2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/03 Report
L2TP/IPsec is a common VPN type that carries L2TP (a tunneling protocol with no encryption of its own) inside a secure channel built with IPsec transport mode. L2TP/IPsec is supported from pfSense 2.2-RELEASE onward. This article describes how to configure the server and set up the client.
L2TP Settings
Configure the L2TP server
Navigate to VPN > L2TP
Check Enable L2TP server
Select the WAN interface
Set Server Address to an unused IP from a private subnet, such as 192.168.32.1. Note: this is not a public IP address and not the "listening" IP of the L2TP service; it is a local address that clients will use as their gateway
Set Remote Address Range to an unused private subnet, such as 192.168.32.128
Set Subnet Mask to the value appropriate for the client address range, for example 25
Set Number of L2TP Users to the expected maximum number of concurrent L2TP users, for example 8
Leave the Secret field blank
Set Authentication Type to CHAP
Set the L2TP DNS servers, or leave them blank
Set the RADIUS options if needed
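The Server Address, Remote Address Range, Subnet Mask and Number of L2TP Users have to agree with each other: the server address must not fall inside the client pool, both must be private, and the pool must hold at least as many addresses as users. The following Python check is an added example, not part of the original article or of pfSense; the constants are the values used in the steps above, and the assumption that pfSense hands out client addresses in order from the range start is my own.

```python
import ipaddress
from typing import List

# Constructed values matching the steps above (assumption: these are what was
# typed into the pfSense L2TP page; change them to your own plan).
SERVER_ADDRESS = "192.168.32.1"
REMOTE_RANGE_START = "192.168.32.128"
SUBNET_MASK_BITS = 25
NUMBER_OF_USERS = 8


def l2tp_client_block(range_start: str, mask_bits: int) -> ipaddress.IPv4Network:
    """The block described by Remote Address Range plus Subnet Mask.
    strict=False accepts a range start that is not the block's first address."""
    return ipaddress.ip_network(f"{range_start}/{mask_bits}", strict=False)


def usable_client_addresses(range_start: str, mask_bits: int) -> int:
    """Addresses available from the range start up to (not including) the
    block's broadcast address. Assumption: pfSense hands them out in order."""
    block = l2tp_client_block(range_start, mask_bits)
    return int(block.broadcast_address) - int(ipaddress.ip_address(range_start))


def check_l2tp_addressing(server: str, range_start: str, mask_bits: int, users: int) -> List[str]:
    """Return the problems found; an empty list means the plan is consistent."""
    problems = []
    srv = ipaddress.ip_address(server)
    block = l2tp_client_block(range_start, mask_bits)
    if not srv.is_private:
        problems.append(f"server address {server} is not from a private (RFC 1918) range")
    if not block.is_private:
        problems.append(f"client block {block} is not from a private range")
    if srv in block:
        problems.append(f"server address {server} lies inside the client block {block}; "
                        "it would collide with a client address")
    usable = usable_client_addresses(range_start, mask_bits)
    if users > usable:
        problems.append(f"{users} users requested but only {usable} addresses are available "
                        f"between {range_start} and the end of {block}")
    return problems


if __name__ == "__main__":
    report = check_l2tp_addressing(SERVER_ADDRESS, REMOTE_RANGE_START,
                                   SUBNET_MASK_BITS, NUMBER_OF_USERS)
    for line in report or ["address plan is consistent"]:
        print(line)
```

With the article's values the check reports nothing: 192.168.32.1 sits outside 192.168.32.128/25, and the /25 leaves 127 addresses for 8 users. Moving the server address into the pool, or asking for 200 users, produces a finding.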
Add L2TP user
If you are not using RADIUS, add the L2TP user to pfSense.
Navigate to VPN > L2TP, Users tab
Click "+" to add a new user
Fill in Username and Password (with confirmation)
If necessary, set a static IP address within the chosen subnet
Click Save
Add more users repeatedly as needed
IPsec Settings
After setting up the L2TP server, set up IPsec. The following settings have been tested and work, but other similar settings may also work.
Mobile Clients Tab
Navigate to VPN > IPsec, Mobile Clients tab
Check Enable IPsec Mobile Client Support
Set User Authentication to Local Database
Uncheck Provide a virtual IP address to clients
Leave Provide a list of accessible networks to clients unchecked
Click Save
Phase 1
Click the Tunnels tab
Set Enable IPsec (enable IPsec)
Click Save (Save)
Click the Create Phase1 button, or edit the existing mobile IPsec Phase 1
If no Phase 1 exists and the Create Phase1 button does not appear, return to the Mobile Clients tab and click the button shown there
Set Key Exchange version to IKEv1
Fill in a Description
Set Authentication method to Mutual PSK
Set Negotiation Mode to Main
Set My Identifier to My IP address
Set Encryption algorithm to AES 256
Set Hash algorithm to SHA1
Set DH key group to 14 (2048 bit)
Note: iOS and some other platforms may need DH key group 2
Set Lifetime to 28800
Leave Disable Rekey unchecked
Leave Disable Reauth unchecked
Set NAT Traversal to Auto
Check Enable DPD (dead peer detection), with 10 seconds and 5 retries
Click Save (Save)
Phase 2
Click "+" to display the Mobile IPsec Phase 2 list
Click "+" to add a new Phase 2 entry or click "e" to edit an existing entry
Set Mode (mode) to Transport
Fill in Description (description)
Set Protocol (protocol) to ESP
Set Encryption algorithms (encryption algorithm) to AES 128
Set Hash algorithms (hash algorithm) to SHA1
Set PFS Key Group (key group) to off
Set Lifetime (validity period) to 3600
Click Save (Save)
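The Phase 1 and Phase 2 choices above trade strength for client compatibility (DH group 2 for iOS, SHA1, PFS off). The following Python function is an added example, not part of the original article or of pfSense: it encodes those trade-offs as a review checklist over a description of both proposals, so an administrator can see which choices are compatibility concessions before changing them. The dictionary keys and values are my own labels, not pfSense field names; the group sizes come from RFC 2409 and RFC 3526.

```python
from typing import List

# Constructed descriptions of the Phase 1 and Phase 2 proposals configured in
# the steps above (assumption: keys and values are my own labels).
PHASE1 = {"ike_version": 1, "mode": "main", "auth": "mutual-psk",
          "encryption": "aes256", "hash": "sha1", "dh_group": 14,
          "lifetime": 28800}
PHASE2 = {"mode": "transport", "protocol": "esp", "encryption": "aes128",
          "hash": "sha1", "pfs_group": None, "lifetime": 3600}

# MODP group modulus sizes in bits (RFC 2409 groups 1-2, RFC 3526 groups 5 and 14-16)
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
LEGACY_HASHES = {"md5", "sha1"}


def assess_proposal(p1: dict, p2: dict) -> List[str]:
    """Return human-readable findings about the weaker points of a proposal pair.
    An empty list means none of the checks fired."""
    findings = []
    bits = DH_GROUP_BITS.get(p1["dh_group"])
    if bits is None or bits < 2048:
        findings.append(f"phase1: DH group {p1['dh_group']} ({bits} bits) is below 2048 bits; "
                        "enable it only for the clients that need it")
    if p1["mode"] == "aggressive" and p1["auth"] == "mutual-psk":
        findings.append("phase1: aggressive mode with a PSK sends the identity hash unprotected; keep Main mode")
    for phase, p in (("phase1", p1), ("phase2", p2)):
        if p["hash"] in LEGACY_HASHES:
            findings.append(f"{phase}: {p['hash'].upper()} is a legacy hash; "
                            "prefer SHA256 once all clients support it")
    if p2["pfs_group"] is None:
        findings.append("phase2: PFS is off, so phase2 keys are derived from the phase1 secret alone")
    if p2["lifetime"] > p1["lifetime"]:
        findings.append("phase2 lifetime exceeds phase1 lifetime; phase2 should be rekeyed more often")
    return findings


if __name__ == "__main__":
    for finding in assess_proposal(PHASE1, PHASE2) or ["no findings"]:
        print(finding)
```

Run against the article's settings it flags SHA1 in both phases and PFS being off, and nothing about DH group 14; swapping in group 2 for an iOS client adds a 1024-bit finding, which is the reason the article treats group 2 as a per-platform exception rather than the default.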
Pre-Shared Key
The IPsec tunnel is configured; the pre-shared key must now be configured in a special way, so that it is common to all clients.
Navigate to VPN > IPsec, Pre-Shared Keys tab
Click "+" to add a new PSK
Set Identifier to allusers
Note: the name "allusers" is a special keyword pfSense uses to configure the wildcard PSK that L2TP/IPsec requires. Do not use any other identifier for this PSK!
Set Secret Type to PSK
Enter the Pre-Shared Key, such as aaabbbccc. It can be longer than this, and a longer, more random key is more secure!
Click Save
Click Apply Changes
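Because the "allusers" PSK is shared by every client, its strength is the one thing protecting Phase 1 for all of them, and a value like aaabbbccc is only a placeholder. The following Python snippet is an added example, not part of the original article or of pfSense: it generates a key from the operating system's CSPRNG and rejects short or low-variety keys before they are pasted into the pfSense and Windows dialogs. The letters-and-digits alphabet and the 128-bit threshold are my own choices.

```python
import math
import secrets
import string

# Letters and digits only, so the key pastes cleanly into every client dialog;
# each character drawn uniformly from this alphabet carries log2(62) ~ 5.95 bits.
ALPHABET = string.ascii_letters + string.digits


def generate_psk(length: int = 32) -> str:
    """Generate a pre-shared key with the OS CSPRNG (secrets), never random()."""
    if length < 16:
        raise ValueError("refusing to generate a PSK shorter than 16 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def psk_entropy_bits(psk: str, alphabet: str = ALPHABET) -> float:
    """Upper bound on the entropy of a key chosen uniformly from `alphabet`.
    A human-chosen key such as aaabbbccc has far less than this figure."""
    return len(psk) * math.log2(len(alphabet))


def psk_is_acceptable(psk: str, min_bits: int = 128) -> bool:
    """Reject keys with too few distinct characters (the aaabbbccc pattern) and
    keys whose length cannot reach min_bits even if they were random."""
    if len(set(psk)) < 8:
        return False
    return psk_entropy_bits(psk) >= min_bits


if __name__ == "__main__":
    key = generate_psk()
    print(f"{key}  ({psk_entropy_bits(key):.0f} bits, acceptable={psk_is_acceptable(key)})")
    print(f"aaabbbccc  ({psk_entropy_bits('aaabbbccc'):.0f} bits, acceptable={psk_is_acceptable('aaabbbccc')})")
```

The same generated value goes into the pfSense Pre-Shared Keys entry and into the Windows client's Advanced Settings dialog described later; the entropy figure is only an upper bound, which is why the distinct-character test exists as well.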
Firewall Rules and NAT
Firewall rules must be set in two places: traffic from the client host passes over IPsec to establish the L2TP tunnel, and the actual VPN traffic then travels inside L2TP to systems across the VPN.
IPsec Rules
Navigate to Firewall > Rules, IPsec tab
Review the current rules. If an allow-all style rule already exists, no new rule is needed and you can move on to the next task.
Click "+" to add a new rule
Set Protocol to any, and Source and Destination to any
Note: this rule does not have to pass all traffic, but it must at least pass L2TP (UDP port 1701) to the WAN IP address of the firewall
Click Save
Click Apply Changes
L2TP Rules
Navigate to Firewall > Rules, L2TP VPN tab
Review the current rules. If an allow-all style rule already exists, no new rule is needed and you can move on to the next task.
Click "+" to add a new rule
Set Protocol to any, and Source and Destination to any
Note: this rule does not have to pass all traffic; a stricter rule can limit where clients are allowed to go
Click Save
Click Apply Changes
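The two notes above say the allow-all rules are a convenience, not a requirement: the IPsec tab only needs to pass UDP 1701 to the firewall's WAN address, and the L2TP VPN tab can be narrowed to the networks clients should reach. The following Python model is an added example, not part of the original article or of pfSense: it evaluates a packet against a first-match rule list (the way pfSense interface-tab rules behave, with default deny when nothing matches) so the minimal and the allow-all rulesets can be compared. The WAN address 203.0.113.10 and the LAN subnet 192.168.1.0/24 are constructed documentation values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    proto: str                     # "any", "udp", "tcp", ...
    src: str                       # "any" or a CIDR
    dst: str                       # "any" or a CIDR
    dst_port: Optional[int] = None  # None means any port


WAN_IP = "203.0.113.10"   # constructed stand-in for the firewall's WAN address
LAN_NET = "192.168.1.0/24"  # constructed stand-in for the network clients may reach


def _addr_matches(rule_value: str, addr: str) -> bool:
    return rule_value == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(rule_value, strict=False)


def rule_matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    if rule.proto != "any" and rule.proto != proto:
        return False
    if not _addr_matches(rule.src, src) or not _addr_matches(rule.dst, dst):
        return False
    return rule.dst_port is None or rule.dst_port == dport


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching rule decides; no match falls through to the default deny."""
    for rule in rules:
        if rule_matches(rule, proto, src, dst, dport):
            return rule.action
    return "block"


# IPsec tab: the minimum the note describes, versus the allow-all shortcut.
MINIMAL_IPSEC_RULES = [Rule("pass", "udp", "any", f"{WAN_IP}/32", 1701)]
ALLOW_ALL_RULES = [Rule("pass", "any", "any", "any")]

# L2TP VPN tab: the stricter alternative, limiting clients to one LAN subnet.
L2TP_TAB_RULES = [Rule("pass", "any", "192.168.32.128/25", LAN_NET)]


if __name__ == "__main__":
    print("L2TP setup to WAN via minimal rules:",
          evaluate(MINIMAL_IPSEC_RULES, "udp", "198.51.100.7", WAN_IP, 1701))
    print("SMB from client to LAN via strict L2TP rules:",
          evaluate(L2TP_TAB_RULES, "tcp", "192.168.32.130", "192.168.1.5", 445))
    print("SMB from client to another subnet via strict L2TP rules:",
          evaluate(L2TP_TAB_RULES, "tcp", "192.168.32.130", "10.0.0.5", 445))
```

The model ignores state tracking and the floating rules covered under Troubleshooting; it only shows that the minimal IPsec-tab rule still lets the L2TP tunnel come up while everything else arriving over IPsec is dropped.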
Outbound NAT
If clients must pass through the VPN and then reach the Internet, outbound NAT will most likely be required.
Navigate to Firewall > NAT, Outbound tab
Check the rules to see whether they cover the L2TP clients. In Automatic or Hybrid mode, the L2TP subnet should be listed in the automatic rules section.
If Manual outbound NAT is enabled and no such rule exists, add a rule covering the L2TP client subnet.
DNS Configuration
If DNS servers are handed to the clients and the DNS Resolver (unbound) is used, the subnet chosen for the L2TP clients must be added to its access list.
Navigate to Services > DNS Resolver, Access Lists tab
Click "+" to add a new access list
Enter an Access List Name, such as VPN Users
Set Action to Allow
Click "+" to add a Network
Enter the VPN client subnet in the Network box, for example 192.168.32.128
Select the matching CIDR value, for example 25
Click Save
Click Apply Changes
Client Setup
Windows
Now create the client VPN connection. Depending on the version of Windows, there are several ways to add such a connection; adjust as needed.
Open the Network and Sharing Center on the client computer
Click Set up a new connection or network
Choose Connect to a workplace
Click Next
Choose No, create a new connection
Click Next
Click Use my Internet connection (VPN)
Enter the IP address or hostname of the firewall in the Internet address box
Enter a Destination name to identify the connection
Click Create
The connection has been created, but several defaults must be changed before it can be used correctly. For example, the Type defaults to Automatic, and if a PPTP connection succeeds the connection becomes locked to PPTP, which would be very bad. So be sure to change some of the defaults first:
In Network Connections / Adapter Settings in Windows, find the connection just created
Right-click the connection
Click Properties
Click the Security tab
Set the Type of VPN to Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)
Click Advanced Settings
Choose Use preshared key for authentication
Enter the key, for example aaabbbccc
Click OK
Set Data encryption to Require encryption (disconnect if server declines)
Under Authentication, choose Allow these protocols and check Challenge Handshake Authentication Protocol (CHAP), to match the L2TP server settings
Click OK
Try it Out
After the above settings, the client should now be able to connect to the VPN.
Troubleshooting
Firewall blocking outbound traffic
If the firewall log shows traffic being blocked "out" on L2TP, add a floating firewall rule to resolve the problem:
Navigate to Firewall > Rules, Floating tab
Click "+" to add a new rule
Set Action to Pass
Check Quick
Set Interface to L2TP VPN
Set Direction to Out
Set Protocol to TCP
Set Source/Destination as needed, or to any
Advanced options:
Set TCP Flags to Any flags
Set State Type to Sloppy State
Notes
If the client is behind NAT, the Windows client will not be able to connect to the server. Consider using IKEv2 for the VPN connection instead (if you reach the Internet through a router rather than having an external IP assigned directly, you cannot use an L2TP/IPsec VPN). See this article: http://fxn2025.blog.51cto.com/24757/1983419.
Original address: https://doc.pfsense.org/index.php/L2TP/IPsec
31 May 2017