If you are not hip to pfSense I suggest you check it out. It is an open source firewall that is making waves in InfoSec. The pfSense guys have a great howto for configuring IPSec VPN on the pfSense firewall as well as making connections via a freeware Windows IPSec VPN client called Shrew Soft which can be read by clicking here. The only item lacking in the article is a recommendation for a Mac OSX client as well as configuration tips for a Mac OSX client which is the sole point of this article. Below is information about where to download a freeware Mac OSX IPSec VPN client and then the necessary configuration to make a connection to the suggested settings noted in the howto of the pfSense web site.
**NOTE** Please note that if you are able to make a successful IPSec connection but it appears that no traffic is traversing the connection back to you then likely the issue is with Policy Generation. I would suggest modifying the settings in the Phase 1 portion of the IPSec VPN settings on the pfSense firewall. Change Policy Generation from “default” to “unique” and things should start to work properly.
Free IPSec VPN Client For OSX For IPSec VPN Connection To pfSense:
I have only been using this IPSec VPN client for OSX for a couple days but so far I have not had any issues and it appears to be stable. Make sure you download the proper version of the client though for your version of OSX. There are two download links below which include the OSX Lion version of the IPSec VPN client and then all other OSX versions. At the time of writing this article the Lion version is in beta but it is working without issue for me.
Download IPSecuritas Freeware IPSec VPN Client For OSX:
IPSecuritas Download Page For All Version
IPSecuritas OSX Lion IPSec VPN Client
IPSecuritas OSX Pre Lion IPSec VPN Client
Once downloaded and installed the below instructions and screenshots will help you make a successful connection to a pfSense firewall that has IPSec configured using the instructions at this URL.
Configure IPSecuritas IPSec VPN Client For pfSense Mobile Warrior Connections:
After you have IPSecuritas installed launch it from the Applications Finder window within OSX. The first time you launch the IPSecuritas application it will ask if you want to install the IPSecuritas IPSec VPN Widget on Mac OSX which looks similar to the below depending on the version of IPSecuritas that is installed.
IPSecuritas IPSec VPN Widget On OSX:
I personally don’t use many of the widgets on OSX however this one is useful because you can simply click “Ctrl-Left Arrow” and the make a connection to one of your IPSec VPN connections by highlighting it and clicking the Start button. So once the widget installation is complete you will see the IPSecuritas connection window without any connections listed since you have yet to configure one as shown in the below example image.
IPSecuritas IPSec VPN Client Connections Window:
In the example above I have a connection listed since I have already configured one. With the IPSecuritas Connections window active click Connections in the top navigation menu and select Edit Connections from the drop down as shown in the below example image.
IPSecuritas Navigation Menu: Connections >> Edit Connections
Once Edit Connections has been selected a new window will open as shown in the below example image. If the first connection is not highlighted allowing you to modify the name of the connection click the + symbol near the bottom of the window to add a new connection and name it accordingly. For this example I have selected pfSense IPSec VPN as the name of the connection.
IPSecuritas IPSec VPN New Connection Window: General Tab Settings
Once you have named the connection as shown in the above example window you will need to modify a couple settings on the first tab of the new connection. First enter the IP address of the pfSense firewall accepting the IPSec VPN connections which in this example is 10.10.10.10 (likely a public IP in your case). Next enter a private IP address (RFC 1918 compliant) that should not conflict with any of the remote networks you are connecting to or any of the private networks you are connecting from. In this example the RFC 1918 address selected is 192.168.111.111. The last section that needs to be modified under the IPSecuritas General tab for this new connection is the Remote Side. Here you can configure a single host, a network, networks, or you can send all traffic through the IPSec VPN connection by selecting Anywhere from the drop down. In this example we will be configuring a single network which is 10.1.50.0/24. Notice after you enter the network address you can modify the Network Mask or CIDR (Classless Inter-Domain Routing) which again in this example is /24 or 255.255.255.0.
IPSecuritas IPSec VPN New Connection Window: Phase 1 Tab Settings
Once all of the General tab settings have been configured click the Phase 1 tab located near the top of the Connections window to the right of General. Here you can mirror the settings in the example image above which include setting the Timeout to 86400 seconds, DH Group to 1024 (2), Encryption to 3DES, Authentication to SHA-1, Exchange Mode to Aggressive, Proposal Check to Obey, and Nonce Size to 16. Once these settings are configured click the Phase 2 tab located to the right of Phase 1 in the Connections window.
IPSecuritas IPSec VPN New Connection Window: Phase 2 Tab Settings
On the Phase 2 tab set Lifetime to 3600 seconds, PFS Group to 1024 (2), uncheck everything underneath Encryption except for 3DES, and uncheck everything under Authentication except for SHA-1. Once these settings have been configured properly move to the ID tab as shown in the below example image.
IPSecuritas IPSec VPN New Connection Window: ID Tab Settings
On the ID tab set the Local Identifier Key ID, add the email address you configured in the pfSense howto (should be unique for each user making a connection for auditing purposes), Remote Identifier should be set to Address which means the IP address making the connection, Authentication Method should be set to Pre-Shared Key or PSK, and then enter the PSK associated to the email address specified for Key ID. Now click the DNS tab as shown in the below example image.
IPSecuritas IPSec VPN New Connection Window: DNS Tab Settings
The DNS tab does not need to have any settings modified. Just make sure that the Enable Domain Specific DNS Servers is not checked and then move on to the Options tab.
IPSecuritas IPSec VPN New Connection Window: Options Tab Settings
The only setting I modified on the Options tab was to enable NAT-T as shown in the above example. You can also configure the Connection Check if you like which will verify the connection is active before allowing it to be used. If you do enable Connection Check then set the IP address to something on the remote network that accepts ICMP requests.
If you run into any issues or have further suggestions that expand on the above article please note them in the comments section below.
**NOTE** If you run into issues you might try making the IPSec VPN connection from a different Internet connection or by using a service such as CloakVPN that encrypts all traffic through a different gateway. Likely the issue will end up being the UDP ports needed to establish a successful connection are being blocked on the firewall outbound towards the pfSense firewall. Happy secure connections.
pfSense 2 Cookbook (Paperback)
|
||||||||
pfSense: The Definitive Guide (Paperback)
|
||||||||
