This, hopefully, will serve as the one document that definitively defines how to get a secure IPSEC VPN on PFSense that works on both Windows 10 and OSX.
This document is the result of a lot of trial-and-error, and research. I have included the PowerShell stuff kapara contributed, so credit to him on that part.
The original document, seen as the official go-to for IKEv2 VPN is https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
. This document is close, it's author did a good job at the time. However it is either out-of-date, unclear, and perhaps inaccurate in certain areas. The OSX instructions don't work at all for example.
This new document is based directly on that original document, with all the appropriate updates and changes. I'd love to just update the original if someone would give me access to to do. (I can do Wiki format).
Note: This document is for SPLIT VPN
, meaning, the client will retain local access to the Internet and the only traffic that will pass through your VPN is traffic destined for servers on your LAN side. (IE: This is not a VPN meant for hiding your Netflix country
This is copy/pasted from a Word doc so it's not going to format nicely here.IKEv2 with EAP-MSCHAPv2SECTION A: Set Up Certificates
1) Create a Certificate Authority
- Navigate to System > Cert Manager on pfSense.
- On the “CA” tab, click “Add” to create a new certificate authority.
- “Descriptive Name”: This will be the name of the certificate you give to people. Name is accordingly, no spaces or punctuation. IE: “vpnca”.
- Method: ‘Create an internal Certificate Authority’.
- Key length: 2048
- Digest Algorithm: sha256
- Lifetime: 3650 days (whatever you want but unless you want to keep having to re-issue this, just make it 10 years).
- Fill in the rest of the fields as desired with company or site-specific information. As this is a non-registered self-issued certificate, this doesn’t need to be accurate so long as you don’t care that people connecting could see wrong information if you do fudge it).
- “Common Name”: Put same as you used for “Descriptive Name” above.
- Click Save.
2) Create a Server Certificate
• Navigate to System > Cert Manager on pfSense.
• On the “Certificates” tab, click “Add” to create a new certificate.
• Method: “Create an internal certificate”.
• Enter a Descriptive Name such as IKEv2 VPN.
• For “Certificate Authority”, select the one you just created in Step 1.
• Choose the desired Key length, Digest algorithm, and Lifetime. The default of 2048, sha256 works fine. Lifetime, as in Step 1, leave at the 10 years (3650 days) unless you want to reissue certs to clients more frequently.
• “Certificate Type”: Server Certificate.
• The regional and company values are copied from the CA and may be left as-is.Common and Alternative Names:
Some people put their VPN server address in DNS. Others don’t and just give out the IP address. Some do both. The below steps should cover all 3 scenarios.
• “Common Name”: The hostname of this PFSense firewall as it exists in DNS. If clients will connect by IP address, place the WAN IP address here.
• Click “Add” to add a new Alternative Name
• Select “FQDN or Hostname” in the Type drop-down.
• Enter the same value you just used in Common Name.
• Click “Add” to add a 2nd new Alternative Name
• Select “IP address” in the Type drop-down.
• Enter the WAN IP address of the firewall in the Value field
• Add more Alternative Names as needed for additional hostnames or IP addresses on the firewall that clients may use to connect.
• Click SaveSECTION B: Set up Mobile IPsec for IKEv2+EAP-MSCHAPv2
1) Mobile Clients
• Navigate to VPN > IPsec, Mobile Clients tab on pfSense
• “IKE Extensions”: Check “Enable IPsec Mobile Client Support”
• “User Authentication”: Local Database
• “Group Authentication”: None.
• “Virtual Address Pool”: Check “Provide a virtual IP address to clients”.
For “Network configuration for Virtual Address Pool”: Getting this wrong means your clients will not be able to see any inside network resources. (IE: Anything on the LAN side of the firewall). The network range you put here must be completely off the LAN network that’s on your firewall. This includes, for example, if you have taken an entire /16, EG 10.1.0.0/16 as your LAN. Putting a pool of 10.1.2.0/24 here will not work, since the /16 covers everything that starts with 10.1.* If that’s how your network is set up, then do something completely different here, such as 172.16.1.0/24.
