I recently had to configure the open-source firewall pfSense to allow VPN access for mobile clients, particularly those using OS X on Macs and iOS on iPhones and iPads.
I haven’t found too many examples out there from people who have set this up successfully, so I thought it might be helpful to share this information for others who are trying to set up a similar VPN configuration.
N.B. This works for pfSense 2.1. In pfSense 2.2 they completely changed the IPSec backend, so things are a little different at the frontend.
In System -> User Manager set up a suitable user as needed, and under Effective Privileges add User – VPN – IPsec xauth Dialin for that user.
Then go to VPN -> IPsec and set up the mobile IPsec client configuration as follows.
Tunnels: Phase 1 (Mobile Client)
- Disabled off
- Internet Protocol IPv4
- Interface WAN
- Description Remote access VPN [modify as needed]
Phase 1 proposal (Authentication)
- Authentication method Mutual PSK + Xauth
- Negotiation mode aggressive
- My identifier My IP address
- Peer identifier Distinguished name, MyIdentifier [modify as needed]
- Pre-Shared Key MyPresharedKey [modify as needed]
- Policy Generation Default
- Proposal Checking Default
- Encryption algorithm 3DES
- Hash algorithm SHA1
- DH key group 2 (1024 bit)
- NAT Traversal Force
- Dead Peer Detection on
Tunnels: Phase 2 (Mobile Client)
- Disabled off
- Mode Tunnel IPv4
- Local Network LAN subnet (NAT/BINAT None)
- Description [empty]
Phase 2 proposal (SA/Key Exchange)
- Protocol ESP
- Encryption algorithms AES auto, Blowfish auto, 3DES, CAST128
- Hash algorithms MD5, SHA1
- PFS key group off
- Automatically ping host [empty]
- IKE Extensions on
Extended Authentication (Xauth)
- User Authentication LocalDatabase
- Group Authentication none
Client Configuration (mode-cfg)
- Virtual Address Pool on, Network: 192.168.100.0/24 [modify as needed]
- Network List off
- Save Xauth Password off
- DNS Default Domain on, local.foo.com [modify as needed]
- Split DNS off
- DNS Servers on, Server #1: 192.168.1.200 [modify as needed]
- WINS Servers off
- Phase2 PFS Group off
- Login Banner on, Warning: don't be naughty! [modify as needed]
Pre-Shared Keys
- Identifier MyIdentifier [modify as needed, should match Peer identifier above]
- Pre-Shared Key MyPresharedKey [modify as needed, should match Pre-Shared Key above]
In Firewall -> Rules, go to the IPsec tab and make sure there’s a rule to allow all IPv4 traffic from anywhere to anywhere.
OS X configuration
In System Preferences -> Network, add a new interface of type VPN, VPN Type Cisco IPSec, and Service Name of your choice.
Server Address is the public IP of your firewall. Account Name is the pfSense user you set up earlier.
In Authentication Settings, Shared Secret is the pre-shared key you created on pfSense earlier, and Group Name is the identifier you created on pfSense earlier.
iOS configuration
In Settings -> VPN, add a new VPN configuration of type IPSec.
Description is up to you. Server is the public IP of your firewall. Account is the pfSense user you set up earlier. Group Name is the identifier you created on pfSense earlier. Secret is the pre-shared key you created on pfSense earlier.
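As an added example that is not part of the original post, the script below expresses the same OS X / iOS client settings as an Apple configuration profile (a .mobileconfig file) and cross-checks them against the pfSense values, since the post requires the Group Name, Secret and Account on the client to match the Peer identifier, Pre-Shared Key and xauth user on the firewall. The payload key names (PayloadType com.apple.vpn.managed, VPNType IPSec, the IPSec dictionary with LocalIdentifier, SharedSecret and XAuthName) follow Apple's Configuration Profile Reference; the server address, group name, pre-shared key, account name and PayloadIdentifier values are constructed placeholders.

```python
import plistlib
import uuid

# Constructed placeholders standing in for the pfSense values from the post;
# replace every one of them with the real settings of your own firewall.
PFSENSE_SETTINGS = {
    "peer_identifier": "MyIdentifier",   # Phase 1 Peer identifier / Pre-Shared Keys Identifier
    "pre_shared_key": "MyPresharedKey",  # Pre-Shared Key on both pfSense pages
    "xauth_user": "vpnuser",             # User Manager account with the IPsec xauth Dialin privilege
    "server_address": "203.0.113.10",    # public WAN IP of the firewall (constructed, documentation range)
}


def build_ipsec_profile(server_address, group_name, shared_secret, account_name,
                        display_name="Remote access VPN"):
    """Return the dictionary for an Apple configuration profile that creates a
    Cisco IPSec VPN service. Key names are from Apple's Configuration Profile
    Reference; the PayloadIdentifier strings are constructed placeholders."""
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ipsec",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "UserDefinedName": display_name,  # Service Name (OS X) / Description (iOS)
        "VPNType": "IPSec",
        "IPSec": {
            "AuthenticationMethod": "SharedSecret",
            "RemoteAddress": server_address,            # Server / Server Address
            "LocalIdentifier": group_name,              # Group Name = pfSense Peer identifier
            "LocalIdentifierType": "KeyID",
            "SharedSecret": shared_secret.encode("utf-8"),  # Secret, stored as plist <data>
            "XAuthEnabled": 1,
            "XAuthName": account_name,                  # Account = pfSense xauth user
            "PromptForVPNPIN": False,
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": [vpn_payload],
    }


def check_client_matches_firewall(profile, settings):
    """Compare the profile's IPSec settings with the pfSense values and return a
    list of mismatch descriptions; an empty list means the client and the
    firewall agree on identifier, pre-shared key, xauth user and server."""
    ipsec = profile["PayloadContent"][0]["IPSec"]
    problems = []
    if ipsec["LocalIdentifier"] != settings["peer_identifier"]:
        problems.append("Group Name does not match the pfSense Peer identifier")
    if ipsec["SharedSecret"] != settings["pre_shared_key"].encode("utf-8"):
        problems.append("Secret does not match the pfSense Pre-Shared Key")
    if ipsec["XAuthName"] != settings["xauth_user"]:
        problems.append("Account does not match the pfSense xauth user")
    if ipsec["RemoteAddress"] != settings["server_address"]:
        problems.append("Server does not match the firewall WAN address")
    return problems


def profile_to_mobileconfig(profile):
    """Serialise the profile as XML plist bytes, i.e. the .mobileconfig file."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    prof = build_ipsec_profile(
        PFSENSE_SETTINGS["server_address"],
        PFSENSE_SETTINGS["peer_identifier"],
        PFSENSE_SETTINGS["pre_shared_key"],
        PFSENSE_SETTINGS["xauth_user"],
    )
    mismatches = check_client_matches_firewall(prof, PFSENSE_SETTINGS)
    print(mismatches or "client profile matches the pfSense settings")
    with open("remote-access-vpn.mobileconfig", "wb") as fh:
        fh.write(profile_to_mobileconfig(prof))
```

Running the script writes remote-access-vpn.mobileconfig, which OS X installs when opened and iOS installs through Settings after it is delivered to the device. Note that the file carries the group pre-shared key in the clear, so it deserves the same handling as the key itself: deliver it through MDM or another channel you trust, not by plain e-mail, and do not leave copies lying around after installation.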