(Solved) Working IPSec guide for 2.3



  • Hello,

    I understand that 2.3 is now officially released as of yesterday. I've been trying to set IPSec up on my network to no avail. I want to use it as a backup VPN, learn how it works, and to use the native VPN already on my iPhone/Mac. I already have a working OpenVPN, but I plan to provide my users VPN access to my network more simply using the VPN built into iOS. I tried following this guide but I'm not sure what isn't working: https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

    Running pfSense 2.3 and an iPhone running iOS 9.0.2+

    Thanks.


  • Rebel Alliance Developer Netgate

    That should all work the same on 2.3 as 2.2

    Though if you're going for a new IPsec deployment on 2.3 (or 2.2!) you're better off aiming for IKEv2 rather than that style. Like https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 or https://doc.pfsense.org/index.php/IKEv2_with_EAP-RADIUS



  • Thank you!!
    Local Network was set to my LAN. With 0.0.0.0/0 it works now and I reply from my iPhone via VPN!



  • @jimp:

    That should all work the same on 2.3 as 2.2

    Though if you're going for a new IPsec deployment on 2.3 (or 2.2!) you're better off aiming for IKEv2 rather than that style. Like https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 or https://doc.pfsense.org/index.php/IKEv2_with_EAP-RADIUS

    Thank you for this, I made it further, but what I'm confused about is this section:

    Create a Server Certificate

    Navigate to System > Cert Manager, Certificates tab on pfSense
    Click "+" to create a new certificate
    Select Create an internal certificate for the Method
    Enter a Descriptive Name such as IKEv2 Server
    Select the appropriate Certificate Authority created in the previous step
    Choose the desired Key length, Digest algorithm, and Lifetime
    Set the Certificate Type to Server Certificate
    Fill in the regional and company values in the Distinguished name fields as desired, they are copied from the CA and may be left as-is
    Enter the Common Name as the hostname of the firewall as it exists in DNS. If clients will connect by IP address, place the IP address here.
    Click "+" to add a new Alternative Name
    Enter DNS in the Type field
    Enter the hostname of the firewall as it exists in DNS again in the Value field – Some clients require the value in SAN not just CN!
    Click "+" to add a new Alternative Name
    Enter IP in the Type field
    Enter the WAN IP address of the firewall in the Value field
    Add more Alternative Names as needed for additional hostnames or IP addresses on the firewall that clients may use to connect
    Click Save

    and

    Phase 2

    Click "+" to show the Mobile IPsec Phase 2 list
    Click "+" to add a new Phase 2 entry if one does not exist, or click "e" to edit an existing entry
    Set Mode to Tunnel IPv4
    Set Local Network as desired, e.g. LAN subnet
    To pass all traffic, including Internet traffic, across the VPN, set the Local Network to 0.0.0.0/0
    Enter an appropriate Description
    Set Protocol to ESP
    Set Encryption algorithms to AES Auto and if there are iOS/OS X devices, also select 3DES.
    Set Hash algorithms to SHA1 and SHA256
    Set PFS Key Group to off
    Set Lifetime to 3600
    Click Save

    For the Type field (during the Create a Certificate Authority setup) I can't set it as DNS; there's only FQDN or Hostname, IP Address, URL, Email address. Can I insert my DDNS name instead of my IP address in this section as well?

    Lastly, for the Local Network (during the Phase 2 setup) I set Local Network to Network and Address as 0.0.0.0/0 to pass all traffic through the tunnel. Is this correct?

    This is all I get in the IPsec logs:

    Apr 14 14:07:50	charon		08[CFG] received stroke: route 'bypasslan'
    Apr 14 14:07:50	charon		13[CFG] added configuration 'bypasslan'
    Apr 14 14:07:50	charon		13[CFG] received stroke: add connection 'bypasslan'
    Apr 14 14:07:50	charon		06[CFG] deleted connection 'con1'
    Apr 14 14:07:50	charon		06[CFG] received stroke: delete connection 'con1'
    Apr 14 14:07:50	charon		13[CFG] deleted connection 'bypasslan'
    Apr 14 14:07:50	charon		13[CFG] received stroke: delete connection 'bypasslan'
    Apr 14 14:07:50	ipsec_starter	97045	shunt policy 'bypasslan' uninstalled
    Apr 14 14:07:50	charon		14[CFG] received stroke: unroute 'bypasslan'
    Apr 14 14:07:50	charon		13[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
    Apr 14 14:07:50	charon		13[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
    Apr 14 14:07:50	charon		13[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
    Apr 14 14:07:50	charon		13[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
    Apr 14 14:07:50	charon		13[CFG] loaded ca certificate 
    Apr 14 14:07:50	charon		13[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
    Apr 14 14:07:50	charon		13[CFG] loaded EAP secret for cristian@torres.li
    Apr 14 14:07:50	charon		13[CFG] loaded RSA private key from '/var/etc/ipsec/ipsec.d/private/cert-1.key'
    Apr 14 14:07:50	charon		13[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Apr 14 14:07:50	charon		13[CFG] rereading secrets
    Apr 14 14:03:29	charon		14[JOB] <6> deleting half open IKE_SA after timeout
    Apr 14 14:02:59	charon		14[NET] <6> sending packet: from [500] to [50461] (341 bytes)
    Apr 14 14:02:59	charon		14[ENC] <6> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
    Apr 14 14:02:59	charon		14[IKE] <6> sending cert request for 
    Apr 14 14:02:59	charon		14[IKE] <6> remote host is behind NAT
    Apr 14 14:02:59	charon		14[IKE] <6>  is initiating an IKE_SA
    Apr 14 14:02:59	charon		14[ENC] <6> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
    Apr 14 14:02:59	charon		14[NET] <6> received packet: from [50461] to [500] (388 bytes)
    Apr 14 14:02:57	charon		06[CFG] added configuration 'con1'
    Apr 14 14:02:57	charon		06[CFG] loaded certificate 
    Apr 14 14:02:57	charon		06[CFG] reusing virtual IP address pool 192.168.4.0/24
    Apr 14 14:02:57	charon		06[CFG] received stroke: add connection 'con1'
    Apr 14 14:02:57	ipsec_starter	97045	'bypasslan' shunt PASS policy installed
    Apr 14 14:02:57	charon		06[CFG] received stroke: route 'bypasslan'
    Apr 14 14:02:57	charon		13[CFG] added configuration 'bypasslan'
    Apr 14 14:02:57	charon		13[CFG] received stroke: add connection 'bypasslan'
    

  • Rebel Alliance Developer Netgate

    FQDN is the equivalent of DNS, so use that.

    And to pass all traffic over, use a network of 0.0.0.0/0.
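The "Create a Server Certificate" steps quoted two posts up, together with the answer above that FQDN is the SAN type to use, as an added example that is not from the pfSense docs or from anyone in this thread: it builds the same CA and server certificate with OpenSSL instead of the Cert Manager GUI (both can be imported there), putting the hostname in the CN and in a DNS SAN and the WAN address in an IP SAN with a serverAuth extended key usage, and then runs the checks a road-warrior client applies to the server certificate during IKE_AUTH: chain validity, an identity match against the SAN list for whatever the client was given as Server Address, and the EKU. The name vpn.example.com, the address 203.0.113.10 and the organisation name are assumptions chosen for the example; substitute the DDNS name and WAN IP your clients actually use.

```shell
#!/bin/sh
# Added example, not taken from the pfSense docs or this thread: an IKEv2 server
# certificate built with OpenSSL that satisfies road-warrior clients (hostname in
# CN *and* DNS SAN, WAN IP as IP SAN, serverAuth EKU), plus the checks a client
# applies to it. Names and addresses are assumptions; replace with your own.
set -eu

VPN_FQDN="vpn.example.com"   # assumed DDNS name clients type as Server Address
VPN_IP="203.0.113.10"        # assumed WAN IP (RFC 5737 documentation range)
WORK="${WORK:-$(mktemp -d)}" # where keys and certs are written

# Build CA + server cert once; later calls reuse the files. Extensions come from
# config sections so this works on OpenSSL 1.0.2 through 3.x (no -addext).
mk_pki() {
    if [ ! -f "$WORK/server.crt" ]; then
        cat > "$WORK/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $VPN_FQDN
O = Example Org
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.7.3.17
subjectAltName = DNS:$VPN_FQDN, IP:$VPN_IP
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
        # 1.3.6.1.5.5.7.3.17 is id-kp-ipsecIKE (RFC 4945), added beside serverAuth.
        # openssl chatter is silenced; set -e still aborts if any step fails.
        # Self-signed CA: this is what goes under the CAs tab in pfSense.
        openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 \
            -config "$WORK/pki.cnf" -extensions v3_ca \
            -subj "/CN=IKEv2 Example CA/O=Example Org" \
            -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
        # Server key + CSR carrying the CN, then CA-signed with the v3_server exts.
        openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/pki.cnf" \
            -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
        openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
            -CAkey "$WORK/ca.key" -CAcreateserial -days 825 -sha256 \
            -extfile "$WORK/pki.cnf" -extensions v3_server \
            -out "$WORK/server.crt" >/dev/null 2>&1
    fi
    echo "$WORK/server.crt"
}

# 0 if cert $1 lists SAN entry $2 exactly as openssl prints it,
# e.g. "DNS:vpn.example.com" or "IP Address:203.0.113.10".
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Subject Alternative Name' \
        | grep -q -F "$2"
}

# 0 if cert $1 carries the serverAuth extended key usage.
cert_has_server_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}

# 0 if a client that trusts CA $2 and was told to connect to identity $3
# (hostname or IP literal) would accept server cert $1: chain + SAN match.
verify_as_client() {
    case "$3" in
        *[!0-9.]*) opt=-verify_hostname ;;  # anything non-numeric is a name
        *)         opt=-verify_ip ;;
    esac
    openssl verify -CAfile "$2" "$opt" "$3" "$1" >/dev/null 2>&1
}

CERT=$(mk_pki)
echo "CA:     $WORK/ca.crt"
echo "Server: $CERT"
for id in "$VPN_FQDN" "$VPN_IP" "other.example.net"; do
    if verify_as_client "$CERT" "$WORK/ca.crt" "$id"; then
        echo "ok   a client using '$id' as Server Address accepts this cert"
    else
        echo "FAIL '$id' is not in the SAN list or the chain does not verify"
    fi
done
if cert_has_server_eku "$CERT"; then
    echo "ok   EKU includes serverAuth"
else
    echo "FAIL serverAuth EKU missing"
fi
```

Run it with openssl on PATH; WORK defaults to a fresh temp directory and the third identity in the loop is deliberately absent so the failure branch is exercised. Import ca.crt and server.crt/server.key under System > Cert Manager, use the server certificate in the mobile Phase 1 with the identifier set to the same FQDN (the IKEv2 guides linked above cover that side), and give clients that FQDN as Server Address and Remote ID; a client told to use the IP address instead is covered by the IP SAN. Separately, the 3DES entry in the quoted Phase 2 list exists only because manually configured iOS/OS X clients propose it; prefer AES-256 with SHA-256 and a PFS group and push those to Apple devices through a configuration profile rather than leaving 3DES enabled for every client.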



  • @jimp:

    FQDN is the equivalent of DNS, so use that.

    And to pass all traffic over, use a network of 0.0.0.0/0.

    IT WORKS
    Thank you so much!  ;D