Setting up an L2TP over IPsec VPN on a pfSense firewall provides a balance between compatibility and security for remote access. L2TP offers wide client support across Windows, macOS, iOS and Android, while IPsec provides strong encryption and key exchange. This guide walks through a secure, production-ready configuration on pfSense with practical tips for authentication, firewall rules, NAT traversal, and troubleshooting.
Prerequisites and design decisions
Before you begin, gather the following and decide on authentication and addressing methods:
- Working pfSense firewall with WAN and LAN interfaces configured and internet connectivity.
- Administrative access to the pfSense web GUI (latest stable release recommended).
- Publicly reachable IP address or resolvable DNS name for the pfSense WAN (required for remote clients).
- Decide on authentication: RADIUS/LDAP for central management (enterprise) or local pfSense user database for small deployments.
- Decide on credential type: IPsec can use a pre-shared key (PSK) for small setups, but using certificates (IKEv2 with certs) is more secure for larger organizations. Note: pfSense’s built-in L2TP uses IPsec with PSK; implementing certificate-based IPsec for L2TP may require advanced customization.
- Plan the L2TP address pool and DNS settings for clients (avoid overlapping with existing LAN subnets).
Step 1 — System preparation on pfSense
Ensure pfSense is updated and back up the configuration first (System > Backup/Restore). Enable the services needed:
- System > Package Manager: ensure StrongSwan or default IPsec functionality is installed/available (most pfSense builds include native IPsec support).
- System > User Manager: create local users if you will use local authentication. Make sure each user has a password and, if desired, add them to a group for easier management.
Step 2 — Configure IPsec Phase 1 (IKE)
Navigate to VPN > IPsec and add a new tunnel. Key settings to pay attention to:
- Key Exchange version: IKEv1 is required for pfSense’s L2TP implementation — choose IKEv1.
- Internet Protocol: IPv4 (or IPv4+IPv6 as needed).
- Remote Gateway: Leave as “Any” for road-warrior setups, or specify the client public IP if known.
- Authentication Method: Mutual PSK (unless you are configuring certificates).
- Pre-Shared Key: Use a long, random passphrase (at least 20 characters recommended) and store it securely.
- Encryption Algorithms: Choose strong, compatible algorithms such as AES-256 for encryption, SHA256 for integrity, and DH Group 14 or higher. Example proposal: AES-256 / SHA256 / DH Group 14.
- Lifetime: 28800 seconds is typical for Phase 1.
Save and apply. This establishes the IKE SA used to protect L2TP traffic.
Step 3 — Configure IPsec Phase 2 (ESP)
Under the same IPsec tunnel, add a Phase 2 entry specifically for L2TP traffic. Important settings:
- Mode: Tunnel.
- Local Network: This is typically “LAN subnet” if you want remote clients to access internal resources, or a specific alias/subnet.
- Remote Network: Leave empty for road warriors or configure to a client pool if known.
- Protocol: ESP.
- Encryption Algorithms: Match Phase 1 selections (AES-256 / SHA256) for compatibility; enable PFS if desired with a secure DH Group.
- L2TP requires NAT-T: Ensure NAT Traversal (NAT-T) is enabled so clients behind NAT can connect.
Step 4 — Enable the L2TP Server
Go to VPN > L2TP and enable the L2TP server. Key configuration:
- Server address: Assign an IP from a separate subnet (e.g., 10.10.10.1) — this is the gateway IP for the L2TP clients on the VPN side.
- Remote address range: Define a small pool for clients (e.g., 10.10.10.100-10.10.10.200).
- Mask: Typically 24 bits for simple setups.
- Authentication: Choose Local Database for small deployments or select RADIUS for enterprise integration (enter RADIUS server details under System > User Manager > Authentication Servers).
- WINS/DNS: Optionally set internal DNS/WINS servers for name resolution inside the network.
- Require MPPE: Enable MPPE and select 128-bit or 256-bit if required by clients — note MPPE is specific to Microsoft clients; modern clients rely on IPsec encryption primarily.
Step 5 — Firewall and NAT rules
Correct firewall and NAT configuration is essential:
- On the WAN interface, create firewall rules to allow UDP port 500 (IKE), UDP port 4500 (NAT-T) and the ESP protocol (IP protocol 50). L2TP itself uses UDP 1701, but in an L2TP over IPsec deployment that traffic is normally encapsulated inside IPsec, so opening UDP 1701 on the WAN is unnecessary in many setups; add a WAN rule for UDP 1701 only if your setup actually requires it.
- Create rules on the OpenVPN/LAN or OPT interface that allow traffic from the L2TP client subnet to the network resources you need (e.g., LAN networks, servers).
- If pfSense is behind another NAT device, enable port forwarding for UDP 500/4500 and ESP to the pfSense WAN IP.
- Static outbound NAT: If you need traffic from VPN clients to appear with a specific source address externally, configure outbound NAT under Firewall > NAT > Outbound.
Step 6 — Client configuration examples
Clients vary by OS. Basic steps are:
- Windows 10/11: Use the built-in VPN client — create a new VPN connection using IKEv1 and select L2TP as the type. Enter server hostname, PSK, and username/password. Set data encryption to maximum and enable use of default gateway on remote network if you need full-tunnel routing.
- macOS: System Preferences > Network > Add a new VPN (L2TP over IPsec). Enter the server address, account name, PSK, and password. Use advanced settings to set MTU if necessary.
- iOS: Settings > General > VPN > Add VPN Configuration: L2TP. Fill server, account, password, and secret (PSK).
- Android: Native support varies; some versions require a third-party client such as strongSwan, while others offer a built-in L2TP/IPsec PSK option (note that older Android versions may not support AES-GCM).
MTU and fragmentation
L2TP over IPsec adds overhead; adjust the client and server MTU to avoid fragmentation issues. Typical values:
- Try MTU 1400 on clients if you experience slow or broken connections for large transfers.
- Alternatively, set PPP MRU/MSS clamping on pfSense (Firewall > NAT > Outbound or Firewall > Settings > Advanced if applicable) to prevent fragmentation for TCP traffic.
Security hardening and best practices
Follow these recommendations to keep your VPN secure:
- Avoid weak PSKs: Use long, complex pre-shared keys; consider rotating keys periodically.
- Prefer centralized auth: Use RADIUS or LDAP for user management and multi-factor authentication where possible.
- Limit access: Use firewall rules to restrict VPN user access to only required services and IPs (least privilege).
- Logging and monitoring: Enable IPsec and system logs (Status > System Logs > IPsec) and integrate with a SIEM for large deployments.
- Use strong crypto: Disable obsolete algorithms (e.g., DES, MD5) and prefer AES and SHA2-family hashes with DH Group 14+.
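As an added example (not code from the original guide or from the pfSense project), the following Python pre-flight check turns the choices made in the prerequisites, Step 2 and Step 4 into something you can run before touching the GUI: it verifies the L2TP pool does not overlap an existing subnet, that the PSK meets the 20-character minimum and is not low-entropy, and that proposals use AES, SHA2 and DH group 14 or higher. It assumes the pool is written as "first-last" and that algorithm names are given as tokens such as aes256 and sha256.

```python
# Added example, not from pfSense or the original guide: a pre-flight check for the
# settings this guide asks you to choose. It flags an L2TP pool overlapping an existing
# subnet, a short or low-entropy PSK, and proposals using algorithms the guide disables.
import ipaddress
import math
from collections import Counter

ALLOWED_ENC = {"aes128", "aes192", "aes256"}      # AES only
ALLOWED_HASH = {"sha256", "sha384", "sha512"}     # SHA2 family only
MIN_DH_GROUP = 14                                 # DH group 14 or higher
MIN_PSK_LEN = 20                                  # guide: at least 20 characters


def pool_overlaps(pool_range, existing_subnets):
    """Return the existing subnets (CIDR strings) that collide with the L2TP pool.
    pool_range is 'first-last', e.g. '10.10.10.100-10.10.10.200'."""
    first, last = (ipaddress.ip_address(p.strip()) for p in pool_range.split("-"))
    pool_blocks = list(ipaddress.summarize_address_range(first, last))
    return [s for s in existing_subnets
            if any(ipaddress.ip_network(s, strict=False).overlaps(b) for b in pool_blocks)]


def psk_problems(psk):
    """Flag a PSK shorter than MIN_PSK_LEN or with low Shannon entropy per character."""
    problems = []
    if len(psk) < MIN_PSK_LEN:
        problems.append(f"too short ({len(psk)} < {MIN_PSK_LEN} characters)")
    # A random mixed-case/digit/symbol string scores roughly 5-6 bits per character.
    counts = Counter(psk)
    entropy = max(0.0, -sum(c / len(psk) * math.log2(c / len(psk)) for c in counts.values()))
    if entropy < 3.0:
        problems.append(f"low entropy ({entropy:.2f} bits/char)")
    return problems


def proposal_problems(encryption, integrity, dh_group):
    """Check one Phase 1 or Phase 2 proposal against the guide's minimums."""
    problems = []
    if encryption.lower() not in ALLOWED_ENC:
        problems.append(f"encryption {encryption} is not an allowed AES variant")
    if integrity.lower() not in ALLOWED_HASH:
        problems.append(f"integrity {integrity} is not SHA2 (MD5/SHA1 are obsolete)")
    if dh_group < MIN_DH_GROUP:
        problems.append(f"DH group {dh_group} is below group {MIN_DH_GROUP}")
    return problems
```

Run each check against your planned values and treat any non-empty result as a setting to revisit before enabling the server.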
Troubleshooting common issues
When things go wrong, these checks usually resolve the most common problems:
- IPsec not establishing: Check WAN firewall for blocked UDP 500/4500 or blocked ESP protocol. Verify PSK matches on client and pfSense.
- Authentication failures: Ensure user credentials are correct and the chosen authentication backend (Local or RADIUS) is reachable and properly configured.
- Clients connect but no LAN access: Verify firewall rules permit traffic from the L2TP subnet to LAN. Check routing and ensure the addresses assigned to clients fall within the expected pool.
- Fragmentation or slow transfers: Reduce MTU/MRU to 1400 or clamp MSS for TCP sessions.
- Intermittent drops: Look at system logs for SA rekeying failures; adjust Phase 1/2 lifetimes or PFS settings to be compatible with client expectations.
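To make the checklist above faster to apply, here is an added Python triage helper (not part of the original guide or of pfSense) that maps IPsec log lines of the kind shown under Status > System Logs > IPsec to the corresponding check. The message wording follows strongSwan's charon daemon, which pfSense uses for IPsec, but the sample lines are constructed for the example and the connection name con-mobile is an assumption.

```python
# Added example, not from pfSense or the original guide: map strongSwan/charon-style
# IPsec log lines to the troubleshooting checks in this guide. Patterns follow charon's
# wording; the sample lines are constructed, not captured from a real firewall.
import re

# (regex, finding, check to perform); the first matching rule wins for each line.
TRIAGE_RULES = [
    (re.compile(r"no matching proposal found|NO_PROPOSAL_CHOSEN"),
     "proposal mismatch",
     "align Phase 1/2 algorithms (e.g. AES-256 / SHA256 / DH 14) with the client"),
    (re.compile(r"invalid HASH_V1 payload length|decryption failed|AUTHENTICATION_FAILED"),
     "authentication failure",
     "verify the PSK matches on client and pfSense, then check the user backend"),
    (re.compile(r"remote host is behind NAT"),
     "client behind NAT",
     "confirm NAT-T is enabled and UDP 4500 is allowed on WAN"),
    (re.compile(r"retransmit \d+ of request|giving up after \d+ retransmits"),
     "no reply from peer",
     "check WAN rules for UDP 500/4500 and ESP, and any upstream port forwards"),
    (re.compile(r"IKE_SA .* established between"),
     "tunnel established",
     "if LAN is still unreachable, check L2TP subnet to LAN rules and the pool"),
]

def triage_line(line):
    """Return (finding, check) for one log line, or None if it is not actionable."""
    for pattern, finding, check in TRIAGE_RULES:
        if pattern.search(line):
            return finding, check
    return None

def triage_log(lines):
    """Count findings across a log and return {finding: (count, check)}."""
    summary = {}
    for hit in filter(None, map(triage_line, lines)):
        finding, check = hit
        summary[finding] = (summary.get(finding, (0, check))[0] + 1, check)
    return summary

# Constructed sample lines in charon's format; 198.51.100.1/203.0.113.10 are
# documentation addresses, not real hosts.
SAMPLE_LOG = [
    "charon: 11[IKE] <con-mobile|3> no matching proposal found, sending NO_PROPOSAL_CHOSEN",
    "charon: 08[ENC] <con-mobile|4> invalid HASH_V1 payload length, decryption failed?",
    "charon: 12[IKE] <con-mobile|5> remote host is behind NAT",
    "charon: 06[IKE] <con-mobile|5> IKE_SA con-mobile[5] established between "
    "198.51.100.1[198.51.100.1]...203.0.113.10[203.0.113.10]",
    "charon: 06[IKE] <con-mobile|6> remote host is behind NAT",
]
```

Feed it the lines copied from the IPsec log tab; the returned summary tells you which check to run first and how often each symptom appeared.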
Operational tips and maintenance
For production environments, consider these operational activities:
- Schedule configuration backups and test restores regularly.
- Document user onboarding/offboarding processes and automate RADIUS account lifecycle if possible.
- Monitor IPsec SA counts and session durations to detect anomalies.
- Keep pfSense and underlying packages updated to address security vulnerabilities.
By following the steps above and applying the security best practices, you can deploy a robust L2TP over IPsec remote-access VPN on pfSense that serves both small teams and enterprise needs. Start with a lab or staging environment to validate client interoperability and firewall/NAT behavior before rolling out to production.
Published by Dedicated-IP-VPN