IPsec

This page is mostly for historical info, should I ever need to deploy an IPsec VPN again. Consider it highly suspect.

Most PCs and handhelds come with an IPsec client built in. This removes the need to download and install software and is especially handy on mobile and other low-power devices, where IPsec is often hardware accelerated[^1]. A lower barrier to entry and better speed is always good.

Server

Let’s use pfSense as an example. It (or OPNsense) is available in an appliance model and Netgate maintains reasonable documentation, so we can focus on implementation details. The main steps are:

  • Install pfSense
  • Add the FreeRADIUS plugin
  • Add a Certificate
  • Add an Authentication Server
  • Add the IPsec VPN.

pfSense Installation

Use the installation ISO and configure with just a WAN interface.

https://docs.netgate.com/pfsense/en/latest/install/install-walkthrough.html

FreeRADIUS plugin

If you want to use an existing password database you must employ a RADIUS server as the middleman. The VPN server used by pfSense (strongSwan) doesn’t support checking passwords directly via LDAP. Your only choices are to store a password on the pfSense box itself (aka a pre-shared key), or use RADIUS.

In situations where entering pre-shared keys on the firewall in plain text is undesirable, a RADIUS server may be used instead…[^4]

https://docs.netgate.com/pfsense/en/latest/packages/freeradius.html

Add A Certificate

A VPN uses a different type of cert than a web server so you probably can’t use one you already have. The good news is you can take advantage of the Let’s Encrypt project at no cost and this is better than managing a private CA and wrangling bring-your-own devices into installing certificates. If you want to know more about the details, check out the certificate background page.

Use the stand-alone ACME method, disable the HTTP redirect, and allow port 80 to this firewall.

https://docs.netgate.com/pfsense/en/latest/packages/acme/index.html

Authentication Server

System -> User Manager -> Authentication Servers

Click the “Add” button and configure a source as follows:

Server Settings
          Descriptive name: (Your RADIUS Server's name)
                      Type: RADIUS

RADIUS Server Settings
                   Protocol: MS-CHAPv2
     Hostname or IP address: (Your RADIUS IP)
              Shared Secret: (From the NPS client setup, above)
           Services offered: Authentication and Accounting
        Authentication port: 1812
            Accounting port: 1813
     Authentication Timeout:
    RADIUS NAS IP Attribute: WAN

Now test under the diagnostic menu

Diagnostics -> Authentication

If you have trouble, head to the Event Viewer’s Server Roles / Network Policy log on the NPS server to see what’s up, or check the logs locally on pfSense if you are using the FreeRADIUS plugin.

Authorization

(Not sure if this is needed)

  • Create Matching Groups in AD + Local pfSense

  • pfSense Side Group Configuration:

    System>User Manager> Groups: Scope: Remote, Assigned Privileges: “User - VPN: IPsec xauth Dialin”.

IPsec

You must enable the IKE extensions and select the RADIUS server as a first step. This is under the Mobile Clients tab.

VPN -> IPsec

Select the Mobile Clients tab and configure as follows:

Enable IPsec Mobile Client Support
    IKE Extension: x (check this)

Extended Authentication (Xauth)
    User Authentication: RADIUS
    Group Authentication: none

Client Configuration (mode-cfg)
    Virtual Address Pool: x (check this)
            192.168.1.0     24
    (Leave the rest un-checked)

At the top, you’ll have an alert prompting you to Create Phase 1. Select that to create a phase 1 tunnel and configure as below. You won’t have the option to select EAP-RADIUS as a tunnel option if you navigate to Tunnels any other way.

General Information
    Disabled: (Un-checked)
    Key Exchange version: IKEv2  **Non Default**
    Internet Protocol: IPv4
    Interface: WAN
    Remote Gateway:
    Description:
Phase 1 Proposal (Authentication)
    Authentication Method: EAP-RADIUS **Non Default**
    My Identifier: My IP Address **possibly actual address, non default**
    Peer Identifier: Any **non default**
    My Certificate: (Your Cert from above)
Phase 1 Proposal (Encryption Algorithm)
    Encryption Algorithm: 3DES
    Hash Algorithm: SHA1
    DH Group: 2 (1024 bit)
    (leave the rest at default)

Save and apply

Encryption Algorithm: the settings above were chosen for Mac client compatibility, based on guides; other settings might be better or possible with further testing on Mac clients. Note that 3DES, SHA1 and the 1024-bit DH group 2 are all considered weak today, so prefer AES, SHA256 and a larger DH group wherever the clients accept them.

Phase 2: Select “+ Add P2” and configure as follows

  • Mode: Tunnel IPv4
  • Local Network: LAN Subnet (the LAN specified in the next step; the test environment used LAN Subnet)
  • Phase 2 Proposal: AES, 3DES
  • Hash Algorithms: SHA1, SHA256

ONLY the CA Cert needs to be installed on clients. Double-click to open the certificate, then:

  • Windows: Install > Local Machine > Trusted Certificate Authorities
  • Mac: Open With > Keychain.app > Login > Select CA Cert > Get Info > Dropdown “Trust” > When Using this Certificate: Always Trust

Windows Setup: Start > Settings > Network & Internet > VPN > Add a VPN Connection

  • Provider: Windows Built-in
  • Connection Name: VPN Test
  • Server Name or Address: WAN Address of Server OR FQDN; either worked for testing (a DNS A Record is set for the test external IP, so it does resolve an address)
  • VPN Type: IKEv2
  • Type of Sign-in Info: Username & Password
  • Recommend unchecking “Remember my Sign-In Info”
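The Windows client steps above, done with the built-in RAS cmdlets instead of the Settings UI, as an added example that is not from the original page. It also covers the CA import from the previous section and the route cmdlet the Notes section refers to. The server name, CA file path, username and route prefix are assumed placeholders; it assumes Windows 10/11 and an elevated PowerShell session.

```powershell
# Added example (not from the page). Assumed placeholder values:
$Server  = "vpn.example.com"       # WAN address or FQDN of the pfSense box
$CaFile  = "C:\temp\vpn-ca.cer"    # CA cert exported from pfSense
$VpnName = "VPN Test"
$User    = "jdoe"                  # RADIUS username (without any @domain part)

# 1. Trust the CA only; the server cert itself is not needed on the client.
Import-Certificate -FilePath $CaFile -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null

# 2. Create the IKEv2 connection. EAP with no EAP XML supplied uses
#    username/password (EAP-MSCHAPv2), which is what EAP-RADIUS on pfSense expects
#    (assumption). -RememberCredential:$false matches "uncheck Remember my Sign-In Info".
Add-VpnConnection -Name $VpnName `
    -ServerAddress $Server `
    -TunnelType Ikev2 `
    -AuthenticationMethod Eap `
    -EncryptionLevel Required `
    -RememberCredential:$false `
    -SplitTunneling `
    -Force

# 3. Pin the IPsec proposal to what the pfSense Phase 1/Phase 2 above allow:
#    3DES / SHA1 / DH group 2 for IKE, 3DES + SHA1 for ESP, and no PFS because
#    the Phase 2 above does not enable a PFS key group.
Set-VpnConnectionIPsecConfiguration -ConnectionName $VpnName `
    -AuthenticationTransformConstants SHA196 `
    -CipherTransformConstants DES3 `
    -EncryptionMethod DES3 `
    -IntegrityCheckMethod SHA1 `
    -DHGroup Group2 `
    -PfsGroup None `
    -Force

# 4. With split tunneling, tell the client which prefixes go through the tunnel
#    (the "cmdlets to add the routes" mentioned under Notes). Placeholder prefix.
Add-VpnConnectionRoute -ConnectionName $VpnName -DestinationPrefix "10.0.0.0/8"

# 5. Review the result, then dial; "*" makes rasdial prompt for the password.
Get-VpnConnection -Name $VpnName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling
rasdial $VpnName $User *
```

If the connection fails during IKE negotiation, compare the pinned proposal against the pfSense IPsec log before loosening it on either side.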


Mac Client Test (as per above)

Add the Cert (testing only)

  1. Save the file to your downloads
  2. Double click to open with archiver
  3. Double click the cert and add to login certs
  4. Double click the cert in the keychain access, drop down the trust settings and select ‘Always Trust’

Add the VPN

  • Apple Menu -> System Preferences -> Network
  • Click the ‘+’ and select:
      – Interface: VPN
      – VPN Type: IKEv2
      – Service Name: VPN (IKEv2)
  • Configure the settings as:
      – Server Address: 205.133.146.157
      – Remote ID: 205.133.146.157
      – Local ID: (Leave Blank)
  • Click the “Authentication Settings…” button:
      – Authentication Settings: Username
      – Username: (Your User ID without the @your.edu part)
      – Password: (Your current password)
  • Click “Apply” at the bottom, then click “Connect” to test
  • Lastly, select “Show VPN Status in the menu bar”, “Apply” again and quit the System Preferences app

To use

  • In the top menu bar, click on the new VPN icon (next to the WiFi icon) and select “Connect VPN (IKEv2)”

Notes

For VLANs https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-np-configure#configure-nps-for-vlans

Client Config

I read that Windows 10 gets a default route to devices on the same network as its virtual IP but otherwise you must use the cmdlets to add the routes, and that it doesn’t accept route pushdown. Of course I read that in random forums, so I take it with a grain of salt.

The strongSwan documentation says that “…windows sends DHCP request upon connection and add routes supplied in option 249 of DHCP reply.”

https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients

https://forum.netgate.com/topic/67684/explained-example-dhcp-option-121-249

Using local DHCP, but not internal: https://www.reddit.com/r/PFSENSE/comments/3hql33/configuring_openvpn_bridge_with_local_dhcp/

We may be able to hand off to a LAN network and configure the pfSense DHCP server on the same box.

It also appears there is a newer Windows VPN client, or something similar, that takes XML files. But this might just be their MDM.

https://docs.microsoft.com/en-us/windows/security/identity-protection/vpn/vpn-routing

And here is a cool doc that details some of the config options we would need if we had to do it by hand.

https://blog.arrogantrabbit.com/vpn/IKEv2-VPN-setup-on-Apline-Linux/#configuring-client-devices


Unknown - probably for the Mac cert footnote: https://www.personalvpn.com/support/mac/ikev2


[^1]: need a citation here


Last modified August 5, 2025: error explanation (a1b54cd)