Configure L2TP / IPsec VPN Server with PSK or RSA in pfSense

What is an L2TP / IPsec VPN server for?

A VPN server on our pfSense lets us remotely access the different subnets we have configured. It also lets us redirect all Internet traffic to the VPN server so that it goes out to the Internet through it. With a VPN server configured, we can connect to an insecure network in a secure way, because all the traffic from the origin to the VPN server is encrypted and authenticated.

L2TP (Layer 2 Tunneling Protocol) is one of the most widely used VPN protocols. It uses the PPP protocol to connect the different links, and it includes PPP authentication mechanisms such as PAP and CHAP, as well as support for RADIUS servers for client authentication. This type of VPN protocol is multiprotocol and allows access to remote local area networks. The downside is that it does not provide strong cryptography, so it is not safe to use. It only authenticates the endpoints of the tunnel, not each of the packets that travel through it; the same is true of packet integrity, which is not checked. L2TP also does not encrypt the traffic from source to destination.

With all this in mind, the IETF decided to use the cryptographic protocols of IPsec in conjunction with L2TP to provide confidentiality, authentication and integrity for the L2TP tunnel. For this reason, we will always find this protocol written as “L2TP / IPsec” in operating systems, because it uses both protocols simultaneously.

Now that we have a summary of how both VPN protocols work, we will proceed with the configuration. Since there are two protocols to configure, L2TP and IPsec, we will clearly divide the configuration into two parts.

L2TP protocol configuration

The first thing we must do is configure the L2TP protocol. To do this, we go to the “VPN / L2TP” section and configure it as follows:

  • Enable L2TP
    • Enable L2TP Server: Enabled
  • Configuration
    • Interface: WAN
    • Server Address: we must enter a subnet that is not in use and that serves only as the gateway for the clients.
    • Remote Address Range: we give a local subnet to the connecting clients.
    • Number of L2TP Users: 10; this can be configured to suit the user.
    • Secret: 1234clavel2tp; we can set a passcode, and it is advisable to do so, although some clients do not require it. It depends on the configuration.
    • Authentication Type: CHAP
    • Primary / Secondary L2TP DNS Server: we can set a DNS server for the clients.

Once we have configured it and clicked «Save», we go to the «Users» section and create a username and password for access. This is where we must register all the users who are going to connect to the VPN server. The IP address field can be left blank so that the server assigns the IP dynamically.

Once the L2TP server is configured, we can configure the IPsec protocol.

IPsec protocol configuration

To configure the IPsec protocol together with the L2TP protocol, we must carry out a total of three actions. The first is to enable “Mobile Clients”, that is, the remote access VPN. The second is to enable IPsec Phase 1, and the third is to configure IPsec Phase 2.

Configure the «Mobile Clients»

This is one of the most important parts, because if we go to the “Tunnels” section we create a Site-to-Site VPN tunnel, and what we want to do with IPsec is configure a remote access VPN so that the different clients.

In this menu we enable “Enable IPsec Mobile Client Support” and select “Local Database”, although we will not use it, because that is for xAuth authentication. We click Save.

As soon as we click «Save», we must also click «Apply Changes», and then click the green button labeled «Create Phase1».

Configure IPsec Phase 1

In this menu we must configure the IPsec protocol correctly for use with L2TP. Not every configuration will work; in addition, depending on the VPN client used (Android, iOS, Windows …), the security configuration may change, since not all operating systems support the best VPN ciphers. By default, we will see the following menu, where IKEv2 is selected, which is not compatible with the L2TP / IPsec protocol that we want to configure.

The options that we must configure for it to work correctly are the following:

  • General Information
    • Key Exchange version: IKEv1; if we select any other it will not work.
    • Internet Protocol: IPv4 or IPv6
    • Interface: Internet WAN
    • Description: we enter a description.
  • Phase 1 Proposal (Authentication)
    • Authentication Method: Mutual PSK
    • Negotiation Mode: Aggressive; “Main” is more secure but less flexible, and it could prevent the VPN client from connecting correctly. Later, if everything works with «Aggressive», we can test whether it also works with «Main».
    • My identifier: User distinguished name – [email protected] or whatever you want.
  • Phase 1 Proposal (Encryption)
    • Encryption Algorithm: AES 128-bit, SHA1, DH Group 2 (1024-bit).

pfSense supports stronger encryption than what we have configured here, but the problem is the VPN clients that are going to connect, which do not support better security. To configure it with the best security, we can test based on the IPsec “proposals received” that we get from the client; in this way, we will choose the most secure of all.

The rest of the configuration options can be left as they are, with the default values.

Once finished, we click «Save», and it will take us to the main menu where all the IPsec VPN tunnels are listed. We must click on the only one created, then on «Show Phase 2 Entries», and then on «Create Phase 2» to continue.

Configure IPsec Phase 2

In this configuration menu we must set the following:

  • General Information
    • Mode: transport
    • Description: any description we want.
  • Phase 2 Proposal (SA / Key Exchange)
    • Protocol: ESP
    • Encryption Algorithms: 128-bit AES
    • Hash algorithms: we select SHA-1 and SHA-256
    • PFS Key group: off, not supported by the protocol.

The rest of the configuration options can be left at their defaults.

In the main menu of “IPsec / Tunnels” we can see a summary of everything we have configured.

Now we must go to the “IPsec / Pre-Shared Keys” section and add a new identifier.

This new identifier must be:

  • Identifier: allusers (it must be exactly this, without capital letters and with no other name)
  • Secret Type: PSK
  • Pre-Shared Key: the password we want; it is shared with all the users who are going to connect.

Once this is done, the L2TP / IPsec server will be ready to accept connections, but first we must create the corresponding rules in the firewall.

Open ports in the pfSense firewall

We must create a rule in the “Firewall / Rules / WAN” section with the following information:

  • Action: Pass
  • Interface: WAN
  • Address Family: IPv4
  • Protocol: UDP
  • Source: any
  • Destination: WAN Address on port 1701 which is L2TP.

We save and apply the changes, making sure that this rule will be followed.

When we create an L2TP / IPsec VPN server, two more tabs appear in “Firewall / Rules”. Here we can allow or deny traffic to certain subnets, define different advanced rules, and so on. For a first connection, and to avoid possible configuration failures at the firewall level, we recommend that you create a “pass any any any” rule and apply the changes. Later, once communication has been established, if you need to define different rules, you can write more specific rules to meet all your requirements.

Once we have successfully configured the firewall, we must configure the VPN client to test the connection.

Connection test

In our case, we established a VPN connection with an Android smartphone, specifically the Huawei P30, which comes with an L2TP / IPsec PSK client. The configuration we must carry out is the following (we cannot include a screenshot because the operating system detects it as private content).

  • Name: we give the VPN a name
  • Type: L2TP / IPsec PSK
  • Server: IP or DDNS domain of your VPN server
  • L2TP Secret: 1234clavel2tp; the key we set in the L2TP section, which is shared with all clients.
  • IPsec identifier: [email protected]
  • Initial IPsec Shared Key: 12345678; the key we set for the identifier «allusers» in the IPsec / Pre-Shared Keys section.

We click Save and connect. When connecting, it will ask us for a username and password; these credentials are the ones we set in “L2TP Users”. Once done, it will connect us to the VPN server without problems, and we will have access to the pfSense administration and any network.

As you have seen, the connection has been successfully established, and there have been no problems.

Recommendations and advice

Depending on the VPN client you use, the server configuration may vary. For security, it is always advisable to use the best cryptographic algorithms; for this reason, we recommend modifying the security options and forcing clients to always choose the best ones. However, we must look at the IPsec information to see which «proposal» the different clients send when connecting. Some smartphones use an L2TP / IPsec VPN client with support for the latest ciphers; other models do not. We must try to choose the most secure option possible overall, balancing security and usability.
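
An added example, not part of the original tutorial or of pfSense: one way to compare the Phase 1 proposals a client offers, as recommended here and in the Phase 1 section, before settling on algorithms. It assumes the IPsec log line follows strongSwan's “received proposals:” layout; the sample line and the strength ranks are constructed for illustration.

```python
import re

# Ordinal strength ranks: this example's own assumption, not a pfSense or strongSwan table.
ENC = {"3DES_CBC": 0, "AES_CBC_128": 2, "AES_CBC_192": 2, "AES_CBC_256": 3}
INTEG = {"HMAC_MD5_96": 0, "HMAC_SHA1_96": 1, "HMAC_SHA2_256_128": 2,
         "HMAC_SHA2_384_192": 3, "HMAC_SHA2_512_256": 3}
DH = {"MODP_768": 0, "MODP_1024": 1, "MODP_1536": 1, "MODP_2048": 2,
      "MODP_3072": 3, "MODP_4096": 3}
TABLES = {"enc": ENC, "integ": INTEG, "dh": DH}

# Constructed sample line in the "received proposals:" layout (not from a real client).
SAMPLE = ("Jan  1 12:00:00 charon: 10[CFG] received proposals: "
          "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
          "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
          "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
          "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024")

def parse_proposals(line):
    """Return the IKE proposals on one log line as dicts of enc/integ/dh names."""
    m = re.search(r"received proposals:\s*(.+)", line)
    proposals = []
    for item in (m.group(1).split(",") if m else []):
        proto, _, algs = item.strip().partition(":")
        found = {}
        for alg in algs.split("/"):
            for kind, table in TABLES.items():
                if alg in table:
                    found[kind] = alg
        # Skip non-IKE entries and proposals with an algorithm we cannot rank.
        if proto == "IKE" and len(found) == 3:
            proposals.append(found)
    return proposals

def score(p):
    """Weakest link first: a proposal is only as strong as its weakest part."""
    ranks = [TABLES[k][p[k]] for k in ("enc", "integ", "dh")]
    return (min(ranks), sum(ranks))

def strongest(proposals):
    """Best-ranked proposal the client offered, or None if there were none."""
    return max(proposals, key=score, default=None)

def weak_parts(p, floor=2):
    """Names of the algorithms in p that rank below the floor."""
    return sorted(p[k] for k in ("enc", "integ", "dh") if TABLES[k][p[k]] < floor)

if __name__ == "__main__":
    offered = parse_proposals(SAMPLE)
    print("strongest offered:", strongest(offered))
    print("weak parts of the tutorial's Phase 1:", weak_parts(offered[2]))
```

If the strongest proposal every client offers ranks above the AES 128-bit / SHA1 / DH Group 2 set used in this tutorial, Phase 1 can be raised to it without locking those clients out.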

Another tip, if you are going to use L2TP / IPsec for the first time, is to know in advance which clients you are going to connect (Android, iOS, Windows computer, etc.), since the configuration may differ depending on how the client is configured internally. It is possible that they cannot all coexist at the same time; for this reason you could use other VPNs such as OpenVPN or IPsec xAuth, among others.

With this same tutorial, you will be able to configure L2TP / IPsec RSA by changing «Mutual PSK» to «Mutual RSA» and configuring the corresponding server and client certificates. We will show you how to do it soon. This also brings complications, because if we create a CA with a client certificate that uses the latest algorithms, it may return an error when we connect because they are not recognized.