How To Configure IPSec VPN on pfSense For Use With iPhone, iPad, Android, Windows and Linux

https://blog.andregasser.net/how-to-configure-ipsec-vpn-on-pfsense-for-use-with-iphone-ipad-android-windows-and-linux/

Info: After upgrading pfSense from version 2.1.5 to 2.2 I am no longer able to connect iPhones to the VPN endpoint. I cannot say yet what exactly the issue is, but since the pfSense developers have switched from racoon to strongSwan, there seem to be some significant changes under the hood. I am sorry to say that this guide is no longer applicable to the current version of pfSense. As soon as I find time to investigate the issue, I will post updates here.

Just some side notes: the VPN client in iOS 8 now supports IKEv2, but this feature has not yet been made available in the UI of the VPN client. There is a tool called “Apple Configurator” which can be used to set up a VPN profile that uses IKEv2. pfSense also supports IKEv2 now (since the switch to strongSwan).

If anyone gets this working again, I am highly interested; please let me know.

1. Introduction

I own a pfSense box myself which runs on an APU1C4 board from PC Engines. I use it as a firewall and as a VPN endpoint for various client devices such as iPhones, iPads, Android phones and tablets, Windows PCs and Linux boxes. In this article I want to share my experience in turning a pfSense box into a device which acts as an IPsec VPN endpoint.

2. Goals

My main goals were:

  • Mobile devices should be able to connect to my pfSense box and use IPsec full tunneling, which means ALL traffic runs through my pfSense box. This is especially useful if you are located outside your country and want to access content that is only reachable from domestic IP addresses.
  • I also want to access my private LAN in order to manage my systems and reach my file shares and other resources.

So far, no special goals. Let’s move on.

3. System Environment

3.1 My pfSense Box

My pfSense box runs version 2.1.5-RELEASE (amd64), built on Aug 25 07:44:45 EDT 2014, with FreeBSD 8.3-RELEASE-p16 under the hood. The hardware is an APU1C4 Mini-ITX mainboard bought from PC Engines GmbH in Switzerland. The board has some nice specs such as 4 GB of RAM, an AMD G-T40E dual-core processor and gigabit Ethernet interfaces: an ideal playground for providing VPN connectivity on an embedded device. The only (possible) drawback is that in my case the OS runs from an SD card. It does not have to: there are mSATA SSD modules available which let you run the OS from an SSD.

3.2 Clients

I have tested client connectivity using the following devices:

Device                 Model No.            OS Version        VPN Client
Google Nexus 7 Tablet  K009 D80KBC139568    Android 4.4.3     Default
Apple iPhone 5s        A1533                iOS 7.1.2         Default
Apple iPhone 5s        A1457                iOS 7.1.2         Default
Apple iPhone 4         A1332                iOS 7.1.2         Default
Apple iPad Mini        A1432                iOS 7.1.2         Default
Apple iPad 3           A1430                iOS 7.1.2         Default
Apple iPad 2           A1396                iOS 7.1.2         Default
Apple MacBook Pro      A1398                Mac OS X 10.9.4   Default
Lenovo X201            4290-N77             Windows 8         Shrew Soft VPN Client
Lenovo X200            7458-E46             Linux Mint 16     vpnc

Update: I have tested the configuration on an iPad running on iOS 8.1.2 as well. Detailed test results follow soon. Please bear with me.

Please note that I have used the vendor-supplied default VPN clients for all Apple and Android devices; there was nothing to install at all. For Windows, I have used the Shrew Soft VPN client 2.2.2-release, build dated Jul 01 2013. For Linux systems, I have used the vpnc package, a command-line VPN client, version 0.5.3r512.

4. pfSense Configuration

Log in to your pfSense box and select VPN -> IPsec. Go to the Tunnels tab and make sure Enable IPsec is checked. Then add a phase 1 entry and make sure the following values are set:

General Information
  Disabled:                Unchecked
  Internet Protocol:       IPv4
  Interface:               WAN
  Description:             (empty)
Phase 1 proposal (authentication)
  Authentication method:   Mutual PSK + Xauth
  Negotiation mode:        aggressive
  My identifier:           My IP address
  Peer identifier:         Type: Distinguished name, Value: <identifier>
  Pre-Shared Key:          <pre-shared secret>
  Policy Generation:       Unique
  Proposal Checking:       Default
  Encryption algorithm:    AES 256 bits
  Hash algorithm:          SHA1
  DH key group:            2 (1024 bit)
  Lifetime:                86400 seconds
Advanced Options
  NAT Traversal:           Enable
  Dead Peer Detection:     Unchecked

In my case I have chosen vpnusers as the value for <identifier>, but you can choose whatever you like; a simple, memorable name is fine here, because the identifier is only the group name that clients send in the clear during the exchange. The strength has to be in the pre-shared key: with aggressive mode the responder's authentication hash is sent unencrypted, so anyone who can start an exchange with the group name can guess at the pre-shared key offline. Use a long random secret rather than a word, and if you start with a simple one for testing, replace it once everything works. Save your settings and go back to the VPN -> IPsec menu. Now add a phase 2 entry to the already existing phase 1 entry with the following values set:

General Information
  Disabled:                Unchecked
  Mode:                    Tunnel IPv4
  Local Network:           Type: LAN subnet
  Description:             (empty)
Phase 2 proposal (SA/Key Exchange)
  Protocol:                ESP
  Encryption algorithms:   AES 256 bits
  Hash algorithms:         SHA1
  PFS key group:           off
  Lifetime:                28800 seconds
Advanced Options
  Automatically ping host: (empty)

Again, save your changes and go back to the VPN -> IPsec menu. Now select the Mobile clients tab and make sure the following values are set:

IKE Extensions
  Enable IPsec Mobile Client Support: Checked
Extended Authentication (Xauth)
  User Authentication Source:    Local Database
  Group Authentication Source:   system
Client Configuration (mode-cfg)
  Virtual Address Pool:   Provide a virtual IP address to clients: Checked
                          Network: 192.168.111.0/24
  Network List:           Provide a list of accessible networks to clients: Unchecked
  Save Xauth Password:    Allow clients to save Xauth passwords: Checked
  DNS Default Domain:     Provide a default domain name to clients: Checked
                          Value: localdomain
  Split DNS:              Provide a list of split DNS domain names to clients: Unchecked
                          Value: (empty)
  DNS Servers:            Provide a DNS server list to clients: Checked
                          Server #1: 8.8.8.8
                          Server #2, #3, #4: (empty)
  WINS Servers:           Provide a WINS server list to clients: Unchecked
                          Server #1, #2: (empty)
  Phase 2 PFS Group:      Provide the Phase 2 PFS group to clients: Unchecked
                          Group: off
  Login Banner:           Provide a login banner to clients: Checked
                          Value: (whatever text you like)

Save your changes. The virtual address pool (192.168.111.0/24 here) must not overlap your LAN or any other network the clients need to reach through the tunnel. Now go to System -> User Manager and select the Groups tab. Add a new group called vpnusers and make sure the group has the privilege User - VPN - IPsec xauth Dialin set. Save it. Then go to the Users tab and create the user which will later be used to connect to your VPN box; make sure the user is a member of the group vpnusers.

Now we need to open the firewall so that VPN connections can reach the box. Go to Firewall -> Rules, select the WAN tab and configure the following rules:

Proto      Source  Port  Destination  Port                 Gateway  Queue  Schedule  Description
IPv4 UDP   *       *     *            500 (ISAKMP)         *        None   (empty)   IPsec
IPv4 UDP   *       *     *            4500 (IPsec NAT-T)   *        None   (empty)   IPsec

These two rules cover IKE and NAT-T-encapsulated ESP, which is what clients behind NAT (nearly all mobile devices) use. A client that is not behind NAT sends plain ESP (IP protocol 50), which these rules do not pass; add a WAN rule for protocol ESP if you expect such clients. Next, select the IPsec tab and add a rule which allows all traffic to go through the VPN connection. Note that this gives connected clients access to everything the firewall can reach, including its own web GUI, so tighten the destination once the setup works:

Proto   Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
IPv4 *  *       *     *            *     *        None   (empty)   Allow all
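Why the pre-shared key matters more than the identifier in the Phase 1 settings above: with aggressive mode and PSK authentication the responder's hash HASH_R is sent unencrypted in the second message, and every other input to it (nonces, DH public values, cookies, the SA payload body and the responder's ID) is visible on the wire as well. The following Python is an added example, not code from the original post or from pfSense. It computes HASH_R as RFC 2409 defines it for pre-shared-key authentication with SHA1 as the hash and runs an offline dictionary check against it. The nonces, DH values, cookies, SA payload body and the responder IP address are constructed placeholders, and `constructed_exchange`, `crack_psk`, `demo` and the wordlist are the example's own.

```python
"""Added example, not code from the original post: why the pre-shared key
in this IKEv1 aggressive-mode / PSK setup must be long and random.

In aggressive mode the responder's authentication hash HASH_R travels in
the clear, and every other input to it is visible on the wire as well
(RFC 2409, section 5.4). Whoever captures one exchange, or simply starts
one using the public group identifier, can test candidate keys offline
until the recomputed HASH_R matches. Every value below is constructed for
the demonstration; nothing is captured traffic and no DH math is done.
"""
import hashlib
import hmac
import os


def prf(key, data):
    """IKEv1 with HASH=SHA1 uses HMAC-SHA1 as the pseudo-random function."""
    return hmac.new(key, data, hashlib.sha1).digest()


def hash_r(psk, ni, nr, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    """Responder authentication hash for pre-shared-key authentication."""
    # SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    skeyid = prf(psk, ni + nr)
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def constructed_exchange(psk):
    """Fabricate the public fields of one aggressive-mode exchange.

    Real g^x values are 1024-bit elements of DH group 2; random bytes of
    that length stand in for them, since only the hash construction matters.
    The responder ID mirrors pfSense's 'My identifier: My IP address':
    ID type 1 (IPV4_ADDR), protocol 17, port 500, then a documentation IP.
    """
    wire = {
        "ni": os.urandom(20), "nr": os.urandom(20),
        "gxi": os.urandom(128), "gxr": os.urandom(128),
        "cky_i": os.urandom(8), "cky_r": os.urandom(8),
        "sai_b": bytes.fromhex("0000000100000001") + os.urandom(32),  # constructed SA body
        "idir_b": bytes.fromhex("011101f4") + bytes([203, 0, 113, 1]),
    }
    return hash_r(psk, **wire), wire


def crack_psk(captured_hash_r, wire, candidates):
    """Offline dictionary check: return the candidate that reproduces
    captured_hash_r from the public fields in `wire`, or None."""
    for cand in candidates:
        if hmac.compare_digest(hash_r(cand.encode(), **wire), captured_hash_r):
            return cand
    return None


def demo():
    """Show a dictionary PSK falling and a random one surviving the same test."""
    wordlist = ["secret", "vpnusers", "password123", "letmein", "qwerty"]
    weak_hash, wire = constructed_exchange(b"password123")
    weak = crack_psk(weak_hash, wire, wordlist)
    # 32 random bytes, hex-encoded: in no wordlist and out of brute-force reach.
    strong_psk = os.urandom(32).hex().encode()
    strong_hash, wire = constructed_exchange(strong_psk)
    strong = crack_psk(strong_hash, wire, wordlist)
    return weak, strong


if __name__ == "__main__":
    weak, strong = demo()
    print("dictionary PSK recovered:", weak)   # password123
    print("random PSK recovered:", strong)     # None
```

Run it with python3: the dictionary key is recovered on the first pass over the wordlist, the random 32-byte key is not. This is why a word or short phrase is not acceptable as the <pre-shared secret> in this setup, and one reason to move to IKEv2 once the clients support it, since IKEv2 does not expose an authentication hash in the clear this way.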

5. Configuring Client Devices

5.1 Configuring Your iPhone

To get your iPhone, iPad or Mac connected, just enter the following parameters in the built-in VPN client:

VPN Type:       IPsec
Description:    <Description>
Server:         <IP/hostname of your VPN endpoint>
Account:        <user>
Password:       <password>
Group:          <identifier>
Shared Secret:  <pre-shared secret>
Proxy:          Off

5.2 Configuring Your Android Device

Name:                  <Description>
Type:                  IPSec Xauth PSK
Server address:        <IP/hostname of your VPN endpoint>
IPSec identifier:      <identifier>
IPSec pre-shared key:  <pre-shared key>

You will be prompted for username and password as soon as you try to connect to your VPN endpoint.

5.3 Configuring Your Windows PC

On Windows, I use the Shrew Soft VPN client. The current version is 2.2.2. The configuration options I use are as follows:

General
  Remote Host
    Host Name or IP Address:   <IP/hostname of your VPN endpoint>
    Port:                      500
    Auto Configuration:        ike config pull
  Local Host
    Adapter Mode:              Use a virtual adapter and assigned address
    Obtain automatically:      Checked
    MTU:                       1380
Client
  Firewall Options
    NAT Traversal:             enable
    NAT Traversal Port:        4500
    Keep-alive packet rate:    15
    IKE Fragmentation:         enable
    Maximum packet size:       540
  Other Options
    Enable Dead Peer Detection:           Checked
    Enable ISAKMP Failure Notifications:  Checked
    Enable Client Login Banner:           Checked
Name Resolution
  DNS
    Enable DNS:                        Checked
    Obtain Automatically:              Checked
    Obtain Automatically (DNS Suffix): Checked
  WINS
    Enable WINS:                       Unchecked
Authentication
  Authentication Method:       Mutual PSK + XAuth
  Local Identity
    Identification Type:       User Fully Qualified Domain Name
    UFQDN String:              <identifier>
  Remote Identity
    Identification Type:       IP Address
    Address String:            (empty)
    Use a discovered remote host address: Checked
  Credentials
    Server Certificate Authority File:  (empty)
    Client Certificate File:            (empty)
    Client Private Key File:            (empty)
    Pre Shared Key:                     <pre-shared key>
Phase 1
  Proposal Parameters
    Exchange Type:             aggressive
    DH exchange group:         2
    Cipher Algorithm:          auto
    Cipher Key Length:         (empty)
    Hash Algorithm:            auto
    Key Life Time limit:       86400 seconds
    Key Life Data limit:       0 Kbytes
  Enable Check Point Compatible Vendor ID: Unchecked
Phase 2
  Proposal Parameters
    Transform Algorithm:       auto
    Transform Key Length:      (empty)
    HMAC algorithm:            auto
    PFS Exchange:              disabled
    Compress Algorithm:        disabled
    Key Life Time limit:       3600 seconds
    Key Life Data limit:       0 Kbytes
Policy
  IPSEC Policy Configuration
    Policy Generation Level:   auto
    Maintain Persistent Security Associations:    Unchecked
    Obtain Topology Automatically or Tunnel All:  Checked
    Remote Network Resource:   (empty)

5.4 Configuring Your Linux PC

I use vpnc as a VPN client on Linux. Mine is a Linux Mint box, but vpnc should also be available on Ubuntu and Debian systems. It is command-line based and works pretty well. Install it using the command

sudo apt-get install vpnc

After that, navigate to /etc/vpnc/ and create a copy of the default.conf configuration file, for example:

cp default.conf my-vpn.conf

Edit the newly created file and fill in the parameters like this:

IPSec gateway <IP/hostname of your VPN endpoint>
IPSec ID <identifier>
IPSec secret <pre-shared secret>
IKE Authmode psk
Xauth username <user>
Xauth password <password>

<identifier> and <pre-shared secret> are the values chosen earlier during the pfSense configuration; <user> and <password> are the values entered for the user in the pfSense User Manager. Since the file holds the secret and the password in clear text, make it readable by root only (chmod 600 /etc/vpnc/my-vpn.conf). To connect using vpnc, just enter the following command:

sudo vpnc /etc/vpnc/my-vpn.conf

If you would like to disconnect later, just enter the following command to restore the previous routing configuration:

sudo vpnc-disconnect
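A check worth running before the connect command, as an added example that is not part of the original post or of vpnc: the configuration file holds the <pre-shared secret> and, if you store it there, the Xauth password in clear text. The Python below parses a vpnc configuration, confirms that the keys needed for this PSK + Xauth setup are present (vpnc prompts interactively for a missing one, which breaks any non-interactive use) and that the file is readable by its owner only. `parse_vpnc_conf`, `check_vpnc_conf`, `demo`, the placeholder endpoint vpn.example.net and the credential values are constructed for the example.

```python
"""Added example, not code from the original post: validate a vpnc
configuration file before handing it to vpnc. The file carries the IPsec
pre-shared secret and, if stored, the Xauth password in clear text, so the
check covers both the keys vpnc needs for this PSK + Xauth setup and the
file mode (owner-only access). The sample config is constructed inline.
"""
import os
import stat
import tempfile

# Keys vpnc needs for the PSK + Xauth setup; vpnc prompts for any that is
# missing, which is fine interactively but not for a scripted connect.
REQUIRED_KEYS = ("IPSec gateway", "IPSec ID", "IPSec secret", "Xauth username")
OPTIONAL_KEYS = ("IKE Authmode", "Xauth password")


def parse_vpnc_conf(text):
    """Return {key: value} for the keys above; blank and '#' lines skipped.

    vpnc keys contain spaces, so each line is matched against the known key
    names rather than split on whitespace."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for key in REQUIRED_KEYS + OPTIONAL_KEYS:
            if line == key or line.startswith(key + " "):
                conf[key] = line[len(key):].strip()
                break
    return conf


def check_vpnc_conf(path):
    """Return a list of problems; an empty list means the file is ready."""
    problems = []
    with open(path) as fh:
        conf = parse_vpnc_conf(fh.read())
    for key in REQUIRED_KEYS:
        if not conf.get(key):
            problems.append(f"{key} not set (vpnc would prompt for it)")
    if conf.get("IKE Authmode", "psk") != "psk":
        problems.append("IKE Authmode must be psk for a PSK + Xauth endpoint")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:03o} lets group/others read the secret; chmod 600")
    return problems


def demo():
    """Write a constructed config to a temp dir; check it loose, then fixed."""
    sample = (
        "IPSec gateway vpn.example.net\n"            # placeholder endpoint
        "IPSec ID vpnusers\n"
        "IPSec secret correct-horse-battery-staple\n"
        "IKE Authmode psk\n"
        "Xauth username alice\n"
        "Xauth password s3cret\n"
    )
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "my-vpn.conf")
        with open(path, "w") as fh:
            fh.write(sample.replace("IPSec ID vpnusers\n", ""))  # ID left out
        os.chmod(path, 0o644)                        # world-readable: bad
        loose = check_vpnc_conf(path)
        with open(path, "w") as fh:
            fh.write(sample)
        os.chmod(path, 0o600)                        # owner only: good
        tight = check_vpnc_conf(path)
    return loose, tight


if __name__ == "__main__":
    loose, tight = demo()
    print("before:", loose)   # missing IPSec ID, mode 644
    print("after:", tight)    # []
```

Point it at /etc/vpnc/my-vpn.conf (as root, since the file should not be readable otherwise) before the first sudo vpnc run; an empty list means the file has what vpnc needs and does not leak the secret to other local users.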

6. Final Thoughts

As always, I cannot claim that this tutorial is perfect. Therefore I am more than happy to hear from you if there is something wrong with it. Contact information is provided on the web site. For now, that's all.

37 thoughts on “How To Configure IPSec VPN on pfSense For Use With iPhone, iPad, Android, Windows and Linux”

  1. Pedro
    I assume you wrote about the development edition, not stable 2.1.5. In 2.1.5 there is no “Mutual PSK + XAuth”; also, “Remote gateway” exists. Can you verify this?
    Anyway, this tutorial is really great, and still, like the rest, we are waiting for L2TP with IPsec in pfSense.
