How to setup IPsec for road warriors in PfSense 2.0.1

Resurrected by Vorkbaard, 2012-06-19

This article describes how to set up IPsec tunneling in PfSense 2.0.1 and how to configure the Shrew Soft VPN Client to connect to it. The client is available for free for Windows, Linux and BSD at shrew.net. You can find PfSense at pfsense.org.

Before we start:

• Make sure your lan is using your PfSense router as its default gateway and that it's working.
• Make sure your client has a functioning internet connection.

In this howto I'll describe how to get IPsec tunneling working. IPsec, tunneling and VPN mean the same in this article.

A lot of information in this howto I gained in the PfSense forum. Thanks to the folks on the forum for providing the information. Go there for help before contacting me.

Layout

On the PfSense router

1. Begin by enabling IPsec.

   Go to VPN > IPsec, tic Enable IPsec and click Save.
   
   



2. Now, to create a phase 1 entry.

   Do not click the [+]-button to create a phase 1 entry. If you do, you will not go the page you need to create a phase 1 for mobile clients but will find a page to create a phase 1 for lan-to-lan-tunneling instead.

   Just go to the Mobile clients tab.
   
   



3. You will get a warning saying Support for IPsec Mobile clients is enabled but a Phase1 definition was not found. Please click Create to define one.

   Click the Create Phase1 button.
   
   You'll be taken to the appropriate page to create a Phase 1 for mobile clients.



4. On the VPN: IPsec: Edit Phase 1: Mobile Client page, enter the following values:

   Key	Value	Remark
   Disabled	not checked
   Interface	WAN
   Description	Mobile Clients	This can be anything, name it something appropriate.
   Authentication method	Mutual PSK
   Negotiation mode	aggressive
   My identifier	My IP address
   Policy Generation	Unique	Might prevent traffic to the lan if set to something else.
   Proposal Checking	Strict
   Encryption algorithm	AES, 256 bits	Choose any, just keep it identical on router and client.
   Hash algorithm	SHA1
   DH key group	2
   Lifetime	3600
   NAT Traversal	Force	Might prevent traffic to the lan if set to something else.
   Dead Peer Detection	not checked

   
   
   Click Save.


5. You will get a warning The IPsec tunnel configuration has been changed. You must apply the changes in order for them to take effect.

   Click Apply changes.
   
   You may ignore the The changes have been applied successfully. notices. The neurotics among us may click the Close button but that's optional.



6. With phase 1 created, we can create a phase 2.

   Click the [+]-button to list the Phase 2 entries under the newly created Phase 1.
   
   



7. Surprise! There aren't any. Let's create one by clicking on the [+]-button.
   
   This will open the VPN: IPsec: Edit Phase 2: Mobile Client page.


8. On the VPN: IPsec: Edit Phase 2: Mobile Client page, enter these values:

   Key	Value	Remark
   Disabled	not checked
   Mode	Tunnel
   Local Network	LAN subnet
   Description	Phase 2 for road warriors	Enter something appropriate.
   Protocol	ESP
   Encryption algorithms	select only 3DES	The best is chosen at handshake time. Others will probably work too. 3DES works for me because I have a mobile application that will work only with this.
   Hash algorithms	Select SHA1 and MD5
   PFS key group	You can't change that here.
   Lifetime	3600
   Automatically ping host	leave empty

   
   
   Click Save.


9. Don't forget to click the Apply changes button.
   
   


10. Tell the client about available services. The more you enter here, the less your clients have to enter manually.

    On the VPN: IPsec page, go to the Mobile clients tab and enter the following values.

    Key	Value	Remark
    IKE Extensions	checked
    User Authentication	system
    Group Authentication	system
    Virtual Address Pool	checked, network: 192.168.79.0/24	Enter a network here that is not in use in your lan and preferably not in your clients' lan either. It can be any subnet, just don't pick a much used one (e.g. don't use 192.168.0.0/24 or 192.168.1.0/24). It will confure the clients.
    Network List	checked
    Save Xauth Password	unchecked	I don't use Xauth. If you do, perhaps you want to check this.
    DNS Default Domain	Check if your clients connect to your Active Directory.	Optional but if you have a domain (I use it for Active Directory) your clients will be able to resolve your servers faster.
    DNS Servers	Check if your clients connect to your Active Directory.	If you have an Active Directory, enter its DNS servers here. If it's a home network, why not use OpenDNS here?
    WINS Servers	Check if you run WINS	Superfluous if you also provide DNS but I'm not here to judge.
    Phase2 PFS Group	checked, group 2	You should probably enter the PFS Group you entered in phase 1.
    Login Banner	Optional	Client software which honours the login banner will present this text to the user upon login. You may need to enter some legal information or so, or a limerick.

    
    
    When you're done, click the Save button. Don't forget to click Apply changes after the page is saved.



