Info: After having performed the pfSense upgrade from version 2.1.5 to 2.2 I am no longer able to connect with iPhones to the VPN endpoint. I cannot say what exactly the issue is right now. But as the pfSense people have switched from racoon to strongSwan, there seem to be some significant changes under the hood. I am sorry to say, but this guide is no longer applicable to the current version of pfSense. As soon as I find time to investigate this issue, I post updates here.

Just some side notes: The VPN client in IOS 8 now supports IKEv2, but this feature has not been yet made available in the UI of the VPN client. There is a tool called “Apple Configurator” which can be used to setup a VPN profile which supports IKEv2. pfSense also supports IKEv2 now (since switched to strongSwan).

If anyone gets this thing working again, I am highly interested. Thank you for letting me know.

1. Introduction

I own a pfSense Box myself which runs on an APU1C4 board from . I use it for firewalling and as VPN endpoint for various client devices such as iPhones, iPads, Android phones and tablets, Windows PCs and Linux boxes. In this article I want to share my experience in turning your pfSense box in a device which acts as an IPsec VPN endpoint.

2. Goals

• Mobile devices should be able to connect to my pfSense box and make use of IPsec full-tunneling, which means ALL traffic runs through my pfSense box. This is especially useful if you’re located outside your country and want to access content, which is accessible from domestic IP addresses only.
• I also want to access my private LAN in order to manage my systems, access to my file shares and other resources.

So far, no special goals. Let’s move on.

3. System Environment

3.1 My pfSense Box

My pfSense is running on version 2.1.5-RELEASE (amd64) built on Aug 25 07:44:45 EDT 2014 having FreeBSD 8.3-RELEASE-p16 under the hood. The box is driven by an ALIX APU1C4 Mini-ITX mainboard bought from PC Engines GmbH in Switzerland. The board has some nice hardware specs such as 4 gigs of RAM, an AMD G-T40E dual-core processor and gigabit ethernet network interfaces. The ideal playground to provide VPN connectivity on an embedded device. The only (possible) drawback is, that the OS is running from an SDcard in my case. But you don’t have to. There are also some SSD mSATA-modules available which allow you to run your OS from an SSD.

3.2 Clients

I have tested client connectivity using the following devices:

Section Setting Value General Information Disabled Unchecked Internet Protocol IPv4 Interface WAN Description (empty) Phase 1 proposal (authentication) Authentication method Mutual PSK Xauth Negotiation mode aggressive My identifier My IP address Peer identifier Type: Distinguished name Value: <identifier> Pre-Shared Key <pre-shared secret> Policy Generation Unique Proposal Checking Default Encryption algorithm AES 256 bits Hash algorithm SHA1 DH key group 2 (1024 bit) Lifetime 86400 seconds Advanced Options NAT Traversal Enable Dead Peer Detection Unchecked

In my case, I have choosen vpnusers as value for <identifier>, but you can choose whatever you like. Just choose some simple to remember name here. Once it works, do not forget to choose something stronger. Save your settings and go back to the VPN -> IPsec menu. Now, add a phase 2 entry to the already existing phase 1 entry having the following values set:

Section Setting Value General Information Disabled Unchecked Mode Tunnel IPv4 Local Network Type: LAN subnet Description (empty) Phase 2 proposal (SA/Key Exchange) Protocol ESP Encryption algorithms AES 256 bits Hash algorithms SHA1 PFS key group off Lifetime 28800 seconds Advanced Options Automatically ping host (empty)

Again, save your changes and go back to VPN -> IPsec menu. Now select the Mobile clients tab and make sure the following values are set as follows:

Section Setting Value IKE Extensions Enable IPsec Mobile Client Support Extended Authentication (Xauth) User Authentication Source: Local Database Group Authentication Source: system Client Configuration (mode-cfg) Virtual Address Pool Provide a virtual IP address to clients: Checked Network: 192.168.111.0/24 Network List Provide a list of accessible networks to clients: Unchecked Save Xauth Password Allow clients to save Xauth passwords: Checked DNS Default Domain Provide a default domain name to clients: Checked Value: localdomain Split DNS Provide a list of split DNS domain names to clients: Unchecked Value: (empty) DNS Servers Provide a DNS server list to clients: Checked Server #1: 8.8.8.8 Server #2: (empty) Server #3: (empty) Server #4: (empty) WINS Servers Provide a WINS server list to clients: Unchecked Server #1: (empty) Server #2: (empty) Phase 2 PFS Group Provide the Phase 2 PFS group to clients: Unchecked Group: off Login Banner Provide a login banner to clients: CheckedValue: (Whatever text you like)

Save your changes. Now go to System -> User Manager and select the Group tab. Add a new group called vpnusers. Make sure, the group has the privilege User – VPN – IPsec xauth Dialin set. Save it. Now go to the Users tab and create a user which will later be used to connect to your VPN box. Make sure the user has the group vpnusers set.

Now we need to open the firewall to allow VPN connections to pass through. Go to Firewall -> Rules and select the WAN tab. Configure the following rules:

Proto Source Port Destination Port Gateway Queue Schedule Description IPv4 UDP * * * 500 (ISAKMP) * None (empty) IPsec IPv4 UDP * * * 4500 (IPsec NAT-T) * None (empty) IPsec

Select the IPsec tab and add a rule which allows all traffic to go through the VPN connection:

Proto Source Port Destination Port Gateway Queue Schedule Description IPv4 * * * * * * None (empty) Allow all

5. Configuring Client Devices

5.1 Configuring Your iPhone

In order to get your iPhone, iPad or MacBook running, just enter the following parameters:

Parameter Value Name <Description> Type IPSec Xauth PSK Server address <IP/hostname of your VPN endpoint> IPSec identifier <identifier> IPSec pre-shared key <pre-shared key>

After that, navigate to /etc/vpnc/ and create a copy of the default.conf configuration file, for example:

Edit the newly created file and fill in the parameters like this:

<identifier> and <pre-shared secret> are the values choosen earlier during pfSense configuration. and are the values entered for the user in pfSense user manager. To connect using vpnc, just enter the following command:

If you would like to disconnect later, just enter the following command to restore the previous routing configuration:

6. Final Thoughts

As always, I cannot claim that this tutorial is perfect. Therefore I am more than happy to hear from you, if there is something wrong with this tutorial. Contact information is provided on the web site. But for now, let’s get started.