Netgate Discussion Forum

    Looking for either L2TP or PPTP passthrough support - $150 bounty

    Expired/Withdrawn Bounties
    19 Posts 8 Posters 15.1k Views
    rockbochs wrote:

      Hello, I love pfsense but am a bit discouraged that it won't allow pptp or l2tp connections out from behind the firewall.  I understand pptp is a bug in the pf part of freebsd, so maybe l2tp would be a better fit?  I am willing to put out $150 to get either pptp or l2tp implemented.  Thank you!

      Chad

      Creator of world class Linux/FreeBSD appliances, including the popular StrongBochs pfSense appliance.

      rockbochs wrote:

        Bump... is my bounty too small, or is this an insanely huge undertaking?  I understand Sullrich wants pptp to go away (which is fine), is l2tp just as bad?  This seems like an important aspect of having a firewall (being able to vpn OUT from behind it).

        Creator of world class Linux/FreeBSD appliances, including the popular StrongBochs pfSense appliance.

        billm wrote:

          @rockbochs:

          Bump... is my bounty too small, or is this an insanely huge undertaking?  I understand Sullrich wants pptp to go away (which is fine), is l2tp just as bad?  This seems like an important aspect of having a firewall (being able to vpn OUT from behind it).

          What's wrong with l2tp (I've never used it…so this is a serious question)?  Also, pptp does work, with limitations...one client at a time to any given endpoint (two clients to two different destinations should work) and you can't also have the pptp server running at the same time.

          --Bill

          pfSense core developer
          blog - http://www.ucsecurity.com/
          twitter - billmarquette

          rockbochs wrote:

            @billm:

            @rockbochs:

            Bump... is my bounty too small, or is this an insanely huge undertaking?  I understand Sullrich wants pptp to go away (which is fine), is l2tp just as bad?  This seems like an important aspect of having a firewall (being able to vpn OUT from behind it).

            What's wrong with l2tp (I've never used it…so this is a serious question)?  Also, pptp does work, with limitations...one client at a time to any given endpoint (two clients to two different destinations should work) and you can't also have the pptp server running at the same time.

            --Bill

            Agreed, I don't have any experience with l2tp, just that it is included with the builtin windows client.  However, from doing some reading about pfsense it looks like l2tp should work from behind the firewall.  Having to disable the pptp server in order to vpn to another location just doesn't make sense (I understand it's a limitation in pf).  I'm not trying to be "that guy", just hoping that with the right amount of money, this small bug could be squashed ;D  I love pfsense, and would love to donate some money to make it even better!

            Creator of world class Linux/FreeBSD appliances, including the popular StrongBochs pfSense appliance.

            hoba wrote:

              @rockbochs:

              I'm not trying to be "that guy", just hoping that with the right amount of money, this small bug could be squashed

              Unfortunately this is not a small bug and we have already invested really a LOT of time and testing into this. From our point of view it's a freebsd issue and not a pfsense one and thus not easy to fix at our end. We have to do some more tests with the frickin package and disabled SCRUB (setting at system>advanced in newer snapshots) to see if we can work around it though.

              rockbochs wrote:

                @hoba:

                @rockbochs:

                I'm not trying to be "that guy", just hoping that with the right amount of money, this small bug could be squashed

                Unfortunately this is not a small bug and we have already invested really a LOT of time and testing into this. From our point of view it's a freebsd issue and not a pfsense one and thus not easy to fix at our end. We have to do some more tests with the frickin package and disabled SCRUB (setting at system>advanced in newer snapshots) to see if we can work around it though.

                Just for clarification, I was under the impression that this was a bug involving pptp, however NOT l2tp?  Is that a correct assumption, or am I way off?  For some reason I remember reading a post that said l2tp does NOT have the same limitation as pptp.

                Creator of world class Linux/FreeBSD appliances, including the popular StrongBochs pfSense appliance.

                cmb wrote:

                  The bug is with the GRE protocol. I'm not familiar with L2TP either, if it doesn't use GRE then it shouldn't be affected.

                  Juve wrote:

                    I have many servers running L2TP/IPSEC VPN servers (openswan+l2tpd). L2TP is another layer 2 tunneling protocol used to add authentication to ipsec encrypted data. In fact, when using L2TP/ipsec for roadwarrior connections, ipsec encrypts the data using a PSK or a certificate over a tunneled session created with L2TP which needs a username/login to be established. L2TP is encapsulated within UDP flows on port 1701.
                    The only thing to be careful with is the MTU size... since it is UDP encapsulated you have to ensure that big packets won't be fragmented; this is a server side configuration.
                    It's better than PPTP in all ways...

                    I really hope that pfsense will soon have a L2TP/ipsec vpn server ;-)

                    sullrich wrote:

                      Please test the frickin pptp proxy package with the recent 1.2-BETA-1 or a recent snapshot.  It might work now.

                      rockbochs wrote:

                        Just did a whole bunch of testing and the frickin pptp package does not work…  :'(

                        Well, back to IPSEC testing...

