How to create a pfSense Mobile (dialup) IPSEC VPN for a remote VPN client.

Hi all,

If you have an existing VPN client and would like to connect to a pfSense firewall this is how to do it.

I am currently connecting to my pfSense firewall which you can deploy with a click of a button on Piggybank Cloud.

pfsense_1.PNG

This will set up your public IP address and also give you your local LAN subnet. Alternatively you can add a virtual Ethernet adapter and configure your own private IP subnet.

Step 1. Enable and configure Mobile Clients

Click on the IPSEC under VPN tab on the top menu.

Click on the Mobile Clients tab – VPN/IPSEC/Mobile Clients

Tick the box next to Enable IPSEC Mobile Client Support.

Set user authentication to local database

Set group authentication to system

pfsense_2.PNG

Configure your Virtual Address pool – this will be the subnet addresses that are assigned to the VPN clients.

Configure DNS servers

Click Save and apply

Step 2. Configure IPSEC Mobile Clients Phase 1 

Once you finish configuring the Mobile Clients setting you will be presented with a TAB to edit the Phase 1 of Mobile Clients.

pfsense_3.PNG

pfsense_4.PNG

Enter the following settings (you can apply your own encryption, hash, DH group, lifetime etc.). You need to ensure that both ends of the tunnel configuration (client and pfSense) match in terms of IKE VPN settings.

  • Authentication method: Mutual PSK + Xauth
  • Negotiation mode: aggressive
  • My identifier: My IP address
  • Peer identifier: User Distinguished Name, for example “support@piggybank.cloud”
  • Pre-Shared Key: “Your PSK”
  • Encryption Algorithm: AES 128
  • Hash Algorithm: SHA1
  • DH Key Group: 2
  • Lifetime: 86400
  • NAT Traversal: Force
  • Click Save

Step 3. Configure IPSEC Mobile Clients Phase 2

The IPSEC settings can be configured to your own specification in terms of encryption, hash, PFS etc. as long as the client and the pfSense firewall IPSEC Phase 2 settings match.

pfsense_5.PNG

  • Click inside the Mobile Phase 1 to expand its Phase 2 list.
  • Click (add P2) to add a new Phase 2
  • Enter the following settings:
    • Mode: Tunnel
    • Local Network: Phase 2 network address to be accessed by the VPN client (in this case the LAN subnet)
    • Protocol: ESP
    • Encryption Algorithms: AES 128 only
    • Hash Algorithms: SHA1 only
    • PFS key group: off
    • Lifetime: 28800
  • Add additional Phase 2 entries (each created separately)
  • Click Save
  • Click Apply Changes

pfsense_6.PNG
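Because the guide's Step 2 and Step 3 both hinge on the client and pfSense proposals matching, here is a small check that compares a client profile against the values above and reports exactly which field differs. This is an added example, not code from the original post or from pfSense; the dictionaries, field names and helper functions are constructed for illustration and are not a pfSense or VPN-client API. It also flags choices in this profile that are weak by current standards (IKEv1 aggressive mode with a PSK, DH group 2, SHA1, PFS off), which is an observation added here rather than something the post discusses.

```python
"""Consistency check for pfSense mobile IPsec Phase 1 / Phase 2 settings.

Added example; not code from the original post or from pfSense. The values
below are the ones listed in Steps 2 and 3 of the guide; the dictionaries,
field names and helper functions are constructed for illustration and are
not a pfSense or VPN-client API.
"""

# Settings as entered on pfSense in Step 2 (Phase 1) and Step 3 (Phase 2).
PFSENSE_PHASE1 = {
    "auth": "mutual_psk_xauth",
    "mode": "aggressive",
    "encryption": "aes128",
    "hash": "sha1",
    "dh_group": 2,
    "lifetime": 86400,
}
PFSENSE_PHASE2 = {
    "mode": "tunnel",
    "protocol": "esp",
    "encryption": "aes128",
    "hash": "sha1",
    "pfs_group": 0,  # 0 means PFS off, as in Step 3
    "lifetime": 28800,
}

# Fields that must agree on both ends or the negotiation fails outright.
PHASE1_MUST_MATCH = ("auth", "mode", "encryption", "hash", "dh_group")
PHASE2_MUST_MATCH = ("mode", "protocol", "encryption", "hash", "pfs_group")


def mismatches(server, client, keys):
    """Return [(field, server_value, client_value)] for every field that differs."""
    return [(k, server.get(k), client.get(k))
            for k in keys if server.get(k) != client.get(k)]


def lifetime_warning(server, client):
    """Lifetimes do not have to be identical (implementations often tolerate a
    difference), so a mismatch is reported as a warning rather than a failure."""
    if server.get("lifetime") != client.get("lifetime"):
        return (f"lifetime differs: pfSense={server.get('lifetime')} "
                f"client={client.get('lifetime')}")
    return None


def weak_settings(phase1, phase2):
    """Flag choices in the guide's profile that are weak by current standards.
    This observation is added here and is not part of the original post."""
    findings = []
    if phase1["mode"] == "aggressive" and "psk" in phase1["auth"]:
        # IKEv1 aggressive mode sends the identity unencrypted and exposes the
        # PSK-derived hash to anyone on the path, enabling offline guessing.
        findings.append("aggressive-mode-psk")
    if phase1["dh_group"] < 14:
        findings.append("weak-dh-group")
    if "sha1" in (phase1["hash"], phase2["hash"]):
        findings.append("sha1-integrity")
    if phase2["pfs_group"] == 0:
        findings.append("pfs-off")
    return findings


def check(client_phase1, client_phase2,
          server_phase1=PFSENSE_PHASE1, server_phase2=PFSENSE_PHASE2):
    """Compare a client profile with the pfSense side; returns a report dict."""
    return {
        "phase1_mismatches": mismatches(server_phase1, client_phase1, PHASE1_MUST_MATCH),
        "phase2_mismatches": mismatches(server_phase2, client_phase2, PHASE2_MUST_MATCH),
        "warnings": [w for w in (lifetime_warning(server_phase1, client_phase1),
                                 lifetime_warning(server_phase2, client_phase2)) if w],
        "weak_settings": weak_settings(server_phase1, server_phase2),
    }


if __name__ == "__main__":
    # Constructed client profile: matches the guide except that PFS was left
    # on (group 2) and the Phase 2 lifetime differs. The PFS difference is the
    # kind of mismatch that makes Phase 2 fail while Phase 1 still completes.
    client_p1 = dict(PFSENSE_PHASE1)
    client_p2 = dict(PFSENSE_PHASE2, pfs_group=2, lifetime=3600)
    for key, value in check(client_p1, client_p2).items():
        print(f"{key}: {value}")
```

Running the block with the constructed client profile shows an empty Phase 1 mismatch list, a single Phase 2 mismatch on pfs_group (0 on pfSense, 2 on the client) and a lifetime warning, which is the pattern to look for when the tunnel authenticates but never passes traffic.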

Step 4. Configure a user on the local database

System > User Manager

Configure your users by entering a username and password and allocating them to groups.

Please make sure you authorise users with the VPN: IPsec xauth Dialin permission as shown below; otherwise your users will fail authentication.

pfsense_7.PNG

Step 5. Create a rule to allow traffic 

Under the Firewall tab, click Rules and, on the IPsec tab, create a rule to allow the IPsec client traffic.

pfsense_28.PNG

Step 6. Configure your VPN Client

You can download a copy of the VPN client and a base config from Piggybank Cloud’s Demo account.

Navigate to the following url

https://piggybank.cloud/home/Demo.html

Check out the following guide to give you a tour of the platform and to get you familiar with the layout if you need help finding the client.

Get the full tour of Piggybank Cloud’s Client Portal and Virtual Datacentre.

pfsense_9.PNG

Click View VPN Details

Click Download VPN Config and Download VPN Client

This will give you the Demo account’s VPN details; change the following once the config is imported:

pfsense_10.PNG

Install the VPN Client

Import the downloaded config into the VPN Client by clicking file and then import.

pfsense_14.PNG

Change the remote host name or IP address (the pfSense in this case)

pfsense_13.PNG

Change the Identification type – change this to User Fully Qualified Domain Name and add your UFQDN string that you have configured on the pfSense.

pfsense_12.PNG

Change the PSK (Pre Shared Key) to match what you have configured on your pfSense.

pfsense_11.PNG

Change the Phase 1 settings to match what you have configured on the pfSense

pfsense_15.PNG

Change the Phase 2 settings to match what you have configured on the pfSense

pfsense_16.PNG

Save your configuration

Step 7. Connect and test your VPN

Highlight your VPN and click Connect, enter your password and you should see the tunnel enabled.

pfsense_21.PNG

You can click on network to make sure that it is established.

pfsense_19.PNG

You should now be able to connect to your firewall on the LAN gateway address, or test by pinging a device connected to the pfSense’s LAN interface.

Thank you for reading and be sure to check out our growing number of guides.

Please feel free to leave your feedback below.
