Skip to content

IPsec: Mobile Clients and Certificate Management

This page covers IPsec roadwarrior (mobile client) configuration and certificate authority management. For site-to-site IPsec and L2TP/IPsec basics, see VPN Quick Reference.

IPsec implementation

t1n1wall uses ipsec-tools (racoon + setkey) for all IPsec operations. StrongSwan was used in earlier releases but was removed in the FreeBSD 11 release. All deployments on current t1n1wall use ipsec-tools only.


Mobile clients (roadwarrior)

Mobile client configuration allows remote users to connect to the firewall using an IPsec client on their device. Unlike site-to-site IPsec (where both endpoints are fixed), mobile clients may connect from any IP address.

Web UI location

VPN > IPsec > Mobile clients

Only one mobile client configuration is supported per appliance.

Enable and NAT traversal

Field Notes
Enable mobile clients Master toggle for roadwarrior support
NAT Traversal (NAT-T) Encapsulates ESP in UDP port 4500 to pass through NAT devices between client and firewall

NAT-T should be enabled unless you can guarantee all mobile clients have direct IP connectivity to the WAN address (no intervening NAT).

Dead Peer Detection (DPD)

Field Notes
DPD interval Seconds between DPD keepalive checks; blank = DPD disabled

DPD detects dead clients and cleans up stale SAs. Enable it to reclaim resources when mobile clients disconnect without proper termination.

Phase 1 (IKE / authentication exchange)

Field Options Notes
Negotiation mode Main, Aggressive Aggressive is faster but exposes the identity; Main is more secure
My identifier Address, FQDN, user@FQDN, ASN.1 DN, auto How this firewall identifies itself to clients
Encryption algorithm 3DES, Blowfish, CAST128, Rijndael Must match client configuration
Hash algorithm SHA1, MD5 Must match client
DH key group 1 (768-bit), 2 (1024-bit), 5 (1536-bit), and higher Higher groups are more secure but slower
Lifetime Seconds How long before Phase 1 must renegotiate
Authentication method Pre-shared key, RSA signature PSK is simpler; RSA requires certificates

Algorithm notes: - 3DES — broadest client compatibility - Blowfish — fastest in software when AES-NI is not used - AES-NI acceleration is built into the kernel since FreeBSD 12

Phase 2 (IPsec SA / data encryption)

Field Options Notes
Protocol ESP, AH ESP encrypts payload; AH authenticates only (no encryption)
Encryption algorithms 3DES, Blowfish, CAST128, Rijndael Select all that the client may propose
Hash algorithms HMAC-SHA1, HMAC-MD5 Select supported options
PFS key group Disabled, or 1–5+ Perfect Forward Secrecy; each Phase 2 uses independent keying
Lifetime Seconds Phase 2 renegotiation interval

RSA certificate configuration

When using RSA signature authentication:

  • Upload a PEM-format X.509 certificate and matching RSA private key for the firewall
  • The CA that signed the firewall certificate (and the client certificate) must be added to the CA list (see Certificate Authorities below)
  • Clients present their own certificates, which are validated against the stored CAs

Certificate Authorities

Web UI location

VPN > IPsec > CA

The CA list stores trusted Certificate Authority certificates and Certificate Revocation Lists (CRLs) used to validate peer certificates in IPsec connections.

Adding a CA

Each entry requires:

Field Notes
Identifier Human-readable name for this CA
CA certificate PEM-format X.509 CA certificate
CRL Optional: PEM-format Certificate Revocation List for this CA

Usage

  • For RSA-signature-authenticated IPsec (both site-to-site and mobile clients), the CA that signed the peer's certificate must be present here
  • A CRL can be uploaded alongside the CA certificate to revoke specific client certificates without removing the CA entirely
  • CA entries cannot be deleted while referenced by active IPsec tunnel configurations

Pre-shared keys

VPN > IPsec > Pre-shared keys

For PSK-authenticated mobile clients, pre-shared keys are managed separately. Each entry maps an identifier (FQDN or IP) to a shared secret.


Firewall rules for mobile clients

Mobile client IPsec connections arrive on the WAN interface. Required firewall rules:

  • UDP 500 (IKE)WAN → firewall — permit IKE negotiation
  • UDP 4500 (NAT-T)WAN → firewall — permit if NAT-T is enabled
  • ESP (protocol 50)WAN → firewall — permit ESP data plane (if NAT-T is not used)

After the tunnel establishes, mobile client traffic appears from the assigned client address pool. Create firewall rules on the relevant interface to control what mobile clients can reach.