Netgate Discussion Forum

    Virtual Address Pool in Pre-Shared Keys tab nicely work with EAP-TLS

    Category: IPsec

    Posted by thwn

      Re: Virtual Address Pool in Pre-Shared Keys is not used for ipsec

      Sorry if this is already posted elsewhere:

      But I was not aware that the "Pre-Shared Keys" tab in the IPsec section can also be used to define user-based Virtual Address Pools if you set the auth mode in Phase 1 to EAP-TLS (i.e., using user certificates generated with the same CA on pfSense that you use for the IPsec server cert). Since the Pre-Shared Key field is not allowed to be empty, you can use it as a comment field ("cert auth").

      Using "VPN > IPsec > IPsec Export" from the ipsec-profile-wizard package you automatically get offered your TLS certs issued by your CA in the "VPN Client" dropdown. It nicely packages the CA cert, user cert and private key and the IPsec config into one easily installable profile for macOS and iOS (I didn't test the Windows part).

      Notable: the "Local ID" field in the IKEv2 config was automatically prefilled on macOS/iOS. That was not the case when using EAP-MSChapv2 for auth. As @heltech points out, it could be filled with the Identifier given in the Pre-Shared Keys entry of the user to make user pools work. Using EAP-TLS does make this step unnecessary.

      The only small problem I noticed so far: when installing the Apple profile on a client, the CA cert is not trusted for SSL server usage out of the box. This might confront you with an untrusted cert alert, e.g., for your pfSense web GUI. Easily correctable though in Keychain (macOS) or General > About > Certificate Trust Settings in iOS.

      For me, this is a perfect solution for a user friendly separation of VPN privileges controllable via firewall rules on the IPsec interface.

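As an added illustration (not part of the post above and not code from pfSense or the ipsec-profile-wizard package), the following script inspects an exported Apple .mobileconfig for the two things the post depends on: that the IKEv2 payload carries a LocalIdentifier (the identity matched against the per-user pool entry) and that a CA root payload is bundled (which, as noted, still needs its SSL trust enabled by hand). The sample profile is constructed inline from Apple's documented payload keys; the server name, identity and UUID are placeholders.

```python
"""Check an Apple IKEv2 .mobileconfig for the settings a per-user pool setup relies on."""
import plistlib

# Constructed sample profile (placeholders, not an actual pfSense export).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.ipsec.profile",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.vpn.managed",
            "PayloadIdentifier": "example.ipsec.vpn",
            "VPNType": "IKEv2",
            "IKEv2": {
                "RemoteAddress": "vpn.example.invalid",       # placeholder server
                "RemoteIdentifier": "vpn.example.invalid",
                "LocalIdentifier": "alice@example.invalid",   # prefilled with EAP-TLS
                "AuthenticationMethod": "Certificate",
                "ExtendedAuthEnabled": 1,
                "PayloadCertificateUUID": "USER-CERT-UUID-PLACEHOLDER",
            },
        },
        {
            "PayloadType": "com.apple.security.root",
            "PayloadIdentifier": "example.ipsec.ca",
            "PayloadContent": b"-- constructed placeholder for the DER CA cert --",
        },
    ],
})


def inspect_profile(data: bytes) -> dict:
    """Return the fields that matter for pool matching and CA trust."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    result = {"local_id": None, "auth_method": None,
              "eap_enabled": False, "ca_included": False}
    for p in payloads:
        ptype = p.get("PayloadType")
        if ptype == "com.apple.vpn.managed" and p.get("VPNType") == "IKEv2":
            ike = p.get("IKEv2", {})
            result["local_id"] = ike.get("LocalIdentifier") or None
            result["auth_method"] = ike.get("AuthenticationMethod")
            result["eap_enabled"] = bool(ike.get("ExtendedAuthEnabled"))
        elif ptype == "com.apple.security.root":
            # The CA is delivered, but SSL server trust is a separate manual step.
            result["ca_included"] = True
    # Without a LocalIdentifier the client cannot be matched to its own pool entry.
    result["pool_match_possible"] = result["local_id"] is not None
    return result
```

Run `inspect_profile(open("profile.mobileconfig", "rb").read())` against a real export to see whether the Local ID was prefilled before installing it on a device.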
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.