L2TP with IPsec

On current versions of pfSense, L2TP/IPsec may be configured for mobile clients, though it is not a configuration we recommend.

As warned at the start of the chapter, the Windows client, among others, and the strongSwan IPsec daemon are not always compatible, leading to failure in many cases. We strongly recommend using another solution such as IKEv2 instead of L2TP/IPsec.

See also

Example IKEv2 Server Configuration contains a walkthrough for configuring IKEv2.

Before configuring the IPsec portion, set up the L2TP server as described in L2TP Server Configuration and add users, firewall rules, etc., as covered there.

Setup IPsec

These settings have been tested and found to work with some clients, but other similar settings may function as well. Feel free to try other encryption algorithms, hashes, etc.

Mobile Clients Tab

  • Navigate to VPN > IPsec, Mobile Clients tab on pfSense
  • Check Enable IPsec Mobile Client Support
  • Set User Authentication to Local Database (not used, but the option must have something selected)
  • Uncheck Provide a virtual IP address to clients
  • Uncheck Provide a list of accessible networks to clients
  • Click Save

Phase 1

  • Click the Create Phase1 button at the top if it appears, or edit the existing Mobile IPsec Phase 1

    • If there is no Phase 1, and the Create Phase1 button does not appear, navigate back to the Mobile Clients tab and click it there.
  • Set Key Exchange version to v1

  • Enter an appropriate Description

  • Set Authentication method to Mutual PSK

  • Set Negotiation Mode to Main

  • Set My Identifier to My IP address

  • Set Encryption algorithm to AES 256

  • Set Hash algorithm to SHA1

  • Set DH key group to 14 (2048 bit)

    Note

    iOS and other platforms may work with a DH key group of 2 instead.

  • Set Lifetime to 28800

  • Uncheck Disable Rekey

  • Set NAT Traversal to Auto

  • Check Enable DPD, set for 10 seconds and 5 retries

  • Click Save

Phase 2

  • Click Show Phase 2 Entries to show the Mobile IPsec Phase 2 list
  • Click Add P2 to add a new Phase 2 entry if one does not exist, or click the edit icon to edit an existing entry
  • Set Mode to Transport
  • Enter an appropriate Description
  • Set Protocol to ESP
  • Set Encryption algorithms to ONLY AES 128
  • Set Hash algorithms to ONLY SHA1
  • Set PFS Key Group to off
  • Set Lifetime to 3600
  • Click Save

Pre-Shared Key

The Pre-Shared Key for the connection, which is common for all clients, must be configured in a special way.

  • Navigate to VPN > IPsec, Pre-Shared Keys tab on pfSense

  • Click Add to add a new PSK

  • Set the Identifier to allusers

    Note

    The allusers name is a special keyword used by pfSense to configure a wildcard PSK, which is necessary for L2TP/IPsec to function. Do not use any other Identifier for this PSK!

  • Set Secret Type to PSK

  • Enter a Pre-Shared Key, such as aaabbbccc – ideally one a lot longer, more random, and secure!

  • Click Save

  • Click Apply Changes
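As an added illustration, not the configuration pfSense itself generates, the Phase 1, Phase 2 and wildcard PSK settings above map onto the strongSwan daemon (which pfSense uses) roughly as follows in swanctl.conf syntax. The connection name, the traffic selectors and the DPD timeout derived from 10 seconds × 5 retries are assumptions.

```conf
# Added example: strongSwan swanctl.conf equivalent of the GUI settings above.
# Not the file pfSense generates; the name "l2tp-mobile", the traffic
# selectors and the derived DPD timeout are assumptions.
connections {
    l2tp-mobile {
        # Phase 1: Key Exchange version v1, Negotiation Mode Main
        version = 1
        aggressive = no
        # Encryption AES 256, Hash SHA1, DH key group 14 (2048 bit)
        proposals = aes256-sha1-modp2048
        # Lifetime 28800 with rekeying allowed ("Disable Rekey" unchecked)
        rekey_time = 28800s
        # DPD every 10 seconds; 5 retries assumed to equal a 50 s timeout
        dpd_delay = 10s
        dpd_timeout = 50s
        # NAT Traversal "Auto": keep the default so UDP encapsulation is
        # used only when NAT is detected
        encap = no
        # Mutual PSK; "My IP address" is the default local identity
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            l2tp {
                # Phase 2: Mode Transport, Protocol ESP
                mode = transport
                # ONLY AES 128, ONLY SHA1, PFS off (no DH group in proposal)
                esp_proposals = aes128-sha1
                # Lifetime 3600
                rekey_time = 3600s
                # Assumed selectors: protect only L2TP (UDP 1701) on the
                # firewall side; clients may use any UDP source port
                local_ts = dynamic[udp/1701]
                remote_ts = dynamic[udp]
            }
        }
    }
}

secrets {
    # Wildcard PSK: a secret with no "id" entry matches any peer, which is
    # what the pfSense "allusers" identifier configures
    ike-allusers {
        secret = "aaabbbccc"
    }
}
```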

IPsec Firewall Rules

Firewall rules are necessary to pass traffic from the client host over IPsec to establish the L2TP tunnel, and inside L2TP to pass the actual tunneled VPN traffic to systems across the VPN. Adding the L2TP rules was covered in the previous section. To add IPsec rules:

  • Navigate to Firewall > Rules, IPsec tab

  • Review the current rules. If there is an “allow all” style rule, then there is no need to add another. Continue to the next task.

  • Click Add to add a new rule to the top of the list

  • Set the Protocol to any

  • Set the Source and Destination to any

    Note

    This does not have to pass all traffic, but it must at least pass L2TP (UDP port 1701) to the WAN IP address of the firewall.

  • Click Save

  • Click Apply Changes

DNS Configuration

If DNS servers are supplied to the clients and the Unbound DNS Resolver is used, then the subnet chosen for the L2TP clients must be added to its access list.

  • Navigate to Services > DNS Resolver, Access Lists tab
  • Click Add to add a new access list
  • Enter an Access List Name, such as VPN Users
  • Set Action to Allow
  • Click Add Network under Networks to add a new network
  • Enter the VPN client subnet into the Network box, e.g. 10.3.177.128
  • Choose the proper CIDR, e.g. 25
  • Click Save
  • Click Apply Changes

Client Setup

When configuring clients, there are a few points to look for:

  • Ensure that the client operating system configuration is set to connect to the proper external address for the VPN.
  • It may be necessary to force the VPN type to L2TP/IPsec on the client if it has an automatic mode.
  • The client authentication type must match what is configured on the L2TP server (e.g. CHAP).