Important

Netgate is offering COVID-19 aid for pfSense software users, learn more.

IPsec Remote Access VPN Example Using IKEv2 with EAP-MSCHAPv2

IKEv2 Server Configuration

There are several components to the server configuration for mobile clients:

  • Creating a certificate structure for the VPN

  • Configuring the IPsec Mobile Client settings

  • Creating the phase 1 and phase 2 for the client connection

  • Adding IPsec firewall rules.

  • Create user credentials for the VPN

IKEv2 Certificate Structure

Create a Certificate Authority

If a suitable Certificate Authority (CA) is not present in the Cert Manager, creating one is the first task:

  • Navigate to System > Cert Manager on the pfSense® firewall

  • Click fa-plus Add to create a new certificate authority

  • Select Create an internal Certificate Authority for the Method

  • Fill in the rest of the fields as desired with company or site-specific information

  • Click Save

Create a Server Certificate

Warning

Follow these directions exactly, paying close attention to how the server certificate is created at each step. If any one part is incorrect, some or all clients may fail to connect.

  • Navigate to System > Cert Manager, Certificates tab on the pfSense firewall

  • Click fa-plus Add to create a new certificate

  • Select Create an internal certificate for the Method

  • Enter a Descriptive Name such as IKEv2 Server

  • Select the appropriate Certificate Authority created in the previous step

  • Choose the desired Key Type, Key length, Digest algorithm, and Lifetime

  • Enter the Common Name as the hostname of the firewall as it exists in DNS. If clients will connect by IP address, place the IP address here instead

  • Fill in the regional and company values in the Distinguished name fields as desired, they are copied from the CA and may be left as-is

  • Set the Certificate Type to Server Certificate

  • Click fa-plus Add to add a new Alternative Name

  • Enter FQDN or Hostname in the Type field

  • Enter the hostname of the firewall as it exists in DNS again in the Value field

  • Click fa-plus Add to add another new Alternative Name

  • Enter IP Address in the Type field

  • Enter the WAN IP address of the firewall in the Value field

  • Add more Alternative Names as needed for additional hostnames or IP addresses on the firewall that clients may use to connect

  • Click Save

Tip

As an alternative, the ACME package (ACME package) can generate a server certificate which will be trusted natively by many clients.

Mobile Client Settings

Before configuring a mobile IPsec instance, first choose an IP address range to use for mobile clients. Ensure that IP addresses do not overlap any existing network; The IP addresses must differ from those in use at the site hosting the mobile tunnel as well as the LAN from which the client will be connecting. In this example, 10.3.200.0/24 will be used, but it can be any unused subnet.

First, enable IPsec on the firewall if it has not already been enabled:

  • Navigate to VPN > IPsec

  • Check Enable IPsec

  • Click Save

Mobile client support must also be enabled:

  • Navigate to VPN > IPsec

  • Click on the Mobile clients tab (Figure Enable Mobile IPsec Clients).

  • Check Enable IPsec Mobile Client Support

../_images/ipsec-ipsec_mobile_enable.png

Enable Mobile IPsec Clients

  • Leave the authentication sources set to Local Database, as seen in Figure Mobile Clients Authentication. This setting is not needed for EAP- MSCHAPv2, but it must have something selected. RADIUS servers defined in the User Manager (User Management and Authentication) can be selected here for authenticating users when using EAP-RADIUS.

../_images/ipsec-ipsec_mobile_modecfg_auth.png

Mobile Clients Authentication

Some settings may be pushed to the client, such as the client IP address and DNS servers. These options are shown in Figure Mobile Clients Pushed Settings. Support for these options varies between clients, but is common and well-supported in most current operating systems.

Virtual Address Pool

Defines the pool of IP addresses that will be handed out to clients. Use 10.3.200.0/24 for this example.

Virtual IPv6 Address Pool

Same as above, but for IPv6 addresses.

Network List

Controls whether the client will attempt to send all of its traffic across the tunnel, or only traffic for specific networks. If this option is checked, then the networks defined in the Local Network options for the mobile phase 2 definitions will be sent to the client. If this option is unchecked, the clients will attempt to send all of their traffic, including Internet traffic, across the tunnel. Not all clients respect this option. For this example, the client can only reach the network in the phase 2, so check this option.

Save Xauth Password

When checked, clients that support this control will allow the user to save their credentials when using Xauth. This is mainly respected by Cisco-based clients like the one found on iOS and Mac OS X. Since IKEv2 is being used in this example, it is not important.

DNS Default Domain

When checked, the value entered into the box will be pushed to clients as their default domain suffix for DNS requests. For example if this is set to example.com and a client requests host, then the DNS request will be attempted for host.example.com.

