Personal tools

Mobile IPsec on 2.0

From PFSenseDocs

Jump to: navigation, search
This article is part of the HOWTO series.

You can connect a number of devices to pfSense 2.0 using IPsec, most notably Android (Phones and Tablets) and iOS (iPhone, iPad, iPod Touch, etc) devices but anything that is capable of IPsec will typically work.

This document covers the most common setup for mobile devices, which is IPsec using Xauth and a mutual Pre-Shared Key.

This setup has been tested and working on various Android and iOS devices (see text and links below for more detail). Other clients may work as well, including (at least one of) the Cisco software client(s).

IPsec Server Setup

This is the setup for the pfSense side of the connection

Mobile Clients

  • Check "Enable IPsec Mobile Client Support"
  • Check "Provide a virtual IP address to clients"
  • Enter an unused subnet in the box, pick a subnet mask
  • Set any other desired options here
  • Save, apply, create p1 if it doesn't exist.

Phase 1 settings

  • Authentication method: Mutual PSK + Xauth
  • Negotiation mode: aggressive
  • My identifier: My IP address
  • Peer identfier: User Distinguished Name, vpnusers@example.com
  • Pre-Shared Key: aaabbbccc
  • Policy Generation: Unique
  • Proposal Checking: Strict
  • Encryption Algorithm: AES 128
  • Hash Algorithm: SHA1
  • DH Key Group: 2
  • Lifetime: 86400
  • NAT Traversal: Force
  • Save

Phase 2 settings

  • Mode: Tunnel
  • Local Network: (your local network)
  • Protocol: ESP
  • Encryption Algorithms: AES 128 *only*
  • Hash Algorithms: SHA1 *only*
  • PFS key group: off
  • Lifetime: 28800
  • Save, apply

User Settings

  • Go to System > User Manager
  • Add a user, grant the user the xauth dialin permission, or add to a group with this permission.
    • Note that for xauth, the password used is the password for the user, not the "IPsec Pre-Shared Key" field. That is used for non-xauth IPsec.

Firewall Rules

Don't forget to add firewall rules to pass traffic from clients

  • Firewall > Rules, IPsec tab
  • Add rules that match the traffic you want to allow, or add a rule to pass any protocol/any source/any destination to allow everything.

IPsec SA Preference

  • System > Advanced, Miscellaneous tab.
  • Uncheck "Prefer Old IPsec SA"

Device Setup (Android)

NOTE: These settings are not present on all Android devices. See Android VPN Connectivity for more info.

  • Settings, Networks & Wireless, VPN Settings, Advanced IPsec VPNs
  • From there, press the menu button, then add.
  • Connection Template: PSK v1 (AES, xauth, aggressive)
  • VPN Name: whatever you want
  • VPN Server: IP of the server
    • The phone forces the keyboard to numbers, not sure if a hostname is supported.
  • Pre-Shared Key Type: text
  • Pre-Shared Key: PSK from the Phase 1 above
  • Identity Type: User FQDN
  • Identity: vpnusers@example.com
  • Username: your xauth username
  • Password: your xauth password
  • Internal Subnet IP: Whatever subnet(s) you specified in p2 above.
  • Finish

Device Setup (iOS)

  • Settings > General > Network > VPN
  • Add VPN Configuration
  • Click IPsec
  • Description: whatever you want
  • Server: IP of the server
  • Account: your xauth username
  • Password: your xauth password (or leave blank to be prompted every time)
  • Group Name: vpnusers@example.com
  • Secret: PSK from the Phase 1 above

Troubleshooting

By default iOS will tunnel all traffic over the VPN, including traffic going to the Internet. If you are unable to access Internet sites once connected, you may need to push a DNS server to the client for it to use, such as the LAN IP address of your firewall if you have the DNS forwarder enabled, or a public DNS server such as 8.8.8.8/8.8.4.4.

The reason for the above is that your 3G provider is likely giving your mobile devices DNS servers that are only accessible from their network. Once you connect to the VPN the DNS servers are now being accessed via the VPN instead of the 3G network, and the queries are likely to be dropped. Supplying a local/public DNS server will work around that.