Connecting to L2TP/IPsec from Android

The L2TP/IPsec client on Android can set a custom IPsec identifier, which lets it match a Pre-Shared Key entry on the server running pfSense® software. Clients on other operating systems do not offer this setting, which makes them incompatible with current versions of pfSense software.

IPsec Setup

The setup is similar to the IPsec Remote Access VPN Example Using IKEv1 with Xauth, with two differences: the Phase 1 authentication method is “Mutual PSK” rather than Xauth, and Phase 2 uses Transport mode rather than Tunnel mode.

Pre-Shared Keys

After the tunnel has been configured, click the “Pre-Shared Keys” tab in the IPsec settings and add IPsec keys. A single group key may be used if desired, or make separate keys for different users. The identifier entered for each key must match exactly what the client sends as its IPsec Identifier, and each key should be a long random value.

That’s it for IPsec!

L2TP Setup

To setup L2TP:

  • Navigate to VPN > L2TP

  • Configure the settings as follows:

    Enable L2TP Server

    Checked

    Interface

    WAN (or the same chosen for IPsec)

    Server Address

An unused IP address in a new subnet, e.g. x.x.x.2.

    Warning

    This MUST NOT overlap any IP address in use on the firewall.

    Remote Address Range

    The starting IP of the clients, e.g. x.x.x.128

    Subnet netmask

The netmask for the client connection; the server IP address should fall inside this subnet, e.g. /24

    Secret

    blank

    This does not appear to work, at least with the Android version tested.

    Encryption Type

    CHAP is recommended

    L2TP DNS Servers

    The LAN IP address of the firewall or another internal DNS server

    RADIUS settings

    Configure if needed, otherwise leave them at defaults

  • Save

  • Navigate to the Users tab

  • Add L2TP user accounts and passwords

  • Navigate to Firewall > Rules on the L2TP VPN tab

  • Add a firewall rule to pass traffic, e.g. from any to any, or something much more restrictive if preferred.
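
The Server Address, Remote Address Range and Subnet netmask fields above must agree with each other and with the addresses already assigned to the firewall. The following script, added here as an example and not part of pfSense software or this guide, checks an address plan against those constraints before it is typed into the GUI. The firewall interface addresses, the client count of 32 and the overlap check on the whole L2TP subnet are assumptions for the example; the page itself only requires that the server address not collide with an address in use on the firewall and that it fall inside the client subnet.

```python
import ipaddress

# Constructed sample of addresses already assigned to firewall interfaces.
# These are assumptions for the example, not values from the page.
FIREWALL_ADDRESSES = {
    "WAN": "203.0.113.10/24",
    "LAN": "192.168.1.1/24",
}


def check_l2tp_address_plan(server_address, remote_start, prefix_len,
                            client_count=32, firewall_addresses=FIREWALL_ADDRESSES):
    """Validate the Server Address / Remote Address Range / Subnet netmask trio.

    Returns a list of problem strings; an empty list means the plan satisfies
    the constraints described in the L2TP setup steps.
    """
    problems = []
    server_ip = ipaddress.ip_address(server_address)
    first_client = ipaddress.ip_address(remote_start)
    last_client = first_client + (client_count - 1)
    # The netmask applies to the client connection, so derive the subnet
    # from the start of the client range.
    subnet = ipaddress.ip_network(f"{remote_start}/{prefix_len}", strict=False)

    # Warning from the page: the server address must not be any address
    # already in use on the firewall.
    for name, cidr in firewall_addresses.items():
        iface = ipaddress.ip_interface(cidr)
        if server_ip == iface.ip:
            problems.append(f"server address {server_ip} is already the {name} address")
        # Extra check (assumption, not stated on the page): an L2TP subnet that
        # overlaps an interface network will compete with it for routes.
        if subnet.overlaps(iface.network):
            problems.append(f"L2TP subnet {subnet} overlaps the {name} network {iface.network}")

    # The server address should be included in the client subnet.
    if server_ip not in subnet:
        problems.append(f"server address {server_ip} is outside client subnet {subnet}")

    # The client range must fit inside the subnet and must not reuse the server address.
    if last_client not in subnet:
        problems.append(f"client range {first_client}-{last_client} runs past subnet {subnet}")
    if first_client <= server_ip <= last_client:
        problems.append(f"client range {first_client}-{last_client} includes server address {server_ip}")
    if first_client == subnet.network_address or last_client == subnet.broadcast_address:
        problems.append("client range uses the network or broadcast address")

    return problems


if __name__ == "__main__":
    # The page's worked values: server x.x.x.2, clients from x.x.x.128, netmask /24,
    # followed by two deliberately broken plans.
    for plan in [("10.10.10.2", "10.10.10.128", 24),
                 ("192.168.1.1", "192.168.1.128", 24),
                 ("10.10.10.2", "10.10.10.250", 24)]:
        print(plan, check_l2tp_address_plan(*plan) or "OK")
```

Run the script as-is to see the page's example plan pass while a server address that reuses the LAN IP, or a client range that spills past the end of the /24, is flagged.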

Android Client Setup

On the phone/tablet/device:

  • Navigate to the system settings and then the VPN settings (the exact path varies by device and Android version)

  • Tap Add VPN Profile

  • Configure the settings as follows:

    Name

    Enter a name

    Type

    Tap L2TP/IPsec PSK

    Server Address

    The WAN IP of the firewall (or the IP address of the interface chosen for IPsec and L2TP)

    L2TP Secret

    blank

    IPsec Identifier

    Enter the identifier for the PSK entered previously, either a per-user or common identifier

    IPsec Pre-Shared Key

    The PSK that goes with the identifier for this user/group

    Advanced Options

    May be used to control which networks will attempt to use the VPN, or specify custom DNS server and domains for this client.

  • Tap Save

  • Tap the newly created VPN entry in the VPN list

  • Enter the username and password from the L2TP Users

  • Optionally check Save account information to store the VPN credentials on the device (not recommended)

  • Tap Connect

The connection should then be established and pass traffic. If it does not, check the IPsec logs and the L2TP raw log (Status > System Logs, VPN, L2TP Raw) for more specific errors.

Other Thoughts

In theory, Mutual RSA should also work, but so far it has not succeeded in testing. In RSA mode, Phase 1 must use Main mode; otherwise the configuration should be the same as above.