IPSec VPNs with pfsense

I've been trying forever to get a mobile IPSec connection up between my OS X laptop and pfsense. Finally, thanks to this outstanding blog post, it works. I'm especially excited that it works with the default OS X and Android VPN clients.

My pfsense config closely mirrors the one specified by Mike Murray:


Phase 1

Key Exchange version: Auto
Internet Protocol: V4
Interface: <my ISP>

Authentication Method: Mutual PSK + Xauth
Negotiation Mode: Aggressive
My identifier: My IP Address
Peer identifier Distinguished Name: <my vpn name>
Pre-Shared Key: <my key>

Encryption Algorithm: AES 256
Hash Algorithm: SHA1
DH Group: 2
Lifetime (Seconds): 28800

Disable rekey: unchecked
Responder Only: checked
NAT Traversal: Forced
Dead Peer Detection: checked
Delay: 10
Max failures: 5

Phase 2

Mode: Tunnel IPv4
Local Network Network:
NAT/BINAT translation: None

Protocol: ESP
Encryption Algorithms: AES Auto
Hash Algorithms: SHA1
PFS key group: off
Lifetime: 3600

Mobile Clients

IKE Extensions: checked
User Authentication: Local Database
Group Authentication: system

Virtual Address Pool: checked. / 27

Virtual IPv6 Address Pool: unchecked
Network List: unchecked
Save Xauth Password: checked
DNS Default Domain: checked khubla.local

Split DNS: unchecked
DNS Servers: checked

WINS Servers: unchecked
Phase2 PFS Group: unchecked
Login Banner: unchecked


Add VPN and choose VPN Type "Cisco IPSEC". Use the Group Name specified in Phase 1 "Peer identifier Distinguished Name".


Add VPN and choose "IPSec VPN with pre-shared keys and XAuth authentication". Use the IPSEC Identifier specified in Phase 1 "Peer identifier Distinguished Name".
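
The Phase 1 and Phase 2 values listed above can be reviewed mechanically. This added example (not from the original post or from pfSense) parses `Label: value` lines and flags the choices a reviewer would question; the function names, the rule set and the sample text are assumptions made for illustration.

```python
# Added example: audit "Label: value" IPsec settings for weak choices.
# SAMPLE is constructed from the Phase 1 / Phase 2 values listed in this post.
SAMPLE = """\
Authentication Method: Mutual PSK + Xauth
Negotiation Mode: Aggressive
Encryption Algorithm: AES 256
Hash Algorithm: SHA1
DH Group: 2
Hash Algorithms: SHA1
PFS key group: off
"""

# MODP group number -> modulus bits (RFC 2409 groups 1-2, RFC 3526 groups 5+).
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
WEAK_HASHES = {"MD5", "SHA1"}


def parse_settings(text):
    """Parse 'Label: value' lines into a dict keyed by lower-cased label."""
    settings = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and value.strip():  # skip lines whose value is missing
            settings[label.strip().lower()] = value.strip()
    return settings


def audit(settings):
    """Return (label, reason) pairs for settings a reviewer should question."""
    findings = []
    psk = "psk" in settings.get("authentication method", "").lower()
    if psk and settings.get("negotiation mode", "").lower() == "aggressive":
        findings.append(("negotiation mode",
                         "aggressive mode exposes a PSK-derived hash to offline guessing"))
    for label in ("hash algorithm", "hash algorithms"):
        if settings.get(label, "").upper() in WEAK_HASHES:
            findings.append((label, settings[label] + " is a legacy hash"))
    group = settings.get("dh group", "")
    # Unknown group numbers are not flagged; only known MODP sizes are judged.
    if group.isdigit() and MODP_BITS.get(int(group), 2048) < 2048:
        findings.append(("dh group", "MODP modulus below 2048 bits"))
    if settings.get("pfs key group", "").lower() == "off":
        findings.append(("pfs key group",
                         "Phase 2 keys are derived without a fresh DH exchange"))
    return findings


if __name__ == "__main__":
    for label, reason in audit(parse_settings(SAMPLE)):
        print(f"{label}: {reason}")
```
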

2 Responses to "IPSec VPNs with pfsense"

  • Marc
    October 18, 2017 - 6:15 pm

    Hi there –

    Which version of pfSense are you using? I’ve been wishing they’d add XAuth support to the IPSec config options for ages, and as of version 2.3.4-RELEASE-p1 (amd64) I still don’t see it. Am I missing something obvious?

    Thanks –

    • Marc
      October 19, 2017 - 4:00 pm

      Never mind – apparently it’s only available when acting as the “central” end of the VPN. I’ve been hoping to get pfSense to emulate the client end of an XAuth-enabled connection. (It’s a long story, involving a distant and unresponsive corporate IT department…)
