
How to set up IPsec tunneling in PfSense 2.0.1-RELEASE for road warriors

By Vorkbaard*gmail*com, 2011-09-27
Edited 2012-03-05 to include workaround for traffic problem

This article describes how to set up IPsec tunneling in PfSense 2.0.1-RELEASE for use with the Shrew Soft VPN client 2.2.0-beta-2 for Windows. The method I describe here is just one of many possible ones and probably not the best or most efficient. It does however work for me.

If you need a random password, https://www.grc.com/passwords.htm is a good place to get one.
 
Note: there were some problems with the previous setup. A connection would be established but no traffic would flow through it and PfSense would log these lines:
racoon: ERROR: failed to begin ipsec sa negotication.
racoon: ERROR: no configuration found for 188.207.93.***.
I wrestled through the fora, bug trackers and related sites and found a solution that works - again, it works for me. Your mileage may vary. I have updated this page to reflect my solution.
 
-Forkbeard
 
Server configuration
 
In PfSense, go to VPN > IPsec. On the Tunnels tab, tick Enable IPsec and press Save.
 
Go to the Mobile clients tab, tick Enable IPsec Mobile Client Support and Provide a virtual IP address to clients. Make the virtual IP subnet different from the LAN subnet of your PfSense router, and preferably also from the subnets home routers commonly hand out (192.168.0.0/24, 192.168.1.0/24): a client whose own LAN overlaps the pool will have routing trouble. Connected clients get their addresses from this pool, which is how remotely connected users are told apart from local addresses.
 
At Network List, check Provide a list of accessible networks to clients.
At Phase2 PFS Group, check Provide the Phase2 PFS group to clients and select Group 2. The group number selects the Diffie-Hellman group used for perfect forward secrecy (Group 2 is 1024-bit MODP); it must be the same on PfSense and the client, and a larger group gives stronger keys at the cost of a slightly slower rekey.
 
If you like, you can set a Login Banner here. This is a message that is displayed to the user when he or she connects, like a warning or a user agreement. This is optional.
 
You may choose to also provide a DNS Default Domain, DNS Servers and WINS Servers. This is up to you. For my private network, I fill in Google’s public DNS servers (8.8.8.8 and 8.8.4.4 at the moment I am writing this). If you are providing Active Directory services through this IPsec setup, consider entering your AD’s DNS servers here.
Press Save.
 
You will get two warnings. Press Apply changes.
 
 
Wait for the page to reload, then press Close. 
 
 
The upper message closes. Click Create Phase 1. 
 
 
You will be taken to the Tunnels tab and presented with a page titled Edit Phase 1: Mobile Client. Fill out the values shown in the next screenshot. 
 
Here the problems mentioned in my note at the top of this page are addressed. At the moment I am using PfSense 2.0.1-RELEASE and a couple of possible solutions have been suggested for the SA problem (traffic not flowing through an established tunnel). These suggestions include:
  • setting Negotiation mode to Main (this broke my setup so I don't use it)
  • setting Policy Generation to Unique (I am not sure if this is necessary; it may also solve the problem that one client can connect from behind a NAT router but subsequent users can't. I haven't tested this, but it works, so I just let it be.)
  • setting Proposal Checking to Strict
  • setting NAT Traversal to Force
  • disabling Dead Peer Detection (This may or may not be necessary. Apparently this option is buggy in the original BSD package, but just as with Policy Generation I haven't tested it; it works and I don't really care.)

One caveat about staying on Aggressive mode: with Aggressive mode and pre-shared keys, the client's identifier travels in the clear and the responder's hash can be captured by anyone on the path and attacked offline with a dictionary. The long random pre-shared key described further down is what makes that attack impractical, so do not substitute a memorable passphrase.
 
 
Click Save. Then click Apply changes. 
 
 
Click the +-button to expand the Phase 2 entries list. 
 
 
Click the +-button to create a Phase 2 entry.
 
 
Fill out the page using the values in the next screenshot. 
 

Click Save when you’re done, wait for the page to reload, then click Apply changes and finally the Close button.
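To see what the Phase 1 choices above and the Phase 2 entry actually do, it helps to know how PfSense renders them for racoon, the IKE daemon it uses in 2.0.x. The fragment below is an added illustration, not a copy of PfSense's generated file: the directive names are racoon's own, but the cipher, hash, lifetimes and the path /var/etc/racoon.conf are assumptions, since the screenshots that carried the actual values are not reproduced here.

```conf
# Added example of a racoon.conf fragment in the shape PfSense 2.0.x generates
# for a mobile-client Phase 1 (remote anonymous) and Phase 2 (sainfo anonymous).
# Compare against /var/etc/racoon.conf on the router (path assumed).
remote anonymous
{
	exchange_mode aggressive;        # Negotiation mode: Aggressive (Main broke the author's setup)
	generate_policy unique;          # Policy Generation: Unique (one SA per client, NAT-friendly)
	proposal_check strict;           # Proposal Checking: Strict (client must match our proposal)
	nat_traversal force;             # NAT Traversal: Force (always encapsulate in UDP 4500)
	dpd_delay 0;                     # Dead Peer Detection disabled (0 turns DPD off in racoon)
	passive on;                      # responder only: mobile clients always initiate
	ike_frag on;                     # fragment large IKE messages (long PSK proposals)
	proposal
	{
		encryption_algorithm aes 256;        # Phase 1 cipher, assumed value
		hash_algorithm sha1;                 # Phase 1 hash, assumed value
		authentication_method pre_shared_key;# Mutual PSK, as on the Shrew Soft side
		dh_group 2;                          # Phase 1 DH group, must match the client
		lifetime time 28800 sec;             # assumed value
	}
}

sainfo anonymous
{
	pfs_group 2;                     # Phase 2 PFS group offered to mobile clients
	encryption_algorithm aes 256;    # Phase 2 cipher, assumed value
	authentication_algorithm hmac_sha1;
	lifetime time 3600 sec;          # assumed value
}
```

Every value inside the two proposal blocks has to be mirrored exactly in the Shrew Soft Phase 1 and Phase 2 tabs; with proposal_check strict a mismatch is rejected rather than negotiated down.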

Go to the Pre-shared keys tab to create a user who can connect. Click one of the +-buttons to create a user. 

 

 

I like to use e-mail addresses as identifiers as they are unique but you can use anything you like. Get a random string of characters here: https://www.grc.com/passwords.htm, choose the 63 random printable ASCII characters.

Be aware that if you paste the random character string in the Pre-shared key field, your browser may decide to add an extra space. Save yourself a couple of hours of troubleshooting and check if it does. If so, remove it. 
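As an added helper (not part of the original page), the following script generates a pre-shared key from the same character set grc.com uses (printable ASCII without spaces) and checks a pasted key for exactly the problem described above: stray leading or trailing whitespace, embedded whitespace, non-ASCII characters and insufficient length. The 128-bit minimum is an assumption chosen because, with Aggressive mode, the key can be attacked offline by anyone who captured the first exchange.

```python
import math
import secrets

# Printable ASCII 0x21..0x7E: 94 characters, no space.  This is the set the
# "63 random printable ASCII characters" option on grc.com draws from.
PSK_ALPHABET = "".join(chr(i) for i in range(0x21, 0x7F))


def generate_psk(length=63):
    """Return a random pre-shared key of `length` printable ASCII characters."""
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def psk_entropy_bits(psk, alphabet=PSK_ALPHABET):
    """Entropy if every character was drawn uniformly from `alphabet`."""
    return len(psk) * math.log2(len(alphabet))


def check_psk(psk, min_bits=128):
    """Return a list of problems with a pasted PSK; an empty list means OK.

    min_bits is an assumed threshold; Aggressive mode with PSK lets an
    eavesdropper brute-force the key offline, so short keys are dangerous.
    """
    problems = []
    if psk != psk.strip():
        problems.append("leading or trailing whitespace (browser paste artifact?)")
    if any(c.isspace() for c in psk.strip()):
        problems.append("contains embedded whitespace")
    if any(not (0x21 <= ord(c) <= 0x7E) for c in psk.strip()):
        problems.append("contains non-printable or non-ASCII characters")
    bits = psk_entropy_bits(psk.strip())
    if bits < min_bits:
        problems.append(f"too short: about {bits:.0f} bits of entropy, want at least {min_bits}")
    return problems


if __name__ == "__main__":
    key = generate_psk()
    print("generated:", key)
    print("problems with generated key:", check_psk(key))
    # Constructed sample: the same key with the extra space a browser may add.
    print("problems with pasted key:", check_psk(key + " "))
```

Run it once to generate the key, and run check_psk on whatever ends up in the Pre-shared key field (copy it back out of the field) before spending an evening on a tunnel that will never authenticate.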

 

Click the Save button, wait for the page to reload and click the Apply changes button.

The IPsec config is done. The firewall still needs to let IKE and ESP reach the WAN interface (UDP 500, UDP 4500 and protocol ESP), and traffic arriving from connected clients must be explicitly allowed by rules on the new IPsec tab under Firewall > Rules. Without the IPsec tab rules the tunnel comes up but nothing passes through it.

Addendum: apparently you do not need to add the WAN rules yourself in PfSense 2.0.1 (and probably higher); PfSense adds them when IPsec is enabled. The rules on the IPsec tab are still yours to create. Thanks to Jérôme Cantalupo for trying it and mentioning it to me.

Client configuration

For the client side, I use Shrew Soft VPN Client version 2.1.7-release (http://www.shrew.net/download/vpn). I have found this client to be quite stable and it’s very unobtrusive when in use. You can have it just hide in the system tray automatically when connected. Download and install it.

The screenshots you see here I have adapted from my own working configuration. If I do not mention a specific field or checkbox, use the screenshot as a guide because the defaults in the various Shrew Soft VPN clients may differ. So go with the pictures.

Open the Shrew Soft VPN Access Manager and click the Add button. 

In the General tab, enter your PfSense router’s public IP address. You can also use its FQDN, for example www.mycompany.com.
 
On the Client tab, set NAT Traversal to force-rfc. NAT Traversal, or NAT-T, enables you to use the client from behind a NAT router. Apparently it also works around the bug I refer to in the note at the top of this page.
 
Deselect Dead Peer Detection. It may break the tunnel. If you need it, go ahead and try whether it works.
 
 
Name Resolution tab: set it all to Automatically. For my Active Directory setup, I use Split DNS to have the clients distinguish between company domains (i.e. their AD logon domain) and the rest of the internet. If your Active Directory logon name is john@mynetwork.domain then you might use mynetwork.domain as a split DNS domain. You can ignore it for home use.
 
 
On the Authentication tab, select Mutual PSK as the authentication method. On the Authentication > Local Identity tab, choose Key Identifier as the Identification Type and enter the e-mail address we entered in PfSense while creating a user with a pre-shared key (VPN: IPsec: Edit pre-shared key).
 
 
On the Authentication > Remote Identity tab, choose IP Address as the Identification type and check Use a discovered remote host address.
 
 
On the Authentication > Credentials tab, enter the pre-shared key we created earlier to go with the e-mail address.
 
 
 
On the Phase 1 and Phase 2 tabs, enter the values we entered earlier in PfSense. Be careful to use the exact same settings as in PfSense.
 
I'm using aes as the Cipher Algorithm here; other cipher algorithms are available (I needed AES for a different client, otherwise I would have chosen 3DES or Blowfish). AES is the better choice anyway: 3DES and Blowfish are 64-bit block ciphers and slower than AES on modern hardware. Just remember to set it the same on the client and on your PfSense router! 
 
 
 
On the Policy tab, set Policy Generation Level to unique.
 

If you’re done, click Ok and then Save.

Enter a name for the profile. 

 

 
In the Shrew Soft VPN Access Manager, I personally like to set some GUI preferences. In the File menu, click Preferences. Under VPN Connect, select Visible in System Tray only and check Minimize when connection succeeds. If you do this, the connection window will automatically hide itself in the system tray when connected. Of course, this step is optional. 
 
 
Also, I like to create a shortcut on my Desktop to a VPN profile. Create a shortcut to C:\Program Files\ShrewSoft\VPN Client\ipsecc.exe, right-click that shortcut and choose Properties. In the Target field, append this (with straight quotes, and MyRouter replaced by the profile name you entered above): -a -r "MyRouter" 
 
 

Yes, the screenshot is in Dutch. If anyone provides an English one I’ll happily replace it.

Now if you double-click the shortcut it'll connect your IPsec tunnel without asking any questions and sit in the system tray.
