IPsec Remote Access VPN Example Using IKEv2 with EAP-MSCHAPv2¶

IKEv2 Server Configuration¶

There are several components to the server configuration for mobile clients:

Creating a certificate structure for the VPN
Configuring the IPsec Mobile Client settings
Creating the phase 1 and phase 2 for the client connection
Adding IPsec firewall rules.
Create user credentials for the VPN

IKEv2 Certificate Structure¶

Create a Certificate Authority¶

If a suitable Certificate Authority (CA) is not present in the Cert Manager, creating one is the first task:

Navigate to System > Cert Manager on the pfSense® firewall
Click Add to create a new certificate authority
Select Create an internal Certificate Authority for the Method
Fill in the rest of the fields as desired with company or site-specific information
Click Save

Create a Server Certificate¶

Warning

Follow these directions exactly, paying close attention to how the server certificate is created at each step. If any one part is incorrect, some or all clients may fail to connect.

Navigate to System > Cert Manager, Certificates tab on the pfSense firewall
Click Add to create a new certificate
Select Create an internal certificate for the Method
Enter a Descriptive Name such as IKEv2 Server
Select the appropriate Certificate Authority created in the previous step
Choose the desired Key Type, Key length, Digest algorithm, and Lifetime
Enter the Common Name as the hostname of the firewall as it exists in DNS. If clients will connect by IP address, place the IP address here instead
Fill in the regional and company values in the Distinguished name fields as desired, they are copied from the CA and may be left as-is
Set the Certificate Type to Server Certificate
Click Add to add a new Alternative Name
Enter FQDN or Hostname in the Type field
Enter the hostname of the firewall as it exists in DNS again in the Value field
Click Add to add another new Alternative Name
Enter IP Address in the Type field
Enter the WAN IP address of the firewall in the Value field
Add more Alternative Names as needed for additional hostnames or IP addresses on the firewall that clients may use to connect
Click Save

Tip

As an alternative, the ACME package (ACME package) can generate a server certificate which will be trusted natively by many clients.

Mobile Client Settings¶

Before configuring a mobile IPsec instance, first choose an IP address range to use for mobile clients. Ensure that IP addresses do not overlap any existing network; The IP addresses must differ from those in use at the site hosting the mobile tunnel as well as the LAN from which the client will be connecting. In this example, 10.3.200.0/24 will be used, but it can be any unused subnet.

First, enable IPsec on the firewall if it has not already been enabled:

Navigate to VPN > IPsec
Check Enable IPsec
Click Save

Mobile client support must also be enabled:

Navigate to VPN > IPsec
Click on the Mobile clients tab (Figure Enable Mobile IPsec Clients).
Check Enable IPsec Mobile Client Support

../_images/ipsec-ipsec_mobile_enable.png

Enable Mobile IPsec Clients¶

Leave the authentication sources set to Local Database, as seen in Figure Mobile Clients Authentication. This setting is not needed for EAP- MSCHAPv2, but it must have something selected. RADIUS servers defined in the User Manager (User Management and Authentication) can be selected here for authenticating users when using EAP-RADIUS.

../_images/ipsec-ipsec_mobile_modecfg_auth.png

Mobile Clients Authentication¶

Some settings may be pushed to the client, such as the client IP address and DNS servers. These options are shown in Figure Mobile Clients Pushed Settings. Support for these options varies between clients, but is common and well-supported in most current operating systems.

Virtual Address Pool: Defines the pool of IP addresses that will be handed out to clients. Use 10.3.200.0/24 for this example.
Virtual IPv6 Address Pool: Same as above, but for IPv6 addresses.
Network List: Controls whether the client will attempt to send all of its traffic across the tunnel, or only traffic for specific networks. If this option is checked, then the networks defined in the Local Network options for the mobile phase 2 definitions will be sent to the client. If this option is unchecked, the clients will attempt to send all of their traffic, including Internet traffic, across the tunnel. Not all clients respect this option. For this example, the client can only reach the network in the phase 2, so check this option.
Save Xauth Password: When checked, clients that support this control will allow the user to save their credentials when using Xauth. This is mainly respected by Cisco-based clients like the one found on iOS and Mac OS X. Since IKEv2 is being used in this example, it is not important.
DNS Default Domain: When checked, the value entered into the box will be pushed to clients as their default domain suffix for DNS requests. For example if this is set to example.com and a client requests host, then the DNS request will be attempted for host.example.com.
Split DNS: Controls how the client will send DNS requests to the DNS Server supplied (if any). If this option is unchecked, the client will send all of its DNS requests to a provided DNS Server. If the option is checked, but left empty, and a DNS Default Domain is set, then only requests for that domain name will go to the provided DNS Server. If it’s checked and a value is entered, then only requests for the domain(s) entered in the box will be forwarded to the provided DNS Server. In this example, both example.com and example.org are used and DNS requests for those two domains will to go to the VPN servers, so enter those values here separated by a space.
DNS Servers: When Provide a DNS server list to clients is checked, and IP addresses are entered for the local DNS servers, such as 10.3.0.1, these values are sent to clients for use while the VPN is connected.

