Getting your Android KitKat device to work with pfSense IPsec VPN server is a finicky process and the settings on both sides need to be exact. Android only supports a small subset of common encryption schemes and this article will show you what settings to use.
pfSense IPSec settings
System -> User Manager -> Groups
Add a new group with the following template.
Group name: Mobile VPN
Description: IPSec VPN users
Assigned Privileges: User – VPN – IPsec xauth Dialin
System -> User Manager -> Users
Add a new user with the following template.
Username: <this will be this user’s VPN ID>
Password: <use a password generator>
Group memberships: Mobile VPN
IPSec Pre-Shared Key: <this will be the user’s VPN PSK>
Phase 1 Proposal (authentication)
Authentication method: Mutual PSK + Xauth
Negotiation mode: Aggressive
My identifier: Distinguished Name <not used>
Peer identifier: Distinguished Name <not used>
Pre-Shared Key: <not used, random data>
Policy Generation: Unique
Proposal Checking: Strict
Encryption algorithm: AES 128 bits
Hash algorithm: SHA1
DH key group: 2 (1024 bit)
Lifetime: 86400
Phase 2 Proposal (SA/Key exchange)
Mode: Tunnel IPv4
Local Network Type: Network
Local Network Address: 0.0.0.0/0
Local Network NAT Type: None
Protocol: ESP
Encryption Algorithms: AES 128 bits (uncheck all others)
Hash Algorithms: SHA1 (uncheck all others)
PFS key group: Off
Lifetime: 28800
Mobile Clients
IKE Extensions: <checked>
Virtual Address Pool: <checked, enter unused VPN network>
Pre-Shared Keys
This should be auto-populated from what we did earlier in the user settings page.
Android KitKat settings
Name: <whatever you want, it’s just a label>
Type: IPSec Xauth PSK
Server Address: <FQDN/IP of your server>
IPSec identifier: <username>
IPSec pre-shared key: <username’s pre-shared key>
Username: <username>
Password: <username’s password>