IPsec Remote Access VPN Example Using IKEv1 with Xauth

This document covers IPsec using Xauth and a mutual Pre-Shared Key.

Note

The current best practice is to use IKEv2 for IPsec Remote Access on modern clients. See IPsec Remote Access VPN Example Using IKEv2 with EAP-MSCHAPv2 for details.

This setup has been tested and working on various Android and iOS devices. Other clients may work as well.

IPsec Server Setup

This is the setup for the pfSense® software side of the connection.

Mobile Clients

  • Navigate to VPN > IPsec, Mobile Clients tab

  • Set the options as follows:

    Enable IPsec Mobile Client Support: Checked

    User Authentication: Local Database

    Provide a virtual IP address to clients: Checked. Enter an unused subnet in the box (e.g. 10.11.200.0) and pick a subnet mask (e.g. 24).

  • Set other options if desired

  • Click Save

  • Click Apply Changes

  • Click Create Phase 1 at the top of the screen if it appears

Phase 1 settings

  • Navigate to VPN > IPsec

  • Locate the Mobile Phase 1 in the list

  • Click the edit (pencil) icon to edit the Mobile Phase 1

  • Enter the following settings:

    Description: Mobile IPsec PSK + Xauth

    Key Exchange Version: IKEv1

    Authentication method: Mutual PSK + Xauth

    Negotiation mode: Aggressive or Main, depending on client requirements.

    My identifier: My IP address

    Peer identifier: User fully qualified domain name / E-mail, vpnusers@example.com

    Pre-Shared Key: A long, random pre-shared key suitable for giving to users.

    Encryption Algorithm: Create several entries which match values for common clients. Add them in order of preference with the most secure options listed first. For example:

    • Algorithm AES 256, Hash SHA512, DH Group 14

    • Algorithm AES 256, Hash SHA256, DH Group 14

    • Algorithm AES 256, Hash SHA1, DH Group 14

    • Algorithm AES 128, Hash SHA1, DH Group 2

    Life Time: 86400

    NAT Traversal: Force

  • Click Save

Phase 2 settings

  • Click Show Phase 2 Entries inside the Mobile phase 1 to expand its phase 2 list

  • Click Add P2 to create a new phase 2 entry

  • Enter the following settings:

    Description: Mobile IPsec

    Mode: Tunnel IPv4

    Local Network: The network on the firewall site which the clients must reach, e.g. LAN Subnet, or Network 0.0.0.0/0 to send all traffic over the VPN.

    Protocol: ESP

    Encryption Algorithms: AES 128

    Hash Algorithms: SHA1

    PFS key group: off

    Lifetime: 28800

  • Add additional phase 2 entries for local networks if necessary

  • Click Save

  • Click Apply Changes

User Settings

  • Navigate to System > User Manager

  • Add a user

  • Edit the user and grant them the User - VPN - IPsec xauth Dialin privilege or add them to a group with this privilege.

    Note

    Xauth uses both this per-user password and the value of the pre-shared key for different types of authentication. The pre-shared key is used to authenticate the tunnel itself and the per-user password ensures that a particular user is authorized to access the tunnel.

Firewall Rules

Add firewall rules to pass traffic from clients.

  • Navigate to Firewall > Rules, IPsec tab

  • Add rules that match traffic to allow from mobile clients or add a rule to pass any protocol/any source/any destination to allow everything.

Device Setup (Android)

Note

The settings below are from pure Android 11.x. These exact settings may not be present on all Android devices, depending on the Android version and changes made by the OEM.

See Remote Access Mobile VPN Client Compatibility for additional details.

  • Swipe down twice from the top of the screen

  • Tap the Settings cog

  • Tap Networks & Internet, Advanced, VPN

  • Tap +

  • Enter the connection settings as follows:

    Name: pfSense Mobile VPN or another suitable description

    Type: IPsec Xauth PSK

    Server Address: The address of the server.

    IPsec Identifier: If the mobile IPsec phase 1 is set for Aggressive, fill in the identifier set in phase 1 (e.g. vpnusers@example.com). If the mobile IPsec phase 1 is set for Main, leave this at the default empty value of (not used).

    Pre-Shared Key: The value of the pre-shared key from the mobile phase 1 entry.

    Username: The username for this xauth user

    Password: The password for this xauth user

  • Tap Save

Device Setup (iOS)

  • Tap Settings > VPN or Settings > General > VPN

  • Tap Add VPN Configuration

  • Set Type to IPsec

  • Enter the settings as follows:

    Description: pfSense Mobile VPN or another suitable description

    Server: The address of the server.

    Account: The username for this xauth user

    Password: The password for this xauth user (or leave blank to be prompted every time)

    Group Name: The identifier set in phase 1 (e.g. vpnusers@example.com).

    Secret: The value of the pre-shared key from the mobile phase 1 entry.

Troubleshooting

By default iOS will tunnel all traffic over the VPN including traffic going to the Internet. If Internet sites are inaccessible once connected, a DNS server may need to be pushed to the client for it to use. This could be the LAN IP address of the firewall if the DNS resolver is enabled or a public DNS server such as 8.8.8.8 and/or 8.8.4.4.

The reason for the above is that the cellular provider is likely giving mobile devices DNS servers that are only accessible from their network. Once connected to the VPN the DNS servers are now being accessed via the VPN instead of the provider network, thus the queries are likely to be dropped. Supplying a local or public DNS server will work around this problem.
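The server-side settings from the IPsec Server Setup section, together with the DNS push from this Troubleshooting section, expressed as an equivalent strongSwan swanctl.conf. This is an added example, not the configuration pfSense generates; the PSK, the user name "alice", the 192.168.1.0/24 LAN and the 192.168.1.1 resolver are placeholders.

```conf
# Added example: equivalent strongSwan swanctl.conf for the mobile IKEv1 PSK + Xauth setup.
# NOT the configuration pfSense generates; PSK, user "alice", LAN and DNS address are placeholders.
connections {
    mobile-xauth {
        version = 1                 # Key Exchange Version: IKEv1
        aggressive = yes            # Negotiation mode: Aggressive (set "no" for Main)
        local_addrs = %any          # answer on the WAN address
        encap = yes                 # NAT Traversal: Force (always UDP-encapsulate ESP)
        rekey_time = 86400s         # Phase 1 Life Time
        pools = mobile-pool         # virtual IP pool handed out to clients
        # Phase 1 proposals, most secure first (DH Group 14 = modp2048, DH Group 2 = modp1024)
        proposals = aes256-sha512-modp2048, aes256-sha256-modp2048, aes256-sha1-modp2048, aes128-sha1-modp1024
        local {
            auth = psk              # firewall authenticates with the PSK; identity defaults to its IP
        }
        remote {
            auth = psk              # round 1: the client proves knowledge of the group PSK ...
            id = vpnusers@example.com
        }
        remote-xauth {
            auth = xauth            # round 2: ... then a per-user Xauth name and password
        }
        children {
            mobile {
                local_ts = 192.168.1.0/24   # Phase 2 Local Network (placeholder; or 0.0.0.0/0 for all traffic)
                esp_proposals = aes128-sha1 # ESP AES 128 / SHA1, no PFS group appended
                rekey_time = 28800s         # Phase 2 Lifetime
            }
        }
    }
}
pools {
    mobile-pool {
        addrs = 10.11.200.0/24      # virtual address range from the Mobile Clients tab
        dns = 192.168.1.1           # resolver reachable through the tunnel (placeholder)
    }
}
secrets {
    ike-mobile {
        id = vpnusers@example.com   # group identity used in the Peer identifier field
        secret = "REPLACE-WITH-LONG-RANDOM-PSK"
    }
    xauth-alice {
        id = alice                  # placeholder User Manager account holding the Xauth Dialin privilege
        secret = "REPLACE-WITH-USER-PASSWORD"
    }
}
```

The two `remote` rounds are what make the PSK authenticate the tunnel and the Xauth credentials authorize the individual user, as the note under User Settings describes.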