11. We're almost done here. We need to create user accounts so someone can actually use the tunnel.

    On the VPN: IPsec page, go to the Pre-shared keys tab. (My screenshots may look a bit different from yours because I have in-use keys edited out here.)

    There are different ways to set up pre-shared keys for users. You can also do it under System > User Manager. However you'd get a lot more options there and those are beyond our current scope.

    Click the [+]-button[ to create a new account.
    
    



12. For identifiers I tend to use e-mail addresses as they are more unique than first or last names. Use anything you like just as long as it is unique to the person using the account. I'd go with e-mail addresses. They don't really need to exist, it's just for identification.

    Get your pre-shared keys here: https://www.grc.com/passwords.htm. Use the string in the middle: 63 random printable ASCII characters.

    CAUTION: if you triple-click in the box with the ASCII chars, all characters PLUS ONE EXTRA LINE BREAK are selected and you'll spend a long time wondering why the IPsec tunnel won't come up. So check if you really copied just the characters.

    
    
    



13. Press Save, wait for the page to load, note that your account is now in the list and press Apply changes.
    
    

The client

1. Download and install Shrew Soft VPN. I'm using version 2.2.0-beta-2. In my experience it's as stable as the stable releases.

   Once you're done, open ipseca.exe. You will be presented with a VPN Access Manager window. (My screenshot capturing program is a bit weird about its window style so the Window title bar is missing in the screenshots.)
   
   



2. Press the big round Add button to set up a tunnel configuration.

   On the General tab, enter your PfSense router's ip address or host name. Leave the rest as it is. I don't know if the default values in new versions of the Shrew Soft VPN client will be different so in case of doubt, stick to the screenshots.
   
   



3. On the Client tab, set NAT Traversal to force-rfc and uncheck 'Enable Dead Peer Detection'. If you get these settings wrong you may end up with an established tunnel that doesn't let any traffic through. This was different with earlier versions of PfSense so if you've upgraded, pay attention to this.
   
   


4. Don't change anything on the Name Resolution tab; these settings are all automatically set by PfSense. You could enter relevant information here but if you followed the router part of this howto, you don't need to.
   
   


5. Go to the Authentication tab. Set Authentication Method to Mutual PSK. Under Local Identity, choose Key Identifier as the Identification Type and enter the user's e-mail address (or whatever you used as identifiers) in the Key ID String field.
   
   Under Remote Identity, set Identification Type to IP Address and check Use a discovered remote host address.
   
   Finally, under Credentials, enter the Pre Shared Key associated with the e-mail address.
   
   


6. Now scroll over to the Phase 1 tab.
   Set the Cipher Algorithm to aes or whatever you entered on the Phase 1 page in PfSense. Cipher Key Length to 256 (or whatever etc.) and Hash Algorithm to sha1. Set the Key Life Time limit to 3600.
   
   


7. Phase 2 tab: set Transform Algorithm to esp-3des, HMAC Algorithm to sha1 and PFS Exchange to group 2.
   
   


8. Nearly there! Go to the Policy tab and set Policy Generation Level to unique.
   
   


9. Click Save and give the newly created configuration an appropriate name.
   
   


10. Double-click the configuration and the tunnel window will pop up. Click Connect to start the tunnel.
    
    


11. Click Disconnect to... disconnect the tunnel.
    
    

Client tweaks

1. In the VPN Access Manager, go to File > Preferences.
   
   


2. For Access Manager and VPN Connect, set Windows Style to Visible in System Tray only and check 'Remember when connection succeeds'. No need to remember the user name since we're not using user names but pre-shared keys.
   
   


3. You can create a shortcut directly to the tunnel: create a shortcut to ipsecc.exe (in c:\program files etc.). Right-click the shortcut and choose Properties. In the Target field, add -a -r "MyTunnel". -a means: start automatically. This starts the connection without the user having to press the Connect button. -r specifies the tunnel name. If you named you tunnel "Work", write "Work" in stead of "MyTunnel".
   
   Now if you doubleclick the shortcut, your tunnel is automatically started.


4. Backup your tunnel profile by selecting it in the VPN Access Manager and going to File > Export. Restoring works by choosing Import.

Troubleshooting

• Check the router and the client settings.
• Check the router and the client settings again.
• In PfSense, go to Status > System Logs and there to the IPsec tab. Hit the Clear log button, have the client try and start the connection and click the IPsec tab again to refresh the page. This is usually very inspiring.
• In PfSense, go to Status > Services and reset the racoon service. This sometimes helps.
• Reboot the client machine.
• Reboot the PfSense machine. Should not be necessary but you never know.
• Use a simple pre-shared key so you can be certain you didn't make a mistake there. When done troubleshooting, use the hard key again!
• If a user calls you and says Shrew Soft VPN wants to know his user name and password, it's almost always because the user has either no internet connection or no dns service. Or they are on a guest network and need to open their browser for identification or something.