SpecialistOff.NET / Вопросы / Статьи / Фрагменты кода / Резюме / Метки / Помощь / Файлы

L2TP/IPsec

L2TP/IPsec is a common VPN type that wraps L2TP, an insecure tunneling protocol, inside a secure channel built using transport mode IPsec.

L2TP/IPsec is supported starting with pfSense 2.2-RELEASE. This article will explain how to configure the service and setup clients.

**WARNING**
Users have reported issues with Windows L2TP/IPsec clients behind NAT. If the clients will be behind NAT, Windows clients will most likely not function. Consider an IKEv2 implementation instead.

Lines marked with are of extra importance to follow correctly.

Setup L2TP

Configure L2TP Server

Navigate to VPN > L2TP
Select Enable L2TP server
Set Interface to WAN
Set Server Address to an unused private subnet IP, such as 192.168.32.1
- NOTE: This is not a public IP address or "listen" IP for the L2TP service, it is a local IP address set as the "gateway" on the clients
Set Remote Address Range to an unused private subnet, such as 192.168.32.128
Set Subnet Mask to an appropriate value for the client address range, such as 25
Set Number of L2TP Users to the highest concurrent number of expected L2TP users, such as 8
Leave Secret blank
Set Authentication Type to CHAP
Set 'L2TP DNS Servers as needed, or leave blank
Set RADIUS options if desired

Add L2TP Users

If RADIUS is not being used, add L2TP users to pfSense.

Navigate to VPN > L2TP, Users tab
Click To add a new user
Fill in Username, Password/Confirmation
Set a static IP address if needed, in the chosen subnet
Click Save

Repeat as needed for additional users.

Setup IPsec

With the L2TP server prepared, the next task is to configure the necessary IPsec settings. The settings below have been tested and found to work, but other similar settings may function as well. Feel free to try other encryption algorithms, hashes, etc. Report any additional combinations found to work or not work on the forum.

Mobile Clients Tab

Navigate to VPN > IPsec, Mobile Clients tab on pfSense
Check Enable IPsec Mobile Client Support
Set User Authentication to Local Database (Not used, but the option must have something selected)
Uncheck Provide a virtual IP address to clients
Uncheck Provide a list of accessible networks to clients
Click Save

Phase 1

Click the Tunnels Tab
Check Enable IPsec
Click Save
Click the Create Phase1 button at the top if it appears, or edit the existing Mobile IPsec Phase 1
- If there is no Phase 1, and the Create Phase1 button does not appear, navigate back to the Mobile Clients tab and click it there.
Set Key Exchange version to v1
Enter an appropriate Description
Set Authentication method to Mutual PSK
Set Negotiation Mode to Main
Set My Identifier to My IP address
Set Encryption algorithm to AES 256
Set Hash algorithm to SHA1
Set DH key group to 14 (2048 bit)
- NOTE: iOS and other platforms may work with a DH key group of 2 instead.
Set Lifetime to 28800
Uncheck Disable Rekey
Uncheck Disable Reauth
Set NAT Traversal to Auto
Check Enable DPD, set for 10 seconds and 5 retries
Click Save

Phase 2

Click to show the Mobile IPsec Phase 2 list
Click to add a new Phase 2 entry if one does not exist, or click to edit an existing entry
Set Mode to Transport
Enter an appropriate Description
Set Protocol to ESP
Set Encryption algorithms to ONLY AES 128
Set Hash algorithms to ONLY SHA1
Set PFS Key Group to off
Set Lifetime to 3600
Click Save

Pre-Shared Key

With the IPsec tunnel itself ready, now the pre-shared key must be configured in a special way, which is common for all clients.

Navigate to VPN > IPsec, Pre-Shared Keys tab on pfSense
Click to add a new PSK
Set the Identifier to allusers
- NOTE: The "allusers" name is a special keyword used by pfSense to configure a wildcard PSK, which is necessary for L2TP/IPsec to function. Do not use any other Identifierfor this PSK!
Set Secret Type to PSK
Enter a Pre-Shared Key, such as aaabbbccc -- ideally one a lot longer and more random/secure than this example!
Click Save
Click Apply Changes

Firewall Rules and NAT

Firewall rules are necessary to pass traffic from the client host over IPsec to establish the L2TP tunnel, and inside L2TP to pass the actual tunneled VPN traffic to systems across the VPN.

IPsec Rules

Navigate to Firewall > Rules, IPsec tab
Review the current rules. If there is an "allow all" style rule, then there is no need to add another. Continue to the next task.
Click to add a new rule
Set the Protocol to any, and set the Source and Destination to any as well
- NOTE: This does not have to pass all traffic, but must at least pass L2TP (UDP port 1701) to the WAN IP address of the firewall
Click Save
Click Apply Changes

L2TP Rules

Navigate to Firewall > Rules, L2TP VPN tab
Review the current rules. If there is an "allow all" style rule, then there is no need to add another. Continue to the next task.
Click to add a new rule
Set the Protocol to any, and set the Source and Destination to any as well
- NOTE: This does not have to pass all traffic, stricter rules are possible to limit where clients can go
Click Save
Click Apply Changes

Outbound NAT

If clients must pass over the VPN and then back out to the Internet, outbound NAT will most likely be necessary.

Navigate to Firewall > NAT, Outbound tab
Check the rules and see if they will apply to L2TP clients. In automatic or hybrid modes, the L2TP subnet should be listed in the automatic rules section.
Add rule(s) to cover the L2TP clients if Manual Outbound NAT is enabled and none are present.

DNS Configuration

If DNS servers are supplied to the clients, and if the Unbound DNS Resolver is used, then the subnet chosen for the L2TP clients must be added to its access list.

Navigate to Services > DNS Resolver, Access Lists tab
Click to add a new access list
Enter an Access List Name, such as VPN Users
Set Action to Allow
Click under Networks to add a new network
Enter the VPN client subnet into the Network box, e.g. 192.168.32.128
Choose the proper CIDR, e.g. 25
Click Save
Click Apply Changes

Client Setup

Windows

Now it is time to create the client VPN connection. There are several ways to add such a connection, depending on the version of Windows being used. Adapt as needed.

Open Network and Sharing Center on the client PC
Click Set up a new connection or network
Select Connect to a workplace
Click Next
Select No, create a new connection
Click Next
Click Use my Internet Connection (VPN)
Enter the IP address or hostname of the server into the Internet address field
Enter a Destination Name to identify the connection
Click Create

The connection has been added but with several undesirable defaults. For example the type defaults to automatic and it will latch onto a PPTP connection if one exists, which is very bad. So a few settings should be set by hand first:

In Network Connection / Adapter Settings in Windows, find the connection created above
Right click the connection
Click Properties
Click the Security tab
Set Type of VPN to Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)
Click Advanced settings
Select Use preshared key for authentication
Enter the Key used above, e.g. aaabbbccc
Click OK
Set Data Encryption to Require Encryption (disconnect if server declines)
Set Authentication / Allow these protocols to Challenge Handshake Authentication Protocol (CHAP) -- set to match the value chosen in L2TP
Click OK

Try it Out

It should now be possible to connect to the VPN

Troubleshooting

Firewall traffic blocked outbound

If the firewall logs show traffic blocked "out" on L2TP, then add a floating firewall rule to work around the block:

Navigate to Firewall > Rules, Floating tab
Click to add a new rule
Set 'Action to Pass
Check Quick
Select L2TP VPN for the Interface
Set Direction to Out
Set Protocol to TCP
Set Source/Destination as needed, or set to any
Advanced Features:
- Set TCP Flags to Any flags
- Set State Type to Sloppy State