IPsec Remote Access VPN Example Using IKEv2 with EAP-MSCHAPv2
IKEv2 Server Configuration
There are several components to the server configuration for mobile clients:
Creating a certificate structure for the VPN
Configuring the IPsec Mobile Client settings
Creating the phase 1 and phase 2 for the client connection
Adding IPsec firewall rules
Creating user credentials for the VPN
IKEv2 Certificate Structure
Create a Server Certificate
Follow these directions exactly, paying close attention to how the server certificate is created at each step. If any one part is incorrect, some or all clients may fail to connect.
Navigate to System > Cert Manager, Certificates tab on the pfSense firewall
Click Add to create a new certificate
Select Create an internal certificate for the Method
Enter a Descriptive Name such as
Select the appropriate Certificate Authority created in the previous step
Choose the desired Key Type, Key length, Digest algorithm, and Lifetime
Enter the Common Name as the hostname of the firewall as it exists in DNS. If clients will connect by IP address, place the IP address here instead
Fill in the regional and company values in the Distinguished name fields as desired. They are copied from the CA and may be left as-is
Set the Certificate Type to Server Certificate
Click Add to add a new Alternative Name
Choose FQDN or Hostname in the Type field
Enter the hostname of the firewall as it exists in DNS again in the Value field
Click Add to add another new Alternative Name
Choose IP Address in the Type field
Enter the WAN IP address of the firewall in the Value field
Add more Alternative Names as needed for additional hostnames or IP addresses on the firewall that clients may use to connect
As an alternative, the ACME package can generate a server certificate which will be trusted natively by many clients.
Mobile Client Settings
Before configuring a mobile IPsec instance, first choose an IP address range to use for mobile clients. Ensure that the IP addresses do not overlap any existing network: they must differ from those in use at the site hosting the mobile tunnel as well as from the LAN from which the client will be connecting. In this example, 10.3.200.0/24 will be used, but it can be any unused subnet.
First, enable IPsec on the firewall if it has not already been enabled:
Navigate to VPN > IPsec
Check Enable IPsec
Mobile client support must also be enabled:
Navigate to VPN > IPsec
Click on the Mobile clients tab (Figure Enable Mobile IPsec Clients).
Check Enable IPsec Mobile Client Support
Leave the authentication sources set to Local Database, as seen in Figure Mobile Clients Authentication. This setting is not needed for EAP-MSCHAPv2, but it must have something selected. RADIUS servers defined in the User Manager (User Management and Authentication) can be selected here for authenticating users when using EAP-RADIUS.
Some settings may be pushed to the client, such as the client IP address and DNS servers. These options are shown in Figure Mobile Clients Pushed Settings. Support for these options varies between clients, but is common and well-supported in most current operating systems.
- Virtual Address Pool
Defines the pool of IP addresses that will be handed out to clients. Use 10.3.200.0/24 for this example.
- Virtual IPv6 Address Pool
Same as above, but for IPv6 addresses.
- Network List
Controls whether the client will attempt to send all of its traffic across the tunnel, or only traffic for specific networks. If this option is checked, then the networks defined in the Local Network options for the mobile phase 2 definitions will be sent to the client. If this option is unchecked, the clients will attempt to send all of their traffic, including Internet traffic, across the tunnel. Not all clients respect this option. For this example, the client can only reach the network in the phase 2, so check this option.
- Save Xauth Password
When checked, clients that support this control will allow the user to save their credentials when using Xauth. This is mainly respected by Cisco-based clients like the one found on iOS and Mac OS X. Since IKEv2 is being used in this example, it is not important.
- DNS Default Domain
When checked, the value entered into the box will be pushed to clients as their default domain suffix for DNS requests. For example, if this is set to example.com and a client requests host, then the DNS request will be attempted for
- Split DNS
Controls how the client will send DNS requests to the DNS Server supplied (if any). If this option is unchecked, the client will send all of its DNS requests to a provided DNS Server. If the option is checked but left empty, and a DNS Default Domain is set, then only requests for that domain name will go to the provided DNS Server. If it is checked and a value is entered, then only requests for the domain(s) entered in the box will be forwarded to the provided DNS Server. In this example, both example.org are used and DNS requests for those two domains will go to the VPN servers, so enter those values here separated by a space.
- DNS Servers
When Provide a DNS server list to clients is checked, and IP addresses are entered for the local DNS servers, such as 10.3.0.1, these values are sent to clients for use while the VPN is connected.
If mobile clients will route to the Internet over the VPN, ensure the clients get a DNS Server from the firewall using this option, and that they do not have Split DNS enabled. If this is not done, the clients will attempt to get DNS from whatever server they were assigned by their ISP, but route the request across the tunnel and it will most likely fail.
- WINS Servers
Works similarly to DNS Servers, but for WINS. Rarely used these days; best left disabled.
- Phase 2 PFS Group
Overrides the PFS setting for all Mobile Phase 2 entries. It is generally best to set this value on the P2 entries individually, so leave this unchecked.
- Login Banner
Optional, and only works on Xauth clients. Leave unchecked and blank.
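As an added pre-flight check that is not part of the pfSense documentation, the following Python script tests the address plan from the mobile client range paragraph above and the DNS note under DNS Servers: the pool must be an unused subnet, and with Network List checked a pushed DNS server must sit inside a phase 2 Local Network or clients cannot reach it. The LAN 10.3.0.0/24 and WAN 203.0.113.0/24 values are constructed sample inputs.

```python
import ipaddress


def check_mobile_ipsec_plan(pool, firewall_networks, phase2_local_networks,
                            dns_servers, network_list=True, client_lans=()):
    """Pre-flight check of the address plan for mobile IKEv2 clients.

    pool                  -- Virtual Address Pool handed to clients
    firewall_networks     -- subnets already in use on the firewall (LAN, WAN, ...)
    phase2_local_networks -- Local Network of each mobile phase 2 entry
    dns_servers           -- addresses pushed via "Provide a DNS server list"
    network_list          -- state of the "Network List" checkbox
    client_lans           -- subnets clients are known to connect from (optional)
    Returns a list of problem strings; an empty list means nothing was found.
    """
    problems = []
    pool_net = ipaddress.ip_network(pool, strict=True)
    # The pool must be an unused subnet: it may not overlap anything the
    # firewall already routes, nor the LAN a client connects from.
    for label, nets in (("firewall", firewall_networks), ("client LAN", client_lans)):
        for n in nets:
            if pool_net.overlaps(ipaddress.ip_network(n, strict=False)):
                problems.append(f"pool {pool} overlaps {label} network {n}")
    p2 = [ipaddress.ip_network(n, strict=False) for n in phase2_local_networks]
    # A phase 2 Local Network that contains the pool would route client
    # traffic back into the tunnel (0.0.0.0/0 for full tunnelling is fine).
    for net in p2:
        if net.prefixlen != 0 and pool_net.overlaps(net):
            problems.append(f"phase 2 local network {net} overlaps pool {pool}")
    # With Network List checked only the phase 2 Local Networks are pushed as
    # routes, so a pushed DNS server has to live inside one of them.
    if network_list:
        for dns in dns_servers:
            addr = ipaddress.ip_address(dns)
            if not any(addr in net for net in p2):
                problems.append(f"DNS server {dns} is not inside any phase 2 local network")
    elif not dns_servers:
        # Full tunnel without a pushed resolver: the client keeps its ISP DNS
        # server but sends the query over the tunnel, which usually fails.
        problems.append("full tunnel configured but no DNS server is pushed to clients")
    return problems


if __name__ == "__main__":
    # Constructed values following the example: LAN 10.3.0.0/24, WAN 203.0.113.0/24
    for p in check_mobile_ipsec_plan("10.3.200.0/24", ["10.3.0.0/24", "203.0.113.0/24"],
                                     ["10.3.0.0/24"], ["10.3.0.1"]):
        print(p)
```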
Click Save; pfSense will display a warning that there is no phase 1 definition for mobile clients
Click Create Phase 1 to make a new Phase 1 entry for mobile clients
Click the Tunnels tab
The Phase 1 configuration for mobile clients is presented, and must be configured as follows:
- Key Exchange Version
Set to V2
- Internet Protocol
Set to IPv4 for this example
- Interface
Set to WAN
- Authentication Method
Set to EAP-MSCHAPv2
- My identifier
Choose Distinguished Name from the drop-down list and then enter the hostname of the firewall, the same as it was entered into the server certificate.
- Peer Identifier
Set to Any
- My Certificate
Choose the IPsec Server Certificate created earlier
- My Certificate Authority
Choose the Certificate Authority created earlier
- Encryption Algorithm
Set to AES
- Key Length
Set to 256 bits
- Hash Algorithm
Set to SHA256
- DH Group
Set to 14 (2048 bit)
Multiple combinations of encryption, hash, and DH options may be created to accommodate various clients with different requirements. Click Add Algorithm to add more entries.
Must be set to
- Disable Rekey
- Disable Reauth
- Responder Only
- MOBIKE
Set to Enable to allow clients to roam between IP addresses, otherwise set to Disable.
- Enable DPD
- Max failures
Click Show Phase 2 Entries to expand the list of mobile phase 2 entries
Click Add P2 to add a new mobile phase 2.
- Mode
Set to Tunnel IPv4
- Local Network
Set to LAN subnet or another local network. To tunnel all traffic over the VPN, use Network and enter 0.0.0.0 with a mask of 0.
- NAT/BINAT translation
Set to None
- Protocol
Set to ESP, which will encrypt tunneled traffic
- Encryption algorithms
Set to AES with Auto selected for key length.
- Hash algorithms
- PFS key group
Set to off
Click Apply changes
The tunnel setup for mobile clients is complete.
Mobile IPsec User Creation
The next step is to add users for use by EAP-MSCHAPv2.
Navigate to VPN > IPsec, Pre-Shared Keys tab
Click Add to add a new key
Configure the options as follows:
- Identifier
The username for the client. This can be expressed in multiple ways, such as an e-mail address like
- Secret Type
Set to EAP for EAP-MSCHAPv2 users
- Pre-Shared Key
The password for the client, for example
Repeat as many times as needed for additional VPN users.
A complete user is shown in Figure Mobile IPsec User.
As with the static site-to-site tunnels, mobile tunnels will also need firewall rules added to the IPsec tab under Firewall > Rules. In this instance the source of the traffic would be the subnet chosen for the mobile clients and the destination will be the LAN network, or any if tunneling all traffic. For more details, see IPsec and firewall rules.
Each mobile client computer will need to have a VPN instance added. In some cases a third-party IPsec client may be required. There are many different IPsec clients available for use, some free, and some commercial applications. With IKEv2, as used in this example, many operating systems have native VPN clients and do not need extra software.