L2TP Plugin

Started by pcampbell, November 11, 2020, 10:55:00 PM

Hello everyone, I'm new to OPNsense. Just moved to it from my SonicWall, where I had an L2TP/IPsec VPN set up for remote client access at our church. I see in all the documentation that there is an L2TP plugin available for OPNsense, but cannot find it anywhere. Has it been removed? I've tried setting up IPsec with IKEv2 EAP-MSCHAPv2 but cannot get it to work properly. I would prefer using the built-in Windows VPN client over OpenVPN if possible.

OPNsense V 20.7.4

Thanks
Philip

It was removed, yes; way too old a technology. What's your error with IKEv2?

If I follow the directions to the letter, I get an error on trying to connect stating "Invalid Payload Received". On inspecting the IPsec logs I see where the client is requesting a virtual IP, and since one is not set it returns the error. If I set a VIP in the system it will connect with no errors, but Internet and DNS are not working (even if I assign my internal DNS server). I am using the default IPsec rules that are auto-generated, but did try adding the rules from the documentation, to no avail. On my SonicWall when I was using L2TP I did not assign a virtual IP; my DHCP server assigned IPs to my VPN clients via a pass-through and it worked every time. As I said, I'm new to this type of firewall and working my way through it, so any assistance would be appreciated.

Basic Network setup:
LAN - 192.168.0.0/24
DNS Server - 192.168.0.22
VIP Range - 192.168.0.235/24

Let me know if any more info would help. The only NAT is for my web server and streaming media server (AntMedia), with an accompanying outbound NAT for the media server. Firewall rules are all default except for the ones created by the NAT.

Thanks
Philip

Here they are. Hope they help.

Your WAN rule doesn't allow IPsec, and the virtual IP pool should be different from the LAN, like 192.168.255.0/24.

Also, screenshots of the tunnel config.

And here are the tunnel settings. I've changed my VIP to a different subnet and still no DNS or routing that I can see. No Internet access either.

On the client, do you have the root certificate installed?
Can you post the logs when connecting?

Yes I do. I am not getting any errors connecting (since adding the VIP), only no routing or DNS. If you need the logs, is there an easier way to get them and screenshot them?

OK, after some playing around I'm part way there. I can now route traffic to my internal network, but I still cannot get to the Internet via my VPN tunnel. I had to add a rule to IPsec to allow my IPsec addresses (VIP now starts at 10.10.0.100/24) to my LAN (or "any" in this case). DNS and everything there seems to be working fine, but like I said, no Internet. I've tried adding a rule to the WAN, and another rule to the IPsec, but must not have them right. I also tried adding another outbound NAT to see if that would be the issue.

Screenshot of the updated Phase 2 in IPsec, please.

I did not change my P2 tunnel, only updated P1 with a different subnet.

Remote subnet 0.0.0.0, and add a route to the client?
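The thread walks through the usual checklist for an IKEv2 road-warrior tunnel on OPNsense one item at a time: the virtual IP pool must not overlap the LAN, the WAN must accept IKE/NAT-T/ESP, decrypted client traffic on the IPsec interface needs its own pass rule, and a full-tunnel client (the Windows default) only reaches the Internet if Phase 2 offers 0.0.0.0/0 and outbound NAT covers the pool. The script below, added here as an illustration and not code from OPNsense or from any of the posters, encodes that checklist as a checker over a constructed, simplified model of the settings. The dict fields (`lan`, `vip_pool`, `rules`, `phase2_remote`, `outbound_nat`, `full_tunnel`) and the two sample configurations are assumptions for illustration, not OPNsense's configuration format; the outbound NAT entry for the pool in the "fixed" sample is my assumption about the missing piece for Internet access, which the thread never confirms.

```python
import ipaddress

# Added example for this thread; not OPNsense code and not the posters' config.
# The dict layout is a constructed, simplified model: field names are
# assumptions for illustration, not OPNsense's real configuration format.

# What the WAN must let in for a road-warrior IKEv2 client: IKE, NAT-T, ESP.
REQUIRED_WAN = {("udp", 500), ("udp", 4500), ("esp", None)}
ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(text):
    # strict=False so a pool written as "192.168.0.235/24" (as in the thread)
    # is read as the /24 it lies in rather than rejected.
    return ipaddress.ip_network(text, strict=False)


def _covers(outer, inner):
    return (outer.network_address <= inner.network_address
            and outer.broadcast_address >= inner.broadcast_address)


def _src_covers(rule_src, pool):
    return rule_src == "any" or _covers(_net(rule_src), pool)


def check_roadwarrior(cfg):
    """Return a list of 'CODE: detail' findings; [] means none of the
    modelled pitfalls is present."""
    findings = []
    lan, pool = _net(cfg["lan"]), _net(cfg["vip_pool"])

    # 1. The pool handed to clients must be a separate range from the LAN;
    #    otherwise LAN hosts treat client addresses as local and replies
    #    never enter the tunnel.
    if pool.overlaps(lan):
        findings.append(f"POOL_OVERLAP: vip_pool {pool} overlaps lan {lan}")

    # 2. WAN pass rules for IKE (UDP/500), NAT-T (UDP/4500) and ESP.
    wan_pass = {(r["proto"], r.get("dport")) for r in cfg["rules"]
                if r["iface"] == "wan" and r["action"] == "pass"}
    for proto, port in sorted(REQUIRED_WAN - wan_pass, key=str):
        findings.append(f"WAN_MISSING: {proto}" + (f"/{port}" if port else ""))

    # 3. Decrypted client traffic arrives on the IPsec interface and needs
    #    its own pass rule; without it clients connect but reach nothing.
    if not any(r["iface"] == "ipsec" and r["action"] == "pass"
               and _src_covers(r["src"], pool) for r in cfg["rules"]):
        findings.append(f"IPSEC_RULE_MISSING: no pass rule on ipsec for {pool}")

    # 4./5. only matter when clients send all traffic through the tunnel
    #    (the Windows client's default).
    if cfg.get("full_tunnel"):
        # Phase 2 must offer 0.0.0.0/0, or only the LAN is reachable.
        if _net(cfg["phase2_remote"]) != ANY:
            findings.append(f"P2_NOT_DEFAULT: phase2_remote is "
                            f"{cfg['phase2_remote']}, need 0.0.0.0/0")
        # Outbound NAT on WAN must cover the pool, or Internet-bound packets
        # leave with private client source addresses and never come back.
        if not any(n["iface"] == "wan" and _covers(_net(n["src"]), pool)
                   for n in cfg["outbound_nat"]):
            findings.append(f"NAT_MISSING: no outbound NAT on wan for {pool}")
    return findings


# Constructed starting point modelled on the first post: pool inside the LAN,
# no IPsec-related WAN rules, Phase 2 covering only the LAN, outbound NAT for
# one unrelated host only (placeholder address).
AS_POSTED = {
    "lan": "192.168.0.0/24",
    "vip_pool": "192.168.0.235/24",
    "phase2_remote": "192.168.0.0/24",
    "full_tunnel": True,
    "rules": [{"iface": "wan", "action": "pass", "proto": "tcp", "dport": 443}],
    "outbound_nat": [{"iface": "wan", "src": "192.168.0.50/32"}],
}

# Same setup after the changes suggested in the thread, plus (my assumption)
# an outbound NAT entry for the pool.
FIXED = {
    "lan": "192.168.0.0/24",
    "vip_pool": "10.10.0.0/24",
    "phase2_remote": "0.0.0.0/0",
    "full_tunnel": True,
    "rules": [
        {"iface": "wan", "action": "pass", "proto": "udp", "dport": 500},
        {"iface": "wan", "action": "pass", "proto": "udp", "dport": 4500},
        {"iface": "wan", "action": "pass", "proto": "esp"},
        {"iface": "ipsec", "action": "pass", "src": "10.10.0.0/24", "dst": "any"},
    ],
    "outbound_nat": [{"iface": "wan", "src": "10.10.0.0/24"}],
}

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(name, check_roadwarrior(cfg) or "ok")
```

Run as-is it reports seven findings for the "as posted" model and none for the "fixed" one. The checker only knows the five pitfalls the thread touches; it says nothing about the EAP-MSCHAPv2 identity, certificate SAN or DNS push settings, which also have to be right before the Windows client is usable.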