Netgate Discussion Forum
    New to pfSense - need to set up ipsec vpn remote access

      roveer

      I've been playing with pfSense for the past two weeks and just took my two sites live on the system.  Very impressed with all the features.

      I need to set up remote access so I can access the systems when away with my laptop.  I really don't want to use openvpn and would rather use ipsec vpn.

      Last night I tried to set up remote access using this guide: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

      My client (me) uses a Windows 7 laptop.

      It failed saying something about not liking the ike credentials.  It was late so I did not properly document.

      This method is using EAP-MSCHAPv2, which is built into Windows 7.  I'm used to using a VPN client on my old Check Point implementation.

      I found one similar post with the exact same problem I was having and there were no additional posts providing any insight.  I think it had to do with the certificate and there was one problem with the guide saying use DNS which is not available as an option in the version (latest) that I'm using.

      Is this a good way to set up remote access?  Is there a better way?  I'd just like something reliable and secure.  I'd prefer split tunnel as that's the way I've always used it, but I'm starting to rethink that for purposes of security and protection.

      If you have any suggestions or guides that can help a newbie get remote access set up, I'd really appreciate it.  So far I'm having a lot of fun getting pfSense configured in my environment.  It's really great software.

      Roveer

        NogBadTheBad

        I use the following with W7 & iOS/OS X devices:

        P1

        Encryption Algorithm 3DES
        Hash Algorithm SHA1
        DH Group 2

        P2

        Encryption Algorithms AES & 3DES
        Hash Algorithms SHA1 SHA256 SHA384 & SHA512

        I don't use a split tunnel and tunnel everything.

        Is the cert installed in the correct location ?

        https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          roveer

          @NogBadTheBad:

          I use the following with W7 & iOS/OS X devices:

          P1

          Encryption Algorithm 3DES
          Hash Algorithm SHA1
          DH Group 2

          P2

          Encryption Algorithms AES & 3DES
          Hash Algorithms SHA1 SHA256 SHA384 & SHA512

          I don't use a split tunnel and tunnel everything.

          Is the cert installed in the correct location ?

          https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs

          What do you use for a client on the Windows 7 machine?  Did you use the setup procedures from the guide I posted?  Thanks.

          Roveer

            NogBadTheBad

            @roveer:

            What do you use for a client on the Windows 7 machine?  Did you use the setup procedures from the guide I posted?  Thanks.

            Roveer

            Yes, I followed the link you posted, but my authentication is now using FreeRADIUS; this allows me to give users a fixed IP address from the VPN range.

            I use the inbuilt VPN client on W7.

            https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              roveer

              I took another look at setting up remote access last night and was able to get it to work.

              The problem I was having is that when I went to install the certificate on the laptop I was using certmgr.msc to just install it on the user side.  When I used the MMC console and specified the local machine and then installed the certificate (which also puts it on the personal side as well), I was able to make the connection without a problem.  I think that should be highlighted in any guides that this must be done.  I think a lot of people could make a similar mistake, thinking "oh, I just have to install a certificate, I know how to do that", when in reality it has to be done via MMC.  Even though it's pointed out in the guide, people (me) will ignore those instructions and just install it to the personal user account.

              In any event, I was able to get it working and, after tweaking the DNS settings a little, now have remote access via certificates, utilizing dynamic DNS to locate the site in the event of IP address changes.

              Roveer

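As an added example (not from the thread, and not Netgate's or strongSwan's code): a PowerShell check, run from an elevated prompt on the Windows client, for the mistake the last post describes, the pfSense CA certificate landing in the current-user store instead of the local-machine store. `$CaName` is an assumed substring of the CA certificate's Subject and must be adjusted.

```powershell
# Added example, not from the thread: report where the VPN CA certificate is
# installed on a Windows client. The built-in IKEv2 client runs as a system
# service, so it only trusts CAs in the *machine* Trusted Root store; certmgr.msc
# imports into the *user* store, which is the mistake described in the last post.
# Works on Windows 7 with PowerShell 2.0 or later; run elevated.

$CaName = 'pfSense'   # ASSUMPTION: a substring of the CA certificate's Subject; adjust

function Get-CaPlacement {
    param([string]$Pattern)
    $stores = @(
        'Cert:\LocalMachine\Root',  # where the CA must be for IKEv2 to build the chain
        'Cert:\LocalMachine\My',    # machine Personal store; the MMC import fills this too
        'Cert:\CurrentUser\Root',   # where certmgr.msc puts it by default (not enough)
        'Cert:\CurrentUser\My'
    )
    foreach ($store in $stores) {
        $matches = Get-ChildItem -Path $store | Where-Object { $_.Subject -like "*$Pattern*" }
        foreach ($cert in $matches) {
            $bc = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
            }
            New-Object PSObject -Property @{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                IsCA       = [bool]($bc -and $bc.CertificateAuthority)  # sanity check: it is a CA cert
            }
        }
    }
}

$found = @(Get-CaPlacement -Pattern $CaName)
$found | Format-Table Store, Subject, Thumbprint, NotAfter, IsCA -AutoSize

if ($found | Where-Object { $_.Store -eq 'Cert:\LocalMachine\Root' }) {
    'OK: CA is in the Local Computer Trusted Root store; the IKEv2 service can validate the server.'
} elseif ($found | Where-Object { $_.Store -like 'Cert:\CurrentUser\*' }) {
    'PROBLEM: CA found only under Current User. Re-import it with mmc.exe -> Add/Remove Snap-in'
    '  -> Certificates -> Computer account -> Trusted Root Certification Authorities.'
} else {
    "PROBLEM: no certificate matching '$CaName' found in the Root or Personal stores."
}
```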
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.