• Enter an unused private Network and appropriate subnet mask (such as /24). For this example, let’s use 172.16.1.0/24. (Unless that’s on your LAN then use something else that isn’t).
• Check “Provide a list of accessible networks to clients".
• Rest of options are unchecked.
• Click Save, then Apply.
2) IPSEC Phase 1
• If the “Create Phase 1” button appeared at the top of the page after you clicked Apply in the previous step, click it. Otherwise, go to the Tunnels Tab and “Add P1”.
• “Key Exchange version”: to IKEv2.
• “Description”: ‘Mobile Phase 1’ (Or whatever you want, it doesn’t matter).
• “Authentication method” to “EAP-MSChapv2”
• “My Identifier”: ‘Distinguished name’, and enter in either the hostname or WAN IP address.
• NOTE: This MUST match what you used as the “Common Name” of the server certificate, in Step 1.
• “Peer Identifier”: any.
• “My Certificate”: Select the server certificate created in Step 1.
• “Encryption algorithm”: “AES” and “256”
• “Hash algorithm”: SHA256
• Set DH key group to 2 (1024 bit) (Windows 10 doesn’t natively support anything else!)
• Set Lifetime to 28800
• Uncheck Disable Rekey
• Uncheck Disable Reauth
• Check Enable DPD, set for 10 seconds and 5 retries
• Click “Save”, then “Apply”.
3) IPSec Phase 2
• Back on the Tunnels tab, you will see the entry for “Mobile Client” you just created. Under it, click “Show Phase 2 Entries”, then click “Add P2”.
• “Mode”: Tunnel IPv4
• Set Local Network as desired, usually “LAN subnet”. (Select this if not sure).
• If your intent is to pass all traffic, including Internet traffic, across the VPN, set “Local Network” to “Network”, and enter 0.0.0.0 for the address, and /0 for the subnet.
• “NAT/BINAT”: None.
• Description”: ‘Mobile Phase 2’.
• “Protocol”: ESP
• “Encryption Algorithms”:
• Just “AES, 256”.
• “Hash Algorithms”: SHA1 (Windows 10 needs this), SHA256, SHA384, SHA512.
• “PFS Key Group”: off
• “Lifetime”: 3600
• “Automatically ping host”: leave blank.
• Click Save, then Apply.
4) Create Client Pre-Shared Keys
Mobile user logins and passwords are defined as a Pre-Shared Key. This document covers using EAP, the default way. The draw-back with the default way is that the usernames and passwords are visible in plain-text to anyone who has access to your PFSense web admin. (Not anywhere else – just the web admin). In theory that should only be you, or certain sysadmins, and this isn’t a problem. However, if that doesn’t float your boat you can always set up and use a RADIUS server service. The setup is nearly identical. Follow the directions on this page and then see IKEv2 with EAP-RADIUS for the needed adjustments. Some changes for EAP-RADIUS to work effectively are only found in pfSense 2.2.5-RELEASE and later.
• Navigate to VPN > IPsec, Pre-Shared Keys tab on pfSense to add EAP users
• Click “Add” to add a new user
• “Identifier” is the username.
• “Secret type”: EAP
• “Pre-Shared Key”: This is the password. Note that PFSense, oddly, doesn’t like certain commonly-recommended characters such as certain punctuation in its passwords. So just use varying case and numbers if you have a problem.
• Click Save.
• Repeat as needed for additional users.
• When done, Click “Save”, then “Apply”.
5) Add Firewall Rules for IPsec
• Navigate to Firewall > Rules, IPsec tab
• Review the current rules. If there is an "allow all" style rule, then there is no need to add another. Continue to the next task.
• Click “Add” to add a new rule
• “Action”: Pass
• “Interface”: IPsec
• “Address Family”: IPv4
• “Protocol”: any
• “Source”: any
• “Destination”: any
• Click “Save”, then “Apply”.SECTION C: Client Setups
Common for all: Export Certificate
• Navigate to System > Cert Manager, CA tab on pfSense.
