IPsec Remote Access VPN Example Using IKEv1 with Pre-Shared Keys

This article describes how to set up mobile IPsec in pfSense® software with a Pre-Shared Key.

Note

The current best practice is to use IKEv2 with EAP authentication for IPsec Remote Access on modern clients. See IPsec Remote Access VPN Example Using IKEv2 with EAP-MSCHAPv2 for details.

Warning

There are very few remaining clients which support this type of configuration because it is considered weak compared to other options such as IKEv2 with EAP.

IPsec Server Setup

This is the setup for the pfSense® software side of the connection.

Mobile Clients

  • Navigate to VPN > IPsec, Mobile Clients tab

  • Set the options as follows:

    Enable IPsec Mobile Client Support:

    Checked

    User Authentication:

    Local Database

    Provide a virtual IP address to clients:

    Checked

    Enter an unused subnet in the box (e.g. 10.11.200.0), pick a subnet mask (e.g. 24)

  • Set other options if desired

  • Click Save

  • Click Apply Changes

  • Click fa-plus Create Phase 1 at the top of the screen if it appears

Phase 1 settings

  • Navigate to VPN > IPsec

  • Locate the Mobile Phase 1 in the list

  • Click fa-pencil to edit the Mobile Phase 1

  • Enter the following settings:

    Description:

    Mobile IPsec PSK

    Key Exchange Version:

    Auto to allow both IKEv1 and IKEv2 connections. If all clients support IKEv2, use that instead.

    Note

    Some clients, such as the native Android client, require options which only work with IKEv2.

    Authentication method:

    Mutual PSK

    Negotiation mode:

    Aggressive or Main depending on client requirements.

    My identifier:

    My IP address

    Encryption Algorithm:

    Create several entries which match values for common clients. Add them in order of preference with the most secure options listed first. For example:

    • Algorithm AES128-GCM, Hash SHA256, DH Group 16 (if using IKEv2 only, required for Android)

    • Algorithm AES 256, Hash SHA512, DH Group 14

    • Algorithm AES 256, Hash SHA256, DH Group 14

    • Algorithm AES 256, Hash SHA1, DH Group 14

    • Algorithm AES 128, Hash SHA256, DH Group 2

    • Algorithm AES 128, Hash SHA1, DH Group 2

    Life Time:

    86400

    NAT Traversal:

    Force

  • Click Save

Phase 2 settings

  • Click fa-plus Show Phase 2 Entries inside the Mobile phase 1 to expand its phase 2 list

  • Click fa-plus Add P2 to create a new phase 2 entry

  • Enter the following settings:

    Description:

    Mobile IPsec

    Mode:

    Tunnel IPv4

    Local Network:

    The network on the firewall site which the clients must reach, e.g. LAN Subnet, or Network 0.0.0.0/0 to send all traffic over the VPN.

    Protocol:

    ESP

    Encryption Algorithms:

    AES 128

    Hash Algorithms:

    SHA256

    PFS key group:

    off

    Lifetime:

    28800

  • Add additional phase 2 entries for local networks if necessary

  • Click Save

  • Click Apply Changes

User Settings

Create pre-shared keys to identify users for the VPN

  • Navigate to VPN > IPsec, Pre-shared keys tab.

  • Click fa-plus Add to create a new entry

  • Enter the settings as follows:

    Identifier:

    Any identifier may be used so long as it is unique to the person using the account.

    Tip

    E-mail addresses are commonly used as they are more unique than first or last names.

    Secret Type:

    PSK

    Pre-Shared Key:

    Generate a long/random Pre-Shared Key. The longer and more complex the key, the more secure it is.

    Note

    Some clients, such as Linux network manager, require a minimum key length of 20 characters.

  • Click Save

  • Click Apply Changes

Firewall Rules

Add firewall rules to pass traffic from clients

  • Navigate to Firewall > Rules, IPsec tab

  • Add rules that match traffic to allow from mobile clients or add a rule to pass any protocol/any source/any destination to allow everything.

