PfSense is blocking L2TP/IPSec even when Port Forwarding / NAT is enabled.

  • Helle everyone.

    As per the title, my question is about port forwarding issues.

    To describe the situation:

    • Windows Server 2012 as PPTP/L2TP+IPSec/IKEv2 VPN Server (named EUROPA)

    • Works fine if pfSense is not between client and server (hint: multiple devices between server and client)

    • Tried looking at firewall logs, triple checked rules/entries, searched for possible solutions, nothing

    To illustrate the network setup:

    WAN<public ip="">---<[WAN NIC]ROUTER[LAN NIC]>-+-DMZ to pfSense---<[WAN NIC] pfSense [LAN NIC]>--- <all other="" networking="" devices="" servers="" etc="">|
                                                              +--WiFi Clients</all></public> 

    So everything works nicely, webserver, ftp server, <any service="" here="">server behind pfSense, just L2TP/IPSec doesn't work. I get a 809 error which means timeout / packets don't get through. Everything behind the LAN NIC can connect to the L2TP/IPSec server just fine too. Just this one specific case doesn't work. PPTP is nicely accessible from the internet so at least that works (but there's no encryption so this is a bit scar, and would like to move away from it, also Windows Phone users don't have the option to use OpenVPN or PPTP, so L2TP/IPSec or IKEv2 needs to work).

    This are the NAT + Firewall rules:

    Does anyone have some tips as to what to check for or how to approach the solution to this issue?

    Thanks in advance!

    I have done wireshark captures & compare on the client (both on successful and unsuccesful attempts) and it seems that ESP packets are not being let through pfSense:

    Also, both L2TP and IPSec are disabled on pfSense (in VPN category)</any>

  • L2TP/IPSec VPN is tricky.

    1.) Stop using PPTP, please!
    2.) Try forwarding AH (protocol 50)

    I found that depending on the setup, L2TP takes awhile to start working. Every time I setup a new pfSense box (dozens of times) I have to try a couple of times, wait a few hours, try again… it does eventually work.

    I use it now and have been using it for over a year on, as I've said, dozens of pfSense installs.

  • Alright, after a very painful update to the newest pfSense (on XenServer, 2.1.5 to 2.2.5), resolving multiple issues with networking adapters being very slow, comparable to complete halt, crashes and other small issues… finally when stable we have retried to setup the firewall to allow IPSec+L2TP from the outside to our Windows Server, and again, it is not passing through the traffic. Forwarded GRE, AH, ESP, L2TP, PPTP, IPSec NAT-T, ISAKMP and Ident/Auth to the Windows Server with no avail. also completely disabled the firewall temporarily on the windows server (on all profiles) just to be sure MS did not screw something up. PPTP works fine, SSTP works fine (yes we have a certificate for this purpose from a global CA), just not L2TP VPN (it does work when pfSense is not between the client and windows server).

    Problem is.. PPTP is insecure, SSTP is not supported by many devices. IKEv2 is a real pain to setup (read: many failed attempts) and also requires to install certs on clients (which is a definite no-go), the only globally supported vpn, and which is reasonably secure is L2TP... which won't work because pfSense does not route it.

    I did try to go to the NAT Outbound rule table and select AON, removed all entries with explicit port 500 and retried. To no avail, too. Please also note thet 1:1 and NPt do not have any entries, they are empty.

    Is there anything more that can be done, checked, changed, tested?

  • Alright status update time!

    So we figured, maybe it is because of xenserver or some networking settings. So we ordered a physical firewall with pfSense on it, imported our old config. Powered off the pfSense VM and gues what… exactly the same issue. Is there some hidden option that needs to be enabled to allow NAT-ing of IPSec/L2TP?

    The pfSense version is 2.2.6

  • I'm not sure if I undestrand what you write, but is your problem similar to mine?

  • well it is probably that the IPSec layer doesn't go through. If our findings are true then the issues could be indeed related.

  • @Balaena:

    well it is probably that the IPSec layer doesn't go through. If our findings are true then the issues could be indeed related.

    I've found that my problem is NAT-T related:

    Anyway I wasn't able to fix my problem

  • Any1 has been able to solve this issue ?

  • Hm so we're not the only ones with this issue? Any idea where we could look? if needed we do have a few experienced C++, PHP and C programmers.

    ByTheWay we do have the WAN directly on PFSense now, still same issue (so one router less).

  • I have tried everything but nothing working :(

  • Hello everyone!

    I have had the same error, the only way I found to solve it has been to configure my router in transparent mode, which has given pfSense my router's public IP.

    So now, my pfSense has got a free public IP address and everything is working fine! Hope you manage to resolve your problem!

  • "How to configure an L2TP/IPsec server behind a NAT-T" MS KB did not work for us.
    Running 2.2.4-RELEASE (i386). Not planning the upgrade yet.
    We're unable to forward L2TP traffic to the server behind NAT.

    We're seeing traffic coming on port 4500, VPN connection is estabilished, however there is no routed traffic. All NPS polices seems to be fine. No firewall rules blocking. No ACLs blocking.
    We're not seeing anything behind this server.

    Forwarded traffic:
    TCP/UDP 1701 WAN -> server
    TCP/UDP 500 WAN -> server
    TCP/UDP 4500 WAN -> server
    AH protocol WAN -> server
    ESP protocol WAN -> server

    Issue seems to be covering this thread.

    Next step is to sniff some traffic and check what is going on.
    Any ideas?

Log in to reply