L2TP/IPsec Remote Access VPN Configuration Example (2024)

On current versions of pfSense® software, L2TP/IPsec may be configured formobile clients, though it is not a desirable configuration.

Warning

Users have reported issues with Windows L2TP/IPsec clients behind NAT. If theclients will be behind NAT, Windows clients will most likely not function.

Consider an IKEv2 implementation instead.

As warned at the start of the chapter, the Windows client, among others, and thestrongSwan IPsec daemon are not always compatible, leading to failure in manycases. The best practice is to use another solution such as IKEv2 instead ofL2TP/IPsec.

Setup IPsec¶

These settings have been tested and found to work with some clients, but othersimilar settings may function as well. Feel free to try other encryptionalgorithms, hashes, etc.

Mobile Clients Tab¶

Navigate to VPN > IPsec, Mobile Clients tab in the pfSense softwareGUI
Configure the settings as follows:
Enable IPsec Mobile Client Support:
Checked
User Authentication:
Local Database (Not used, but the option must have something selected)
Provide a virtual IP address to clients:
Unchecked
Provide a list of accessible networks to clients:
Unchecked
Click Save

Phase 1¶

Click the Create Phase1 button at the top if it appears, or edit theexisting Mobile IPsec Phase 1
See Also
How to setup your own OpenVPN server in pfSense
- If there is no Phase 1, and the Create Phase1 button does not appear,navigate back to the Mobile Clients tab and click it there.
Configure the settings as follows:
Key Exchange version:
v1 or Auto
Description:
Text describing the tunnel
Authentication method:
Mutual PSK
Negotiation Mode:
Main
My Identifier:
My IP address
Encryption algorithm:
AES 256
Hash algorithm:
SHA1
DH key group:
14 (2048 bit)
Note
iOS and other platforms may work with a DH key group of 2 instead.
Lifetime:
28800
Disable Rekey:
Unchecked
NAT Traversal:
Auto
Enable DPD:
Checked, set for 10 seconds and 5 retries
Click Save

Phase 2¶

Click Show Phase 2 Entries to show the Mobile IPsec Phase2 list
Click Add P2 to add a new Phase 2 entry if one does not exist,or click to edit an existing entry
Configure the settings as follows:
Mode:
Transport
Description:
Text describing the tunnel
Protocol:
ESP
Encryption algorithms:
ONLY AES 128
Hash algorithms:
ONLY SHA1
PFS Key Group:
off
Lifetime:
3600
Click Save

IPsec Firewall Rules¶

Firewall rules are necessary to pass traffic from the client host over IPsec toestablish the L2TP tunnel, and inside L2TP to pass the actual tunneled VPNtraffic to systems across the VPN. Adding the L2TP rules was covered in theprevious section. To add IPsec rules:

Navigate to Firewall > Rules, IPsec tab
Review the current rules. If there is an “allow all” style rule, then there isno need to add another. Continue to the next task.
Click Add to add a new rule to the top of the list
Configure the options as follows:
Protocol:
any
Source:
any
Destination:
any
Note
This does not have to pass all traffic, but must at least pass L2TP (UDPport 1701) to the WAN IP address of the firewall.
Click Save
Click Apply Changes

DNS Configuration¶

If DNS servers are supplied to the clients and the Unbound DNS Resolver isused, then the subnet chosen for the L2TP clients must be added to its accesslist.

Navigate to Services > DNS Resolver, Access Lists tab
Click Add to add a new access list
Enter an Access List Name, such as VPN Users
Set Action to Allow
Click Add Network under Networks to add a new network
Enter the VPN client subnet into the Network box, e.g. 10.3.177.128
Choose the proper CIDR, e.g. 25
Click Save
Click Apply Changes

Client Setup¶

When configuring clients, there are a few points to look for:

Ensure that the client operating system configuration is set to connect to theproper external address for the VPN.
It may be necessary to force the VPN type to L2TP/IPsec on the client ifit has an automatic mode.
The client authentication type must match what is configured on the L2TPserver (e.g. CHAP)