    IPsec/LT2TP and Windows 7

    2.2 Snapshot Feedback and Problems - RETIRED
    • PayableOnDeath

      Hi,

      I am trying to set up IPsec/L2TP with a Windows 7 client.

      I followed the information in https://forum.pfsense.org/index.php?topic=83321, however it doesn't seem to get a connection. From what I can tell from the pfSense logs, IPsec connects but nothing shows in the L2TP logs.

      Has anyone got this working since it went into RC?

      Version: 2.2-RC (amd64) built on Thu Dec 11 03:41:41 CST 2014 FreeBSD 10.1-RELEASE-p1

      Below is my config

      IPsec Phase 1

      IKEv1
      Authentication method: Mutual PSK
      Negotiation mode: main
      My identifier: My IP address
      Encryption algorithm: 3DES
      Hash algorithm: SHA1
      DH Key group: 2
      Lifetime: 28800
      NAT Traversal: Force
      DPD Enabled

      Phase 2:
      Mode: Transport
      Protocol: ESP
      Encryption algorithms: 3DES, AES (auto)
      Hash algorithms: MD5, SHA1
      PFS Key group: off
      Lifetime: 28800

      L2TP:
      Interface WAN
      Server Address and Remote Address range set
      Secret: Same as IPsec PSK (tried with and without)
      Authentication Type: CHAP

      Tried with Pre-Shared Keys Identifiers of allusers and any

      Firewall rules set to allow the following to "This Firewall"
      UDP 500, 1701 and 4500
      AH and ESP

      Any idea why it might not be working?

      Thanks

      • Com DAC

        I've got it working (well, sort of) using Windows 7. Below are my settings for IPsec (I found all my problems were with IPsec; L2TP doesn't have that many settings anyway).

        Phase 1:
        Key Exchange version: auto
        Authentication method: Mutual PSK
        Negotiation mode: Main
        My identifier: My IP address
        Encryption algorithm: AES 256
        Hash algorithm: SHA1
        DH key group: 14 (2048 bit) {this seemed to be the key setting}

        The rest are all default

        Phase 2:
        Mode: Transport
        Protocol: ESP
        Encryption algorithms: AES, AES128-GCM, AES192-GCM, AES256-GCM (all auto)
        Hash algorithms: SHA1, SHA256, SHA384, SHA512, AES-XCBC
        PFS key group: off

        The rest are default

        Make sure you have a pre-shared key defined with the identifier "allusers", then make sure that the pre-shared key is entered into the Windows 7 client.

        Now here is where I'm stuck. It connects and authenticates perfectly fine now. I can ping local resources by local domain name and by IP, though I can't access any local resources (either remote desktop or network file share). I'm looking at the firewall and can see traffic is being blocked, though I can't figure out what rule I'm missing or how to set it up.

        I've got it working using PPTP and it works great but over L2TP it seems to be blocking the local traffic (except pings and dns resolutions).

        Hope this helps you get a little further and maybe someone can point out what I'm doing wrong.

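Where the rules for an L2TP/IPsec client have to live on pfSense, as an added example that is not code from pfSense or from either poster. It models the firewall's per-interface, first-match evaluation: the IKE and NAT-T packets are filtered by the WAN rules, the decrypted L2TP packet (UDP 1701) by the rules on the IPsec tab, and the client's traffic to the LAN by the rules on the L2TP VPN tab. The addresses, the 192.168.1.0/24 LAN and both rule sets are constructed: the first has only the WAN rules the first post lists (the thread's screenshots are not on the page, so this is not a claim about either poster's actual IPsec or L2TP tab), the second adds the two per-interface rules.

```python
"""Per-interface rule evaluation for an L2TP/IPsec client on pfSense.

Added example; not pfSense code and not from either poster.  A packet is
matched, first match wins, against the rules of the interface it is
evaluated on; anything unmatched is blocked.  The L2TP packet only exists
in the clear after IPsec decryption, so a UDP 1701 rule on WAN never sees it.
Addresses and the LAN range are constructed, not the thread's values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str                  # "wan", "ipsec" or "l2tp": where the packet is evaluated
    proto: str                  # "udp", "tcp" or "esp"
    dst: str                    # destination IPv4 address
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    iface: str
    action: str                 # "pass" or "block"
    proto: str = "any"
    dst: str = "any"            # "any", "self" (This Firewall) or a CIDR
    dport: Optional[int] = None  # None = any port


FIREWALL_ADDRS = {"203.0.113.1", "10.10.10.1"}   # constructed WAN and L2TP server addresses
LAN = "192.168.1.0/24"                            # constructed LAN range


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface != pkt.iface or rule.proto not in ("any", pkt.proto):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.dst == "any":
        return True
    if rule.dst == "self":
        return pkt.dst in FIREWALL_ADDRS
    return ip_address(pkt.dst) in ip_network(rule.dst)


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule on the packet's interface wins; default is block."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


# The packets one L2TP/IPsec session needs to get through, in the order they occur.
STAGES = {
    "ike":  Packet("wan",   "udp", "203.0.113.1", 500),
    "natt": Packet("wan",   "udp", "203.0.113.1", 4500),
    "l2tp": Packet("ipsec", "udp", "203.0.113.1", 1701),   # visible only after decryption
    "rdp":  Packet("l2tp",  "tcp", "192.168.1.10", 3389),  # client to a LAN host
}


def walk(rules: List[Rule]) -> Dict[str, str]:
    return {name: decide(rules, pkt) for name, pkt in STAGES.items()}


# Only the WAN rules the first post lists (UDP 500/1701/4500 and ESP to This Firewall).
WAN_ONLY = [
    Rule("wan", "pass", "udp", "self", 500),
    Rule("wan", "pass", "udp", "self", 1701),   # never matches: L2TP arrives inside NAT-T
    Rule("wan", "pass", "udp", "self", 4500),
    Rule("wan", "pass", "esp", "self"),
]

# The same WAN rules plus the IPsec-tab and L2TP VPN-tab rules the session traverses.
COMPLETE = WAN_ONLY + [
    Rule("ipsec", "pass", "udp", "self", 1701),
    Rule("l2tp", "pass", "any", LAN),
]

if __name__ == "__main__":
    print("WAN rules only:", walk(WAN_ONLY))
    print("with IPsec/L2TP tab rules:", walk(COMPLETE))
```

With the WAN-only set the IKE and NAT-T packets pass but the decrypted L2TP packet and the client's RDP attempt are both dropped by the default deny, which is consistent with "IPsec connects, nothing in the L2TP log"; the complete set lets all four through.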
        • PayableOnDeath

          Hi Com DAC,

          Thanks, I tried those settings and it still doesn't seem to connect.
          Your issue sounds like the firewall rules might be blocking the connection.

          I have done some tcpdumps, and looking at the logs, the IPsec part is working fine but there doesn't seem to be any response from L2TP.

          I have mine set to listen on the WAN interface, is that right?

          The L2TP log doesn't show any connection attempts and nothing shows up in the states for L2TP.

          Do you use the "Enable IPsec Mobile Client Support" option, or do you have IPsec set up a different way?

          Thanks

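The tcpdump check described in the post above ("IPsec is working fine but no response from L2TP"), as an added example that is not code from the thread or from pfSense. The capture lines are constructed in tcpdump -n style, with 203.0.113.1 as an assumed firewall WAN address and 198.51.100.7 as an assumed client. The classifier records which stage (IKE on UDP 500, NAT-T on UDP 4500, ESP, L2TP on UDP 1701) was seen in each direction and turns that into a verdict. The caveat it encodes: with NAT Traversal in use (the first post forces it), the L2TP packet travels inside UDP 4500 and never appears on a WAN capture; it is only visible decrypted on the IPsec interface (enc0 on pfSense), so a WAN capture that shows IKE and NAT-T both ways and nothing else is the expected picture, not evidence that L2TP was reached.

```python
"""Triage of a tcpdump capture for a stalled L2TP/IPsec client.

Added example, not from the thread or from pfSense.  The sample captures
are CONSTRUCTED; 203.0.113.1 (firewall WAN) and 198.51.100.7 (client) are
assumptions.  Only the "IP a.b.c.d.port > e.f.g.h.port:" / "IP a > b: ESP"
part of each line is parsed, so the enc0 "(authentic,confidential): SPI"
prefix does not matter.
"""
import re
from typing import Dict, Iterable, Optional, Set, Tuple

UDP_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")
ESP_RE = re.compile(r"IP (\d+(?:\.\d+){3}) > (\d+(?:\.\d+){3}): ESP")
STAGE_BY_PORT = {500: "ike", 4500: "nat-t", 1701: "l2tp"}


def classify(line: str) -> Optional[Tuple[str, str, str]]:
    """(src, dst, stage) for IKE / NAT-T / L2TP / ESP packets, else None."""
    m = UDP_RE.search(line)
    if m:
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        stage = STAGE_BY_PORT.get(dport) or STAGE_BY_PORT.get(sport)
        return (src, dst, stage) if stage else None
    m = ESP_RE.search(line)
    return (m.group(1), m.group(2), "esp") if m else None


def stages_seen(lines: Iterable[str], firewall_ip: str) -> Dict[str, Set[str]]:
    """Which stages reached the firewall and which it answered."""
    seen: Dict[str, Set[str]] = {"to_fw": set(), "from_fw": set()}
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        src, dst, stage = hit
        if dst == firewall_ip:
            seen["to_fw"].add(stage)
        elif src == firewall_ip:
            seen["from_fw"].add(stage)
    return seen


def verdict(seen: Dict[str, Set[str]]) -> str:
    to_fw, from_fw = seen["to_fw"], seen["from_fw"]
    if "l2tp" in to_fw:                      # only possible on enc0, or without NAT-T
        return "L2TP_EXCHANGE_OK" if "l2tp" in from_fw else "L2TP_NO_REPLY"
    if "ike" not in to_fw:
        return "NOTHING_REACHED_FIREWALL"
    if "ike" not in from_fw:
        return "NO_IKE_REPLY"                # UDP 500 unanswered: WAN rule or IKE daemon
    if "nat-t" in to_fw and "nat-t" not in from_fw:
        return "NO_NATT_REPLY"               # UDP 4500 unanswered
    return "IPSEC_UP_L2TP_NOT_VISIBLE"       # expected on WAN with NAT-T: capture on enc0 next


def triage(lines: Iterable[str], firewall_ip: str) -> str:
    return verdict(stages_seen(lines, firewall_ip))


FW = "203.0.113.1"
# Constructed WAN capture: IKE and NAT-T both ways, nothing in the clear after that.
WAN_CAPTURE = [
    "12:00:00.000001 IP 198.51.100.7.500 > 203.0.113.1.500: isakmp: phase 1 I ident",
    "12:00:00.000102 IP 203.0.113.1.500 > 198.51.100.7.500: isakmp: phase 1 R ident",
    "12:00:00.200000 IP 198.51.100.7.4500 > 203.0.113.1.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick",
    "12:00:00.200110 IP 203.0.113.1.4500 > 198.51.100.7.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick",
    "12:00:00.300000 IP 198.51.100.7.4500 > 203.0.113.1.4500: UDP-encap: ESP(spi=0x0a0b0c0d,seq=0x1), length 132",
    "12:00:00.300200 IP 203.0.113.1.4500 > 198.51.100.7.4500: UDP-encap: ESP(spi=0x01020304,seq=0x1), length 132",
]
# Constructed enc0 capture: the decrypted L2TP SCCRQ arrives but nothing answers it.
ENC0_CAPTURE_SILENT = [
    "12:00:00.300050 (authentic,confidential): SPI 0x0a0b0c0d: IP 198.51.100.7.1701 > 203.0.113.1.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ)",
]
# Constructed enc0 capture where the L2TP control connection is answered.
ENC0_CAPTURE_OK = ENC0_CAPTURE_SILENT + [
    "12:00:00.300300 (authentic,confidential): SPI 0x01020304: IP 203.0.113.1.1701 > 198.51.100.7.1701: l2tp:[TLS](1/1)Ns=0,Nr=1 *MSGTYPE(SCCRP)",
]

if __name__ == "__main__":
    for name, cap in [("WAN", WAN_CAPTURE), ("enc0 silent", ENC0_CAPTURE_SILENT), ("enc0 ok", ENC0_CAPTURE_OK)]:
        print(f"{name}: {stages_seen(cap, FW)} -> {triage(cap, FW)}")
```

On pfSense the two captures would be taken with tcpdump on the WAN interface and on enc0 respectively; an L2TP request that shows up on enc0 with no reply points at the L2TP server side (its listening interface or the IPsec-tab rule for UDP 1701), while a WAN capture with no UDP 500 reply points at the IKE side.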
          • Com DAC

            Yes, I am using the mobile client setting. Below are screenshots of my IPsec setup.

            As for the firewall, I've tried opening it wide up by putting allow rules on all sides of it for everything and it still won't work. This has me thinking it might be something with my IPsec setup. I'm wondering if it's one of the logged issues that I might be running into.
            • PayableOnDeath

              Mine looks the same. Tested with a Linux client as well as a Windows client, same issue.
              I can't see what could be wrong.

              Here are my settings.

              ![Firewall - IPsec.png](/public/imported_attachments/1/Firewall - IPsec.png)
              ![Firewall - L2TP.png](/public/imported_attachments/1/Firewall - L2TP.png)
              ![Firewall - WAN.png](/public/imported_attachments/1/Firewall - WAN.png)
              ![IPsec - Mobile clients.png](/public/imported_attachments/1/IPsec - Mobile clients.png)
              ![IPsec - Phase 1.png](/public/imported_attachments/1/IPsec - Phase 1.png)
              ![IPsec - Phase 2.png](/public/imported_attachments/1/IPsec - Phase 2.png)
              ![IPsec - Pre-shared keys.png](/public/imported_attachments/1/IPsec - Pre-shared keys.png)
              ![L2TP - Settings.png](/public/imported_attachments/1/L2TP - Settings.png)

              • v3v3

                I had a similar problem a year ago and I found this:

                http://support2.microsoft.com/kb/926179

                Hope this info helps you.

                • PayableOnDeath

                  Nope, that didn't help.
