Route L2TP/IPSEC to Windows 2012 Server

  • I can't seem to get this to work. It works with SSTP and PPTP but not IPSEC. I know these are totally different, it just means that something has gone wrong in IPSEC clearly.

    I port forwarded UDP 4500, 500 and 1701 but nothing seems to work. I also used ESP and AH and nothing seems to work out. I read that IPSEC cannot be passed through a NAT without a global NAT-T setting.

    Anyone have any idea why this doesn't work?

  • I am currently trying to do the same but only to SBS2011 and had the same problem!

    You might have pfsense configured correctly, but it seems Microsoft disabled NAT-T for L2TP/IPsec from Vista onwards. The following KB article has the steps to create a registry key that will re-enable it.

    In summary create a DWORD (32bit) with the name "AssumeUDPEncapsulationContextOnSendRule" and a value of 2 under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent" and reboot.

    This worked for me when I had the ESP protocol and UDP ports 500+4500 forwarded by NAT rules to the SBS2011 server in pfsense. The VPN client (Windows 7) was on a remote network also behind NAT.

    Hope this solves your problem!

    PS: Although I could deploy this registry key to all of our clients through group policy, I am trying another method. Our ISP gives a small IPv4 subnet, so I am currently trying to get forwarding working without the registry key by using Virtual IPs and 1 to 1 NAT in pfsense (no luck yet, seems to have the same problem, no idea if it will ever work but I will post in this thread if it does).

  • Thanks for the reply. I was playing with it for a few days and came across your suggestion a few times. It does work, but the way things are set up right now it is not possible for me to implement that change in the registry.

    Right now I am using PPTP and can hardly sleep at night because of it. This is a production environment with 20 employees and I do not feel safe AT ALL with PPTP. Windows Server is acting as the VPN server and pfSense just forwards the requests. I have had no connection issues but still am actively looking for another way. L2TP/IPSEC is just not happening; SSTP requires I either purchase a cert OR I manually change all the users' home computers' registry and add the cert.

    The computers are not part of the domain but the users are, so I am limited in my options for policies. I think I may end up going the SSTP route and buying a cert. I did switch to Astaro and Zentyal for some time since they offer L2TP/IPSEC, but even then it is still not ideal because the users are not authenticated by the Windows server and can only access VPN, and if I really wanted the exact same thing with pfSense it's possible with a public facing NIC … I don't want to do that.

    If anyone comes across a more secure way of doing this I would love to hear, but it must be one of Windows' native clients other than PPTP which I use now (L2TP/IPSEC, SSTP, IKEv2).

    I also used Wireshark and pfSense to packet capture and try and see if it was possible for me to stop the routed packets from becoming manipulated, since apparently it is possible by encapsulating with IP proto 50, but I have had no luck... All of the packets come in malformed.

  • Off topic a little bit but I would like to explain my needs and maybe someone has a better suggestion all together (no vpn?)

    I am running one VMware server with 30 Windows 7 x64 machines. I am also running Proxmox on another server with 15 Linux servers for various uses (task management, website, mail proxy, SSTP, FTP etc etc). The last machine is a Windows 2012 server acting as the AD, DNS, VPN and File Sharing. I would have virtualized the server but the company I work for said they would prefer the Windows server be physical since it is the most valued machine and if something went wrong it would be easier to find someone to fix it if I am unavailable.

    Anyway, the way it is right now, a user logs in remotely using a VPN. When they log in they get a shared drive on their local computer with their files. The VPN also allows them to resolve the names of the machines they need to connect to. They open RDP and type in "PAT1" or something similar and are automatically connected to the machine via RDP. This is a big step since before it was VNC and FTP for data transfer…

    I basically need users to be able to access their own drive, their own VMs, and have it be very secure / fast. The machines are changing as we put up new machines and take down old machines; asking people to remember which ones are active is too difficult. When I take a machine down now I name the new one exactly the same as the old one .. that way it will always be "PAT1".

    Sorry if this is confusing, I just have no idea how to go about this any better than I already have ... the issue being security. One option is SharePoint but I don't really want to get into that boat right now.

  • I don't think I can help, but how are you planning to instruct the users to set up the VPN client? I would want something that requires next to no instructions, with that in mind…

    I have not done, or ever attempted, any of the following! (may not even be possible)

    Windows seems to store all VPN connections/settings in C:\Users\<username>\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk (open it with notepad). There should be a relative path which would allow you to (over)write this file for the current user; if you can give the user an executable/script that does this, it should also add the required registry key allowing you to use L2TP/IPsec etc. Setup instructions would be along the lines of: run my script, double click on the newly configured VPN and it will prompt for your username/password.

    pfsense can use LDAP (and RADIUS) as an authentication backend; I think this means you can run the VPN server on pfsense but authenticate the users using their AD accounts on the Windows 2012 server. This might let you run OpenVPN on pfsense and make use of the client export utility (creates an OpenVPN client installer which comes with the required configuration for your VPN server, available as an add-on package for pfsense). I have not yet looked into any NAT/etc issues with OpenVPN.

    I would keep on asking around, somebody might have some useful suggestions somewhere (perhaps a more Windows focused forum might yield better results?). Best of luck!
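    Putting the registry change from the earlier reply and the scripted client setup suggested in this post together, as an added example that is not code from any poster in this thread: it assumes a Windows 8 / Server 2012 or later client (Add-VpnConnection is in the built-in VpnClient module, so it will not work on the Windows 7 clients mentioned above), and the server address and pre-shared key are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from any poster. Placeholders below must be replaced.
$VpnName   = 'Office L2TP'
$VpnServer = 'vpn.example.com'        # placeholder: public address of the pfSense WAN
$Psk       = 'REPLACE-WITH-YOUR-PSK'  # placeholder; drop -L2tpPsk if RRAS uses certificate auth

# 1. The NAT-T value the earlier reply describes. Assumption from the Microsoft
#    KB that reply refers to: 2 = allow IPsec when BOTH client and server are
#    behind NAT (the setup described in this thread). A reboot is required.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$RegName = 'AssumeUDPEncapsulationContextOnSendRule'
$current = (Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue).$RegName
$rebootNeeded = $false
if ($current -ne 2) {
    New-ItemProperty -Path $RegPath -Name $RegName -PropertyType DWord -Value 2 -Force | Out-Null
    $rebootNeeded = $true
}

# 2. Create the connection entry (this is what Windows writes into rasphone.pbk)
#    unless it already exists. -AllUserConnection makes it visible to every user
#    of the machine; MS-CHAPv2 lets the server validate AD credentials.
if (-not (Get-VpnConnection -Name $VpnName -AllUserConnection -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $VpnName -ServerAddress $VpnServer `
        -TunnelType L2tp -L2tpPsk $Psk `
        -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
        -RememberCredential -AllUserConnection -Force
}

# 3. Show what was configured and tell the user whether a reboot is pending.
Get-VpnConnection -Name $VpnName -AllUserConnection |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
if ($rebootNeeded) {
    Write-Warning 'Registry changed: reboot before the first L2TP/IPsec connection.'
} else {
    Write-Host 'Ready: open the VPN from Network Connections and enter your AD username/password.'
}
```

The script is idempotent, so it can be re-run safely or wrapped in an installer the way the CMAK suggestion below describes.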

  • You do not need a public cert.
    I don't see AD CS in your environment, and this is a bad configuration: AD + VPN + File Sharing (for users' files) on one server. Also a physical AD is a very bad solution; today you can clone AD!

    Use the Microsoft tool CMAK. With this tool you can create an installer for the VPN user connection and all needed scripts: adding certs, registry modifications, routes etc.
    Users just need to install that.
    I don't see a problem using pfSense + Srv 2012 VPN L2TP/IPSec + adding registry keys using CMAK (Connection Manager Administration Kit),
    or pfSense + Srv 2012 + SSTP VPN + adding a Root CA certificate using CMAK (Connection Manager Administration Kit).

    In Server 2012 R2 you can set up Work Folders; this is exactly for your needs…
