
HackTheory :: PFsense Road Warrior VPN + ShrewSoft IPSEC VPN

7/17/13 10:22 AM


Pfsense Ipsec RoadWarrior VPN.

Purpose: Establish a client-based VPN from you to your pf box wherever it may be.

Requirements:
Pfsense system running at least version 1.2.3 stable (as of Jan 19, 2011).
ShrewSoft IPSEC VPN Client (Windows/Linux/BSD) 2.1.7-Stable as of Jan 19, 2010.
DynDNS account with setup completed on your Pfsense system (assuming you do not have a static IP; this is optional).
Basic knowledge of networking, VPNs and troubleshooting.

Sections:
Configuring Pfsense for your VPN
Adding Users
Configuring ShrewSoft VPN for your client machine (laptop or etc).
Basic configuration


Configuring PF-Sense for your RoadWarrior VPN setup.

Log into your PF-sense system. Navigate to the IPsec configuration page (VPN->IPSEC). Check the Enable IPSEC box shown in the below image and click Save.

Click on the Mobile Clients tab at the top of the page. Fill out the [Phase1] settings using the below image as your base configuration. Make changes where needed.

http://www.hacktheory.org/index.php/projects/projects-by-eureka/pfsense-road-warrior-vpn-shrewsoft-ipsec-vpn/


Fill out the [Phase2] settings using the below image as your base configuration, making changes where needed.

Click the Save button at the bottom of the page. If prompted, make sure to also click the Apply Changes button and wait for the page to reload.

You should now be able to add your first user. In our case this is just a test user; you will want to use a better password/identifier. Navigate to the Pre-Shared Keys page of the VPN configuration (VPN->IPSEC->Pre-Shared Keys). Click on the small + button at the bottom right of the screen. You will see a page that looks similar to the one below. Fill in your user's details. Click the Save button.


At this point you have the option of adding all of your users and moving on, or you can just continue with the next section if you want to test everything first.

Configuring ShrewSoft VPN for your client machine (laptop or etc).

Download the ShrewSoft VPN Client and install it on your computer. At the time of writing the version we used is 2.1.7-release (stable). We have not had any problems with it at this point. ( http://www.shrew.net/download/ike )

If you need help installing the VPN client for Linux, see the following .pdf from Global Technology Associates. It does a very good job of assisting you to get the VPN client installed if you have to build from source. http://www.gta.com/downloads/external/54/General/ShrewSoftVPN_LinuxInstall.pdf

Once you have completed installation we are prepared to configure the VPN client. Load the ShrewSoft VPN Access Manager and follow the next few screenshots to build your first basic configuration. Make sure to change things as needed in relation to the User/PSK you set up as well as the IP/Hostname of your setup. Click the + button to add a new VPN connection profile to your system. You will see a dialog similar to the one below. Use it as a template to get your basic configuration set up.

Take note that Auto Configuration has been Disabled. Also note that we select Use the Virtual Adapter and assigned address. This is due to an issue with trying to use DHCP over the VPN.

Under the Address range, make sure to make this a network that is NOT the same as the one you are connecting to. If you do not do this it will break your routing, and you may be able to ping the gateway but will not be able to ping any other hosts on the remote network! (Ex. If your VPN network is 192.168.1.0/24 then your IP address should be on a different range like 172.16.100.0/24). Take note of your netmask settings, as incorrect settings here will also cause problems later.

Click on the Client tab and make its settings match the following image.


Click on the Name Resolution tab and make sure it looks similar to the below image. Replace the listed IP address with the DNS server IP on your remote network.

Click on the Authentication tab. Make sure it looks similar to the below image. The Identification Type is very important. Setting it to User fully qualified domain name worked for me. This will be the same as the identifier we set when setting up the Pre-Shared Key on the PF-sense system. If this is not correct you will get "could not find PSK" errors in your IPSEC logs.


On the Authentication tab, click the sub tab Remote Identity. I use the ANY setting here. This is the easy way of doing it. Click on the small arrow to the right of the Remote Identity tab to reveal the Credentials tab. Here is where you will set your PSK or your certificates. Below is an example.

On the very top set of tabs, click on the arrow to the right of the Authentication tab to show the following tabs: Phase1, Phase2, Policy. Click on the Phase1 tab. See the below image for my example of the Phase1 settings. Make sure to change these to match the settings you have on your PFsense Phase1 settings under Mobile Clients.


Click on the Phase2 tab and use the below image to help you set up your settings. Make sure that this matches your settings on the Pfsense Phase2 settings under Mobile Clients.

Click on the Policy tab. Un-check the Obtain topology automatically... option and make sure Maintain Persistent... is also unchecked. Click on the ADD button. Follow the below image for an example of what to put here. This is the IP range of your REMOTE network (the pfsense LAN network).

Click OK and Save. Click on the numbers/name below the newly created VPN profile to set up a new/logical name. Ex. "VPN to Home", "VPN to Work", etc.

Congratulations!
You should now have a working Ipsec VPN to your Pfsense system. I will note that you will not be able to test this on the same network you are trying to VPN into. It will likely cause strange routing issues and will not work properly.
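
The two routing pitfalls in this guide (a virtual adapter address range that matches the remote network, and testing from the network you are trying to VPN into) can be checked before connecting. The following is an added example, not part of the original guide; the function name, parameter names and sample addresses are assumptions made for illustration.

```python
import ipaddress


def check_addressing(virtual_addr, virtual_mask, remote_lan, client_lan):
    """Return a list of routing problems for a road-warrior profile.

    virtual_addr, virtual_mask: address and netmask typed into the client's
        virtual adapter settings.
    remote_lan: network entered on the Policy tab (the pfSense LAN), in CIDR.
    client_lan: network the client machine is physically connected to.
    These parameter names are assumptions made for this example.
    """
    try:
        # strict=False derives the network from a host address plus netmask.
        virtual_net = ipaddress.ip_network(
            f"{virtual_addr}/{virtual_mask}", strict=False)
        remote_net = ipaddress.ip_network(remote_lan, strict=True)
        local_net = ipaddress.ip_network(client_lan, strict=False)
    except ValueError as exc:
        # Covers malformed addresses and non-contiguous netmasks.
        return [f"invalid address or netmask: {exc}"]

    problems = []
    if virtual_net.overlaps(remote_net):
        problems.append(
            f"virtual adapter network {virtual_net} overlaps remote LAN "
            f"{remote_net}: pick a separate range for the client address")
    if local_net.overlaps(remote_net):
        problems.append(
            f"client's local network {local_net} overlaps remote LAN "
            f"{remote_net}: test from a different network")
    return problems


if __name__ == "__main__":
    # Constructed sample profiles; the first uses the ranges from the text.
    samples = [
        ("172.16.100.10", "255.255.255.0", "192.168.1.0/24", "10.0.0.0/24"),
        ("192.168.1.50", "255.255.255.0", "192.168.1.0/24", "10.0.0.0/24"),
        ("192.169.1.10", "255.0.0.0", "192.168.1.0/24", "10.0.0.0/24"),
        ("172.16.100.10", "255.255.255.0", "192.168.1.0/24", "192.168.1.0/24"),
    ]
    for sample in samples:
        print(sample, check_addressing(*sample) or "OK")
```

The third sample shows the netmask pitfall: the address itself is outside 192.168.1.0/24, but a netmask of 255.0.0.0 stretches the virtual adapter network over the remote LAN.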

2013 HackTheory. All rights reserved.