Configure IKEv2 IPsec VPN Server with PSK or RSA in pfSense

The pfSense operating system lets us configure several types of VPN. One of the most secure is IPsec IKEv2, a fairly recent protocol that is built into Windows by default and into some mobile brands such as Samsung. Unfortunately, it is not supported by many of the VPN clients found on other phones, such as Huawei. In this article we explain how to configure an IPsec IKEv2 VPN server so that you can connect remotely to your local network securely.

What is an IPsec IKEv2 VPN server for?

The IPsec protocol is one of the most used and best-known VPN protocols, used both in the home and in business. Normally the IPsec IKEv2 protocol is used to connect different sites, configuring a Site-to-Site VPN that interconnects them securely over the Internet, since all traffic is encrypted, authenticated and integrity-checked.

Configure IKEv2 IPsec VPN Server with PSK or RSA in pfSense

In this case we will use the IKEv2 protocol, which is more secure than IKEv1 when negotiating data encryption between the clients and the server; in addition, we will set up PSK-based authentication for the clients. The IPsec IKEv2 protocol offers two authentication methods:

  • Mutual PSK: a Pre-shared Key associated with an identity is established, one for each VPN client that wants to connect. This key is stored both on the server and on all VPN clients.
  • Mutual RSA: a CA must be created, with a server certificate and also certificates for the VPN clients; once authentication with these certificates has been established, we will have access to the VPN without having to enter any password.

In this tutorial we will see how to configure the IPsec IKEv2 protocol in the pfSense operating system, so that VPN clients can connect to the corporate network and start sharing data.

IPsec IKEv2 Protocol Configuration

This IKEv2 IPsec protocol is oriented towards environments where we create a Site-to-Site VPN to interconnect venues; however, it is also suitable for remote access VPNs, as long as the clients support this type of VPN. For example, any Linux operating system does, as do the latest version of Windows 10 and Samsung smartphones, which incorporate an IPsec IKEv2 client.

Configure the «Mobile Clients»

The first thing we have to do to configure the VPN server is to go to the “VPN / IPsec / Mobile Clients” section and select the following options:

  • Enable IPsec Mobile Client Support
  • Virtual Address Pool: provides virtual IP addresses to clients; we enter a subnet that is not in use, such as 192.168.100.0/24.
  • DNS Server: provides a DNS server to clients; here we can enter a local DNS server or a public one such as Google or Cloudflare.

The final configuration would be as follows:

Once done, we click on «Save»; a green button to apply the changes will appear at the top. We click on it and, when the page reloads, we click on the green «Create Phase 1» button.

With IPsec IKEv2, establishing the connection is also divided into two phases: phase 1 performs the authentication, and phase 2 negotiates the encryption of the tunnel with symmetric cryptography for the exchange of information.

First we must configure phase 1 with a set of ciphers compatible with most clients. In principle, IKEv2 gives fewer problems when selecting more robust ciphers, because it is a newer protocol, so we should have no trouble choosing more secure ciphers.

Configure IPsec Phase 1

In this menu we configure the IPsec protocol to use IKEv2. The security configuration may need to change if you use VPN clients for Android, iOS, external programs for Windows, etc., because the software integrated in each device supports a higher or lower level of security. We will use a conservative configuration, still quite secure and compatible with most VPN clients, but keep this in mind: you may have to modify some parameter to lower or raise the security level.

The options that we must configure for it to work correctly are the following:

  • General Information
    • Key Exchange version: IKEv2
    • Internet Protocol: IPv4 or IPv6
    • Interface: Internet WAN
    • Description: we put a description.
  • Phase 1 Proposal (Authentication)
    • Authentication Method: Mutual PSK
    • Negotiation Mode: Aggressive; selecting “Main” is more secure, but VPN clients may not connect. If the VPN connects well with the configuration we propose, you can later switch to “Main” to see if it works too.
    • My identifier: distinguished name: vpn.redeszone.net
  • Phase 1 Proposal (Encryption)
    • Encryption Algorithm: AES 256-bit, SHA256, DH Group 14 (2048-bit).

pfSense supports much stronger settings and even lets you activate PFS (Perfect Forward Secrecy); the problem is that VPN clients may not support them. For this reason we have not used the more robust algorithms such as SHA-512, a larger DH group such as 4096 bits, or elliptic-curve (EC) groups. To configure it with the best security, it is necessary to review the connection logs, where we can see the cipher suites that each connecting IPsec client supports. In this way, knowing which device models and operating systems will connect, we can choose the safest configuration that is compatible with all of them.

The rest of the configuration options can be left as they come by default.

Once we have configured phase 1 of IPsec IKEv2, we are going to configure phase 2.

Configure IPsec Phase 2

In this menu, the first thing we choose is the operating mode; we have chosen «Tunnel IPv4». We also have to set the «Local Network» that we want the VPN clients to access; there are several options, the most common being the LAN subnet or a specific subnet that we define. We leave the «NAT» option at «none».

In this configuration menu we must put the following:

  • General Information
    • Mode: tunnel IPv4.
    • Local Network: LAN subnet.
    • Description: a description that we want.
  • Phase 2 Proposal (SA / Key Exchange)
    • Protocol: ESP.
    • Encryption Algorithm: AES auto and AES-128-GCM auto.
    • Hash algorithms: we select SHA-1 and SHA-256.
    • PFS Key group: off, not supported by clients.

The rest of the options can be left at their defaults; click on save to save all the changes.

Once finished, we will be able to see the summary of the configuration carried out in the “IPsec / Tunnels” section.

Now we have to create the identifier and pre-shared key that will be used for access:

  • Identifier: redeszone@redeszone.net
  • Secret Type: PSK
  • Pre-Shared Key: 12345678
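A review of the profile as it stands at this point, added here as an example that is not part of the original article and not pfSense code: the dictionary mirrors the form fields chosen in the Phase 1, Phase 2 and pre-shared key steps above, and the thresholds (DH group 14 minimum, a 128-bit entropy floor for the PSK, SHA-1 flagged as weak) are this example's own baseline. It reports which settings were chosen for client compatibility so they can be revisited once the logs confirm what the clients support.

```python
"""Added example (not pfSense code): a small policy review of an IKEv2
remote-access profile such as the one built in this tutorial. The dict keys
mirror the pfSense form fields named in the text; the thresholds are this
example's own baseline, not something pfSense enforces."""

import math
import secrets
import string

# The profile as configured in the tutorial (Phase 1, Phase 2 and the PSK entry).
TUTORIAL_PROFILE = {
    "ike_version": "IKEv2",
    "negotiation_mode": "aggressive",
    "auth_method": "Mutual PSK",
    "p1_encryption": "AES-256",
    "p1_hash": "SHA256",
    "p1_dh_group": 14,                  # MODP 2048
    "p2_protocol": "ESP",
    "p2_encryption": ["AES", "AES-128-GCM"],
    "p2_hash": ["SHA1", "SHA256"],
    "pfs_group": 0,                     # 0 = PFS key group "off"
    "psk": "12345678",
}

WEAK_HASHES = {"MD5", "SHA1"}
MIN_DH_GROUP = 14        # DH groups 1, 2 and 5 are too small for new deployments
MIN_PSK_BITS = 128       # entropy floor for a pre-shared key (this example's assumption)


def psk_entropy_bits(psk):
    """Estimate PSK entropy from its length and the character classes it uses."""
    classes = [string.digits, string.ascii_lowercase, string.ascii_uppercase, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in psk))
    return len(psk) * math.log2(alphabet) if alphabet else 0.0


def generate_psk():
    """A random URL-safe PSK of 43 characters (256 bits of entropy), one per client."""
    return secrets.token_urlsafe(32)


def review_profile(p):
    """Return (severity, message) findings; an empty list means nothing was flagged."""
    findings = []
    # Main/Aggressive is an IKEv1 concept (IKEv2 uses IKE_SA_INIT and IKE_AUTH),
    # so the pfSense field only matters if the profile is switched back to IKEv1.
    if p["ike_version"] == "IKEv1" and p["negotiation_mode"] == "aggressive":
        findings.append(("high", "IKEv1 aggressive mode sends the PSK-derived hash before the channel is encrypted"))
    if p["p1_dh_group"] < MIN_DH_GROUP:
        findings.append(("high", f"Phase 1 DH group {p['p1_dh_group']} is below group {MIN_DH_GROUP}"))
    if p["p1_hash"].upper() in WEAK_HASHES:
        findings.append(("medium", f"Phase 1 hash {p['p1_hash']} is weak"))
    weak_p2 = [h for h in p["p2_hash"] if h.upper() in WEAK_HASHES]
    if weak_p2:
        findings.append(("medium", f"Phase 2 still offers {', '.join(weak_p2)}; remove it once the logs show every client accepts SHA-256"))
    if p["pfs_group"] == 0:
        findings.append(("medium", "PFS is off, so a recovered IKE key would also expose recorded ESP traffic"))
    if p["auth_method"] == "Mutual PSK":
        bits = psk_entropy_bits(p["psk"])
        if bits < MIN_PSK_BITS:
            findings.append(("high", f"PSK has about {bits:.0f} bits of entropy (below {MIN_PSK_BITS}); use a long random secret per client"))
    return findings


def hardened_profile(p):
    """Copy of a profile with the compatibility trade-offs removed, for comparison."""
    h = dict(p)
    h["p2_hash"] = [x for x in p["p2_hash"] if x.upper() not in WEAK_HASHES]
    h["pfs_group"] = max(p["pfs_group"], MIN_DH_GROUP)
    h["psk"] = generate_psk()
    return h


if __name__ == "__main__":
    for severity, msg in review_profile(TUTORIAL_PROFILE):
        print(f"[{severity}] {msg}")
    print("hardened profile findings:", review_profile(hardened_profile(TUTORIAL_PROFILE)))
```

Run as is, it lists three findings for the tutorial profile (SHA-1 offered in phase 2, PFS off, and an eight-digit PSK of roughly 27 bits) and none for the hardened copy; the hardened copy is only a comparison, since whether PFS and SHA-256-only actually work depends on the clients you have, which is exactly what the connection logs tell you.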

Now that we have configured the IKEv2 IPsec VPN server, we need to open the ports on the WAN firewall.

Open ports in the pfSense firewall

For this VPN it is also necessary to open ports on the Internet WAN: UDP port 500 and UDP port 4500. Below are the details for opening both ports.

We will have to create a rule in the “Firewall / Rules / WAN” section with the following information:

  • Action: Pass
  • Interface: WAN
  • Address Family: IPv4
  • Protocol: UDP
  • Source: any
  • Destination: WAN Address on port 500

The second rule would be:

  • Action: Pass
  • Interface: WAN
  • Address Family: IPv4
  • Protocol: UDP
  • Source: any
  • Destination: WAN Address on port 4500

As you can see, we now have the two rules that allow the traffic in.

We save and apply the changes so that these rules take effect. Now we go to the “IPsec” tab, where we create an “allow all” rule. Later, once we are connected, if we want to limit access we can do so with the corresponding rules here.

  • Action: Pass
  • Interface: IPsec
  • Address Family: IPv4
  • Protocol: any
  • Source: any
  • Destination: any

Now that we have the IKEv2 IPsec VPN server configured and the ports open in the firewall, we are going to perform a connection test with Android.

Connection test

In our case, we established a VPN connection from an Android smartphone, specifically a Samsung S8 Plus, which incorporates an IPsec IKEv2 PSK client. The configuration to carry out is as follows (we cannot include screenshots because the operating system treats this screen as private content).

  • Name: we give the VPN a name
  • Type: IPsec IKEv2 PSK
  • Server: IP or DDNS domain of your VPN server
  • IPsec identifier: redeszone@redeszone.net
  • Initial IPsec Shared Key: 12345678; the key we entered in the “Pre-Shared Key” field.

We click on save and connect. It will then connect without problems to the VPN server, and we will have access to the pfSense administration and the rest of the network.

Recommendations and advice

Although IPsec IKEv2 behaves better than other IPsec-based VPN types in terms of compatibility, we must pay special attention to the encryption algorithms we set on the VPN server, because they could prevent some IPsec clients from connecting. This is quite common with IPsec, because we depend on the IPsec client software each device carries and on the algorithms it supports. Logically, for security reasons it is always advisable to choose the strongest ones, but that could stop some VPN clients from connecting.

It is advisable to look at the logs of the different IPsec connections and check which “proposals” the IPsec clients send to the server during the IKE negotiation; in this way we can restrict the server to the best cryptographic algorithms and not allow those that are not safe.
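The log review described here and in the Phase 1 section, as an added example that is not from the article, from pfSense or from strongSwan: pfSense's IPsec daemon is strongSwan's charon, whose log records the proposals each client offers during IKE_SA_INIT. The script parses constructed lines written in charon's format (the `<n>` tag is charon's SA id, which ties a proposal line to the "received packet: from" line of the same client; the addresses are documentation ranges), groups proposals per client, flags weak components and selects the strongest proposal that every observed client has in common. The DH strength table and the list of what counts as weak are this example's assumptions.

```python
"""Added example (not pfSense or strongSwan code): read the IKE proposals that
remote-access clients send during IKE_SA_INIT from pfSense's IPsec log (charon),
group them per client, flag weak algorithms and pick the strongest proposal
every observed client supports. The log lines below are constructed in charon's
format; the addresses are documentation ranges, not real clients."""

import re
from collections import defaultdict

SAMPLE_LOG = """\
Jan 10 10:00:01 pfSense charon[1234]: 06[NET] <1> received packet: from 203.0.113.10[500] to 198.51.100.1[500] (464 bytes)
Jan 10 10:00:01 pfSense charon[1234]: 06[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 10 10:00:01 pfSense charon[1234]: 06[CFG] <1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jan 10 10:00:05 pfSense charon[1234]: 11[NET] <2> received packet: from 198.51.100.77[4500] to 198.51.100.1[4500] (512 bytes)
Jan 10 10:00:05 pfSense charon[1234]: 11[CFG] <2> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""

PACKET_RE = re.compile(r"<([^>]+)> received packet: from ([0-9a-fA-F.:]+)\[")
PROPOSAL_RE = re.compile(r"<([^>]+)> received proposals: (.+)$")

# Approximate security level of each DH group in bits; used only for ranking here.
DH_BITS = {"MODP_768": 56, "MODP_1024": 80, "MODP_1536": 90, "MODP_2048": 112,
           "MODP_3072": 128, "MODP_4096": 152, "ECP_256": 128, "ECP_384": 192, "ECP_521": 256}
WEAK_DH = {"MODP_768", "MODP_1024", "MODP_1536"}


def parse_proposals(log, protocol="IKE"):
    """Map each client address to the set of proposals it offered for `protocol`."""
    sa_peer = {}                       # charon SA id (the <n> tag) -> peer address
    offered = defaultdict(set)
    for line in log.splitlines():
        m = PACKET_RE.search(line)
        if m:
            sa_peer[m.group(1)] = m.group(2)
            continue
        m = PROPOSAL_RE.search(line)
        if not m:
            continue
        peer = sa_peer.get(m.group(1), "sa:" + m.group(1))
        for item in m.group(2).split(", "):
            if item.startswith(protocol + ":"):
                offered[peer].add(item[len(protocol) + 1:])
    return dict(offered)


def weak_reasons(proposal):
    """List why a proposal is considered weak; an empty list means acceptable."""
    parts = proposal.split("/")
    reasons = []
    if not parts[0].startswith("AES"):
        reasons.append(f"cipher {parts[0]} is not AES")
    if any(p.startswith(("HMAC_SHA1", "HMAC_MD5")) for p in parts):
        reasons.append("integrity uses SHA-1 or MD5")
    if parts[-1] in WEAK_DH:
        reasons.append(f"DH group {parts[-1]} is too small")
    return reasons


def score(proposal):
    """Rank tuple: DH strength, then AES key bits, then fewest weak components."""
    parts = proposal.split("/")
    aes_bits = int(parts[0].rsplit("_", 1)[1]) if parts[0].startswith("AES") else 0
    return (DH_BITS.get(parts[-1], 0), aes_bits, -len(weak_reasons(proposal)))


def strongest_common(offered):
    """Strongest proposal offered by every client, or None if they share none."""
    common = set.intersection(*offered.values()) if offered else set()
    return max(common, key=score) if common else None


if __name__ == "__main__":
    peers = parse_proposals(SAMPLE_LOG)
    for peer, props in peers.items():
        for prop in sorted(props, key=score, reverse=True):
            flags = weak_reasons(prop)
            print(f"{peer}: {prop}" + (f"  [weak: {'; '.join(flags)}]" if flags else ""))
    print("strongest common proposal:", strongest_common(peers))
```

On a live system the input is the IPsec log from Status / System Logs / IPsec (or the exported log file) rather than the constructed sample; the "configured proposals" line is ignored on purpose because it shows what the server offers, not what the client can do. Passing `protocol="ESP"` applies the same grouping to the CHILD_SA (phase 2) proposals.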

With this same tutorial you will be able to configure IPsec IKEv2 with RSA, changing “Mutual PSK” to “Mutual RSA” and configuring the corresponding server and client certificates. We will show you how to do it soon. This brings added complications, because the VPN client may not be able to read the configured RSA or ECDSA certificate if algorithms that are too strong for it are used.