New to pfSense - need to set up ipsec vpn remote access



  • I've been playing with pfSense for the past two weeks and just took my two sites live on the system.  Very impressed with all the features.

    I need to set up remote access so I can access the systems when away with my laptop.  I really don't want to use openvpn and would rather use ipsec vpn.

    Last night I tried to set up remote access using this guide: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

    My client (me) uses a windows 7 laptop

    It failed saying something about not liking the ike credentials.  It was late so I did not properly document.

    This method is using EAP-MSCHAPv2, which is built into Windows 7.  I'm used to using a VPN client on my old Check Point implementation.

    I found one similar post with the exact same problem I was having and there were no additional posts providing any insight.  I think it had to do with the certificate, and there was one problem with the guide saying to use DNS, which is not available as an option in the version (latest) that I'm using.

    Is this a good way to set up remote access?  Is there a better way?  I'd just like something reliable and secure.  I'd prefer split tunnel as that's the way I've always used it, but I'm starting to rethink that for purposes of security and protection.

    If you have any suggestions or guides that can help a newbie get remote access set up, I'd really appreciate it.  So far I'm having a lot of fun getting pfSense configured in my environment.  It's really great software.

    Roveer



  • I use the following with W7 & IOS/OS X Devices :-

    P1

    Encryption Algorithm 3DES
    Hash Algorithm SHA1
    DH Group 2

    P2

    Encryption Algorithms AES & 3DES
    Hash Algorithms SHA1 SHA256 SHA384 & SHA512

    I don't use a split tunnel and tunnel everything.

    Is the cert installed in the correct location ?

    https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs



  • @NogBadTheBad:

    I use the following with W7 & IOS/OS X Devices :-

    P1

    Encryption Algorithm 3DES
    Hash Algorithm SHA1
    DH Group 2

    P2

    Encryption Algorithms AES & 3DES
    Hash Algorithms SHA1 SHA256 SHA384 & SHA512

    I don't use a split tunnel and tunnel everything.

    Is the cert installed in the correct location ?

    https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs

    What do you use for a client on the Windows 7 machine?  Did you use the setup procedures from the guide I posted?  Thanks.

    Roveer



  • @roveer:

    @NogBadTheBad:

    I use the following with W7 & IOS/OS X Devices :-

    P1

    Encryption Algorithm 3DES
    Hash Algorithm SHA1
    DH Group 2

    P2

    Encryption Algorithms AES & 3DES
    Hash Algorithms SHA1 SHA256 SHA384 & SHA512

    I don't use a split tunnel and tunnel everything.

    Is the cert installed in the correct location ?

    https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs

    What do you use for a client on the Windows 7 machine?  Did you use the setup procedures from the guide I posted?  Thanks.

    Roveer

    Yes, I followed the link you posted, but my authentication now uses FreeRADIUS, which allows me to give users a fixed IP address from the VPN range.

    I use the built-in VPN on W7.

    https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect



  • I took another look at setting up remote access last night and was able to get it to work.

    The problem I was having is that when I went to install the certificate on the laptop I was using certmgr.msc to just install it on the user side.  When I used the MMC console and specified the local machine and then installed the certificate (which also puts it on the personal side as well), I was able to make the connection without a problem.  I think that should be highlighted in any guides that this must be done.  I think a lot of people could make a similar mistake thinking "oh, I just have to install a certificate, I know how to do that," when in reality it has to be done via MMC.  Even though it's pointed out in the guide, people (me) will ignore those instructions and just install it to the personal user account.

    In any event, I was able to get it working and, after tweaking the DNS settings a little, now have remote access via certificates, utilizing dynamic DNS to locate the site in the event of IP address changes.

    Roveer
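The store mix-up described in the post above (CA certificate landing in the current user's store instead of the Local Machine store) is easy to check from the command line before trying the connection. The script below is an added example, not code from the thread, from pfSense or from the strongSwan wiki: it reports whether a given CA certificate is present in the CurrentUser and LocalMachine Root and Personal stores, and optionally imports it into LocalMachine\Root, which is the store the built-in Windows 7 IKEv2 client consults. It uses only .NET X509Store classes so it runs on the PowerShell 2.0 that ships with Windows 7 (the Import-Certificate cmdlet does not exist there). The path C:\vpn\pfsense-ca.crt is a hypothetical location for the CA exported from pfSense; the script must run from an elevated prompt to write to the machine store.

```powershell
<#
  Added example (not part of the forum thread or the pfSense/strongSwan guides).
  Shows which certificate stores hold a CA certificate and, with -Import, adds it
  to LocalMachine\Root (Trusted Root Certification Authorities), the store the
  built-in Windows 7 IKEv2 client uses to validate the pfSense server certificate.
  Assumptions (hypothetical): the CA exported from pfSense is saved as
  C:\vpn\pfsense-ca.crt and the script is run from an elevated PowerShell prompt.
#>
param(
    [string]$CertPath = 'C:\vpn\pfsense-ca.crt',   # hypothetical path
    [switch]$Import                                # add to LocalMachine\Root if missing
)

$ns = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$ns.X509Certificate2" -ArgumentList $CertPath
Write-Host ("Certificate: {0}`nThumbprint:  {1}" -f $cert.Subject, $cert.Thumbprint)

# Sanity check: the file should be the CA, not the server or a user certificate.
$bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    Write-Warning 'This certificate is not a CA; install the pfSense CA (not the server or user cert) into Trusted Root.'
}

# Look a thumbprint up in one store; $Location is CurrentUser or LocalMachine.
function Test-CertInStore {
    param([string]$Location, [string]$StoreName, [string]$Thumbprint)
    $store = New-Object "$ns.X509Store" -ArgumentList $StoreName, $Location
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    $hit = $store.Certificates.Find(
        [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
        $Thumbprint, $false)
    $store.Close()
    return ($hit.Count -gt 0)
}

# certmgr.msc run as a normal user writes to CurrentUser; the MMC "Computer account"
# snap-in writes to LocalMachine. Report both so the mistake is visible.
$checks = @(
    @{ Location = 'CurrentUser';  Store = 'Root' },
    @{ Location = 'LocalMachine'; Store = 'Root' },
    @{ Location = 'CurrentUser';  Store = 'My' },
    @{ Location = 'LocalMachine'; Store = 'My' }
)
foreach ($c in $checks) {
    $present = Test-CertInStore -Location $c.Location -StoreName $c.Store -Thumbprint $cert.Thumbprint
    Write-Host ("{0,-12} {1,-5} : {2}" -f $c.Location, $c.Store, $(if ($present) { 'present' } else { 'missing' }))
}

$inMachineRoot = Test-CertInStore -Location 'LocalMachine' -StoreName 'Root' -Thumbprint $cert.Thumbprint
if (-not $inMachineRoot) {
    Write-Warning 'CA is not in LocalMachine\Root; the Windows 7 IKEv2 client will reject the server certificate.'
    if ($Import) {
        # Writing to the machine store needs administrative rights.
        $id = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = New-Object Security.Principal.WindowsPrincipal -ArgumentList $id
        if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
            throw 'Importing into the Local Machine store requires an elevated prompt.'
        }
        $store = New-Object "$ns.X509Store" -ArgumentList 'Root', 'LocalMachine'
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
        $store.Add($cert)
        $store.Close()
        Write-Host 'Imported into LocalMachine\Root (Trusted Root Certification Authorities).'
    }
}
```

Run it once without -Import to see the four store lines; a "CurrentUser Root: present / LocalMachine Root: missing" pair is exactly the certmgr.msc mistake from the post. Two caveats worth keeping in mind: anything placed in LocalMachine\Root is trusted machine-wide for every purpose Windows uses certificates for, not just this VPN, so import only the dedicated CA you created for the VPN on pfSense; and the machine store fixes trust only, so the host name typed into the Windows connection must still match the name the pfSense guide has you put in the server certificate, or the client will fail with a credentials error even though the CA is installed.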

