IPsec/L2TP and Windows 7
-
Hi,
I am trying to set up IPsec/L2TP with a Windows 7 client.
I followed the information in https://forum.pfsense.org/index.php?topic=83321 however it doesn't seem to get a connection. From what I can tell from the pfSense logs, IPsec connects but nothing is showing in the L2TP logs.
Has anyone got this working since it went into RC?
Version: 2.2-RC (amd64) built on Thu Dec 11 03:41:41 CST 2014 FreeBSD 10.1-RELEASE-p1
Below is my config
IPsec Phase 1
IKEv1
Authentication method: Mutual PSK
Negotiation mode: main
My identifier: My IP address
Encryption algorithm: 3DES
Hash algorithm: SHA1
DH Key group: 2
Lifetime: 28800
NAT Traversal: Force
DPD: Enabled
Phase 2:
Mode: Transport
Protocol: ESP
Encryption algorithms: 3DES, AES (auto)
Hash algorithms: MD5, SHA1
PFS Key group: off
Lifetime: 28800
L2TP:
Interface WAN
Server Address and Remote Address range set
Secret: Same as IPsec PSK (tried with and without)
Authentication Type: CHAP
Tried with Pre-Shared Key identifiers of "allusers" and "any"
Firewall rules set to allow the following to "This Firewall"
UDP 500, 1701 and 4500
AH and ESP
Any idea why it might not be working?
Thanks
-
I've got it working (well, sort of) using Windows 7. Below are my settings for IPsec (I found all my problems were with IPsec, and L2TP doesn't have that many settings anyway).
Phase 1:
Key Exchange version: auto
Authentication method: Mutual PSK
Negotiation mode: Main
My identifier: My IP address
Encryption algorithm: AES 256
Hash algorithm: SHA1
DH key group: 14 (2048 bit) {this seemed to be the key setting}
The rest are all default
Phase 2:
Mode: Transport
Protocol: ESP
Encryption algorithms: AES, AES128-GCM, AES192-GCM, AES256-GCM (all auto)
Hash algorithms: SHA1, SHA256, SHA384, SHA512, AES-XCBC
PFS key group: off
The rest are default
Make sure you have a pre-shared key defined with the identifier "allusers", then make sure that the pre-shared key is entered into the Windows 7 client.
Now here is where I'm stuck. It connects and authenticates perfectly fine now. I can ping local resources by local domain name and by IP, though I can't access any local resources (either remote desktop or network file share). I'm looking at the firewall and can see traffic is being blocked, though I can't figure out what rule I'm missing or how to set it up.
I've got it working using PPTP and it works great, but over L2TP it seems to be blocking the local traffic (except pings and DNS resolution).
Hope this helps you get a little further and maybe someone can point out what I'm doing wrong.
-
Hi Com DAC,
Thanks, tried with those settings and still doesn't seem to connect.
Your issue sounds like the firewall rules might be blocking the connection. I have done some tcpdumps, and looking at the logs the IPsec part is working fine but there doesn't seem to be any response from L2TP.
I have mine set to listen on the WAN interface, is that right?
The L2TP log doesn't show any connection attempts and nothing shows up in the states for L2TP.
Do you use the "Enable IPsec Mobile Client Support" option, or do you have IPsec set up a different way?
Thanks
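The tcpdump check the post above describes, as an added example that is not part of the original thread or of pfSense: a small Python script that reads captures from two interfaces and reports which stages of the L2TP/IPsec exchange actually appear. The sample capture lines are constructed, the addresses (198.51.100.10 for the firewall's WAN, 203.0.113.50 for the client) are assumptions, and the function names are the example's own. The point it makes is that with transport-mode IPsec the L2TP packets on UDP 1701 are only visible in cleartext on the FreeBSD IPsec interface enc0, so a WAN capture alone cannot tell "IPsec up, L2TP silent" apart from "L2TP request arriving but not answered".

```python
import re

# Constructed sample capture lines (not from the thread) in tcpdump's text
# format. Addresses are assumptions: 198.51.100.10 is the firewall's WAN,
# 203.0.113.50 the Windows client. WAN_LINES is a capture on the WAN
# interface; ENC0_LINES is a capture on enc0, the FreeBSD IPsec interface
# where pf sees the decrypted inner packets, which is the only place
# UDP 1701 is visible for L2TP carried inside transport-mode IPsec.
WAN_LINES = """\
10:01:02.000001 IP 203.0.113.50.500 > 198.51.100.10.500: isakmp: phase 1 I ident
10:01:02.000900 IP 198.51.100.10.500 > 203.0.113.50.500: isakmp: phase 1 R ident
10:01:02.100001 IP 203.0.113.50.4500 > 198.51.100.10.4500: NONESP-encap: isakmp: phase 1 I ident[E]
10:01:02.200001 IP 203.0.113.50.4500 > 198.51.100.10.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
10:01:02.300001 IP 203.0.113.50.4500 > 198.51.100.10.4500: UDP-encap: ESP(spi=0xc0ffee01,seq=0x1), length 148
10:01:02.300500 IP 203.0.113.50.4500 > 198.51.100.10.4500: UDP-encap: ESP(spi=0xc0ffee01,seq=0x2), length 148
"""
ENC0_LINES = """\
10:01:02.300002 (authentic,confidential): SPI 0xc0ffee01: IP 203.0.113.50.1701 > 198.51.100.10.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ)
"""

# "IP a.b.c.d.PORT > e.f.g.h.PORT: payload" for UDP, and
# "IP a.b.c.d > e.f.g.h: ESP(" / "AH(" for native ESP/AH (IP protocol 50/51).
UDP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)")
RAW_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): (ESP|AH)\(")


def classify(line):
    """Return (stage, src_ip, dst_ip) for a line that belongs to the L2TP/IPsec
    exchange, or None for anything else (DNS, unrelated UDP, ...)."""
    m = UDP_RE.search(line)
    if m:
        src, sport, dst, dport, payload = m.groups()
        if sport == "500" and dport == "500":
            return ("ike", src, dst)
        if sport == "4500" and dport == "4500":
            # With NAT-T both IKE and ESP ride UDP 4500; tcpdump prints IKE
            # as "NONESP-encap: isakmp" and data as "UDP-encap: ESP(...)".
            return ("esp" if "ESP(" in payload else "ike", src, dst)
        if sport == "1701" or dport == "1701":
            return ("l2tp", src, dst)
        return None
    m = RAW_RE.search(line)
    if m:
        src, dst, proto = m.groups()
        return (proto.lower(), src, dst)
    return None


def diagnose(wan_lines, enc0_lines, server_ip):
    """Summarise which stages appear in the two captures, keyed by stage name
    with 'in'/'out' flags relative to the firewall, and return (seen, verdict).
    L2TP seen unencrypted on the WAN is recorded separately, because a
    Windows client normally never sends 1701 outside IPsec."""
    seen = {}
    for iface, text in (("wan", wan_lines), ("enc0", enc0_lines)):
        for line in text.splitlines():
            hit = classify(line)
            if hit is None:
                continue
            stage, src, dst = hit
            if stage == "l2tp" and iface == "wan":
                stage = "l2tp_cleartext"
            seen.setdefault(stage, set()).add("out" if src == server_ip else "in")

    if "ike" not in seen:
        verdict = "no IKE on WAN: UDP 500/4500 is not reaching the firewall (upstream filter or WAN rule)"
    elif "out" not in seen["ike"]:
        verdict = "IKE arrives but the firewall never answers: check the WAN rule for UDP 500/4500 to This Firewall"
    elif "in" not in seen.get("esp", set()) and "in" not in seen.get("ah", set()):
        verdict = "IKE exchanged but no ESP from the client: phase 1/2 proposal or PSK mismatch, read the IPsec log"
    elif "l2tp" not in seen:
        verdict = "ESP arrives but nothing for UDP 1701 appears decrypted on enc0: the SA is up, the client is not sending L2TP inside it"
    elif "out" not in seen["l2tp"]:
        verdict = "L2TP request decrypted on enc0 but no reply: check the IPsec-tab rule for UDP 1701 to This Firewall and the L2TP server's listening interface"
    else:
        verdict = "L2TP control channel exchanged in both directions inside IPsec"
    return seen, verdict


if __name__ == "__main__":
    seen, verdict = diagnose(WAN_LINES, ENC0_LINES, "198.51.100.10")
    for stage in sorted(seen):
        print(f"{stage:15s} {sorted(seen[stage])}")
    print(verdict)
```

To feed it real data, capture the two sides separately on the firewall, e.g. `tcpdump -ni em0 'udp port 500 or udp port 4500 or esp'` for the WAN (substitute the real WAN interface name) and `tcpdump -ni enc0 'udp port 1701'` for the decrypted side, and pass the text of each to `diagnose`. Note that rules for traffic arriving inside the tunnel live on the IPsec tab, not the WAN tab, which is why opening the WAN alone does not let the decrypted UDP 1701 reach the L2TP server.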
-
Yes I am using the mobile client setting. Below are screenshots of my IPsec setup.
As for the firewall I've tried opening it wide up by putting allow rules on all sides of it for everything and it still won't work. This has me thinking it might be something with my IPsec setup. I'm wondering if it's one of the logged issues that I might be running into.
-
Mine looks the same. Tested with a Linux client as well as a Windows client, same issue.
I can't see what could be wrong. Here are my settings.
![Firewall - IPsec.png](/public/imported_attachments/1/Firewall - IPsec.png)
![Firewall - L2TP.png](/public/imported_attachments/1/Firewall - L2TP.png)
![Firewall - WAN.png](/public/imported_attachments/1/Firewall - WAN.png)
![IPsec - Mobile clients.png](/public/imported_attachments/1/IPsec - Mobile clients.png)
![IPsec - Phase 1.png](/public/imported_attachments/1/IPsec - Phase 1.png)
![IPsec - Phase 2.png](/public/imported_attachments/1/IPsec - Phase 2.png)
![IPsec - Pre-shared keys.png](/public/imported_attachments/1/IPsec - Pre-shared keys.png)
![L2TP - Settings.png](/public/imported_attachments/1/L2TP - Settings.png)
-
I had a similar problem a year ago and I found this:
http://support2.microsoft.com/kb/926179
Hope this info helps you.
-
Nope, that didn't help.