L2TP Troubleshooting

This section covers troubleshooting steps for the most common problems users encounter with L2TP.

Cannot connect

Check that firewall rules have been added to the external interface where the L2TP traffic enters the firewall. Also make sure the client is connecting to the interface IP address chosen on the L2TP settings.

Connected to L2TP but cannot pass traffic

Ensure firewall rules have been added to the L2TP VPN interface as described in Configure firewall rules for L2TP clients.

Also ensure the remote subnet across the VPN is different from the local subnet. It is not possible to reach a 192.168.1.0/24 network across the VPN when the local subnet where the client resides is also 192.168.1.0/24: traffic destined for that subnet will never traverse the VPN, because the client treats it as directly connected and delivers it on the local network. This is why it is important to choose a relatively obscure LAN subnet when using a VPN.
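The following Python snippet is an added illustration of that route-selection behaviour, not part of the pfSense documentation. It simulates the client's routing decision with a constructed routing table and flags which remote VPN subnets are shadowed by the client's own LAN. It assumes longest-prefix matching with the directly connected route winning an equal-length tie, which is the usual metric behaviour on client operating systems.

```python
import ipaddress

# Constructed routing table for an L2TP client that sits on a 192.168.1.0/24
# LAN and has also been handed a VPN route to a 192.168.1.0/24 subnet on the
# far side. Shape: (destination network, outgoing interface).
CLIENT_ROUTES = [
    ("192.168.1.0/24", "local-lan"),  # directly connected LAN
    ("192.168.1.0/24", "l2tp-vpn"),   # remote site behind the VPN (same subnet!)
    ("10.50.0.0/16", "l2tp-vpn"),     # a remote subnet that does not overlap
    ("0.0.0.0/0", "local-lan"),       # default route via the local gateway
]


def select_interface(routes, destination, connected="local-lan"):
    """Return the interface a packet to `destination` leaves on.

    Longest prefix wins. On an equal-length tie the directly connected route
    wins (assumption: the connected interface has the lower metric).
    """
    dst = ipaddress.ip_address(destination)
    best_net, best_via = None, None
    for net, via in routes:
        network = ipaddress.ip_network(net)
        if dst not in network:
            continue
        if best_net is None or network.prefixlen > best_net.prefixlen:
            best_net, best_via = network, via
        elif network.prefixlen == best_net.prefixlen and via == connected:
            best_via = via  # tie: the connected route shadows the VPN route
    return best_via


def shadowed_remote_subnets(local_subnet, remote_subnets):
    """Return the remote VPN subnets that overlap the client's local subnet.

    Traffic to these subnets never enters the tunnel, so they are a
    misconfiguration to fix by renumbering one side.
    """
    local = ipaddress.ip_network(local_subnet)
    return [r for r in remote_subnets if ipaddress.ip_network(r).overlaps(local)]


if __name__ == "__main__":
    for host in ("192.168.1.50", "10.50.3.7", "8.8.8.8"):
        print(host, "->", select_interface(CLIENT_ROUTES, host))
    print("shadowed:", shadowed_remote_subnets("192.168.1.0/24",
                                              ["192.168.1.0/24", "10.50.0.0/16"]))
```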

Connection Fails with a Windows Client

If the IPsec layer appears to complete, but no L2TP traffic passes, it is likely a known incompatibility between Windows and the strongSwan daemon used on pfSense. There is currently no known workaround except to move the Windows system out from behind NAT, or to use a different style VPN such as IKEv2.

L2TP Traffic Blocked Outbound

In some cases, such as when combined with IPsec, L2TP traffic may also require special handling via floating rules. This appears as blocked traffic in the outbound direction in the firewall logs, showing an L2TP server interface.

If this happens, add a floating rule as follows:

  • Navigate to Firewall > Rules, Floating tab
  • Click Add to add a new rule to the top of the list
  • Set Action to Pass
  • Check Quick
  • Select L2TP VPN for the Interface
  • Set Direction to Out
  • Set Protocol to TCP
  • Set Source/Destination as needed, or set to any
  • Advanced Features:
    • Set TCP Flags to Any flags
    • Set State Type to Sloppy State