L2TP with IPsec¶
On current versions of pfSense, L2TP/IPsec may be configured for mobile clients, though it is not a configuration we recommend.
As warned at the start of the chapter, the Windows client, among others, and the strongSwan IPsec daemon are not always compatible, leading to failure in many cases. We strongly recommend using another solution such as IKEv2 instead of L2TP/IPsec.
Example IKEv2 Server Configuration contains a walkthrough for configuring IKEv2.
Before configuring the IPsec portion, setup the L2TP server as described in L2TP Server Configuration and add users, firewall rules, etc, as covered there.
These settings have been tested and found to work with some clients, but other similar settings may function as well. Feel free to try other encryption algorithms, hashes, etc.
Mobile Clients Tab¶
- Navigate to VPN > IPsec, Mobile Clients tab on pfSense
- Check Enable IPsec Mobile Client Support
- Set User Authentication to Local Database (Not used, but the option must have something selected)
- Uncheck Provide a virtual IP address to clients
- Uncheck Provide a list of accessible networks to clients
- Click Save
Click the Create Phase1 button at the top if it appears, or edit the existing Mobile IPsec Phase 1
- If there is no Phase 1, and the Create Phase1 button does not appear, navigate back to the Mobile Clients tab and click it there.
Set Key Exchange version to v1
Enter an appropriate Description
Set Authentication method to Mutual PSK
Set Negotiation Mode to Main
Set My Identifier to My IP address
Set Encryption algorithm to AES 256
Set Hash algorithm to SHA1
Set DH key group to 14 (2048 bit)
iOS and other platforms may work with a DH key group of 2 instead.
Set Lifetime to
Uncheck Disable Rekey
Set NAT Traversal to Auto
Check Enable DPD, set for 10 seconds and 5 retries
- Click Show Phase 2 Entries to show the Mobile IPsec Phase 2 list
- Click Add P2 to add a new Phase 2 entry if one does not exist, or click to edit an existing entry
- Set Mode to Transport
- Enter an appropriate Description
- Set Protocol to ESP
- Set Encryption algorithms to ONLY AES 128
- Set Hash algorithms to ONLY SHA1
- Set PFS Key Group to off
- Set Lifetime to
- Click Save
IPsec Firewall Rules¶
Firewall rules are necessary to pass traffic from the client host over IPsec to establish the L2TP tunnel, and inside L2TP to pass the actual tunneled VPN traffic to systems across the VPN. Adding the L2TP rules was covered in the previous section. To add IPsec rules:
Navigate to Firewall > Rules, IPsec tab
Review the current rules. If there is an “allow all” style rule, then there is no need to add another. Continue to the next task.
Click Add to add a new rule to the top of the list
Set the Protocol to any
Set the Source and Destination to any
This does not have to pass all traffic, but must at least pass L2TP (UDP port
1701) to the WAN IP address of the firewall
Click Apply Changes
If DNS servers are supplied to the clients and the Unbound DNS Resolver is used, then the subnet chosen for the L2TP clients must be added to its access list.
- Navigate to Services > DNS Resolver, Access Lists tab
- Click Add to add a new access list
- Enter an Access List Name, such as VPN Users
- Set Action to Allow
- Click Add Network under Networks to add a new network
- Enter the VPN client subnet into the Network box, e.g.
- Choose the proper CIDR, e.g.
- Click Save
- Click Apply Changes
When configuring clients, there are a few points to look for:
- Ensure that the client operating system configuration is set to connect to the proper external address for the VPN.
- It may be necessary to force the VPN type to L2TP/IPsec on the client if it has an automatic mode.
- The client authentication type must match what is configured on the L2TP server (e.g. CHAP)