Looking for either L2TP or PPTP passthrough support - $150 bounty



  • Hello, I love pfsense but am a bit discouraged that it won't allow pptp or l2tp connections out from behind the firewall.  I understand pptp is a bug in the pf part of freebsd, so maybe l2tp would be a better fit?  I am willing to put out $150 to get either pptp or l2tp implemented.  Thank you!

    Chad



  • Bump…..is my bounty too small, or is this an insanely huge undertaking?  I understand Sullrich wants pptp to go away (which is fine), is l2tp just as bad?  This seems like an important aspect of having a firewall (being able to vpn OUT from behind it).



  • @rockbochs:

    Bump…..is my bounty too small, or is this an insanely huge undertaking?  I understand Sullrich wants pptp to go away (which is fine), is l2tp just as bad?  This seems like an important aspect of having a firewall (being able to vpn OUT from behind it).

    What's wrong with l2tp (I've never used it…so this is a serious question)?  Also, pptp does work, with limitations...one client at a time to any given endpoint (two clients to two different destinations should work) and you can't also have the pptp server running at the same time.

    --Bill



  • @billm:

    @rockbochs:

    Bump…..is my bounty too small, or is this an insanely huge undertaking?  I understand Sullrich wants pptp to go away (which is fine), is l2tp just as bad?  This seems like an important aspect of having a firewall (being able to vpn OUT from behind it).

    What's wrong with l2tp (I've never used it…so this is a serious question)?  Also, pptp does work, with limitations...one client at a time to any given endpoint (two clients to two different destinations should work) and you can't also have the pptp server running at the same time.

    --Bill

    Agreed, I don't have any experience with l2tp, just that it is included with the builtin windows client.  However, from doing some reading about pfsense it looks like l2tp should work from behind the firewall.  Having to disable the pptp server in order to vpn to another location just doesn't make sense (I understand it's a limitation in pf).  I'm not trying to be "that guy", just hoping that with the right amount of money, this small bug could be squashed ;D  I love pfsense, and would love to donate some money to make it even better!



  • @rockbochs:

    I'm not trying to be "that guy", just hoping that with the right amount of money, this small bug could be squashed

    Unfortunately this is not a small bug and we have already invested really a LOT of time and testing into this. From our point of view it's a freebsd issue and not a pfsense one and thus not easy to fix at our end. We have to do some more tests with the frickin package and disabled SCRUB (setting at system>advanced in newer snapshots) to see if we can work around it though.



  • @hoba:

    @rockbochs:

    I'm not trying to be "that guy", just hoping that with the right amount of money, this small bug could be squashed

    Unfortunately this is not a small bug and we have already invested really a LOT of time and testing into this. From our point of view it's a freebsd issue and not a pfsense one and thus not easy to fix at our end. We have to do some more tests with the frickin package and disabled SCRUB (setting at system>advanced in newer snapshots) to see if we can work around it though.

    Just for clarification, I was under the impression that this was a bug involving pptp, however NOT l2tp?  Is that a correct assumption, or am I way off?  For some reason I remember reading a post that said l2tp does NOT have the same limitation as pptp.



  • The bug is with the GRE protocol. I'm not familiar with L2TP either, if it doesn't use GRE then it shouldn't be affected.



  • I have many servers running L2TP/IPSEC VPN servers (openswan+l2tpd). L2TP is another layer 2 tunneling protocol used to add authentication to ipsec encrypted data. In fact, when using L2TP/ipsec for roadwarrior connections, ipsec encrypts the data using a PSK or a certificate over a tunneled session created with L2TP which needs a username/login to be established. L2TP is encapsulated within UDP flows on port 1701.
    The only thing to be careful with is the MTU size…since it is UDP encapsulated you have to ensure that big packets won't be fragmented, this is a server side configuration.
    It's better than PPTP in all ways...

    I really hope that pfsense will soon have a L2TP/ipsec vpn server ;-)



  • Please test the frickin pptp proxy package with the recent 1.2-BETA-1 or a recent snapshot.  It might work now.



  • Just did a whole bunch of testing and the frickin pptp package does not work…  :'(

    Well, back to IPSEC testing...



  • This doesn't seem to work for me either.  Is there configuration required other than installing the package?

    I'm willing to donate more to the bounty if it helps remove the limitation of one concurrent outbound PPTP connection to the same VPN server.  Thanks!



  • Yes, you most likely need to pick the interface and click save in the GUI.



  • I also just fixed a bug.  Please try Frickin again.

    Thanks!



  • I'm getting a couple of errors when I try this after selecting the LAN interface.  (I tried on both 1.2 BETA 1 and now under 1.2-BETA-1-TESTING-SNAPSHOT-06-06-2007) :

    Jun 7 00:45:16 Frickin: Network error (Address already in use)
    Jun 7 00:45:16 Frickin: Network error (Address already in use)
    Jun 7 00:45:16 Frickin: Frickin v2.0, running as daemon with pid 2091
    Jun 7 00:45:16 check_reload_status: reloading filter
    Jun 7 00:45:17 php: : Frickin is installed but not started. Not installing redirect rules.

    I also tried the reinstall all packages option (frickin is the only package installed) and I get this:
    Jun 7 00:42:47 php: /pkg_mgr_install.php: XML error: syntax error at line 1
    Jun 7 00:42:47 check_reload_status: reloading filter
    Jun 7 00:42:50 php: /pkg_mgr_install.php: Beginning package installation for frickin.
    Jun 7 00:42:13 dnsmasq[644]: reading /var/dhcpd/var/db/dhcpd.leases
    Jun 7 00:42:52 Frickin: Frickin v2.0, running as daemon with pid 1531
    Jun 7 00:42:52 Frickin: Network error (Address already in use)
    Jun 7 00:42:52 Frickin: Network error (Address already in use)
    Jun 7 00:42:55 check_reload_status: reloading filter
    Jun 7 00:42:56 php: : Frickin is installed but not started. Not installing redirect rules.
    Jun 7 00:42:56 php: : Frickin is installed but not started. Not installing redirect rules.

    I'm running OpenVPN server and a PPTP server.  Would one of those be conflicting? 
    Thanks for any help with this.



  • I removed that "is installed but not configured" message so you are still on the old version.



  • Sorry, do you mean the system version?  I got these errors running 1.2-BETA-1-TESTING-SNAPSHOT-06-06-2007
    built on Wed Jun 6 21:37:28 EDT 2007.  However, I did restore my backup xml config from 1.2-BETA-1 after the upgrade to the newer snapshot.  Would the restore have caused the version problem?  Or did you mean that I need a newer version of the package?  If so, how do I get that other than reinstalling it through the package manager?

    Thanks again.



  • Newer version of the package.  Uninstall the package and reinstall it.



  • Hello!

    I can add some "not working" information to this thread.

    Everything works very well until someone else from the LAN does a PPTP connection. After another machine has connected and disconnected a PPTP session my machine can't connect to any PPTP server. Reboot of pfSense solves the problem and I can connect again.

    I've experimented with PPTP for the last couple of days, and I can't get multiple client connections out through pfSense to work as it should.

    I'm running:
    .2-BETA-1-TESTING-SNAPSHOT-06-06-2007
    built on Sun Jun 10 06:19:22 EDT 2007
    +fricking 2.0-BETA2

    States when it works:
    ----------------
    tcp  aaa.bbb.192.132:1723 <- 10.0.5.117:2810  ESTABLISHED:ESTABLISHED 
    tcp 10.0.5.117:2810 -> xxx.yyy.143.48:57812 -> aaa.bbb.192.132:1723 ESTABLISHED:ESTABLISHED

    gre  aaa.bbb.192.132 <- 10.0.5.117  MULTIPLE:MULTIPLE 
    gre 10.0.5.117 -> xxx.yyy.143.48 -> aaa.bbb.192.132 MULTIPLE:MULTIPLE

    aaa.bbb. MS PPTP server
    xxx.yyy. and 10.0.5.117 MS PPTP client

    When it doesn't work:
    States look like the NAT is not complete on 1723 and GRE.
    Firewall complains about incoming GRE which is not let in.
    Windows PPTP client never finishes "Name Password...": Error: 619: The specified port is not connected.

    What information can I supply you with to make this more clear?
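The state listing above and the earlier remark that the bug is in GRE (PPTP's data channel has no port numbers, so a NAT has nothing to rewrite when a second LAN host talks to the same server) can be checked mechanically. The following is an added illustration, not pfSense or Frickin code: it parses `pfctl -s state` style lines in the layout quoted in this thread (no leading interface column), labels each state as PPTP (GRE / TCP 1723) or L2TP/IPsec (UDP 1701, 500, 4500 or ESP, which is not affected by the GRE limitation), and reports any remote peer that has GRE states from more than one LAN host. All addresses in the sample are constructed from RFC 5737 documentation ranges.

```python
"""Spot the GRE/PPTP passthrough collision in pf state output.

Added example, not part of pfSense or the Frickin package. Assumes the state
line layout quoted in the thread:  proto src -> nat -> dst STATE   (outbound)
                                   proto dst <- src STATE          (reply)
"""
from collections import defaultdict

# Constructed sample: two LAN hosts tunnelling to the same PPTP server (the
# failing case from the thread) plus one L2TP/IPsec client to another peer.
SAMPLE_STATES = """\
tcp 192.0.2.132:1723 <- 10.0.5.117:2810 ESTABLISHED:ESTABLISHED
tcp 10.0.5.117:2810 -> 198.51.100.48:57812 -> 192.0.2.132:1723 ESTABLISHED:ESTABLISHED
gre 192.0.2.132 <- 10.0.5.117 MULTIPLE:MULTIPLE
gre 10.0.5.117 -> 198.51.100.48 -> 192.0.2.132 MULTIPLE:MULTIPLE
tcp 10.0.5.118:3301 -> 198.51.100.48:57813 -> 192.0.2.132:1723 ESTABLISHED:ESTABLISHED
gre 10.0.5.118 -> 198.51.100.48 -> 192.0.2.132 MULTIPLE:MULTIPLE
udp 10.0.5.119:1701 -> 198.51.100.48:60001 -> 203.0.113.7:1701 MULTIPLE:MULTIPLE
"""


def split_endpoint(token):
    """'10.0.5.117:2810' -> ('10.0.5.117', 2810); GRE endpoints carry no port."""
    host, sep, port = token.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return token, None


def parse_state(line):
    """Parse one state line into a dict, normalising both directions so that
    'lan' is always the inside host and 'remote' the far end of the tunnel."""
    tokens = line.split()
    proto, state = tokens[0], tokens[-1]
    hops = tokens[1:-1]
    endpoints = [split_endpoint(t) for t in hops if t not in ("->", "<-")]
    if "->" in hops:  # outbound: src -> nat -> dst
        direction, (lan, lan_port), (remote, remote_port) = "out", endpoints[0], endpoints[-1]
    else:             # reply direction: dst <- src
        direction, (lan, lan_port), (remote, remote_port) = "in", endpoints[-1], endpoints[0]
    return {"proto": proto, "direction": direction, "lan": lan, "lan_port": lan_port,
            "remote": remote, "remote_port": remote_port, "state": state}


def parse_states(text):
    return [parse_state(line) for line in text.splitlines() if line.strip()]


def classify(st):
    """VPN family of a state. GRE is what PPTP passthrough trips over: it has
    no ports, so the NAT cannot distinguish two LAN clients of one server."""
    if st["proto"] == "gre" or (st["proto"] == "tcp" and st["remote_port"] == 1723):
        return "pptp"
    if st["proto"] == "esp" or (st["proto"] == "udp" and st["remote_port"] in (500, 1701, 4500)):
        return "l2tp/ipsec"
    return "other"


def find_gre_collisions(states):
    """Return {remote_peer: [lan_hosts]} for every remote peer that has GRE
    states from more than one LAN host, i.e. the 'one client per endpoint'
    situation in which the second PPTP session cannot be NATed correctly."""
    by_remote = defaultdict(set)
    for st in states:
        if st["proto"] == "gre":
            by_remote[st["remote"]].add(st["lan"])
    return {remote: sorted(hosts) for remote, hosts in by_remote.items() if len(hosts) > 1}


if __name__ == "__main__":
    states = parse_states(SAMPLE_STATES)
    for st in states:
        print(f"{st['proto']:4} {st['lan']:>12} -> {st['remote']:<14} {classify(st)}")
    for remote, hosts in find_gre_collisions(states).items():
        print(f"GRE collision towards {remote}: {', '.join(hosts)}")
```

Run against a real `pfctl -s state` dump, the collision report is the quickest way to confirm that a "second client cannot connect" report is the GRE limitation rather than a rule problem; a PPTP server running on the firewall itself consumes GRE on the same WAN address and shows up the same way. The UDP 1701 state is listed only to show that an L2TP/IPsec client is carried in ordinary UDP, which NAT handles per port.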



  • We just tested the new Frickin proxy with the newest snapshot, and it still does not appear to be functioning.  Has ANYONE gotten this to work yet?  My bounty still stands!  Thanks.

