Example 2 – IPsec tunnel for mobile remote access

Our second example involves a scenario in which we need to set up an IPsec tunnel to provide a means for remote mobile users to connect to our network using an IPsec client on their computer. The users might be workers on site at a client's workplace, or perhaps on a business trip, or working at home. Fortunately, we can set up such a connection with relative ease, and, although not all IPsec clients are easy to configure, there are IPsec clients for all of the major desktop operating systems, so we should be able to get our remote users up and running.

To set up a client-server tunnel for mobile access, we must first complete Phase 1 and Phase 2 IPsec configuration, and then add users to the user manager. To complete IPsec configuration, follow these steps:

  1. Navigate to VPN | IPsec and click on the Mobile Clients tab.
  2. Check the Enable IPsec Mobile Client support checkbox.
  3. Even though there is only one choice in the User Authentication box, we have to select it. Select Local Database in this box.
  4. In the Group Authentication drop-down box, select system.
  5. Check the Provide a virtual IP address to clients checkbox, and enter a subnet and CIDR for the virtual address pool.
  6. Check the Save Xauth Password checkbox.
  7. Check the DNS Default Domain checkbox, and enter localdomain as the default domain name.
  8. Check the Provide a DNS server list checkbox. For Server #1, enter 1.1.1.1, and for Server #2, enter 1.0.0.1.
  9. Check the Login banner checkbox and enter a login banner.
  10. Click the Save button at the bottom of the page.
  11. pfSense will prompt you to create a Phase 1 entry for the mobile client configuration. Click on the Create Phase 1 button to begin IPsec tunnel configuration. This will take you to the Edit Phase 1 page.
  12. On the Edit Phase 1 page, you will probably want to keep the Key Exchange version set to IKEv1, because it works with a greater range of clients.
  13. Set the Authentication Mode to Mutual PSK + Xauth.
  14. Change Peer identifier to User distinguished name, and enter an appropriate string, such as your email address.
  15. In the Pre-Shared Key box, enter a pre-shared key.
  16. Scroll down to Advanced Options, and change the NAT Traversal setting to Force. This forces NAT-T (UDP encapsulation on UDP port 4500) even when no NAT is detected between the peers.
  17. When you are finished, click the Save button, and then click on Apply Changes.
  18. On the main IPsec page, click on the Show phase 2 Entries button, and then click on Add P2.
  19. Most of the default settings for the Phase 2 entry can be kept. It is recommended, however, to change the key length in Encryption Algorithms to 256 bits. (You can keep the algorithm set to AES; you may want to set a longer Lifetime, as well.)
  20. Click on the Save button when done, and then click on Apply Changes.

That completes Phase 1 and Phase 2 configuration, but we still must create a user group and users for the VPN tunnel:

  1. Navigate to System | User Manager and click on the Groups tab.
  2. Click on the Add button to add a new group.
  3. Enter a group name of vpnusers, and, in the Scope drop-down box, select Remote.
  4. Click on the Save button.
  5. When the page reloads, the newly-created group should be listed in the table. Click on the Edit icon for vpnusers in this table.
  6. There will now be a section on the configuration page for the group called Assigned Privileges. Click on the Add button in this section.
  7. In the Assigned Privileges box, select User - VPN: IPsec xauth Dialin and click on Save.
  8. From the main configuration page, click on Save.
  9. The group is now created, but it needs some users. Click on the Users tab, and then click on the Add button to create a new user.
  10. Set an appropriate Username and Password for the new user.
  11. Under Group Memberships, select the vpnusers group.
  12. For the IPsec Pre-Shared Key, enter the key you entered during Phase 1 configuration.
  13. Click on the Save button.
  14. Repeat steps 9 through 13 for as many users as you wish to add.
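To show how the Phase 1, Phase 2 and User Manager settings above fit together from the client's side, here is a matching client configuration in strongSwan's ipsec.conf/ipsec.secrets syntax. This is an added example, not configuration from the book or generated by pfSense: the server address, LAN subnet, identity, username and key values are placeholders, the aggressive-mode line assumes the Negotiation mode on the Phase 1 page was left at its default, and the algorithm lines assume the pfSense Phase 1 defaults (AES-256, SHA256, DH group 14) were kept alongside the AES-256 Phase 2 setting chosen above.

```ini
# /etc/ipsec.conf on the mobile client (constructed example)
config setup
    uniqueids=no

conn pfsense-mobile
    # Key Exchange version: IKEv1, as chosen on the Edit Phase 1 page
    keyexchange=ikev1
    # Authentication Mode "Mutual PSK + Xauth": group PSK plus XAuth login
    authby=xauthpsk
    xauth=client
    # Assumption: pfSense Negotiation mode left at its default for this
    # setup (Aggressive); change to "no" if you selected Main
    aggressive=yes
    # Our identity must equal the Peer identifier (user distinguished
    # name) entered on pfSense; placeholder value
    left=%defaultroute
    leftid=user@example.com
    # Request a virtual IP from the pool ("Provide a virtual IP address")
    leftsourceip=%config
    modeconfig=pull
    # pfSense WAN address or hostname; placeholder
    right=vpn.example.com
    rightid=%any
    # Phase 2 Local Network on pfSense (its LAN subnet); placeholder
    rightsubnet=192.168.1.0/24
    # Must match Phase 1 Encryption Algorithm / Hash / DH group on pfSense;
    # assumes the defaults AES-256, SHA256, DH group 14 (2048-bit)
    ike=aes256-sha256-modp2048!
    # Phase 2: AES with key length raised to 256 bits (hash assumed SHA256)
    esp=aes256-sha256!
    # NAT Traversal = Force on pfSense -> always encapsulate in UDP 4500
    forceencaps=yes
    # pfSense default lifetimes; raise "lifetime" if you lengthened Phase 2
    ikelifetime=28800s
    lifetime=3600s
    dpdaction=restart
    auto=add

# /etc/ipsec.secrets on the mobile client (constructed example)
# The pre-shared key from the Phase 1 page; the same key is stored on each
# user in the User Manager. Placeholder value.
: PSK "replace-with-the-phase-1-pre-shared-key"
# XAuth login: the Username and Password created in the User Manager
alice : XAUTH "replace-with-alice-password"
```

After placing both files, `ipsec restart` followed by `ipsec up pfsense-mobile` brings the tunnel up, and `ipsec statusall` shows whether the IKE SA was established and which virtual IP was assigned. Because every mobile user shares the same group PSK, treat it like a shared credential: make it long and random, and change it on the Phase 1 page and in the User Manager when someone leaves the vpnusers group.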

This completes both the mobile client IPsec configuration and the User Manager configuration. Now, all that remains is to configure the mobile client. There are many different IPsec mobile clients available, and it is beyond the scope of this chapter to show you how to configure them, but the following guidelines should help: