Setup L2TP/IPsec vpn on PfSense Authenticated by Radius


VPN

5 min read

Today we're configuring an L2TP/IPsec client vpn tunnel on Pfsense that uses Zentyal Radius to do the authentication.

Prerequisites:

The Authentication back-end will be Active-Directories Open Source Implementation called Zentyal.
Since Zentyal is a free product this is great for starting and small businesses.(Mostly managed by Windows RSAT tools)
I'm not going over the basic setup of an AD and configuring permission accordingly.
Inside the AD we create a group called 'VPN Users' and add the user that need access to the L2TP/IPsec vpn.

L2TP:

On the PfSense router we're first configuring the L2TP tunnel.
Enable the L2TP server.
The Interface is usually your WAN connection.
The Server address is the address where the server will route the clients out (usually you want this set to you an FREE address in your LAN network - 10.100.10.0/24 is my LAN where the leases for DHCP start at 10.100.10.100).
Remote address range is the range that your clients on VPN will receive from the L2TP tunnel.
Number of L2TP users is obvious ..
Secret stays empty.
Authentication type needs to be set to MS-CHAPv2
Primary and Secondary L2TP DNS server entries stay empty.

L2TP Authentication will be the Radius Server
Enable the Use a RADIUS server for authentication.
Accounting stays Disabled.
The Server is in my case the IP of the Zentyal Radius server.
Secret is the shared secret configured on the RADIUS server,
RADIUS issued IP's stays unchecked.

IPsec:

Now lets head over to the IPsec tunnel tab and complete the config.
On the Mobile Clients page the checkbox for IKE Extensions to Enable IPsec Mobile Client Support need to be checked.
We're not using Xauth so no further changes are need here.
Save the config (normally you should see now a header to configure the first stage of the Tunnel - First apply/save the config before you configure the tunnel.)

The Setup for the First Stage of the tunnel.
Disabled leave this unchecked.
Key Exchange version is set to IKEv1 (IKEv2 is based on certificates, another how to will be created for that one ;) )
Internet Protocol is IPv4 (haven't tested with IPv6 yet).
Interface is typically set to your WAN network.
Authentication Method set this one to Mutual PSK.
Negotiation mode set to Main.
My identifier is My IP address.
Encryption Algorithm change this to AES as Algorithm, 256 bits for the Key length, SHA1 as Hash and finish of with 14 (2048 bit) for the Deffie Hellman Group Key Exchange.
This can now be saved and we continue with the 2nd Stage.

And the 2nd Stage Setup.
The Mode is Transport.
Protocol Set this to ESP ( HA is only authentication)
For Encryption Algorithm we'll can go with Selecting AES for the Algorithm and Auto for the key length ( I've selected the others for testing but noticed in the logs that it is using CBC not GCM )
With Hash Algorithm select SHA1 and SHA256.
PFS key group needs to be set to OFF.
Configuration for the 2nd Stage of the Tunnel is now completed.
We just need a couple small adjustments on the firewall and create the PSK key-phrase.

IPsec Pre-Shared Key

Identifier needs to be any (since we're using L2TP Radius for Auth.)
Secret type select PSK.
Pre-Shared Key is set here to vpnuser ( just for testing - preferable this should be set to a long 20+ char passphrase)
rest can stay as is and save the Key.

Firewall Rules

For the WAN the L2TP port needs to be opened.
The protocol for this is IPv4 UDP as Destination Select your WAN address and the port needs to be L2TP port 1701.

Allow all traffic for the L2TP VPN.

Allow all the traffic for IPsec. ( this could be restricted to your needs but typically your LAN Rules should protect you.

Client Setup

Next step is to roll the client out and test the setup.
You'll probably want to do this by GPO.

Here is a example PowerShell One-liner to get you going ;) ( to roll it out with software installation this needs to be converted to an msi.)
On a Domain Joined workstation run (as admin) :
Add-VpnConnection -Name 'Office VPN' -ServerAddress <Your Server/WAN IP> -TunnelType L2TP -AllUserConnection -L2tpPsk 'vpnusers' -UseWinLogonCerdential -AuthenticationMethod MSChapv2 -EncryptionLevel Required -force