Scribd Logo
Upload

Welcome to Scribd!

  • PfSense Config VPN

    Uploaded by

    romo
    5 views4 pages

    Original Title

    491631014-PfSense-Config-VPN

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    5 views4 pages

    PfSense Config VPN

    Uploaded by

    romo

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 4

    L2TP/IPsec Remote Access VPN Configuration

    Example
    On current versions of pfSense® software, L2TP/IPsec may be configured for mobile
    clients, though it is not a configuration we recommend.

    Warning

    Users have reported issues with Windows L2TP/IPsec clients behind NAT. If the clients will
    be behind NAT, Windows clients will most likely not function. Consider an IKEv2
    implementation instead.
    As warned at the start of the chapter, the Windows client, among others, and the
    strongSwan IPsec daemon are not always compatible, leading to failure in many cases. We
    strongly recommend using another solution such as IKEv2 instead of L2TP/IPsec.

    See also

    IPsec Remote Access VPN Example Using IKEv2 with EAP-MSCHAPv2 contains a
    walkthrough for configuring IKEv2.
    Before configuring the IPsec portion, setup the L2TP server as described in L2TP Server
    Configuration and add users, firewall rules, etc, as covered there.

    Setup IPsec
    These settings have been tested and found to work with some clients, but other similar
    settings may function as well. Feel free to try other encryption algorithms, hashes, etc.

    Mobile Clients Tab


     Navigate to VPN > IPsec, Mobile Clients tab in the pfSense WebGUI
     Check Enable IPsec Mobile Client Support
     Set User Authentication to Local Database (Not used, but the option must have
    something selected)
     Uncheck Provide a virtual IP address to clients
     Uncheck Provide a list of accessible networks to clients
     Click Save
    Phase 1

     Click the Create Phase1 button at the top if it appears, or edit the existing Mobile IPsec
    Phase 1

     If there is no Phase 1, and the Create Phase1 button does not appear, navigate back
    to the Mobile Clients tab and click it there.
     Set Key Exchange version to v1
     Enter an appropriate Description
     Set Authentication method to Mutual PSK
     Set Negotiation Mode to Main
     Set My Identifier to My IP address
     Set Encryption algorithm to AES 256
     Set Hash algorithm to SHA1
     Set DH key group to 14 (2048 bit)
    Note

    iOS and other platforms may work with a DH key group of 2 instead.
     Set Lifetime to 28800
     Uncheck Disable Rekey
     Set NAT Traversal to Auto
     Check Enable DPD, set for 10 seconds and 5 retries
     Click Save
    Phase 2

     Click Show Phase 2 Entries to show the Mobile IPsec Phase 2 list
     Click Add P2 to add a new Phase 2 entry if one does not exist, or click to edit an
    existing entry
     Set Mode to Transport
     Enter an appropriate Description
     Set Protocol to ESP
     Set Encryption algorithms to ONLY AES 128
     Set Hash algorithms to ONLY SHA1
     Set PFS Key Group to off
     Set Lifetime to 3600
     Click Save
    Pre-Shared Key

    The Pre-Shared Key for the connection, which is common for all clients, must be configured
    in a special way.

     Navigate to VPN > IPsec, Pre-Shared Keys tab on pfSense


     Click Add to add a new PSK
     Set the Identifier to allusers
    Note

    The allusers name is a special keyword used by pfSense to configure a wildcard PSK,
    which is necessary for L2TP/IPsec to function. Do not use any other Identifier for this
    PSK!
     Set Secret Type to PSK
     Enter a Pre-Shared Key, such as aaabbbccc – ideally one a lot longer, more random, and
    secure!
     Click Save
     Click Apply Changes
    IPsec Firewall Rules

    Firewall rules are necessary to pass traffic from the client host over IPsec to establish the
    L2TP tunnel, and inside L2TP to pass the actual tunneled VPN traffic to systems across the
    VPN. Adding the L2TP rules was covered in the previous section. To add IPsec rules:

     Navigate to Firewall > Rules, IPsec tab


     Review the current rules. If there is an “allow all” style rule, then there is no need to add
    another. Continue to the next task.
     Click Add to add a new rule to the top of the list
     Set the Protocol to any
     Set the Source and Destination to any
    Note

    This does not have to pass all traffic, but must at least pass L2TP (UDP port 1701 ) to the
    WAN IP address of the firewall
     Click Save
     Click Apply Changes
    DNS Configuration

    If DNS servers are supplied to the clients and the Unbound DNS Resolver is used, then the
    subnet chosen for the L2TP clients must be added to its access list.

     Navigate to Services > DNS Resolver, Access Lists tab


     Click Add to add a new access list
     Enter an Access List Name, such as VPN Users
     Set Action to Allow
     Click Add Network under Networks to add a new network
     Enter the VPN client subnet into the Network box, e.g. 10.3.177.128
     Choose the proper CIDR, e.g. 25
     Click Save
     Click Apply Changes
    Client Setup

    When configuring clients, there are a few points to look for:

     Ensure that the client operating system configuration is set to connect to the proper
    external address for the VPN.
     It may be necessary to force the VPN type to L2TP/IPsec on the client if it has an
    automatic mode.
     The client authentication type must match what is configured on the L2TP server
    (e.g. CHAP)

    You might also like