IPsec L2TP port forwarding not working



  • IPsec L2TP pass-through seems to be broke since 2.2.3.  I use a Synology NAS as my VPN server because it works great with iOS devices as a L2TP VPN appliance.  Ever since I updated from 2.2.2 to 2.2.3 and now 2.2.4 it will no longer pass udp ports 500 & 4500 through to the VPN 3rd party VPN device.  I have my backup config from 2.2.2 that the VPN works and restored in on 2.2.3 and 2.2.4 and VPN will not pass.  I downgrade pfSense to 2.2.2 and magically it works again.

    Below are the state tables differences between the two versions.  All restored from same config file.  In 2.2.3 & 2.2.4 I can not even see the request hit my VPN server.

    State Table in 2.2.2


    WAN udp 10.0.1.3:500 (24.x.x.x:500) <- 70.x.x.x:9972 MULTIPLE:MULTIPLE
    WAN udp 10.0.1.3:4500 (24.x.x.x:4500) <- 70.x.x.x:9961 MULTIPLE:MULTIPLE

    State Table in 2.2.3 & 2.2.4


    WAN udp 10.0.1.3:500 (24.x.x.x:500) <- 70.x.x.x:9958 NO_TRAFFIC:SINGLE

    Any idea what code updates that occurred in 2.2.3+ that might have broke this?
    BTW: 24.x.x.x is a Virtual IP Alias and not the same public IP of the pfSense appliance.



  • There is no "L2TP passthrough", you're just using port forwards, moved to NAT.

    What you're showing is the traffic is being passed through the same as before, but the NAS isn't answering. Packet capture on LAN, port 500, while trying to connect to confirm. From that, I'm sure you'll see the traffic going to the NAS, and nothing coming back in reply. Check the NAS for why it's not replying.



  • Thanks Chris for getting me pointed in the right direction.  I will setup SPAN on the port facing the NAS and throw wireshark on it to see what I can see.  I still am scratching my head as to why the same configuration works in v2.2.2 and not v2.2.3 or .4.  I guess it is more of a port forwarding issue then VPN since I don't have pfSense participating in any of the negotiations.



  • I configured SPAN on my switch to toss the packets between the pfSense box and NAS over to Wireshark.  When running v2.2.2 I was able to establish a VPN with my iPhone no problem.  I can see the IPsec packets on the wire capture as well.

    After this I simply updated the pfSense box to 2.2.4 via auto-update (no config changes), pfSense reboots and comes up at v2.2.4 and not nothing again.  Keeping all the packet capture setup EXACTLY the same (filtering on "udpencap") as well I see no messages at all on the wire being passed to the NAS now.

    I checked the ARP table on the pfSense box to make sure the virtual IP's were still alive a well and they are there.  I even did a ping to the public gateway sourcing from the virtual IP I use for the VPN to the NAS and that was 0% loss.

    I really think there is some bug going on with UDP VPN ports in 2.2.3 and greater.  My other SNMP port forwarding for remote monitoring is working fine.

    Attached is the packet capture of v2.2.2.  The packet capture for 2.2.4 is blank.

    Ideas?

    ![Wireshark v2.2.2.png](/public/imported_attachments/1/Wireshark v2.2.2.png)
    ![Wireshark v2.2.2.png_thumb](/public/imported_attachments/1/Wireshark v2.2.2.png_thumb)
    [L2TP VPN pfSense v2.2.2.pcapng](/public/imported_attachments/1/L2TP VPN pfSense v2.2.2.pcapng)



  • I did get this working now in version 2.2.4 after doing a lot of packet captures and troubleshooting.  I have another different virtual IP address setup for IPsec and L2TP (both enabled) on the pfSense box itself.  When I disabled those it started to work.

    This leads me to believe that there might be a bug is IPsec & L2TP services on pfSense.  When enabled they will not forward udp port 500 traffic on other virtual IP's.  Once disabled they do pass the traffic.