L2TP IPSec VPN client behind pfsense 2.1 not working?


  • LAYER 8 Global Moderator

    BTW – this has nothing to do with IPv6, but not sure where else to post problems with the 2.1 line.

    OK, this used to work; at a loss as to what would have changed.

    Not currently in a place to test, but could someone point me to manual settings to make this work on

    2.1-DEVELOPMENT (i386)
    built on Fri Nov 25 17:45:38 EST 2011
    FreeBSD 8.1-RELEASE-p6

    Do I need to set Manual Outbound NAT rule generation vs Automatic in Firewall > NAT > Outbound?  It's currently not working if set to automatic.  If so, what specific rules do I need to set up?  If I set it to manual, only these rules are created:

    WAN   192.168.1.0/24 * * 500 * * YES Auto created rule for ISAKMP - LAN to WAN

    WAN   192.168.1.0/24 * * * * * NO Auto created rule for LAN to WAN

    WAN   127.0.0.0/8 * * * * 1024:65535 NO Auto created rule for localhost to WAN

    WAN   10.0.200.0/24 * * * * * NO Auto created rule for OpenVPN server

    Shouldn't I need something with GRE? What about ports 1701 and 4500 - do these need to be set to static?

    Been looking for some docs on how to allow an L2TP/IPsec client behind pfSense to connect to an external server, but cannot find anything on what rules need to be set up.

    I clearly see from the states that connections are on ports 500, 4500 and 1701, but I'm not seeing anything in the logs showing something being blocked.  The client just hangs.

    Again, this used to work, not sure when it stopped.  I noticed yesterday that it's not working, but with the Thanksgiving holiday and such I did not have to make any connections.  Verified the client is working at another location, so it's not the client.  Going to double check that tonight by connecting directly to my modem.

    BTW - only running the OpenVPN server on pfSense. The IPsec, L2TP and PPTP servers are off or not enabled.


  • LAYER 8 Global Moderator

    OK, well, I had some time this morning before I had to leave, and if I put the box outside pfSense and directly connected to my cable modem so it gets a public IP, the VPN client connects no problem.

    I have tried manual outbound NAT, forwarding the ports to the client's private IP; it's just not working when behind pfSense, and I know for a fact it used to without any special settings.

    Not sure exactly when it broke, but I am guessing after I went with the Nov 25 version.  I can try going back to the one from Oct, or if need be to the 2.0 line, but I really don't want to do that.  But I have to have this working.

    Any help/insight would be great!  I can allow access to pfSense to troubleshoot.  I can provide sniffs from outside and inside at the same time, etc.


  • LAYER 8 Global Moderator

    OK – very strange??  Could someone explain:

    If I UNCHECK "Disables the PF scrubbing option which can sometimes interfere with NFS and PPTP traffic", then it works fine; if CHECKED, then it just hangs.

    Now I know for sure I have not changed this setting recently; it used to work with it checked.  Now I have to uncheck it.  Just to be clear on what option I am talking about, see attached.

    If checked, the L2TP/IPsec VPN client cannot finish its connection to the server outside pfSense.  If I uncheck it, the client on my laptop works just fine.

    In the current setting, when checked, my VPN client on the laptop just hangs.  Can someone point to exactly what this setting does when it scrubs?

    edit:  OK, from this
    http://docstore.mik.ua/manuals/openbsd/faq/pf/scrub.html

    I would say you would normally want scrubbing on. Now I did not fragmented packets, which maybe the client doesn't like??  So I would have to do a sniff to verify, but I am guessing that now that I allowed scrubbing, pfSense fixes some of these packets and the client then likes them ;)
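    For readers following the two questions in this thread (which outbound NAT rules the automatic mode creates, and what the "Disable PF scrubbing" checkbox actually toggles), here is a constructed pf.conf fragment. It is added here as an illustration and is not pfSense's generated ruleset or anything posted by the participants; the interface name em0 and the variable names are assumptions, and the networks are the ones shown in the first post. Note that L2TP/IPsec does not use GRE (PPTP does), which is why no GRE rule appears: IKE runs over UDP 500, and with NAT traversal the ESP payload is carried in UDP 4500, so the only special handling the automatic rules give it is the static source port for ISAKMP.

```pf
# Constructed example (not pfSense's generated rules): the four auto-created
# outbound NAT rules from the first post in pf syntax, plus the scrub line that
# the "Disable PF scrubbing" option removes.
ext_if   = "em0"                # assumed WAN interface name
lan_net  = "192.168.1.0/24"     # LAN, from the thread
ovpn_net = "10.0.200.0/24"      # OpenVPN tunnel network, from the thread

# Normalization: reassemble IP fragments before NAT and filtering are applied.
# This is what the "Disable PF scrubbing" checkbox turns off; the thread reports
# the L2TP/IPsec client only completes its handshake while scrubbing is active.
scrub in all fragment reassemble

# "Auto created rule for ISAKMP - LAN to WAN": traffic to UDP/500 keeps its
# original source port (static-port) instead of being rewritten, because IKE
# peers commonly expect the remote end to talk from port 500.
nat on $ext_if from $lan_net to any port 500 -> ($ext_if) static-port

# "Auto created rule for LAN to WAN": everything else from the LAN is
# translated with a random high source port (pf default).
nat on $ext_if from $lan_net to any -> ($ext_if)

# "Auto created rule for localhost to WAN": firewall-originated traffic,
# translated into the 1024:65535 source-port range shown in the table.
nat on $ext_if from 127.0.0.0/8 to any -> ($ext_if) port 1024:65535

# "Auto created rule for OpenVPN server": the tunnel network behind the box.
nat on $ext_if from $ovpn_net to any -> ($ext_if)
```

    The thing to check when a client behind such a NAT "just hangs" without any block entries in the logs is exactly what the poster found: a normalization setting that alters fragmented UDP/4500 or UDP/1701 packets will not show up as a firewall block, so the state table and a packet capture on both sides of the box are the diagnostic, not the filter log.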




  • That's most likely the problem then. If xl2tpd is not started, then the client connection is not going to work. Any information when you commit the L2TP/IPsec configuration? Anything in the log if you lower the log level to debug?


  • LAYER 8 Global Moderator

    I think you're confusing my setup with running L2TP/IPsec on pfSense?

    As I thought I clearly stated, this does not have anything to do with pfSense acting as any part of the L2TP/IPsec connection, not a client, not a server.  The L2TP server is not set up, on or enabled at all.

    This is a client behind pfSense connecting to a server on the public internet outside pfSense.

    If I enable it, i.e. uncheck pfscrub, then it works.  If I disable pfscrub then it hangs.  It used to work just fine with pfscrub disabled, but now it does not.

    It is currently working, I don't have any issues with pfscrub being enabled.

