Question
Configuring a VPN Server with pfSense (3e) LAB GUIDE
Section 1: Hands-On Demonstration
Section 2: Applied Learning
Section 3: Challenge and Analysis

Part 1: Enable IP Roaming for Remote VPN Clients (0/1 completed)

You have completed your construction of the IPsec VPN, allowing remote employees to securely connect to the corporate network. Employees have been able to successfully access company resources, and management is pleased now that they can filter traffic on remote company computers. However, some time has passed since the initial deployment, and a trend of complaints about dropped connections has emerged, causing prolonged reconnection periods and requiring some employees to manually reconnect.

After speaking with remote employees to try to identify a pattern, you discover this is happening whenever the employee switches to a different network or network attachment point, such as from wired to wireless. Further investigation reveals that only employees without their VPN client credentials saved are being forced to manually reconnect. You suspect that their IP is changing when they switch connections, and that when it does, new Security Associations (SAs) for the tunnel are created. This would explain why those with their credentials saved experience minimal impact, while those without their credentials saved are forced to authenticate again manually. Recalling that the Mobility and Multihoming protocol (MOBIKE) enables clients to continue using existing Security Associations across IP changes, you decide MOBIKE will solve the issue for the latter and reduce reconnection periods for the former.

Using the internet, research how to enable MOBIKE support for your IPsec tunnel in pfSense. Then, using the vWorkstation system, connect to the pfSense WebGUI and implement your changes.

Make a screen capture showing the enabled MOBIKE option in the IPsec tunnel configuration.

[Screen capture: pfSense WebGUI (Status > Dashboard) at 172.30.0.1, host pfSense.securelabsondemand.com, user admin@172.30.0.2 (Local Database), VMware Virtual Machine, pfSense 2.4.5-RELEASE (amd64) on FreeBSD 11.3-STABLE, AES-NI CPU Crypto: Yes (inactive), uptime 02 Hours 26 Minutes 05 Seconds, current date/time Fri Jul 8 9:49:01 UTC 2022; interfaces WAN 202.20.1.1, LAN 172.30.0.1, DMZ 172.40.0.1; Snort Alerts widget empty; warning that the 'admin' account password is set to the default value.]

Part 2: Create Explicit Firewall Rules for an IPsec VPN (0/2 completed)

Your VPN is now stable even across IP changes on the client side, and remote employees are able to work seamlessly across networks without prolonged reconnection periods or interrupted sessions. Management is pleased with the client-side setup; however, they are concerned that the firewall rules that permit IPsec connections are hidden. They have recently implemented a policy that requires all permitted traffic to be based on explicit rules. This would enable the logging of all packets to which specific rules are applied, as well as the implementation of more granular controls in future, such as allowing specific IP ranges, employing policy filtering, and utilizing traffic shaping methods.

You know that your IPsec VPN will require three access rules: one for the port used by IPsec NAT-T, one for the port used by IKE, and one more for the ESP protocol. Using the Internet, research how to disable the IPsec automatic rule creation in pfSense, and determine which firewall rules you will need to add to permit IPsec VPN connections. Then, connect to the pfSense WebGUI from the vWorkstation, disable IPsec automatic rule creation, and add the required rules to the WAN interface.

(Hint: Find out which rules are added automatically in pfSense for IPsec connections. Then disable them and recreate them yourself. This information can all be found in Netgate's pfSense documentation.)

Make a screen capture showing the disabled automatic IPsec rule creation option.

Make a screen capture showing your firewall rules that permit IPsec traffic.

Note: This concludes Section 3 of the lab.

[Screen capture: the same pfSense Status > Dashboard page, uptime 02 Hours 29 Minutes 36 Seconds, current date/time Fri Jul 8 9:52:32 UTC 2022.]
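Both parts of this challenge end in a screen capture, which proves nothing about the running configuration. The script below is an added example (not part of the lab guide or of pfSense/Netgate's own tooling) that audits a pfSense config.xml for the three things the lab asks for: MOBIKE set to "on" on each IPsec phase 1 entry, the "Disable all auto-added VPN rules" option set under System > Advanced > Firewall & NAT, and explicit WAN pass rules for IKE (UDP/500), NAT-T (UDP/4500) and the ESP protocol. The sample config embedded in the script is constructed for this example; the element names (`mobike`, `disablevpnrules`, `filter/rule`, and so on) are modelled on the pfSense 2.4.x config.xml layout and are assumptions here rather than something copied from a live firewall, so check them against a backup of your own config before relying on the output.

```python
"""Audit a pfSense config.xml for the lab's IPsec requirements.

Checks (all on a constructed sample, element names assumed from pfSense 2.4.x):
  1. MOBIKE is 'on' for every IPsec phase 1 entry.
  2. 'Disable all auto-added VPN rules' (disablevpnrules) is set.
  3. Explicit, enabled WAN pass rules exist for UDP/500, UDP/4500 and ESP.
"""
import json
import xml.etree.ElementTree as ET

# Constructed sample config.xml fragment (NOT taken from a real firewall).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>pfSense</hostname>
    <disablevpnrules/>
  </system>
  <ipsec>
    <phase1>
      <ikeid>1</ikeid>
      <iketype>ikev2</iketype>
      <interface>wan</interface>
      <mobike>on</mobike>
      <descr>Remote employees</descr>
    </phase1>
  </ipsec>
  <filter>
    <rule><type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <protocol>udp</protocol><source><any/></source>
      <destination><network>wanip</network><port>500</port></destination>
      <descr>IPsec IKE</descr></rule>
    <rule><type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <protocol>udp</protocol><source><any/></source>
      <destination><network>wanip</network><port>4500</port></destination>
      <descr>IPsec NAT-T</descr></rule>
    <rule><type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <protocol>esp</protocol><source><any/></source>
      <destination><network>wanip</network></destination>
      <descr>IPsec ESP</descr></rule>
  </filter>
</pfsense>
"""

# (protocol, destination port) pairs the lab says must be explicit; ESP has no port.
REQUIRED_WAN_RULES = (("udp", "500"), ("udp", "4500"), ("esp", None))


def _text(elem, tag):
    """Lower-cased text of a child element, or '' if the child is absent."""
    child = elem.find(tag)
    return (child.text or "").strip().lower() if child is not None else ""


def mobike_status(root):
    """Map each phase 1 entry (by ikeid) to whether MOBIKE is enabled."""
    return {_text(p1, "ikeid"): _text(p1, "mobike") == "on"
            for p1 in root.iterfind("./ipsec/phase1")}


def auto_vpn_rules_disabled(root):
    """pfSense stores boolean advanced options as an empty element when set."""
    return root.find("./system/disablevpnrules") is not None


def explicit_ipsec_rules(root, iface="wan"):
    """Return the subset of REQUIRED_WAN_RULES satisfied by an enabled pass rule
    on `iface`. Disabled rules and rules on other interfaces are ignored."""
    found = set()
    for rule in root.iterfind("./filter/rule"):
        if _text(rule, "type") != "pass" or _text(rule, "interface") != iface:
            continue
        if rule.find("disabled") is not None:
            continue
        proto = _text(rule, "protocol")
        dst = rule.find("destination")
        port = _text(dst, "port") if dst is not None else ""
        for req_proto, req_port in REQUIRED_WAN_RULES:
            if proto == req_proto and (req_port is None or port == req_port):
                found.add((req_proto, req_port))
    return found


def audit(xml_text):
    """Run all three checks and return a dict suitable for a report."""
    root = ET.fromstring(xml_text)
    present = explicit_ipsec_rules(root)
    return {
        "mobike": mobike_status(root),
        "auto_rules_disabled": auto_vpn_rules_disabled(root),
        "missing_wan_rules": [r for r in REQUIRED_WAN_RULES if r not in present],
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_CONFIG), indent=2))
```

Point `audit()` at the contents of a config backup (Diagnostics > Backup & Restore) to check a real firewall. The script checks only that the rules exist and are enabled; it does not check rule ordering or the source restrictions the lab mentions as future work, and MOBIKE is an IKEv2 feature (RFC 4555), so a phase 1 using IKEv1 will not benefit from the option even if the element is present.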
Step by Step Solution
Step: 1
Part 1: Enable IP Roaming for Remote VPN Clients
Step 1: Log in to the pfSense WebGUI. Open a web brows...