L2TP/IPsec



L2TP/IPsec is a common VPN type that wraps L2TP, an insecure tunneling protocol, inside a secure channel built using transport mode IPsec.

L2TP/IPsec is supported starting with pfSense 2.2-RELEASE. This article explains how to configure the service and set up clients.

WARNING
Users have reported issues with Windows L2TP/IPsec clients behind NAT. If the clients will be behind NAT, Windows clients will most likely not function. Consider an IKEv2 implementation instead.

Lines marked IMPORTANT are of extra importance to follow correctly.

Setup L2TP

Configure L2TP Server

  • Navigate to VPN > L2TP
  • Select Enable L2TP server
  • Set Interface to WAN
  • IMPORTANT: Set Server Address to an unused private subnet IP, such as 192.168.32.1
    • NOTE: This is not a public IP address or "listen" IP for the L2TP service, it is a local IP address set as the "gateway" on the clients
  • Set Remote Address Range to an unused private subnet, such as 192.168.32.128
  • Set Subnet Mask to an appropriate value for the client address range, such as 25
  • Set Number of L2TP Users to the highest concurrent number of expected L2TP users, such as 8
  • IMPORTANT: Leave Secret blank
  • Set Authentication Type to CHAP
  • Set L2TP DNS Servers as needed, or leave blank
  • Set RADIUS options if desired
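As an added example (not part of the pfSense article), the following PowerShell checks an L2TP address plan before it is typed into VPN > L2TP: it derives the client pool from the Remote Address Range, Subnet Mask and Number of L2TP Users, confirms the pool fits inside that subnet, confirms the Server Address does not collide with a pool address, and flags overlap with subnets already in use on the firewall. The values mirror the article's examples; the list of existing subnets is an assumption about the site.

```powershell
# Added example, not from the pfSense documentation.
# Values mirror the article's examples; $ExistingSubnets is an assumption about the site.
$ServerAddress      = '192.168.32.1'    # "gateway" address handed to clients, not a listen IP
$RemoteAddressStart = '192.168.32.128'  # first address of the client pool
$SubnetMaskBits     = 25                # Subnet Mask field
$NumberOfUsers      = 8                 # Number of L2TP Users field
$ExistingSubnets    = @('192.168.1.0/24', '10.0.0.0/8')  # assumed LAN/other subnets already in use

function ConvertTo-IPv4Int ([string]$Ip) {
    # Dotted quad -> integer (int64 avoids PowerShell's signed 32-bit overflow)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}
function ConvertFrom-IPv4Int ([int64]$N) {
    return '{0}.{1}.{2}.{3}' -f (($N -shr 24) -band 255), (($N -shr 16) -band 255), (($N -shr 8) -band 255), ($N -band 255)
}
function Get-IPv4Network ([string]$Ip, [int]$Bits) {
    # First and last integer address of the network containing $Ip/$Bits
    $mask = ([int64]0xFFFFFFFF -shl (32 - $Bits)) -band [int64]0xFFFFFFFF
    $net  = (ConvertTo-IPv4Int $Ip) -band $mask
    return [pscustomobject]@{ First = $net; Last = ($net -bor ([int64]0xFFFFFFFF -bxor $mask)) }
}

$problems = @()

# 1. The pool is Number of L2TP Users consecutive addresses starting at Remote Address Range
$poolFirst = ConvertTo-IPv4Int $RemoteAddressStart
$poolLast  = $poolFirst + $NumberOfUsers - 1
$subnet    = Get-IPv4Network $RemoteAddressStart $SubnetMaskBits
if ($poolLast -gt $subnet.Last) {
    $problems += "Pool runs past the end of the /$SubnetMaskBits subnet: use a larger subnet or a lower user count"
}

# 2. The Server Address must not be one of the addresses handed to clients
$server = ConvertTo-IPv4Int $ServerAddress
if ($server -ge $poolFirst -and $server -le $poolLast) {
    $problems += "Server Address $ServerAddress lies inside the client pool"
}

# 3. The pool must not overlap any subnet already routed on the firewall
foreach ($cidr in $ExistingSubnets) {
    $ip, $bits = $cidr -split '/'
    $n = Get-IPv4Network $ip ([int]$bits)
    if ($poolFirst -le $n.Last -and $poolLast -ge $n.First) {
        $problems += "Client pool overlaps existing subnet $cidr"
    }
}

"Client pool: {0} - {1} ({2} addresses)" -f (ConvertFrom-IPv4Int $poolFirst), (ConvertFrom-IPv4Int $poolLast), $NumberOfUsers
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'Address plan looks consistent' }
```

Run it on a workstation before touching the firewall; a warning means one of the four fields above needs adjusting, and the pool range it prints is what the Outbound NAT and DNS Resolver access-list steps later in the article must cover.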

Add L2TP Users

If RADIUS is not being used, add L2TP users to pfSense.

  • Navigate to VPN > L2TP, Users tab
  • Click "+" to add a new user
  • Fill in Username, Password, and Confirmation
  • Set a static IP address if needed, in the chosen subnet
  • Click Save

Repeat as needed for additional users.

Setup IPsec

With the L2TP server prepared, the next task is to configure the necessary IPsec settings. The settings below have been tested and found to work, but other similar settings may function as well. Feel free to try other encryption algorithms, hashes, etc. Report any additional combinations found to work or not work on the forum.

Mobile Clients Tab

  • Navigate to VPN > IPsec, Mobile Clients tab on pfSense
  • Check Enable IPsec Mobile Client Support
  • Set User Authentication to Local Database (Not used, but the option must have something selected)
  • IMPORTANT: Uncheck Provide a virtual IP address to clients
  • IMPORTANT: Uncheck Provide a list of accessible networks to clients
  • Click Save

Phase 1

  • Click the Tunnels Tab
  • Check Enable IPsec
  • Click Save
  • Click the Create Phase1 button at the top if it appears, or edit the existing Mobile IPsec Phase 1
    • If there is no Phase 1, and the Create Phase1 button does not appear, navigate back to the Mobile Clients tab and click it there.
  • Set Key Exchange version to v1
  • Enter an appropriate Description
  • Set Authentication method to Mutual PSK
  • Set Negotiation Mode to Main
  • Set My Identifier to My IP address
  • Set Encryption algorithm to AES 256
  • Set Hash algorithm to SHA1
  • Set DH key group to 14 (2048 bit)
    • NOTE: iOS and other platforms may work with a DH key group of 2 instead.
  • Set Lifetime to 28800
  • IMPORTANT: Uncheck Disable Rekey
  • IMPORTANT: Uncheck Disable Reauth
  • Set NAT Traversal to Auto
  • Check Enable DPD, set for 10 seconds and 5 retries
  • Click Save

Phase 2

  • Click "+" to show the Mobile IPsec Phase 2 list
  • Click "+" to add a new Phase 2 entry if one does not exist, or click "e" to edit an existing entry
  • IMPORTANT: Set Mode to Transport
  • Enter an appropriate Description
  • Set Protocol to ESP
  • Set Encryption algorithms to ONLY AES 128
  • Set Hash algorithms to ONLY SHA1
  • Set PFS Key Group to off
  • Set Lifetime to 3600
  • Click Save

Pre-Shared Key

With the IPsec tunnel itself ready, now the pre-shared key must be configured in a special way, which is common for all clients.

  • Navigate to VPN > IPsec, Pre-Shared Keys tab on pfSense
  • Click "+" to add a new PSK
  • IMPORTANT: Set the Identifier to allusers
    • NOTE: The "allusers" name is a special keyword used by pfSense to configure a wildcard PSK, which is necessary for L2TP/IPsec to function. Do not use any other Identifier for this PSK!
  • Set Secret Type to PSK
  • Enter a Pre-Shared Key, such as aaabbbccc -- ideally one a lot longer and more random/secure than this example!
  • Click Save
  • Click Apply Changes
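The article's aaabbbccc is only a placeholder; the PSK is shared by every client and is the one secret protecting the IPsec negotiation, so it should come from a CSPRNG. As an added example (not part of the pfSense article), this PowerShell generates such a key for the allusers entry and applies a minimal strength check that rejects short or repetitive candidates. The length and distinct-character thresholds are this example's own choices, not pfSense requirements.

```powershell
# Added example, not from the pfSense documentation: generate a random PSK for the
# "allusers" entry and reject weak candidates such as the article's placeholder "aaabbbccc".
function New-L2tpPsk ([int]$Bytes = 32) {
    # Random bytes from the OS CSPRNG, rendered as hex so the key pastes cleanly into any client UI
    $buf = [byte[]]::new($Bytes)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return ($buf | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-L2tpPsk ([string]$Psk) {
    # Minimum bar chosen for this example: at least 20 characters and at least 10 distinct characters
    $reasons = @()
    if ($Psk.Length -lt 20) {
        $reasons += 'shorter than 20 characters'
    }
    if (($Psk.ToCharArray() | Select-Object -Unique).Count -lt 10) {
        $reasons += 'fewer than 10 distinct characters'
    }
    return [pscustomobject]@{ Acceptable = ($reasons.Count -eq 0); Reasons = $reasons }
}

# The article's placeholder fails both checks
Test-L2tpPsk 'aaabbbccc'

# A freshly generated 64-character hex key passes; paste it into the Pre-Shared Key field
$psk = New-L2tpPsk
Test-L2tpPsk $psk
"Pre-Shared Key for the allusers entry: $psk"
```

Because every L2TP/IPsec client uses this same wildcard PSK, rotating it means updating every client at once; keep that in mind when deciding how widely to distribute it.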

Firewall Rules and NAT

Firewall rules are necessary to pass traffic from the client host over IPsec to establish the L2TP tunnel, and inside L2TP to pass the actual tunneled VPN traffic to systems across the VPN.

IPsec Rules

  • Navigate to Firewall > Rules, IPsec tab
  • Review the current rules. If there is an "allow all" style rule, then there is no need to add another. Continue to the next task.
  • Click "+" to add a new rule
  • Set the Protocol to any, and set the Source and Destination to any as well
    • NOTE: This does not have to pass all traffic, but must at least pass L2TP (UDP port 1701) to the WAN IP address of the firewall
  • Click Save
  • Click Apply Changes

L2TP Rules

  • Navigate to Firewall > Rules, L2TP VPN tab
  • Review the current rules. If there is an "allow all" style rule, then there is no need to add another. Continue to the next task.
  • Click "+" to add a new rule
  • Set the Protocol to any, and set the Source and Destination to any as well
    • NOTE: This does not have to pass all traffic, stricter rules are possible to limit where clients can go
  • Click Save
  • Click Apply Changes

Outbound NAT

If clients must pass over the VPN and then back out to the Internet, outbound NAT will most likely be necessary.

  • Navigate to Firewall > NAT, Outbound tab
  • Check the rules and see if they will apply to L2TP clients. In automatic or hybrid modes, the L2TP subnet should be listed in the automatic rules section.
  • Add rule(s) to cover the L2TP clients if Manual Outbound NAT is enabled and none are present.

DNS Configuration

If DNS servers are supplied to the clients, and if the Unbound DNS Resolver is used, then the subnet chosen for the L2TP clients must be added to its access list.

  • Navigate to Services > DNS Resolver, Access Lists tab
  • Click "+" to add a new access list
  • Enter an Access List Name, such as VPN Users
  • Set Action to Allow
  • Click "+" under Networks to add a new network
  • Enter the VPN client subnet into the Network box, e.g. 192.168.32.128
  • Choose the proper CIDR, e.g. 25
  • Click Save
  • Click Apply Changes

Client Setup

Windows

Now it is time to create the client VPN connection. There are several ways to add such a connection, depending on the version of Windows being used. Adapt as needed.

  • Open Network and Sharing Center on the client PC
  • Click Set up a new connection or network
  • Select Connect to a workplace
  • Click Next
  • Select No, create a new connection
  • Click Next
  • Click Use my Internet Connection (VPN)
  • Enter the IP address or hostname of the server into the Internet address field
  • Enter a Destination Name to identify the connection
  • Click Create

The connection has been added, but with several undesirable defaults. For example, the VPN type defaults to Automatic, in which case Windows will latch onto a PPTP connection if one is available, which is very bad. So a few settings should be set by hand first:

  • In Network Connection / Adapter Settings in Windows, find the connection created above
  • Right click the connection
  • Click Properties
  • Click the Security tab
  • Set Type of VPN to Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)
  • Click Advanced settings
  • Select Use preshared key for authentication
  • Enter the Key used above, e.g. aaabbbccc
  • Click OK
  • Set Data Encryption to Require Encryption (disconnect if server declines)
  • Under Authentication, choose Allow these protocols and select only Challenge Handshake Authentication Protocol (CHAP), matching the Authentication Type chosen in the L2TP server settings
  • Click OK
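The same connection can be created from PowerShell with every setting fixed up front, which avoids the Automatic/PPTP default entirely. The following is an added example, not from the pfSense article: it uses the VpnClient module's Add-VpnConnection with the values the steps above select by hand, then reads the stored connection back for verification. The connection name and server hostname are placeholders.

```powershell
# Added example, not from the pfSense documentation: create the Windows client connection
# with the settings the article chooses by hand, then read the stored settings back.
# Assumptions: the connection name and server hostname below are placeholders.
$ConnectionName = 'pfSense L2TP'          # Destination Name
$ServerAddress  = 'vpn.example.com'       # public IP or hostname of the pfSense WAN
$PskSecure      = Read-Host -AsSecureString -Prompt 'L2TP/IPsec pre-shared key (allusers entry)'
# Add-VpnConnection takes the PSK as plain text; unwrap it only for the call
$PskPlain = [System.Net.NetworkCredential]::new('', $PskSecure).Password

$connection = @{
    Name                 = $ConnectionName
    ServerAddress        = $ServerAddress
    TunnelType           = 'L2tp'       # Type of VPN: L2TP/IPsec, never Automatic (which can pick PPTP)
    L2tpPsk              = $PskPlain    # Use preshared key for authentication
    AuthenticationMethod = 'Chap'       # must match Authentication Type under VPN > L2TP
    EncryptionLevel      = 'Required'   # Require Encryption (disconnect if server declines)
    RememberCredential   = $true
    Force                = $true        # accept the PSK-storage confirmation non-interactively
}
Add-VpnConnection @connection
$PskPlain = $null

# Read back what Windows stored; every field should match the choices above
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel

# To connect from the same prompt (the trailing * makes rasdial ask for the password):
#   rasdial "pfSense L2TP" <l2tp-user-name> *
```

Add-VpnConnection writes to the current user's phonebook by default; add -AllUserConnection from an elevated prompt to make the entry available to every account on the machine.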

Try it Out

It should now be possible to connect to the VPN.

Troubleshooting

Firewall traffic blocked outbound

If the firewall logs show traffic blocked "out" on L2TP, then add a floating firewall rule to work around the block:

  • Navigate to Firewall > Rules, Floating tab
  • Click "+" to add a new rule
  • Set Action to Pass
  • Check Quick
  • Select L2TP VPN for the Interface
  • Set Direction to Out
  • Set Protocol to TCP
  • Set Source/Destination as needed, or set to any
  • Advanced Features:
    • Set TCP Flags to Any flags
    • Set State Type to Sloppy State