(Solved)Working IPSec guide for 2.3
-
Hello,
I understand that 2.3 is now officially released as of yesterday. I've been trying to set IPSec up on my network to no avail. I want to use it as a backup VPN, learn how it works, and to use the native VPN already on my iPhone/Mac. I already have a working OpenVPN but I plan to provide my users VPN access to my network more simply using the VPN built into iOS. I tried following this guide but not sure what isn't working https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To
Running pfSense 2.3 and iPhone running iOS +9.0.2
Thanks.
-
That should all work the same on 2.3 as 2.2
Though if you're going for a new IPsec deployment on 2.3 (or 2.2!) you're better off aiming for IKEv2 rather than that style. Like https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 or https://doc.pfsense.org/index.php/IKEv2_with_EAP-RADIUS
-
Thank you!!
Local Network was set to my LAN. With 0.0.0.0/0 it works now and I reply from my iPhone via VPN!
-
That should all work the same on 2.3 as 2.2
Though if you're going for a new IPsec deployment on 2.3 (or 2.2!) you're better off aiming for IKEv2 rather than that style. Like https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 or https://doc.pfsense.org/index.php/IKEv2_with_EAP-RADIUS
Thank you for this, made it further but what Im confused is this section
Create a Server Certificate
Navigate to System > Cert Manager, Certificates tab on pfSense
Click "+" to create a new certificate
Select Create an internal certificate for the Method
Enter a Descriptive Name such as IKEv2 Server
Select the appropriate Certificate Authority created in the previous step
Choose the desired Key length, Digest algorithm, and Lifetime
Set the Certificate Type to Server Certificate
Fill in the regional and company values in the Distinguished name fields as desired, they are copied from the CA and may be left as-is
Enter the Common Name as the hostname of the firewall as it exists in DNS. If clients will connect by IP address, place the IP address here.
Click "+" to add a new Alternative Name
Enter DNS in the Type field
Enter the hostname of the firewall as it exists in DNS again in the Value field. Some clients require the value in SAN not just CN!
Click "+" to add a new Alternative Name
Enter IP in the Type field
Enter the WAN IP address of the firewall in the Value field
Add more Alternative Names as needed for additional hostnames or IP addresses on the firewall that clients may use to connect
Click Save
and
Phase 2
Click "+" to show the Mobile IPsec Phase 2 list
Click "+" to add a new Phase 2 entry if one does not exist, or click "e" to edit an existing entry
Set Mode to Tunnel IPv4
Set Local Network as desired, e.g. LAN subnet
To pass all traffic, including Internet traffic, across the VPN, set the Local Network to 0.0.0.0/0
Enter an appropriate Description
Set Protocol to ESP
Set Encryption algorithms to AES Auto and if there are iOS/OS X devices, also select 3DES.
Set Hash algorithms to SHA1 and SHA256
Set PFS Key Group to off
Set Lifetime to 3600
Click Save
For the Type field (during the Create a Certificate Authority setup) I can't set it as DNS; there's only FQDN or Hostname, IP Address, URL, Email address. Can I insert my DDNS name instead of my IP address in this section as well?
Lastly, for the Local Network (during the Phase 2 setup) I set Local Network to Network and Address as 0.0.0.0/0 to pass all traffic through the tunnel. Is this correct?
This is all I get in the IPsec logs
Apr 14 14:07:50 charon 08[CFG] received stroke: route 'bypasslan'
Apr 14 14:07:50 charon 13[CFG] added configuration 'bypasslan'
Apr 14 14:07:50 charon 13[CFG] received stroke: add connection 'bypasslan'
Apr 14 14:07:50 charon 06[CFG] deleted connection 'con1'
Apr 14 14:07:50 charon 06[CFG] received stroke: delete connection 'con1'
Apr 14 14:07:50 charon 13[CFG] deleted connection 'bypasslan'
Apr 14 14:07:50 charon 13[CFG] received stroke: delete connection 'bypasslan'
Apr 14 14:07:50 ipsec_starter 97045 shunt policy 'bypasslan' uninstalled
Apr 14 14:07:50 charon 14[CFG] received stroke: unroute 'bypasslan'
Apr 14 14:07:50 charon 13[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
Apr 14 14:07:50 charon 13[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Apr 14 14:07:50 charon 13[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Apr 14 14:07:50 charon 13[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Apr 14 14:07:50 charon 13[CFG] loaded ca certificate
Apr 14 14:07:50 charon 13[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Apr 14 14:07:50 charon 13[CFG] loaded EAP secret for cristian@torres.li
Apr 14 14:07:50 charon 13[CFG] loaded RSA private key from '/var/etc/ipsec/ipsec.d/private/cert-1.key'
Apr 14 14:07:50 charon 13[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Apr 14 14:07:50 charon 13[CFG] rereading secrets
Apr 14 14:03:29 charon 14[JOB] <6> deleting half open IKE_SA after timeout
Apr 14 14:02:59 charon 14[NET] <6> sending packet: from [500] to [50461] (341 bytes)
Apr 14 14:02:59 charon 14[ENC] <6> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Apr 14 14:02:59 charon 14[IKE] <6> sending cert request for
Apr 14 14:02:59 charon 14[IKE] <6> remote host is behind NAT
Apr 14 14:02:59 charon 14[IKE] <6> is initiating an IKE_SA
Apr 14 14:02:59 charon 14[ENC] <6> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Apr 14 14:02:59 charon 14[NET] <6> received packet: from [50461] to [500] (388 bytes)
Apr 14 14:02:57 charon 06[CFG] added configuration 'con1'
Apr 14 14:02:57 charon 06[CFG] loaded certificate
Apr 14 14:02:57 charon 06[CFG] reusing virtual IP address pool 192.168.4.0/24
Apr 14 14:02:57 charon 06[CFG] received stroke: add connection 'con1'
Apr 14 14:02:57 ipsec_starter 97045 'bypasslan' shunt PASS policy installed
Apr 14 14:02:57 charon 06[CFG] received stroke: route 'bypasslan'
Apr 14 14:02:57 charon 13[CFG] added configuration 'bypasslan'
Apr 14 14:02:57 charon 13[CFG] received stroke: add connection 'bypasslan'
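The "Create a Server Certificate" steps quoted in the post above, redone with openssl as an added example (this is not code from the thread or from pfSense) so the SAN requirement can be checked outside the GUI: the CA, then a server certificate whose SAN carries both the DNS name (the type pfSense labels FQDN) and the WAN IP, and a check that a client-facing name really is in the SAN and not only in the CN. The hostname vpn.example.net and WAN IP 203.0.113.10 are placeholders.

```shell
#!/bin/sh
# Added example: build the CA and IKEv2 server certificate the pfSense Cert
# Manager steps describe, then verify the SAN. Placeholder values below.
set -e
WORK=$(mktemp -d)
HOST=vpn.example.net      # assumed: hostname clients dial (CN and DNS SAN)
WANIP=203.0.113.10        # assumed: firewall WAN address (IP SAN)

make_ikev2_server_cert() {
  # "Create a Certificate Authority": a self-signed CA key pair
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=IKEv2 CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Server key and CSR; Common Name = hostname of the firewall in DNS
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$HOST" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  # Certificate Type "Server Certificate" plus the two Alternative Names
  # (1.3.6.1.5.5.8.2.2 is the IKE intermediate EKU some IKEv2 clients expect)
  cat > "$WORK/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2
subjectAltName=DNS:$HOST,IP:$WANIP
EOF
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/server.ext" \
    -out "$WORK/server.crt" 2>/dev/null
}

# Succeeds only if the SAN extension lists the given entry, e.g. "DNS:vpn.example.net"
# or "IP Address:203.0.113.10"; a name present only in the CN does not count.
san_has() {
  openssl x509 -in "$WORK/server.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -q "$1"
}

# Succeeds if the server certificate chains to the CA, as the client will check.
chain_ok() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}
```

Run make_ikev2_server_cert and then san_has "DNS:$HOST" against a certificate exported from pfSense to confirm the hostname is in the SAN before pointing an iOS client at it.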
-
FQDN is the equivalent of DNS, so use that.
And to pass all traffic over, use a network of 0.0.0.0/0.
-
FQDN is the equivalent of DNS, so use that.
And to pass all traffic over, use a network of 0.0.0.0/0.
IT WORKS
Thank you so much! ;D