You can connect a number of devices to pfSense 2.0 using IPsec, most notably Android (phones and tablets) and iOS
(iPhone, iPad, iPod Touch, etc.) devices, but anything that is capable of IPsec will typically work.
This document covers the most common setup for mobile devices, which is IPsec using Xauth and a mutual Pre-Shared Key.
This setup has been tested and working on Android 2.3.3 and iOS 4.3.5. Others may work as well, including the actual
software Cisco client.
Contents
1 IPsec Server Setup
1.1 Mobile Clients
1.2 Phase 1 settings
1.3 Phase 2 settings
1.4 User Settings
1.5 Firewall Rules
1.6 IPsec SA Preference
2 Device Setup (Android)
3 Device Setup (iOS)
4 Troubleshooting
Mobile Clients
Check "Enable IPsec Mobile Client Support"
Check "Provide a virtual IP address to clients"
Phase 1 settings
Authentication method: Mutual PSK + Xauth
Negotiation mode: aggressive
My identifier: My IP address
Peer identifier: User Distinguished Name, vpnusers@example.com
Pre-Shared Key: aaabbbccc
Policy Generation: Unique
Proposal Checking: Strict
Encryption Algorithm: AES 128
Hash Algorithm: SHA1
DH Key Group: 2
Lifetime: 86400
NAT Traversal: Force
Save
Phase 2 settings
Mode: Tunnel
Local Network: (your local network)
Protocol: ESP
Encryption Algorithms: AES 128 *only*
Hash Algorithms: SHA1 *only*
PFS key group: off
Lifetime: 28800
Save, apply
User Settings
Go to System > User Manager
Add a user, grant the user the xauth dialin permission, or add to a group with this permission.
Note that for Xauth, the password used is the user's password, not the "IPsec Pre-Shared Key" field of the user account;
that field is used for non-Xauth IPsec.
Firewall Rules
Don't forget to add firewall rules to pass traffic from the clients.
IPsec SA Preference
System > Advanced, Miscellaneous tab.
Uncheck "Prefer Old IPsec SA"
Troubleshooting
By default iOS will tunnel all traffic over the VPN, including traffic going to the Internet. If you are unable to access Internet
sites once connected, you may need to push a DNS server to the client for it to use, such as the LAN IP address of your
firewall if you have the DNS forwarder enabled, or a public DNS server such as 8.8.8.8/8.8.4.4.
The reason for the above is that your 3G provider is likely giving your mobile devices DNS servers that are only accessible
from their network. Once you connect to the VPN the DNS servers are now being accessed via the VPN instead of the 3G
network, and the queries are likely to be dropped. Supplying a local/public DNS server will work around that.
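As an added example (not code from the pfSense wiki), the following Python pre-flight check compares a configuration, written as a plain dict with hypothetical key names rather than pfSense's own config fields, against the profile above and the troubleshooting notes. The sample configuration, its LAN address and the user name are constructed; the PSK length threshold is this script's own choice.

```python
import secrets

# Profile the page documents as working for Android 2.3.3 and iOS 4.3.5.
MOBILE_PROFILE = {
    "phase1": {"auth": "Mutual PSK + Xauth", "mode": "aggressive",
               "enc": "AES 128", "hash": "SHA1", "dh": 2, "nat_t": "Force"},
    "phase2": {"mode": "Tunnel", "protocol": "ESP",
               "enc": ["AES 128"], "hash": ["SHA1"]},
}

def check_mobile_ipsec(cfg):
    """Return findings (empty list = matches the documented mobile profile)."""
    findings = []
    p1, p2 = cfg["phase1"], cfg["phase2"]
    if not (cfg.get("mobile_clients") and cfg.get("virtual_ip")):
        findings.append("enable mobile client support and virtual IP provisioning")
    for key, want in MOBILE_PROFILE["phase1"].items():
        if p1.get(key) != want:
            findings.append(f"phase1 {key}: expected {want!r}, got {p1.get(key)!r}")
    for key, want in MOBILE_PROFILE["phase2"].items():
        if p2.get(key) != want:   # clients need exactly one proposal per algorithm
            findings.append(f"phase2 {key}: expected {want!r}, got {p2.get(key)!r}")
    if p2.get("pfs"):             # any PFS group breaks these clients
        findings.append("phase2 PFS must be off for these clients")
    if cfg.get("prefer_old_sa"):
        findings.append("uncheck 'Prefer Old IPsec SA'")
    if not any("xauth dialin" in u.get("privs", []) for u in cfg.get("users", [])):
        findings.append("no user has the xauth dialin privilege")
    if not cfg.get("dns_servers"):  # iOS tunnels all traffic; carrier DNS won't answer
        findings.append("push a DNS server (LAN IP or 8.8.8.8) to clients")
    if len(cfg.get("psk", "")) < 20:  # 'aaabbbccc' is the page's placeholder
        findings.append("PSK is short; use a long random one (see make_psk)")
    return findings

def make_psk(nbytes=24):
    """Random pre-shared key to replace the documentation placeholder (32 chars)."""
    return secrets.token_urlsafe(nbytes)

def sample_config():
    """Constructed config mirroring the page's settings, including its placeholder PSK."""
    return {
        "mobile_clients": True, "virtual_ip": True, "prefer_old_sa": False,
        "psk": "aaabbbccc", "dns_servers": ["192.168.1.1"],  # constructed LAN IP
        "users": [{"name": "vpnuser", "privs": ["xauth dialin"]}],
        "phase1": {"auth": "Mutual PSK + Xauth", "mode": "aggressive",
                   "enc": "AES 128", "hash": "SHA1", "dh": 2, "nat_t": "Force"},
        "phase2": {"mode": "Tunnel", "protocol": "ESP",
                   "enc": ["AES 128"], "hash": ["SHA1"], "pfs": None},
    }
```

Running `check_mobile_ipsec(sample_config())` reports only the placeholder PSK; enabling PFS, adding a second Phase 2 cipher, or leaving "Prefer Old IPsec SA" checked each adds a finding.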
This page was last modified on 16 January 2013, at 22:28. This page has been accessed 35,341 times.