How to setup IKEv2 VPN with pfSense | by Frank Ye

by Frank Ye


First comes an external link. This is the official pfSense tutorial (the “original tutorial”) for setting up IKEv2 VPN in mobile warrior mode. I think you must have read it if you are interested in this topic. If you haven’t, please read it before continuing, because I won’t steal its contents.

You might ask, “Then why are you repeating this topic here?”

I had issues setting up remote clients after following the original tutorial. After spending hours searching for answers and experimenting with solutions, I finally decided on it. Several configurations in the above tutorial have to be modified to make remote clients work (especially for Windows 10 clients). I wrote this article to show you these changes.

The key to getting Windows 10 clients to work with this IKEv2 VPN is to include certain algorithms that weren’t mentioned in the original tutorial. Out of the box, the built-in VPN client in Windows 10 does not support the algorithms (such as SHA256 and 2048-bit Diffie–Hellman) specified in the original tutorial.

To make Windows 10 clients work, we need to add support for the following algorithms at the server end.

  • DH group 2 (1024 bits) for stage 1

Figure 1. Selected Algorithms for Stage 1

Figure 2. Selected Algorithms for Stage 2

With the addition of these two slightly weaker algorithms, the built-in VPN client in Windows 10 will be able to connect to the pfSense IKEv2 VPN server.

There are other tutorials on how to force Windows 10 to use the default (and stronger) algorithms so that the changes I mentioned here are no longer needed. I won’t go into the details of this because it’s intended for really advanced users. Additionally, although 1024-bit DH and SHA1 are considered weak by the security industry, they could be “good enough” if you aren’t protecting state secrets. This is your judgment call.

With the server configuration changes complete, we can now connect using the built-in VPN clients in Windows 10. It’s worth noting that IKEv2 is a relatively new protocol and older Windows versions (such as Windows 7) do not support it.

There are two paths you can follow to get to the VPN setup page on Windows 10. Oddly enough, based on some online sources, the path you take affects some of the default settings. We’ll touch on this in a later section when we talk about fixing remote gateway settings.

The path I used is to open the Start menu and search for VPN settings. Once you are there, click on the Add VPN Connection button and use the following configurations. (If you followed the original tutorial, these are the settings. If you made your own changes on the server end, I’m assuming you know what to do here as well.)

Figure 3. Windows 10 VPN Client Configurations

One of the issues I spent hours locating and fixing was a misconfiguration around the remote gateway. Read on.

When you click the Save button to create a VPN connection, Windows will automatically create a virtual network interface for that VPN. You can find the Status button on the left side of the VPN Settings window. Click on it and you will see Change adapter options.

Figure 4. Locate the adapter options

Once you are there you will see the virtual network interface that Windows created. It has the same name you gave your VPN connection.

Right-click on this virtual adapter and select Properties. You will find the network settings there. Proceed through the screens as shown below until you reach the advanced TCP/IP settings window. Make sure that the “Use default gateway on remote network” option is checked; otherwise your computer will not send its traffic to the VPN.

Figure 5. Changing remote gateway settings

By following the above steps, your Windows 10 device is ready to establish an IKEv2 VPN connection.
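The stronger-algorithm route mentioned earlier and the default-gateway setting above can both be applied from PowerShell with the built-in VpnClient cmdlets. This is an added example, not part of the original article or the pfSense tutorial; the connection name, server address, EAP authentication, AES-256 cipher and PFS setting are assumptions that must match your server, while SHA256 and 2048-bit DH (Group14) are the original tutorial's algorithms cited above.

```powershell
# Added example: pin the Windows 10 IKEv2 client to SHA256 / 2048-bit DH so the
# server does not need DH group 2 or SHA1 in its proposals.
$Name   = 'pfSense IKEv2'     # assumed connection name
$Server = 'vpn.example.com'   # placeholder server address
$Pfs    = 'None'              # assumption: must equal the stage 2 PFS group on the server

# Create the connection only if it does not exist yet.
# Assumption: the server authenticates users with EAP (username/password).
if (-not (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $Name -ServerAddress $Server `
        -TunnelType Ikev2 -AuthenticationMethod Eap -EncryptionLevel Required
}

# Custom IPsec policy: every value must also be enabled on the pfSense side.
$policy = @{
    ConnectionName                   = $Name
    EncryptionMethod                 = 'AES256'     # stage 1 cipher (assumed)
    IntegrityCheckMethod             = 'SHA256'     # stage 1 hash
    DHGroup                          = 'Group14'    # stage 1 DH, 2048 bits
    CipherTransformConstants         = 'AES256'     # stage 2 cipher (assumed)
    AuthenticationTransformConstants = 'SHA256128'  # stage 2 hash
    PfsGroup                         = $Pfs
    Force                            = $true
}
Set-VpnConnectionIPsecConfiguration @policy

# Same effect as ticking "Use default gateway on remote network":
# with split tunneling off, all traffic is routed through the VPN.
Set-VpnConnection -Name $Name -SplitTunneling $false

# Verify what the client will actually propose and how it routes.
$conn = Get-VpnConnection -Name $Name
$conn.IPsecCustomPolicy
$conn | Select-Object Name, TunnelType, SplitTunneling
```

If the connection fails after pinning the policy, compare the `IPsecCustomPolicy` output against the stage 1 and stage 2 algorithm selections on the server; a mismatch in any single field is enough to prevent negotiation.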

The Mac client is the easiest to set up. It works out of the box with default settings.

To set up the macOS client, go to the Network section under System Preferences. Then click the “+” button to add a new network connection. Select IKEv2 as the VPN type.

Figure 6. Add a new VPN in macOS

Next, enter the VPN server’s address and peer ID. If you follow the original tutorial, the server ID will be the same as the domain name. For the local ID part, you can use the username so that multiple users can connect to the VPN server under the same public IP address.

Figure 7. VPN settings for macOS

Finally, click on the Authentication Settings button and enter your credentials.

Figure 8. Entering VPN credentials on macOS

You can now create an IKEv2 VPN from your Mac. No additional configurations or modifications needed.

For this section, I will assume that readers are more or less tech savvy. So I won’t go into details like step-by-step screenshots. Feel free to leave a comment if you have unanswered questions after reading this section.

The first step to setting up a VPN client on Ubuntu 18.04 LTS or 20.04 LTS is to install the required packages. Assuming you’re using the default Ubuntu image (i.e. using Unity desktop), you’ll need to install the following.

sudo apt update
sudo apt install -y network-manager-strongswan libcharon-extra-plugins

This will add the IKEv2 option to the Add VPN window under Network Settings.

Choose IKEv2 as the VPN type, then enter the following configurations. Besides all the normal stuff, just make sure “Require internal IP address” is checked. Without this option, the Ubuntu client will not be able to talk to the VPN server.

Figure 9. Ubuntu VPN Settings

Click Apply and you are ready to connect to the IKEv2 VPN server.

I hope you found this article a good complement to the original tutorial. I also hope this article helped you solve your connection issues.

I love solving problems. Almost everything I learned came from solving problems, whether it was in person or from someone else. Feel free to contact me and leave a comment if you have other questions.
