Well I am here to show you a mobile IPSec Road Warrior configuration that actually works, and explain all of the problems I had getting it to work and what I did to fix them. I’ll also explain what some of those pesky options actually do and why changing them might or might not be a good idea.
A Working pfSense Road Warrior IPSec Configuration
Let’s start by running through the configuration one step at a time. (This guide is for pfSense 2.3+.) There are five basic steps: enable the Mobile configuration, create the Phase 1 configuration, create the Phase 2 configuration, create and enable users to connect, and finally configure the client machines. We’ll discuss each one in detail.
Step 1: Enable the IPSec VPN Mobile Configuration
The first step in getting our pfSense Road Warrior configuration working is to enable Mobile Client Support for IPSec (which enables IKE extensions).
Under VPN –> IPSec click on Mobile Clients.
On the Enable IPSec Mobile Client Support, under IKE extensions check the box that says “Enable IPsec Mobile Client Support”.
On the Extended Authentication box, under User Authentication select “Local Database”. If you had a remote RADIUS server or another pfSense box that had users on it, you could configure that here. In our example, we’re only going to use the local database. Leave Group Authentication set to “none”.
On the Client Configuration box, under Virtual Address Pool check the box and enter a subnet. This is the subnet of IP addresses pfSense will give to mobile clients that connect to your VPN.
Note: I had trouble when entering a class C (/24) in this box. For some reason traffic would not route. After changing this to something else (in my case I used a /27), traffic started routing. I think this might be a pfSense bug.
Check the box next to Save Xauth Password. This allows client devices to save the password on their device. If you leave this unchecked you’ll be prompted to enter your password each time you connect, which might be fine if you’re looking for higher security but will certainly be annoying for most.
Continuing on in the same box, check the box next to DNS Default Domain, and enter the domain name for your internal network. In my case I use the domain name .home, so I just entered “home” (no dot in front of it). Yours might be home.com, or a real domain name like TheGeekPub.com.
Next check the box next to DNS Servers and enter the IP address of your DNS server. In my case I want to use the IP address of my pfSense box, because I want to pass internal DNS names to my clients in addition to actual domain names on the internet. This will allow client machines connected to my VPN to access my internal servers by name. For example my Plex media server is http://plex.home so you can just enter plex/ in your browser and access my movies when connected to my VPN.
Notice: If you run into trouble with DNS not working for VPN users on pfSense, this is because your DNS resolver or Forwarder interface is set to ALL interfaces. Go to the DNS Resolver or DNS Forwarder configuration (Services –> DNS Forwarder or Services –> DNS Resolver) and make sure that the Interfaces section is set to LAN. DNS should work normally after that.
Step 2: Create the Phase 1 Entry
The next step in our pfSense Road Warrior configuration for IPSec is to create a Phase 1 Entry. You should automatically be prompted to create this after clicking save on the Mobile Client Configuration.
If for some reason you weren’t prompted, no worries, just go to VPN –> IPSec and click on Tunnels, and click on the Add P1 button.
On the General Information box under Description, enter a name for this VPN. This is purely optional, but makes it easier later on to know what a connection is when looking on the status screens (especially if you have multiple VPNs or clients connected). I just named mine “Home VPN”. Leave everything else default.
Under the Phase 1 Proposal (Authentication), change the Authentication Method to “Mutual PSK + Xauth”. Change Negotiation Mode to “Aggressive”. Change Peer Identifier to “Distinguished name” and enter a group name. You’ll need to remember this group name when configuring your clients. Under Pre-Shared Key enter a key. You’ll also need to remember this key when configuring your clients.
Note: If for some reason some of the fields or options do not show up, just scroll to the bottom and click save, then re-open the Phase 1 tunnel again and they should be there this time. This is a known bug in some versions.
Under Phase 1 Proposal (Algorithms) make no changes. The defaults should work fine for all iOS, Android, etc devices.
Under Advanced Options, change NAT Traversal to “Force”. If you don’t change this, clients behind NAT firewalls may have a hard time connecting or not be able to connect at all.
Step 3: Configuring the Phase 2 Entry
Step 3 of our pfSense Road Warrior configuration for IPSec involves creating a Phase 2 Entry. Phase 1 of the configuration defines the tunnels and trades keys. Phase 2 is about building the tunnel for traffic.
Under the General Information box, under Local Network change the type to “Network” and enter the address as “0.0.0.0/0”. This will tell the local clients to send all traffic to you, even traffic bound for the internet. When clients pull down a webpage or file from the internet it will traverse your VPN.
If you only want clients to access your local network and send all other traffic out their own ISP, then you’d just select “LAN Subnet” from the dropdown and leave the address box empty. This might cause issues with DNS, as your clients will poll the VPN DNS first, so if you do this, make sure you set the DNS appropriately back in step 1 (such as google DNS 220.127.116.11, rather than your own pfSense box).
Continuing on under Phase 2 Proposal (SA/Key Exchange), leave everything here to default. It should work just fine.
Under Advanced configuration, also leave this unchanged (empty box).
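As an added illustration (not part of the original guide and not pfSense code), this Python sketch checks the values chosen in Steps 1 and 3: whether the Virtual Address Pool collides with the LAN, whether the Phase 2 Local Network produces a full or split tunnel, and whether the DNS server handed to clients is reached through the tunnel. The function names and all addresses are constructed for the example.

```python
import ipaddress

FULL_TUNNEL = ipaddress.ip_network("0.0.0.0/0")

def via_tunnel(dest, p2_local):
    """True if a client sends traffic for dest into the VPN, i.e. dest lies
    inside the Phase 2 Local Network pushed to mobile clients."""
    return ipaddress.ip_address(dest) in ipaddress.ip_network(p2_local)

def check_roadwarrior(lan, pool, p2_local, dns_servers):
    """Return (level, message) findings for one mobile-client configuration."""
    lan, pool, p2 = (ipaddress.ip_network(n) for n in (lan, pool, p2_local))
    findings = []
    # The pool should be a subnet used nowhere else; overlapping the LAN
    # makes it ambiguous where a given address lives.
    if pool.overlaps(lan):
        findings.append(("error", f"pool {pool} overlaps LAN {lan}"))
    findings.append(("info", f"pool {pool} holds at most {pool.num_addresses} addresses"))
    mode = "full" if p2 == FULL_TUNNEL else "split"
    findings.append(("info", f"{mode} tunnel: clients route {p2} via the VPN"))
    for dns in dns_servers:
        # In a split tunnel, a resolver outside the Phase 2 network is queried
        # over the client's own ISP and typically cannot answer internal names.
        if mode == "split" and not via_tunnel(dns, str(p2)):
            findings.append(("warn", f"DNS {dns} is outside {p2}: internal names will not resolve"))
    return findings

if __name__ == "__main__":
    # Constructed sample values: LAN 192.168.1.0/24, pfSense at 192.168.1.1.
    cases = {
        "full tunnel, pfSense DNS": ("192.168.1.0/24", "10.99.99.0/27", "0.0.0.0/0", ["192.168.1.1"]),
        "split tunnel, public DNS": ("192.168.1.0/24", "10.99.99.0/27", "192.168.1.0/24", ["8.8.8.8"]),
        "pool inside LAN": ("192.168.1.0/24", "192.168.1.128/27", "0.0.0.0/0", ["192.168.1.1"]),
    }
    for name, args in cases.items():
        print(name)
        for level, msg in check_roadwarrior(*args):
            print(f"  [{level}] {msg}")
```
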
Step 4: Create a User and give them Permissions
Step 4 of our pfSense Road Warrior configuration for IPSec is to create a user and give them permissions to connect. It is highly recommended that you do not use your pfSense admin account for this connection, as it would be a huge security risk should the account be compromised later on. Do yourself a favor and create a separate account for VPN access, even if you’re the only one connecting to the VPN.
Go to System –> User Manager and click +Add.
Enter a username under Username, and a password under the Password fields (twice). Don’t change anything under the group settings.
Under Keys, don’t enter anything. We’ve already set our pre-shared key on the tunnel configuration.
Now save the account and then reopen it. You’ll see a new section called Effective Privileges. Click the +Add button.
Under User Privileges, select “User – VPN: IPSec xauth Dialin” and then click Save. That’s it. You’ve created a user that can connect to your VPN tunnel.
Step 5: Configure the Client Computers and Devices
The final step is to configure our client machines to connect to the VPN we just made. I’ll give two examples, iOS and MacOS, but most other clients are just as easy.
Go to Settings –> VPN –> Add VPN Configuration. Select Type as IPSec.
Under Description put something like “Connect to Home”.
Under Server, enter the DNS name (fully qualified FQDN) or the WAN IP address of your pfSense box. Then enter the Account username and password. Leave Use Certificate set to off.
Under Group Name enter the Group Name you used in Step 2 above. In addition, enter the Secret that you entered in Step 2 above. That’s all there is to it. Your iOS client should now be able to connect to the VPN. The example given is the iPhone, but the iPad will be exactly the same settings.
Configuring MacOS for pfSense Road Warrior IPSec
Under Interface select “VPN” and then under VPN Type select “Cisco IPSec”.
Under Service Name enter whatever you want to call this VPN connection. I called mine “Connect to Home”. Then click Create.
On the next screen under Server Address enter the Fully Qualified DNS name or IP address of your pfSense WAN interface. Then enter the same username and password you created earlier. Then click Authentication Settings.
Select Shared Secret and enter the Secret you chose in Step 2 and then enter the Group Name you also chose in Step 2.
TroubleShooting and Final Thoughts
At this point your pfSense Road Warrior VPN should be working like a champ. If it’s not, there are a few things you might need to check.
Firewall Rules and NAT for pfSense IPSec
If you turned off auto generation of firewall rules, then you’re going to need to open ports 500 and 4500 inbound to your WAN IP Address. You can check this under System –> Advanced.
In addition, you might need to change your NAT reflection settings, which can be found in the same location. Change the NAT Reflection mode for port forwards to “Pure NAT”.
One last note. Some ISPs block inbound ports to your home network. Most all block ports 25 and 80. But some of the worst offending ISPs will also block port 500 and 4500 specifically to keep you from VPNing to your home network. If your ISP does this you should dump them as they truly do suck.