IPSec VPNs with pfsense

I've been trying forever to get a mobile IPSec connection up between my OS X laptop and pfsense.   Finally, thanks to this outstanding blog post, it works.  I'm especially excited that it works with the default OS X and Android VPN clients.

My pfsense config closely mirrors the one specified by Mike Murray

pfsense

Phase 1

Key Exchange version: Auto
Internet Protocol: V4
Interface: <my ISP>

Authentication Method: Mutual PSK + Xauth
Negotiation Mode: Aggressive
My identifier: My IP Address
Peer identifier Distinguished Name: <my vpn name>
Pre-Shared Key: <my key>

Encryption Algorithm: AES 256
Hash Algorithm: SHA1
DH Group: 2
Lifetime (Seconds): 28800

Disable rekey: unchecked
Responder Only: checked
NAT Traversal: Forced
Dead Peer Detection: checked
Delay: 10
Max failures: 5

Phase 2

Mode Tunnel: IPv4
Local Network Network: 0.0.0.0/0
NAT/BINAT translation: None

Protocol: ESP
Encryption Algorithms: AES Auto
Hash Algorithms: SHA1
PFS key: group off
Lifetime: 3600

Mobile Cilents

IKE Extensions: checked
User Authentication: Local Database
Group Authentication: system

Virtual Address Pool: checked.  192.168.76.0 / 27

Virtual IPv6 Address Pool: unchecked
Network List: unchecked
Save Xauth Password checked
DNS Default Domain: checked  khubla.local

Split DNS unchecked
DNS Servers checked
192.168.75.1
8.8.8.8.

WINS Servers: unchecked
Phase2 PFS Group: unchecked
Login Banner unchecked

OS X

Add VPN and choose VPN Type "Cisco IPSEC".  Use the Group Name specified in Phase 1 "Peer identifier Distinguished Name"

Android

Add VPN and choose "IPSec VPN with pre-shared keys and XAuth authentication".     Use the IPSEC Identifier specified in Phase 1 "Peer identifier Distinguished Name"

Leave a Reply