IPsec for road warriors in PfSense 2.0.1 with PSK

This article describes how to set up IPsec tunneling in PfSense 2.0.1 with a pre-shared key instead of xauth, and how to configure the Shrew Soft VPN Client to connect to it. The client is available for free for Windows, Linux and BSD at shrew.net.

For information on using xauth and connecting mobile devices like Android phones or iPhones, go here: Mobile_IPsec_on_2.0

Note: in this article I advise using SHA1 and 3DES. I would now recommend using SHA256 and AES256.

Before we start:

  • Make sure your lan is using your PfSense router as its default gateway and that it’s working.
  • Make sure your client has a functioning internet connection.

If either condition is not met your tunnel will not work. In this howto I’ll describe how to get IPsec tunneling working. IPsec, tunneling and VPN mean the same in this article.

A lot of information in this howto I gained in the PfSense forum. Thanks to the folks on the forum for providing the information.

On your pfSense router

Begin by enabling IPsec.

Go to VPN > IPsec, tick Enable IPsec and click Save.

Now, create a phase 1 entry.

Do not click the [+]-button to create a phase 1 entry. If you do, you will not go to the page you need to create a phase 1 for mobile clients, but will find a page to create a phase 1 for lan-to-lan tunneling instead.

Just go to the Mobile clients tab.

You will get a warning saying Support for IPsec Mobile clients is enabled but a Phase1 definition was not found. Please click Create to define one.

Click the Create Phase1 button.

You’ll be taken to the appropriate page to create a Phase 1 for mobile clients.

On the VPN: IPsec: Edit Phase 1: Mobile Client page, enter the following values:

  • Disabled: not checked
  • Interface: WAN
  • Description: Mobile Clients (this can be anything; name it something appropriate)
  • Authentication method: Mutual PSK
  • Negotiation mode: aggressive
  • My identifier: My IP address
  • Policy Generation: Unique (might prevent traffic to the lan if set to something else)
  • Proposal Checking: Strict
  • Encryption algorithm: AES, 256 bits (choose any, just keep it identical on router and client)
  • Hash algorithm: SHA1
  • DH key group: 2
  • Lifetime: 3600
  • NAT Traversal: Force (might prevent traffic to the lan if set to something else)
  • Dead Peer Detection: not checked


Click Save.

You will get a warning The IPsec tunnel configuration has been changed. You must apply the changes in order for them to take effect.

Click Apply changes.

You may ignore the “The changes have been applied successfully.” notice. The neurotics among us may click the Close button, but that’s optional.

With phase 1 created, we can create a phase 2.

Click the [+]-button to list the Phase 2 entries under the newly created Phase 1.

Surprise! There aren’t any. Let’s create one by clicking the [+]-button.

This will open the VPN: IPsec: Edit Phase 2: Mobile Client page.

On the VPN: IPsec: Edit Phase 2: Mobile Client page, enter these values:

  • Disabled: not checked
  • Mode: Tunnel
  • Local Network: LAN subnet
  • Description: Phase 2 for road warriors (enter something appropriate)
  • Protocol: ESP
  • Encryption algorithms: select only 3DES (the best is chosen at handshake time; others will probably work too; 3DES works for me because I have a mobile application that will work only with this)
  • Hash algorithms: select SHA1 and MD5
  • PFS key group: you can’t change that here
  • Lifetime: 3600
  • Automatically ping host: leave empty

Click Save.

Don’t forget to click the Apply changes button.

Tell the client about available services. The more you enter here, the less your clients have to enter manually.

On the VPN: IPsec page, go to the Mobile clients tab and enter the following values.

  • IKE Extensions: checked
  • User Authentication: system
  • Group Authentication: system
  • Virtual Address Pool: checked, network 192.168.79.0/24 (enter a network here that is not in use in your lan and preferably not in your clients’ lan either; it can be any subnet, just don’t pick a much-used one, e.g. don’t use 192.168.0.0/24 or 192.168.1.0/24, as it will confuse the clients)
  • Network List: checked
  • Save Xauth Password: unchecked (I don’t use Xauth; if you do, perhaps you want to check this)
  • DNS Default Domain: check if your clients connect to your Active Directory (optional, but if you have a domain (I use it for Active Directory) your clients will be able to resolve your servers faster)
  • DNS Servers: check if your clients connect to your Active Directory (if you have an Active Directory, enter its DNS servers here; if it’s a home network, why not use OpenDNS here?)
  • WINS Servers: check if you run WINS (superfluous if you also provide DNS, but I’m not here to judge)
  • Phase2 PFS Group: checked, group 2 (you should probably enter the PFS group you entered in phase 1)
  • Login Banner: optional (client software which honours the login banner will present this text to the user upon login; you may need to enter some legal information or so, or a limerick)

When you’re done, click the Save button. Don’t forget to click Apply changes after the page is saved.

We’re almost done here. We need to create user accounts so someone can actually use the tunnel.

On the VPN: IPsec page, go to the Pre-shared keys tab. (My screenshots may look a bit different from yours because I have in-use keys edited out here.)

There are different ways to set up pre-shared keys for users. You can also do it under System > User Manager; however, you get a lot more options there, and those are beyond our current scope.

Click the [+]-button to create a new account.

For identifiers I tend to use e-mail addresses as they are more unique than first or last names. Use anything you like, just as long as it is unique to the person using the account. I’d go with e-mail addresses. They don’t really need to exist; it’s just for identification.

Get your pre-shared keys here: https://www.grc.com/passwords.htm. Use the string in the middle: 63 random printable ASCII characters.

CAUTION: if you triple-click in the box with the ASCII chars, all characters PLUS ONE EXTRA LINE BREAK are selected and you’ll spend a long time wondering why the IPsec tunnel won’t come up. So check if you really copied just the characters.
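As an added example (not part of the original article), a small Python helper that generates a 63-character printable-ASCII key locally and checks a pasted key for the trailing line break described above; the 20-character minimum is my own assumption, not a pfSense limit.

```python
import math
import secrets
import string

# Printable ASCII without the space character: the same kind of 63-character
# "random printable ASCII" string the howto takes from grc.com.
PSK_ALPHABET = string.digits + string.ascii_letters + string.punctuation
PSK_LENGTH = 63
MIN_LENGTH = 20  # assumption for this example, not a pfSense limit


def generate_psk(length=PSK_LENGTH):
    """Generate a pre-shared key locally with a CSPRNG instead of fetching one over the web."""
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def entropy_bits(length=PSK_LENGTH):
    """Guessing effort of a key of this length drawn from PSK_ALPHABET (63 chars ~ 413 bits)."""
    return length * math.log2(len(PSK_ALPHABET))


def check_psk(raw):
    """Return a list of problems with a key exactly as it was pasted into
    pfSense or the Shrew Soft client. An empty list means it is safe to use.

    With aggressive mode and Mutual PSK, anyone who captures the phase 1
    exchange can test key guesses offline, so the key's length and
    randomness are what protect the tunnel; a short or guessable key is weak."""
    problems = []
    if raw.endswith(("\n", "\r")):
        # The triple-click pitfall: the key plus one extra line break.
        problems.append("trailing line break (the triple-click pitfall)")
    key = raw.rstrip("\r\n")
    if key != key.strip():
        problems.append("leading or trailing whitespace")
    key = key.strip()
    bad = sorted(set(c for c in key if c not in PSK_ALPHABET))
    if bad:
        problems.append("characters outside the key alphabet: %r" % bad)
    if len(key) < MIN_LENGTH:
        problems.append("key shorter than %d characters" % MIN_LENGTH)
    return problems


if __name__ == "__main__":
    key = generate_psk()
    print(key, check_psk(key), round(entropy_bits()))
```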

Press Save, wait for the page to load, note that your account is now in the list and press Apply changes.

Congratulations, you’re done configuring your router. In the olden days you needed to configure your firewall to allow IPsec tunneling. In version 2.0.1 that’s no longer necessary.

The client

This part is done on the user’s computer. My screenshots were taken in Windows but Shrew Soft VPN is available for Linux and BSD (so probably Mac) too.

Download and install Shrew Soft VPN. I’m using version 2.2.0-beta-2. In my experience it’s as stable as the stable releases.

Once you’re done, open ipseca.exe. You will be presented with a VPN Access Manager window. (My screenshot capturing program is a bit weird about its window style so the Window title bar is missing in the screenshots.)

Press the big round Add button to set up a tunnel configuration.

On the General tab, enter your PfSense router’s IP address or host name. Leave the rest as it is. I don’t know whether the default values in newer versions of the Shrew Soft VPN client will be different, so in case of doubt, stick to the screenshots.

On the Client tab, set NAT Traversal to force-rfc and uncheck ‘Enable Dead Peer Detection’. If you get these settings wrong you may end up with an established tunnel that doesn’t let any traffic through. This was different with earlier versions of PfSense so if you’ve upgraded, pay attention to this.

Don’t change anything on the Name Resolution tab; these settings are all automatically set by PfSense. You could enter relevant information here but if you followed the router part of this howto, you don’t need to.

Go to the Authentication tab. Set Authentication Method to Mutual PSK. Under Local Identity, choose Key Identifier as the Identification Type and enter the user’s e-mail address (or whatever you used as identifiers) in the Key ID String field.

Under Remote Identity, set Identification Type to IP Address and check Use a discovered remote host address.

Finally, under Credentials, enter the Pre Shared Key associated with the e-mail address.

Now scroll over to the Phase 1 tab. Set the Cipher Algorithm to aes (or whatever you entered on the Phase 1 page in PfSense), the Cipher Key Length to 256 (or whatever you chose there) and the Hash Algorithm to sha1. Set the Key Life Time limit to 3600.

On the Phase 2 tab, set Transform Algorithm to esp-3des, HMAC Algorithm to sha1 and PFS Exchange to group 2.

Nearly there! Go to the Policy tab and set Policy Generation Level to unique.

Click Save and give the newly created configuration an appropriate name.

Double-click the configuration and the tunnel window will pop up. Click Connect to start the tunnel.

Click Disconnect to… disconnect the tunnel.

That’s it! You now have a working IPsec tunneling system.


Client tweaks

Personally I like to tweak it a little bit so the windows hide themselves nicely in the system tray. This is optional but I find it improves the user experience.

In the VPN Access Manager, go to File > Preferences.

For Access Manager and VPN Connect, set Windows Style to Visible in System Tray only and check Remember when connection succeeds. No need to remember the user name since we’re not using user names but pre-shared keys.

You can create a shortcut directly to the tunnel: create a shortcut to ipsecc.exe (in c:\program files etc.). Right-click the shortcut and choose Properties. In the Target field, add -a -r “MyTunnel”. -a means: start automatically; this starts the connection without the user having to press the Connect button. -r specifies the tunnel name. If you named your tunnel “Work”, write “Work” instead of “MyTunnel”.

Now if you double-click the shortcut, your tunnel is started automatically.

Backup your tunnel profile by selecting it in the VPN Access Manager and going to File > Export. Restoring works by choosing Import.

Troubleshooting

I’ve been using PfSense in combination with Shrew Soft VPN for a long time and in my experience it is a very stable combination. However things can always go wrong. If it doesn’t work, here are some hints to help you troubleshoot.

  • Check the router and the client settings.
  • Check the router and the client settings again.
  • In PfSense, go to Status > System Logs and there to the IPsec tab. Hit the Clear log button, have the client try and start the connection and click the IPsec tab again to refresh the page. This is usually very inspiring.
  • In PfSense, go to Status > Services and reset the racoon service. This sometimes helps.
  • Reboot the client machine.
  • Reboot the PfSense machine. Should not be necessary but you never know.
  • Use a simple pre-shared key so you can be certain you didn’t make a mistake there. When done troubleshooting, use the hard key again!
  • If a user calls you and says Shrew Soft VPN wants to know his user name and password, it’s almost always because the user has either no internet connection or no dns service. Or they are on a guest network and need to open their browser for identification or something.
  • Roy Blüthgen wrote in to say: I am running a pfSense 2.0.2 installation and followed your guide to set up IPsec server/client. Afterwards when testing I was running into this issue: http://redmine.pfsense.org/issues/1351. I tried the pfSense config suggested in note 30 (by Jim) and that fixed my problem: System >> Advanced >> Miscellaneous >> IP Security: disable/uncheck “Prefer older IPsec SAs” (added this info as note 35 for issue 1351)
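An added example, not part of the original howto: a Python triage pass over IPsec log lines of the kind the Status > System Logs > IPsec tab shows, mapping common racoon messages to the setting in this howto to re-check. The sample lines are constructed (documentation addresses) and the patterns are modelled on racoon's wording, so treat the hints as starting points rather than a diagnosis.

```python
import re

# Constructed sample lines modelled on racoon's IPsec log output; the
# addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jan 10 12:00:01 racoon: INFO: respond new phase 1 negotiation: 198.51.100.1[500]<=>203.0.113.5[500]
Jan 10 12:00:01 racoon: INFO: begin Aggressive mode.
Jan 10 12:00:01 racoon: ERROR: couldn't find the pskey for 203.0.113.5.
Jan 10 12:00:01 racoon: ERROR: failed to process packet.
Jan 10 12:00:01 racoon: ERROR: phase1 negotiation failed.
Jan 10 12:05:02 racoon: INFO: ISAKMP-SA established 198.51.100.1[4500]-203.0.113.5[4500] spi:0123456789abcdef:fedcba9876543210
Jan 10 12:05:02 racoon: ERROR: no suitable proposal found.
Jan 10 12:05:02 racoon: ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
"""

# Each rule maps a racoon symptom to the part of this howto to re-check.
# First match wins, so put the most specific patterns first.
RULES = [
    (r"couldn't find the pskey",
     "no pre-shared key for this identifier: compare the Pre-shared keys tab with the client's Key ID String"),
    (r"HASH mismatched",
     "pre-shared key differs between router and client (look for a copied line break)"),
    (r"invalid DH group",
     "DH key group on the client differs from group 2 in phase 1"),
    (r"no suitable proposal found|failed to get valid proposal",
     "phase 1 or phase 2 algorithms differ between router and client"),
    (r"failed to pre-process ph2 packet",
     "phase 2 mismatch: compare esp-3des/sha1 and PFS group 2 on both sides"),
    (r"phase1 negotiation failed due to time up|the packet is retransmitted",
     "no usable reply from the peer: check connectivity, NAT Traversal (Force / force-rfc) and UDP 500/4500"),
    (r"ISAKMP-SA established", "phase 1 OK"),
    (r"IPsec-SA established", "phase 2 OK, the tunnel is up"),
]


def triage(log_text):
    """Return (line_number, hint) pairs for every line matching a known symptom."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        for pattern, hint in RULES:
            if re.search(pattern, line):
                hits.append((number, hint))
                break
    return hits


if __name__ == "__main__":
    for number, hint in triage(SAMPLE_LOG):
        print("line %d: %s" % (number, hint))
```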


This article is also published on http://doc.pfsense.org/index.php/IPsec_for_road_warriors_in_PfSense_2.0.1_with_PSK_in_stead_of_xauth.


Basalt words (basaltwoorden)

A basalt word is a word that is internally contradictory. The name is taken from the word basalt: bas-alt (bass-alto). Examples of basalt words are volledig, vuurwater and staren.

In Opperlandse taal- & letterkunde there is a list that, according to the author, is complete. Nevertheless, it is not. The following words are not on Battus’s list:

  1. koperdief (@Vorkbaard)
  2. tweeën (@Vorkbaard)
  3. drieën (@Vorkbaard)
  4. dimlicht, poepies, wortelloof (Eric via @esssie31)
  5. tweederde (@Abeljasses)
  6. leerstof (@Vorkbaard)
  7. bekerglas (@esssie31)
  8. motorfiets (@Tikkeltjes)
  9. vliegenval (Eric via @esssie31)
  10. kruisboog (@esssie31)
  11. evenlang (@mhazelaar)
  12. loopfiets (@Abeljasses)
  13. relatie (Eric via @esssie31)
  14. hopsake (@McSchee) (hop but also sake)
  15. vraagstelling, voorpost, bovenlaag (@twoerd)
  16. huurkoop (@prei_pot)
  17. traplift, eentweetje (@T_Fitzright)
  18. zitstand (@keesvanvuuren)
  19. ligstand (@PuurAva)
  20. Antieknieuws (which is what @newslock_antiek brings)
  21. lachtraan (@esssie31)
  22. rechthoek (@Henk_de_Groot)
  23. stalig (@bami)
  24. waterkant, waterstof (@Wouter1898)
  25. waterlander (waterland was already on the original list, but waterlander naturally surpasses it) (the rather brilliant @Rovalo57)
  26. live-opname (H. Verstappen in the comments)
  27. startklaar, startend (@plagvreugd)
  28. eikels (@mhazelaar)
  29. Burger King (@Vorkbaard)
  30. Valkuil (@pluisbaard)

For reference, here is the list of basalt words from Ot&l.

aankomstvertrek
aapmens
achterstevoren
afstijg
alleen
alsdan
androgyn
Anita
Anna
atoomsplitsing
autobus
balzak
basalt
bergdal
binnenstebuiten
bitterzoet
bitterzout
bolknak
bolster
bolvlak
boosaardig
broekrok
bijzonder
doodlopend
droefgeestig
duffel
eenieder
eenzaam
elkeen
flauwhartig
flauwzoet
gasolie
gaswater
gemeengoed
gemeenschappelijk
geneeslijk
geniepig (English)
Gentbrugge
gezeik (three parts)
gistermorgen
glaswol
grondlucht
grondwater
herder
hetze
hetzij
hierheen
hoezo
hollebolle Gijs
hómaren
hondmens
horen
iedereen
inex (xr)
inuit (eij)
jeu
kalief
keileem
klapzoen
knielende
knoeigoed
Komrij
kortom
Kousbroek
kruiphol
kruispunt
kruizemunt
kuilbult
kussenslopen
kwaadaardig
lafhartig
Landsmeer
leedvermaak
loofden
lorrengoed
losvast
maanaarde
manwijf
Meander
meermin
meesterknecht
menu
middernachtzon
moedermaagd
monopoly
morgenmiddag
morgenavond
niet-dodelijk
nogal
onderop
ondersteboven
opengesloten
opvallend
oudheden
paardmens
pianoforte
plasdrank
plusminus
polymeer
Potgieter
prullengoed
rampzaligheid
rechtgebogen
reuma
reut (musical)
reuze
reuzendwergen
reuzeklein
schemerdonker
slangenmens
snoepgoed
snorkelen
staakactie
stabal
staren
stilleven
stopgaren (three parts)
stukgoed
sukkeldraf
terugweg
toendra
topdiepte
trekstoot
vakantiewerk
verdichter
vertegenwoordig
volledig
volop
vuilaardig
vuurwater
waarschijnlijk (three parts)
waterbrood
watergas
waterijs
Waterland
welnee
werklui
werkstaking
wezenlijk
wolfram
wreedaardig
wijze
IJsbrand
ijswater
ijzerhout
Zeeland
zeemeermin (three opposites)
zoetzuur
zuurzoet
zwartwitfoto

Noun-verbs (zelfstandig naamwerkwoorden)

With the word dameshakken I always picture bloody scenes, and vuilnisbakken makes me think of the preparation of an unappetising meal. Rembo&Rembo were already talking about koffiekoppen years ago. It seems to me there must be many more plurals of nouns that can also be read as verbs. Like ‘zakkammen’.

@ExciteMant brings in the word ‘lantaarnpalen’, prompted by a fetish discussion group.

Also from the brain of @ExciteMant come ‘kussenslopen’ and ‘negerzoenen’. Furthermore, @Stefanoekeltje mentions ‘geilbakken’ and ‘werklozen’.

Wouter Scherphof reports that the Rubenslaan in Utrecht is a singular noun-verb. He also comes up with a sizeable row of noun-verbs. I present you the funniest:

  • varkensblazen
  • kussenslopen (counts double, which is why it is in this list as well, after @ExciteMant)
  • gemeenteraden
  • oorbellen
  • Antillen
  • eilanden
  • Bolknakken
  • oordelen
  • broekzakken
  • lastpakken
  • hofnarren

M/E, Koevsjinka contributes the noun-verb ‘vliegenzammen’.

Creating an anonymous share in Windows Server 2008 R2

In Windows Server 2008 R2 you cannot easily make a share public, i.e. accessible to everyone without having to enter a password. It can be done in the following way.

  1. Enable the Guest account. This can be a security issue.
  2. Open the Local Group Policy Editor: gpedit.msc
  3. Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options and, in the right-hand pane, double-click the policy Network access: Shares that can be accessed anonymously.
  4. Add the name of the share you want to make anonymously accessible. If your share is called WSUS, enter: WSUS. So not \\server01\myshare but only the name of the share.
  5. Give the local group GUESTS at least read permissions at both the share and the NTFS level.
  6. Note: if you try to reach the share from a remote computer on which you are logged in with a user account that also exists locally on the server (e.g. Administrator), the server will prompt for that account’s credentials. The workaround is to give the local account a different name; for example, rename the local Administrator account on the server to ServerAdmin or similar.
