Netgate Discussion Forum

    IPsec VPN Tutorial (iPhone, Android, Windows, Linux)

    Category: IPsec
      andre323:

      Hi all,

      This is my first post to this forum. As a very happy pfSense user I have managed to get an IPsec VPN up and running which allows me to connect to it by using various devices, such as iPhones, iPads, Android devices, Windows and Linux boxes. With this post I would like to share my experience with you. Hopefully, some of you might find this tutorial useful. I have tried to describe my configuration settings as detailed as possible.

      You can find the tutorial here:
      http://blog.andregasser.net/how-to-configure-ipsec-vpn-on-pfsense-for-use-with-iphone-ipad-android-windows-and-linux/

      I am by no means an IPsec VPN expert. So, if you find any errors or other issues, I would like to hear from you. Constructive feedback is always very welcome.

      Best regards,
      André

        dstroot:

        First - wonderful job trying to document this!  I have one question and one suggestion:

        Question - has anyone tried this with iOS 8.02?  I can't for the life of me get this to work…

        Suggestion - I'm a visual person, screenshots would be most appreciated rather than just the text in the guide - however it is still quite clear.

          P3R:

          Thanks andre323,

          This is what I noticed so far when following your instructions:

          • There is no need to add the WAN rules to allow IPSec traffic in. The system automatically creates (hidden) rules for that.

          • As far as I know you can't create the mobile clients phase 1 entry the way you describe (going directly to the VPN>IPSec>Tunnels tab). The only way I have found to do it is to FIRST Enable IPsec Mobile Client Support, THEN to use the Create Phase 1 button showing on the Mobile Clients tab.

          • The rule created in Firewall>Rules>IPSec to allow client traffic in could be tightened considerably. I set the source network to be the same as the Virtual Address Pool defined in VPN>IPSec>Mobile Clients and the destination network only to the resources I allow (could even be a single server, depending on individual security policy).

            dstroot:

            > As far as I know you can't create the mobile clients phase 1 entry the way you describe (going directly to the VPN>IPSec>Tunnels tab). The only way I have found to do it is to FIRST Enable IPsec Mobile Client Support, THEN to use the Create Phase 1 button showing on the Mobile Clients tab.

            Yep, I agree - this hung me up!

              ErTnEc:

              I'm having some issues with this, I've been fighting with IPSec now for a while to try get it to work, but it doesn't seem to want to allow any traffic through to anything other than the PFSense box.  So, I've not configured the IPSec VPN as described in this guide, re-configured my Android handset, but alas the same still occurs.

              I can connect fine to PFSense admin from Android, I can ping any network IP through the VPN, but I can't get any traffic to it via either Chrome or anything else.

              Firewall is also showing packets as being allowed…

              Bit of background on the setup...  (example devices used)

              LAN is 10.0.0.0/8.
              PFSense is 10.10.100.1
              Device A is 10.10.50.20
              Device B is 10.20.10.15

              IPSec is configured as per the instructions in the documentation, with the IP range in Mobile Clients being 172.16.0.0/24.

              The phone connects fine to the VPN, I can ping the phone's assigned IP (172.16.0.6) from pfsense, and as mentioned ping all devices on the LAN fine from the phone (in an adb shell)

              But, try to hit (for example) Device A on :443, it hangs.  Device B on :80, it also hangs...

              Any ideas?  I've even tried setting the Mobile Client range to 10.60.20.0/24 but to no avail... If any more info/logs/etc is needed just say.

              Cheers

                andra.pocherebox:

                I'm having the same issue that's driving me crazy!  :'(
                I'm on the latest release 2.2; I tried several configs and could always establish the connection between my iPhone and the pfSense endpoint.
                When on 3G, I can reach my internal LAN and am able to access the pfSense box as well as my shared resources. What I really cannot make work is redirecting my iPhone traffic through the pfSense IPsec VPN…
                My iPhone always goes to the web by using its 3G IP instead of the pfSense one.

                Any thoughts?

                Thanks

                  andra.pocherebox:

                  Well… Being stubborn led me to solve it by myself!  :D :D

                  To whom it may interest: I found out that to redirect all traffic through the VPN, you gotta set up two different Phase 2 entries according to the picture below.

                  Then both your LAN traffic and Internet traffic will be routed correctly through the VPN endpoint.
                  Hope this can help!

                  Cheers

                  ![Screen Shot 2015-02-28 at 19.59.51.png](/public/imported_attachments/1/Screen Shot 2015-02-28 at 19.59.51.png)

                    dstroot:

                    @andra.pocherebox:

                    > Well… Being stubborn led me to solve it by myself!  :D :D
                    >
                    > To whom it may interest: I found out that to redirect all traffic through the VPN, you gotta set up two different Phase 2 entries according to the picture below.
                    >
                    > Then both your LAN traffic and Internet traffic will be routed correctly through the VPN endpoint.
                    > Hope this can help!
                    >
                    > Cheers

                    Could you post your full configuration?  PLEASE????  ;D

                    All the guides and whatnot I have seen (including the one above in the first post) do not really address pfsense 2.2 and I have basically given up because people post that they got it working but never seem to share a full configuration that works and I can't seem to put it all together.

                      andra.pocherebox:

                      I made up a tutorial. I hope this can help!

                      Best

                      https://www.dropbox.com/s/zwbq6ix97s6fu1c/IPsecVPN.pdf?dl=0

                        sic08869:

                        Thank you! will give this a go today!

                          jkline:

                          Hi andra.pocherebox,

                          Thanks for that Dropbox document!

                          Somewhere along the line, my intranet names stopped resolving over VPN.

                          VPN worked, but I had to use IP addresses.

                          I had presumed the configured DNS servers were not being provided to the client. Whatever it is/was, adding the second phase 2 entry with network 0.0.0.0/0 was all that was needed. My intranet names now resolve!

                          Cheers,
                          John

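The three fixes above (P3R tightening the IPsec-interface rule to the Virtual Address Pool and the allowed resources, andra.pocherebox's second Phase 2 entry, and jkline naming that entry's network as 0.0.0.0/0) come down to two separate decisions a mobile client's packet goes through on the pfSense side: whether any Phase 2 traffic selector covers the destination at all, and whether a rule on the IPsec interface then passes it. The following is an added illustration, not code from any poster, pfSense or strongSwan. It models both decisions in plain Python; the addresses are the ones quoted in the thread, the rule sets and the public address 203.0.113.10 are constructed here, and picking the most specific covering selector is an assumption about how the client routes, not a documented pfSense behaviour.

```python
# Added illustration (not pfSense/strongSwan code): model of (1) Phase 2 traffic
# selector coverage and (2) the IPsec-interface firewall rule for a mobile client.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPNet = ipaddress.IPv4Network


def net(s: str) -> IPNet:
    return ipaddress.ip_network(s, strict=False)


# Constructed from the thread: the mobile client pool, the LAN and two LAN hosts.
MOBILE_POOL = net("172.16.0.0/24")
LAN = net("10.0.0.0/8")
DEVICE_A, DEVICE_B = "10.10.50.20", "10.20.10.15"
ANY = net("0.0.0.0/0")

# Phase 2 local networks. Split tunnel = LAN only; full tunnel = LAN plus the
# 0.0.0.0/0 entry that makes the client send everything through the VPN.
SPLIT_TUNNEL = [LAN]
FULL_TUNNEL = [LAN, ANY]


def selected_phase2(dst: str, phase2_nets: List[IPNet]) -> Optional[IPNet]:
    """Return the most specific Phase 2 network covering dst, or None.

    A destination matched by no selector never enters the tunnel: the client
    sends it out its own uplink (the 3G address seen earlier in the thread),
    and a DNS server outside every selector is no exception.
    Longest-prefix choice is an assumption about the client's routing table.
    """
    addr = ipaddress.ip_address(dst)
    covering = [n for n in phase2_nets if addr in n]
    return max(covering, key=lambda n: n.prefixlen) if covering else None


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: IPNet
    dst: IPNet
    dport: Optional[int] = None  # None means any destination port


# The permissive any-to-any rule many guides put on the IPsec interface.
LOOSE_RULES = [Rule("pass", ANY, ANY)]

# P3R's tightened variant (constructed): only the client pool as source, only
# the resources actually offered as destinations.
TIGHT_RULES = [
    Rule("pass", MOBILE_POOL, net(DEVICE_A + "/32"), 443),
    Rule("pass", MOBILE_POOL, net("10.10.100.1/32"), 443),  # the pfSense GUI itself
]


def ipsec_iface_verdict(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First-match evaluation with pfSense's implicit default deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "block"


def trace(phase2_nets: List[IPNet], rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """Combine both decisions into one readable outcome for a single flow."""
    sel = selected_phase2(dst, phase2_nets)
    if sel is None:
        return "bypasses tunnel"
    return f"tunnelled via {sel}, {ipsec_iface_verdict(rules, src, dst, dport)}"


if __name__ == "__main__":
    client = "172.16.0.6"  # the phone's assigned pool address from the thread
    for name, p2 in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        for dst, port in ((DEVICE_A, 443), (DEVICE_B, 80), ("203.0.113.10", 443)):
            print(f"{name:5} {dst}:{port} -> {trace(p2, TIGHT_RULES, client, dst, port)}")
```

The split-tunnel run shows the symptom described above: a public destination is never selected into the tunnel, so it leaves over the phone's own connection. The full-tunnel run shows the flip side of combining the 0.0.0.0/0 entry with a tightened rule: Internet-bound traffic now arrives on the IPsec interface, and unless a rule there allows it onward, pfSense's default deny drops it, so a full-tunnel deployment needs an explicit rule for that traffic as well as for the LAN resources.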
                            DavidYon47:

                            @andra.pocherebox:

                            > Well… Being stubborn led me to solve it by myself!  :D :D
                            >
                            > To whom it may interest: I found out that to redirect all traffic through the VPN, you gotta set up two different Phase 2 entries according to the picture below.
                            >
                            > Then both your LAN traffic and Internet traffic will be routed correctly through the VPN endpoint.
                            > Hope this can help!
                            >
                            > Cheers

                            Here's another kudo coming from a long-time pfSense user.  I also got bit by going from 2.0.1 to 2.2.2.  IPsec "worked", but the route-all-traffic-for-free feature went dead and for all my Google searches I couldn't figure out how to fix it.  I'm primarily using IPsec from iOS and OS X devices, and was wondering why the hell DNS resolution of internal hosts wasn't working.  It wasn't until I deep-drilled some more that I figured out it was a default gateway problem, which finally led me to this post (which I found only by manually browsing the forums!).

                            So thank you, thank you, thank you!

                            pfSense mods: this information needs to be part of the IPsec troubleshooting page!  This is obviously a stumbling block for anyone unknowingly crossing the racoon->strongSwan transition, and I got a lot of Google hits asking how to fix this, but precious few answers.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.