Note

If mobile clients will route to the Internet over the VPN, ensure the clients get a DNS Server from the firewall using this option, and that they do not have Split DNS enabled. If this is not done, the clients will attempt to get DNS from whatever server they were assigned by their ISP, but route the request across the tunnel and it will most likely fail.

WINS Servers: Works similar to DNS servers, but for WINS. Rarely used these days, best left disabled.
Phase 2 PFS Group: Overrides the PFS setting for all Mobile Phase 2 entries. Generally best to set this value on the P2 entries individually, so leave unchecked.
Login Banner: Optional, and only works on Xauth clients. Leave unchecked and blank.

../_images/ipsec-ipsec_mobile_modecfg.png

Mobile Clients Pushed Settings¶

Click Save and pfSense will display a warning that there is no phase 1 definition for mobile clients
Click Create Phase 1 to make a new Phase 1 entry for mobile clients
Click the Tunnels tab

../_images/ipsec-ipsec_mobile_p1_create.png

Mobile Clients Phase 1 Creation Prompt¶

Phase 1¶

The Phase 1 configuration for mobile clients is presented, and must be configured as follows:

Key Exchange Version

Set to V2

Internet Protocol

Set to IPv4 for this example

Interface

Set to WAN

Description

Set to Mobile IPsec

Authentication Method

Set to EAP-MSCHAPv2

My identifier

Choose Distinguished Name from the drop-down list and then enter the hostname of the firewall, same as it was entered into the server certificate, vpn.example.com

Peer Identifier

Set to Any

My Certificate

Choose the IPsec Server Certificate created earlier

My Certificate Authority

Choose the Certificate Authority created earlier

Encryption Algorithm

Algorithm: Set to AES
Key Length: Set to 256 bits
Hash: Set to SHA256
DH Group: Set to 14 (2048 bit)

Multiple combinations of encryption, hash, and DH options may be created to accommodate various clients with different requirements. Click fa-plus Add Algorithm to add more entries.

Lifetime

Must be set to 28800

Disable Rekey

Leave unchecked

Disable Reauth

Leave unchecked

Responder Only

Leave unchecked

MOBIKE

Set to Enable to allow clients to roam between IP addresses, otherwise set to Disable.

DPD

Enable DPD: Checked
Delay: 10 seconds
Max failures: 5

Click Save

Phase 2¶

Click Show Phase 2 Entries to expand the list of mobile phase 2 entries
Click Add P2 to add a new mobile phase 2.

Mode

Set to Tunnel IPv4

Local Network

Set to LAN subnet or another local network.

To tunnel all traffic over the VPN, use Network and enter 0.0.0.0 with a mask of 0

NAT/BINAT

Set to None

Protocol

Set to ESP, which will encrypt tunneled traffic

Encryption algorithms

Set to AES with Auto selected for key length.

Hash algorithms

Select SHA256

PFS

Set to off

Lifetime

Set to 3600

Click Save
Click Apply changes

The tunnel setup for mobile clients is complete.

Mobile IPsec User Creation¶

The next step is to add users for use by EAP-MSCHAPv2.

Navigate to VPN > IPsec, Pre-Shared Keys tab
Click Add to add a new key
Configure the options as follows:

Identifier: The username for the client, can be expressed in multiple ways, such as an e-mail address like jimp@example.com
Secret Type: Set to EAP for EAP-MSCHAPv2 users
Pre-Shared Key: The password for the client, for example abc123

Click Save
Repeat as many times as needed for additional VPN users.

A complete user is shown in Figure Mobile IPsec User.

Mobile IPsec User¶

Firewall Rules¶

As with the static site-to-site tunnels, mobile tunnels will also need firewall rules added to the IPsec tab under Firewall > Rules. In this instance the source of the traffic would be the subnet chosen for the mobile clients and the destination will be the LAN network, or any if tunneling all traffic. For more details, IPsec and firewall rules.

Client Configuration¶

Each mobile client computer will need to have a VPN instance added. In some cases a third-party IPsec client may be required. There are many different IPsec clients available for use, some free, and some commercial applications. With IKEv2, as used in this example, many operating systems have native VPN clients and do not need extra software.