IPSec/L2TP with pfSense 2.2
-
I'm unable to get a working config using:
https://doc.pfsense.org/index.php?title=L2TP/IPsec&oldid=7045
I also altered the config using the setup posted by themaninblack earlier in this thread without any success.
Trying to connect from an OS X client and iOS.
-
Just a data point that I have gotten L2TP/IPsec working in testing with three virtual machines under Parallels, one pfSense 2.2 server, one Mavericks Mac on the LAN acting as a server, and one Mavericks Mac on the WAN acting as a VPN client. I can connect and reach the LAN server to share files over AFP.
I pretty much followed the steps in meta4's link above and made sure to use the 'allusers' PSK identifier, the Floating Firewall Rule was in place (or AFP connections to the LAN didn't pass), and set the DH key group to 2 (1024 bit) to support the Macs.
I've not enabled this in production as the existing LAN network would likely be unreachable. If anyone is aware of an OpenVPN equivalent of 'push "route 10.0.0.0 255.255.0.0"' for the L2TP/IPsec approach, details would be appreciated…
-
Really looking forward to connecting to pfSense with a built-in Win8.1 or Android VPN client.
I followed the directions from the wiki:
https://doc.pfsense.org/index.php?title=L2TP/IPsec&oldid=7045
Status: The IPSec tunnel is created successfully, but the L2TP connection times out. No entries in L2TP or firewall logs. Packet capture on IPSec interface comes up empty.
I have allow-all rules in IPSec and L2TP VPN firewall tabs, and added the floating rule from the wiki. Not sure how to diagnose from here, but willing to try if anyone has any suggestions.
-
Hi all,
Same problem here. IPSec tunnel was successfully established with the client but after that there's no l2tp connection.
I've tried many things (as Phoenix and pfSalmon) with no success.
-
Got the same problem. IPSec connects but nothing shows up in the l2tp logs. The client tries and throws error 809 after a while.
Is there any solution yet?
-
Looks like there may be an issue when the client itself is behind NAT. Is that the case for everyone seeing problems?
-
Looks like there may be an issue when the client itself is behind NAT. Is that the case for everyone seeing problems?
It's not true.
The IPSec/L2TP VPN can be established on iOS, no matter whether it's behind NAT or on a 3G/4G network (actually that's the same as behind NAT). But it couldn't work on Win7/8.1 clients.
-
OK, that's consistent with one of our other tests. The problem seems to be Windows Clients with NAT. iOS seemed to connect OK either way.
-
For me, everything is connecting fine.
However, the address that is entered for Remote Address Range is 192.168.32.0. This is the IP being handed out when I connect, which, of course, doesn't work.
This is not the address I entered. Whenever I try to change the address to something like 192.168.32.15, for example, pfSense changes it back to 192.168.32.0.
Am I assuming correctly this is not the desired behavior?
If this is not the correct behavior, how do I fix this?
How can I get it to accept an address that ends in something other than .0?
Thanks in advance!
-
Fix your subnet mask. It will align the clients to start at the beginning of the entered "subnet".
Since it's a fake subnet anyhow, .0 should work in that context, does it not?
-
As I configure a road warrior setup my clients are always behind NAT. Please note, that I tested Win8.1 and Android - neither works.
-
Looks like there may be an issue when the client itself is behind NAT. Is that the case for everyone seeing problems?
Yes, it is behind NAT.
-
Looks like there may be an issue when the client itself is behind NAT. Is that the case for everyone seeing problems?
Yes, it is behind NAT.
Then you should look at the identity sent by the mobile clients.
Before, racoon was tolerant of this identity if the remote IP matched either the one sent by the client or the one retrieved from the packet itself.
-
I've tried to configure Android 4.1.2 L2TP https://doc.pfsense.org/index.php/L2TP/IPsec_on_Android#L2TP_Setup
Nothing works. If you use an IPsec identifier, then Android forces aggressive mode and the connection fails, because you can not enable aggressive mode in strongswan when no xauth is enabled and… you can not use IPsec without an identifier if you don't use xauth. Epic...
Is somebody else running IPsec with Android 4.1 on 2.2?
EDIT:
Solution
strongswan app + generated certificate with an additional Alternative Name "DNS" that must be similar to the Common Name. The connection type is
EAP-TLS, and the peer identifier is the same as the Common Name in the cert.
-
Hi there,
I, too, spent the last two days trying to set this up properly, unfortunately with little success.
Like pfSalmon and others I get a working IPSec connection (and it detects my LAN IP behind NAT) but L2TP won't respond at all, leading to an 809 error on Windows.
I did everything like in the docs tutorial and added the floating filter (made no difference).
Unfortunately I can't contribute any info that might help to find the solution either, I'm pretty much a noob in that area.
Hope someone will find a fix soon :)
-
I'm also having the same issue. My VPN clients can connect, but they can't access anything inside the network.
-
I hope this doesn't get too messy, as there are people here who get a L2TP connection but can't communicate with local clients while others (like me) get an IPSec connection but no L2TP connection.
On that Note, I noticed something "weird looking" in the L2TP Raw Logs:
Feb 22 17:22:11 l2tps: process 34657 started, version 4.4.1 (root@pfsense-22-amd64-builder 12:58 18-Nov-2014)
Feb 22 17:22:11 l2tps: Label 'startup' not found
Feb 22 17:22:11 l2tps: [l2tp0] using interface l2tp0
Feb 22 17:22:11 l2tps: L2TP: waiting for connection on 0.0.0.0 1701
Is this "correct" behavior?
-
I am having the same issue across the board with getting ipsec going. I followed this to the letter:
https://doc.pfsense.org/index.php/L2TP/IPsec
but still can't get a tunnel established. The closest I get is possibly the IPsec tunnel being established but no L2TP.
Machines tested:
Windows 2008 Server, Android 5.0.1, Android 4.4.4
Any help would be appreciated as I have been trying to get this going for about a week now.
-
Any updates on this? did anyone find a solution or will this issue be addressed in a future update?
EDIT: More weird stuff.. after experimenting with IKEv2 n other VPN settings, AES doesn't work as encryption method for Phase 1 IPsec anymore, only 3DES does, and I'm very confident that it did beforehand…
-
https://doc.pfsense.org/index.php/L2TP/IPsec
I just followed this and did a slightly different configuration. Now it works on my iPhone/iPad and my MacBook Air (Yosemite 10.10.1).
In Phase 1, iOS only support DH group 2, not 14.
If I change the DH group to 14 (MODP_2048), I'll receive a mismatch error in the logs:
Mar 3 09:49:39 charon: 10[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Mar 3 09:49:39 charon: 10[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
So it shows the iOS/OSX supports AES(128/256) or 3DES with DH group 2 in Phase 1.
If a Windows 2008 R2 client connects , the log shows this:
Mar 3 10:17:54 charon: 13[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
It shows the Windows client supports AES256 with DH group 14 or 3DES with DH group 2/14. The hash algorithm only supports SHA1.
When an Android 4.1.1 client connects, the log looks like this:
Mar 3 10:23:47 charon: 08[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
The Android client supports AES(128/256)/3DES/DES , with DH group 2.
At last I configured Phase 1 to use 3DES, SHA1, DH group 2, and it works for iOS/Android/Mac OS X/Windows. It's less secure but that's enough for me.
If your iPhone can connect but you can't access any website, just follow that guide and add a floating firewall rule. It'll work.
But now when Android and Windows connect, Status > IPsec shows a client connected and an IPsec tunnel established, but after about half a minute the client shows connection failed. And there are no L2TP logs.
Then I tried a Windows client with a public IPv4 address, and it connected successfully.
It seems Android and Windows can't dial L2TP behind NAT now.
Hope someone will find a fix for this.
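As an added example (not code from the thread or from pfSense), a small Python script that parses the charon "received proposals" / "configured proposals" lines quoted in the post above, checks which clients a given configured proposal can negotiate with, and computes the intersection across the three clients. This reproduces the reasoning above: DH group 14 (MODP_2048) only matches the Windows client, and 3DES/SHA1/DH group 2 is the single proposal all three offer. The legacy-component flagging is my own addition.

```python
import re
from typing import Iterable, Set

# charon log lines quoted in the post above: one "received proposals" line per client OS,
# plus the "configured proposals" line from the DH group 14 attempt.
LOGS = {
    "ios": "Mar 3 09:49:39 charon: 10[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024",
    "windows": "Mar 3 10:17:54 charon: 13[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
    "android": "Mar 3 10:23:47 charon: 08[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024",
}
CONFIGURED_DH14 = "Mar 3 09:49:39 charon: 10[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048"

PROPOSALS_RE = re.compile(r"\b(?:received|configured) proposals: (.+)$")
# Components worth flagging when they end up being the only common ground (my own list).
LEGACY = {"DES_CBC", "3DES_CBC", "HMAC_MD5_96", "PRF_HMAC_MD5", "MODP_1024"}


def parse_proposals(line: str) -> Set[str]:
    """Return the ENC/INTEG/PRF/DH proposal strings from one charon [CFG] log line."""
    m = PROPOSALS_RE.search(line)
    if not m:
        return set()
    items = (p.strip() for p in m.group(1).split(","))
    return {p[4:] if p.startswith("IKE:") else p for p in items if p}


def negotiates(configured_line: str, received_line: str) -> bool:
    """True when at least one configured proposal matches what the peer offered."""
    return bool(parse_proposals(configured_line) & parse_proposals(received_line))


def common_proposals(lines: Iterable[str]) -> Set[str]:
    """Proposals every client in `lines` offered: the only Phase 1 choices that serve all of them."""
    sets = [parse_proposals(line) for line in lines]
    return set.intersection(*sets) if sets else set()


def legacy_components(proposal: str) -> Set[str]:
    """Which parts of a proposal are in LEGACY, so the security trade-off is explicit."""
    return set(proposal.split("/")) & LEGACY


if __name__ == "__main__":
    for name, line in LOGS.items():
        print(f"{name}: DH14 config negotiates = {negotiates(CONFIGURED_DH14, line)}")
    for p in sorted(common_proposals(LOGS.values())):
        print("common to all clients:", p, "legacy parts:", sorted(legacy_components(p)))
```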