• Click the seal icon (looks like a sun – mouse over it for a second to be sure it’s the one to download the CA NOT the key) icon under “Actions” to export the CA. It will download automatically.Windows 10 Client Setup
1) Import the VPN server CA certificate.
• Copy the .crt file you downloaded to the PC.
• Double click the CA file.
• Click “Install Certificate...”.
• Select “Local Machine”, then “Next”.
• Click Yes at the “User Account Control” box if it appears.
• Select Place all Certificates in the following store, then “Browse”.
• Select “Trusted Root Certification Authorities” and click “OK”.
• Click Next.
• Click Finish.
• Click OK.
2) Add the VPN connection
To get around limitations in the Windows 10 GUI, you must create the VPN connection, and its routes, manually via a PowerShell command line.
• Open a PowerShell window, as administrator.
• (type ‘powershell’ in the task bar search box. When it finds it, right-click on it and select “Run as Administrator).
• Enter the below command (or edit it somewhere then just copy/paste it), with the following changes:
• Replace “VPN_NAME” with whatever you want to call this VPN connection on the client’s computer.
• Replace “firewall.domain.com” with the address of your VPN server. (LAN IP of your PFSense box, or DNS name of it).
Add-VpnConnection -Name "VPN_NAME" -ServerAddress "firewall.domain.com" –TunnelType IKEv2 -EncryptionLevel Required -AuthenticationMethod EAP -SplitTunneling –AllUserConnection
Keep PowerShell open for the next step.
3) Add VPN Routes
Copy/paste the following into PowerShell, replacing 10.5.0.0/16 with the appropriate remote LAN subnet:
Add-VpnConnectionRoute -ConnectionName "VPN_NAME" -DestinationPrefix 10.5.0.0/16 -PassThru
That will tell Windows to send anything meant for 10.5.* over the VPN. Mac OS X Client Setup (10.10 or Greater)
Apple’s built-in support for the IKEv2 protocol either doesn’t exist (up to 10.12 Sierra), or doesn’t support common standards. You will need to download and install the StrongSwan VPN client for OSX to work with IKEv2 on PFSense.
StrongSwan is a long-running and trusted open-source VPN standard application. It’s very light-weight and easy to configure. Much easier than monkeying around with some convoluted Apple configurator tool.
1) Import the VPN server CA certificate.
• Copy the CA Certificate to the OS X system
• Double click the CA Certificate File in Finder, which opens Keychain Access. The certificate would have been added to the System keychain.
• In the list that appears, find the certificate.
• Right-click the Certificate and select Get Info.
• Expand Trust
• Set When using this certificate to Always Trust
• Close the window.
• Close Keychain Access.
2) Download and Install StrongSwan VPN Client.
• Download the current OSX client version here: https://download.strongswan.org/osx/
(Find the highest number.app.zip) EG: strongswan-22.214.171.124.app.zip.
• Once downloaded, double-click the zip file. It will emit a file called “strongSwan”. Drag and drop that to your Applications folder.
3) Set up VPN Connection in strongSwan
• Start the stongSwan app. (That you just put in your Applications folder).
• A swan icon will appear in your top toolbar.
• Click the swan icon, and select “Add connection..”
• “Connection name:” Name of your connection. EG: “Office”
• “Authentication:” Leave at default “IKEv2 EAP”
• “Server address:” DNS hostname or IP address of your VPN server. (WAN address of PFSense box).
• “Username:” Username of who this client is being set up for, as defined in Section B-4 ‘Pre-Shared Keys’.
• Click OK.
• If the Swan icon isn’t on the top tool bar, open strongSwan from Applications.
• Click the swan icon, and click the VPN you just set up.
• The first time you try and connect, strongSwan needs to do some configuration on the computer. It will ask to authenticate to the computer. Note: This is to the computer and not yet to the VPN. Supply the appropriate credentials.
• Reboot, and try connecting.