HELP ME: IKEv2 setup with strongSwan server
-
Hi all, I have a strongSwan VPN server (let's call this vpn-box) that I want to connect to using my pfSense machine (let's call this pf-box) to evade censorship and all that. What I want to achieve is to have my pf-box share this connection to all its Ethernet ports, as in the pf-box is acting like a hardware VPN of sorts. The reason why I'm doing this is I have some peripherals that have Ethernet but can't install any VPN software, so I'd like to expose that to them with a pfSense box. Is this possible?
-
I've been trying to do this as well, with a VPN provider (NordVPN) that supports IKEv2 with MSCHAP authentication.
So far, I haven't been able to set up pfSense as an IKEv2 client with MSCHAP authentication. It might not be possible to do so. But if it is, I'd be very interested to know.
-
@wildboarcharlie Yes, it's completely possible, and not that hard. Similar to @LilYoda, I do exactly what you're describing to connect my pfSense box to my VPN provider (coincidentally, also NordVPN) and route my LAN traffic over the VPN, but I use OpenVPN instead of IKEv2 with MSCHAPv2. There are no problems connecting, but I've noticed that the VPN link will disconnect after a few hours despite near-constant network traffic. I've read in other threads that this behavior is due to configurations on the VPN provider's side, not pfSense's settings.
There is a lot of documentation already prepared which can help you configure the VPN:
https://doc.pfsense.org/index.php/VPN_Capability_Overview
-
I've done OpenVPN to NordVPN (I've even played around with 4 tunnels and load-balancing on the 4 tunnels).
But I haven't been able to configure IKEv2 towards NordVPN. I read the guides you mentioned, but from what I read, MSCHAP can be configured for an IKEv2 server on pfSense, not an IKEv2 client on pfSense. The guide on IKEv2 that you linked to is written for an IKEv2 server on pfSense, and remote clients like iOS or Android.
Here's what I did:
- download root certificate from NordVPN
- convert to PEM format
- import as a CA in System->Certificate
- Go to VPN->IPSec and set up a site-to-site tunnel.
However, in the authentication box, I see either "Shared PSK" or "RSA".
I have tried both settings, selecting the root NordVPN cert for the remote in the "RSA" mode, or using my NordVPN password as the pre-shared key when in "PSK" mode.
When I go to the status page, and click "connect", it goes back to the "disconnected" state almost instantly. When I check the logs, I keep getting an authentication failed reply from the NordVPN server.
I might be missing something, though :o
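For reference, since both the second post and the last one ask what an IKEv2 client that authenticates with MSCHAPv2 (EAP-MSCHAPv2 in IKEv2 terms) actually needs, here is the equivalent configuration written directly for strongSwan's swanctl.conf, the daemon pfSense drives under the hood. This is an added example, not configuration from any poster or from pfSense or NordVPN. The server hostname (vpn.example.net), the username, the password and the CA file path are assumptions standing in for provider-supplied values.

```conf
# /etc/swanctl/swanctl.conf: IKEv2 initiator (client) using EAP-MSCHAPv2.
# Added example; every value below is a placeholder, not a real provider setting.
# The provider's root CA, converted to PEM, is assumed to be installed at
# /etc/swanctl/x509ca/provider-root.pem so the server certificate can be verified.
connections {
    provider {
        version = 2
        # Assumed server hostname; the real one comes from the provider.
        remote_addrs = vpn.example.net
        # Ask the server for a virtual IP (IKEv2 configuration payload).
        vips = 0.0.0.0
        proposals = aes256-sha256-ecp384,aes256-sha256-modp2048
        # Dead peer detection keeps the tunnel from silently going stale.
        dpd_delay = 30s

        local {
            # The client authenticates with a username/password via EAP-MSCHAPv2,
            # not with a pre-shared key and not with its own RSA certificate.
            auth = eap-mschapv2
            # Identity sent inside EAP; must match the id in the secrets block.
            eap_id = alice@example.net
        }
        remote {
            # The server authenticates with its certificate, which must chain to
            # the installed root CA and carry this identity (CN or SAN).
            auth = pubkey
            id = vpn.example.net
        }
        children {
            provider {
                # Route all traffic through the tunnel.
                remote_ts = 0.0.0.0/0
                esp_proposals = aes256gcm16-ecp384,aes256-sha256-modp2048
                start_action = start
                dpd_action = restart
            }
        }
    }
}

secrets {
    # "eap-" prefix marks an EAP (username/password) secret.
    eap-provider {
        id = alice@example.net
        # Assumed placeholder password.
        secret = "correct horse battery staple"
    }
}
```

The point to take from this is the asymmetry: the two peers use different authentication methods (pubkey on the server side, EAP-MSCHAPv2 on the client side), and the password lives in an EAP secret, not in a PSK. Offering PSK or RSA to a responder that expects EAP fails at the IKE_AUTH exchange, which is the stage to look at in the charon logs when a connection drops straight back to disconnected.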