Split DNS

Controls how the client will send DNS requests to the DNS Server supplied (if any). If this option is unchecked, the client will send all of its DNS requests to a provided DNS Server. If the option is checked, but left empty, and a DNS Default Domain is set, then only requests for that domain name will go to the provided DNS Server. If it’s checked and a value is entered, then only requests for the domain(s) entered in the box will be forwarded to the provided DNS Server. In this example, both example.com and example.org are used and DNS requests for those two domains will to go to the VPN servers, so enter those values here separated by a space.

DNS Servers

When Provide a DNS server list to clients is checked, and IP addresses are entered for the local DNS servers, such as 10.3.0.1, these values are sent to clients for use while the VPN is connected.

Note

If mobile clients will route to the Internet over the VPN, ensure the clients get a DNS Server from the firewall using this option, and that they do not have Split DNS enabled. If this is not done, the clients will attempt to get DNS from whatever server they were assigned by their ISP, but route the request across the tunnel and it will most likely fail.

WINS Servers

Works similar to DNS servers, but for WINS. Rarely used these days, best left disabled.

Phase 2 PFS Group

Overrides the PFS setting for all Mobile Phase 2 entries. Generally best to set this value on the P2 entries individually, so leave unchecked.

Login Banner

Optional, and only works on Xauth clients. Leave unchecked and blank.

../_images/ipsec-ipsec_mobile_modecfg.png

Mobile Clients Pushed Settings

  • Click Save and pfSense will display a warning that there is no phase 1 definition for mobile clients

  • Click Create Phase 1 to make a new Phase 1 entry for mobile clients

  • Click the Tunnels tab

../_images/ipsec-ipsec_mobile_p1_create.png

Mobile Clients Phase 1 Creation Prompt

Phase 1

The Phase 1 configuration for mobile clients is presented, and must be configured as follows:

Key Exchange Version

Set to V2

Internet Protocol

Set to IPv4 for this example

Interface

Set to WAN

Description

Set to Mobile IPsec

Authentication Method

Set to EAP-MSCHAPv2

My identifier

Choose Distinguished Name from the drop-down list and then enter the hostname of the firewall, same as it was entered into the server certificate, vpn.example.com

Peer Identifier

Set to Any

My Certificate

Choose the IPsec Server Certificate created earlier

My Certificate Authority

Choose the Certificate Authority created earlier

Encryption Algorithm
Algorithm

Set to AES

Key Length

Set to 256 bits

Hash

Set to SHA256

DH Group

Set to 14 (2048 bit)

Multiple combinations of encryption, hash, and DH options may be created to accommodate various clients with different requirements. Click fa-plus Add Algorithm to add more entries.

Lifetime

Must be set to 28800

Disable Rekey

Leave unchecked

Disable Reauth

Leave unchecked

Responder Only

Leave unchecked

MOBIKE

Set to Enable to allow clients to roam between IP addresses, otherwise set to Disable.

DPD
Enable DPD

Checked

Delay

10 seconds

Max failures

5

  • Click Save

Phase 2

  • Click fa-plus-circle Show Phase 2 Entries to expand the list of mobile phase 2 entries

  • Click fa-plus Add P2 to add a new mobile phase 2.

Mode

Set to Tunnel IPv4

Local Network

Set to LAN subnet or another local network.

To tunnel all traffic over the VPN, use Network and enter 0.0.0.0 with a mask of 0

NAT/BINAT

Set to None

Protocol

Set to ESP, which will encrypt tunneled traffic

Encryption algorithms

Set to AES with Auto selected for key length.

Hash algorithms

Select SHA256

PFS

Set to off

Lifetime

Set to 3600

  • Click Save

  • Click Apply changes

The tunnel setup for mobile clients is complete.

Mobile IPsec User Creation

The next step is to add users for use by EAP-MSCHAPv2.

  • Navigate to VPN > IPsec, Pre-Shared Keys tab

  • Click fa-plus Add to add a new key

  • Configure the options as follows:

Identifier

The username for the client, can be expressed in multiple ways, such as an e-mail address like jimp@example.com

Secret Type

Set to EAP for EAP-MSCHAPv2 users

Pre-Shared Key

The password for the client, for example abc123

  • Click Save

  • Repeat as many times as needed for additional VPN users.

A complete user is shown in Figure Mobile IPsec User.

../_images/ipsec-ipsec_mobile_user.png

Mobile IPsec User

Firewall Rules

As with the static site-to-site tunnels, mobile tunnels will also need firewall rules added to the IPsec tab under Firewall > Rules. In this instance the source of the traffic would be the subnet chosen for the mobile clients and the destination will be the LAN network, or any if tunneling all traffic. For more details, IPsec and firewall rules.

Client Configuration

Each mobile client computer will need to have a VPN instance added. In some cases a third-party IPsec client may be required. There are many different IPsec clients available for use, some free, and some commercial applications. With IKEv2, as used in this example, many operating systems have native VPN clients and do not need extra software.