Info: After upgrading pfSense from version 2.1.5 to 2.2 I am no longer able to connect iPhones to the VPN endpoint. I cannot say yet what exactly the issue is, but since the pfSense people have switched from racoon to strongSwan, there seem to be some significant changes under the hood. I am sorry to say that this guide is no longer applicable to the current version of pfSense. As soon as I find time to investigate the issue, I will post updates here.
Just some side notes: the VPN client in iOS 8 now supports IKEv2, but this feature has not yet been made available in the UI of the VPN client. There is a tool called “Apple Configurator” which can be used to set up a VPN profile that uses IKEv2. pfSense also supports IKEv2 now (since the switch to strongSwan).
If anyone gets this working again, I am highly interested. Thank you for letting me know.
1. Introduction
I own a pfSense box myself which runs on an APU1C4 board from PC Engines. I use it for firewalling and as a VPN endpoint for various client devices such as iPhones, iPads, Android phones and tablets, Windows PCs and Linux boxes. In this article I want to share my experience in turning your pfSense box into a device which acts as an IPsec VPN endpoint.
2. Goals
My main goals were:
- Mobile devices should be able to connect to my pfSense box and use IPsec full tunneling, which means ALL traffic runs through my pfSense box. This is especially useful if you are located outside your country and want to access content which is accessible from domestic IP addresses only.
- I also want to access my private LAN in order to manage my systems and reach my file shares and other resources.
So far, no special goals. Let’s move on.
3. System Environment
3.1 My pfSense Box
My pfSense box runs version 2.1.5-RELEASE (amd64), built on Aug 25 07:44:45 EDT 2014, with FreeBSD 8.3-RELEASE-p16 under the hood. The box is driven by an ALIX APU1C4 Mini-ITX mainboard bought from PC Engines GmbH in Switzerland. The board has some nice hardware specs, such as 4 GB of RAM, an AMD G-T40E dual-core processor and gigabit Ethernet network interfaces: the ideal playground for providing VPN connectivity on an embedded device. The only (possible) drawback is that, in my case, the OS runs from an SD card. But it doesn’t have to: there are also mSATA SSD modules available which let you run the OS from an SSD.
3.2 Clients
I have tested client connectivity using the following devices:
| Device | Model No. | OS Version | VPN Client |
|---|---|---|---|
| Google Nexus 7 Tablet | K009 D80KBC139568 | Android 4.4.3 | Default |
| Apple iPhone 5s | A1533 | iOS 7.1.2 | Default |
| Apple iPhone 5s | A1457 | iOS 7.1.2 | Default |
| Apple iPhone 4 | A1332 | iOS 7.1.2 | Default |
| Apple iPad Mini | A1432 | iOS 7.1.2 | Default |
| Apple iPad 3 | A1430 | iOS 7.1.2 | Default |
| Apple iPad 2 | A1396 | iOS 7.1.2 | Default |
| Apple MacBook Pro | A1398 | MacOS X 10.9.4 | Default |
| Lenovo X201 | 4290-N77 | Windows 8 | Shrew Soft VPN Client |
| Lenovo X200 | 7458-E46 | Linux Mint 16 | vpnc |
Update: I have tested the configuration on an iPad running on iOS 8.1.2 as well. Detailed test results follow soon. Please bear with me.
Please note that I used the vendor-supplied default VPN clients for all Apple and Android devices; there was nothing to install at all. For Windows, I used the Shrew Soft VPN client 2.2.2-release, build dated Jul 01 2013. For Linux systems, I used the vpnc package, a command-line VPN client, version 0.5.3r512.
4. pfSense Configuration
Log in to your pfSense box and select VPN -> IPsec. Go to the Tunnels tab and make sure Enable IPsec is checked. Then add a phase 1 entry and make sure the following values are set:
| Section | Setting | Value |
|---|---|---|
| General Information | Disabled | Unchecked |
| | Internet Protocol | IPv4 |
| | Interface | WAN |
| | Description | (empty) |
| Phase 1 proposal (authentication) | Authentication method | Mutual PSK + Xauth |
| | Negotiation mode | aggressive |
| | My identifier | My IP address |
| | Peer identifier | Type: Distinguished name; Value: <identifier> |
| | Pre-Shared Key | <pre-shared secret> |
| | Policy Generation | Unique |
| | Proposal Checking | Default |
| | Encryption algorithm | AES 256 bits |
| | Hash algorithm | SHA1 |
| | DH key group | 2 (1024 bit) |
| | Lifetime | 86400 seconds |
| Advanced Options | NAT Traversal | Enable |
| | Dead Peer Detection | Unchecked |
In my case, I have chosen vpnusers as the value for <identifier>, but you can choose whatever you like. Just pick an easy-to-remember name here; once it works, do not forget to change it to something stronger. Save your settings and go back to the VPN -> IPsec menu. Now add a phase 2 entry to the phase 1 entry you just created, with the following values set:
| Section | Setting | Value |
|---|---|---|
| General Information | Disabled | Unchecked |
| | Mode | Tunnel IPv4 |
| | Local Network | Type: LAN subnet |
| | Description | (empty) |
| Phase 2 proposal (SA/Key Exchange) | Protocol | ESP |
| | Encryption algorithms | AES 256 bits |
| | Hash algorithms | SHA1 |
| | PFS key group | off |
| | Lifetime | 28800 seconds |
| Advanced Options | Automatically ping host | (empty) |
Again, save your changes and go back to the VPN -> IPsec menu. Now select the Mobile clients tab and make sure the following values are set:
| Section | Setting | Value |
|---|---|---|
| IKE Extensions | Enable IPsec Mobile Client Support | Checked |
| Extended Authentication (Xauth) | User Authentication | Source: Local Database |
| | Group Authentication | Source: system |
| Client Configuration (mode-cfg) | Virtual Address Pool | Provide a virtual IP address to clients: Checked; Network: 192.168.111.0/24 |
| | Network List | Provide a list of accessible networks to clients: Unchecked |
| | Save Xauth Password | Allow clients to save Xauth passwords: Checked |
| | DNS Default Domain | Provide a default domain name to clients: Checked; Value: localdomain |
| | Split DNS | Provide a list of split DNS domain names to clients: Unchecked; Value: (empty) |
| | DNS Servers | Provide a DNS server list to clients: Checked; Server #1: 8.8.8.8; Server #2: (empty); Server #3: (empty); Server #4: (empty) |
| | WINS Servers | Provide a WINS server list to clients: Unchecked; Server #1: (empty); Server #2: (empty) |
| | Phase 2 PFS Group | Provide the Phase 2 PFS group to clients: Unchecked; Group: off |
| | Login Banner | Provide a login banner to clients: Checked; Value: (whatever text you like) |
Save your changes. Now go to System -> User Manager and select the Groups tab. Add a new group called vpnusers and make sure the group has the privilege User – VPN – IPsec xauth Dialin set. Save it. Now go to the Users tab and create the user which will later be used to connect to your VPN box. Make sure the user is a member of the group vpnusers.
Now we need to open the firewall to allow VPN connections to pass through. Go to Firewall -> Rules and select the WAN tab. Configure the following rules:
| Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
|---|---|---|---|---|---|---|---|---|
| IPv4 UDP | * | * | * | 500 (ISAKMP) | * | None | (empty) | IPsec |
| IPv4 UDP | * | * | * | 4500 (IPsec NAT-T) | * | None | (empty) | IPsec |
Select the IPsec tab and add a rule which allows all traffic to go through the VPN connection:
| Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
|---|---|---|---|---|---|---|---|---|
| IPv4 * | * | * | * | * | * | None | (empty) | Allow all |
5. Configuring Client Devices
5.1 Configuring Your iPhone
In order to get your iPhone, iPad or MacBook connected, just enter the following parameters:
| Parameter | Value |
|---|---|
| VPN Type | IPsec |
| Description | <Description> |
| Server | <IP/hostname of your VPN endpoint> |
| Account | <user> |
| Password | <password> |
| Group | <identifier> |
| Shared Secret | <pre-shared secret> |
| Proxy | Off |
5.2 Configuring Your Android Device
| Parameter | Value |
|---|---|
| Name | <Description> |
| Type | IPSec Xauth PSK |
| Server address | <IP/hostname of your VPN endpoint> |
| IPSec identifier | <identifier> |
| IPSec pre-shared key | <pre-shared key> |
You will be prompted for username and password as soon as you try to connect to your VPN endpoint.
5.3 Configuring Your Windows PC
On Windows, I use the Shrew Soft VPN client. The current version is 2.2.2. The configuration options I use are as follows:
| Tab | Section/Tab | Setting | Value |
|---|---|---|---|
| General | Remote Host | Host Name or IP Address | <IP/hostname of your VPN endpoint> |
| | | Port | 500 |
| | | Auto Configuration | ike config pull |
| | Local Host | Adapter Mode | Use a virtual adapter and assigned address |
| | | Obtain automatically | Checked |
| | | MTU | 1380 |
| Client | Firewall Options | NAT Traversal | enable |
| | | NAT Traversal Port | 4500 |
| | | Keep-alive packet rate | 15 |
| | | IKE Fragmentation | enable |
| | | Maximum packet size | 540 |
| | Other Options | Enable Dead Peer Detection | Checked |
| | | Enable ISAKMP Failure Notifications | Checked |
| | | Enable Client Login Banner | Checked |
| Name Resolution | DNS | Enable DNS | Checked |
| | | Obtain Automatically | Checked |
| | | Obtain Automatically (DNS Suffix) | Checked |
| | WINS | Enable WINS | Unchecked |
| Authentication | | Authentication Method | Mutual PSK + XAuth |
| | Local Identity | Identification Type | User Fully Qualified Domain Name |
| | | UFQDN String | <identifier> |
| | Remote Identity | Identification Type | IP Address |
| | | Address String | (empty) |
| | | Use a discovered remote host address | Checked |
| | Credentials | Server Certificate Authority File | (empty) |
| | | Client Certificate File | (empty) |
| | | Client Private Key File | (empty) |
| | | Pre Shared Key | <pre-shared key> |
| Phase 1 | Proposal Parameters | Exchange Type | aggressive |
| | | DH exchange | group 2 |
| | | Cipher Algorithm | auto |
| | | Cipher Key Length | (empty) |
| | | Hash Algorithm | auto |
| | | Key Life Time limit | 86400 seconds |
| | | Key Life Data limit | 0 Kbytes |
| | | Enable Check Point Compatible Vendor ID | Unchecked |
| Phase 2 | Proposal Parameters | Transform Algorithm | auto |
| | | Transform Key Length | (empty) |
| | | HMAC algorithm | auto |
| | | PFS Exchange | disabled |
| | | Compress Algorithm | disabled |
| | | Key Life Time limit | 3600 seconds |
| | | Key Life Data limit | 0 Kbytes |
| Policy | IPSEC Policy Configuration | Policy Generation Level | auto |
| | | Maintain Persistent Security Associations | Unchecked |
| | | Obtain Topology Automatically or Tunnel All | Checked |
| | | Remote Network Resource | (empty) |
5.4 Configuring Your Linux PC
I use vpnc as a VPN client on Linux. Mine is a Linux Mint box, but vpnc should also be available on Ubuntu and Debian systems. It is command-line based and works pretty well. Install it using the command
```
sudo apt-get install vpnc
```
After that, navigate to /etc/vpnc/ and create a copy of the default.conf configuration file, for example:
```
cp default.conf my-vpn.conf
```
Edit the newly created file and fill in the parameters like this:
```
IPSec gateway <IP/hostname of your VPN endpoint>
IPSec ID <identifier>
IPSec secret <pre-shared secret>
IKE Authmode psk
Xauth username <user>
Xauth password <password>
```
<identifier> and <pre-shared secret> are the values chosen earlier during the pfSense configuration; <user> and <password> are the values entered for the user in the pfSense User Manager. To connect using vpnc, just enter the following command:
```
sudo vpnc /etc/vpnc/my-vpn.conf
```
If you would like to disconnect later, just enter the following command to restore the previous routing configuration:
```
sudo vpnc-disconnect
```
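The profile above holds the pre-shared secret and the Xauth password in clear text, so how it is created matters. The following is an added example, not code from the original tutorial or from the vpnc project: a small POSIX shell helper that writes the profile from parameters with owner-only permissions, validates it (every required key present exactly once, auth mode psk, no `<...>` placeholder left in, mode 600) and only then hands it to vpnc. The function names, the demo values and the scratch-directory demo are assumptions made here; the configuration keys are the ones shown in the profile above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of vpnc itself.
# Writes a vpnc profile with owner-only permissions, validates it, and only
# then hands it to vpnc. Function names and demo values are assumptions.

# write_vpnc_conf FILE GATEWAY IDENTIFIER PSK USER PASSWORD
# The profile carries the pre-shared secret and the Xauth password in clear
# text, so it is created under umask 077 and forced to mode 600.
write_vpnc_conf() {
  file=$1 gateway=$2 identifier=$3 psk=$4 user=$5 password=$6
  (
    umask 077
    cat > "$file" <<EOF
IPSec gateway $gateway
IPSec ID $identifier
IPSec secret $psk
IKE Authmode psk
Xauth username $user
Xauth password $password
EOF
  ) || return 1
  chmod 600 "$file"
}

# check_vpnc_conf FILE
# Returns 0 only if each required key appears exactly once, the auth mode is
# psk, no <placeholder> was left in, and the file is not readable by others.
check_vpnc_conf() {
  file=$1
  [ -f "$file" ] || { echo "check: missing $file" >&2; return 1; }
  for key in 'IPSec gateway' 'IPSec ID' 'IPSec secret' 'Xauth username' 'Xauth password'; do
    n=$(grep -c "^$key " "$file" || true)
    [ "$n" -eq 1 ] || { echo "check: key '$key' found $n times" >&2; return 1; }
  done
  grep -q '^IKE Authmode psk$' "$file" || { echo "check: IKE Authmode must be psk" >&2; return 1; }
  if grep -q '<[^>]*>' "$file"; then echo "check: placeholder left in $file" >&2; return 1; fi
  [ -n "$(find "$file" -perm 600)" ] || { echo "check: $file must be mode 600" >&2; return 1; }
}

# vpnc_up FILE / vpnc_down: replacements for the bare commands in the text that
# refuse to start when the profile does not pass check_vpnc_conf.
vpnc_up() { check_vpnc_conf "$1" && sudo vpnc "$1"; }
vpnc_down() { sudo vpnc-disconnect; }

# demo: exercise the helpers on constructed values in a scratch directory
# (no network access, no sudo). Returns 0 when the generated profile passes.
demo() {
  dir=$(mktemp -d) || return 1
  write_vpnc_conf "$dir/my-vpn.conf" vpn.example.net vpnusers 'constructed-psk' alice 'constructed-pw'
  if check_vpnc_conf "$dir/my-vpn.conf"; then rc=0; else rc=1; fi
  rm -rf "$dir"
  return $rc
}
```

Source the file and run `demo` to exercise it against constructed values in a temporary directory; `vpnc_up /etc/vpnc/my-vpn.conf` then replaces the bare `sudo vpnc` call above and refuses to connect with an incomplete or world-readable profile.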
6. Final Thoughts
As always, I cannot claim that this tutorial is perfect. So I am more than happy to hear from you if something in it is wrong. Contact information is provided on the web site. But for now, let’s get started.
I assume you wrote about the development edition, not stable 2.1.5. In 2.1.5 there is no “Mutual PSK + XAuth”, and “Remote gateway” exists. Can you verify this?
Anyway, this tutorial is really great, and like the rest we are still waiting for L2TP with IPSec in pfSense.
Hi Pedro,
I have checked my pfSense box. As mentioned, I currently run version “2.1.5-RELEASE (amd64) built on Mon Aug 25 07:44:45 EDT 2014 FreeBSD 8.3-RELEASE-p16”. This is a regular release version, nothing development here. Also, I have found the “Mutual PSK + XAuth” setting, as mentioned in the tutorial.
HTH,
André
Hi Pedro,
Please check John’s comment below regarding mobile extensions.
Cheers
Thank you so much for this. I’ve tried several times in the past to get an ipsec “road warrior” setup going on pfsense and android following many different HOWTOs found online. I could never get a connection. I usually would just end up using openvpn (though openvpn on android has been interesting over the years).
Today I thought I’d give it a shot again and still couldn’t find a working tutorial until I found this one, written yesterday. It worked.
One small correction: You show enabling the mobile extensions after creating phase 1 & phase 2. You have to do this first or you won’t get the Mutual PSK + Xauth option when creating phase 1.
Can you test with iOS 8.02? I can’t for the life of me get it working following your guide exactly using pfSense 2.1.5.
Hi Dan,
I was able to connect using 8.02.
Regards,
André
I’ve tried the following configuration to configure my Windows 7 virtual host as a client on my virtual pfSense, but it does not work yet.
Help me, what could be wrong?
Hi,
that is very nice documentation which everybody interested in pfSense VPN will appreciate.
One thing. I miss your configuration for remote gateway in Phase 1 IPSec. I have the pfsense release and a remote gateway is a mandatory configuration value. The same is with Phase 2, where a remote network is required.
What are your values?
regards,
Horst
Thanks for the tutorial, I’ve been practicing this for three days and I did it with some additional configuration, but based on this tutorial. Thanks a lot for the tutorial.
Just a few notes to everyone:
This guide also works for using Network Manager and the vpnc plugins for it. On Ubuntu 14.04:
(1) Firstly, install the vpnc plugin for Network Manager. It also installs vpnc.
```
sudo apt-get install network-manager-vpnc network-manager-vpnc-gnome
```
(2) Create a new VPN connection, using the vpnc option. Give it a name where the window says “VPN connection 1” (or similar). Provide the following under the VPN tab:
Gateway: IP/Hostname of the IPSec server (in this case, the WAN on the pfSense device)
Username: Username
User password: User password
Group name: Whatever you configured above for the Distinguished Name entry
Group password: The pre-shared key/passcode you set during configuration in the guide.
(3) Save the configuration.
(4) Click the network manager icon, go to VPN Connections, choose the new connection you made.
(5) It should connect assuming you followed this guide right, and bam, you’re done!
Works, but I am not able to route traffic????
Well written post with all the info needed!
I had already gotten my phone (Galaxy Note 4) connected (and it works great, add it to the list 🙂 ) but couldn’t find how to get my windows pc connected (I was missing the shrewsoft client and was trying the IKEv2 connection built into windows without luck) and your post gave me all the info I needed to get it connected as well!
Thanks!
I have a Windows Phone Lumia 630 DS.
It uses only IKEv2, which is not supported with pfSense.
Is there a way to get VPN on the Windows Phone?
I’m trying to set up with the default Mac VPN client and my pfSense device is unable to find the mobile policy (almost exact copy of your configuration above), any ideas?
```
Jan 12 13:37:55 charon: 07[CFG] looking for pre-shared key peer configs matching (IP ADDRESSES HERE)[vpnusers]
Jan 12 13:37:55 charon: 07[IKE] no peer config found
Jan 12 13:37:55 charon: 07[IKE] no peer config found
Jan 12 13:37:55 charon: 07[ENC] generating INFORMATIONAL_V1 request 1103528263 [ N(AUTH_FAILED) ]
```
On Android, this configuration does not force all traffic over the VPN. While the local network is now available, the default route still travels over the non-vpn’d internet connection.
Hi,
I have updated pfSense to 2.2.2, but I still have an error message on iPad (iOS 8.3) or Android (5.1): “the vpn shared secret key is incorrect”
Some questions about your steps:
- in the IPSEC PHASE 1
  - you don’t specify the KEY EXCHANGE VERSION
  - the 2 following settings don’t exist in version 2.2.1 or 2.2.2:
    - Policy Generation: Unique
    - Proposal Checking: Default
pfSense 2.2.2 changed and Windows not found!!!! Please help
I was upgrading 2.1 RC1 to 2.2.4 Release.
I was getting the “VPN Shared Secret is incorrect” error on my iPad 7.1.2.
I had to add PreShared key to VPN – IPSec – Pre-Shared Keys
After that I can successfully connect on my iPad again.
The new version doesn’t care about the Pre-Shared Key setting in VPN – IPSec – Tunnels – Phase 1 – Pre-Shared Key.
Problem solved with pfSense 2.2.4 and iOS 8 or iOS 9.
I unchecked the option “Provide a virtual IP address to clients” in the Mobile Clients tab and the iPhone can now successfully establish a VPN connection.
Hope that helps
Hi Chris,
Thank you very much for your comment. That indeed sounds promising. I will hopefully soon be able to try that out and update the tutorial.
Best regards,
André
Worked perfectly on pfSense 2.2.4 and iPhone 6 running 9.1-beta! Thank you. Had problems but was routing clients to DNS and internet because I didn’t set up the phase 2 entry.
ARN please tell me your configuration because I can’t get my iOS device to route traffic at all through the VPN connection. See my longer post.
I tested this with pfsense 2.2.4 and it works great with the cisco vpn client
I am trying this on my PFSENSE 2.2.5 and IOS 9.02 phone. The only way I can get it to connect is to CHECK provide virtual IP address to the IOS client. If I uncheck that I get “negotiation with the vpn server failed”.
I want to be able to “access” all computers on the LAN once I authenticate and get onto the VPN. If I check VIRTUAL IP, it puts the IOS guest off in some subnet and I can’t access the inside of the LAN.
Secondly, when I do put it to “checked” for virtual IP and connect, then I go to check my IP address, google shows me my IPHONE IP address, not the IP address of my PFSENSE box.
How do I configure this so that:
a) IOS client can access machines on the LAN
b) IOS client can surf the internet through the VPN connection.
THANKS!
I followed your manual and I am using release 2.2.5 of pfSense and it seems to work fine for my Android 4.2.2 phone and the iPad mini with iOS 9.1.
I did disable and not use the Group identifier on the iPad
Hello André!
I followed your tutorial to set up VPN for Mac and Windows.
Thanks a lot! It’s working great!
But I got an issue on Windows 10 with Shrew.
What should I set up for:
“Local identity” FQDN?
You wrote User’s FQDN but I don’t understand what it corresponds to.
Best regards!
Hello Andre!!
All the problems are solved, and the VPN works well from iOS 9.2 !
I’m running PfSense 2.2.5
And the right settings are
Key Exchange version: V1
Peer identifier: Distinguished Name
Don’t hesitate to contact me if you need any assistance. Thanks to you everything works fine.
The reason the VPN broke on iOS was a problem with Racoon. They dropped it in 2.2.1 for another system.
Hi Guys,
this tutorial is great, but it’s incomplete if you want to achieve a true road-warrior-style VPN.
As written, it only permits you to reach the LAN side/web admin interface of your pfSense box. Nothing more!
If you want to surf the Internet through the WAN of your box or reach any destination over the tunnel, you must add/change the following few steps:
Phase 2 settings > Local Network
Choose “Network” and set 0.0.0.0/0 to send everything over the VPN.
Mobile Clients > DNS Servers
Choose the LAN IP of your pfSense box (if you are running the DNS forwarder) or any public DNS of your choice.
Firewall > Rules, IPsec tab
Add rules that match the traffic that should be allowed, or add a rule to pass any protocol/any source/any destination to allow everything.
That’s all folks! 😉
AndydnA
Cisco VPN client works great because I have tried this with pfSense 2.2.4 and found it very much better, especially for iPad VPN.
Just followed this with the updates and still cannot get connected to my VPN. Using 2.2.6 and iOS 9.3.1 I continually get this:
```
found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
```
I’ve explicitly set that in Phase 1 Proposal as Mutual PSK + Xauth with Aggressive.
What am I missing???
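Two comments above quote charon (strongSwan) log lines for failed IKEv1 mobile-client negotiations: `no peer config found` followed by an `AUTH_FAILED` notification, and `found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode`. As an added example (not from the post or from the strongSwan project), the following POSIX shell and awk snippet triages such a log: it ties each failure to the peer addresses and identifier from the `looking for pre-shared key peer configs matching ...` line on the same charon thread, reports each failed attempt once even when charon repeats the message, and summarises failures by reason. The sample log is constructed for the demo (peer addresses from documentation ranges, a made-up successful Xauth line); the two failure messages are the ones quoted in the comments.

```shell
#!/bin/sh
# Added example, not from the post or from strongSwan: triage charon log lines
# for failed IKEv1 mobile-client negotiations. POSIX sh + awk only.

# sample_log: constructed input. The two failure messages are the ones quoted
# in the comments; peer addresses (documentation ranges) and the successful
# Xauth line are made up for the demo.
sample_log() {
cat <<'EOF'
Jan 12 13:37:55 charon: 07[CFG] looking for pre-shared key peer configs matching 203.0.113.1...198.51.100.20[vpnusers]
Jan 12 13:37:55 charon: 07[IKE] no peer config found
Jan 12 13:37:55 charon: 07[IKE] no peer config found
Jan 12 13:37:55 charon: 07[ENC] generating INFORMATIONAL_V1 request 1103528263 [ N(AUTH_FAILED) ]
Jan 12 13:38:10 charon: 08[CFG] looking for pre-shared key peer configs matching 203.0.113.1...198.51.100.21[vpnusers]
Jan 12 13:38:10 charon: 08[CFG] found 1 matching config, but none allows XAuthInitPSK authentication using Aggressive Mode
Jan 12 13:40:02 charon: 09[CFG] looking for pre-shared key peer configs matching 203.0.113.1...198.51.100.22[vpnusers]
Jan 12 13:40:03 charon: 09[IKE] XAuth authentication of 'alice' successful
EOF
}

# ike_failure_report < log
# Prints one line per failed attempt: "<peers>[<identifier>] <reason>".
# The charon thread id ("07" in "07[IKE]") links the "looking for ..." line,
# which carries the peer addresses and identifier, to the failure that follows
# on the same thread. Repeated messages for one attempt are reported once; the
# AUTH_FAILED notification belongs to the same failure and is not counted again.
ike_failure_report() {
  awk '
    match($0, /charon: [0-9]+\[/) { tid = substr($0, RSTART + 8, RLENGTH - 9) }
    /looking for pre-shared key peer configs matching / {
      sub(/.*matching /, ""); peer[tid] = $0; reported[tid] = 0; next
    }
    /no peer config found/              { reason = "no-peer-config" }
    /but none allows .* authentication/ { reason = "proposal-mismatch" }
    reason != "" && !reported[tid] {
      who = (tid in peer) ? peer[tid] : "unknown-peer"
      print who " " reason
      reported[tid] = 1
    }
    { reason = "" }
  '
}

# count_ike_failures < log: number of failed attempts.
count_ike_failures() { ike_failure_report | wc -l | tr -d ' \t'; }

# ike_failure_summary < log: failures per reason, e.g. "no-peer-config 1".
ike_failure_summary() {
  ike_failure_report | awk '{ n[$2]++ } END { for (r in n) print r, n[r] }' | sort
}
```

Feed it a real log with `ike_failure_report < /var/log/ipsec.log` (path is an assumption; use wherever your pfSense version writes charon output). A `no-peer-config` result means the identifier in the brackets matched no phase 1 entry at all, while `proposal-mismatch` means the entry exists but its authentication method or negotiation mode differs from what the client offered, which is exactly the distinction between the two comments above.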
Hello,
how does it work behind a FritzBox?
hi,
I have a problem reaching my QNAP NAS via IPsec.
My config is Internet => FritzBox (exposed host) => pfSense
I used this tutorial (from André and Andydna) and everything seems fine. Connection to my pfSense and the internet via the IPsec tunnel is ok. But I can’t connect to my NAS. Any idea? Which info do you need to help?
Thanks… 🙂
I recently bought HMA VPN for my iPhone after a recent article by ReviewsDir; for iPhone HMA VPN is best and it’s easy to configure HMA VPN on an iPhone.
Good tutorial, appreciate it. Able to get Android and iOS to connect no problem, can navigate to the remote IPs in the network. Using W7, and Shrew Soft VPN 2.2.2 I can get connected, but not able to get anywhere. Not sure what’s missing here. Might try a different client. Any ideas would be most welcome!
I had success using 3DES in phase 2 in pfSense and Shrew. Also setting NAT Traversal to force-rfc and the policy level to unique in Shrew.