Netgate Discussion Forum
    (Solved) Working IPSec guide for 2.3

    6 Posts 3 Posters 3.1k Views
      A Former User

      Hello,

      I understand that 2.3 is now officially released as of yesterday. I've been trying to set IPSec up on my network to no avail. I want to use it as a backup VPN, learn how it works, and to use the native VPN already on my iPhone/Mac. I already have a working OpenVPN but I plan to provide my users VPN access to my network more simply using the VPN built into iOS. I tried following this guide but I'm not sure what isn't working: https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

      Running pfSense 2.3 and iPhone running iOS +9.0.2

      Thanks.

        jimp (Rebel Alliance Developer, Netgate)

        That should all work the same on 2.3 as 2.2

        Though if you're going for a new IPsec deployment on 2.3 (or 2.2!) you're better off aiming for IKEv2 rather than that style. Like https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 or https://doc.pfsense.org/index.php/IKEv2_with_EAP-RADIUS

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          renegade

          Thank you!!
          Local Network was set to my LAN. With 0.0.0.0/0 it works now and I reply from my iPhone via VPN!

            A Former User

            @jimp:

            That should all work the same on 2.3 as 2.2

            Though if you're going for a new IPsec deployment on 2.3 (or 2.2!) you're better off aiming for IKEv2 rather than that style. Like https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 or https://doc.pfsense.org/index.php/IKEv2_with_EAP-RADIUS

            Thank you for this, I made it further, but what I'm confused about is this section

            Create a Server Certificate

            Navigate to System > Cert Manager, Certificates tab on pfSense
            Click "+" to create a new certificate
            Select Create an internal certificate for the Method
            Enter a Descriptive Name such as IKEv2 Server
            Select the appropriate Certificate Authority created in the previous step
            Choose the desired Key length, Digest algorithm, and Lifetime
            Set the Certificate Type to Server Certificate
            Fill in the regional and company values in the Distinguished name fields as desired, they are copied from the CA and may be left as-is
            Enter the Common Name as the hostname of the firewall as it exists in DNS. If clients will connect by IP address, place the IP address here.
            Click "+" to add a new Alternative Name
            Enter DNS in the Type field
            Enter the hostname of the firewall as it exists in DNS again in the Value field – Some clients require the value in SAN not just CN!
            Click "+" to add a new Alternative Name
            Enter IP in the Type field
            Enter the WAN IP address of the firewall in the Value field
            Add more Alternative Names as needed for additional hostnames or IP addresses on the firewall that clients may use to connect
            Click Save

            and

            Phase 2

            Click "+" to show the Mobile IPsec Phase 2 list
            Click "+" to add a new Phase 2 entry if one does not exist, or click "e" to edit an existing entry
            Set Mode to Tunnel IPv4
            Set Local Network as desired, e.g. LAN subnet
            To pass all traffic, including Internet traffic, across the VPN, set the Local Network to 0.0.0.0/0
            Enter an appropriate Description
            Set Protocol to ESP
            Set Encryption algorithms to AES Auto and if there are iOS/OS X devices, also select 3DES.
            Set Hash algorithms to SHA1 and SHA256
            Set PFS Key Group to off
            Set Lifetime to 3600
            Click Save

            For the Type field (during the Create a Certificate Authority setup) I can't set it as DNS; there's only FQDN or Hostname, IP Address, URL, Email address. Can I insert my DDNS name instead of my IP address in this section as well?

            Lastly, for the Local Network (during the Phase 2 setup) I set Local Network to Network and Address as 0.0.0.0/0 to pass all traffic through the tunnel. Is this correct?

            This is all I get in the IPsec logs

            Apr 14 14:07:50	charon		08[CFG] received stroke: route 'bypasslan'
            Apr 14 14:07:50	charon		13[CFG] added configuration 'bypasslan'
            Apr 14 14:07:50	charon		13[CFG] received stroke: add connection 'bypasslan'
            Apr 14 14:07:50	charon		06[CFG] deleted connection 'con1'
            Apr 14 14:07:50	charon		06[CFG] received stroke: delete connection 'con1'
            Apr 14 14:07:50	charon		13[CFG] deleted connection 'bypasslan'
            Apr 14 14:07:50	charon		13[CFG] received stroke: delete connection 'bypasslan'
            Apr 14 14:07:50	ipsec_starter	97045	shunt policy 'bypasslan' uninstalled
            Apr 14 14:07:50	charon		14[CFG] received stroke: unroute 'bypasslan'
            Apr 14 14:07:50	charon		13[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
            Apr 14 14:07:50	charon		13[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
            Apr 14 14:07:50	charon		13[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
            Apr 14 14:07:50	charon		13[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
            Apr 14 14:07:50	charon		13[CFG] loaded ca certificate 
            Apr 14 14:07:50	charon		13[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
            Apr 14 14:07:50	charon		13[CFG] loaded EAP secret for cristian@torres.li
            Apr 14 14:07:50	charon		13[CFG] loaded RSA private key from '/var/etc/ipsec/ipsec.d/private/cert-1.key'
            Apr 14 14:07:50	charon		13[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
            Apr 14 14:07:50	charon		13[CFG] rereading secrets
            Apr 14 14:03:29	charon		14[JOB] <6> deleting half open IKE_SA after timeout
            Apr 14 14:02:59	charon		14[NET] <6> sending packet: from [500] to [50461] (341 bytes)
            Apr 14 14:02:59	charon		14[ENC] <6> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
            Apr 14 14:02:59	charon		14[IKE] <6> sending cert request for 
            Apr 14 14:02:59	charon		14[IKE] <6> remote host is behind NAT
            Apr 14 14:02:59	charon		14[IKE] <6>  is initiating an IKE_SA
            Apr 14 14:02:59	charon		14[ENC] <6> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
            Apr 14 14:02:59	charon		14[NET] <6> received packet: from [50461] to [500] (388 bytes)
            Apr 14 14:02:57	charon		06[CFG] added configuration 'con1'
            Apr 14 14:02:57	charon		06[CFG] loaded certificate 
            Apr 14 14:02:57	charon		06[CFG] reusing virtual IP address pool 192.168.4.0/24
            Apr 14 14:02:57	charon		06[CFG] received stroke: add connection 'con1'
            Apr 14 14:02:57	ipsec_starter	97045	'bypasslan' shunt PASS policy installed
            Apr 14 14:02:57	charon		06[CFG] received stroke: route 'bypasslan'
            Apr 14 14:02:57	charon		13[CFG] added configuration 'bypasslan'
            Apr 14 14:02:57	charon		13[CFG] received stroke: add connection 'bypasslan'
            
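The post's log ends with exchange <6> being deleted as half open. The script below is an added example, not code from the thread or the pfSense docs; it groups pfSense 2.3 charon log lines by IKE_SA id and tells a negotiation that never received IKE_AUTH apart from one that completed. Its sample lines are constructed after the post's log, with RFC 5737 addresses standing in for the redacted hosts and an added SA <7> for contrast.

```python
import re

# pfSense 2.3 IPsec log line (tab separated): time, process, optional pid, "NN[SUBSYS] <sa> msg".
# Only charon lines tagged with an IKE_SA id describe one negotiation: <N>, or <name|N> once matched.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\tcharon\t+\d+\[(?P<sub>\w+)\] "
    r"<(?:[\w-]+\|)?(?P<sa>\d+)> (?P<msg>.*)$"
)

# Constructed sample modelled on the thread's log (newest first, as pfSense shows it), with RFC 5737
# addresses for the redacted hosts. <6> is the stalled negotiation; <7> is an added one that completes.
SAMPLE = [
    "Apr 14 14:10:03\tcharon\t\t09[IKE] <con1|7> IKE_SA con1[7] established between 203.0.113.1[203.0.113.1]...198.51.100.7[198.51.100.7]",
    "Apr 14 14:10:02\tcharon\t\t09[ENC] <7> parsed IKE_AUTH request 1 [ IDi CERTREQ IDr CP(ADDR DNS) SA TSi TSr ]",
    "Apr 14 14:10:02\tcharon\t\t09[ENC] <7> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]",
    "Apr 14 14:03:29\tcharon\t\t14[JOB] <6> deleting half open IKE_SA after timeout",
    "Apr 14 14:02:59\tcharon\t\t14[ENC] <6> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]",
    "Apr 14 14:02:59\tcharon\t\t14[IKE] <6> remote host is behind NAT",
    "Apr 14 14:02:59\tcharon\t\t14[ENC] <6> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]",
    "Apr 14 14:02:59\tcharon\t\t14[NET] <6> received packet: from 198.51.100.7[50461] to 203.0.113.1[500] (388 bytes)",
    "Apr 14 14:02:57\tcharon\t\t06[CFG] added configuration 'con1'",  # no IKE_SA tag: ignored
]

def parse(lines):
    """Group per-negotiation charon messages by IKE_SA id."""
    by_sa = {}
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m:
            by_sa.setdefault(int(m["sa"]), []).append((m["ts"], m["sub"], m["msg"]))
    return by_sa

def diagnose(by_sa):
    """IKE_SA_INIT answered, then 'deleting half open IKE_SA' with no IKE_AUTH ever parsed:
    the client's IKE_AUTH request never reached charon. After NAT detection the client moves
    to UDP 4500, so check that port first. A certificate/SAN problem or a Phase 2 traffic
    selector mismatch normally surfaces inside IKE_AUTH, so neither explains a stall here."""
    verdicts = {sa: "incomplete" for sa in by_sa}
    for sa, events in by_sa.items():
        msgs = [m for _, _, m in events]
        answered = any(m.startswith("generating IKE_SA_INIT response") for m in msgs)
        saw_auth = any("IKE_AUTH" in m for m in msgs)
        half_open = any("deleting half open IKE_SA" in m for m in msgs)
        if answered and half_open and not saw_auth:
            nat = " (peer behind NAT: check UDP 4500)" if "remote host is behind NAT" in msgs else ""
            verdicts[sa] = "stalled after IKE_SA_INIT: no IKE_AUTH received" + nat
        elif saw_auth:
            verdicts[sa] = "established" if any("established" in m for m in msgs) else "reached IKE_AUTH, not established"
    return verdicts
```

Feed it the Status > System Logs > IPsec output saved to a file, one line per entry, and `diagnose(parse(lines))` reports a verdict per IKE_SA.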
              jimp (Rebel Alliance Developer, Netgate)

              FQDN is the equivalent of DNS, so use that.

              And to pass all traffic over, use a network of 0.0.0.0/0.


                A Former User

                @jimp:

                FQDN is the equivalent of DNS, so use that.

                And to pass all traffic over, use a network of 0.0.0.0/0.

                IT WORKS
                Thank you so much! ;D

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.