HELP ME: IKEv2 setup with StrongSwan server



  • Hi all, I have a strongSwan VPN server (let's call this vpn-box) that I want to connect to using my pfSense machine (let's call this pf-box) to evade censorship and all that. What I want to achieve is have my pf-box share this connection to all its ethernet ports, as in the pf-box is acting like a hardware VPN of sorts. The reason why I'm doing this is I have some peripherals that have ethernet but can't install any VPN software, so I'd like to expose that to them with a pfSense box. Is this possible?



  • I've been trying to do this as well, with a VPN provider (NordVPN) that supports IKEv2 with MSCHAP authentication.
    So far, I haven't been able to set up the pfSense as an IKEv2 client with MSCHAP authentication. It might not be possible to do so. But if it is, I'd be very interested to know.



  • @wildboarcharlie Yes it's completely possible, and not that hard. Similar to @LilYoda, I do exactly what you're describing to connect my pfSense box to my VPN provider (coincidentally, also NordVPN) and route my LAN traffic over the VPN, but I use OpenVPN instead of IKEv2 with MSCHAPv2. There are no problems connecting, but I've noticed that the VPN link will disconnect after a few hours despite near-constant network traffic. I've read in other threads that this behavior is due to configurations on the VPN provider's side, not pfSense's settings.

    There is a lot of documentation already prepared which can help you configure the VPN:
    https://doc.pfsense.org/index.php/VPN_Capability_Overview



  • I've done OpenVPN to NordVPN (I've even played around with 4 tunnels and load-balancing on the 4 tunnels)

    But I haven't been able to configure IKEv2 towards NordVPN. I read the guides you mentioned, but from what I read, MSCHAP can be configured for an IKEv2 server on pfSense, not an IKEv2 client on pfSense. The guide on IKEv2 that you linked to is written for an IKEv2 server on pfSense, and remote clients like iOS or Android.

    Here's what I did:

    1. download root certificate from NordVPN
    2. convert to PEM format
    3. import as a CA in System->Certificate
    4. Go to VPN->IPSec and set up a site-to-site tunnel.
      However, in the authentication box, I only see "Shared PSK" or "RSA".
      I have tried both settings, selecting the root NordVPN cert for the remote in "RSA" mode, or using my NordVPN password as the pre-shared key when in "PSK" mode.
      When I go to the status page and click "connect", it goes back to the "disconnected" state almost instantly. When I check the logs, I keep getting an authentication failed reply from the NordVPN server.

    I might be missing something, though  :o
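For reference, this is an added example (not from any poster in this thread) of the strongSwan swanctl.conf a plain strongSwan client uses for the setup described above: IKEv2, the client authenticating with an EAP-MSCHAPv2 username and password, and the server authenticated only by a certificate chained to the imported CA. The server hostname, identity, CA file name and credentials are assumed placeholders.

```conf
# Added example: strongSwan IKEv2 client with EAP-MSCHAPv2 login and
# certificate-based server verification. All names below are placeholders.
connections {
    vpn-box {
        version = 2                      # IKEv2 only, no IKEv1 fallback
        remote_addrs = vpn.example.net   # assumed server hostname
        vips = 0.0.0.0                   # ask the server for a virtual IPv4 address
        local {
            auth = eap-mschapv2          # client side: username/password, no client cert
            eap_id = alice               # assumed EAP identity (the login name)
        }
        remote {
            auth = pubkey                # server must present a certificate...
            id = vpn.example.net         # ...whose identity matches this name
            cacerts = vpn-box-root.pem   # the CA from step 3, in PEM, under /etc/swanctl/x509ca/
        }
        children {
            tunnel {
                remote_ts = 0.0.0.0/0    # send all traffic through the tunnel
                start_action = start     # bring the CHILD_SA up when the config loads
                dpd_action = restart     # re-establish if the peer stops answering DPD
            }
        }
        dpd_delay = 30s                  # dead peer detection interval
    }
}
secrets {
    eap-alice {
        id = alice
        secret = "changeme"              # assumed password; keep this file root-only
    }
}
```

The key difference from a site-to-site profile is the asymmetric auth: `local.auth = eap-mschapv2` with no client certificate, while `remote.auth = pubkey` pins the server to the CA, which is the combination a PSK-or-RSA mutual-auth dialog cannot express.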