The firewall configuration is complete.

Client Configuration

Android

Android 11.x and later contain a client compatible with a pre-shared key configuration provided that it uses IKEv2 only. See the inline notes above for additional requirements.

Note

The settings below are from pure Android 11.x. These exact settings may not present on all Android devices, depending on the Android version and changes made by the OEM.

See Remote Access Mobile VPN Client Compatibility for additional details.

  • Swipe down twice from the top of the screen

  • Tap the Settings cog

  • Tap Networks & Internet, Advanced, VPN

  • Tap +

  • Enter the connection settings as follows:

    Name:

    pfSense Mobile VPN or another suitable description

    Type:

    IKEv2/IPsec PSK

    Server Address:

    The address of the server.

    IPsec Identifier:

    The identifier on the pre-shared key for this user (e.g. a username or e-mail address)

    Pre-Shared Key:

    The PSK value associated with the identifier for this user.

  • Tap Save

Windows (Deprecated)

Warning

The Shrew Soft client is deprecated and does not work on current supported versions of Windows. The instructions below remain for reference, but should not be followed exactly.

Some settings below may not match the configuration above due to no longer being supported or because they are weak. If more secure options exist in the client, use them.

This part is done on the end user computer.

Download and install Shrew Soft VPN.

Once finished, open ipseca.exe. The VPN Access Manager window is presented.

../_images/vb_howto_ipsec_024.jpg

Press the big round Add button to set up a tunnel configuration.

On the General tab, enter the IP address or host name of the firewall. Leave the rest as it is. The default values in new versions of the Shrew Soft VPN client may change so in case of doubt, stick to the screenshots.

../_images/vb_howto_ipsec_025.jpg

On the Client tab, set NAT Traversal to force-rfc and uncheck Enable Dead Peer Detection. If these settings are wrong, an established tunnel may not let any traffic through.

../_images/vb_howto_ipsec_026.jpg

Don’t change anything on the Name Resolution tab; these settings are all automatically set by the pfSense software. Relevant information could be entered here but if the settings were configured on the firewall, they need not be set here.

../_images/vb_howto_ipsec_028.jpg ../_images/vb_howto_ipsec_029.jpg ../_images/vb_howto_ipsec_030.jpg

Go to the Authentication tab. Set Authentication Method to Mutual PSK. Under Local Identity, choose Key Identifier as the Identification Type and enter the user’s e-mail address (or whatever was used as an identifier) in the Key ID String field.

../_images/vb_howto_ipsec_031.jpg

Under Remote Identity, set Identification Type to IP Address and check Use a discovered remote host address.

../_images/vb_howto_ipsec_032.jpg

Finally, under Credentials, enter the Pre Shared Key associated with the e-mail address.

../_images/vb_howto_ipsec_033.jpg

Now scroll over to the Phase 1 tab. Set the Cipher Algorithm to aes or whatever was entered on the Phase 1 page in the pfSense software. Cipher Key Length to 256 (or whatever etc.) and Hash Algorithm to sha2-256. Set the Key Life Time limit to 3600.

../_images/vb_howto_ipsec_034.jpg

Phase 2 tab: set Transform Algorithm to esp-aes, Transform Key Length to 128, HMAC Algorithm to sha2-256 and PFS Exchange to group 2.

Warning

This matches the configuration for the server configured above, but may not match the screenshots since they are from an older OS that isn’t available currently to update.

../_images/vb_howto_ipsec_035.jpg

Nearly there! Go to the Policy tab and set Policy Generation Level to unique.

../_images/vb_howto_ipsec_036.jpg

Click Save and give the newly created configuration an appropriate name.

../_images/vb_howto_ipsec_037.jpg

Double-click the configuration and the tunnel window will pop up. Click Connect to start the tunnel.

../_images/vb_howto_ipsec_038.jpg

Click Disconnect to… disconnect the tunnel.

../_images/vb_howto_ipsec_040.jpg

That’s it! A working IPsec tunneling system is now in place.