Safe IKEv2 Configuration for pfSense and Windows 10 and macOS
-
Thanks for taking the time to post this. I decided on IPsec instead of OpenVPN due to built-in client support for Windows and Android, but it appears "built-in" is a stretch.
I think I have IPSec IKEv2 set up in pfSense, I'm getting through the firewall from a Windows laptop with the certificate, but then I get "policy match error", which I'm guessing is the lack of windows GUI configuration for the Netgate-recommended security settings at the pfSense end.
Going to try it now . . .
-
All the clients seem to suck unless you buy a high-end firewall and most of those are just GUI wrappers for IPsec that make it easy to configure and add some extra features. I attempted OpenVPN but the free version clients don't provide a great experience. I decided to switch to IPsec thinking that basically every client supports it; I had no idea that it was going to take me days to configure properly.
-
OK, I believe the encryption protocols were negotiated after running the PowerShell script in Windows. The pfSense IPsec status page showed an incoming connection, but I got an authentication failure from the Windows client.
I am using a pre-shared key with EAP, and the certificate was installed on the Windows laptop per Netgate documentation. I didn't see anything in the PowerShell script to connect the cert to the VPN setup, but maybe that isn't needed?
VPN / IPsec / Pre-Shared Keys:
System / Certificate Manager / Certificates:
-
I'm using EAP-RADIUS with JumpCloud so no PSK here. You might take a look at MS docs for the PowerShell cmdlets.
https://docs.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps
https://docs.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnection?view=win10-ps
https://docs.microsoft.com/en-us/powershell/module/vpnclient/add-vpnconnection?view=win10-ps
Alternatively, take a look at JumpCloud. I think it's free for up to 10 user accounts; I only have 4. https://jumpcloud.com/ It gives you username/password based authentication with a public web-facing password reset portal with MFA for free. It has some other cool stuff like a Linux agent that updates local accounts/groups for SSH access; you can use password or public key auth and configure passwordless sudo and SSH MFA directly from the user portal. It also does Windows account management for RDP logins with MFA, and LDAP and RADIUS servers. Pretty cool, and I was amazed at how easy it was to configure everything.
This sounds like an ad, but I'm just excited that some enterprise stuff that's traditionally been relegated to the LAN or been very difficult to safely implement over the public Internet is finally getting some SaaS offerings.
-
@groupers said in Safe IKEv2 Configuration for pfSense and Windows 10 and macOS:
I'm using EAP-RADIUS with JumpCloud so no PSK here. You might take a look at MS docs for the PowerShell cmdlets.
https://docs.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps
https://docs.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnection?view=win10-ps
https://docs.microsoft.com/en-us/powershell/module/vpnclient/add-vpnconnection?view=win10-ps
Alternatively, take a look at JumpCloud.
While I am sure JumpCloud is cool, I'm not looking to add any more moving parts to this setup at the moment. I would be happy to just have a working VPN.
Still not sure if or where in the powershell setup the authentication was configured. I did see this in your links:
[[-AuthenticationMethod] <String[]>] [[-EapConfigXmlStream] <XmlDocument>]
-
I'm afraid I'm not really sure where to go with this. It seems like I got through the firewall, the myriad of possible configurations on both the client and server end, and somehow authentication is failing? No wonder people just settle for an "insecure" setup that falls within the intersection of Windows and pfSense GUI configuration.
-
This wasn’t intended to be a full IPSec configuration guide but a guide to configuring strong IPSec crypto on pfSense and clients. My configuration does not use certificates for machine or user authentication.
If you have a configuration that is working using EAP-RADIUS it will work with these changes. I have no experience using the powershell cmdlets to configure IPSec with TLS auth and am not paid pfSense support.
-
@groupers said in Safe IKEv2 Configuration for pfSense and Windows 10 and macOS:
This wasn’t intended to be a full IPSec configuration guide but a guide to configuring strong IPSec crypto on pfSense and clients. My configuration does not use certificates for machine or user authentication.
You could have led with that. I have a working pfSense setup, just trying to configure the Windows client. Thanks for your efforts.
-
-
@lifespeed said in Safe IKEv2 Configuration for pfSense and Windows 10 and macOS:
I didn't see anything in the PowerShell script to connect the cert to the VPN setup, but maybe that isn't needed?
VPN / IPsec / Pre-Shared Keys:
I don't think it's necessary as long as the trusted key is installed. I automated that in an earlier script (which I'm still adapting, but the cert portion is relevant). I have another version which maps out multiple subnets; I just don't have access to it from here.
```powershell
$Name          = "NAME"
$Server        = "HOST"
$DnsSuffix     = "DnsSuffix"
$RemoteNetwork = "xxxxxxxx/24"
$Cert = @'
-----BEGIN CERTIFICATE-----
CUT AND PASTED KEY HERE
-----END CERTIFICATE-----
'@

## Add the cert: import the PEM text above into the LocalMachine Trusted Root store
$EncodedCert = [System.Text.Encoding]::UTF8.GetBytes($Cert)
$pfx   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$pfx.Import($EncodedCert)
$store.Open("MaxAllowed")
$store.Add($pfx)
$store.Close()

## Add the connection (the CIM error thrown when it already exists is ignored)
try {
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType "Ikev2" `
        -EncryptionLevel "Required" -AuthenticationMethod Eap -SplitTunneling `
        -AllUserConnection -RememberCredential -PassThru -DnsSuffix $DnsSuffix
} catch [Microsoft.Management.Infrastructure.CimException] {
    ## Ignore
}

## Route the remote subnet through the tunnel. The connection was created with
## -AllUserConnection, so the route must be added with the same switch or the
## cmdlet will not find the connection.
Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $RemoteNetwork -AllUserConnection
```
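The posts above point at Set-VpnConnectionIPsecConfiguration for the crypto settings but never show it, and the script above only creates the connection. What follows is an added example (the editor's own, not the thread's script and not from Netgate) that creates the IKEv2 connection and then pins Windows to one explicit proposal. It assumes the pfSense Phase 1 entry is AES256-GCM / SHA384 / DH group 20 (ECP384) and the Phase 2 entry is AES256-GCM with PFS group 20; the connection name, server address, CA file path and the proposal constants are placeholders to be matched to your own pfSense settings. A mismatch on either phase is what the Windows client reports as a "policy match error"; an authentication failure after the proposals agree is a separate problem (EAP/RADIUS or certificate trust), which is why the two are worth separating.

```powershell
# Added example, not code from the thread. Placeholders: $Name, $Server, $CaFile.
# Run from an elevated PowerShell: the VPN is created as an all-user connection.
$Name   = "Office IKEv2"               # placeholder connection name
$Server = "vpn.example.com"            # placeholder; must match the server cert's SAN/CN
$CaFile = "C:\path\to\pfsense-ca.crt"  # placeholder: CA exported from pfSense (PEM or DER)

function Install-VpnCa {
    param([string]$Path)
    # Trust only the CA that signed the pfSense server certificate. The server cert
    # itself is validated at connect time against this CA, so it does not go in Root.
    Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

function New-StrongIkev2Connection {
    param([string]$Name, [string]$Server)

    # 1. Connection skeleton. -AuthenticationMethod Eap with no EapConfigXmlStream
    #    uses Windows' default EAP method (EAP-MSCHAPv2), which is what pfSense's
    #    EAP-RADIUS / EAP-MSCHAPv2 mobile client setups expect. No PSK, no client cert.
    if (-not (Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue)) {
        Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
            -AuthenticationMethod Eap -EncryptionLevel Required `
            -AllUserConnection -RememberCredential -SplitTunneling | Out-Null
    }

    # 2. Replace the Windows default IKEv2 proposal set (which still offers
    #    3DES/SHA1/DH group 2 and no PFS) with one explicit proposal. Every value
    #    below must appear in the matching pfSense Phase 1 / Phase 2 entry
    #    (assumed here: AES256-GCM, SHA384, DH 20 / AES256-GCM, PFS 20).
    $proposal = @{
        ConnectionName                   = $Name
        AllUserConnection                = $true
        EncryptionMethod                 = 'GCMAES256'  # IKE SA (Phase 1) cipher
        IntegrityCheckMethod             = 'SHA384'     # IKE SA integrity / PRF
        DHGroup                          = 'ECP384'     # Phase 1 DH group 20
        CipherTransformConstants         = 'GCMAES256'  # ESP (Phase 2) cipher
        AuthenticationTransformConstants = 'GCMAES256'  # ESP integrity: with a GCM cipher this must be the same GCM value
        PfsGroup                         = 'ECP384'     # Phase 2 PFS group 20
        Force                            = $true
    }
    Set-VpnConnectionIPsecConfiguration @proposal
}

function Show-VpnProposal {
    param([string]$Name)
    # Read back what Windows will actually offer. An empty result means the custom
    # policy did not apply and the client is still sending the defaults.
    (Get-VpnConnection -Name $Name -AllUserConnection).IPsecCustomPolicy
}

Install-VpnCa -Path $CaFile
New-StrongIkev2Connection -Name $Name -Server $Server
Show-VpnProposal -Name $Name

# Connect with EAP credentials ('*' makes rasdial prompt for the password rather
# than putting it on the command line):
#   rasdial "$Name" <username> *
```

If the pfSense side uses the more compatible AES-CBC proposals instead (for example AES 256 / SHA256 / DH 14), change the hashtable to EncryptionMethod AES256, IntegrityCheckMethod SHA256, DHGroup Group14, CipherTransformConstants AES256, AuthenticationTransformConstants SHA256128 and PfsGroup PFS2048; the point is that each Windows constant maps one-to-one onto a pfSense Phase 1 or Phase 2 field, and the IPsec log on pfSense (Status / System Logs / IPsec) shows which side rejected the proposal.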