IPsec Remote Access VPN Example Using IKEv1 with Pre-Shared Keys

This article describes how to set up mobile IPsec in pfSense® software with a Pre-Shared Key.

Note

The current best practice is to use IKEv2 with EAP authentication for IPsec Remote Access on modern clients. See IPsec Remote Access VPN Example Using IKEv2 with EAP-MSCHAPv2 for details.

Warning

There are very few remaining clients compatible with this type of configuration because it is considered weak compared to other options such as IKEv2 with EAP.

IPsec Server Setup

This is the setup for the pfSense® software side of the connection.

Mobile Clients

  • Navigate to VPN > IPsec, Mobile Clients tab

  • Set the options as follows:

    Enable IPsec Mobile Client Support:

    Checked

    User Authentication:

    Local Database

    Provide a virtual IP address to clients:

    Checked

    Enter an unused subnet in the box (e.g. 10.11.200.0) and pick a subnet mask (e.g. 24). This pool must not overlap any network the clients need to reach through the tunnel, since the firewall rules and phase 2 entries below refer to it.

  • Set other options if desired

  • Click Save

  • Click Apply Changes

  • Click + Create Phase 1 at the top of the screen if it appears

Phase 1 settings

  • Navigate to VPN > IPsec

  • Locate the Mobile Phase 1 in the list

  • Click the edit (pencil) icon to edit the Mobile Phase 1

  • Enter the following settings:

    Description:

    Mobile IPsec PSK

    Key Exchange Version:

    Auto to allow both IKEv1 and IKEv2 connections. If all clients are compatible with IKEv2, use that instead.

    Note

    Some clients, such as the native Android client, require options which only work with IKEv2.

    Authentication method:

    Mutual PSK

    Negotiation mode:

    Aggressive or Main, depending on client requirements. Prefer Main mode wherever the client supports it: in IKEv1 Aggressive mode the identity and the PSK-derived hash are exchanged before the channel is encrypted, so anyone who captures the exchange can run an offline dictionary attack against the PSK. If Aggressive mode is unavoidable, a long random PSK (see User Settings below) is the only defense against that attack.

    My identifier:

    My IP address

    Encryption Algorithm:

    Create several entries which match values for common clients. Add them in order of preference with the most secure options listed first. For example:

    • Algorithm AES128-GCM, Hash SHA256, DH Group 16 (if using IKEv2 only, required for Android)

    • Algorithm AES 256, Hash SHA512, DH Group 14

    • Algorithm AES 256, Hash SHA256, DH Group 14

    • Algorithm AES 256, Hash SHA1, DH Group 14

    • Algorithm AES 128, Hash SHA256, DH Group 2

    • Algorithm AES 128, Hash SHA1, DH Group 2

    Note

    SHA1 and DH Group 2 (1024-bit MODP) are legacy values kept only for clients that cannot negotiate anything stronger. Remove those entries once no such client remains, so a downgrade to them is no longer possible.

    Life Time:

    86400

    NAT Traversal:

    Force

  • Click Save

Phase 2 settings

  • Click + Show Phase 2 Entries inside the Mobile phase 1 to expand its phase 2 list

  • Click + Add P2 to create a new phase 2 entry

  • Enter the following settings:

    Description:

    Mobile IPsec

    Mode:

    Tunnel IPv4

    Local Network:

    The network on the firewall site which the clients must reach, e.g. LAN Subnet, or Network 0.0.0.0/0 to send all traffic over the VPN.

    Protocol:

    ESP

    Encryption Algorithms:

    AES 128

    Hash Algorithms:

    SHA256

    PFS key group:

    off

    Lifetime:

    28800

  • Add additional phase 2 entries for local networks if necessary

  • Click Save

  • Click Apply Changes

User Settings

Create pre-shared keys to identify users for the VPN

  • Navigate to VPN > IPsec, Pre-shared keys tab.

  • Click + Add to create a new entry

  • Enter the settings as follows:

    Identifier:

    Any identifier may be used so long as it is unique to the person using the account.

    Tip

    E-mail addresses are commonly used because they are unique per user, which first or last names are not.

    Secret Type:

    PSK

    Pre-Shared Key:

    Generate a long, random Pre-Shared Key, for example 32 or more characters from a password generator, and never a word or short phrase. The strength of this key is what protects a captured IKEv1 exchange from offline guessing, so each user gets their own key and a compromised key is replaced rather than shared.

    Note

    Some clients, such as Linux NetworkManager, require a minimum key length of 20 characters.

  • Click Save

  • Click Apply Changes
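The Phase 1, Phase 2 and pre-shared key steps above are entered in the GUI, but pfSense renders them into a strongSwan configuration, and a Linux client using strongSwan needs the mirror image of those settings. The following Python script is an added example, not pfSense or strongSwan code: it maps the article's Phase 1 entries to strongSwan proposal strings (DH Group 2/14/16 become modp1024/modp2048/modp4096), flags the legacy SHA1 and 1024-bit entries, generates a PSK that satisfies the 20-character minimum, and writes the matching swanctl.conf client profile (Force NAT-T as encap = yes, PFS off as an ESP proposal without a DH group). The server address 203.0.113.10, identity alice@example.com, the connection names and the 10.0.0.0/24 remote network are constructed placeholders.

```python
"""Added example (not pfSense or strongSwan code): turn the mobile IPsec PSK
settings from this article into a strongSwan swanctl.conf client profile,
flag legacy proposals, and generate a PSK that meets the 20-character minimum
some clients enforce.  Addresses, identities and names are placeholders."""
import secrets
import string

# Phase 1 entries from the article, in order of preference:
# (encryption, hash, DH group).  The AES-GCM entry only works with IKEv2.
PHASE1 = [
    ("aes128gcm16", "sha256", 16),
    ("aes256", "sha512", 14),
    ("aes256", "sha256", 14),
    ("aes256", "sha1", 14),
    ("aes128", "sha256", 2),
    ("aes128", "sha1", 2),
]
# pfSense DH group numbers are RFC 3526 MODP groups; strongSwan names them by size.
DH_TO_MODP = {2: "modp1024", 14: "modp2048", 16: "modp4096"}
# Components to retire once no client depends on them.
LEGACY = {"sha1", "modp1024"}


def is_aead(enc):
    return enc.endswith("gcm16")


def ike_proposal(enc, hash_, group):
    """Render one Phase 1 entry as a strongSwan proposal string."""
    # AES-GCM carries no separate integrity algorithm, so the hash sets the PRF.
    middle = f"prf{hash_}" if is_aead(enc) else hash_
    return f"{enc}-{middle}-{DH_TO_MODP[group]}"


def phase1_proposals(ike_version):
    """Proposal list for a client speaking the given IKE version (1 or 2)."""
    return [ike_proposal(*p) for p in PHASE1
            if ike_version == 2 or not is_aead(p[0])]


def legacy_proposals(proposals):
    """Return the proposals that still rely on SHA1 or 1024-bit DH."""
    return [p for p in proposals if LEGACY & set(p.split("-"))]


def generate_psk(length=32):
    """Random alphanumeric PSK; refuses anything below the 20-char client minimum."""
    if length < 20:
        raise ValueError("PSK must be at least 20 characters")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def render_swanctl(server, ident, psk, ike_version=1, aggressive=True,
                   remote_net="10.0.0.0/24"):
    """swanctl.conf text for a client of the mobile profile in this article."""
    proposals = ",".join(phase1_proposals(ike_version))
    # version: Key Exchange Version; encap = yes: NAT Traversal "Force";
    # vips: request a virtual IP from the pool; aggressive applies to IKEv1
    # only.  Lifetimes are left at strongSwan defaults.
    lines = [
        "connections {",
        "    pfsense-mobile {",
        f"        version = {ike_version}",
        f"        remote_addrs = {server}",
        "        vips = 0.0.0.0",
        "        encap = yes",
        f"        proposals = {proposals}",
    ]
    if ike_version == 1:
        lines.append(f"        aggressive = {'yes' if aggressive else 'no'}")
    lines += [
        "        local {",
        "            auth = psk",
        f"            id = {ident}",          # Identifier on the Pre-shared keys tab
        "        }",
        "        remote {",
        "            auth = psk",
        f"            id = {server}",         # "My identifier: My IP address"
        "        }",
        "        children {",
        "            mobile {",
        f"                remote_ts = {remote_net}",   # Phase 2 Local Network
        "                esp_proposals = aes128-sha256",  # no DH group: PFS off
        "                start_action = start",
        "            }",
        "        }",
        "    }",
        "}",
        "secrets {",
        "    ike-pfsense {",
        f"        id-1 = {ident}",
        f'        secret = "{psk}"',
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    key = generate_psk()
    print(render_swanctl("203.0.113.10", "alice@example.com", key))
    print("# legacy proposals still offered:",
          legacy_proposals(phase1_proposals(1)))
```

Run it once per user, paste the generated key into the Pre-Shared Key field for that user's identifier, and install the printed profile as the client's swanctl.conf. The legacy_proposals output is the list to prune from Phase 1 once the clients that need SHA1 or DH Group 2 are gone.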

Firewall Rules

Add firewall rules to pass traffic from clients

  • Navigate to Firewall > Rules, IPsec tab

  • Add rules that match the traffic to allow from mobile clients, using the virtual IP pool configured on the Mobile Clients tab (e.g. 10.11.200.0/24) as the source and only the required destinations and ports. A rule passing any protocol from any source to any destination allows everything; it is convenient for initial testing but should be tightened afterward, since every connected client receives that access.

The firewall configuration is complete.

Client Configuration

Android

Android 11.x and later contain a client compatible with a pre-shared key configuration provided that it uses IKEv2 only. See the inline notes above for additional requirements.

Note

The settings below are from stock Android 11.x. These exact settings may not be present on all Android devices, depending on the Android version and changes made by the OEM.

See Remote Access Mobile VPN Client Compatibility for additional details.

  • Swipe down twice from the top of the screen

  • Tap the Settings cog

  • Tap Networks & Internet, Advanced, VPN

  • Tap +

  • Enter the connection settings as follows:

    Name:

    pfSense Mobile VPN or another suitable description

    Type:

    IKEv2/IPsec PSK

    Server Address:

    The address of the server.

    IPsec Identifier:

    The identifier on the pre-shared key for this user (e.g. a username or e-mail address)

    Pre-Shared Key:

    The PSK value associated with the identifier for this user.

  • Tap Save