Cisco Compatible IPsec VPN

Since some form of IPsec IKEv1 client is available first party on most devices, and the client-side setup is relatively simple, this makes a useful VPN.

Go to VPN > IPsec and switch to the Mobile Clients tab.

  • Check Enable IPsec Mobile Client Support.
  • Check Virtual Address Pool and enter a subnet that does not overlap with any of the used subnets.
  • Check the DNS Servers option and enter DNS servers to provide to the clients.

Upon saving this tab you will be prompted to Create Phase 1, accept this. In the phase 1 settings:

  • Set Key Exchange version to "IKEv1"
  • Set Authentication method to "Mutual PSK + Xauth"
  • Set Negotiation mode to "aggressive"
  • Set My identifier to "My IP address"
  • Set Peer identifier to "User Distinguished Name" and enter a value in email address format
  • For the Pre-Shared Key use the Generate new Pre-Shared Key button to create a secure key.
  • Set the Encryption Algorithm to "AES" with "128 bits", the Hash Algorithm to "SHA1", and the DH Group to 2
  • Set Lifetime to 86400
  • Set NAT Traversal to "Force"

After saving this, create a Phase 2.

  • Set Mode to "Tunnel"
  • Set Local Network to "Network" and "0.0.0.0/0"
  • Set Protocol to "ESP"
  • Set Encryption Algorithms to "AES" and "Auto"
  • Set Hash Algorithms to "SHA1"
  • Set PFS key group to "off"

Once this is saved, go to Firewall > Rules; there should be a tab for IPsec. Create a rule on that tab to allow all traffic through.
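The mobile client pool, phase 1 and phase 2 settings above, written out as a strongSwan swanctl.conf so the individual parameter choices are visible in one place. This is an added example and is not a file generated by or taken from the firewall GUI described here; the connection and pool names, pool subnet, DNS server, PSK and XAuth user are placeholders.

```conf
# Added example: swanctl.conf equivalent of the GUI settings above.
# Names (mobile-ikev1, mobile-pool), the pool subnet, the DNS server, the
# PSK and the XAuth user are placeholders; substitute your own values.
connections {
    mobile-ikev1 {
        version = 1                        # Key Exchange version: IKEv1
        aggressive = yes                   # Negotiation mode: aggressive (needed by these clients)
        proposals = aes128-sha1-modp1024   # AES 128 bits, SHA1, DH Group 2
        rekey_time = 86400s                # Phase 1 Lifetime: 86400
        encap = yes                        # NAT Traversal: Force (always UDP 4500)
        pools = mobile-pool                # Virtual Address Pool handed to clients
        local {
            auth = psk                     # Mutual PSK ...
            # My identifier "My IP address": no id set, so the local address is used
        }
        remote {
            auth = psk
            id = %any                      # clients send their own user-DN (email style) id
        }
        remote-xauth {
            auth = xauth                   # ... + Xauth (username/password round)
        }
        children {
            mobile {
                mode = tunnel                              # Phase 2 Mode: Tunnel
                local_ts = 0.0.0.0/0                       # Local Network: 0.0.0.0/0
                esp_proposals = aes128-sha1,aes256-sha1    # ESP, AES ("Auto" key length), SHA1
                # no DH group in esp_proposals => PFS key group "off"
            }
        }
    }
}
pools {
    mobile-pool {
        addrs = 10.200.0.0/24   # placeholder; must not overlap any subnet in use
        dns = 10.0.0.1          # placeholder DNS server pushed to clients
    }
}
secrets {
    ike-mobile {
        secret = REPLACE_WITH_GENERATED_PSK     # the generated Pre-Shared Key
    }
    xauth-alice {
        id = alice@example.com                  # placeholder XAuth user
        secret = REPLACE_WITH_USER_PASSWORD
    }
}
```

The firewall rule on the IPsec tab is separate from this file; it is still needed for traffic arriving through the tunnel to be passed.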