2

I am trying to set up a home VPN with IPsec as I have read about PPTP having some security problems and being outdated. I found an article on the web that shows you how to set up an IPsec VPN here which I was able to follow and set up, but when I went to connect to it I could not. I tried port scanning the router from the LAN and by using a computer outside of my LAN and both scans concluded that port 500 (the VPN port) was closed. Is there something else I have to do to set it up to listen so clients can connect? I checked the error logs and everything was clean so I am confused here.

In addition, from what I know IPsec is supposed to be a wrapper around L2TP, so am I supposed to set up L2TP first and then configure my IPsec to work with L2TP, which would explain why it's not "listening"? If so, could you kindly share a link with me that helps me accomplish that? I've gone through the first couple of pages of Google and all I can seem to dig up is PPTP guides. Many thanks!

user99545
  • Did you ever find an answer for this? I am in a similar situation. – jmreicha Apr 25 '12 at 17:44
  • @jmreicha Unfortunately I have not. I ended up using OpenVPN instead but if I find a solution (I will probably keep trying), I will post it here. – user99545 Apr 25 '12 at 21:13
  • If it is of any help to you, I had some (limited) success setting up L2TP. I opened port 500, 1701 on the firewall and was able to connect using the android VPN client. However, I wasn't able to do anything outside my local network and I am not able to get it working with any other clients. – jmreicha Apr 26 '12 at 15:10
  • @jmreicha Yes, I believe L2TP and PPTP on Pfsense work fine, but for some reason IPsec does not. Are you running IPsec without L2TP, or are you running both IPsec and L2TP? – user99545 Apr 26 '12 at 15:12
  • I couldn't get anything to work with both. The piece I got working was with L2TP only. – jmreicha Apr 26 '12 at 15:42

1 Answer

2

IKE traffic to establish a phase 1 tunnel runs over port 500 of the UDP protocol; a typical port scan only checks TCP ports. This is because it's much harder to simply 'check' a UDP port for openness without knowing what protocol is operating on the port: many services won't respond to a UDP packet that's malformed, and many systems won't send ICMP unreachable responses to indicate a non-listening UDP port. See the -sU scan section here for more information.

Check the logs in the pfsense device, and turn up logging verbosity if necessary, to get some information on what's going on with the connection attempts.

Shane Madden
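As an added illustration of the point made in the answer (this is example code, not from the answer or the original post), the probe below classifies a UDP port the way a UDP scanner has to: a datagram back means open, an ICMP port-unreachable means closed, and silence is ambiguous, which is why a UDP service such as IKE on 500/udp that ignores junk looks "closed" to a naive scanner. It assumes Python 3 on Linux, where a connected UDP socket surfaces ICMP port-unreachable as ConnectionRefusedError; the responder is a constructed stand-in for a daemon that only answers well-formed requests.

```python
import socket
import threading

OPEN, CLOSED, OPEN_OR_FILTERED = "open", "closed", "open|filtered"


def probe_udp(host, port, payload=b"", timeout=1.0):
    """Classify a UDP port from a single datagram probe.

    Unlike TCP, there is no handshake to observe: only a reply proves the
    port is open, only an ICMP port-unreachable proves it is closed, and
    no answer at all leaves it open|filtered (hypothetical label borrowed
    from nmap's -sU vocabulary).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket so ICMP errors reach recv()
        s.send(payload)
        try:
            s.recv(4096)
            return OPEN
        except ConnectionRefusedError:  # kernel delivered ICMP port unreachable
            return CLOSED
        except socket.timeout:  # service silent or probe dropped by a firewall
            return OPEN_OR_FILTERED


def start_udp_responder(host="127.0.0.1", expected=b"ping"):
    """Constructed stand-in for a UDP daemon (think IKE on 500/udp) that
    replies only to a well-formed request and drops everything else.
    Returns the bound socket and the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                data, addr = srv.recvfrom(4096)
            except OSError:  # socket closed by the caller
                return
            if data == expected:
                srv.sendto(b"pong", addr)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def unused_udp_port(host="127.0.0.1"):
    """Constructed helper: grab and release an ephemeral port so the probe
    hits a port nothing listens on (the kernel answers with ICMP)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]
```

Against a real pfSense box the same three outcomes apply: a malformed probe to 500/udp will sit in the open|filtered bucket even when the IKE daemon is running, so read the IPsec logs rather than trusting a scanner's "closed".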