Info: After having performed the pfSense upgrade from version 2.1.5 to 2.2, I am no longer able to connect iPhones to the VPN endpoint. I cannot say what exactly the issue is right now, but as the pfSense people have switched from racoon to strongSwan, there seem to be some significant changes under the hood. I am sorry to say that this guide is no longer applicable to the current version of pfSense. As soon as I find time to investigate this issue, I will post updates here.
Just some side notes: the VPN client in iOS 8 now supports IKEv2, but this feature has not yet been made available in the UI of the VPN client. There is a tool called “Apple Configurator” which can be used to set up a VPN profile that supports IKEv2. pfSense also supports IKEv2 now (since switching to strongSwan).
If anyone gets this thing working again, I am highly interested. Thank you for letting me know.
1. Introduction
I own a pfSense box myself which runs on an APU1C4 board from PC Engines (see 3.1). I use it for firewalling and as a VPN endpoint for various client devices such as iPhones, iPads, Android phones and tablets, Windows PCs and Linux boxes. In this article I want to share my experience in turning a pfSense box into a device which acts as an IPsec VPN endpoint.
2. Goals
My main goals were:
- Mobile devices should be able to connect to my pfSense box and make use of IPsec full tunneling, which means ALL traffic runs through my pfSense box. This is especially useful if you are located outside your country and want to access content which is accessible from domestic IP addresses only.
- I also want to access my private LAN in order to manage my systems and to reach my file shares and other resources.
So far, no special goals. Let’s move on.
3. System Environment
3.1 My pfSense Box
My pfSense is running version 2.1.5-RELEASE (amd64), built on Aug 25 07:44:45 EDT 2014, with FreeBSD 8.3-RELEASE-p16 under the hood. The box is driven by an ALIX APU1C4 Mini-ITX mainboard bought from PC Engines GmbH in Switzerland. The board has some nice hardware specs such as 4 GB of RAM, an AMD G-T40E dual-core processor and gigabit Ethernet network interfaces: the ideal playground to provide VPN connectivity on an embedded device. The only (possible) drawback is that the OS is running from an SD card in my case. But you don’t have to: there are also some mSATA SSD modules available which allow you to run your OS from an SSD.
3.2 Clients
I have tested client connectivity using the following devices:
Device                  Model No.            OS Version        VPN Client
Google Nexus 7 Tablet   K009 D80KBC139568    Android 4.4.3     Default
Apple iPhone 5s         A1533                iOS 7.1.2         Default
Apple iPhone 5s         A1457                iOS 7.1.2         Default
Apple iPhone 4          A1332                iOS 7.1.2         Default
Apple iPad Mini         A1432                iOS 7.1.2         Default
Apple iPad 3            A1430                iOS 7.1.2         Default
Apple iPad 2            A1396                iOS 7.1.2         Default
Apple MacBook Pro       A1398                MacOS X 10.9.4    Default
Lenovo X201             4290-N77             Windows 8         Shrew Soft VPN Client
Lenovo X200             7458-E46             Linux Mint 16     vpnc
Update: I have tested the configuration on an iPad running iOS 8.1.2 as well. Detailed test results follow soon; please bear with me.
Please note that I have used the vendor-supplied default VPN clients for all Apple and Android devices; there was nothing to install at all. For Windows, I have used the Shrew Soft VPN client 2.2.2-release, build dated Jul 01 2013. For Linux systems, I have used the vpnc package, a command-line VPN client, version 0.5.3r512.
4. pfSense Configuration
Log in to your pfSense box and select VPN -> IPsec. Go to the Tunnels tab and make sure Enable IPsec is checked. Then add a phase 1 entry and make sure the following values are set:
Section                            Setting                 Value
General Information                Disabled                Unchecked
                                   Internet Protocol       IPv4
                                   Interface               WAN
                                   Description             (empty)
Phase 1 proposal (authentication)  Authentication method   Mutual PSK + Xauth
                                   Negotiation mode        aggressive
                                   My identifier           My IP address
                                   Peer identifier         Type: Distinguished name, Value: <identifier>
                                   Pre-Shared Key          <pre-shared secret>
                                   Policy Generation       Unique
                                   Proposal Checking       Default
                                   Encryption algorithm    AES 256 bits
                                   Hash algorithm          SHA1
                                   DH key group            2 (1024 bit)
                                   Lifetime                86400 seconds
Advanced Options                   NAT Traversal           Enable
                                   Dead Peer Detection     Unchecked
In my case, I have chosen vpnusers as the value for <identifier>, but you can choose whatever you like. Just pick a name that is simple to remember here. Once it works, do not forget to choose something stronger. Save your settings and go back to the VPN -> IPsec menu. Now add a phase 2 entry to the already existing phase 1 entry with the following values set:
Section                              Setting                   Value
General Information                  Disabled                  Unchecked
                                     Mode                      Tunnel IPv4
                                     Local Network             Type: LAN subnet
                                     Description               (empty)
Phase 2 proposal (SA/Key Exchange)   Protocol                  ESP
                                     Encryption algorithms     AES 256 bits
                                     Hash algorithms           SHA1
                                     PFS key group             off
                                     Lifetime                  28800 seconds
Advanced Options                     Automatically ping host   (empty)
Again, save your changes and go back to the VPN -> IPsec menu. Now select the Mobile clients tab and make sure the following values are set:
Section                          Setting                              Value
IKE Extensions                   Enable IPsec Mobile Client Support   Checked
Extended Authentication (Xauth)  User Authentication                  Source: Local Database
                                 Group Authentication                 Source: system
Client Configuration (mode-cfg)  Virtual Address Pool                 Provide a virtual IP address to clients: Checked
                                                                      Network: 192.168.111.0/24
                                 Network List                         Provide a list of accessible networks to clients: Unchecked
                                 Save Xauth Password                  Allow clients to save Xauth passwords: Checked
                                 DNS Default Domain                   Provide a default domain name to clients: Checked
                                                                      Value: localdomain
                                 Split DNS                            Provide a list of split DNS domain names to clients: Unchecked
                                                                      Value: (empty)
                                 DNS Servers                          Provide a DNS server list to clients: Checked
                                                                      Server #1: 8.8.8.8, Server #2: (empty), Server #3: (empty), Server #4: (empty)
                                 WINS Servers                         Provide a WINS server list to clients: Unchecked
                                                                      Server #1: (empty), Server #2: (empty)
                                 Phase 2 PFS Group                    Provide the Phase 2 PFS group to clients: Unchecked
                                                                      Group: off
                                 Login Banner                         Provide a login banner to clients: Checked
                                                                      Value: (whatever text you like)
Save your changes. Now go to System -> User Manager and select the Group tab. Add a new group called vpnusers. Make sure the group has the privilege User – VPN – IPsec xauth Dialin set. Save it. Now go to the Users tab and create a user which will later be used to connect to your VPN box. Make sure the user is a member of the group vpnusers.
Now we need to open the firewall to allow VPN connections to pass through. Go to Firewall -> Rules and select the WAN tab. Configure the following rules:
Proto      Source   Port   Destination   Port                 Gateway   Queue   Schedule   Description
IPv4 UDP   *        *      *             500 (ISAKMP)         *         None    (empty)    IPsec
IPv4 UDP   *        *      *             4500 (IPsec NAT-T)   *         None    (empty)    IPsec
Select the IPsec tab and add a rule which allows all traffic to go through the VPN connection:
Proto    Source   Port   Destination   Port   Gateway   Queue   Schedule   Description
IPv4 *   *        *      *             *      *         None    (empty)    Allow all
5. Configuring Client Devices
5.1 Configuring Your iPhone
In order to get your iPhone, iPad or MacBook connected, just enter the following parameters:
Parameter       Value
VPN Type        IPsec
Description     <Description>
Server          <IP/hostname of your VPN endpoint>
Account         <user>
Password        <password>
Group           <identifier>
Shared Secret   <pre-shared secret>
Proxy           Off
5.2 Configuring Your Android Device
Parameter              Value
Name                   <Description>
Type                   IPSec Xauth PSK
Server address         <IP/hostname of your VPN endpoint>
IPSec identifier       <identifier>
IPSec pre-shared key   <pre-shared key>
You will be prompted for username and password as soon as you try to connect to your VPN endpoint.
5.3 Configuring Your Windows PC
On Windows, I use the Shrew Soft VPN client. The current version is 2.2.2. The configuration options I use are as follows:
Tab               Section/Tab                  Setting                                         Value
General           Remote Host                  Host Name or IP Address                         <IP/hostname of your VPN endpoint>
                                               Port                                            500
                                               Auto Configuration                              ike config pull
                  Local Host                   Adapter Mode                                    Use a virtual adapter and assigned address
                                               Obtain automatically                            Checked
                                               MTU                                             1380
Client            Firewall Options             NAT Traversal                                   enable
                                               NAT Traversal Port                              4500
                                               Keep-alive packet rate                          15
                                               IKE Fragmentation                               enable
                                               Maximum packet size                             540
                  Other Options                Enable Dead Peer Detection                      Checked
                                               Enable ISAKMP Failure Notifications             Checked
                                               Enable Client Login Banner                      Checked
Name Resolution   DNS                          Enable DNS                                      Checked
                                               Obtain Automatically                            Checked
                                               Obtain Automatically (DNS Suffix)               Checked
                  WINS                         Enable WINS                                     Unchecked
Authentication                                 Authentication Method                           Mutual PSK XAuth
                  Local Identity               Identification Type                             User Fully Qualified Domain Name
                                               UFQDN String                                    <identifier>
                  Remote Identity              Identification Type                             IP Address
                                               Address String                                  (empty)
                                               Use a discovered remote host address            Checked
                  Credentials                  Server Certificate Authority File               (empty)
                                               Client Certificate File                         (empty)
                                               Client Private Key File                         (empty)
                                               Pre Shared Key                                  <pre-shared key>
Phase 1           Proposal Parameters          Exchange Type                                   aggressive
                                               DH exchange group                               2
                                               Cipher Algorithm                                auto
                                               Cipher Key Length                               (empty)
                                               Hash Algorithm                                  auto
                                               Key Life Time limit                             86400 seconds
                                               Key Life Data limit                             0 Kbytes
                                               Enable Check Point Compatible Vendor ID         Unchecked
Phase 2           Proposal Parameters          Transform Algorithm                             auto
                                               Transform Key Length                            (empty)
                                               HMAC algorithm                                  auto
                                               PFS Exchange                                    disabled
                                               Compress Algorithm                              disabled
                                               Key Life Time limit                             3600 seconds
                                               Key Life Data limit                             0 Kbytes
Policy            IPSEC Policy Configuration   Policy Generation Level                         auto
                                               Maintain Persistent Security Associations       Unchecked
                                               Obtain Topology Automatically or Tunnel All     Checked
                                               Remote Network Resource                         (empty)
5.4 Configuring Your Linux PC
I use vpnc as the VPN client on Linux. Mine is a Linux Mint box, but vpnc should also be available on Ubuntu and Debian systems. It is command-line based and works pretty well. Install it using the command
sudo apt-get install vpnc
After that, navigate to /etc/vpnc/ and create a copy of the default.conf configuration file, for example:
cp default.conf my-vpn.conf
Edit the newly created file and fill in the parameters like this:
IPSec gateway <IP/hostname of your VPN endpoint>
IPSec ID <identifier>
IPSec secret <pre-shared secret>
IKE Authmode psk
Xauth username <user>
Xauth password <password>
<identifier> and <pre-shared secret> are the values chosen earlier during the pfSense configuration; <user> and <password> are the values entered for the user in the pfSense User Manager. To connect using vpnc, just enter the following command:
sudo vpnc /etc/vpnc/my-vpn.conf
If you would like to disconnect later, just enter the following command to restore the previous routing configuration:
sudo vpnc-disconnect
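A small helper for the steps in 5.4, added here as an example (it is not part of the original post nor of vpnc): it writes my-vpn.conf with the six parameters above and makes sure the file is readable by root only, because vpnc stores the pre-shared secret and the Xauth password in it in clear text. The script name, the path /etc/vpnc/my-vpn.conf and the sample values are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): write the vpnc configuration
# from section 5.4 and keep it private, since it holds two secrets in clear text.
# Assumed usage: sudo sh make-vpnc-conf.sh /etc/vpnc/my-vpn.conf <gateway> <identifier> <pre-shared secret> <user> <password>
set -eu

# make_vpnc_conf FILE GATEWAY IPSEC_ID IPSEC_SECRET XAUTH_USER XAUTH_PASSWORD
# Writes FILE with mode 0600. Values are expanded once, so secrets containing
# shell metacharacters are written literally.
make_vpnc_conf() {
    conf=$1
    # umask in a subshell: the file is created 0600 without changing the caller's umask
    (
        umask 077
        cat > "$conf" <<EOF
IPSec gateway $2
IPSec ID $3
IPSec secret $4
IKE Authmode psk
Xauth username $5
Xauth password $6
EOF
    )
    # if FILE already existed with wider permissions, umask alone did not fix it
    chmod 600 "$conf"
}

# conf_is_private FILE: succeeds only if group and others have no permission bits
conf_is_private() {
    case $(ls -l "$1") in
        -??-------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Run only when called with all six parameters (e.g. via sudo).
if [ $# -eq 6 ]; then
    make_vpnc_conf "$1" "$2" "$3" "$4" "$5" "$6"
    if conf_is_private "$1"; then
        echo "wrote $1 (mode 0600); connect with: sudo vpnc $1"
    else
        echo "warning: $1 is readable by other users" >&2
        exit 1
    fi
fi
```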
6. Final Thoughts
As always, I cannot claim that this tutorial is perfect. Therefore I am more than happy to hear from you if there is something wrong with this tutorial. Contact information is provided on the web site. But for now, let’s get started.