                        Creator of world class Linux/FreeBSD appliances, including the popular StrongBochs pfSense appliance.

                        nosborne wrote:

                          This doesn't seem to work for me either.  Is there configuration required other than installing the package?

                          I'm willing to donate more to the bounty if it helps remove the limitation of one concurrent outbound PPTP connection to the same VPN server.  Thanks!

                          sullrich wrote:

                            Yes, you most likely need to pick the interface and click save in the GUI.

                            sullrich wrote:

                              I also just fixed a bug.  Please try Frickin again.

                              Thanks!

                              nosborne wrote:

                                I'm getting a couple of errors when I try this after selecting the LAN interface.  (I tried on both 1.2 BETA 1 and now under 1.2-BETA-1-TESTING-SNAPSHOT-06-06-2007) :

                                Jun 7 00:45:16 Frickin: Network error (Address already in use)
                                Jun 7 00:45:16 Frickin: Network error (Address already in use)
                                Jun 7 00:45:16 Frickin: Frickin v2.0, running as daemon with pid 2091
                                Jun 7 00:45:16 check_reload_status: reloading filter
                                Jun 7 00:45:17 php: : Frickin is installed but not started. Not installing redirect rules.

                                I also tried the reinstall all packages option (frickin is the only package installed) and I get this:
                                Jun 7 00:42:47 php: /pkg_mgr_install.php: XML error: syntax error at line 1
                                Jun 7 00:42:47 check_reload_status: reloading filter
                                Jun 7 00:42:50 php: /pkg_mgr_install.php: Beginning package installation for frickin.
                                Jun 7 00:42:13 dnsmasq[644]: reading /var/dhcpd/var/db/dhcpd.leases
                                Jun 7 00:42:52 Frickin: Frickin v2.0, running as daemon with pid 1531
                                Jun 7 00:42:52 Frickin: Network error (Address already in use)
                                Jun 7 00:42:52 Frickin: Network error (Address already in use)
                                Jun 7 00:42:55 check_reload_status: reloading filter
                                Jun 7 00:42:56 php: : Frickin is installed but not started. Not installing redirect rules.
                                Jun 7 00:42:56 php: : Frickin is installed but not started. Not installing redirect rules.

                                I'm running OpenVPN server and a PPTP server.  Would one of those be conflicting? 
                                Thanks for any help with this.

                                sullrich wrote:

                                  I removed that "is installed but not configured" message so you are still on the old version.

                                  nosborne wrote:

                                    Sorry, do you mean the system version?  I got these errors running 1.2-BETA-1-TESTING-SNAPSHOT-06-06-2007
                                    built on Wed Jun 6 21:37:28 EDT 2007.  However, I did restore my backup xml config from 1.2-BETA-1 after the upgrade to the newer snapshot.  Would the restore have caused the version problem?  Or did you mean that I need a newer version of the package?  If so, how do I get that other than reinstalling it through the package manager?

                                    Thanks again.

                                    sullrich wrote:

                                      Newer version of the package.  Uninstall the package and reinstall it.

                                      iorx wrote:

                                        Hello!

                                        I can add some "not working" information to this thread.

                                        Everything works very well until someone else from the LAN does a PPTP connection. After another machine has connected and disconnected a PPTP session my machine can't connect to any PPTP server. Reboot of pfSense solves the problem and I can connect again.

                                        I've experimented with PPTP for the last couple of days, and I can't get multiple client connections out through pfSense to work as it should.

                                        I'm running:
                                        1.2-BETA-1-TESTING-SNAPSHOT-06-06-2007
                                        built on Sun Jun 10 06:19:22 EDT 2007
                                        + Frickin 2.0-BETA2

                                        States when it works:
                                        ----------------
                                        tcp  aaa.bbb.192.132:1723 <- 10.0.5.117:2810  ESTABLISHED:ESTABLISHED 
                                        tcp 10.0.5.117:2810 -> xxx.yyy.143.48:57812 -> aaa.bbb.192.132:1723 ESTABLISHED:ESTABLISHED

                                        gre  aaa.bbb.192.132 <- 10.0.5.117  MULTIPLE:MULTIPLE 
                                        gre 10.0.5.117 -> xxx.yyy.143.48 -> aaa.bbb.192.132 MULTIPLE:MULTIPLE

                                        aaa.bbb. MS PPTP server
                                        xxx.yyy. and 10.0.5.117 MS PPTP client

                                        When it doesn't work:
                                        States look like the NAT is not complete on 1723 and GRE.
                                        Firewall complains about incoming GRE which is not let in.
                                        Windows PPTP client never finishes "Name Password...": Error: 619: The specified port is not connected.

                                        What information can I supply you with to make this more clear?

                                        rockbochs wrote:

                                          We just tested the new Frickin proxy with the newest snapshot, and it still does not appear to be functioning.  Has ANYONE gotten this to work yet?  My bounty still stands!  Thanks.

                                          Creator of world class Linux/FreeBSD appliances, including the popular StrongBochs pfSense appliance.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.