but now it is not.

              It is currently working, I don't have any issues with pfscrub being enabled.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.03 | Lab VMs 2.7.2, 24.03

              1 Reply Last reply Reply Quote 0
              • First post
                Last post