AWS pfSense VPN Server

  • VPN server was deployed
  • Remote access for all employees was delivered
  • Employees who work from the same home (AKA husband and wife) can’t simultaneously access the VPN
  • Nobody really understands why this is happening…

I know that some people don’t like IPsec because of its complexity. In the past, I had a hard time debugging and understanding why some IPsec VPNs were behaving badly or simply weren’t working at all.

I understand that most people use OpenVPN, as it is easier to deploy and manage. But if you are deploying it on public clouds, things can become a little expensive over time, as OpenVPN requires per-user licenses (unless you are a Linux pro). OpenVPN also needs more computing power than IPsec, as it uses SSL.

The VPN server will serve the current market operating systems: Windows, macOS, Android and iOS.

Assumptions

You are using AWS, and have at your disposal a t2.small instance with Netgate pfSense deployed, to which you have added a second NIC (for separate WAN/LAN routing). You can check it out here. Of course, this deployment will work on any public cloud, as pfSense runs on all of them.

Part 1: Create the Certificates

IKEv2 Certificate Structure

If a suitable Certificate Authority (CA) is not present in the Cert Manager, creating one is the first task:

  • Navigate to System > Cert Manager on the pfSense® firewall
  • Click “+” Add to create a new certificate authority
  • Select Create an internal Certificate Authority for the Method
  • Fill in the rest of the fields as desired with company or site-specific information
  • Click Save

Create a Server Certificate

  • Navigate to System > Cert Manager, Certificates tab on the pfSense firewall
  • Click “+” Add to create a new certificate
  • Select Create an internal certificate for the Method
  • Enter a Descriptive Name such as IKEv2 Server
  • Select the appropriate Certificate Authority created in the previous step
  • Choose the desired Key Type, Key length, Digest algorithm, and Lifetime
  • Enter the Common Name as the hostname of the firewall as it exists in DNS. If clients will connect by IP address, place the IP address here instead
  • Fill in the regional and company values in the Distinguished name fields as desired, they are copied from the CA and may be left as-is
  • Set the Certificate Type to Server Certificate
  • Click “+” Add to add a new Alternative Name
  • Enter FQDN or Hostname in the Type field
  • Enter the hostname of the firewall as it exists in DNS again in the Value field
  • Click “+” Add to add another new Alternative Name
  • Enter IP Address in the Type field
  • Enter the WAN IP address of the firewall in the Value field
  • Add more Alternative Names as needed for additional hostnames or IP addresses on the firewall that clients may use to connect
  • Click Save
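The GUI steps above produce an internal CA and a server certificate whose Subject Alternative Names carry both the firewall's DNS name and its WAN IP; Windows and Apple IKEv2 clients validate the server identity against those SANs, so a certificate missing either of them is a common reason a client refuses to connect. The following script is an added example, not part of the original post or of pfSense, that builds the same structure with the openssl CLI and then checks the result. It assumes RSA 2048 with SHA-256 (the page leaves key type and digest to you), the placeholder FQDN vpnipsec.yourdomain.goes.here and the constructed WAN address 203.0.113.10; the extendedKeyUsage line adds serverAuth, which Windows requires, and the ikeIntermediate OID, as pfSense's Server Certificate type does.

```shell
#!/bin/sh
# Added example (not from the original post): CA + IKEv2 server certificate
# with FQDN and IP SANs, built with openssl and verified afterwards.
# Assumptions: RSA 2048 / SHA-256; names and addresses are placeholders.

# make_ikev2_certs OUTDIR FQDN WAN_IP
make_ikev2_certs() {
    out=$1; fqdn=$2; wan_ip=$3
    mkdir -p "$out"
    cfg="$out/ikev2.cnf"
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
# serverAuth is required by Windows IKEv2 clients; 1.3.6.1.5.5.8.2.2 is ikeIntermediate
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = @alt
[alt]
DNS.1 = $fqdn
IP.1 = $wan_ip
EOF
    # Step 1: the internal Certificate Authority (self-signed, 10 years)
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$out/ca.key" -out "$out/ca.crt" \
        -subj "/CN=IKEv2 Internal CA" -config "$cfg" -extensions ca_ext
    # Step 2: server key + CSR; the Common Name is the DNS name clients connect to
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$out/server.key" -out "$out/server.csr" \
        -subj "/CN=$fqdn" -config "$cfg"
    # Step 3: sign with the CA, attaching the server extensions and both SANs
    openssl x509 -req -sha256 -days 825 -in "$out/server.csr" \
        -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
        -out "$out/server.crt" -extfile "$cfg" -extensions server_ext
}

# cert_sans CERT: prints the Subject Alternative Name line of a PEM certificate
cert_sans() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

# check_ikev2_server_cert OUTDIR FQDN WAN_IP
# Returns 0 only if server.crt chains to ca.crt AND carries both expected SANs.
check_ikev2_server_cert() {
    out=$1; fqdn=$2; wan_ip=$3
    openssl verify -CAfile "$out/ca.crt" "$out/server.crt" >/dev/null 2>&1 || return 1
    sans=$(cert_sans "$out/server.crt")
    case "$sans" in *"DNS:$fqdn"*) ;; *) return 1 ;; esac
    case "$sans" in *"IP Address:$wan_ip"*) ;; *) return 1 ;; esac
    return 0
}

# Stand-alone use: IKEV2_CERT_DIR=./certs IKEV2_FQDN=... IKEV2_WAN_IP=... sh this_script.sh
if [ -n "${IKEV2_CERT_DIR-}" ]; then
    make_ikev2_certs "$IKEV2_CERT_DIR" "${IKEV2_FQDN:-vpnipsec.yourdomain.goes.here}" "${IKEV2_WAN_IP:-203.0.113.10}"
    check_ikev2_server_cert "$IKEV2_CERT_DIR" "${IKEV2_FQDN:-vpnipsec.yourdomain.goes.here}" "${IKEV2_WAN_IP:-203.0.113.10}" \
        && echo "server.crt chains to ca.crt and carries both SANs"
fi
```

The check function is the useful part when a client complains about the server identity: run it against the certificate exported from Cert Manager with the FQDN and address the client actually uses, and a missing SAN shows up before you touch the phase settings.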

Part 2: Configuring IPSec VPN Mobile Access

IPsec VPNs have an immense number of configurable options, and many of them have to match for everything to work correctly. Pay attention to the details provided, as they matter. Think of IPsec as a machine whose moving parts need to work together.

Server Requirements

  • A very long IPsec client pre-shared key (for example: f7f5f3A71cd83153e9d6b7473141cbd2edb54eccc7663f0302b93e7c)
  • An Internet domain and two FQDNs: vpnipsec.yourdomain.goes.here and netgate.yourdomain.goes.here

Client Minimum Requirements

  • macOS 10.15
  • Windows 10
  • iOS 12
  • Android 10

Security Groups

Make sure to allow in your SGs:

  • UDP ports 500 and 4500
  • TCP ports 22 and 443 (temporarily while the server is being configured)

Phase 1

Make sure to configure your environment exactly as shown below.

[Screenshot: Phase 1 Tunnels]
[Screenshot: Phase 1 Pre-Shared Key]
[Screenshot: Phase 1 Encryption Algorithm]
[Screenshot: Phase 1 Advanced Options]

Phase 2

[Screenshot: Phase 2 Mobile Clients]
[Screenshot: Phase 2 Proposal (SA/Key Exchange)]

Part 3: Creating User Accounts for VPN Access

Access the web configurator:

https://netgate.yourdomain.goes.here/

[Screenshot: Defining VPN username and password]
[Screenshot: Secure Password Generator]

Obtaining the User Access Profile

Browse Menus: VPN > IPsec Export (Apple Profile or Windows)

Apple Profile

Select the user in “VPN Client” menu, and download the configuration file.

[Screenshot: Apple Client Export Screen]

Windows

In the Windows export screen there is no “VPN Client” option; the export gives you these files instead:

[Screenshot: Windows Client Export Screen]

  • add_pfSense_vpn_client.ps1
  • pfSense_ikev2_somehash.pem

Part 4: Configuring the Clients

MacOS Users

Click on the file provided to automatically configure the IPsec VPN. On the screen that will appear, enter the user name and the 16-character key.

[Screenshot: Username and Password Fields]
[Screenshot: Warning Screen]
[Screenshot: macOS VPN Configured]
[Screenshot: Connecting to the VPN]
[Screenshot: macOS VPN Connected]

Windows Users

This is a three-part process. The VPN configuration file comes in ZIP format and is named “VPN_ (netgate) _-_ Mobile_IPsec_clients.zip”. When unzipping it, we get two files:

  • add_pfSense_vpn_client.exe
  • pfSense_ikev2_5f9c6e4977416.cer

[Screenshot: Install certificate screen]
[Screenshot: Select Local Machine]
[Screenshot: Trusted Root Certification Authorities]
[Screenshot: Run As Administrator]
[Screenshot: Connecting to the VPN on Windows]
[Screenshot: Windows VPN connected]

Android Users

The first step is to get the PEM file “pfSense_ikev2_5f9c6e4977416.pem” onto the phone. It is a digital certificate. Temporarily use Google Drive to transfer the file.

  1. Open the strongSwan app
  2. Import the digital certificate (PEM file):
  3. Touch the settings icon (three vertical dots in the upper right corner)
  4. Touch CA Certificates
  5. Touch the settings icon (three vertical dots in the upper right corner)
  6. Touch Import Certificate
  7. Locate the previously copied certificate and tap it.
  8. Go to Imported and check if there is a CA Netgate VPN
  9. Touch Add VPN Profile
  10. In Server, enter vpnipsec.yourdomain.goes.here
  11. In Type, select IKEv2 EAP (username / password)
  12. Enter username
  13. Enter the password to be remembered, or leave it blank to request the password on each connection.
  14. Check Select automatically in CA Certificate
  15. Enter the profile name Company Mobile VPN

[Screenshot: Android VPN Setup]

iPhone Users

The first step is to get the PEM file “pfSense_ikev2_5f9c6e4977416.pem” onto the phone. It is a digital certificate. Email the file to yourself as an attachment. For the process to work, use the iPhone’s native Mail application; the Gmail application is not suitable for this process. Then follow the certificate import process described in this link.

  • Server: vpnipsec.yourdomain.goes.here
  • Remote ID: vpnipsec.yourdomain.goes.here
  • Username: as provided by the IT staff.
  • Password: as provided by the IT staff.

Linux Users

This is a four-part process.

  • Name: Company
  • Address: vpnipsec.yourdomain.goes.here
  • Certificate: Select the PEM file stored in the “home” directory.
  • Authentication: EAP
  • Username: fill in the user name.
  • Password: will be requested at the VPN connection time.
  • Check: Request an inner IP address.
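The Linux fields above are the NetworkManager form of a strongSwan client connection. As an added example (not from the original post and not a pfSense or strongSwan file), the script below writes the same settings as a swanctl configuration: the server FQDN, the imported CA as the only trusted issuer, EAP username/password authentication, and a requested inner (virtual) IP. It assumes strongSwan 5.x with swanctl, a configuration root of /etc/swanctl (overridable for testing), that the server's IKE identity is its FQDN (matching the Remote ID used in the iPhone section), and that the CA file is the exported pfSense_ikev2_5f9c6e4977416.pem; the connection name "company" and the EAP method left to the server are choices made here, not facts from the page.

```shell
#!/bin/sh
# Added example (not from the original post): NetworkManager VPN fields
# expressed as a swanctl client configuration for strongSwan.
# Assumptions: swanctl config root /etc/swanctl (overridable), server
# identity = its FQDN, EAP username/password, CA exported from pfSense.

# write_swanctl_client_conf DIR SERVER_FQDN USERNAME CA_PEM
write_swanctl_client_conf() {
    cfg_dir=$1; server=$2; user=$3; ca_pem=$4
    ca_name=$(basename "$ca_pem")
    mkdir -p "$cfg_dir/conf.d" "$cfg_dir/x509ca"
    # "Certificate: select the PEM file" -> swanctl loads CAs from x509ca/;
    # the connection then pins trust to that single CA via cacerts.
    cp "$ca_pem" "$cfg_dir/x509ca/$ca_name"
    cat > "$cfg_dir/conf.d/company.conf" <<EOF
connections {
    # "Name: Company"
    company {
        # IKEv2 only
        version = 2
        # "Address: $server"
        remote_addrs = $server
        # "Check: Request an inner IP address"
        vips = 0.0.0.0
        local {
            # "Authentication: EAP" (method negotiated with the server)
            auth = eap
            # "Username"
            id = $user
            eap_id = $user
        }
        remote {
            # the server proves its identity with its certificate
            auth = pubkey
            # must match a SAN in the server certificate (Remote ID)
            id = $server
            # accept only the CA imported above
            cacerts = $ca_name
        }
        children {
            company {
                # ask for everything; the responder narrows it to what it allows
                remote_ts = 0.0.0.0/0
                # connect on demand: swanctl --initiate --child company
                start_action = none
            }
        }
    }
}
EOF
}

# write_swanctl_secret DIR USERNAME PASSWORD
# The EAP password lives in its own file, created mode 0600.
write_swanctl_secret() {
    cfg_dir=$1; user=$2; password=$3
    mkdir -p "$cfg_dir/conf.d"
    ( umask 077; cat > "$cfg_dir/conf.d/company-secret.conf" <<EOF
secrets {
    eap-company {
        id = $user
        secret = "$password"
    }
}
EOF
    )
}

# Stand-alone use: VPN_USER=alice [SWANCTL_DIR=/etc/swanctl] sh this_script.sh
# The password is asked for at run time, as in the NetworkManager flow.
if [ -n "${VPN_USER-}" ]; then
    root=${SWANCTL_DIR:-/etc/swanctl}
    write_swanctl_client_conf "$root" vpnipsec.yourdomain.goes.here "$VPN_USER" \
        "$HOME/pfSense_ikev2_5f9c6e4977416.pem"
    printf 'VPN password: '; stty -echo; read -r pw; stty echo; echo
    write_swanctl_secret "$root" "$VPN_USER" "$pw"
    echo "Now run: swanctl --load-all && swanctl --initiate --child company"
fi
```

Pinning `cacerts` to the imported file is the part worth keeping even if the rest is adapted: without it, any CA present in x509ca/ could vouch for a host claiming the VPN's FQDN.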

Troubleshooting

Troubleshooting OSX Connection Problems

Check the IPsec debug output using the Console tool. Filter the messages of the “NEIKEv2Provider” process. Look in the logs for entries marked with a yellow ball to interpret the error. It should contain a string similar to this:

That’s It!

I hope this post has been helpful to you. If you need help, leave a message.

Andre Rocha

I'm just a SysAdmin with some experience in OpenSource, DevOps and Datacenter Services, who likes to share knowledge.