Page 1: Doc Pfsense Org Index Php Mobile IPsec on 2 0

pdfcrowd.comopen in browser PRO version Are you a developer? Try out the HTML to PDF API

Log in

VIEWS

PageDiscussionView sourceHistory

TOOLBOX

What links hereRelated changesSpecial pagesPrintable versionPermanent link

Mobile IPsec on 2.0

You can connect a number of devices to pfSense 2.0 using IPsec, most notably Android (phones and tablets) and iOS (iPhone, iPad, iPod Touch, etc.) devices, but anything that is capable of IPsec will typically work.

This document covers the most common setup for mobile devices, which is IPsec using Xauth and a mutual Pre-Shared Key.

This setup has been tested and working on Android 2.3.3 and iOS 4.3.5. Others may work as well, including the actual software Cisco client.

Contents

1 IPsec Server Setup
  1.1 Mobile Clients
  1.2 Phase 1 settings
  1.3 Phase 2 settings
  1.4 User Settings
  1.5 Firewall Rules
  1.6 IPsec SA Preference
2 Device Setup (Android)
3 Device Setup (iOS)
4 Troubleshooting

IPsec Server Setup

This is the setup for the pfSense side of the connection.

Mobile Clients

- Check "Enable IPsec Mobile Client Support"
- Check "Provide a virtual IP address to clients"


- Enter an unused subnet in the box and pick a subnet mask
- Set any other desired options here
- Save, apply, and create the Phase 1 entry (p1) if it doesn't exist.

Phase 1 settings

- Authentication method: Mutual PSK + Xauth
- Negotiation mode: aggressive
- My identifier: My IP address
- Peer identifier: User Distinguished Name, [email protected]
- Pre-Shared Key: aaabbbccc
- Policy Generation: Unique
- Proposal Checking: Strict
- Encryption Algorithm: AES 128
- Hash Algorithm: SHA1
- DH Key Group: 2
- Lifetime: 86400
- NAT Traversal: Force
- Save

Phase 2 settings

- Mode: Tunnel
- Local Network: (your local network)
- Protocol: ESP
- Encryption Algorithms: AES 128 *only*
- Hash Algorithms: SHA1 *only*
- PFS key group: off
- Lifetime: 28800
- Save, apply

User Settings

- Go to System > User Manager
- Add a user, and grant the user the xauth dialin permission, or add the user to a group with this permission.

Note that for xauth, the password used is the password for the user, not the "IPsec Pre-Shared Key" field on the user. That field is used for non-xauth IPsec.
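The Phase 1, Phase 2 and User Settings sections above describe three separate things a mobile client has to get right: an IKE proposal that matches the server's, the group pre-shared key, and its own xauth username and password. The following is an added example (not pfSense code, and not part of the original page) that models those three stages as plain comparisons, using the server values exactly as listed above so you can see which client mistake fails at which stage. The identifier string is the placeholder as printed on the page, the xauth user "alice" and her password are constructed, and the rule that strict proposal checking rejects a client lifetime longer than the server's is this example's assumption about racoon's behaviour, not something the page states.

```python
import hmac
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Phase1:
    auth: str           # authentication method, e.g. "psk+xauth"
    mode: str           # negotiation mode: "aggressive" or "main"
    encryption: str     # Phase 1 carries a single algorithm
    hash: str
    dh_group: int
    lifetime: int       # seconds
    identity: str       # peer identifier the client presents
    psk: str            # the shared group secret, NOT the xauth password


@dataclass(frozen=True)
class Phase2:
    protocol: str
    encryption: FrozenSet[str]   # every algorithm offered / accepted
    hashes: FrozenSet[str]
    pfs_group: Optional[int]     # None means PFS off
    lifetime: int                # seconds


# Server side, taken from the Phase 1 / Phase 2 settings above.
SERVER_P1 = Phase1("psk+xauth", "aggressive", "aes128", "sha1", 2, 86400,
                   "[email protected]", "aaabbbccc")
SERVER_P2 = Phase2("esp", frozenset({"aes128"}), frozenset({"sha1"}), None, 28800)

# Constructed xauth user: the password lives in the User Manager, not in the PSK field.
XAUTH_USER = "alice"
XAUTH_PASSWORD = "correct horse battery staple"
USERS: Dict[str, dict] = {XAUTH_USER: {"password": XAUTH_PASSWORD,
                                       "privs": {"xauth dialin"}}}

# A client configured exactly as the device setup sections describe.
CLIENT_P1 = Phase1("psk+xauth", "aggressive", "aes128", "sha1", 2, 86400,
                   "[email protected]", "aaabbbccc")
CLIENT_P2 = Phase2("esp", frozenset({"aes128"}), frozenset({"sha1"}), None, 28800)


def check_phase1(server: Phase1, client: Phase1) -> List[str]:
    """Reasons the IKE Phase 1 exchange would fail; an empty list means it completes."""
    problems = []
    for name in ("auth", "mode", "encryption", "hash", "dh_group"):
        s, c = getattr(server, name), getattr(client, name)
        if s != c:
            problems.append(f"phase1 {name}: server={s!r} client={c!r}")
    if client.identity != server.identity:
        problems.append(f"phase1 identity: server expects {server.identity!r}, "
                        f"client sent {client.identity!r}")
    # Assumption: with "Proposal Checking: Strict" a client lifetime longer than the
    # server's is rejected, while a shorter one is accepted as proposed.
    if client.lifetime > server.lifetime:
        problems.append(f"phase1 lifetime: client {client.lifetime} > server {server.lifetime}")
    if not hmac.compare_digest(client.psk.encode(), server.psk.encode()):
        problems.append("phase1 psk: pre-shared keys differ (a common mistake is "
                        "entering the xauth password in the PSK field)")
    return problems


def check_phase2(server: Phase2, client: Phase2) -> List[str]:
    """Reasons the Phase 2 (ESP SA) proposal would be rejected."""
    problems = []
    if server.protocol != client.protocol:
        problems.append(f"phase2 protocol: server={server.protocol!r} client={client.protocol!r}")
    # The client may offer several algorithms; at least one must be on the server's list.
    if not server.encryption & client.encryption:
        problems.append(f"phase2 encryption: none of {sorted(client.encryption)} "
                        f"accepted (server: {sorted(server.encryption)})")
    if not server.hashes & client.hashes:
        problems.append(f"phase2 hash: none of {sorted(client.hashes)} "
                        f"accepted (server: {sorted(server.hashes)})")
    if server.pfs_group != client.pfs_group:
        problems.append(f"phase2 pfs: server={server.pfs_group} client={client.pfs_group}")
    if client.lifetime > server.lifetime:
        problems.append(f"phase2 lifetime: client {client.lifetime} > server {server.lifetime}")
    return problems


def xauth_login(username: str, password: str, users: Dict[str, dict] = USERS) -> bool:
    """Xauth stage: the user's own password, plus the 'xauth dialin' permission."""
    user = users.get(username)
    if user is None:
        return False
    return (hmac.compare_digest(user["password"].encode(), password.encode())
            and "xauth dialin" in user["privs"])


def connect(client_p1: Phase1, client_p2: Phase2, username: str, password: str) -> List[str]:
    """Run the three stages in order and report the first one that fails."""
    problems = check_phase1(SERVER_P1, client_p1)
    if problems:
        return problems
    if not xauth_login(username, password):
        return ["xauth: bad username/password or missing 'xauth dialin' permission"]
    return check_phase2(SERVER_P2, client_p2)


if __name__ == "__main__":
    print("good client:", connect(CLIENT_P1, CLIENT_P2, XAUTH_USER, XAUTH_PASSWORD) or "connected")
    print("PFS on:", connect(CLIENT_P1, replace(CLIENT_P2, pfs_group=2), XAUTH_USER, XAUTH_PASSWORD))
    print("password as PSK:", connect(replace(CLIENT_P1, psk=XAUTH_PASSWORD), CLIENT_P2,
                                      XAUTH_USER, XAUTH_PASSWORD))
```

The ordering in connect mirrors the real negotiation: a wrong PSK or a mismatched mode fails in Phase 1 before the user is ever asked for credentials, a wrong xauth password fails after Phase 1 completes, and a PFS or algorithm mismatch only shows up after authentication succeeds, which is where the "AES 128 only / SHA1 only / PFS off" wording above matters.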

Firewall Rules

Don't forget to add firewall rules to pass traffic from clients.


- Firewall > Rules, IPsec tab
- Add rules that match the traffic you want to allow, or add a rule to pass any protocol / any source / any destination to allow everything.

IPsec SA Preference

- System > Advanced, Miscellaneous tab.
- Uncheck "Prefer Old IPsec SA"

Device Setup (Android)

NOTE: These settings are not present on all Android devices. See Android VPN Connectivity for more info.

- Settings, Networks & Wireless, VPN Settings, Advanced IPsec VPNs
- From there, press the menu button, then add.
- Connection Template: PSK v1 (AES, xauth, aggressive)
- VPN Name: whatever you want
- VPN Server: IP of the server

  The phone forces the keyboard to numbers; not sure if a hostname is supported.
- Pre-Shared Key Type: text
- Pre-Shared Key: PSK from the Phase 1 above
- Identity Type: User FQDN
- Identity: [email protected]
- Username: your xauth username
- Password: your xauth password
- Internal Subnet IP: whatever subnet(s) you specified in p2 above.
- Finish

Device Setup (iOS)

- Settings > General > Network > VPN
- Add VPN Configuration
- Click IPsec
- Description: whatever you want
- Server: IP of the server
- Account: your xauth username
- Password: your xauth password (or leave blank to be prompted every time)
- Group Name: [email protected]
- Secret: PSK from the Phase 1 above


Troubleshooting

By default iOS will tunnel all traffic over the VPN, including traffic going to the Internet. If you are unable to access Internet sites once connected, you may need to push a DNS server to the client for it to use, such as the LAN IP address of your firewall if you have the DNS forwarder enabled, or a public DNS server such as 8.8.8.8/8.8.4.4.

The reason for the above is that your 3G provider is likely giving your mobile devices DNS servers that are only accessible from their network. Once you connect to the VPN, the DNS servers are now being accessed via the VPN instead of the 3G network, and the queries are likely to be dropped. Supplying a local/public DNS server will work around that.


This page was last modified on 16 January 2013, at 22:28. This page has been accessed 35,341 times.