• pfSense IPsec RoadWarrior VPN.
  • Purpose:
  • Establish a client-based VPN from your machine to your pfSense box, wherever that box may be.

Requirements:

  • pfSense system running at least version 1.2.3 stable (as of Jan 19, 2011).
  • ShrewSoft IPsec VPN Client (Windows/Linux/BSD) 2.1.7-stable (as of Jan 19, 2010).
  • DynDNS account with setup completed on your pfSense system (assuming you do not have a static IP; this is optional).
  • Basic knowledge of networking, VPNs and troubleshooting.

Sections:

  • Configuring pfSense for your VPN
    • Adding Users
  • Configuring ShrewSoft VPN for your client machine (laptop, etc.)
    • Basic configuration

Configuring pfSense for your RoadWarrior VPN setup.

  • Log into your pfSense system. Navigate to the IPsec configuration page (VPN->IPSEC).

  • Check the “Enable IPSEC” box shown in the image below and click “Save”.

pfsense_enableipsec.png

  • Click on the “Mobile Clients” tab at the top of the page. Fill out the [Phase1] settings using the image below as your base configuration, making changes where needed.

pfsense_ipsecPhase1.png

  • Fill out the [Phase2] settings using the below image as your base configuration, making changes where needed.

pfsense_ipsecPhase2.png

Click the “Save” button at the bottom of the page. If prompted, make sure to also click the “Apply Changes” button and wait for the page to reload.

You should now be able to add your first user. In our case this is just a test user; you will want to use a stronger password and identifier.

  • Navigate to the “Pre-Shared Keys” page of the VPN configuration. (VPN->IPSEC->Pre-Shared Keys).

  • Click on the small “+” button at the bottom right of the screen. You will see a page that looks similar to the one below. Fill in your user's details. Click the “Save” button.

pfsense_userSetup.png

  • At this point you can either add all of your users now, or continue with the next section first if you want to test everything before adding more.

Configuring ShrewSoft VPN for your client machine (laptop, etc.).

  • Download and install the ShrewSoft VPN Client on your computer. At the time of writing the version we used was 2.1.7-release (stable); we have not had any problems with it so far. ( http://www.shrew.net/download/ike )

  • If you need help installing the VPN client on Linux, see the following PDF from “Global Technology Associates”. It does a very good job of walking you through getting the VPN client installed if you have to build from source.

  •  http://www.gta.com/downloads/external/54/General/ShrewSoftVPN_LinuxInstall.pdf

  • Once installation is complete, you are ready to configure the VPN client. Load the ShrewSoft VPN Access Manager and follow the next few screenshots to build your first basic configuration. Make sure to change things as needed to match the user/PSK you set up and the IP/hostname of your pfSense system.

  • Click the “+” button to add a new VPN connection profile to your system. You will see a dialog similar to the one below; use it as a template for your basic configuration.

pfsense_ShrewSoft_1.png

  • Take note that “Auto Configuration” has been disabled. Also note that we select “Use the Virtual Adapter and assigned address”; this is due to an issue with trying to use DHCP over the VPN.

  • Under “Address”, make sure the range you enter is a network that is NOT the same as the one you are connecting to. If it is, it will break your routing: you may be able to ping the gateway, but you will not be able to ping any other hosts on the remote network! (Ex. if the remote VPN network is 192.168.1.0/24, then your client IP address should be on a different range such as 172.16.100.0/24.) Take note of your netmask setting as well, as an incorrect value here will also cause problems later.

  • Click on the “Client” tab and make its settings match the following image.

pfsense_clientTab.png

  • Click on the “Name Resolution” tab and make sure it looks similar to the image below. Replace the listed IP address with the IP of the DNS server on your remote network.

pfsense_nameResTab.png

  • Click on the “Authentication” tab and make sure it looks similar to the image below. The “Identification Type” is very important; setting it to “User fully qualified domain name” worked for me. The identity must be the same as the identifier we set when setting up the “Pre-Shared Key” on the pfSense system. If it does not match, you will get “could not find PSK” errors in your IPsec logs.

pfsense_authTab.png

  • On the “Authentication” tab, click the “Remote Identity” sub-tab. I use the “ANY” setting here; it is the easy way of doing it.
  • Click on the small arrow to the right of the “Remote Identity” tab to reveal the “Credentials” tab. This is where you set your “PSK” or your certificates. Below is an example.

pfsense_credTab.png

  • On the very top set of tabs, click on the arrow to the right of the “Authentication” tab to show the following tabs: “Phase1”, “Phase2”, “Policy”. Click on the “Phase1” tab.
  • See the image below for my example of the “Phase1” settings. Make sure to change these to match the Phase1 settings you have on pfSense under “Mobile Clients”.

pfsense_phase1Tab.png

  • Click on the “Phase2” tab and use the image below to help you set it up. Make sure that this matches your Phase2 settings on pfSense under “Mobile Clients”.

pfsense_phase2Tab.png

  • Click on the “Policy” tab. Un-check “Obtain topology automatically...” and make sure “Maintain Persistent...” is also unchecked. Click on the “ADD” button and follow the image below for an example of what to enter here. This is the IP range of your REMOTE network (the pfSense LAN network).

pfsense_authTopo.png

  • Click “OK” and “Save”. Click on the numbers/name below the newly created VPN profile to give it a logical name, e.g. “VPN to Home”, “VPN to Work”, etc.
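Most failed first connections come down to one of the mismatches the steps above warn about: a client address range that overlaps the remote LAN, a Local Identity that does not match the Pre-Shared Key identifier (the “could not find PSK” symptom), Phase1/Phase2 proposals that differ from the “Mobile Clients” tabs, or a Policy entry that does not cover the pfSense LAN. The following script is an added example, not part of this guide and not pfSense or ShrewSoft code; it checks a client profile against the server settings before you hit “Connect”. The dictionary layouts, field names and all sample values (networks, the identifier, the proposal parameters) are assumptions made for illustration and do not mirror either product's configuration format.

```python
"""Pre-flight check of a ShrewSoft road-warrior profile against the pfSense
"Mobile Clients" settings.

Added example, not part of the original guide or of pfSense/ShrewSoft. The dict
layouts, field names and sample values below are assumptions made for
illustration; they do not mirror either product's configuration format.
"""
import ipaddress

# Constructed server-side settings: the Mobile Clients Phase1/Phase2 tabs, the
# pfSense LAN network and the identifiers entered on the Pre-Shared Keys page.
PFSENSE = {
    "lan_network": "192.168.1.0/24",
    "phase1": {"encryption": "aes-256", "hash": "sha1", "dh_group": 2},
    "phase2": {"encryption": "aes-256", "hash": "sha1", "pfs_group": 2},
    # Identifiers only; the PSK values themselves never belong in a script like this.
    "psk_identifiers": {"roadwarrior@example.invalid"},
}

# Constructed client profiles. CLIENT_OK follows the guide; CLIENT_BAD makes the
# four mistakes the guide warns about.
CLIENT_OK = {
    "virtual_address": "172.16.100.10/24",      # Address + netmask on the General tab
    "identity": "roadwarrior@example.invalid",  # Local Identity, "User fully qualified domain name"
    "phase1": {"encryption": "aes-256", "hash": "sha1", "dh_group": 2},
    "phase2": {"encryption": "aes-256", "hash": "sha1", "pfs_group": 2},
    "policy_networks": ["192.168.1.0/24"],      # remote network added on the Policy tab
}
CLIENT_BAD = {
    "virtual_address": "192.168.1.50/24",       # inside the remote LAN: breaks routing
    "identity": "roadwarrior",                  # no such identifier on pfSense: "could not find PSK"
    "phase1": {"encryption": "3des", "hash": "sha1", "dh_group": 2},
    "phase2": {"encryption": "aes-256", "hash": "sha1", "pfs_group": 2},
    "policy_networks": ["192.168.2.0/24"],      # wrong remote network: LAN traffic never enters the tunnel
}


def check_address_range(virtual_address, lan_network):
    """The virtual adapter's network (address plus netmask) must not overlap the remote LAN."""
    client_net = ipaddress.ip_interface(virtual_address).network
    lan = ipaddress.ip_network(lan_network)
    if client_net.overlaps(lan):
        return [f"address: client network {client_net} overlaps the remote LAN {lan}"]
    return []


def check_identity(identity, psk_identifiers):
    """The Local Identity must be an identifier that exists on the Pre-Shared Keys page."""
    if identity not in psk_identifiers:
        return [f"identity: {identity!r} has no matching pre-shared key identifier on pfSense"]
    return []


def check_proposal(phase, client_settings, server_settings):
    """Every Phase1/Phase2 parameter must match what the Mobile Clients tab has."""
    problems = []
    for key, server_value in server_settings.items():
        client_value = client_settings.get(key)
        if client_value != server_value:
            problems.append(
                f"{phase}: {key} is {client_value!r} on the client but {server_value!r} on pfSense"
            )
    return problems


def check_policy(policy_networks, lan_network):
    """The Policy tab must contain a network that covers the whole pfSense LAN."""
    lan = ipaddress.ip_network(lan_network)
    covered = any(lan.subnet_of(ipaddress.ip_network(p)) for p in policy_networks)
    if not covered:
        return [f"policy: no Policy entry covers the remote LAN {lan}"]
    return []


def validate_profile(client, server):
    """Return a list of human-readable problems; an empty list means the profile is consistent."""
    problems = []
    problems += check_address_range(client["virtual_address"], server["lan_network"])
    problems += check_identity(client["identity"], server["psk_identifiers"])
    problems += check_proposal("phase1", client["phase1"], server["phase1"])
    problems += check_proposal("phase2", client["phase2"], server["phase2"])
    problems += check_policy(client["policy_networks"], server["lan_network"])
    return problems


if __name__ == "__main__":
    for name, profile in (("CLIENT_OK", CLIENT_OK), ("CLIENT_BAD", CLIENT_BAD)):
        found = validate_profile(profile, PFSENSE)
        print(f"{name}: {'OK' if not found else ''}")
        for problem in found:
            print("  -", problem)
```

Running it prints no problems for CLIENT_OK and four for CLIENT_BAD, one per mistake. The overlap test uses the client's netmask as well as its address, which is why the guide tells you to double-check the netmask: a /16 entered by mistake on the client can overlap a remote LAN even when the address itself looks different.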

Congratulations!

You should now have a working IPsec VPN to your pfSense system. I will note that you will not be able to test this from the same network you are trying to VPN into; it will likely cause strange routing issues and will not work properly.