PFSense VPN Easy Peasy way

Posted by pete_c, 12 June 2016 · 1792 views

Base: 2.3.2-DEVELOPMENT (amd64) - Note the pfSense interface has been rewritten. Much easier navigation.

Note: this is a post from over here on Cocoontech. The pfSense navigation/GUI has been updated a bit over the years, and this post relates to the current beta version.

1 - Log in to your pfSense box and select VPN -> IPsec. Go to the Tunnels tab and make sure Enable IPsec is checked. Then add a phase 1 entry and make sure the following values are set:

General Information
  • Disabled: Unchecked
  • Internet Protocol: IPv4
  • Interface: WAN
  • Description: (empty)
Phase 1 proposal (authentication)
  • Authentication method: Mutual PSK + Xauth
  • Negotiation mode: aggressive
  • My identifier: My IP address
  • Peer identifier: Type: Distinguished name; Value: <identifier>
  • Pre-Shared Key: <pre-shared secret>
  • Policy Generation: Unique
  • Proposal Checking: Default
  • Encryption algorithm: AES 256 bits
  • Hash algorithm: SHA1
  • DH key group: 2 (1024 bit)
  • Lifetime: 86400 seconds
Advanced Options
  • NAT Traversal: Enable
  • Dead Peer Detection: Unchecked
 
2 - In my case, I have chosen vpnusers as the value for <identifier>, but you can choose whatever you like. Just choose a simple-to-remember name here; once it works, do not forget to change it to something stronger. Save your settings and go back to the VPN -> IPsec menu. Now add a phase 2 entry to the already existing phase 1 entry with the following values set:

General Information
  • Disabled: Unchecked
  • Mode: Tunnel IPv4
  • Local Network: Type: LAN subnet
  • Description: (empty)
Phase 2 proposal (SA/Key Exchange)
  • Protocol: ESP
  • Encryption algorithms: AES 256 bits
  • Hash algorithms: SHA1
  • PFS key group: off
  • Lifetime: 28800 seconds
Advanced Options
  • Automatically ping host: (empty)
 
3 - Again, save your changes and go back to the VPN -> IPsec menu. Now select the Mobile clients tab and make sure the following values are set:

IKE Extensions
  • Enable IPsec Mobile Client Support: Checked
Extended Authentication (Xauth)
  • User Authentication: Source: Local Database
  • Group Authentication: Source: system
Client Configuration (mode-cfg)
  • Virtual Address Pool: Provide a virtual IP address to clients: Checked; Network: 192.168.111.0/24
  • Network List: Provide a list of accessible networks to clients: Unchecked
  • Save Xauth Password: Allow clients to save Xauth passwords: Checked
  • DNS Default Domain: Provide a default domain name to clients: Checked; Value: localdomain
  • Split DNS: Provide a list of split DNS domain names to clients: Unchecked; Value: (empty)
  • DNS Servers: Provide a DNS server list to clients: Checked; Server #1: 8.8.8.8; Server #2, #3 and #4: (empty)
  • WINS Servers: Provide a WINS server list to clients: Unchecked; Server #1 and #2: (empty)
  • Phase 2 PFS Group: Provide the Phase 2 PFS group to clients: Unchecked; Group: off
  • Login Banner: Provide a login banner to clients: Checked; Value: (whatever text you like)
 
4 - Save your changes. Now go to System -> User Manager and select the Groups tab.
  • Add a new group called vpnusers. Make sure the group has the privilege User – VPN – IPsec xauth Dialin set. Save it.
  • Now go to the Users tab and create the user that will later be used to connect to your VPN box. Make sure the user is a member of the group vpnusers.

5 - Now we need to open the firewall to allow VPN connections to pass through. Go to Firewall -> Rules and select the WAN tab. Configure the following rules:

  • Proto: IPv4 UDP; Source: *; Port: *; Destination: *; Port: 500 (ISAKMP); Gateway: *; Queue: None; Schedule: (empty); Description: IPsec
  • Proto: IPv4 UDP; Source: *; Port: *; Destination: *; Port: 4500 (IPsec NAT-T); Gateway: *; Queue: None; Schedule: (empty); Description: IPsec

Then select the IPsec tab and add a rule which allows all traffic to go through the VPN connection:

  • Proto: IPv4 *; Source: *; Port: *; Destination: *; Port: *; Gateway: *; Queue: None; Schedule: (empty); Description: Allow all
 
6 - Configuring Your iPhone:
In order to get your iPhone, iPad or MacBook running, just enter the following parameters:

  • VPN Type: IPsec
  • Description: <Description>
  • Server: <IP/hostname of your VPN endpoint>
  • Account: <user>
  • Password: <password>
  • Group: <identifier>
  • Shared Secret: <pre-shared secret>
  • Proxy: Off
 
7 - Configuring Your Android Device
  • Name: <Description>
  • Type: IPSec Xauth PSK
  • Server address: <IP/hostname of your VPN endpoint>
  • IPSec identifier: <identifier>
  • IPSec pre-shared key: <pre-shared key>
 
8 - Configuring Your Windows PC. Use the Shrew Soft VPN client; the current version is 2.2.2. Personally tested on Windows XP Embedded, connecting the VPN over a wireless T-Mobile tether (LTE).

The configuration options I use are as follows:

General tab
  • Remote Host: Host Name or IP Address: <IP/hostname of your VPN endpoint>
  • Remote Host: Port: 500
  • Remote Host: Auto Configuration: ike config pull
  • Local Host: Adapter Mode: Use a virtual adapter and assigned address
  • Local Host: Obtain automatically: Checked
  • Local Host: MTU: 1380
Client tab
  • Firewall Options: NAT Traversal: enable
  • Firewall Options: NAT Traversal Port: 4500
  • Firewall Options: Keep-alive packet rate: 15
  • Firewall Options: IKE Fragmentation: enable
  • Firewall Options: Maximum packet size: 540
  • Other Options: Enable Dead Peer Detection: Checked
  • Other Options: Enable ISAKMP Failure Notifications: Checked
  • Other Options: Enable Client Login Banner: Checked
Name Resolution tab
  • DNS: Enable DNS: Checked
  • DNS: Obtain Automatically: Checked
  • DNS: Obtain Automatically (DNS Suffix): Checked
  • WINS: Enable WINS: Unchecked
Authentication tab
  • Authentication Method: Mutual PSK + XAuth
  • Local Identity: Identification Type: User Fully Qualified Domain Name
  • Local Identity: UFQDN String: <identifier>
  • Remote Identity: Identification Type: IP Address
  • Remote Identity: Address String: (empty)
  • Remote Identity: Use a discovered remote host address: Checked
  • Credentials: Server Certificate Authority File: (empty)
  • Credentials: Client Certificate File: (empty)
  • Credentials: Client Private Key File: (empty)
  • Credentials: Pre Shared Key: <pre-shared key>
Phase 1 tab
  • Proposal Parameters: Exchange Type: aggressive
  • Proposal Parameters: DH Exchange: group 2
  • Proposal Parameters: Cipher Algorithm: auto
  • Proposal Parameters: Cipher Key Length: (empty)
  • Proposal Parameters: Hash Algorithm: auto
  • Proposal Parameters: Key Life Time limit: 86400 seconds
  • Proposal Parameters: Key Life Data limit: 0 Kbytes
  • Enable Check Point Compatible Vendor ID: Unchecked
Phase 2 tab
  • Proposal Parameters: Transform Algorithm: auto
  • Proposal Parameters: Transform Key Length: (empty)
  • Proposal Parameters: HMAC Algorithm: auto
  • Proposal Parameters: PFS Exchange: disabled
  • Proposal Parameters: Compress Algorithm: disabled
  • Proposal Parameters: Key Life Time limit: 3600 seconds
  • Proposal Parameters: Key Life Data limit: 0 Kbytes
Policy tab
  • IPSEC Policy Configuration: Policy Generation Level: auto
  • IPSEC Policy Configuration: Maintain Persistent Security Associations: Unchecked
  • IPSEC Policy Configuration: Obtain Topology Automatically or Tunnel All: Checked
  • IPSEC Policy Configuration: Remote Network Resource: (empty)
 
9 - Configuring Your Linux PC

Use vpnc as a VPN client on Linux; it should be available on Ubuntu and Debian systems. It is command-line based and works pretty well. Install it using the command:

sudo apt-get install vpnc

After that, navigate to /etc/vpnc/ and create a copy of the default.conf configuration file, for example:

cp default.conf my-vpn.conf

Edit the newly created file and fill in the parameters like this:

IPSec gateway <IP/hostname of your VPN endpoint>
IPSec ID <identifier>
IPSec secret <pre-shared secret>
IKE Authmode psk
Xauth username <user>
Xauth password <password>

<identifier> and <pre-shared secret> are the values chosen earlier during the pfSense configuration; the Xauth username and password are the values entered for the user in the pfSense User Manager.

To connect using vpnc, just enter the following command:

sudo vpnc /etc/vpnc/my-vpn.conf

If you would like to disconnect later, just enter the following command, which also restores the previous routing configuration:

sudo vpnc-disconnect
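As an added example (not part of the original post): a small Python helper that renders the vpnc configuration above from the values chosen in the pfSense steps, creates the file with mode 0600 because it holds the group pre-shared key and the Xauth password in clear text, and checks the file before you hand it to vpnc. The gateway, identifier and account values in the test are placeholders I made up.

```python
import os
import stat

# Keywords vpnc expects in my-vpn.conf, in the order the post lists them.
REQUIRED = ("IPSec gateway", "IPSec ID", "IPSec secret",
            "IKE Authmode", "Xauth username", "Xauth password")

def build_vpnc_conf(gateway, identifier, psk, user, password):
    """Render my-vpn.conf: pfSense peer identifier -> IPSec ID, pfSense
    pre-shared key -> IPSec secret, User Manager account -> Xauth."""
    fields = {"gateway": gateway, "identifier": identifier, "psk": psk,
              "user": user, "password": password}
    for name, value in fields.items():
        if not value or "\n" in value or "\r" in value:
            raise ValueError(f"{name} must be a non-empty single-line value")
    return (f"IPSec gateway {gateway}\nIPSec ID {identifier}\n"
            f"IPSec secret {psk}\nIKE Authmode psk\n"
            f"Xauth username {user}\nXauth password {password}\n")

def write_vpnc_conf(path, content):
    """Create the file with mode 0600: it holds the group PSK and the Xauth password in clear text."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o600)  # tighten a pre-existing file that had a wider mode

def parse_vpnc_conf(text):
    """Parse 'Keyword value' lines into a dict keyed by the known keywords."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for key in REQUIRED:
            if line.startswith(key + " "):
                conf[key] = line[len(key):].strip()
                break
    return conf

def check_vpnc_conf(path):
    """Return problems: missing keywords, wrong auth mode, or a file others can read."""
    with open(path) as fh:
        conf = parse_vpnc_conf(fh.read())
    problems = [f"missing: {k}" for k in REQUIRED if k not in conf]
    if conf.get("IKE Authmode") != "psk":
        problems.append("IKE Authmode must be psk for Mutual PSK + Xauth")
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("file is readable by group/others")
    return problems
```

Run check_vpnc_conf on /etc/vpnc/my-vpn.conf before the first sudo vpnc; an empty list means every keyword is present, the auth mode matches the pfSense phase 1 setting, and no other local user can read the secrets.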




Pete, can you give me your opinion on doing it this way vs. using OpenVPN in pfSense?

 

Thank you!


I just noticed your post and apologies for not getting to it here.

 

I picked using IPSec VPN on a lark sort of. 

 

When I upgraded PFSense to 2.3.2-DEVELOPMENT I decided to rebuild the configuration from scratch.

 

Here I will repost from a similar discussion from a month or so ago on CT's sister forum.

 

I did test my IPSec stuff one weekend a few weeks ago on one of my Joggler tabletop tablets. It used the built-in tabletop wireless to my LTE Wintel mobile phone just fine, connecting to the home automation mothership (actually everything at home).

 

The Joggler is an old dual-threaded Intel CPU/512 MB of memory with a capacitance touchscreen which utilizes an EFI boot ROM. It runs Linux/Android or Wintel just fine.

 

Wintel works with the EFI boot rom (figured out in the Pacific Rim - China) and a replacement Seabios ROM provided to us via an old Openpeak employee.

 

OpenVPN

OpenVPN uses open-source technologies like the OpenSSL encryption library and SSL v3/TLS v1 protocols. It can be configured to run on any port, so you could configure a server to work over TCP port 443. The OpenSSL VPN traffic would then be practically indistinguishable from standard HTTPS traffic that occurs when you connect to a secure website. This makes it difficult to block completely.

It’s very configurable, and will be most secure if it’s set to use AES encryption instead of the weaker Blowfish encryption. OpenVPN has become a popular standard. We’ve seen no serious concerns that anyone (including the NSA) has compromised OpenVPN connections.

OpenVPN support isn’t integrated into popular desktop or mobile operating systems. Connecting to an OpenVPN network requires a third-party application — either a desktop application or a mobile app.

In Summary: OpenVPN is new and secure, although you will need to install a third-party application. This is the one you should probably use.

 

Here personally got involved with this stuff as a global money-saving endeavor for a client base of around 100k users. Easy to use and with many layers of security......I did utilize it once in a bind stuck at a location due to a major snow storm....I was able to get to back end systems and do the doo of what I needed to do to get out and home....vpn dot ual dot com....(mid 2000's).

L2TP/IPsec

Layer 2 Tunnel Protocol is a VPN protocol that doesn’t offer any encryption. That’s why it’s usually implemented along with IPsec encryption. As it’s built into modern desktop operating systems and mobile devices, it’s fairly easy to implement. But it uses UDP port 500 — that means it can’t be disguised on another port, like OpenVPN can. It’s thus much easier to block and harder to get around firewalls with.

IPsec encryption should be secure, theoretically. There are some concerns that the NSA could have weakened the standard, but no one knows for sure. Either way, this is a slower solution than OpenVPN. The traffic must be converted into L2TP form, and then encryption added on top with IPsec. It’s a two-step process.

In Summary: L2TP/IPsec is theoretically secure, but there are some concerns. It’s easy to set up, but has trouble getting around firewalls and isn’t as efficient as OpenVPN. Stick with OpenVPN if possible, but definitely use this over PPTP.

 

Comments...

 

The router the OP has can also do pure IPSec. That would be better than L2TP/IPSec and it uses TCP instead of UDP.

With IPSec you need several ports open but if it's your router you control the show. The only problem might be an ISP that blocks incoming ports. Getting a business internet connection is one way to overcome that.

I seriously doubt OpenVPN is faster than IPSec because OpenVPN seems to be done mostly with software while IPSec is done mostly with hardware (for the VPN server side). The packet overhead is about the same.

I have reservations using a NAS as VPN endpoint. It's a giant ball of software with who-knows-what vulnerabilities. A dedicated hardware box like a router would be less risky since it is dedicated to routing/VPN.

 

There are some concerns that the NSA could have weakened the standard, but no one knows for sure.

 

If a rumor has floated and I find the technology plausible I assume the rumor is true. That assumption has been 100% accurate to this point.

I've said before that you can't stop the TLA's if they are interested in you. The problem is if someone has backdoored something the door will be discovered by someone else eventually. That assumption has never been proven wrong yet either. There are 65,535 ports and maybe 5 or 6 protocols that are practical threats for remote attacks. That's a few hundred thousand places to hide a back door with 3.2 billion internet users out there. It's about 8000 users for every potential hiding place.

We are all monkeys typing at keyboards. Eventually one of us will write Macbeth by accident.

 

Personally, as stated earlier, I utilize VPN here to get to my automation mothership and at-home resources.

 

While I do the best I can to secure my network, I am not and never have been concerned about all of this snooping chit-chat stuff, as mostly I have seen that a majority of folks these days don't care about personal postings relating to their last bowel movements to the public as if it is supposed to mean something.

 

I do see the have to use reasons these days relating to the nefarious ways of countries that block global news in or out of a country.  That is bad and well it's always been like this with radio / television / print et al type of stuff.  Well that and the dissemination of what is real or truthful versus what is made up for just media attention.

 

...to be continued...
