If you have an existing VPN client and would like to connect to a pfSense firewall this is how to do it.
I am currently connecting to my pfSense firewall which you can deploy with a click of a button on Piggybank Cloud.
This will set up your public IP address and also give you your local LAN subnet. Alternatively you can add a virtual Ethernet adapter and configure your own private IP subnet.
Step1. Enable and configure Mobile Clients
Click on the IPSEC under VPN tab on the top menu.
Click on the mobile Clients Tab – VPN/IPSEC/Mobile Clients
Tick the box next to Enable IPSEC Mobile Client Support.
Set user authentication to local database
Set group authentication to system
Configure your Virtual Address pool – this will be the subnet addresses that are assigned to the VPN clients.
Configure DNS servers
Click Save and apply
Step 2. Configure IPSEC Mobile Clients Phase 1
Once you finish configuring the Mobile Clients setting you will be presented with a TAB to edit the Phase 1 of Mobile Clients.
Enter the following settings (you can apply your own encryption, hash, DHgroup, lifetime etc.) You need to ensure that both ends of the tunnel configuration (client and pfSense) match in terms of ike VPN settings.
- Authentication method: Mutual PSK + Xauth
- Negotiation mode: aggressive
- My identifier: My IP address
- Peer identfier: User Distinguished Name, for example “email@example.com”
- Pre-Shared Key: “Your PSK”
- Encryption Algorithm: AES 128
- Hash Algorithm: SHA1
- DH Key Group: 2
- Lifetime: 86400
- NAT Traversal: Force
- Click Save
Step 3. Configure IPSEC Mobile Clients Phase 2
The IPSEC settings can be configured to your own specification in terms of encryption, hash, pfs etc. as long as the client and the pfsense firewall IPSEC phase2 settings match.
- Click inside the Mobile Phase 1 to expand its Phase 2 list.
- Click (add P2) to add a new Phase 2
- Enter the following settings:
- Mode: Tunnel
- Local Network: Phase 2 network address to be access by the VPN client (in this case the LAN subnet)
- Protocol: ESP
- Encryption Algorithms: AES 128 only
- Hash Algorithms: SHA1 only
- PFS key group: off
- Lifetime: 28800
- Add additional phase 2 (created separately)
- Click Save
- Click Apply Changes
Step 4. Configure a user on the local database
System > User Manager
Configure your users by entering a username and password and allocating them to groups.
Please make sure you authorise users for VPN – IPsec xauth Dialin permission as per below otherwise your users will fail authentication.
Step 5. Create a rule to allow traffic
Under Firewall tab click rules and create a rule to allow IPSEC traffic under the IPSEC tab.
Step 6. Configure your VPN Client
You can download a copy of the VPN client and a base config from Piggybank Cloud’s Demo account.
Navigate to the following url
Check out the following guide to give you a tour of the platform and to get you familiar with the layout if you need help finding the client.
Click View VPN Details
Click Download VPN Config and Download VPN Client
This will give you the Demo accounts VPN’s details which you can change the following once the config is imported
Install the VPN Client
Import the downloaded config into the VPN Client by clicking file and then import.
Change the remote Host name of IP address (pfSense in this case)
Change the Identification type – change this to User Fully Qualified Domain Name and add your UFQDN string that you have configured on the pfSense.
Change the PSK (Pre Shared Key) to match what you have configured on your pfSense.
Change the phase 1 settings to match what you have configured on the pfsense
Change the phase 2 settings to match what you have configured on the pfSense
Save your configuration
Step 6. Connect and test your VPN
Highlight your VPN and click connect., enter you password and you should see the tunnel enabled.
You can click on network to make sure that it is established.
You should now be able to connect to your firewall on the LAN gateway address or test by pinging a device connect on the pfSenses LAN interface.
Thank you for reading and be sure to check out our growing number of guides.
Please feel free to leave your feedback below.