Netgate Discussion Forum
    IKEv2 conf: Win 7/10 native client, EAP-TLS/Mutual-RSA + multiple mobile entries

    dogmeat:

      I have spent considerable time trying to get multiple mobile phase 1 entries to work with IKEv2 on pfSense, and perhaps my findings can help other people who are struggling with this:

      Goals and approach

      • VPN access without the need to install software on the client:
        • tested and working on Win7 and Win10, OS X not tested yet
      • manage VPN mobile access for different domains and user groups through one pfSense firewall, using multiple mobile phase 1 entries:
        • each domain and user group combination has its own mobile client phase 1
        • access to the local network is managed through phase 2 entries
      • minimal configuration:
        • tried to leave out unnecessary configuration steps
      • selective routing: do not route internet traffic / client local traffic through the VPN

      Result

      • it works; however, pfSense has to be tricked into accepting multiple mobile client configurations and there may be a good reason for the lack of multiple mobile phase 1 entries support

      • mutual PSK authentication only; EAP-MSChapv2 and EAP-TLS do not work with multiple mobile phase 1 entries because client specific data is not sent during IKEv2 phase

      • although I'm using this approach in a production environment, OpenVPN (my previous solution) is probably the safer way to go - use the following configuration at your own risk …

      pfSense 2.3.2-RELEASE-p1 configuration
      (I'm including the EAP-MSChapv2 and EAP-TLS configurations as well because they worked except for the multiple mobile phase 1 requirement)

      | Setting | EAP-MSChapv2 | EAP-TLS | Mutual-RSA | Notes |
      |---|---|---|---|---|
      | Server Certificate CN | vpn.domain.ch | vpn.domain.ch | vpn.domain.ch | no extended key usage field needed |
      | User Certificate store | Current User | Current User | Local Computer | on Windows |
      | User Certificate CN | group.domain.ch | group.domain.ch | group.domain.ch | created different certificates for each user group / phase 1; created unique certificate passwords for each user (using OpenSSL) to make certificates "unique" |
      | User Certificate FQDN | | group.domain.ch | | only needed for EAP-TLS authentication |
      | My Identifier | My IP Address | My IP Address | My IP Address | |
      | Peer Identifier | any | any | ASN.1 dist. name | match user cert, e.g. "C=CH, ST=Zurich, L=Zurich, O=org, E=group@domain.ch, CN=group.domain.ch" |
      | Phase 1 selection | first mobile phase 1 | first mobile phase 1 | matching peer identifier | multiple phase 1 entries are only supported with mutual PSK |
      | Phase 1 Hash | SHA256 | SHA256 | SHA256 | other configurations not tested |

      * Add additional mobile phase 1 entries at: https://pfsense.domain.ch/vpn_ipsec_phase1.php?mobile=true

      | Phase 2 setting | Value | Notes |
      |---|---|---|
      | Phase 2 Encryption | AES256 | other configurations not tested |
      | Phase 2 Subnets | minimum: include address of DNS server on LAN | pfSense checks overlapping subnets; can be tricked to some extent by mixing named interfaces and IP networks |
      | Phase 2 Hash | SHA1 | SHA256 not supported |

      | Mobile Clients setting | Value | Notes |
      |---|---|---|
      | Virtual address pool | 10.0.0.1/24 | should be a subset of an existing interface; avoid overlap with DHCP and client LAN |
      | Provide list of networks | | ignored by Windows client |
      | DNS Server | 10.0.0.1 | see phase 2 subnets |
      | Configure Unique IDs | NO | enables concurrent users |

      * Use the DNS Resolver instead of the DNS Forwarder: I was not able to get it to work with the DNS Forwarder.

      Windows 7 configuration

      • the "Use default gateway on remote network" option in the Advanced TCP/IP settings of the VPN connection has to be disabled

      • for each phase 2 entry, in an admin console: `route add -p xxx.xxx.xxx.xxx mask 255.255.255.0 0.0.0.0 if XXX`

      • the correct interface index `XXX` can be found with `route print`

      Windows 10 (after anniversary update) configuration

      • for each phase 2 entry, use PowerShell: `Add-VpnConnectionRoute -ConnectionName "group.domain.ch" -DestinationPrefix 10.0.0.0/24 -PassThru`

      OS X configuration tbd
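      The Windows 10 client steps above (turn off the remote default gateway, then one route per phase 2 entry) collected into a single script. This is an added example, not part of dogmeat's post; the connection name and the subnet list are constructed placeholders that you would replace with your own phase 2 networks.

```powershell
# Added example: client-side split-tunnel setup for one IKEv2 mobile phase 1 entry.
# Assumptions: the VPN connection already exists under the name below, and the
# subnets listed are the pfSense phase 2 networks for this user group (constructed values).
$ConnectionName = 'group.domain.ch'
$Phase2Subnets  = @('10.0.0.0/24', '192.168.10.0/24')

# Fails early if the connection does not exist (e.g. name typo).
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# PowerShell equivalent of unticking "Use default gateway on remote network":
# only the prefixes added below are sent through the tunnel, everything else
# (internet, client LAN) stays on the local gateway.
if (-not $vpn.SplitTunneling) {
    Set-VpnConnection -Name $ConnectionName -SplitTunneling $true
}

# One route per phase 2 entry; skip prefixes that are already present so the
# script can be re-run safely after adding a new phase 2 on the firewall.
$existing = @(Get-VpnConnectionRoute -ConnectionName $ConnectionName |
              Select-Object -ExpandProperty DestinationPrefix)
foreach ($prefix in $Phase2Subnets) {
    if ($existing -contains $prefix) {
        Write-Verbose "Route $prefix already present, skipping"
        continue
    }
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix -PassThru
}

# Show the resulting per-connection route table for a final check.
Get-VpnConnectionRoute -ConnectionName $ConnectionName |
    Format-Table DestinationPrefix, RouteMetric -AutoSize
```

      The routes and the split-tunnel flag are stored in the connection's phone book entry rather than in the system route table, so they only exist while that VPN connection is up.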

      Guest:

        FYI, the PowerShell for Windows 10 adds it to the pbk (phone book) file for the VPN, not to the computer itself, so once you add it you can deploy the pbk out with Group Policy if you wish.
