Thanks! Glad it helped you!

While true, unless you are a company clearing credit cards - not really an issue. I would suggest ikev2 regardless.

That's a very tricky answer due to what happened in Windows 10. You have to make a few changes to DNS resolution and set the VPN interface to be a higher priority than any other interface otherwise things don't route through it properly. I will try to post a video on this. It's annoying. Also, disable IPV6 if you are not using it, as that takes priority over IPV4, and the VPN will not be used.

I am going to assume you set the Phase2 to use 0.0.0.0/0 which means you now accept everything over the VPN. This means the only way you now can filter is in the Firewall rules for the IPsec interface. To do this, you would have to then have a static IP for the client, and while this is possible it cannot be done via the web GUI and requires a bit of mucking about with he config files by hand. Not something I recommend as that work can be undone when there is a new update of the system. So for now, it's probably not possible with any degree of ease. You might, instead, setup and have that person use OpenVPN and have that service setup to be quite restrictive. Then the IPsec and the OpenVPN would have two different scopes / rulesets. Another way would be if they allowed PfSense to have more than one "Mobile Client" setup, thus allowing you to bind to a second IP Address because you set the DHCP scope on the Mobile Clients panel. But, again - you cannot do this currently. Nor does it have a robust enough UI to allow you to setup static IP addresses. (Normally this would be done by UserID on more enterprise-grade VPNs.)

You are correct, it is more secure than aggressive.

While deprecated to those using SSL certificates and the public view due to some poor coverage of the topic, no it's actually very secure. There is no "insecurity" in SHA-1. Especially in this use. It is nothing like WEP, which is encryption. SHA is a hash... it's how we hide the password. WEP is how we encrypt traffic.WEP has a flaw because I can gain the password for access to an AP by collecting enough traffic and then figuring out the cypher with a flaw in the encryption math. SHA-1 has an impossibility to recover the password from its hashed version; relies on "preimage resistance" which is, as far as we know, still fully infeasible with SHA-1. It is also fully infeasible with SHA-512, SHA-256, or even MD4 or MD5. A Sci-Fi oriented mind may envision computers achieving the power to find preimages for MD4 or MD5 around year 2050; it will take much longer for SHA-1. SSL keys with SHA-1 is slightly different, and even then it is just improbable. Feel free to set yourself to SHA-256 or higher if you want...

NetAssassin I'm not gonna argue dude. They HAVE been deprecating SHA1. READ. www.infoworld.com/article/3064654/security/tick-tock-time-is-running-out-to-move-from-sha-1-to-sha-2.html I'm not going to waste time commenting when I've done my homework, and have spent YEARS working with web site encryption.

I would basically agree that if stronger algorithms are supported, one should use them. Therefore for P1 I only allow SHA256. However for P2, it seems that SHA1 has to be allowed as well in order to get the VPN running, at least with my Android phone.

The IPs you see in the video are on the VM I am running, they have no true outcome on the setup other than shouldn't overlap. I don't cover this in the video because I assume your firewall is setup with non-overlapping subnets. Normally, most people are going to have this setup with some RFC1918 range on the LAN, and a true IP on the WAN using NAT/PAT. You could, if you have multiple static IPs, confirm a CARP or some other alias IP on the external interface and then use that as the VPN endpoint. It doesn't matter really, other than you need to use that IP or the FQDN that resolves to it in the client so it can connect to the VPN service.

Sure. The use of 0.0.0.0/0 forces ALL traffic into the tunnel. The point of the video is to make a tunnel that takes even Internet bound traffic from the client and sends it through the VPN tunnel and out the PfSense Firewall vs. the firewall and network where you have the client (laptop for example.) This is done for privacy and security. You can bypass any proxy that the local site has, and you avoid any monitoring they are doing on where you may have visited, what you did, they cannot collect passwords etc. If you left it as "LAN Subnet" then only traffic for the LAN would go across the tunnel. So let's assume the lan is 10.10.10.0/24. Only traffic for a machine in that range would then go across the tunnel, all Internet traffic would go over the network where your client is located (let's assume it is a hotel because you are traveling.) So now the hotel could see what you did on the Internet, but you would also have access to your remote network. This is called a "split tunnel." I designed the video, as I explain in the beginning, to not be split - and therefore it is a privacy or secure tunnel.

Another reason is that the VPN Tunnel when it isn't split provides added security for your LAN. Someone on the network you are using, again assume a hotel or coffee shop, cannot leverage an exploit and use your connection there to route across your VPN into your secure network. For example, you left internet sharing on in your MacBook, and they simply use your laptop now as a router between the coffee shop and your secure private LAN back at your office or house. ;)

Thank you so much for your reply, I 100% understand why 0.0.0.0 is used. Sub'd.

I think we corresponded via email. If not, let me know and I will share what I wrote to that person. :)

Yea i've got your replay Thanks

See 12:38 in the video for what you missed. ;)

Alos, verify you created a firewall rule to allow the traffic from the IPsec network.

Click the enable button on the P1 tunnel

I have it working* on Win10, using EAP-MSCHAPV2. see doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 Also works on android with strongSWAN app (you can import certs on the app, so no need to password your phone. To be fair, I do not have data connectivity, can only ping, probably some setting I missed.

+Dennis Meijer You try create rule on wan (allow udp 500, 4500 and separate rule allow ESP protocol), in your "lan" interface allow source ipsec network to your network lan ( create alias to allow services in this case) and verify automatic outbound rules...

+Dennis Meijer, I thought I had the same problem, but in 2.3 once you setup the Ipsec you have push the "play" button. After that the IPsec interface will show up in the firewall.

Actually, there is. I think Fabian Lazarte is correct, you have to hit the "play" button to turn-on the IPSec now and then the rules tab will appear as the virtual interface (IPSec) is then active. I may remake the video for the new version.

Yes, I misunderstood his question :D

Where is this "play" button on 2.3? I didn't see it anywhere during the IPsec configuration. Thanks