How To Configure IPSec VPN on pfSense For Use With iPhone, iPad, Android, Windows and Linux

Info: After performing the pfSense upgrade from version 2.1.5 to 2.2, I am no longer able to connect iPhones to the VPN endpoint. I cannot say what exactly the issue is right now, but as the pfSense people have switched from racoon to strongSwan, there seem to be some significant changes under the hood. I am sorry to say that this guide is no longer applicable to the current version of pfSense. As soon as I find time to investigate this issue, I will post updates here.

Just some side notes: The VPN client in iOS 8 now supports IKEv2, but this feature has not yet been made available in the UI of the VPN client. There is a tool called “Apple Configurator” which can be used to set up a VPN profile which supports IKEv2. pfSense also supports IKEv2 now (since the switch to strongSwan).

If anyone gets this thing working again, I am highly interested. Thank you for letting me know.

1. Introduction

I own a pfSense box myself, which runs on an APU1C4 board from PC Engines. I use it for firewalling and as a VPN endpoint for various client devices such as iPhones, iPads, Android phones and tablets, Windows PCs and Linux boxes. In this article I want to share my experience in turning a pfSense box into a device which acts as an IPsec VPN endpoint.

2. Goals

My main goals were:

  • Mobile devices should be able to connect to my pfSense box and make use of IPsec full tunneling, which means ALL traffic runs through my pfSense box. This is especially useful if you are located outside your country and want to access content which is accessible from domestic IP addresses only.
  • I also want to access my private LAN in order to manage my systems, access my file shares and other resources.

So far, no special goals. Let’s move on.

3. System Environment

3.1 My pfSense Box

My pfSense box is running version 2.1.5-RELEASE (amd64), built on Aug 25 07:44:45 EDT 2014, with FreeBSD 8.3-RELEASE-p16 under the hood. The box is driven by an ALIX APU1C4 Mini-ITX mainboard bought from PC Engines GmbH in Switzerland. The board has some nice hardware specs such as 4 GB of RAM, an AMD G-T40E dual-core processor and gigabit Ethernet network interfaces: the ideal playground to provide VPN connectivity on an embedded device. The only (possible) drawback is that, in my case, the OS runs from an SD card. But it doesn't have to: there are also mSATA SSD modules available which allow you to run your OS from an SSD.

3.2 Clients

I have tested client connectivity using the following devices:

Device                 Model No.          OS Version        VPN Client
Google Nexus 7 Tablet  K009 D80KBC139568  Android 4.4.3     Default
Apple iPhone 5s        A1533              iOS 7.1.2         Default
Apple iPhone 5s        A1457              iOS 7.1.2         Default
Apple iPhone 4         A1332              iOS 7.1.2         Default
Apple iPad Mini        A1432              iOS 7.1.2         Default
Apple iPad 3           A1430              iOS 7.1.2         Default
Apple iPad 2           A1396              iOS 7.1.2         Default
Apple MacBook Pro      A1398              Mac OS X 10.9.4   Default
Lenovo X201            4290-N77           Windows 8         Shrew Soft VPN Client
Lenovo X200            7458-E46           Linux Mint 16     vpnc

Update: I have tested the configuration on an iPad running iOS 8.1.2 as well. Detailed test results will follow soon. Please bear with me.

Please note that I have used the vendor-supplied default VPN clients for all Apple and Android devices; there was nothing to install at all. For Windows, I have used the Shrew Soft VPN client 2.2.2-release, build dated Jul 01 2013. For Linux systems, I have used the vpnc package, a command-line VPN client, version 0.5.3r512.

4. pfSense Configuration

Log in to your pfSense box and select VPN -> IPsec. Go to the Tunnels tab and make sure Enable IPsec is checked. Then add a phase 1 entry and make sure the following values are set:

Section                            Setting                Value
General Information                Disabled               Unchecked
                                   Internet Protocol      IPv4
                                   Interface              WAN
                                   Description            (empty)
Phase 1 proposal (authentication)  Authentication method  Mutual PSK + Xauth
                                   Negotiation mode       aggressive
                                   My identifier          My IP address
                                   Peer identifier        Type: Distinguished name
                                                          Value: <identifier>
                                   Pre-Shared Key         <pre-shared secret>
                                   Policy Generation      Unique
                                   Proposal Checking      Default
                                   Encryption algorithm   AES 256 bits
                                   Hash algorithm         SHA1
                                   DH key group           2 (1024 bit)
                                   Lifetime               86400 seconds
Advanced Options                   NAT Traversal          Enable
                                   Dead Peer Detection    Unchecked

In my case, I have chosen vpnusers as the value for <identifier>, but you can choose whatever you like. Just choose some simple-to-remember name here; once it works, do not forget to choose something stronger. Save your settings and go back to the VPN -> IPsec menu. Now add a phase 2 entry to the already existing phase 1 entry, with the following values set:

Section                             Setting                  Value
General Information                 Disabled                 Unchecked
                                    Mode                     Tunnel IPv4
                                    Local Network            Type: LAN subnet
                                    Description              (empty)
Phase 2 proposal (SA/Key Exchange)  Protocol                 ESP
                                    Encryption algorithms    AES 256 bits
                                    Hash algorithms          SHA1
                                    PFS key group            off
                                    Lifetime                 28800 seconds
Advanced Options                    Automatically ping host  (empty)

Again, save your changes and go back to the VPN -> IPsec menu. Now select the Mobile clients tab and make sure the following values are set:

Section                          Setting                             Value
IKE Extensions                   Enable IPsec Mobile Client Support  Checked
Extended Authentication (Xauth)  User Authentication                 Source: Local Database
                                 Group Authentication                Source: system
Client Configuration (mode-cfg)  Virtual Address Pool                Provide a virtual IP address to clients: Checked
                                                                     Network: 192.168.111.0/24
                                 Network List                        Provide a list of accessible networks to clients: Unchecked
                                 Save Xauth Password                 Allow clients to save Xauth passwords: Checked
                                 DNS Default Domain                  Provide a default domain name to clients: Checked
                                                                     Value: localdomain
                                 Split DNS                           Provide a list of split DNS domain names to clients: Unchecked
                                                                     Value: (empty)
                                 DNS Servers                         Provide a DNS server list to clients: Checked
                                                                     Server #1: 8.8.8.8
                                                                     Server #2: (empty)
                                                                     Server #3: (empty)
                                                                     Server #4: (empty)
                                 WINS Servers                        Provide a WINS server list to clients: Unchecked
                                                                     Server #1: (empty)
                                                                     Server #2: (empty)
                                 Phase 2 PFS Group                   Provide the Phase 2 PFS group to clients: Unchecked
                                                                     Group: off
                                 Login Banner                        Provide a login banner to clients: Checked
                                                                     Value: (whatever text you like)

Save your changes. Now go to System -> User Manager and select the Group tab. Add a new group called vpnusers. Make sure the group has the privilege User – VPN – IPsec xauth Dialin set. Save it. Now go to the Users tab and create a user which will later be used to connect to your VPN box. Make sure the user is a member of the group vpnusers.

Now we need to open the firewall to allow VPN connections to pass through. Go to Firewall -> Rules and select the WAN tab. Configure the following rules:

Proto     Source  Port  Destination  Port                Gateway  Queue  Schedule  Description
IPv4 UDP  *       *     *            500 (ISAKMP)        *        None   (empty)   IPsec
IPv4 UDP  *       *     *            4500 (IPsec NAT-T)  *        None   (empty)   IPsec

Select the IPsec tab and add a rule which allows all traffic to go through the VPN connection:

Proto   Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
IPv4 *  *       *     *            *     *        None   (empty)   Allow all

5. Configuring Client Devices

5.1 Configuring Your iPhone

In order to get your iPhone, iPad or MacBook running, just enter the following parameters:

Parameter      Value
VPN Type       IPsec
Description    <Description>
Server         <IP/hostname of your VPN endpoint>
Account        <user>
Password       <password>
Group          <identifier>
Shared Secret  <pre-shared secret>
Proxy          Off

5.2 Configuring Your Android Device

Parameter             Value
Name                  <Description>
Type                  IPSec Xauth PSK
Server address        <IP/hostname of your VPN endpoint>
IPSec identifier      <identifier>
IPSec pre-shared key  <pre-shared key>

You will be prompted for username and password as soon as you try to connect to your VPN endpoint.

5.3 Configuring Your Windows PC

On Windows, I use the Shrew Soft VPN client. The current version is 2.2.2. The configuration options I use are as follows:

Tab              Section/Tab                 Setting                                      Value
General          Remote Host                 Host Name or IP Address                      <IP/hostname of your VPN endpoint>
                                             Port                                         500
                                             Auto Configuration                           ike config pull
                 Local Host                  Adapter Mode                                 Use a virtual adapter and assigned address
                                             Obtain automatically                         Checked
                                             MTU                                          1380
Client           Firewall Options            NAT Traversal                                enable
                                             NAT Traversal Port                           4500
                                             Keep-alive packet rate                       15
                                             IKE Fragmentation                            enable
                                             Maximum packet size                          540
                 Other Options               Enable Dead Peer Detection                   Checked
                                             Enable ISAKMP Failure Notifications          Checked
                                             Enable Client Login Banner                   Checked
Name Resolution  DNS                         Enable DNS                                   Checked
                                             Obtain Automatically                         Checked
                                             Obtain Automatically (DNS Suffix)            Checked
                 WINS                        Enable WINS                                  Unchecked
Authentication                               Authentication Method                        Mutual PSK + XAuth
                 Local Identity              Identification Type                          User Fully Qualified Domain Name
                                             UFQDN String                                 <identifier>
                 Remote Identity             Identification Type                          IP Address
                                             Address String                               (empty)
                                             Use a discovered remote host address         Checked
                 Credentials                 Server Certificate Authority File            (empty)
                                             Client Certificate File                      (empty)
                                             Client Private Key File                      (empty)
                                             Pre Shared Key                               <pre-shared key>
Phase 1          Proposal Parameters         Exchange Type                                aggressive
                                             DH exchange group                            2
                                             Cipher Algorithm                             auto
                                             Cipher Key Length                            (empty)
                                             Hash Algorithm                               auto
                                             Key Life Time limit                          86400 seconds
                                             Key Life Data limit                          0 Kbytes
                                             Enable Check Point Compatible Vendor ID      Unchecked
Phase 2          Proposal Parameters         Transform Algorithm                          auto
                                             Transform Key Length                         (empty)
                                             HMAC algorithm                               auto
                                             PFS Exchange                                 disabled
                                             Compress Algorithm                           disabled
                                             Key Life Time limit                          3600 seconds
                                             Key Life Data limit                          0 Kbytes
Policy           IPSEC Policy Configuration  Policy Generation Level                      auto
                                             Maintain Persistent Security Associations    Unchecked
                                             Obtain Topology Automatically or Tunnel All  Checked
                                             Remote Network Resource                      (empty)

5.4 Configuring Your Linux PC

I use vpnc as a VPN client on Linux. Mine is a Linux Mint box, but vpnc should also be available on Ubuntu and Debian systems. It is command-line based and works pretty well. Install it using the command:

sudo apt-get install vpnc

After that, navigate to /etc/vpnc/ and create a copy of the default.conf configuration file, for example:

cp default.conf my-vpn.conf

Edit the newly created file and fill in the parameters like this:

IPSec gateway <IP/hostname of your VPN endpoint>
IPSec ID <identifier>
IPSec secret <pre-shared secret>
IKE Authmode psk
Xauth username <user>
Xauth password <password>

<identifier> and <pre-shared secret> are the values chosen earlier during the pfSense configuration. <user> and <password> are the values entered for the user in the pfSense User Manager. To connect using vpnc, just enter the following command:

sudo vpnc /etc/vpnc/my-vpn.conf

If you would like to disconnect later, just enter the following command to restore the previous routing configuration:

sudo vpnc-disconnect
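As an added example (not part of the original article), the shell functions below write a vpnc profile with exactly the keys listed above and check it afterwards. The profile holds the group secret and the Xauth password in clear text, so it is created with mode 0600 and the check refuses a file that is group- or world-readable. The gateway, identifier and credential values in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article.
# write_vpnc_conf OUTFILE GATEWAY IDENTIFIER SECRET USER PASSWORD
# Writes a vpnc profile using the same keys the tutorial lists.
write_vpnc_conf() {
    outfile=$1; gateway=$2; group_id=$3; secret=$4; user=$5; password=$6
    # Refuse to write a half-filled profile: vpnc would prompt or fail later.
    for v in "$gateway" "$group_id" "$secret" "$user" "$password"; do
        [ -n "$v" ] || { echo "write_vpnc_conf: empty parameter" >&2; return 1; }
    done
    # Remove any old copy so a loose existing mode is not inherited, then
    # create the file under umask 077 so it is 0600 before content lands in it.
    rm -f -- "$outfile"
    (
        umask 077
        cat > "$outfile" <<EOF
IPSec gateway $gateway
IPSec ID $group_id
IPSec secret $secret
IKE Authmode psk
Xauth username $user
Xauth password $password
EOF
    )
}

# check_vpnc_conf FILE
# Verifies every key from the tutorial is present, that the auth mode is psk,
# and that the file is readable by its owner only. Prints each problem found
# and returns 1 if there was any.
check_vpnc_conf() {
    file=$1; rc=0
    for key in "IPSec gateway" "IPSec ID" "IPSec secret" "IKE Authmode" \
               "Xauth username" "Xauth password"; do
        grep -q "^$key " "$file" || { echo "missing: $key"; rc=1; }
    done
    grep -q "^IKE Authmode psk$" "$file" || { echo "IKE Authmode is not psk"; rc=1; }
    # GNU stat first (Linux), BSD stat as fallback (macOS/FreeBSD).
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    case $mode in
        600|400) ;;
        *) echo "insecure mode $mode on $file (expected 600)"; rc=1 ;;
    esac
    return $rc
}

# Usage (constructed placeholder values), run as root because /etc/vpnc is root-owned:
# write_vpnc_conf /etc/vpnc/my-vpn.conf vpn.example.net vpnusers 'group-secret' alice 'alice-pw'
# check_vpnc_conf /etc/vpnc/my-vpn.conf && sudo vpnc /etc/vpnc/my-vpn.conf
```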

6. Final Thoughts

As always, I cannot claim that this tutorial is perfect. Therefore I am more than happy to hear from you if there is something wrong with it. Contact information is provided on the web site. But for now, let’s get started.

39 thoughts on “How To Configure IPSec VPN on pfSense For Use With iPhone, iPad, Android, Windows and Linux”

  1. Pedro

    I assume you wrote about the development edition, not stable 2.1.5. In 2.1.5 there is no “Mutual PSK + XAuth”; also “Remote gateway” exists. Can you verify this?
    Anyway, this tutorial is really great, and like the rest we are still waiting for L2TP with IPSec in pfSense.

    1. André

      Hi Pedro,

      I have checked my pfSense box. As mentioned, I currently run version “2.1.5-RELEASE (amd64) built on Mon Aug 25 07:44:45 EDT 2014 FreeBSD 8.3-RELEASE-p16”. This is a regular release version, nothing development here. Also, I have found the “Mutual PSK + XAuth” setting, as mentioned in the tutorial.

      HTH,
      André

  2. John

    Thank you so much for this. I’ve tried several times in the past to get an ipsec “road warrior” setup going on pfSense and Android following many different HOWTOs found online. I could never get a connection. I usually would just end up using openvpn (though openvpn on android has been interesting over the years).

    Today I thought I’d give it a shot again and still couldn’t find a working tutorial until I found this one, written yesterday. It worked.

    One small correction: You show enabling the mobile extensions after creating phase 1 & phase 2. You have to do this first or you won’t get the Mutual PSK + Xauth option when creating phase 1.

  3. Dan

    Can you test with iOS 8.02? I can’t for the life of me get it working following your guide exactly using pfSense 2.1.5.

  4. armand17

    I’ve tried the following configuration to configure my Windows 7 virtual host as a client on my virtual pfSense, but it does not work yet.
    Help me, what could be wrong?

  5. Horst

    Hi,

    that is very nice documentation which everybody interested in pfSense VPN will appreciate.

    One thing: I miss your configuration for the remote gateway in Phase 1 IPsec. I have the pfSense release and a remote gateway is a mandatory configuration value. The same goes for Phase 2, where a remote network is required.

    What are your values?

    regards,
    Horst

  6. armand17

    Thanks for the tutorial, I’ve been practicing this for three days and I did it with some additional configuration, but based on this tutorial. Thanks a lot for the tutorial.

  7. Thomas

    Just a few notes to everyone:

    This guide also works for using Network Manager and the vpnc plugins for it. On Ubuntu 14.04:

    (1) Firstly, install the vpnc plugin for Network Manager. It also installs vpnc.
    sudo apt-get install network-manager-vpnc network-manager-vpnc-gnome

    (2) Create a new VPN connection, using the vpnc option. Give it a name where the window says “VPN connection 1” (or similar). Provide the following under the VPN tab:
    Gateway: IP/Hostname of the IPSec server (in this case, the WAN on the pfSense device)
    Username: Username
    User password: User password
    Group name: Whatever you configured above for the Distinguished Name entry
    Group password: The pre-shared key/passcode you set during configuration in the guide.

    (3) Save the configuration.

    (4) Click the network manager icon, go to VPN Connections, choose the new connection you made.

    (5) It should connect assuming you followed this guide right, and bam, you’re done!

  8. DanielS

    Well written post with all the info needed!

    I had already gotten my phone (Galaxy Note 4) connected (and it works great, add it to the list 🙂 ) but couldn’t find how to get my windows pc connected (I was missing the shrewsoft client and was trying the IKEv2 connection built into windows without luck) and your post gave me all the info I needed to get it connected as well!

    Thanks!

  9. Hans Holt

    I have a Windows Phone Lumia 630 DS.

    It uses only IKEv2 not supported with pfSense.

    Is there a way to get VPN on the Windows Phone?

  10. Chris

    I’m trying to set up with the default Mac VPN client and my pfSense device is unable to find the mobile policy (almost exact copy of your configuration above), any ideas?

    Jan 12 13:37:55 charon: 07[CFG] looking for pre-shared key peer configs matching (IP ADDRESSES HERE)[vpnusers]
    Jan 12 13:37:55 charon: 07[IKE] no peer config found
    Jan 12 13:37:55 charon: 07[IKE] no peer config found
    Jan 12 13:37:55 charon: 07[ENC] generating INFORMATIONAL_V1 request 1103528263 [ N(AUTH_FAILED) ]

  11. Pingback: open VPN and other VPN links on pfSense - elbsolutions.com Project List & Blog

  12. Tony

    On Android, this configuration does not force all traffic over the VPN. While the local network is now available, the default route still travels over the non-vpn’d internet connection.

  13. Pingback: iPhone and normal VPN on pfSense - Lt2p over iPSec - can a mac connect to pfSense? - elbsolutions.com Project List & Blog

  14. harlock_99

    Hi,
    I have updated pfSense to 2.2.2, but I still have an error message on iPad (iOS 8.3) or Android (5.1): “the vpn shared secret key is incorrect”

    Some questions about your steps:
    - in the IPSEC PHASE 1
      - you don’t specify the KEY EXCHANGE VERSION
      - the 2 following settings don’t exist in version 2.2.1 or 2.2.2:
        - Policy Generation: Unique
        - Proposal Checking: Default

  15. Pingback: Configure IPSEC VPN on PfSense | rodez I/0

  16. aallinen

    I was upgrading 2.1 RC1 to 2.2.4 Release.
    I was getting the “VPN Shared Secret is incorrect” error on my iPad 7.1.2.
    I had to add the pre-shared key to VPN – IPSec – Pre-Shared Keys;
    after that I can successfully connect on my iPad again.
    The new version doesn’t care about the Pre-Shared Key setting in VPN – IPSec – Tunnels – Phase 1 – Pre-Shared Key.

  17. Chris

    Problem solved with pfSense 2.2.4 and iOS 8 or iOS 9.
    I unchecked the option “Provide a virtual IP address to clients” in the Mobile Clients tab and the iPhone can now successfully establish a VPN connection.

    Hope that helps

    1. André

      Hi Chris,
      Thank you very much for your comment. That indeed sounds promising. I will hopefully soon be able to try that out and update the tutorial.

      Best regards,
      André

  18. Arn

    Worked perfectly on pfSense 2.2.4 and iPhone 6 running 9.1-beta! Thank you. Had problems but was routing clients to DNS and internet because I didn’t set up the phase 2 entry.

    1. Shane

      Arn, please tell me your configuration because I can’t get my iOS device to route traffic at all through the VPN connection. See my longer post.

  19. Shane

    I am trying this on my pfSense 2.2.5 and iOS 9.02 phone. The only way I can get it to connect is to CHECK “provide virtual IP address” to the iOS client. If I uncheck that I get “negotiation with the vpn server failed”.

    I want to be able to “access” all computers on the LAN once I authenticate and get onto the VPN. If I check VIRTUAL IP, it puts the iOS guest off in some subnet and I can’t access the inside of the LAN.

    Secondly, when I do put it to “checked” for virtual IP and connect, then I go to check my IP address, google shows me my iPhone IP address, not the IP address of my pfSense box.

    How do I configure this so that:
    a) the iOS client can access machines on the LAN
    b) the iOS client can surf the internet through the VPN connection.

    THANKS!

  20. Marco

    I followed your manual and I am using release 2.2.5 of pfSense and it seems to work fine for my Android 4.2.2 phone and the iPad mini with iOS 9.1.

    I did disable and not use the Group identifier on the iPad.

  21. Agaufres

    Hello André!

    I followed your tutorial to set up VPN for Mac and Windows.

    Thanks a lot! It’s working great!

    But I got an issue on Windows 10 with Shrew.

    What should I set up for:
    “Local identity” FQDN?

    You wrote User’s FQDN but I don’t understand what it corresponds to.

    Best regards!

  22. Agaufres

    Hello Andre!!

    All the problems are solved, and the VPN works well from iOS 9.2 !

    I’m running PfSense 2.2.5

    And the right settings are:
    Key Exchange version: V1
    Peer identifier: Distinguished Name

    Don’t hesitate to contact me if you need any assistance. Thanks to you everything works fine.

  23. AndydnA

    Hi Guys,

    this tutorial is great, but it’s incomplete if you want to achieve a true road warrior style VPN.
    As it has been written, it only lets you reach the LAN side / web admin interface of your pfSense box. Nothing more!
    If you want to surf the Internet through the WAN of your box or reach any destination over the tunnel you must add/change the following few steps:

    Phase 2 settings > Local Network
    Choose “Network” and set 0.0.0.0/0 to send everything over VPN.

    Mobile Clients > DNS Servers
    Choose the LAN IP of your pfSense box (if you are running the DNS forwarder) or any public DNS of your choice.

    Firewall > Rules, IPsec tab
    Add rules that match the traffic that should be allowed, or add a rule to pass any protocol/any source/any destination to allow everything.

    That’s all folks! 😉

    AndydnA

  24. rlindenschmidt

    Just followed this with the updates and still cannot get connected to my VPN. Using 2.2.6 and iOS 9.3.1 I continually get this:

    found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode

    I’ve explicitly set that in Phase 1 Proposal as Mutual PSK + Xauth with Aggressive.

    What am I missing???

  25. Pingback: How To Configure Ipsec Windows 7 | Goods News

  26. Pingback: How To Configure Vpn On Macbook | Information

  27. Stefan

    Hi,
    I have a problem reaching my QNAP NAS via IPsec.
    My config is Internet => Fritzbox (exposed host) => pfSense

    I used this tutorial (from André and AndydnA) and everything seems fine. Connection to my pfSense and internet via IPsec tunnel is OK. But I can’t connect to my NAS. Any idea? Which info do you need for some help?

    Thanks… 🙂

  28. markhascole

    I recently bought HMA VPN for my iPhone after a recent article from ReviewsDir; for iPhone, HMA VPN is best and it is easy to configure HMA VPN on an iPhone.
