Bug #475
closed
L2TP is not functional in the way users will expect
0%
Description
L2TP appears to be missing the IPsec part, mpd binds on UDP 1701, but it has nothing for the ISAKMP, nothing is bound on UDP 500. Clients just fail after attempting to send the ISAKMP phase 1 ident which gets no response.
Updated by Ermal Luçi about 14 years ago
This is relevant to what is needed to be done.
For further reference read this http://old.nabble.com/IPSec-NAT-T-in-transport-mode-td27240984.html
Updated by Chris Buechler almost 14 years ago
- Subject changed from L2TP is not functional to L2TP is not functional in the way users will expect
clarifying ticket, it does actually work, but not the way most people are going to expect.
Updated by Ermal Luçi over 13 years ago
Probably this should be closed and a feature request should be opened for a wizard.
Updated by Chris Buechler over 13 years ago
to be consistent with how users expect it to work, and how it works in similar projects, it needs to just automatically add the appropriate IPsec bits. I don't see any need for a wizard.
Updated by Jim Pingle over 13 years ago
Some sample configurations linked here:
http://forum.pfsense.org/index.php/topic,30114.msg156037.html#msg156037
Updated by Thomas Reagan over 13 years ago
Hello,
This is functionality that I could really use, and would be happy to assist in any way that I can. However, I am unclear from the bug to date what needs to happen next - is the next step evaluating the relevant settings, building a framework, or what?
If one of the core developers can point me in a direction, I am happy to slug through this.
Thanks,
--tkr
Updated by Chris Buechler over 13 years ago
L2TP is likely just going to be plain L2TP for 2.0 and we can work out the IPsec bits later. The underlying software doesn't work properly with L2TP+IPsec and it's going to require some heavy lifting development work to fix that. Details in the link Ermal provided in the fist comment above.
Updated by Ermal Luçi about 13 years ago
- Target version changed from 2.0 to 2.1
This cannot be achived in 2.0 timeframe.
Updated by Ermal Luçi about 13 years ago
Another helpful link
http://kuapp.com/2010/07/14/how-to-setup-l2tpipsec-vpn-on-freebsd.html
Updated by Dim Hatz about 12 years ago
Another related link:
Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to III)
http://forums.freebsd.org/showthread.php?t=26755
Updated by Carsten Zimmermann over 11 years ago
Are there any updates on this regarding the 2.1 release? I'm running the 2.1 beta (build: Fri Nov 16 04:26:21 EST 2012) and there is indeed no IKE daemon running after enabling L2TP.
(Also, is there a recommended approach to do this manuelly without 'disturbing' the web-based mpd configuration?)
Updated by Jim Pingle over 11 years ago
There is still no way to do this with or without the GUI. It still requires patches to the software (ipsec-tools/racoon) that we have not yet made.
Updated by Slava Bendersky almost 10 years ago
Why do not stop using racoon ? Why not start using libreswan base on netkey or klips. Libreswan match match more sutiable solution for ipsec then racoon. I am talking from my experience.
Updated by Slava Bendersky almost 10 years ago
Slava Bendersky wrote:
Just stop using racoon ? Why not start using libreswan base on netkey or klips. Libreswan match match more sutiable solution for ipsec then racoon. I am talking from my experience.
Updated by Ermal Luçi over 9 years ago
- Status changed from New to Closed
This is possible on 2.2.
So this can be considered closed.