IPsec/L2TP and Windows 7

  • Hi,

    I am trying to set up an IPsec/L2TP connection with a Windows 7 client.

    I followed the information in https://forum.pfsense.org/index.php?topic=83321, however it doesn't seem to get a connection. From what I can tell from the pfSense logs, IPsec connects but nothing is showing in the L2TP logs.

    Has anyone got this working since it went into RC?

    Version: 2.2-RC (amd64) built on Thu Dec 11 03:41:41 CST 2014 FreeBSD 10.1-RELEASE-p1

    Below is my config

    IPsec Phase 1

    Authentication method: Mutual PSK
    Negotiation mode: main
    My identifier: My IP address
    Encryption algorithm: 3DES
    Hash algorithm: SHA1
    DH Key group: 2
    Lifetime: 28800
    NAT Traversal: Force
    DPD Enabled

    Phase 2:
    Mode: Transport
    Protocol: ESP
    Encryption algorithms: 3DES, AES Auto
    Hash algorithms: MD5, SHA1
    PFS Key group: off
    Lifetime: 28800

    Interface WAN
    Server Address and Remote Address range set
    Secret: Same as IPsec PSK (tried with and without)
    Authentication Type: CHAP

    Tried with Pre-Shared Keys Identifiers of allusers and any

    Firewall rules set to allow the following to "This Firewall"
    UDP 500, 1701 and 4500
    AH and ESP

    Any idea why it might not be working?


  • I've got it working (well, sort of) using Windows 7. Below are my settings for IPsec (I found all my problems were with IPsec; L2TP doesn't have that many settings anyway).

    Phase 1:
    Key Exchange version: auto
    Authentication method: Mutual PSK
    Negotiation mode: Main
    My identifier: My IP address
    Encryption algorithm: AES 256
    Hash algorithm: SHA1
    DH key group: 14 (2048 bit) {this seemed to be the key setting}

    The rest are all default

    Phase 2:
    Mode: Transport
    Protocol: ESP
    Encryption algorithms: AES, AES128-GCM, AES192-GCM, AES256-GCM (all auto)
    Hash algorithms: SHA1, SHA256, SHA384, SHA512, AES-XCBC
    PFS key group: off

    The rest are default

    Make sure you have a Pre-Shared Key defined with the identifier "allusers", then make sure that the pre-shared key is entered into the Windows 7 client.

    Now here is where I'm stuck. It connects and authenticates perfectly fine now. I can ping local resources by local domain name and by IP, though I can't access any local resources (either remote desktop or network file share). I'm looking at the firewall and can see traffic is being blocked, though I can't figure out what rule I'm missing or how to set it up.

    I've got it working using PPTP and it works great but over L2TP it seems to be blocking the local traffic (except pings and dns resolutions).

    Hope this helps you get a little further and maybe someone can point out what I'm doing wrong.

  • Hi Com DAC,

    Thanks, tried with those settings and still doesn't seem to connect.
    Your issue sounds like the firewall rules might be blocking the connection.

    I have done some tcpdumps and, looking at the logs, the IPsec part is working fine but there doesn't seem to be any response from L2TP.

    I have mine set to listen on the WAN interface, is that right?

    The L2TP log doesn't show any connection attempts and nothing shows up in the states for L2TP.

    Do you use the "Enable IPsec Mobile Client Support" option, or do you have IPsec set up a different way?
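The two posts above describe the same diagnostic question: the first post's firewall rules (UDP 500, 1701 and 4500 plus ESP) and this post's tcpdump observation that IKE completes but nothing ever answers on L2TP. The following script is an added example, not code from the thread or from pfSense; it classifies where an L2TP/IPsec attempt stalls by reading tcpdump text output. The capture lines are constructed, the addresses 198.51.100.1 (firewall WAN) and 203.0.113.10 (client) are documentation addresses, and the assumption is that the decrypted L2TP packets were captured on the IPsec interface (enc0 on pfSense) and concatenated with the WAN capture.

```python
"""Classify where an L2TP/IPsec connection attempt stalls, from tcpdump text output.

Added example for the thread; the sample capture below is constructed, not real.
"""
import re
from typing import Dict, Iterable, List

# tcpdump text line: "HH:MM:SS.ffffff IP src.port > dst.port: payload".
# Raw ESP in transport mode carries no port, so the port groups are optional.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<payload>.*)$"
)

SERVER = "198.51.100.1"  # constructed: pfSense WAN address
CLIENT = "203.0.113.10"  # constructed: Windows 7 client address

# Constructed sample of the situation in the thread: IKE Phase 1 and Phase 2
# complete, NAT-T encapsulated ESP arrives, the decrypted L2TP SCCRQ is visible
# on the IPsec interface (assumed enc0), and nothing ever answers it.
STALLED_AT_L2TP = """\
12:00:00.100000 IP 203.0.113.10.500 > 198.51.100.1.500: isakmp: phase 1 I ident
12:00:00.110000 IP 198.51.100.1.500 > 203.0.113.10.500: isakmp: phase 1 R ident
12:00:00.300000 IP 203.0.113.10.4500 > 198.51.100.1.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
12:00:00.310000 IP 198.51.100.1.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick
12:00:00.500000 IP 203.0.113.10.4500 > 198.51.100.1.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
12:00:00.500500 IP 203.0.113.10.1701 > 198.51.100.1.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ)
12:00:01.500500 IP 203.0.113.10.1701 > 198.51.100.1.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ)
"""

# What to check next for each stage at which the exchange stopped.
ADVICE = {
    "no_ike": "No IKE traffic on the WAN: verify the WAN rules pass UDP/500 and UDP/4500 to 'This Firewall'.",
    "ike_phase1_only": "Phase 1 completed but no Phase 2 exchange: compare the Phase 2 proposal (Transport mode, ESP) with what the client offers.",
    "no_esp": "IKE completed but no ESP followed: the client never sent traffic inside the tunnel.",
    "no_l2tp_request": "ESP arrives but no L2TP SCCRQ is seen after decryption: capture on the IPsec interface and check its rule for UDP/1701.",
    "no_l2tp_reply": "L2TP SCCRQ reaches the firewall but nothing answers: check which interface the L2TP server listens on and the UDP/1701 rule on the IPsec tab.",
    "l2tp_up": "L2TP control channel answered: IPsec and L2TP are fine, look at PPP/CHAP authentication next.",
}


def observe(lines: Iterable[str], server: str) -> Dict[str, bool]:
    """Record which protocol stages appear in the capture, in the client->server direction."""
    seen = {"ike_phase1": False, "ike_phase2": False, "esp": False,
            "l2tp_request": False, "l2tp_reply": False}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner lines or non-IP traffic are ignored
        payload = m["payload"]
        if "isakmp: phase 1" in payload:
            seen["ike_phase1"] = True
        elif "isakmp: phase 2" in payload:
            seen["ike_phase2"] = True
        elif "ESP(" in payload:
            seen["esp"] = True
        elif m["dport"] == "1701" and m["dst"] == server and "SCCRQ" in payload:
            seen["l2tp_request"] = True
        elif m["sport"] == "1701" and m["src"] == server and "SCCRP" in payload:
            seen["l2tp_reply"] = True
    return seen


def diagnose(lines: Iterable[str], server: str) -> str:
    """Return the key of the first stage that is missing (see ADVICE)."""
    seen = observe(lines, server)
    if not seen["ike_phase1"]:
        return "no_ike"
    if not seen["ike_phase2"]:
        return "ike_phase1_only"
    if not seen["esp"]:
        return "no_esp"
    if not seen["l2tp_request"]:
        return "no_l2tp_request"
    if not seen["l2tp_reply"]:
        return "no_l2tp_reply"
    return "l2tp_up"


if __name__ == "__main__":
    stage = diagnose(STALLED_AT_L2TP.splitlines(), SERVER)
    print(f"{stage}: {ADVICE[stage]}")
```

To use it on a real firewall, feed the script the output of `tcpdump -ni em0 -l` (WAN) followed by `tcpdump -ni enc0 -l` (decrypted IPsec traffic) and read the stage it reports; the "no_l2tp_reply" result is the case this thread describes, where the L2TP log stays empty because the server never answers the SCCRQ.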


  • Yes I am using the mobile client setting. Below are screenshots of my IPsec setup.

    As for the firewall I've tried opening it wide up by putting allow rules on all sides of it for everything and it still won't work. This has me thinking it might be something with my IPsec setup. I'm wondering if it's one of the logged issues that I might be running into.

  • Mine looks the same. Tested with a Linux client as well as a Windows client, same issue.
    I can't see what could be wrong.

    Here are my settings.

    ![Firewall - IPsec.png](/public/imported_attachments/1/Firewall - IPsec.png)
    ![Firewall - L2TP.png](/public/imported_attachments/1/Firewall - L2TP.png)
    ![Firewall - WAN.png](/public/imported_attachments/1/Firewall - WAN.png)
    ![IPsec - Mobile clients.png](/public/imported_attachments/1/IPsec - Mobile clients.png)
    ![IPsec - Phase 1.png](/public/imported_attachments/1/IPsec - Phase 1.png)
    ![IPsec - Phase 2.png](/public/imported_attachments/1/IPsec - Phase 2.png)
    ![IPsec - Pre-shared keys.png](/public/imported_attachments/1/IPsec - Pre-shared keys.png)
    ![L2TP - Settings.png](/public/imported_attachments/1/L2TP - Settings.png)

  • I had a similar problem a year ago and I found this:


    Hope this info helps you.

  • Nope, that didn't help.
