14.6. Mobile User VPN with IPsec?

This tutorial explains how to set up a mobile user IPsec VPN with m0n0wall and Windows clients that use SafeNet SoftRemoteLT, a popular IPsec VPN client. You need m0n0wall pb25 or later for mobile user VPN.

14.6.1. m0n0wall setup

  1. Log into your m0n0wall and go to the IPsec: Mobile clients page.

  2. Configure the settings as shown in the following picture:

    You must use aggressive mode: in main mode only IP addresses can be used as identifiers, and mobile clients do not have a fixed IP address.

  3. Click "Save", then go to the IPsec: Pre-shared keys page.

  4. Add a new key for each mobile user (use different keys, and at least 8 characters!). Use the e-mail address of the corresponding user as the identifier.

  5. Go to the IPsec: Tunnels page, check "Enable IPsec" and click "Save".
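m0n0wall drives its IPsec daemon (racoon) from the settings above. The following is an added example, not the configuration m0n0wall itself writes, of how the same mobile-client policy looks when expressed by hand in racoon.conf and psk.txt. The aggressive mode, the per-user pre-shared keys looked up by e-mail (user_fqdn) identifier and the AES-256/3DES choice come from the steps above; the file paths, the SHA1 hash, DH group 2, the lifetime and the two sample users with their keys are assumptions made up for this illustration.

```conf
# --- racoon.conf (added example; paths and crypto details are assumptions) ---

# Pre-shared keys live in a separate file, one "identifier key" pair per line.
path pre_shared_key "/var/etc/psk.txt";

# "anonymous" accepts peers from any address: mobile clients have no fixed IP.
remote anonymous {
        # Aggressive mode, because main mode can only identify peers by IP address.
        exchange_mode aggressive;
        # The gateway identifies itself by its own (external) address.
        my_identifier address;
        # Only answer proposals from clients; never initiate towards a roaming peer.
        passive on;
        # Create the IPsec policy on the fly for whatever address the client has.
        generate_policy on;
        proposal_check obey;
        proposal {
                # AES-256 as in the client's proposal; use "3des" here instead
                # if a crypto accelerator in the m0n0wall lacks AES support.
                encryption_algorithm aes 256;
                hash_algorithm sha1;            # assumption
                authentication_method pre_shared_key;
                dh_group 2;                     # assumption
        }
}

# Phase 2 (IPsec SA) parameters, again for any client.
sainfo anonymous {
        pfs_group 2;                            # assumption
        lifetime time 3600 sec;                 # assumption
        encryption_algorithm aes 256, 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# --- psk.txt (added example; users and keys are constructed) ---
# One line per mobile user: the e-mail address used as the client's identity,
# then that user's own key. Keys differ per user and are at least 8 characters,
# as step 4 requires; a shared key would let any one user impersonate another.
alice@example.org   Xk7#pq2Lm9vR
bob@example.org     b0lT-n8Qz!4w
```

racoon looks the connecting client's e-mail identifier up in psk.txt, so a client whose identifier or key does not match an entry fails Phase 1 before any traffic is accepted; the file should be readable by root only, since it holds the plaintext keys.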

14.6.2. Client setup

This example assumes version 10 of SafeNet SoftRemoteLT.

  1. Install SafeNet SoftRemoteLT, if not already installed, and reboot.

  2. Right-click on the SoftRemote icon next to the clock and select "Security Policy Editor".

  3. Choose Edit -> Add -> Connection.

  4. Configure the connection properties as follows:

    Enter your LAN subnet and mask, and enter the external IP address (or hostname) of your m0n0wall instead of "12.34.56.78".

  5. Select "Security Policy" and use the following settings:

  6. Select "My Identity" and use the following settings:

    Enter the user's e-mail address, then click the "Pre-Shared Key" button and enter the pre-shared key. The e-mail address (and pre-shared key) must match an entry on the IPsec: Pre-shared keys page on m0n0wall.

  7. Select "Authentication (Phase 1) -> Proposal 1" and use the following settings:

  8. Select "Key Exchange (Phase 2) -> Proposal 1" and use the following settings:

    If you have a crypto accelerator card in your m0n0wall, you may want to use Triple DES instead of AES-256 as the encryption algorithm (some crypto accelerators do not support AES).

  9. Choose File -> Save.

  10. Make sure that the Internet connection is established. Try to ping a host on your LAN (e.g. your m0n0wall's LAN IP address). The first few pings will time out, as it takes a few seconds for the IPsec tunnel to be established. Use SoftRemote's log viewer and connection monitor to see what's going on (right-click on the SoftRemote icon next to the clock to open them).