HOWTO pfSense IPsec VPN RADIUS TLS - mastahype/pfSense-tutorials GitHub Wiki


This how-to aims to create an IPSec VPN for iPhone/iMac/MacBook(Pro) based on TLS authentication with a RADIUS backend server

On the pfSense appliance

1. Certificate Manager

1. Internal Root CA

First of all, you need to create an Internal Root CA on your pfSense appliance.

  • To do it, go to System > Cert. Manager > CAs > Click on Add button
  • In Create / Edit CA section, fill the following fields:
    • Give a descriptive Name, for example My Own CA
    • Choose Create an Internal Certificate Authority method
  • In Internal Certificate Authority section, fill the following fields:
    • Select 4096 in the Key length (bits) field
    • In Digest Algorithm, choose sha512
    • Leave Lifetime (days) at its default value of 3650
    • Choose your Country Code, for example FR
    • Enter your State or Province, for example Occitanie
    • Enter your City, for example Toulouse
    • Enter your Organization name, for example Mon Entreprise
    • Specify your Organizational Unit, for example Network & Security Unit
    • Fill an email address, for example [email protected]
    • Finally, last but not least, fill in the Common Name, for example Mon Entreprise Root CA
  • Click on the Save button once all fields are filled in

2. Client/server certificates

  • Once the Internal Root CA is created, we need to create the following certificates:
1. IPSec Server certificate
  • To create an IPSec certificate, go to System > Cert. Manager > Certificates > Click on Add button
  • In Add/Sign a New Certificate section, fill the following fields:
    • Select Create an internal Certificate method
    • Give a Descriptive name like IPSec VPN Server
  • In Internal Certificate section, fill the following fields:
    • Select the internal root certificate authority created previously, for example My Own CA
    • Select 4096 in Key length field
    • Select sha512 in Digest Algorithm
    • Change the default value of Lifetime (days) field to 365 for example
      • As you can see, the Country code, State or Province, City, Organization and Email Address fields are automatically filled in. Don't modify them
    • Specify an Organization Unit if necessary, for example Network & Security Unit
    • Specify the Common Name, for example vpn.monentreprise.fr, or the public IP address of your pfSense appliance if you don't have an official FQDN.
      • Be careful: if you choose an FQDN, verify that its DNS resolution points to the public IP address of your pfSense appliance. An FQDN is recommended over an IP address
  • In Certificate Attributes section, fill the following fields:
    • Select Server Certificate type
    • In the Alternative Names field, you can specify an alternate name to reach your IPSec VPN; for example, in case of a DNS issue, you can specify your public IP address directly by selecting the IP address type and entering it in the Value field
    • By clicking on the Add button, you add another alternate name
    • It is recommended to add the value of the Common Name field in Alternative Names as well; for example, if you entered vpn.monentreprise.fr, select the FQDN or Hostname type and enter vpn.monentreprise.fr in the Value field
  • To validate, click on Save button
2. IPSec User certificate
  • To create an IPSec certificate, go to System > Cert. Manager > Certificates > Click on Add button
  • In Add/Sign a New Certificate section, fill the following fields:
    • Select Create an internal Certificate method
    • Give a descriptive name like IPSec VPN User
  • In Internal Certificate section, fill the following fields:
    • Select the internal root certificate authority created previously, for example My Own CA
    • Select 4096 in Key length field
    • Select sha512 in Digest Algorithm
    • Change the default value of Lifetime (days) field to 365 for example
      • As you can see, the Country code, State or Province, City, Organization and Email Address fields are automatically filled in. Don't modify them, except Email Address: change it to the email address of the user who will connect
    • Specify an Organization Unit if necessary, for example Network & Security Unit
    • Specify the Common Name, for example user1
  • In Certificate Attributes section, fill the following fields:
    • Select User Certificate type
    • In the Alternative Names field, choose the FQDN or Hostname type and enter the same value as the Common Name field
    • Add another alternate name: choose the email address type and enter the same value as the Email Address field of the Internal Certificate section
  • To validate, click on Save button
3. RADIUS Server certificate
  • To create the RADIUS server certificate, go to System > Cert. Manager > Certificates > Click on Add button
  • In Add/Sign a New Certificate section, fill the following fields:
    • Select Create an internal Certificate method
    • Give a descriptive name like RADIUS Server
  • In Internal Certificate section, fill the following fields:
    • Select the internal root certificate authority created previously, for example My Own CA
    • Select 4096 in Key length field
    • Select sha512 in Digest Algorithm
    • Change the default value of Lifetime (days) field to 365 for example
      • As you can see, the Country code, State or Province, City, Organization and Email Address fields are automatically filled in. Don't modify them, except Email Address: change it to the email address of the user who will connect
    • Specify an Organization Unit if necessary, for example Network & Security Unit
    • Specify the Common Name, for example radius.monentreprise.lan
  • In Certificate Attributes section, fill the following fields:
    • Select Server Certificate type
    • In Alternative Names field, select IP address and enter the IP address of RADIUS server in value field
    • Click on the Add button, select the FQDN or Hostname type and enter the same value as the Common Name field of the Internal Certificate section in the Value field
  • To validate, click on Save button

3. Export certificates

  • To configure communications between the pfSense appliance, the RADIUS server and the users, we need to export the following certificates:
    • Root CA: install it on all components
    • RADIUS server: install the private and public keys on the server
    • Client's certificate: for each client, install the private and public keys on each device used by the client
  • To export Root CA certificate, go to System > Cert. Manager > CAs
    • Identify the Root CA and click on Export CA. DO NOT EXPORT PRIVATE KEY
  • To export the RADIUS server and user certificates, go to System > Cert. Manager > Certificates
    • Identify the RADIUS server and user certificates and, for each, click on the Export Certificate and Export Key buttons
  • Save them on your administration station. You will have 5 files:
    • Root CA.pem
    • RADIUS server.pem
    • RADIUS server.key
    • User.pem
    • User.key

2. RADIUS Server

  • As we use RADIUS-based authentication, we have to define the RADIUS server in pfSense
  • To add a new RADIUS server, go to System > User Manager > Authentication Servers > Click on Add button
  • In Server Settings section, fill the following fields:
    • Give a Descriptive name like My RADIUS server
    • Select RADIUS type
  • In RADIUS Server Settings section, fill the following fields:
    • Select the MS-CHAPv2 protocol
    • Specify a Hostname or IP address, for example radius.monentreprise.lan
    • Enter a Shared Secret, for example s3cr3p@$$w0rd
    • Select Authentication and Accounting services offered by the RADIUS server
    • Specify 1812 as Authentication port
    • Specify 1813 as Accounting port
    • Leave Authentication Timeout at its default value of 5
  • To validate, click on Save button

3. VPN IPSec

1. Create IPSec VPN Phase 1

  • To create the IPSec VPN, go to VPN > IPsec > Click on Add P1 button
  • In General Information section, fill the following fields by these values:
    • Key Exchange version: IKEv2
    • Internet Protocol: IPv4
    • Interface: Select your Public interface, in common case select WAN
    • Description: Enter a descriptive name like VPN IPSec
  • In Phase 1 Proposal (Authentication) section, fill the following fields by these values:
    • Authentication Method: EAP-RADIUS
    • My identifier: My IP address
    • Peer identifier: Any
    • My Certificate: Select the IPSec VPN server certificate created previously, IPSec VPN Server
  • In Phase 1 Proposal (Encryption Algorithm), fill the following fields by these values:
    • Encryption Algorithm: AES256-GCM as Algorithm, 128 bits as Key length, SHA256 as Hash, 20 (nist ecp384) as DH Group
  • In Advanced Options section, fill the following fields by these values:
    • Disable rekey: Checked
    • Disable Reauth: Not checked
    • Responder Only: Not checked
    • MOBIKE: Enable
    • Split connections: Not checked
    • Dead Peer Detection: Checked
    • Delay: 10
    • Max failures: 5
  • To validate, click on Save button

2. Create IPSec VPN Phase 2

  • To add a phase 2 associated with the previous phase 1, go to VPN > IPsec > Tunnels > Click on Show Phase 2 Entries > Click on Add P2 button
  • In General Information section, fill the following fields by these values:
    • Disabled: Not checked
    • Mode: Tunnel IPv4
    • Local Network: Select Network as Type, 0.0.0.0 as Address and 0 as Netmask (0.0.0.0/0, so all client traffic is routed through the tunnel)
    • NAT/BINAT translation: None as Type
    • Description: Give a description of this Phase 2
  • In Phase 2 Proposal (SA/Key Exchange) section, fill the following fields by these values:
    • Protocol: ESP
    • Encryption Algorithms: Select only AES256-GCM 128 bits
    • Hash Algorithms: SHA256
    • PFS key group: 20 (nist ecp384)
    • Lifetime: 3600
  • To validate, click on Save

3. Configure Mobile Clients

  • To configure mobile clients, go to VPN > IPsec > Mobile Clients
  • In Enable IPsec Mobile Client Support section, fill the following fields by these values:
    • IKE Extensions: Checked
  • In Extended Authentication (Xauth) section, fill the following fields by these values:
    • User Authentication: Select the previously configured RADIUS server
    • Group Authentication: Select none
  • In Client Configuration (mode-cfg) section, fill the following fields by these values:
    • Virtual Address Pool: Checked
      • Define a new network configuration for Virtual Address Pool
    • Virtual IPv6 Address Pool: Not checked
    • Network List: Not checked
    • Save Xauth Password: Checked
    • DNS Default Domain: Checked
      • Enter a domain name for example monentreprise.lan
    • Split DNS: Not checked
    • DNS Servers: Checked
    • Server #1: Specify an internal DNS of your enterprise
      • If you need more than one server, fill the field named Server #. You can define up to 4 DNS servers
    • WINS Servers: Not checked
    • Phase2 PFS Group: Not checked
    • Login Banner: Checked
      • Enter a custom login message. For example, Welcome to Monentreprise Network
  • Click on Save button

4. Configure advanced settings

  • To configure advanced settings, go to VPN > IPsec > Advanced Settings
  • In IPsec Logging Controls section, I leave the default values
  • In Advanced IPsec Settings section, fill the following fields by these values:
    • Configure Unique IDs: Yes
    • IP Compression: Not checked
    • Strict interface binding: Checked
    • Unencrypted payloads in IKEv1 Main Mode: Not checked
    • Enable Maximum MSS: Checked
    • Maximum MSS: 1300
    • Enable Cisco Extensions: Checked
    • Strict CRL Checking: Checked
    • Make before Break: Not checked
    • Auto-exclude LAN address: Not checked
    • Asynchronous Cryptography: Checked
  • To validate, click on Save button

On the RADIUS Server

1. Install FreeRADIUS server

  • For my own RADIUS server, I install it on a CentOS 7 server. I install the OS in minimal mode during the installation wizard.
  • To install RADIUS package, enter this command:
    • yum install freeradius

2. Configure FreeRADIUS server

  • Once installed, it's time to configure it. First, add the following lines at the bottom of /etc/raddb/clients.conf:
client <IP Address of pfSense appliance> {
  ipaddr = <IP Address of pfSense appliance>
  secret = <The shared secret previously configured in pfSense appliance>
  shortname = pfsense
  nastype = other
}
  • Upload the RADIUS server private and public keys and the Root CA certificate to the /etc/raddb/certs folder on the RADIUS server.
  • Create a DH file using the following command:
    • openssl dhparam -out /etc/raddb/certs/dh 2048
  • Modify /etc/raddb/mods-available/eap:
eap {
  # ttls is offered first; an EAP-TLS client (the Apple profile below authenticates
  # with a certificate) NAKs it and FreeRADIUS falls back to the tls sub-section
  default_eap_type = ttls
  timer_expire = 60
  ignore_unknown_eap_types = no
  cisco_accounting_username_bug = no
  max_sessions = ${max_requests}
  tls-config tls-common {
    # RADIUS server key and certificate exported from pfSense (RADIUS server.key / .pem)
    private_key_file = ${certdir}/<RADIUS Server>.key
    certificate_file = ${certdir}/<RADIUS Server>.pem
    # Root CA exported from pfSense; client certificates are validated against it
    ca_file = ${cadir}/<Root CA>.pem
    dh_file = ${certdir}/dh
    random_file = /dev/urandom
    fragment_size = 1024
    include_length = yes
    check_crl = no
    ca_path = ${cadir}
    # Must match the Root CA subject exactly, in OpenSSL one-line form
    check_cert_issuer = "/C=<Your Country Code>/ST=<Your State or Province>/L=<Your City>/O=<Your enterprise>/emailAddress=<Your CA email>/CN=<Your Root CA Common Name>"
    # The client certificate CN must equal the EAP identity sent by the client
    check_cert_cn = %{User-Name}
    cipher_list = "DEFAULT"
    cipher_server_preference = no
    ecdh_curve = "prime256v1"
    cache {
      enable = no
      lifetime = 24
    }
  }
  tls {
    tls = tls-common
  }
  ttls {
    tls = tls-common
    default_eap_type = md5
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
    virtual_server = "inner-tunnel"
  }
}
  • Modify /etc/raddb/mods-config/files/authorize
# One entry per VPN user: the check items (matched against the request) are on the first
# line. Auth-Type is a control item, so it belongs there with the other check items.
<CN_OF_VPN_USER>  NAS-Port-Type == Virtual, Auth-Type := EAP
  • Modify /etc/raddb/sites-available/default
server default {
  listen {
    type = auth
    ipaddr = <IP ADDRESS OF RADIUS SERVER>
    port = 0
    limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
    }
  }
  listen {
    ipaddr = <IP ADDRESS OF RADIUS SERVER>
    port = 0
    type = acct
    limit {}
  }
  authorize {
    filter_username
    preprocess
    eap {
      ok = return
    }
    files
    expiration
    logintime
  }
  authenticate {
    eap
  }
  preacct {
    preprocess
    acct_unique
    files
  }
  accounting {
    detail
    exec
    attr_filter.accounting_response
  }
  session { }
  post-auth {
    update {
      &reply: += &session-state:
    }
    exec
    update reply {
      Reply-Message += "%{TLS-Cert-Serial}"
      Reply-Message += "%{TLS-Cert-Expiration}"
      Reply-Message += "%{TLS-Cert-Subject}"
      Reply-Message += "%{TLS-Cert-Issuer}"
      Reply-Message += "%{TLS-Cert-Common-Name}"
      Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
      Reply-Message += "%{TLS-Client-Cert-Serial}"
      Reply-Message += "%{TLS-Client-Cert-Expiration}"
      Reply-Message += "%{TLS-Client-Cert-Subject}"
      Reply-Message += "%{TLS-Client-Cert-Issuer}"
      Reply-Message += "%{TLS-Client-Cert-Common-Name}"
      Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
    }
    remove_reply_message_if_eap
    Post-Auth-Type REJECT {
      attr_filter.access_reject
      eap
      remove_reply_message_if_eap
    }
    Post-Auth-Type Challenge { }
  }
  pre-proxy { }
  post-proxy {
    eap
  }
}

On the iMac/MacBook

1. Create PFX file

  • It's necessary to protect the user's private key in a secure container.
  • To do so, use the openssl binary on the administration station to create this file.
  • Go to the folder where the private and public keys are saved and run the following command:
    • openssl pkcs12 -export -out <vpn_user_common_name>.pfx -inkey <vpn_user_private_key>.key -in <vpn_user_public_key>.pem -name "VPN User 1"
  • The OpenSSL binary asks you to enter a passphrase; enter it and remember it.
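The export step leaves you with five PEM/key files and this PFX command. The following shell script is an added example, not part of this how-to: it builds a throwaway root CA and user certificate with the same layout and SANs the pfSense export produces, then runs the checks worth doing before a user's key is packed into a PFX: that the key really belongs to the certificate, that the certificate chains to the exported Root CA, that the FQDN and email SANs are present, and it prints the exact issuer string to paste into check_cert_issuer in the eap module. The user user1, the CA subject, the passphrase and all file names are constructed for the demo; openssl on PATH is assumed.

```shell
#!/bin/sh
# Added example, not part of the how-to: sanity checks for the files exported from
# pfSense before they are packed into a PFX. Assumes openssl on PATH. The demo PKI,
# the user "user1", the CA subject and all file names are constructed for this script.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for the pfSense export: "Root CA.pem", "User.pem", "User.key",
# with the user certificate carrying the SANs the how-to asks for (CN as FQDN, plus email).
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/Root CA.pem" \
    -subj "/C=FR/ST=Occitanie/L=Toulouse/O=Mon Entreprise/emailAddress=ca@monentreprise.fr/CN=Mon Entreprise Root CA" \
    >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/User.key" -out "$WORK/user.csr" \
    -subj "/C=FR/O=Mon Entreprise/CN=user1/emailAddress=user1@monentreprise.fr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\nsubjectAltName=DNS:user1,email:user1@monentreprise.fr\n' \
    > "$WORK/user.ext"
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/Root CA.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/user.ext" -out "$WORK/User.pem" >/dev/null 2>&1
}

# verify_chain CERT CAFILE: succeeds only if CERT was issued under CAFILE.
verify_chain() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# key_matches_cert KEY CERT: succeeds only if the private key belongs to the certificate,
# which catches the classic mix-up of exporting one user's key with another user's cert.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_has_san CERT ENTRY: succeeds if the subjectAltName extension contains ENTRY,
# e.g. "email:user1@monentreprise.fr" or "DNS:user1".
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -q -- "$2"
}

# ca_issuer_string CAFILE: the CA subject in OpenSSL one-line form, which is the exact
# value FreeRADIUS compares against in check_cert_issuer (any deviation rejects every client).
ca_issuer_string() { openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'; }

# build_pfx KEY CERT CAFILE NAME OUT PASSPHRASE: the how-to's openssl pkcs12 step, run only
# after the checks above pass; the Root CA is bundled so the device receives the whole chain.
build_pfx() {
  key_matches_cert "$1" "$2" || { echo "private key does not match certificate" >&2; return 1; }
  verify_chain "$2" "$3" || { echo "certificate does not chain to the supplied Root CA" >&2; return 1; }
  cert_has_san "$2" "email:" || { echo "certificate has no email SAN" >&2; return 1; }
  openssl pkcs12 -export -out "$5" -inkey "$1" -in "$2" -certfile "$3" -name "$4" -passout "pass:$6" 2>/dev/null
}

# Stand-alone run (sh script.sh demo): build the demo PKI, print the check_cert_issuer
# value and produce user1.pfx in $WORK.
if [ "${1:-}" = "demo" ]; then
  make_demo_pki
  echo "check_cert_issuer = \"$(ca_issuer_string "$WORK/Root CA.pem")\""
  build_pfx "$WORK/User.key" "$WORK/User.pem" "$WORK/Root CA.pem" "VPN User 1" "$WORK/user1.pfx" "demo-passphrase"
  echo "wrote $WORK/user1.pfx"
fi
```

On real exports, point the functions at the files saved from pfSense instead of the demo PKI; the ca_issuer_string output is what goes between the quotes of check_cert_issuer, and build_pfx refuses to produce a PFX whose key and certificate do not belong together.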

2. Apple Configurator

It is necessary to install Apple Configurator on an Apple device (iMac/MacBook).

1. Install Apple Configurator

  • To install it, go to Mac App Store > Type Apple Configurator > Click on Get button > Click on Install App button

2. Create a profile

  • Create a new profile
  • In General section, fill the following fields:
    • Name: VPN IPsec
    • Identifier: VPNIPsecProfile
    • Organization: MonEntreprise
    • Description: VPN IPSec to MonEntreprise
    • Consent Message: Would you want to install VPNIPsecProfile profile on your Apple device
    • Security: Never
    • Automatically Remove Profile: Never
  • In Certificates section, fill the following field:
    • Click on + button to add root CA of your enterprise
    • Name it, for example MonEntrepriseRootCA
    • Click on + button again to add PFX file
    • Name it, for example MonCertificatVPN
    • In password field, enter the passphrase defined previously
  • In VPN section, fill the following field:
    • Name: MonVPNIPsec
    • Connection type: IKEv2
    • Server: Public IP Address or Public FQDN of pfSense Appliance
    • Remote identifier: Public IP Address or Public FQDN of pfSense Appliance
    • Local identifier: <COMMON_NAME_OF_VPN_USER_CERTIFICATE>
    • Machine Authentication: Certificate
    • Certificate type: RSA
    • Server Certificate Issuer Common Name: MonEntrepriseRootCA
    • Enable EAP: Checked
    • EAP Authentication: Certificate
    • Identity Certificate: Select VPN User's pfx file
    • Dead Peer Detection Rate: Medium
    • Disable Redirects: Not checked
    • Disable Mobility and Multihoming: Not checked
    • Use IPv4/IPv6 Internal Subnet Attributes: Checked
    • Enable Perfect Forward Secrecy: Checked
    • Enable Certificate Revocation Check: Checked
    • Click on IKE SA Params
      • Encryption Algorithm: AES-256-GCM
      • Integrity Algorithm: SHA2-384 (This will be disabled when you choose AES-256-GCM)
      • Diffie-Hellman Group: 20
      • Lifetime in Minutes: 480
      • Proxy Setup: None
    • Click on Child SA Params
      • Encryption Algorithm: AES-256-GCM
      • Integrity Algorithm: SHA2-256 (This will be disabled when you choose AES-256-GCM)
      • Diffie-Hellman Group: 20
      • Lifetime in Minutes: 60
      • Proxy Setup: None
  • Save the profile via File > Save
  • To add this profile on the iPhone/iPad, send this profile by e-mail
  • To add this profile on iMac/MacBook, double click on it.

Verifications / Troubleshooting

  • On the RADIUS server, it is very simple to verify the RADIUS service status with the following command:
    • systemctl status radiusd.service
● radiusd.service - FreeRADIUS high performance RADIUS server.
  Loaded: loaded (/usr/lib/systemd/system/radiusd.service; enabled; vendor preset: disabled)
  Active: active (running) since lun. 2018-05-21 08:22:59 UTC; 8min ago
  Process: 26029 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS)
  Process: 26025 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS)
  Process: 26023 ExecStartPre=/bin/chown -R radiusd.radiusd /var/run/radiusd (code=exited, status=0/SUCCESS)
  Main PID: 26033 (radiusd)
  CGroup: /system.slice/radiusd.service
           └─26033 /usr/sbin/radiusd -d /etc/raddb
mai 21 08:22:58 server.ibreizh.lan systemd[1]: Starting FreeRADIUS high performance RADIUS server....
mai 21 08:22:59 server.ibreizh.lan systemd[1]: Started FreeRADIUS high performance RADIUS server..
  • You can check that a client is connected to the VPN with this command:
    • tailf /var/log/radius/radius.log
Mon May 21 08:31:11 2018 : Auth: (24) Login OK: [<COMMON NAME OF VPN USER CERTIFICATE>/<via Auth-Type = eap>] (from client <shortname of pfSense appliance> port 11 cli <PUBLIC IP ADDRESS OF VPN USER>[4500]) Your password is correct - access granted
  • For more detail, use the following command:
    • tailf /var/log/radius/radacct/<IP ADDRESS OF PFSENSE APPLIANCE>/detail-20180521
Mon May 21 08:31:11 2018
  Acct-Status-Type = Start
  Acct-Session-Id = "1526331345-11"
  NAS-Port-Type = Virtual
  Service-Type = Framed-User
  NAS-Port = 11
  NAS-Port-Id = "con1"
  NAS-IP-Address = <PUBLIC IP ADDRESS OF PFSENSE APPLIANCE>
  Called-Station-Id = "<PUBLIC IP ADDRESS OF PFSENSE APPLIANCE>[4500]"
  Calling-Station-Id = "<PUBLIC IP ADDRESS OF VPN USER>[4500]"
  User-Name = "<COMMON NAME OF VPN USER CERTIFICATE>"
  Framed-IP-Address = <IP ADDRESS OF VPN USER IN VIRTUAL POOL>
  NAS-Identifier = "strongSwan"
  Event-Timestamp = "May 21 2018 08:31:11 UTC"
  Tmp-String-9 = "ai:"
  Acct-Unique-Session-Id = "bf27007d81162a0c013b43f31231e9a2"
  Timestamp = 1526891471
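The detail file above is the raw accounting record strongSwan sends for each tunnel, one blank-line-separated block per Start/Stop event. The script below is an added example, not part of this how-to: it parses a detail file of that format with awk, lists the sessions that are still open (no Stop record yet), and flags any user certificate that is active from more than one client address at once, which is the pattern to look at when a PFX has been copied to a second device. The sample records, user names and addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the how-to: read a FreeRADIUS accounting "detail" file in the
# format strongSwan produces, list open sessions, and flag user certificates that are
# active from more than one public address. Sample records are constructed.
set -e

# write_sample_detail OUT: constructed detail records (documentation address ranges).
write_sample_detail() {
  cat > "$1" <<'EOF'
Mon May 21 08:31:11 2018
  Acct-Status-Type = Start
  Acct-Session-Id = "1526331345-11"
  NAS-Port-Type = Virtual
  Calling-Station-Id = "203.0.113.10[4500]"
  User-Name = "user1"
  Framed-IP-Address = 10.10.10.1
  NAS-Identifier = "strongSwan"

Mon May 21 08:40:02 2018
  Acct-Status-Type = Start
  Acct-Session-Id = "1526331345-12"
  NAS-Port-Type = Virtual
  Calling-Station-Id = "198.51.100.20[4500]"
  User-Name = "user2"
  Framed-IP-Address = 10.10.10.2
  NAS-Identifier = "strongSwan"

Mon May 21 09:10:02 2018
  Acct-Status-Type = Stop
  Acct-Session-Id = "1526331345-12"
  User-Name = "user2"
  Acct-Session-Time = 1800
  Acct-Terminate-Cause = User-Request

Mon May 21 09:15:44 2018
  Acct-Status-Type = Start
  Acct-Session-Id = "1526331345-13"
  NAS-Port-Type = Virtual
  Calling-Station-Id = "198.51.100.7[4500]"
  User-Name = "user1"
  Framed-IP-Address = 10.10.10.3
  NAS-Identifier = "strongSwan"
EOF
}

# active_sessions FILE: print "User-Name Framed-IP-Address Calling-Station-Id" for each
# session whose most recent record is not a Stop, in order of first appearance.
active_sessions() {
  awk '
    BEGIN { RS = ""; FS = "\n" }          # one blank-line-separated record per event
    {
      split("", a)
      for (i = 1; i <= NF; i++) {
        line = $i; sub(/^[ \t]+/, "", line)
        p = index(line, " = "); if (p == 0) continue   # skips the timestamp header line
        key = substr(line, 1, p - 1); val = substr(line, p + 3); gsub(/"/, "", val)
        a[key] = val
      }
      sid = a["Acct-Session-Id"]
      if (!(sid in seen)) { seen[sid] = 1; order[++n] = sid }
      status[sid] = a["Acct-Status-Type"]
      if (status[sid] == "Start") {        # Stop records may omit these attributes
        user[sid] = a["User-Name"]; ip[sid] = a["Framed-IP-Address"]; src[sid] = a["Calling-Station-Id"]
      }
    }
    END {
      for (i = 1; i <= n; i++) { s = order[i]; if (status[s] != "Stop") print user[s], ip[s], src[s] }
    }' "$1"
}

# flag_shared_certs FILE: print "user count" for users with open sessions from more than one
# client address. A user certificate is bound to one person, so this is worth a look
# (a PFX installed on a second device, or a tunnel that never sent its Stop record).
flag_shared_certs() {
  active_sessions "$1" | awk '
    { sub(/\[[0-9]+\]$/, "", $3); if (!(($1, $3) in seen)) { seen[$1, $3] = 1; cnt[$1]++ } }
    END { for (u in cnt) if (cnt[u] > 1) print u, cnt[u] }'
}

# Stand-alone run: "sh script.sh demo" uses the constructed records, otherwise pass the
# path of a real detail file such as /var/log/radius/radacct/<pfSense IP>/detail-YYYYMMDD.
if [ -n "${1:-}" ]; then
  FILE="$1"
  if [ "$FILE" = "demo" ]; then FILE=$(mktemp); write_sample_detail "$FILE"; fi
  echo "== open sessions (user, virtual IP, client address) =="; active_sessions "$FILE"
  echo "== users active from more than one address =="; flag_shared_certs "$FILE"
fi
```

Because the parser keys on Acct-Session-Id, a Start followed later by a Stop for the same id drops out of the open list, while a user with two distinct open ids from different Calling-Station-Id values is reported with the count of addresses.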