IKEv2 Road Warrior VPN with a Dynamic WAN IP?



  • Simple question:  Is it possible with the following ingredients to have a working IKEv2 road warrior VPN?

    • pfSense 2.3.1_1 running on official hardware
    • WAN IP is Dynamic (using a Dyndns.org entry)
    • compatible w/ OS X 10.11, Windows 10 and (ideally) iOS 9

    I've spent the last 3 days fiddling with knobs, CAs, certs, and cipher settings but have had zero success. Just want to know if I am climbing an unscalable mountain. All guides I have seen to date are outdated.



  • Luckman,

    Try this config from pfsense wiki

    https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

    For CA certificate put it in the Trusted Root certification Authorities following this guide

    https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs

    It work for me in Windows 10 on latest release (as it was working in all the previous)



  • dax- thank you- yes that was one of the first guides I tried to follow.

    Problem as I mentioned in my OP is that it requires entering the "WAN IP" which in this case is dynamic. See screenshot.  So are you saying that every time the IP changes (could be once a week e.g.) a new Cert would need to be generated, imported, trusted, etc.. ?

    Or am I still missing something??




  • just use your DDNS in common name and in alternative names selecting FQDN or hostname in our server cert



  • Would you mind posting some screenshots of your config?  I have literally spent hours and cannot make that work.  Of course redact any sensitive info but it would be extremely helpful to see a sample working config – CA / server cert pages and then the IPSEC tunnel pages showing P1/P2 config..... thank you very much



  • To be more clear you need subscription to a dynamic dns service:

    https://doc.pfsense.org/index.php/Dynamic_DNS

    In the image you see user cert that should be server cert, sorry

    DDNS is somewhere.dyndns.com sorry again.




  • Thanks - I do know what a DDNS service is and I already subscribe to that and have my DDNS working.  What I am saying is when I tried to use that in my cert, it resulted in a non-working config.  So I was hoping to see more of your screenshots from those sections and see where I might have made a wrong turn…

    It's interesting that you have an @ symbol in yours.. is that valid??



  • Screenshots










  • daxpfacc, just wanted to confirm (because I was re-reading this and noticed you linked to a post about installing certs in Windows)- have you gotten this config working on MacOS X and/or iOS9?


  • LAYER 8 Netgate

    You need to create a server certificate using the DDNS FQDN as both the CN and a SAN as described in that guide.

    Use that certificate as the server certificate.

    Import and trust the CA in the device.

    Instruct your clients to connect to the FQDN not the IP address.



  • Thank you - I had success last night and was able to get a working IKEv2 set up [pfSense 2.3.1_5 / OS 10.11.5 / iOS 9.3.2]. I was struggling at first because my connection would immediately fail when I hit connect if a DNS name was specified for "Server".  On a whim I tried putting an IP there instead and - it worked.  Then I tried a different DDNS name (pointed at the same IP) and that worked too.

    So for now, the quirk I'm trying to overcome is that the "Server Address" and the "Remote ID" fields cannot be the same or the connection immediately fails.  Not sure if that's something I've configured wrong or if that's expected behavior…


  • LAYER 8 Netgate

    Is the name you are trying to use actually out in global DNS?



  • Yes it is in public DNS.  It's a really strange problem actually.  I don't know exactly where the problem lies but here's what the symptoms are:

    Let's assume I have 2 public DNS domains "foo.com" and "baz.com" hosted on Namecheap

    • I have set the wildcard A record '*.foo.com' as a Dynamic DNS entry pointing to the WAN IP of my pfSense router

    • I have ext.baz.com also pointing to the WAN IP of my pfSense router (same IP as *.foo.com)

    • Router name (System > General) is "r1.foo.com"

    • IKEv2 Server Cert "CN" = "r1.foo.com"

    • IPSEC IKEv2 Phase1 "My Identifier" (Distinguished Name) = "r1.foo.com"

    Now, from a machine OUTSIDE of the LAN:

    • dig r1.foo.com returns the correct public IP, let's say 11.22.33.44

    • dig ext.baz.com returns the exact same IP 11.22.33.44

    BUT, if I specify "r1.foo.com" in the Server Address from my VPN client (Mac) and try to connect, it immediately fails.  However, changing it to "ext.baz.com" works fine.  I don't even have to have ext.baz.com set as a SAN on the cert, it just works.

    So what I have concluded for now is that somehow, having the identifier on the Phase1 the same as the system/router name may be causing the issue … could be some sort of interaction with DNS not resolving right from the router itself if strongSwan is maybe querying r1.foo.com during the negotiation phase. ??? Not sure


  • LAYER 8 Netgate

    What's in the logs?


Log in to reply