This article describes how to set up IPsec tunneling in pfSense 2.0.1 with a pre-shared key instead of xauth, and how to configure the Shrew Soft VPN Client to connect to it. The client is available for free for Windows, Linux and BSD at shrew.net.
For information on using xauth and connecting mobile devices like Android phones or iPhones, see the Mobile_IPsec_on_2.0 article.
Note: in this article I advise using SHA1 and 3DES. I would now recommend SHA256 and AES256.
Before we start:
- Make sure your LAN is using your pfSense router as its default gateway and that it’s working.
- Make sure your client has a functioning internet connection.
If either condition is not met, your tunnel will not work. In this howto I’ll describe how to get IPsec tunneling working. IPsec, tunneling and VPN mean the same thing in this article.
A lot of information in this howto I gained in the PfSense forum. Thanks to the folks on the forum for providing the information.
On your pfSense router
Begin by enabling IPsec.
Go to VPN > IPsec, tick Enable IPsec and click Save.
Now, to create a phase 1 entry.
Do not click the [+]-button to create a phase 1 entry. If you do, you will not go to the page you need to create a phase 1 for mobile clients, but to the page for creating a phase 1 for LAN-to-LAN tunneling instead.
Just go to the Mobile clients tab.
You will get a warning saying Support for IPsec Mobile clients is enabled but a Phase1 definition was not found. Please click Create to define one.
Click the Create Phase1 button.
You’ll be taken to the appropriate page to create a Phase 1 for mobile clients.
On the VPN: IPsec: Edit Phase 1: Mobile Client page, enter the following values:
| Setting | Value | Notes |
|---|---|---|
| Description | Mobile Clients | This can be anything; name it something appropriate. |
| Authentication method | Mutual PSK | |
| My identifier | My IP address | |
| Policy Generation | Unique | Might prevent traffic to the LAN if set to something else. |
| Encryption algorithm | AES, 256 bits | Choose any, just keep it identical on router and client. |
| DH key group | 2 | |
| NAT Traversal | Force | Might prevent traffic to the LAN if set to something else. |
| Dead Peer Detection | not checked | |
You will get a warning The IPsec tunnel configuration has been changed. You must apply the changes in order for them to take effect.
Click Apply changes.
You may ignore the The changes have been applied successfully. notices. The neurotics among us may click the Close button, but that’s optional.
With phase 1 created, we can create a phase 2.
Click the [+]-button to list the Phase 2 entries under the newly created Phase 1.
Surprise! There aren’t any. Let’s create one by clicking the [+]-button.
This will open the VPN: IPsec: Edit Phase 2: Mobile Client page.
On the VPN: IPsec: Edit Phase 2: Mobile Client page, enter these values:
| Setting | Value | Notes |
|---|---|---|
| Local Network | LAN subnet | |
| Description | Phase 2 for road warriors | Enter something appropriate. |
| Encryption algorithms | select only 3DES | The best is chosen at handshake time. Others will probably work too. 3DES works for me because I have a mobile application that will work only with this. |
| Hash algorithms | Select SHA1 and MD5 | |
| PFS key group | n/a | You can’t change it here; for mobile clients it is set on the Mobile clients tab (see below). |
| Automatically ping host | leave empty | |
Don’t forget to click the Apply changes button.
Tell the client about available services. The more you enter here, the less your clients have to enter manually.
On the VPN: IPsec page, go to the Mobile clients tab and enter the following values.
| Setting | Value | Notes |
|---|---|---|
| Virtual Address Pool | checked, network: 192.168.79.0/24 | Enter a network here that is not in use in your LAN and preferably not in your clients’ LAN either. It can be any subnet, just don’t pick a commonly used one (e.g. don’t use 192.168.0.0/24 or 192.168.1.0/24). It will confuse the clients. |
| Save Xauth Password | unchecked | I don’t use Xauth. If you do, perhaps you want to check this. |
| DNS Default Domain | Check if your clients connect to your Active Directory. | Optional, but if you have a domain (I use it for Active Directory) your clients will be able to resolve your servers faster. |
| DNS Servers | Check if your clients connect to your Active Directory. | If you have an Active Directory, enter its DNS servers here. If it’s a home network, why not use OpenDNS here? |
| WINS Servers | Check if you run WINS | Superfluous if you also provide DNS, but I’m not here to judge. |
| Phase2 PFS Group | checked, group 2 | You should probably enter the DH key group you chose in phase 1 (group 2 above). |
| Login Banner | Optional | Client software which honours the login banner will present this text to the user upon login. You may need to enter some legal information or so, or a limerick. |
When you’re done, click the Save button. Don’t forget to click Apply changes after the page is saved.
We’re almost done here. We need to create user accounts so someone can actually use the tunnel.
On the VPN: IPsec page, go to the Pre-shared keys tab. (My screenshots may look a bit different from yours because I have in-use keys edited out here.)
There are different ways to set up pre-shared keys for users. You can also do it under System > User Manager. However, you get a lot more options there, and those are beyond the scope of this howto.
Click the [+]-button to create a new account.
For identifiers I tend to use e-mail addresses, as they are far less likely to collide than first or last names. Use anything you like, just as long as it is unique to the person using the account. I’d go with e-mail addresses. They don’t really need to exist; they’re just for identification.
Get your pre-shared keys here: https://www.grc.com/passwords.htm. Use the string in the middle: 63 random printable ASCII characters.
CAUTION: if you triple-click in the box with the ASCII chars, all characters PLUS ONE EXTRA LINE BREAK are selected and you’ll spend a long time wondering why the IPsec tunnel won’t come up. So check if you really copied just the characters.
Press Save, wait for the page to load, note that your account is now in the list and press Apply changes.
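Before pasting a key into pfSense and the client, it is worth checking it for exactly the trap described above. The following is an added example, not part of the original article: it generates a 63-character printable-ASCII key locally with Python’s secrets module (an offline alternative to the grc.com page, producing the same kind of string) and checks a pasted key for a stray line break, surrounding whitespace, non-ASCII characters and wrong length.

```python
import secrets
import string

# Added example, not from the original article. A key of 63 printable ASCII
# characters is what the grc.com page hands out; generating one locally with
# the secrets module is an offline alternative that yields the same shape.
PSK_LENGTH = 63
# Printable ASCII without the space character: a leading or trailing space is
# easy to lose when copying and pasting between router and client.
PSK_ALPHABET = "".join(c for c in string.printable if c.isprintable() and c != " ")


def generate_psk(length: int = PSK_LENGTH) -> str:
    """Return a random pre-shared key built from PSK_ALPHABET."""
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def check_psk(psk: str, expected_length: int = PSK_LENGTH) -> list:
    """Return a list of problems with a pasted key; an empty list means it looks fine.

    Catches the triple-click trap: a trailing line break copied along with
    the key makes the router's and the client's keys silently differ.
    """
    problems = []
    if psk != psk.strip():
        problems.append("leading/trailing whitespace or line break present "
                        "(the triple-click trap)")
    core = psk.strip()
    # Anything outside printable ASCII (space .. tilde) will not survive a paste reliably.
    odd = sorted({c for c in core if not (32 <= ord(c) <= 126)})
    if odd:
        problems.append(f"non-ASCII or non-printable characters: {odd!r}")
    if len(psk) != expected_length:
        problems.append(f"length is {len(psk)}, expected {expected_length}")
    return problems


if __name__ == "__main__":
    key = generate_psk()
    print(key, check_psk(key))            # fresh key: no problems
    print(check_psk(key + "\n"))          # what a triple-click paste looks like
```

Run `check_psk` on both the router-side and the client-side copy of the key; if either returns a non-empty list, that copy is the one to fix.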
Congratulations, you’re done configuring your router. In the olden days you needed to configure your firewall to allow IPsec tunneling. In version 2.0.1 that’s no longer necessary.
This part is done on the user’s computer. My screenshots were taken in Windows but Shrew Soft VPN is available for Linux and BSD (so probably Mac) too.
Download and install Shrew Soft VPN. I’m using version 2.2.0-beta-2. In my experience it’s as stable as the stable releases.
Once you’re done, open ipseca.exe. You will be presented with a VPN Access Manager window. (My screenshot capturing program is a bit weird about its window style so the Window title bar is missing in the screenshots.)
Press the big round Add button to set up a tunnel configuration.
On the General tab, enter your pfSense router’s IP address or host name. Leave the rest as it is. I don’t know whether the default values in newer versions of the Shrew Soft VPN client will be different, so in case of doubt, stick to the screenshots.
On the Client tab, set NAT Traversal to force-rfc and uncheck ‘Enable Dead Peer Detection’. If you get these settings wrong you may end up with an established tunnel that doesn’t let any traffic through. This was different with earlier versions of PfSense so if you’ve upgraded, pay attention to this.
Don’t change anything on the Name Resolution tab; these settings are all automatically set by PfSense. You could enter relevant information here but if you followed the router part of this howto, you don’t need to.
Go to the Authentication tab. Set Authentication Method to Mutual PSK. Under Local Identity, choose Key Identifier as the Identification Type and enter the user’s e-mail address (or whatever you used as identifiers) in the Key ID String field.
Under Remote Identity, set Identification Type to IP Address and check Use a discovered remote host address.
Finally, under Credentials, enter the Pre Shared Key associated with the e-mail address.
Now scroll over to the Phase 1 tab. Set the Cipher Algorithm to aes (or whatever you chose on the Phase 1 page in pfSense), the Cipher Key Length to 256 (again, whatever you chose in pfSense) and the Hash Algorithm to sha1. Set the Key Life Time limit to 3600.
Phase 2 tab: set Transform Algorithm to esp-3des, HMAC Algorithm to sha1 and PFS Exchange to group 2.
Nearly there! Go to the Policy tab and set Policy Generation Level to unique.
Click Save and give the newly created configuration an appropriate name.
Double-click the configuration and the tunnel window will pop up. Click Connect to start the tunnel.
Click Disconnect to… disconnect the tunnel.
That’s it! You now have a working IPsec tunneling system.
Personally I like to tweak it a little bit so the windows hide themselves nicely in the system tray. This is optional but I find it improves the user experience.
In the VPN Access Manager, go to File > Preferences.
For Access Manager and VPN Connect, set Windows Style to Visible in System Tray only and check Remember when connection succeeds. No need to remember the user name since we’re not using user names but pre-shared keys.
You can create a shortcut directly to the tunnel: create a shortcut to ipsecc.exe (in c:\program files etc.). Right-click the shortcut and choose Properties. In the Target field, add -a -r "MyTunnel". -a means: start automatically; this starts the connection without the user having to press the Connect button. -r specifies the tunnel name. If you named your tunnel "Work", write "Work" instead of "MyTunnel".
Now if you double-click the shortcut, your tunnel is started automatically.
Back up your tunnel profile by selecting it in the VPN Access Manager and going to File > Export. Restoring works by choosing Import.
I’ve been using PfSense in combination with Shrew Soft VPN for a long time and in my experience it is a very stable combination. However things can always go wrong. If it doesn’t work, here are some hints to help you troubleshoot.
- Check the router and the client settings.
- Check the router and the client settings again.
- In PfSense, go to Status > System Logs and there to the IPsec tab. Hit the Clear log button, have the client try and start the connection and click the IPsec tab again to refresh the page. This is usually very inspiring.
- In PfSense, go to Status > Services and reset the racoon service. This sometimes helps.
- Reboot the client machine.
- Reboot the PfSense machine. Should not be necessary but you never know.
- Use a simple pre-shared key so you can be certain you didn’t make a mistake there. When done troubleshooting, use the hard key again!
- If a user calls you and says Shrew Soft VPN wants to know his user name and password, it’s almost always because the user has either no internet connection or no DNS service. Or they are on a guest network and need to open their browser for identification or something.
- Roy Blüthgen wrote in to say: I am running a pfSense 2.0.2 installation and followed your guide to set up IPsec server/client. Afterwards when testing I was running into this issue: http://redmine.pfsense.org/issues/1351. I tried the pfSense config suggested in note 30 (by Jim) and that fixed my problem: System >> Advanced >> Miscellaneous >> IP Security: disable/uncheck “Prefer older IPsec SAs” (added this info as note 35 for issue 1351)
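The IPsec log from Status > System Logs is the most useful of these hints, so here is an added example, not part of the original article, that runs a few rules over racoon-style log lines and maps each recurring message back to the setting on this page to re-check. The log lines and the addresses in them are constructed for the example (documentation IP ranges), and the rule set is mine, not something pfSense or Shrew Soft ship.

```python
import re

# Added example, not from the original article. The sample log is constructed
# in the style of racoon (pfSense 2.0.x's IPsec daemon) using documentation IP
# ranges; the rules map recurring messages back to the settings on this page.
SAMPLE_IPSEC_LOG = """\
Jan  5 10:01:02 racoon: INFO: respond new phase 1 negotiation: 203.0.113.10[500]<=>198.51.100.7[500]
Jan  5 10:01:02 racoon: ERROR: couldn't find the pskey for 198.51.100.7.
Jan  5 10:01:02 racoon: ERROR: phase1 negotiation failed.
Jan  5 10:03:15 racoon: ERROR: no suitable proposal found.
Jan  5 10:05:40 racoon: ERROR: failed to get sainfo.
Jan  5 10:07:01 racoon: ERROR: phase1 negotiation failed due to time up. 203.0.113.10[500]<=>198.51.100.7[500]
Jan  5 10:09:22 racoon: INFO: ISAKMP-SA established 203.0.113.10[4500]-198.51.100.7[4500]
"""

# (regex, short category, what to re-check from the howto). First match wins.
TRIAGE_RULES = [
    (r"couldn't find the pskey", "psk",
     "identifier or key mismatch: compare the Pre-shared keys tab with the client's "
     "Key ID String and Pre Shared Key (remember the triple-click caution)"),
    (r"no suitable proposal found", "phase1-proposal",
     "phase 1 mismatch: encryption algorithm, key length, hash, DH group or key "
     "lifetime differ between the pfSense Phase 1 page and the client's Phase 1 tab"),
    (r"failed to get sainfo", "phase2-sainfo",
     "phase 2 mismatch: transform (esp-3des), HMAC (sha1) or PFS group differ, or "
     "the client asks for a network the Phase 2 Local Network does not cover"),
    (r"phase1 negotiation failed due to time up", "timeout",
     "no usable answer from the peer: client Internet/DNS, or NAT Traversal not set "
     "to Force on the router and force-rfc on the client"),
    (r"ISAKMP-SA established", "phase1-ok",
     "phase 1 succeeded: if no traffic flows, check Policy Generation 'unique' and "
     "that Dead Peer Detection is off on both sides"),
]


def triage_ipsec_log(log_text: str) -> list:
    """Return (line_no, line, category, hint) for each log line matching a rule."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for pattern, category, hint in TRIAGE_RULES:
            if re.search(pattern, line):
                findings.append((line_no, line, category, hint))
                break
    return findings


if __name__ == "__main__":
    for line_no, _, category, hint in triage_ipsec_log(SAMPLE_IPSEC_LOG):
        print(f"line {line_no}: [{category}] {hint}")
```

Paste the contents of the IPsec log tab into `SAMPLE_IPSEC_LOG` (or read it from a file) after clearing the log and letting the client try once, so the findings relate to a single connection attempt.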
This article is also published on http://doc.pfsense.org/index.php/IPsec_for_road_warriors_in_PfSense_2.0.1_with_PSK_in_stead_of_xauth.