# l2tp/ipsec.. which server vpn to use



## antolap (Oct 25, 2017)

I want to shut down a Cisco that is used as an L2TP/IPsec server and use FreeBSD instead.

Which server should I install?

Clients are Linux, Android phones, and Windows 7 and Windows 10 (all of them are behind a NAT).

If possible, I'd like to run the server behind a NAT (I would redirect ports/protocols from the firewall, which has the static IP, to the VPN server).


----------



## obsigna (Oct 25, 2017)

First of all, you want to use FreeBSD 11.1-RELEASE, because long-standing IPsec NAT-T issues with Windows clients have finally been resolved. If you need earlier FreeBSD versions, then you would need to patch the kernel.

For managing IPsec, you want to install security/strongswan, and for the L2TP part you need net/mpd5.

Because NAT is involved, you need to add the following registry entry on Windows clients: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\AssumeUDPEncapsulationContextOnSendRule = (DWORD)2`.

A few years ago, I wrote a blog post about setting up an L2TP/IPsec service on a FreeBSD (10.0) server. Most of this should work for FreeBSD 11.1 without changes; only patching the kernel is no longer needed, and that part should be skipped. It is written in German, but the online translation by Google seems to do a pretty good job of making the post comprehensible for English speakers:
https://translate.google.com/translate?sl=de&tl=en&js=y&prev=_t&ie=UTF-8&u=https://obsigna.net/?p=520

In any case, please ask here if something is not clear.
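
The pieces named in the post above (strongswan for the IPsec transport-mode SA, mpd5 for the L2TP/PPP layer, the pf redirect on the NAT firewall, and the Windows registry value) fit together as follows. This is an added example, not configuration from the post or from the linked blog; every address, interface name, pool range, user name and pre-shared key in it is an assumed placeholder. Two caveats a practitioner should know: with NAT-T the ESP traffic travels inside UDP 4500, so the firewall only has to forward UDP 500 and 4500 (no IP protocol 50 rule is needed), and on the Windows side the documented meaning of `AssumeUDPEncapsulationContextOnSendRule` is 1 = the server is behind NAT, 2 = both client and server are behind NAT, so 2 is the right choice for the scenario described in this thread; the change takes effect after a reboot.

```conf
# ---- /usr/local/etc/ipsec.conf (strongswan, on the FreeBSD VPN server) ----
config setup
    uniqueids=never            # several clients may share one NATed public IP

conn L2TP-PSK
    keyexchange=ikev1          # Windows/Android built-in L2TP clients use IKEv1
    type=transport             # L2TP/IPsec protects UDP 1701 in transport mode
    authby=secret              # PSK; individual users are authenticated by PPP
    left=%defaultroute
    leftprotoport=17/1701      # our side: UDP 1701 (L2TP)
    right=%any
    rightprotoport=17/%any     # clients behind NAT arrive from arbitrary ports
    forceencaps=yes            # always UDP-encapsulate; harmless if NAT is detected anyway
    # Strong proposals first; 3DES/modp1024 only for old clients, drop when unneeded
    ike=aes256-sha1-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,aes128-sha1,3des-sha1!
    rekey=no                   # let the client initiate rekeying
    dpdaction=clear
    dpddelay=30s
    dpdtimeout=120s
    auto=add

# ---- /usr/local/etc/ipsec.secrets (mode 0600, owner root) ----
# assumed placeholder PSK; shared by all clients, so make it long and random
: PSK "replace-with-a-long-random-pre-shared-key"

# ---- /usr/local/etc/mpd5/mpd.conf ----
startup:

default:
    load l2tp_server

l2tp_server:
    # assumed address pool handed out to VPN clients
    set ippool add pool_l2tp 192.168.50.10 192.168.50.99

    create bundle template B_l2tp
    set iface enable proxy-arp
    set iface enable tcpmssfix      # avoid PMTU blackholes over the tunnel
    set ipcp yes vjcomp
    set ipcp ranges 192.168.50.1/32 ippool pool_l2tp
    set ipcp dns 192.168.50.1       # assumed resolver address

    create link template L_l2tp l2tp
    set link action bundle B_l2tp
    set link enable multilink
    set link yes acfcomp protocomp
    set link no pap chap eap
    set link enable chap-msv2       # MS-CHAPv2 only; PAP/CHAP-MD5 send weak credentials
    set link keep-alive 10 60
    set link mtu 1280               # leaves room for L2TP + ESP + UDP encapsulation
    set l2tp self 0.0.0.0
    set l2tp enable length
    set link enable incoming

# ---- /usr/local/etc/mpd5/mpd.secret (mode 0600) ----
# assumed user; format is: username "password" [client-ip]
vpnuser "replace-with-a-strong-passphrase"

# ---- /etc/rc.conf additions on the VPN server ----
strongswan_enable="YES"
mpd_enable="YES"

# ---- /etc/pf.conf fragment on the firewall holding the static IP ----
ext_if = "em0"                     # assumed external interface
vpn_srv = "192.168.1.10"           # assumed inside address of the FreeBSD VPN server
# NAT-T carries ESP inside UDP 4500, so only IKE (500) and NAT-T (4500) need forwarding
rdr pass on $ext_if inet proto udp from any to ($ext_if) port { 500, 4500 } -> $vpn_srv

# ---- Windows clients: l2tp-nat.reg (import, then reboot) ----
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002
```

Verification on the server after starting both daemons: `ipsec statusall` should list the `L2TP-PSK` connection and, once a client connects, an ESP SA with `UDP` encapsulation shown; `tcpdump -ni em0 udp port 4500` on the firewall confirms the redirected traffic, and a connected client appears in `mpd5` as an `ng0`-style interface holding an address from the pool.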


----------



## antolap (Oct 25, 2017)

> Because NAT is involved, you need to add the following registry entry on Windows clients: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\AssumeUDPEncapsulationContextOnSendRule = (DWORD)2`.

Because there will be NAT at the client side or at the server side? Up to now I have used Windows clients behind NAT with a Cisco VPN server and I have never modified the registry.


----------

