How to set up VPN L2TP only without IPsec?

Newbie here.

Just want to keep it simple for accessing NAS. In pfSense, I have enabled the L2TP server (with shared key), set up a user ID and added firewall rules to allow L2TP, but I am not able to connect; the message is "server does not respond". How to troubleshoot this?

Okay, a few things.

First: L2TP itself isn’t encrypted. That’s why it’s almost always paired with IPSec. Many implementations just say L2TP when they really mean L2TP/IPSec. If you put in a shared key, there’s IPSec happening.

If you’re trying to connect to L2TP from a Windows host, be aware of this if your pfSense is behind another NAT.

That all said, I think you would be better off skipping L2TP and going with OpenVPN. The OpenVPN setup wizard will make all the right settings for you and set up the crypto stuff. Then go to User Manager, create a new user, and check the box for ‘create certificate’. Finally, download the plugin ‘OpenVPN Client Export’. Go back to VPN-OpenVPN and you’ll see a Client Export tab. In there you can generate an instant installer that will set up a Windows machine to connect to your VPN.
If you want to connect from mobile, you can download the app and have the Client Export spit out an appropriate .OVPN file.

Hello and welcome to pfSense!

Have you looked at the recipes we have on our website? There’s one for doing what you’re trying to accomplish: L2TP/IPsec Remote Access VPN Configuration Example | pfSense Documentation

pfSense isn’t a very good L2TP LAC or LNS; with or without IPSec. This said, it does work when it wants to.

You may need to add custom rules to allow access to it; L2TP runs on UDP port 1701. Check your firewall logs to see if you’re being blocked.

As others have mentioned, L2TP isn’t in any way designed with security in mind. Any data sent over it that isn’t encrypted in itself can be seen by any nodes en route.

Why don’t you use pure IPsec or OpenVPN instead?

Does it mean: L2TP with pre shared key is a “not-bad” in terms of security?

Correct. But L2TP with PSK is L2TP/IPSec with a pre-shared key. The PSK is part of IPSec, not L2TP.
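
Following up on the advice above to check the firewall logs: since a shared key means IPsec is in play, the client also needs IKE (UDP 500), NAT-T (UDP 4500) and ESP to get through, not only UDP 1701. The script below is an added example, not part of the original thread or of pfSense; it assumes the IPv4 filterlog CSV field positions noted in the comments (verify them against your version), and the log lines and addresses are constructed.

```python
import csv

# What an L2TP/IPsec client must be able to reach on the WAN address.
NEEDED = {("udp", 500): "IKE", ("udp", 4500): "IPsec NAT-T",
          ("udp", 1701): "L2TP", ("esp", None): "ESP"}

# Constructed sample log lines (documentation addresses, made-up rule ids).
SAMPLE = """\
Jan  1 12:00:01 fw filterlog[1234]: 4,,,1000000103,igb0,match,block,in,4,0x0,,54,1111,0,none,17,udp,436,198.51.100.7,203.0.113.1,500,500,416
Jan  1 12:00:02 fw filterlog[1234]: 7,,,1700000001,igb0,match,pass,in,4,0x0,,54,1112,0,none,17,udp,150,198.51.100.7,203.0.113.1,1701,1701,130
Jan  1 12:00:03 fw filterlog[1234]: 4,,,1000000103,igb0,match,block,in,4,0x0,,54,1113,0,none,17,udp,120,198.51.100.7,203.0.113.1,4500,4500,100
Jan  1 12:00:04 fw filterlog[1234]: 4,,,1000000103,igb0,match,block,in,4,0x0,,54,1114,0,none,50,esp,120,198.51.100.7,203.0.113.1,datalength=100
Jan  1 12:00:05 fw filterlog[1234]: 4,,,1000000103,igb0,match,block,in,4,0x0,,54,1115,0,DF,6,tcp,60,192.0.2.9,203.0.113.1,40000,23,0,S,1,,64240,,mss
"""


def blocked_vpn_traffic(log_text, wan_ip):
    """Return {service: {source IPs}} for blocked inbound VPN packets to wan_ip."""
    hits = {}
    for line in log_text.splitlines():
        # Drop the syslog prefix, then split the CSV payload.
        f = next(csv.reader([line.rsplit(": ", 1)[-1]]), [])
        # Assumed layout: f[6]=action, f[7]=direction, f[8]=IP version,
        # f[16]=protocol name, f[18]=src, f[19]=dst, f[21]=dst port (UDP).
        if len(f) < 20 or f[8] != "4":
            continue
        if f[6] != "block" or f[7] != "in" or f[19] != wan_ip:
            continue
        proto = f[16]
        has_port = proto == "udp" and len(f) > 21 and f[21].isdigit()
        service = NEEDED.get((proto, int(f[21]) if has_port else None))
        if service:
            hits.setdefault(service, set()).add(f[18])
    return hits


if __name__ == "__main__":
    found = blocked_vpn_traffic(SAMPLE, "203.0.113.1")
    for service, sources in sorted(found.items()):
        print(f"blocked {service} from {', '.join(sorted(sources))}")
```

In the constructed sample the L2TP rule passes UDP 1701 while IKE, NAT-T and ESP are dropped, which produces the same "server does not respond" symptom on the client.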