IPSec / IKEv2 VPN for Mobile Clients on pfSense 2.4.x with Let’s Encrypt Public Certificate

Tested with: iOS and MacOS devices, Android 8+ devices, Windows 10 (Built in VPN Client)
ENV: pfSense 2.4.5-RELEASE (amd64) on FreeBSD 11.3-STABLE running on Proxmox VE 6.1-8 as a full VM. 0.5GB RAM, 2 core common kvm64 proc.
AES-NI CPU Crypto: Yes (active).
Australian NBN Fibre (FttP) Ethernet WAN Service, dynamic public IP.

Side notes: renewal of the public certificate is not automated. The certificate is signed with Let's Encrypt's (LE) certbot Docker container on a public-IP web server and manually imported into pfSense for use.
This is a manual process every 70-80 days, and VPN connections will fail once the certificate silently expires, so track the expiry date.

Prelim: Sort out your public hostname that VPN clients will connect to and generate/sign your LE certificate with its subject being the desired VPN server hostname.
ipsec.<domain-name> or vpn.<domain-name> are obvious choices.

pfSense Config

Certificate: Load your LE certificate and private key into pfSense under System > Certificate Manager > Certificates tab > Add/Sign > Import an existing Certificate. I usually use the date of registration and the hostname in the description field.

CA Certificate: IMPORTANT, download the CA certificate that signed your LE cert. At the time of writing this post it is the Let's Encrypt Authority X3 certificate that is active. Available at: LE Certificates. Current expiry is 2021 March 18th.
Add this CA intermediate certificate to pfSense as well, under System > Certificate Manager > CAs > Add > Import. For the description I have been using "Let's Encrypt Authority X3".
This CA certificate is required because it lets charon (the strongSwan IKE daemon that provides pfSense's IPsec service) present a complete certificate chain that clients will accept.

Follow the pfsense wizard for Mobile Clients setup.
Main changes include:

P1:

General:
Key Exchange V: IKEv2
IPv4

Auth:
Auth Method: EAP-MSChapv2
My Identifier: Distinguished Name: <LE Certificate subject/VPN Server hostname>
Peer Identifier: Any
My Certificate: <Imported LE Certificate>

Encrypt:
3 lines are needed for it to work with Apple, Android and Windows devices (Algorithm – Key length – Hash – DH Group):
AES256-GCM – 128bit – SHA512 – 21
AES – 256bit – SHA256 – 14
AES – 256bit – SHA256 – 2

Lifetime: 28800
Responder Only: Enable
MOBIKE: Enable
DPD: Enable


P2:

Mode: Tunnel IPv4
Local Network – Network – 0.0.0.0/0
NAT/BINAT: None
Description: All Traffic

Protocol: ESP
Encryption Algos:
AES – Auto
AES256-GCM – Auto
Hash Algos:
SHA1, SHA256, SHA384, SHA512
PFS Key Group: Off
Lifetime: 3600


Mobile Clients Tab:
User Auth: Local Database
Group Auth: system

Virtual Address Pool: Enabled
Currently I have a /25 subnet as there are apparently (not tested by myself) issues with subnets of /24 and larger.
Virtual IPv6: Disabled
Network List: Enabled
Save Xauth Password: Enabled
DNS Default Domain: Enabled and specified
DNS Server: Enabled, IP of pfSense set.
Leave Rest.


Pre-Shared Keys Tab:
Add user, I have used all identifiers as <device>.<user>@<domain-name>
Secret Type: EAP
Pre-Shared Key: device unique and long.
Identifier Type: Email.
Blank Rest

Device Config

iOS and MacOS:
IKEv2
Server: <hostname>
Remote ID: <hostname>
Local ID: blank
User Auth: Username
Username: full 'email' from identifier field above
Password: <psk>
Proxy if you want it.

Android: <will add a config here next time I get a chance, I believe it is very simple>

Windows 10 (Built in VPN Client):
Under VPN Settings
Add VPN Connection
VPN Provider: Windows (Built IN)
Name it
Server: <hostname>
VPN Type: IKEv2 (last option in the list)
Type of Sign-in info: User name and password
Username: full 'email' from identifier field above
Password: PSK
Remember Sign in info: Ticked

Modify the following settings on the created WAN Miniport (IKEv2) adapter:
Properties > Networking tab > IPv4 Properties > Advanced > tick the box for "Use Default Gateway on Remote Network"

Known Error / Issue:
IPv6 on LAN Adapter Error
In some users' setups IPv6 seems to interfere with VPN traffic. Data is sent through the miniport adapter but no packets return from the server.
Disabling the IPv6 item on the computer's LAN (Ethernet/Wi-Fi) adapter seems to resolve this.

Interface Status > Interface Properties > untick IPv6 > OK > Close and reconnect the VPN.
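The Windows 10 client steps above (connection, the "Use Default Gateway on Remote Network" tick and the IPv6 workaround) as a scripted equivalent; this is an added example, not part of the original post. The hostname, connection name and LAN adapter name are placeholders, and the pinned proposal is assumed to be the second P1 line (AES 256 / SHA256 / DH group 14) with the P2 settings from the pfSense section.

```powershell
# Added example: scripted form of the Windows 10 built-in VPN client setup above.
# Placeholders: replace $Server with your <hostname> and $Lan with your adapter name.
$Server = 'vpn.example.com'      # placeholder for <hostname> (LE certificate subject)
$Name   = 'pfSense IKEv2'
$Lan    = 'Ethernet'             # placeholder for the LAN adapter named in the IPv6 note

# Add VPN Connection: IKEv2, "User name and password" sign-in (EAP, defaults to
# EAP-MSCHAPv2), remember credentials. -SplitTunneling:$false is the scripted
# equivalent of ticking "Use Default Gateway on Remote Network".
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
    -AuthenticationMethod Eap -EncryptionLevel Required `
    -RememberCredential -SplitTunneling:$false -Force

# Pin the IKE/ESP proposal so the client does not negotiate down to Windows'
# weaker defaults. These values must match a P1 line and the P2 settings on
# pfSense: AES256 / SHA256 / DH 14 for IKE, ESP AES256 with SHA256, PFS off.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup None -Force

# Sanity check before the first connect: confirm what was actually stored.
Get-VpnConnection -Name $Name |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling
(Get-VpnConnection -Name $Name).IPsecCustomPolicy

# Optional: the "Known Error / Issue" workaround, i.e. unticking IPv6 on the LAN
# adapter. Only apply this if traffic does not return through the tunnel.
# Disable-NetAdapterBinding -Name $Lan -ComponentID ms_tcpip6
```

Run from an elevated PowerShell prompt; the connection is created for the current user only unless -AllUserConnection is added.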
