IPSEC/L2TP Windows Client

  • I have set up pfSense inside VMWare Workstation. I am attempting to create an IPSEC/L2TP connection with the Windows VPN client.

    I am currently attempting a basic configuration following some of the guides on the site as well as forums. However I cannot get the client to connect.

    From the logs it appears to be trying, I see some back and forth, then finally it deletes out. These are the last few messages each time.

    Mar 25 14:42:29 charon: 15[IKE] received DELETE for ESP CHILD_SA with SPI 67d55650
    Mar 25 14:42:29 charon: 15[IKE] <con1|1> received DELETE for ESP CHILD_SA with SPI 67d55650

    So it appears traffic isn't blocked but something is going on.

    I am also curious whether, once this is configured correctly, it can be set to use my AD accounts/credentials to log on?

  • Any help with this?

  • +1 for me too!

    My iDevices work perfectly: iOS8 iPhones, MacBook Pro, etc.

    The Windows devices, however, don't work. They seem to be trying to connect, but I get the same log entries the OP listed and the Windows device comes back with an Error 809.

    Any assistance would be greatly appreciated.


  • I just re-read a reply on another thread from jimp.

    Seems this is a NAT problem and not exclusive to pfSense. https://lists.strongswan.org/pipermail/users/2014-September/006638.html

    I would like to try IKEv2, but there's no built-in GUI support for setting up such a VPN connection on the iDevices.

  • Rebel Alliance Developer Netgate

    The NAT issue appears to be specific to Windows clients (and not every circumstance) – if it works for the other clients (iOS, etc) they could still use it.

  • After much trial and error, I'm finally able to get L2TP/IPsec and IKEv2 working (separately, not at the same time). However, at this time it seems I need to make a decision.

    My VPN needs to support both Windows & Apple devices. Some of the Windows devices (i.e. tablets) don't have third-party client software available to support straight IPsec VPN. (this means OpenVPN is also not an option)

    The choices are:

    • Support only iDevices using L2TP/IPsec*

    • Support only Windows devices using IKEv2*

    * Unless someone can point me to documentation explaining how to support both protocols at once.

    StrongSwan has an OS X client that is supposed to provide IKEv2 connectivity. However, there is zero documentation, and the GUI is completely non-intuitive.
