This page covers pfSense 1.2.3. For 2.x, see Mobile IPsec on 2.0.
Getting a "Road Warrior"/mobile IPsec client up and running can be a little tricky, but the important part is to make sure the settings match up on both the server and the client. You can adjust the values in this howto to your liking, as long as you make identical changes on pfSense and in the client software.
In the WebGUI, go to:
VPN > IPsec, Tunnels
VPN > IPsec, Mobile Clients
Fill in the settings as follows:
Phase 1:
Negotiation Mode: Aggressive
Server Identifier: My IP Address
Encryption Algorithm: 3DES
Hash Algorithm: SHA1
DH Key Group: 2
Lifetime: 86400
Authentication Method: Pre-Shared Key

Phase 2:
Protocol: ESP
Encryption Algorithms: 3DES, Blowfish, CAST128, Rijndael (AES)
Hash Algorithms: SHA1, MD5
PFS Key Group: Off
Lifetime: 3600

Aggressive mode is used here because a mobile client's address is not known in advance, so racoon has to see the client's identifier in the first message before it can select the matching pre-shared key. The cost is that the first exchange carries a hash derived from that key, so anyone who captures it can try guesses against it offline. That is why the pre-shared key in the next step should be long and random. MD5 is listed in the Phase 2 hash algorithms only for compatibility; it can be removed if every client is configured for SHA1.
VPN > IPsec, Pre-shared Keys
Identifier: an e-mail address, such as vpnuser1@example.com
Pre-shared Key: a random password (the longer the better)
You may want to visit the Status > Services page to ensure that the IPsec (racoon) service is running before testing the client.
For a mobile IPsec client, I use the Shrew Soft VPN Client. Others may work with similar settings, but I have used this configuration on several client workstations with success.
Install the Shrew Soft client and configure a new connection as follows:
Shrew Soft Client Config:
General Tab:
Host: <pfSense box WAN IP>
Port: 500
Auto: Disabled
Adapter: Use virtual adapter and assigned address
Address: an address in some other range you are not using, such as 192.168.111.xx
Netmask: 255.255.255.0
The client address range should be a subnet that is not in use on any current interface. It cannot overlap any existing network that pfSense can reach directly. Using a fixed, dedicated range keeps client IP addresses consistent no matter where users are working from, and it makes firewall rules easier to maintain. You could instead set the Adapter setting to "Use an existing adapter and current address" and leave the IP address blank; this passes through the IP address currently assigned to the system running the client. Be aware, however, that if these road warriors connect from various places (hotels, airports, etc.) the remote network might use the same address range as your own, in which case traffic for that range is delivered locally and never enters the tunnel.
Client Tab:
Leave at defaults
Name Resolution Tab:
Uncheck Enable WINS
Uncheck Enable DNS
Authentication Tab:
Authentication Method: Mutual PSK
Local Identity:
  Identification Type: Key Identifier
  Key ID String: the e-mail address used as the identifier on pfSense
Remote Identity:
  Identification Type: IP Address
  [X] Use a discovered remote host address
Credentials:
  Pre Shared Key: the PSK configured on pfSense for this e-mail address
Phase 1:
Exchange Type: aggressive
DH Exchange: Group 2
Cipher Algorithm: 3DES
Hash Algorithm: SHA1
Key Life Time: 86400
Phase 2:
Transform Algorithm: esp-3des
HMAC Algorithm: SHA1
PFS Exchange: Disabled
Compress Algorithm: disabled
Key Life Time: 3600
Policy:
UNCHECK Obtain Topology Automatically
Click Add
Type: Include
Address: the network behind pfSense you want to access, e.g. 192.168.1.0
Netmask: 255.255.255.0 (or the appropriate netmask for that network)
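The whole point of the two halves above (the pfSense Mobile Clients and Pre-shared Keys settings, and the Shrew Soft connection) is that they agree, and that the client's virtual address range stays clear of everything behind pfSense. The following Python script is an added example, not part of this howto and not code from pfSense, racoon or Shrew Soft. It records both sides as constructed sample data under field names of its own choosing, normalises the two GUIs' spellings of the same setting (3DES versus esp-3des, Group 2 versus 2, Off versus Disabled) and reports every mismatch, including the subnet overlap and the short-PSK problem discussed above; the 20-character PSK threshold is this example's own choice.

```python
"""Cross-check pfSense 1.2.3 mobile IPsec settings against a Shrew Soft
profile before trying to connect.

Added example, not code from pfSense, racoon or Shrew Soft. The two
dictionaries are constructed sample data mirroring this howto; their key
names (phase1, cipher, reachable, ...) are this example's own."""
import ipaddress

# Constructed: a long random pre-shared key shared by both sides.
SAMPLE_PSK = "q7Vx2mLp9ZsT4wHb8NcR3yKd6FgJ1aEu"

PFSENSE = {  # VPN > IPsec, Mobile Clients and Pre-shared Keys tabs
    "phase1": {"mode": "Aggressive", "cipher": "3DES", "hash": "SHA1",
               "dh_group": "2", "lifetime": 86400},
    "phase2": {"ciphers": ["3DES", "Blowfish", "CAST128", "Rijndael (AES)"],
               "hashes": ["SHA1", "MD5"], "pfs_group": "Off", "lifetime": 3600},
    "psk": {"vpnuser1@example.com": SAMPLE_PSK},
    # every network pfSense can reach directly (LAN, OPTx, other tunnels)
    "reachable": ["192.168.1.0/24", "10.10.0.0/16"],
}

SHREW = {  # the Shrew Soft connection as configured in this howto
    "phase1": {"mode": "aggressive", "cipher": "3des", "hash": "sha1",
               "dh_group": "Group 2", "lifetime": 86400},
    "phase2": {"cipher": "esp-3des", "hash": "sha1", "pfs_group": "Disabled",
               "lifetime": 3600},
    "key_id": "vpnuser1@example.com", "psk": SAMPLE_PSK,
    "virtual_address": "192.168.111.10", "virtual_netmask": "255.255.255.0",
    "policy_include": ["192.168.1.0/255.255.255.0"],
}

MIN_PSK_LEN = 20  # this example's threshold; aggressive mode + PSK invites offline guessing


def norm(value):
    """Reduce the two GUIs' spellings of one setting to a comparable token."""
    v = str(value).strip().lower().replace("rijndael (aes)", "aes")
    for prefix in ("esp-", "hmac-", "group "):
        if v.startswith(prefix):
            v = v[len(prefix):]
    return "off" if v in ("off", "disabled", "none") else v


def check_phase1(server, client):
    """Every Phase 1 value must be identical on both sides."""
    return [f"phase1 {f}: pfSense={server[f]!r} client={client[f]!r}"
            for f in ("mode", "cipher", "hash", "dh_group", "lifetime")
            if norm(server[f]) != norm(client[f])]


def check_phase2(server, client):
    """The client's single transform must be in the server's offered set."""
    problems = []
    if norm(client["cipher"]) not in {norm(c) for c in server["ciphers"]}:
        problems.append(f"phase2 cipher {client['cipher']!r} not offered by pfSense")
    if norm(client["hash"]) not in {norm(h) for h in server["hashes"]}:
        problems.append(f"phase2 hash {client['hash']!r} not offered by pfSense")
    if norm(server["pfs_group"]) != norm(client["pfs_group"]):
        problems.append(f"phase2 pfs: pfSense={server['pfs_group']!r} client={client['pfs_group']!r}")
    if server["lifetime"] != client["lifetime"]:
        problems.append(f"phase2 lifetime: pfSense={server['lifetime']} client={client['lifetime']}")
    return problems


def check_identity(server, client):
    """The client's Key ID must have a PSK entry, and the secret must match."""
    key = server["psk"].get(client["key_id"])
    if key is None:
        return [f"no pre-shared key entry for identifier {client['key_id']!r}"]
    problems = []
    if key != client["psk"]:
        problems.append("pre-shared key differs between pfSense and client")
    if len(key) < MIN_PSK_LEN:
        problems.append("pre-shared key is short; aggressive mode exposes it to offline guessing")
    return problems


def check_client_subnet(server, client):
    """The virtual adapter range must not overlap anything pfSense reaches."""
    virtual = ipaddress.ip_network(
        f"{client['virtual_address']}/{client['virtual_netmask']}", strict=False)
    return [f"client range {virtual} overlaps {net}" for net in server["reachable"]
            if virtual.overlaps(ipaddress.ip_network(net))]


def check_policy(server, client):
    """Each Include entry in the Policy tab should be a network behind pfSense."""
    reachable = [ipaddress.ip_network(n) for n in server["reachable"]]
    problems = []
    for entry in client["policy_include"]:
        net = ipaddress.ip_network(entry, strict=False)
        if not any(net.subnet_of(r) for r in reachable):
            problems.append(f"policy include {net} is not behind pfSense")
    return problems


def check_all(server, client):
    """Return every mismatch found; an empty list means the profiles agree."""
    return (check_phase1(server["phase1"], client["phase1"])
            + check_phase2(server["phase2"], client["phase2"])
            + check_identity(server, client)
            + check_client_subnet(server, client)
            + check_policy(server, client))


if __name__ == "__main__":
    for problem in check_all(PFSENSE, SHREW) or ["settings match"]:
        print(problem)
```

Run it as-is and it reports that the two sample profiles match; change one value on either side (for example set PFS to Group 2 in the client, or move the virtual address into 192.168.1.0/24) and the corresponding check names the disagreement, which is the same thing racoon's "no suitable proposal" style failures are telling you less directly.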
Using the Shrew Soft client is relatively easy, but if more details are needed, let me know.
There is a section in the IPsec Troubleshooting document about debugging issues with the Shrew Soft client.