
HackTheory : PFsense Road Warrior VPN + ShrewSoft IPSEC VPN


7/17/13 10:22 AM HackTheory :: PFsense Road Warrior VPN + ShrewSoft IPSEC VPN

Page 1 of 7 http://www.hacktheory.org/index.php/projects/projects-by-eureka/pfsense-road-warrior-vpn-shrewsoft-ipsec-vpn/

pfSense IPsec Road Warrior VPN.

Purpose:

Establish a client-based VPN from your machine to your pfSense box, wherever it may be.

Requirements:

pfSense system running at least version 1.2.3 stable (as of Jan 19, 2011).

ShrewSoft IPSEC VPN Client (Windows/Linux/BSD) 2.1.7-stable as of Jan 19, 2010.

DynDNS account with setup completed on your pfSense system (optional; assumes you do not have a static IP).

Basic knowledge of networking, VPNs and troubleshooting.

Sections:

Configuring Pfsense for your VPN

Adding Users

Configuring ShrewSoft VPN for your client machine (laptop, etc.).

Basic configuration

Configuring pfSense for your Road Warrior VPN setup.

Log into your pfSense system and navigate to the IPsec configuration page (VPN -> IPSEC).

Check the “Enable IPSEC” box shown in the image below and click “Save”.

Click on the “Mobile Clients” tab at the top of the page. Fill out the [Phase1] settings using the image below as your base configuration, making changes where needed.


Fill out the [Phase2] settings using the image below as your base configuration, making changes where needed.

Click the “Save” button at the bottom of the page. If prompted, make sure to also click the “Apply Changes” button and wait for the page to reload.

You should now be able to add your first user. In our case this is just a test user; you will want to use a better password and identifier.

Navigate to the “Pre-Shared Keys” page of the VPN configuration (VPN -> IPSEC -> Pre-Shared Keys).

Click on the small “+” button at the bottom right of the screen. You will see a page that looks similar to the one below. Fill in your user's details and click the “Save” button.


At this point you can either add all of your users and move on, or continue with the next section if you want to test everything first.

Configuring ShrewSoft VPN for your client machine (laptop, etc.).

Download the ShrewSoft VPN Client (http://www.shrew.net/download/ike) and install it on your computer. At the time of writing the version we used is 2.1.7-release (stable); we have not had any problems with it so far.

If you need help installing the VPN client on Linux, see the following PDF from “Global Technology Associates”. It does a very good job of walking you through installing the VPN client if you have to build from source.

http://www.gta.com/downloads/external/54/General/ShrewSoftVPN_LinuxInstall.pdf

Once installation is complete you are ready to configure the VPN client. Load the ShrewSoft VPN Access Manager and follow the next few screenshots to build your first basic configuration. Make sure to change things as needed to match the user/PSK you set up, as well as the IP/hostname of your pfSense system.

Click the “+” button to add a new VPN connection profile to your system. You will see a dialog similar to the one below. Use it as a template to get your basic configuration set up.

Take note that “Auto Configuration” has been set to Disabled. Also note that we select “Use the Virtual Adapter and assigned address”; this is due to an issue with trying to use DHCP over the VPN.

Under the “Address” range, make sure this is a network that is NOT the same as the one you are connecting to. If you do not do this it will break your routing: you may be able to ping the gateway, but you will not be able to ping any other hosts on the remote network! (Ex. If your VPN network is 192.168.1.0/24 then your IP address should be on a different range like 172.16.100.0/24.) Take note of your netmask settings, as incorrect settings here will also cause problems later.

Click on the “Client” tab and make its settings match the following image.


Click on the “Name Resolution” tab and make sure it looks similar to the image below. Replace the listed IP address with the DNS server IP on your remote network.

Click on the “Authentication” tab. Make sure it looks similar to the image below. The “Identification Type” is very important. Setting it to “User fully qualified domain name” worked for me. This will be the same as the identifier we set when setting up the “Pre-Shared Key” on the pfSense system. If this is not correct you will get “could not find PSK” errors in your IPsec logs.


On the “Authentication” tab, click the sub-tab “Remote Identity”. I use the “ANY” setting here. This is the easy way of doing it.

Click on the small arrow to the right of the “Remote Identity” tab to reveal the “Credentials” tab. Here is where you will set your “PSK” or your certificates. Below is an example.

On the very top set of tabs, click on the arrow to the right of the “Authentication” tab to show the following tabs: “Phase1”, “Phase2”, “Policy”. Click on the “Phase1” tab.

See the image below for my example of the “Phase1” settings. Make sure to change these to match the settings you have on your pfSense Phase1 settings under “Mobile Clients”.


Click on the “Phase2” tab and use the image below to help you set up your settings. Make sure that this matches your settings on the pfSense Phase2 settings under “Mobile Clients”.

Click on the “Policy” tab. Uncheck “Obtain topology automatically...” and make sure “Maintain Persistent...” is also unchecked. Click on the “ADD” button. Follow the image below for an example of what to put here. This is the IP range of your REMOTE network (the pfSense LAN network).

Click “OK” and “Save”. Click on the numbers/name below the newly created VPN profile to set a new, logical name. Ex. “VPN to Home”, “VPN to Work”, etc.

Congratulations! You should now have a working IPsec VPN to your pfSense system. I will note that you will not be able to test this on the same network you are trying to VPN into. It will likely cause strange routing issues and will not work properly.
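As an added example (not from the original tutorial), the Python script below ties together the pfSense Mobile Clients and Pre-Shared Key settings from the first section with the ShrewSoft profile settings from this one: it models both sides as constructed dictionaries and checks the pitfalls the tutorial calls out, namely a virtual adapter address overlapping the remote LAN, a bad netmask, an identifier with no matching Pre-Shared Key entry (the “could not find PSK” error), mismatched Phase1/Phase2 proposals, and a policy that omits the remote LAN. The dictionary keys, proposal values and the test user are assumptions for illustration, not real pfSense or ShrewSoft configuration keys.

```python
import ipaddress

# Constructed pfSense side: Mobile Clients Phase1/Phase2 proposal and one Pre-Shared Key
# entry (identifier -> PSK). Keys and values are illustrative assumptions, not pfSense's own.
PFSENSE = {
    "lan": "192.168.1.0/24",
    "phase1": {"cipher": "aes", "keylen": 256, "hash": "sha1", "dhgroup": 2},
    "phase2": {"transform": "esp-aes", "hmac": "sha1", "pfsgroup": 2},
    "psks": {"testuser@example.com": "constructed-psk"},
}

# Constructed ShrewSoft profile built the way the tutorial describes: virtual adapter with a
# manually assigned address on a different range, UFQDN identity, policy for the remote LAN.
CLIENT = {
    "virtual_addr": "172.16.100.10",
    "virtual_mask": "255.255.255.0",
    "ident_type": "ufqdn",
    "ident": "testuser@example.com",
    "psk": "constructed-psk",
    "phase1": {"cipher": "aes", "keylen": 256, "hash": "sha1", "dhgroup": 2},
    "phase2": {"transform": "esp-aes", "hmac": "sha1", "pfsgroup": 2},
    "policy_include": ["192.168.1.0/24"],
}


def check_profile(pf, client):
    # Returns a list of problem strings; an empty list means the profile is consistent.
    problems = []
    lan = ipaddress.ip_network(pf["lan"])
    # A mistyped netmask raises ValueError; the tutorial warns this causes trouble later.
    try:
        vnet = ipaddress.ip_interface(
            f"{client['virtual_addr']}/{client['virtual_mask']}").network
    except ValueError as exc:
        return [f"address: invalid virtual address or netmask ({exc})"]
    # The virtual adapter range must not overlap the remote LAN, or routing breaks.
    if vnet.overlaps(lan):
        problems.append(f"address: {vnet} overlaps remote LAN {lan}")
    # The client identity must match a Pre-Shared Key entry exactly ('could not find PSK').
    if client["ident_type"] != "ufqdn" or client["ident"] not in pf["psks"]:
        problems.append(f"identity: {client['ident']!r} has no matching PSK entry")
    elif client["psk"] != pf["psks"][client["ident"]]:
        problems.append("identity: PSK differs from the pfSense entry")
    # Phase1/Phase2 proposals must match what Mobile Clients is configured with.
    for phase in ("phase1", "phase2"):
        bad = [k for k, v in pf[phase].items() if client[phase].get(k) != v]
        if bad:
            problems.append(f"{phase}: mismatched {', '.join(bad)}")
    # The policy list must include the remote LAN so that traffic to it enters the tunnel.
    if lan not in [ipaddress.ip_network(n) for n in client["policy_include"]]:
        problems.append(f"policy: remote LAN {lan} not in policy list")
    return problems
```

Run check_profile(PFSENSE, CLIENT) before connecting; any non-empty result points at the tab on the ShrewSoft side or the pfSense page that needs correcting.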


© 2013 HackTheory. All rights reserved.