L2TP/IPsec Remote Access VPN Configuration Example

On current versions of pfSense® software, L2TP/IPsec may be configured for mobile clients, though it is not a desirable configuration.

Warning

Users have reported issues with Windows L2TP/IPsec clients behind NAT. If the clients will be behind NAT, Windows clients will most likely not function.

Consider an IKEv2 implementation instead.

As warned at the start of the chapter, the Windows client, among others, and the strongSwan IPsec daemon are not always compatible, leading to failure in many cases. The best practice is to use another solution such as IKEv2 instead of L2TP/IPsec.

See also

IPsec Remote Access VPN Example Using IKEv2 with EAP-MSCHAPv2 contains a walkthrough for configuring IKEv2.

Before configuring the IPsec portion, setup the L2TP server as described in L2TP Server Configuration and add users, firewall rules, etc, as covered there.

Setup IPsec

These settings have been tested and found to work with some clients, but other similar settings may function as well. Feel free to try other encryption algorithms, hashes, etc.

Mobile Clients Tab

  • Navigate to VPN > IPsec, Mobile Clients tab in the pfSense software GUI

  • Configure the settings as follows:

    Enable IPsec Mobile Client Support:

    Checked

    User Authentication:

    Local Database (Not used, but the option must have something selected)

    Provide a virtual IP address to clients:

    Unchecked

    Provide a list of accessible networks to clients:

    Unchecked

  • Click Save

Phase 1

  • Click the Create Phase1 button at the top if it appears, or edit the existing Mobile IPsec Phase 1

    • If there is no Phase 1, and the Create Phase1 button does not appear, navigate back to the Mobile Clients tab and click it there.

  • Configure the settings as follows:

    Key Exchange version:

    v1 or Auto

    Description:

    Text describing the tunnel

    Authentication method:

    Mutual PSK

    Negotiation Mode:

    Main

    My Identifier:

    My IP address

    Encryption algorithm:

    AES 256

    Hash algorithm:

    SHA1

    DH key group:

    14 (2048 bit)

    Note

    iOS and other platforms may work with a DH key group of 2 instead.

    Lifetime:

    28800

    Disable Rekey:

    Unchecked

    NAT Traversal:

    Auto

    Enable DPD:

    Checked, set for 10 seconds and 5 retries

  • Click Save

Phase 2

  • Click fa-plus-circle Show Phase 2 Entries to show the Mobile IPsec Phase 2 list

  • Click fa-plus Add P2 to add a new Phase 2 entry if one does not exist, or click fa-pencil to edit an existing entry

  • Configure the settings as follows:

    Mode:

    Transport

    Description:

    Text describing the tunnel

    Protocol:

    ESP

    Encryption algorithms:

    ONLY AES 128

    Hash algorithms:

    ONLY SHA1

    PFS Key Group:

    off

    Lifetime:

    3600

  • Click Save

Pre-Shared Key

The Pre-Shared Key for the connection, which is common for all clients, must be configured in a special way.

  • Navigate to VPN > IPsec, Pre-Shared Keys tab on pfSense software

  • Click fa-plus Add to add a new PSK

  • Configure the settings as follows:

    Identifier:

    allusers

    Note

    The allusers name is a special keyword used by pfSense software to configure a wildcard PSK, which is necessary for L2TP/IPsec to function. Do not use any other Identifier for this PSK!

    Secret Type:

    PSK

    Pre-Shared Key:

    A password for the user, such as aaabbbccc – ideally one a lot longer, more random, and secure!

  • Click Save

  • Click Apply Changes

IPsec Firewall Rules

Firewall rules are necessary to pass traffic from the client host over IPsec to establish the L2TP tunnel, and inside L2TP to pass the actual tunneled VPN traffic to systems across the VPN. Adding the L2TP rules was covered in the previous section. To add IPsec rules:

  • Navigate to Firewall > Rules, IPsec tab

  • Review the current rules. If there is an “allow all” style rule, then there is no need to add another. Continue to the next task.

  • Click fa-turn-up Add to add a new rule to the top of the list

  • Configure the options as follows:

    Protocol:

    any

    Source:

    any

    Destination:

    any

    Note

    This does not have to pass all traffic, but must at least pass L2TP (UDP port 1701) to the WAN IP address of the firewall.

  • Click Save

  • Click Apply Changes

DNS Configuration

If DNS servers are supplied to the clients and the Unbound DNS Resolver is used, then the subnet chosen for the L2TP clients must be added to its access list.

  • Navigate to Services > DNS Resolver, Access Lists tab

  • Click fa-plus Add to add a new access list

  • Enter an Access List Name, such as VPN Users

  • Set Action to Allow

  • Click fa-plus Add Network under Networks to add a new network

  • Enter the VPN client subnet into the Network box, e.g. 10.3.177.128

  • Choose the proper CIDR, e.g. 25

  • Click Save

  • Click Apply Changes

Client Setup

When configuring clients, there are a few points to look for:

  • Ensure that the client operating system configuration is set to connect to the proper external address for the VPN.

  • It may be necessary to force the VPN type to L2TP/IPsec on the client if it has an automatic mode.

  • The client authentication type must match what is configured on the L2TP server (e.g. CHAP)