Saturday, July 26, 2014

Install IPsec VPN for iPhone Android on pfSense 2.0

You can connect a number of devices to pfSense 2.0 using IPsec, most notably Android (Phones and Tablets) and iOS (iPhone, iPad, iPod Touch, etc) devices but anything that is capable of IPsec will typically work.
This document covers the most common setup for mobile devices, which is IPsec using Xauth and a mutual Pre-Shared Key.
This setup has been tested and working on Android 2.3.3 and iOS 4.3.5. Others may work as well, including the actual software Cisco client.

Mobile Clients
Go to VPN > IPsec > Mobile Clients

IKE Extensions: check "Enable IPsec Mobile Client Support".

User Authentication: select "Local Database".
Group Authentication: select "system".

Virtual Address Pool: check "Provide a virtual IP address to clients".
Virtual Address Pool: Network: "10.0.0.0" / 24

DNS Servers: check "Provide a DNS server list to clients".
DNS Servers: Server #1: 8.8.8.8.
DNS Servers: Server #2: 8.8.4.4.

Click on "Save" button.
Click on "Apply changes" button.

Next, create Phase 1 if it doesn't exist.

Phase 1 settings
Interface: WAN.
Description: IPsecVPN.

Authentication method: Mutual PSK + Xauth.
Negotiation mode: aggressive.
My identifier: My IP address.
Peer identifier: Distinguished name: MY_VPN_GROUP_NAME.
Pre-Shared Key: MY_VPN_PRE_SHARED_KEY.
Policy Generation: default.
Proposal Checking: Obey.
Encryption algorithm: AES 128 bits.
Hash algorithm: SHA1.
DH key group: 2.
Lifetime: 28800.

NAT Traversal: Force.

Note: Some have had more success with the following settings:
Policy Generation: Unique.
Proposal Checking: Strict.
NAT Traversal: Force.

Phase 2 settings
Mode: Tunnel.
Local Network: Network
Local Network: 10.0.0.0 / 24

Protocol: ESP
Encryption algorithms: check "AES 128 bits" only.
Hash algorithms: check "SHA1" only.
PFS key group: off.
Lifetime: 28800 seconds.

Click on "Save" button.
Click on "Apply changes" button.

Enable IPsec
VPN > Tunnels tab:

Check "Enable IPsec".
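Once the settings above are saved, it is worth confirming that what actually landed in the configuration matches the walkthrough, since the GUI spreads the values over several pages. The script below is an added example (not from this page and not pfSense's own tooling): it audits the <ipsec> section of a pfSense 2.x-style config.xml backup against the values listed above. The XML is a constructed sample; the element names are an assumption about the pfSense 2.x config.xml layout and should be checked against a real backup (Diagnostics > Backup/Restore), as is the 20-character floor for the pre-shared key.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a pfSense 2.x config.xml <ipsec> section.
# Element names are an assumption; compare them with your own backup.
SAMPLE_CONFIG = """<pfsense><ipsec>
  <enable/>
  <client><enable/>
    <user_source>Local Database</user_source><group_source>system</group_source>
    <pool_address>10.0.0.0</pool_address><pool_netbits>24</pool_netbits>
    <dns_server1>8.8.8.8</dns_server1><dns_server2>8.8.4.4</dns_server2>
  </client>
  <phase1><ikeid>1</ikeid><mobile/>
    <interface>wan</interface><mode>aggressive</mode>
    <peerid_type>fqdn</peerid_type><peerid_data>MY_VPN_GROUP_NAME</peerid_data>
    <encryption-algorithm><name>aes</name><keylen>128</keylen></encryption-algorithm>
    <hash-algorithm>sha1</hash-algorithm><dhgroup>2</dhgroup><lifetime>28800</lifetime>
    <authentication_method>xauth_psk_server</authentication_method>
    <pre-shared-key>MY_VPN_PRE_SHARED_KEY</pre-shared-key>
    <nat_traversal>force</nat_traversal>
  </phase1>
  <phase2><ikeid>1</ikeid><mobile/><mode>tunnel</mode><protocol>esp</protocol>
    <encryption-algorithm-option><name>aes</name><keylen>128</keylen></encryption-algorithm-option>
    <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
    <pfsgroup>0</pfsgroup><lifetime>28800</lifetime>
  </phase2>
</ipsec></pfsense>"""

# The values the walkthrough configures, keyed by XPath relative to <ipsec>.
EXPECTED = {
    "client/user_source": "Local Database",
    "client/group_source": "system",
    "client/pool_address": "10.0.0.0",
    "client/pool_netbits": "24",
    "phase1/mode": "aggressive",
    "phase1/authentication_method": "xauth_psk_server",
    "phase1/nat_traversal": "force",
    "phase1/encryption-algorithm/name": "aes",
    "phase1/encryption-algorithm/keylen": "128",
    "phase1/hash-algorithm": "sha1",
    "phase1/dhgroup": "2",
    "phase1/lifetime": "28800",
    "phase2/mode": "tunnel",
    "phase2/protocol": "esp",
    "phase2/pfsgroup": "0",  # 0 == PFS off, as in the Phase 2 settings above
    "phase2/lifetime": "28800",
}

MIN_PSK_LEN = 20  # assumption: a length floor for the group secret, not a pfSense default


def audit_ipsec(xml_text):
    """Return a dict mapping each check to (ok, observed_value)."""
    ipsec = ET.fromstring(xml_text).find("ipsec")
    results = {
        "ipsec_enabled": (ipsec.find("enable") is not None, "present"),
        "mobile_clients_enabled": (ipsec.find("client/enable") is not None, "present"),
    }
    for path, want in EXPECTED.items():
        node = ipsec.find(path)
        got = node.text.strip() if node is not None and node.text else None
        results[path] = (got == want, got)
    # The group PSK is shared by every client, so a short one is the weakest link.
    psk = ipsec.findtext("phase1/pre-shared-key") or ""
    results["psk_length"] = (len(psk) >= MIN_PSK_LEN, len(psk))
    return results


def failures(results):
    """Names of the checks that did not match, sorted for stable reporting."""
    return sorted(key for key, (ok, _) in results.items() if not ok)


if __name__ == "__main__":
    report = audit_ipsec(SAMPLE_CONFIG)
    for key, (ok, observed) in report.items():
        print(f"{'OK ' if ok else 'BAD'} {key}: {observed}")
    print("failures:", failures(report))
```

Running it against a real backup means replacing SAMPLE_CONFIG with the file contents; any entry listed under failures is a setting that differs from the walkthrough and is worth a second look before handing the PSK to clients.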

Create an IPsecVPN group with a privilege
Go to System > User Manager > Groups tab > Add a new group:

Group Name: IPsecVPN.
Description: IPsecVPN.

Click on "Save" button. Then, edit the "IPsecVPN" group we just created again:

At the Assigned Privileges section, click on the "Add" button: select "User - VPN - IPsec xauth Dialin".

Click on "Save" Button.

User Settings - create a new user
Go to System > User Manager > Users tab > Add a new user:
Username: MyName_iphone
Password: ********
Group Memberships: IPsecVPN.

Click on "Save" Button.

After saving, make sure the "Effective Privileges" field shows Inherited from "IPsecVPN".

Firewall Rule - allow VPN clients to connect to WAN interface:
Go to Firewall > Rules > WAN tab > Add new rule:

Interface: WAN.
Protocol: ESP.
Source Address: any
Destination: type "WAN net" (or "WAN address", depending on your situation)
Description: IPsecVPN

Click on "Save" button.
Click on "Apply changes" button.

Interface: WAN.
Protocol: TCP/UDP.
Source Address: any
Destination: type "WAN net" (or "WAN address", depending on your situation)
Destination port range: ISAKMP (500)
Description: IPsecVPN

Click on "Save" button.
Click on "Apply changes" button.

Interface: WAN.
Protocol: TCP/UDP.
Source Address: any
Destination: type "WAN net" (or "WAN address", depending on your situation)
Destination port range: IPsec NAT-T (4500)
Description: IPsecVPN

Click on "Save" button.
Click on "Apply changes" button.

Firewall Rule - deny VPN clients access to the LAN network:
Go to Firewall > Rules > IPsec tab > Add new rule:

Interface: IPsec.
Protocol: any.
Source Address: 10.0.0.0 / 24
Destination: check "not".
Destination: type "WAN net" (or "WAN address", depending on your situation)

Click on "Save" button.
Click on "Apply changes" button.

Interface: IPsec.
Protocol: any.
Source Address: 10.0.0.0 / 24
Destination: check "not".
Destination: type "Network"
Destination: Address "192.168.0.0 / 16" (we don't want VPN clients to access LAN subnet).

Click on "Save" button.
Click on "Apply changes" button.

Firewall Rule - NAT Outbound:
Go to Firewall > NAT > Outbound tab:

Click on "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)" > click on "Save" button. Some rules will be set automatically.

Add a new mapping rule:

Interface: WAN.
Protocol: any.
Source: type "network".
Source: address "10.0.0.0 / 24".
Destination: check "not".
Destination: type "Network"
Destination: Address "192.168.0.0 / 16" (we don't want VPN clients to access LAN subnet).

Click on "Save" button.
Click on "Apply changes" button.
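To see how the WAN rules, the IPsec-tab rules and the outbound NAT mapping above fit together, here is an added Python model of pf-style first-match rule evaluation (example code, not from this page and not pfSense's own logic). The WAN address 203.0.113.10 and the peer address 198.51.100.7 are placeholders. The rule actions are assumptions, since the walkthrough names none: the LAN exclusion is modelled as a block placed ahead of the pass rule, which is the order first-match evaluation needs, and the ISAKMP and NAT-T rules are modelled as UDP, which is all IKE uses.

```python
from ipaddress import ip_address, ip_network

# Placeholder addresses (assumptions; the walkthrough does not give a WAN address).
WAN_ADDRESS = ip_network("203.0.113.10/32")
VPN_POOL = ip_network("10.0.0.0/24")      # virtual address pool handed to clients
LAN_RANGE = ip_network("192.168.0.0/16")   # the range the walkthrough keeps clients out of
ANY = ip_network("0.0.0.0/0")

# Rule tuple: (action, proto, src_net, dst_net, dst_negated, dst_ports).
# Actions are an assumption: the page names none, so the LAN exclusion is a
# "block" placed ahead of the "pass" rule, which is what first-match needs.
WAN_RULES = [
    ("pass", "esp", ANY, WAN_ADDRESS, False, None),
    ("pass", "udp", ANY, WAN_ADDRESS, False, {500}),    # ISAKMP
    ("pass", "udp", ANY, WAN_ADDRESS, False, {4500}),   # IPsec NAT-T
]
IPSEC_RULES = [
    ("block", "any", VPN_POOL, LAN_RANGE, False, None),  # clients never reach LAN
    ("pass", "any", VPN_POOL, WAN_ADDRESS, True, None),  # anything else, except WAN itself
]


def first_match(rules, proto, src, dst, dport=None, default="block"):
    """pf-style evaluation: the first matching rule decides; unmatched traffic
    falls to the interface default, which on pfSense is block."""
    src, dst = ip_address(src), ip_address(dst)
    for action, r_proto, r_src, r_dst, negated, ports in rules:
        if r_proto not in ("any", proto):
            continue
        if src not in r_src:
            continue
        if (dst in r_dst) == negated:   # a "not" rule matches when dst is outside r_dst
            continue
        if ports is not None and dport not in ports:
            continue
        return action
    return default


def outbound_nat(src, dst):
    """Model of the manual outbound NAT mapping: VPN-pool sources bound for
    anything except the LAN range are translated to the WAN address."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    if src_ip in VPN_POOL and dst_ip not in LAN_RANGE:
        return str(WAN_ADDRESS.network_address)
    return str(src_ip)


if __name__ == "__main__":
    peer, wan = "198.51.100.7", "203.0.113.10"
    print("IKE from peer   :", first_match(WAN_RULES, "udp", peer, wan, 500))
    print("client -> LAN   :", first_match(IPSEC_RULES, "tcp", "10.0.0.5", "192.168.1.10", 445))
    print("client -> DNS   :", first_match(IPSEC_RULES, "udp", "10.0.0.5", "8.8.8.8", 53))
    print("NAT for DNS     :", outbound_nat("10.0.0.5", "8.8.8.8"))
    swapped = list(reversed(IPSEC_RULES))
    print("LAN if reordered:", first_match(swapped, "tcp", "10.0.0.5", "192.168.1.10", 445))
```

The last line of the demo is the point to take away: with the pass rule evaluated before the block, a client in 10.0.0.0/24 reaches 192.168.1.10, so the order of the two rules on the IPsec tab is what enforces the "no LAN access" intent, not their mere presence.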

Device Setup (iOS)

Go to iPhone > Settings > General > Network > VPN

Add VPN Configuration

Click IPsec
Description: whatever you want
Server: IP of the server
Account: your xauth username
Password: your xauth password (or leave blank to be prompted every time)
Group Name: MY_VPN_GROUP_NAME
Secret: MY_VPN_PRE_SHARED_KEY

Device Setup (Android)

NOTE: These settings are not present on all Android devices. See Android VPN Connectivity for more info.

Settings, Networks & Wireless, VPN Settings, Advanced IPsec VPNs
From there, press the menu button, then add.
Connection Template: PSK v1 (AES, xauth, aggressive)
VPN Name: whatever you want
VPN Server: IP of the server
The phone forces the keyboard to numbers here; it is not clear whether a hostname is supported.
Pre-Shared Key Type: text
Pre-Shared Key: PSK from the Phase 1 above
Identity Type: User FQDN
Identity: vpnusers@example.com
Username: your xauth username
Password: your xauth password
Internal Subnet IP: whatever subnet(s) you specified in Phase 2 above.

Finish

Troubleshooting

By default iOS will tunnel all traffic over the VPN, including traffic going to the Internet. If you are unable to access Internet sites once connected, you may need to push a DNS server to the client for it to use, such as the LAN IP address of your firewall if you have the DNS forwarder enabled, or a public DNS server such as 8.8.8.8/8.8.4.4.
The reason for the above is that your 3G provider is likely giving your mobile devices DNS servers that are only accessible from their network. Once you connect to the VPN the DNS servers are now being accessed via the VPN instead of the 3G network, and the queries are likely to be dropped. Supplying a local/public DNS server will work around that.

Reference:
http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0
