IPsec: Mobile Clients and Certificate Management¶
This page covers IPsec roadwarrior (mobile client) configuration and certificate authority management. For site-to-site IPsec and L2TP/IPsec basics, see VPN Quick Reference.
IPsec implementation¶
t1n1wall uses ipsec-tools (racoon + setkey) for all IPsec operations. StrongSwan was used in earlier releases but was removed in the FreeBSD 11 release. All deployments on current t1n1wall use ipsec-tools only.
Mobile clients (roadwarrior)¶
Mobile client configuration allows remote users to connect to the firewall using an IPsec client on their device. Unlike site-to-site IPsec (where both endpoints are fixed), mobile clients may connect from any IP address.
Web UI location¶
VPN > IPsec > Mobile clients
Only one mobile client configuration is supported per appliance.
Enable and NAT traversal¶
| Field | Notes |
|---|---|
| Enable mobile clients | Master toggle for roadwarrior support |
| NAT Traversal (NAT-T) | Encapsulates ESP in UDP port 4500 to pass through NAT devices between client and firewall |
NAT-T should be enabled unless you can guarantee all mobile clients have direct IP connectivity to the WAN address (no intervening NAT).
Dead Peer Detection (DPD)¶
| Field | Notes |
|---|---|
| DPD interval | Seconds between DPD keepalive checks; blank = DPD disabled |
DPD detects dead clients and cleans up stale SAs. Enable it to reclaim resources when mobile clients disconnect without proper termination.
Phase 1 (IKE / authentication exchange)¶
| Field | Options | Notes |
|---|---|---|
| Negotiation mode | Main, Aggressive | Aggressive is faster but exposes the identity; Main is more secure |
| My identifier | Address, FQDN, user@FQDN, ASN.1 DN, auto | How this firewall identifies itself to clients |
| Encryption algorithm | 3DES, Blowfish, CAST128, Rijndael | Must match client configuration |
| Hash algorithm | SHA1, MD5 | Must match client |
| DH key group | 1 (768-bit), 2 (1024-bit), 5 (1536-bit), and higher | Higher groups are more secure but slower |
| Lifetime | Seconds | How long before Phase 1 must renegotiate |
| Authentication method | Pre-shared key, RSA signature | PSK is simpler; RSA requires certificates |
Algorithm notes: - 3DES — broadest client compatibility - Blowfish — fastest in software when AES-NI is not used - AES-NI acceleration is built into the kernel since FreeBSD 12
Phase 2 (IPsec SA / data encryption)¶
| Field | Options | Notes |
|---|---|---|
| Protocol | ESP, AH | ESP encrypts payload; AH authenticates only (no encryption) |
| Encryption algorithms | 3DES, Blowfish, CAST128, Rijndael | Select all that the client may propose |
| Hash algorithms | HMAC-SHA1, HMAC-MD5 | Select supported options |
| PFS key group | Disabled, or 1–5+ | Perfect Forward Secrecy; each Phase 2 uses independent keying |
| Lifetime | Seconds | Phase 2 renegotiation interval |
RSA certificate configuration¶
When using RSA signature authentication:
- Upload a PEM-format X.509 certificate and matching RSA private key for the firewall
- The CA that signed the firewall certificate (and the client certificate) must be added to the CA list (see Certificate Authorities below)
- Clients present their own certificates, which are validated against the stored CAs
Certificate Authorities¶
Web UI location¶
VPN > IPsec > CA
The CA list stores trusted Certificate Authority certificates and Certificate Revocation Lists (CRLs) used to validate peer certificates in IPsec connections.
Adding a CA¶
Each entry requires:
| Field | Notes |
|---|---|
| Identifier | Human-readable name for this CA |
| CA certificate | PEM-format X.509 CA certificate |
| CRL | Optional: PEM-format Certificate Revocation List for this CA |
Usage¶
- For RSA-signature-authenticated IPsec (both site-to-site and mobile clients), the CA that signed the peer's certificate must be present here
- A CRL can be uploaded alongside the CA certificate to revoke specific client certificates without removing the CA entirely
- CA entries cannot be deleted while referenced by active IPsec tunnel configurations
Pre-shared keys¶
VPN > IPsec > Pre-shared keys
For PSK-authenticated mobile clients, pre-shared keys are managed separately. Each entry maps an identifier (FQDN or IP) to a shared secret.
Firewall rules for mobile clients¶
Mobile client IPsec connections arrive on the WAN interface. Required firewall rules:
- UDP 500 (IKE) —
WAN → firewall— permit IKE negotiation - UDP 4500 (NAT-T) —
WAN → firewall— permit if NAT-T is enabled - ESP (protocol 50) —
WAN → firewall— permit ESP data plane (if NAT-T is not used)
After the tunnel establishes, mobile client traffic appears from the assigned client address pool. Create firewall rules on the relevant interface to control what mobile clients can reach.