Well I am here to show you a mobile IPSec Road Warrior configuration that actually works, and explain all of the problems I had getting it to work and what I did to fix them. I’ll also explain what some of those pesky options actually do and why changing them might or might not be a good idea.
A Working pfSense Road Warrior IPSec Configuration
Let’s start by running through the configuration one step at a time. (This guide is for pfSense 2.3+.) There are five basic steps: enable the Mobile Clients configuration, create the Phase 1 entry, create the Phase 2 entry, create and enable the users who may connect, and finally configure the client machines. We’ll discuss each one in detail.
Step 1: Enable the IPSec VPN Mobile Configuration
The first step in getting our pfSense Road Warrior configuration working is to enable Mobile Client Support for IPSec (which enables IKE extensions).
Under VPN –> IPSec click on Mobile Clients.
In the Enable IPsec Mobile Client Support box, under IKE Extensions, check the box that says “Enable IPsec Mobile Client Support”.
In the Extended Authentication box, under User Authentication select “Local Database”. If you had a remote RADIUS server or another pfSense box that held your users you could configure that here. In our example, we’re only going to use the local database. Leave Group Authentication set to “none”.
On the Client Configuration box, under Virtual Address Pool check the box and enter a subnet. This is the subnet of IP addresses pfSense will give to mobile clients that connect to your VPN.
Note: I had trouble when entering a class C (/24) in this box. For some reason traffic would not route. When I changed this to something else (in my case I used a /27), traffic started routing. I think this might be a pfSense bug.
Check the box next to Save Xauth Password. This allows client devices to save the password on their device. If you leave this unchecked you’ll be prompted to enter your password each time you connect, which might be fine if you’re looking for higher security but will certainly be annoying for most.
Continuing on in the same box, check the box next to DNS Default Domain, and enter the domain name for your internal network. In my case I use the domain name .home, so I just entered “home” (no dot in front of it). Yours might be home.com, or a real domain name like TheGeekPub.com.
Next check the box next to DNS Servers and enter the IP address of your DNS server. In my case I want to use the IP address of my pfSense box, because I want my clients to resolve my internal host names in addition to actual domain names on the internet. This will allow client machines connected to my VPN to access my internal servers by name. For example my Plex media server is http://plex.home, so you can just enter plex/ in your browser and access my movies when connected to my VPN.
Notice: If you run into trouble with DNS not working for VPN users on pfSense, this is because your DNS resolver or Forwarder interface is set to ALL interfaces. Go to the DNS Resolver or DNS Forwarder configuration (Services –> DNS Forwarder or Services –> DNS Resolver) and make sure that the Interfaces section is set to LAN. DNS should work normally after that.
Step 2: Create the Phase 1 Entry
The next step in our pfSense Road Warrior configuration for IPSec is to create a Phase 1 Entry. You should automatically be prompted to create this after clicking Save on the Mobile Client Configuration.
If for some reason you weren’t prompted, no worries, just go to VPN –> IPSec and click on Tunnels, and click on the Add P1 button.
On the General Information box under Description, enter a name for this VPN. This is purely optional, but makes it easier later on to know what a connection is when looking on the status screens (especially if you have multiple VPNs or clients connected). I just named mine “Home VPN”. Leave everything else default.
Under the Phase 1 Proposal (Authentication), change the Authentication Method to “Mutual PSK + Xauth”. Change Negotiation Mode to “Aggressive”. Change Peer Identifier to “Distinguished name” and enter a group name. You’ll need to remember this group name when configuring your clients. Under Pre-Shared Key enter a key. You’ll also need to remember this key when configuring your clients. Because aggressive mode sends the PSK-based authentication hash before the exchange is encrypted, pick a long random key rather than a short phrase.
Note: If for some reason some of the fields or options do not show up, just scroll to the bottom and click save, then re-open the Phase 1 tunnel again and they should be there this time. This is a known bug in some versions.
Under Phase 1 Proposal (Algorithms) make no changes. The defaults should work fine for all iOS, Android, etc devices.
Under Advanced Options, change NAT Traversal to “Force”. If you don’t change this, clients behind NAT firewalls may have a hard time connecting or not be able to connect at all.
Step 3: Configuring the Phase 2 Entry
Step 3 of our pfSense Road Warrior configuration for IPSec involves creating a Phase 2 Entry. Phase 1 authenticates the two ends and exchanges keys. Phase 2 builds the tunnel that actually carries the traffic.
Under the General Information box, under Local Network change the type to “Network” and enter the address as “0.0.0.0/0”. This will tell the clients to send all traffic to you, even traffic bound for the internet. When clients pull down a webpage or file from the internet it will traverse your VPN.
If you only want clients to access your local network and send all other traffic out their own ISP, then you’d just select “LAN Subnet” from the dropdown and leave the address box empty. This might cause issues with DNS, as your clients will poll the VPN DNS first, so make sure you set the DNS appropriately back in step 1 if you do this (such as google DNS 126.96.36.199, rather than your own pfSense box).
Continuing on under Phase 2 Proposal (SA/Key Exchange), leave everything here to default. It should work just fine.
Under Advanced configuration, also leave this unchanged (empty box).
Step 4: Create a User and give them Permissions
Step 4 of our pfSense Road Warrior configuration for IPSec is to create a user and give them permission to connect. It is highly recommended that you do not use your pfSense admin account for this connection, as it would be a huge security risk should the account be compromised later on. Do yourself a favor and create a separate account for VPN access, even if you’re the only one connecting to the VPN.
Go to System –> User Manager and click +Add.
Enter a username under Username, and a password under the Password fields (twice). Don’t change anything under the group settings.
Under Keys, don’t enter anything. We’ve already set our pre-shared key on the tunnel configuration.
Now save the account and then reopen it. You’ll see a new section called Effective Privileges. Click the +Add button.
Under User Privileges, select “User – VPN: IPSec xauth Dialin” and then click Save. That’s it. You’ve created a user that can connect to your VPN tunnel.
Step 5: Configure the Client Computers and Devices
The final step is to configure our client machines to connect to the VPN we just made. I’ll give two examples, iOS and MacOS, but most other clients are just as easy.
Configuring iOS for pfSense Road Warrior IPSec
Go to Settings –> VPN –> Add VPN Configuration. Select Type as IPSec.
Under Description put something like “Connect to Home”.
Under Server, enter the DNS name (fully qualified domain name, FQDN) or the WAN IP address of your pfSense box. Then enter the Account username and password. Leave Use Certificate set to off.
Under Group Name enter the Group Name you used in Step 2 above. In addition, enter the Secret that you entered in Step 2 above. That’s all there is to it. Your iOS client should now be able to connect to the VPN. The example given is the iPhone, but the iPad will be exactly the same settings.
Configuring MacOS for pfSense Road Warrior IPSec
Under Settings –> Network press the plus (+) button at the bottom of the list.
Under Interface select “VPN” and then under VPN Type select “Cisco IPSec”.
Under Service Name enter whatever you want to call this VPN connection. I called mine “Connect to Home” and then click Create.
On the next screen under Server Address enter the Fully Qualified DNS name or IP address of your pfSense WAN interface. Then enter the same username and password you created earlier. Then click Authentication Settings.
Select Shared Secret and enter the Secret you chose in Step 2 and then enter the Group Name you also chose in Step 2.
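As an added example (not part of the original article or of pfSense itself), the following script checks a planned Road Warrior configuration against the pitfalls described in Steps 1 and 3: a virtual address pool that collides with the LAN, the /24 pool the article found would not route, a split tunnel that does not cover the LAN, and a DNS server that clients cannot reach through the tunnel. The LAN, pool and DNS values in the `__main__` block are constructed placeholders.

```python
import ipaddress

FULL_TUNNEL = ipaddress.ip_network("0.0.0.0/0")


def check_road_warrior_plan(lan, pool, phase2_local, dns_servers):
    """Return a list of (level, message) findings for a mobile IPsec plan.

    lan          -- LAN subnet behind pfSense (e.g. "192.168.1.0/24")
    pool         -- Virtual Address Pool handed to mobile clients (Step 1)
    phase2_local -- Phase 2 "Local Network" (Step 3); "0.0.0.0/0" tunnels
                    everything, the LAN subnet gives a split tunnel
    dns_servers  -- DNS server addresses pushed to clients (Step 1)
    """
    lan = ipaddress.ip_network(lan, strict=False)
    pool = ipaddress.ip_network(pool, strict=False)
    phase2 = ipaddress.ip_network(phase2_local, strict=False)
    findings = []

    # The pool must be its own range: if it overlaps the LAN, a client and a
    # LAN host can hold the same address and replies go to the wrong one.
    if pool.overlaps(lan):
        findings.append(("error", f"virtual address pool {pool} overlaps LAN {lan}"))
    if not pool.is_private:
        findings.append(("warning", f"pool {pool} is not an RFC 1918 range"))
    # The article reports that a /24 pool did not route while a /27 did.
    if pool.prefixlen == 24:
        findings.append(("warning", "a /24 pool reportedly does not route; try a smaller pool such as /27"))

    split = phase2 != FULL_TUNNEL
    # A split tunnel must at least cover the LAN the clients are meant to reach.
    if split and not lan.subnet_of(phase2):
        findings.append(("error", f"split tunnel {phase2} does not cover LAN {lan}"))
    for server in dns_servers:
        addr = ipaddress.ip_address(server)
        # A private resolver outside the tunnelled network is unreachable for
        # split-tunnel clients; use a public resolver or the pfSense LAN address.
        if split and addr.is_private and addr not in phase2:
            findings.append(("error", f"DNS server {addr} is private but outside the tunnelled network {phase2}"))
        # Full tunnel: a private resolver off the LAN still needs a route from pfSense.
        if not split and addr.is_private and addr not in lan:
            findings.append(("warning", f"DNS server {addr} is private and not on the LAN; make sure pfSense routes to it"))
    return findings


if __name__ == "__main__":
    # Constructed sample values: a full-tunnel setup using the pfSense LAN address for DNS.
    for level, msg in check_road_warrior_plan("192.168.1.0/24", "10.10.10.0/27", "0.0.0.0/0", ["192.168.1.1"]):
        print(f"{level}: {msg}")
```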
Troubleshooting and Final Thoughts
At this point your pfSense Road Warrior VPN should be working like a champ. If it’s not, there are a few things you might need to check.
Firewall Rules and NAT for pfSense IPSec
If you turned off auto generation of firewall rules, then you’re going to need to open UDP ports 500 and 4500 inbound to your WAN IP address. You can check this under System –> Advanced.
In addition, you might need to change your NAT reflection settings, which can be found in the same location. Change the NAT Reflection mode for port forwards to “Pure NAT”.
One last note. Some ISPs block inbound ports to your home network. Almost all block ports 25 and 80. But some of the worst offending ISPs will also block ports 500 and 4500 specifically to keep you from VPNing to your home network. If your ISP does this you should dump them as they truly do suck.
On another note, if you are looking for a new pfSense firewall for your home, I highly recommend this unit from Amazon. It is really nice. I and several of my friends have it and it works quite well!
Well I’ll be damned. It worked. I’ve tried 10 of these including the one on the pfsense wiki. none of them worked till this one. thanks!
Hi… I’m looking for a config that works with IKEv2, with pfSense 2.3
Apple Configurator user profile with always ON enable.
Any clues where to look… the one on the pfSense forum is not working for me, as the certificate can’t be created with a password and Apple Configurator refuses a certificate if no password is entered.
Looking for the working IKEv2 config myself. I’ll let you know when I find it!
Also looking for IKEv2. And preferably one which works with iOS 10+ and Windows 10.
Although big thanks to the author, at least now I have one that works with iOS. Might be working with Win10, I just don’t know how.
You can use the Shrewsoft VPN client on windows 10. It works perfectly with this tunnel and it is free. https://www.shrew.net/software
OK, thx, but why not just use IKEv2 when it’s there, being the newest, supported by pfSense and all the platforms? A clean and dry solution it would be. Have you tried? No luck? Mission Impossible?
There’s a reason the title of this article is “…config that works.” 🙂 If you can get it to work, I’d be happy to create another tutorial.
Hoooo so no one ever found a working IKEv2 that works!!
Who develops those things and why don’t they do a tutorial !?!
And Apple asks for a password on every certificate installed with Configurator, no way to force a supervised device to comply with business security, users have to turn it on manually !!
Some tweaks when you’re jailbroken can force VPN… But I think you can’t have a supervised device and jailbreak at the same time !!??
I have been a pfSense user for the last 6 years and it never worked. Still using PPTP but I will try your config and see what happens.
Does Shrewsoft VPN client for Windows work for this? Anyone know?
Yes. I use it almost every day.
Do you currently connect using iOS 10.x or Android? I can’t connect with either.
I connect with iOS almost every day.
Thank you. Your guide actually worked unlike the 5 before this.
Hello, very good work !!!
I configured my pfSense like yours. When I had configured my ShrewSoft Client on my computer, the “tunnel” is “enabled” but the “security associations” is “Failed”. So, I can’t connect to my network.
Can you show me how you have configured your ShrewSoft Client on your computer?
Thanks a lot.
There is no special configuration. Username, password, shared secret.
On the first tab “General”, is “Auto Configuration” set to “ike config pull”?
On the last tab “Policy”, is “Policy Generation Level” set to “Auto” or something else?
Set everything back to the default settings.
I found the problem. It’s a parameter on phase in my Shrewsoft Client that wasn’t good (PFS Exchange) …
Your guide is great. Thanks again
I have had this setup running for several months I have two issues though…
1. The internet traffic with my client is NOT running through my home pfSense, so I made the change you suggested under step 3 by changing the Local Network setting to “network” and 0.0.0.0/24. While I am still able to connect with the client, the browsing still does not go through my home pfSense and I can no longer access anything on my LAN; I can’t even ping the LAN IP, yet the VPN session is connected. If I change it back to LAN and the second field to blank I can access the devices on my LAN. Any idea why?
A separate issue, but maybe related
When I try to change the DNS resolver from “All” to “LAN” I get an error saying “This system is configured to use the DNS Resolver as its DNS server, so Localhost or All must be selected in Network Interfaces”, so I am not sure how you get that one set… Maybe the first issue is related to not being able to set the second. I dunno, otherwise everything is identical with my setup and I am able to access everything by IP address until I change step 3, and then I can’t ping anything, even by IP.
I really would like to have my browsing go through my home pfsense, and being able to use the DNS names instead of IP addresses would be great too.
Just for the record I have a few VLANS and several opt LANs maybe those are complicating this. Anyway, this is a great guide I would love to get those two issues sorted though if you have any suggestions. The second issue really makes me wonder, it’s acting like that setting is not even possible, so I am not sure how you got it.
Follow-up to my question. I figured out problem 1. for the subnet I put 0.0.0.0/24 because that’s what you said to do but your screenshot has 0.0.0.0/0 so I tried that and problem 1 went away. So I am not sure if 0.0.0.0/24 was a typo or what.
I still have a question about the DNS Resolver though why do you think it won’t let me select LAN..
You are indeed correct. I corrected the article! Thanks. As for the DNS issue, it’s not a problem I have seen. I’ll experiment later if I get a chance.
Ok thanks, I will try to tinker with it and come back and update if I get anything.
Still have a problem with the DNS resolver too. Same message.
Ya, I think I am having the same issue. My client can connect just fine, but cannot browse the web. Must be a DNS issue, but not sure exactly where to start diagnosing.
On a side note, my pfSense is also connected to an OpenVPN service, and I have rules to send certain traffic through the WAN and others through the VPN. But I don’t think this is causing my problem.
Same here except I actually access the internet while connected but nothing on the WAN.
Just add another LAN interface to re-create the issue. It works if you only have one LAN, but not when you have multiple LAN interfaces or VLAN interfaces. I had really high hopes for this one!
Not happening for me.
Under: Firewall -> Rules -> IPsec
Make sure that you have a rule that allows UDP access to 192.168.1.1 (your firewall) on port 53 (DNS).
Damn, I hardly ever leave comments on these kinds of guides, but you really helped me out big time! Thanks Mike!
Have you heard of anyone using a Radius Server to authenticate vs the local Database?
I’m new to PFSense, so I am glad I found this article so early in my endeavors to get it working. I had a similar issue with a Draytek router, but the information is pretty rare, which is why I changed to PFSense. In hindsight, I bet it was just a wrong setting somewhere.
I’m also having issues with my Android devices & Squid Guard, does your expertise include Proxy Servers as well?
I have 2 networks connected with an IPsec tunnel, using pfSense on both ends. If I set up this Road Warrior VPN on Network A, once the PC connects, would it be able to see the devices on Network B across the tunnel? Currently I’m using IKEv2 EAP-MSChapV2 for the VPN on the PC, and it just doesn’t see the devices from the next hop over the IPsec tunnel.
Yes. I do that very thing. You need to add all of the routes on the IPSEC tunnel config (or in your pfsense route table).
This looks great, I’d like to give this a try. Does this allow multiple VPN connections from the same user from different machines (for example being VPNed in from Win10 and iOS10 at the same time), or is this the same like with OpenVPN where only the last connection works?
Yes. That’s completely configurable.
Ok, great, figured it out. Thanks!
Hi Mike, could you give me an example of the static route to access device across IPsec after the VPN please. Do I need additional firewall rule as well? Thanks
like so many before, just stopping by to pay my regards and offer thanks – like the title says, this config works! I’ve been beating my head against the wall, assuming the IKEv2 profile generated by the built in tool should work; it seems it doesn’t. So I’m grateful to find this and to have a working config. …now to figure out the ‘always on’ part 🙂
Thank you very much, it works perfectly, but I do have a problem with SIP registration. The two sides can ping each other (Elastix AND Mobile Phone) but the SIP account cannot be registered. I have checked the firewall:
IPsec udp 192.168.0.1:12693 -> 172.16.1.15:5060 NO_TRAFFIC:SINGLE
I don’t know where the problem is. Could you please advise?
Is the firewall rule on the IPSEC tunnel or the LAN/WAN interface? Remember, pfSense processes rules on the ingress of the port, even if it is virtual. Additionally, since this is UDP data you will need the same rule on the ingress port(s) of the firewall at the other end.
Thanks for your reply. I have checked the rules:
IPSEC => source, destination, protocol are *
There is no rule regarding VPN on other interfaces.
I have configured a site-to-site IPSec VPN with Fortigate (server side static IP) & pfSense, and I am facing a strange issue. I can see that sometimes the tunnel breaks 166 seconds after establishment & reconnects. This goes on for at least one hour. I cannot imagine why. I suspect that the ISP is doing this. As a resolution, is it possible to change the default ports? In Fortigate I can define a custom port but in pfSense I cannot find it.
This WORKS!!!!!! I had to manually add (since I disabled the auto) the outbound NAT rules for port 500, 4500 and the protocol ESP. ShrewSoft works great on my Windows machine, and now my iPhone connects too! Now I just need to sync iTunes over VPN 😀
I also had to uncheck VPN -> IPsec -> Mobile Clients -> “Provide a list of accessible networks to clients”
That seems counter-intuitive. Did you setup manual routes on the other end? The routers/clients have to know what subnets are on each of the tunnel to route traffic.
Thank you very much, I wasn’t able to route all the traffic through VPN, unchecking “Provide a list of accessible networks to clients” made the trick !!!
The config works fine for me (using Windows 10 and iOS 10.x), but I can’t use the same username when connected from both clients. If I connect from my iPhone, the Windows 10 client drops connection. I don’t want to use two usernames. Any thoughts?
Thank you for the config guide, Mike! Just want to mention that in pfSense version 2.4.2-RELEASE-p1 (amd64) we found out that the associated right “User – VPN: IPsec xauth Dialin” doesn’t lead to success. We always get an “authentication failure”. Then we associated the “User – VPN: L2TP Dialin” right too and the Mobile VPN IPSec connection works as expected.
You are a beautiful genius. Thank you so much for this guide!
Is it possible to have multiple Mobile configs on the same IP? On my Cisco ASA I was able to set up different rules and routes based on the Phase 1 group name, but I don’t see a way to do this on pfsense.
thanks for this nice howto…. any client other than shrew?
Just a quick note that passing other traffic outside of the VPN (per step 3 quoted below) does not work for subsequently trying to use Remote Desktop (over the VPN).
“If you only want clients to access your local network and send all other traffic out their own ISP then you’d just select “LAN Subnet” from the dropdown and leave the address box empty. This might cause issues with DNS, as your clients will poll the VPN DNS first, so make sure you set the DNS appropriate if you do this back in step 1 (such as google DNS 188.8.131.52, rather your own pfSense box).”
Is there anything additional that is needed (or could be adjusted)? Attempted with a DNS set including: 192.168.1.1, 184.108.40.206, 220.127.116.11 …
I followed the instructions almost to the T but my Android on Pie is not able to establish a connection. This is the last part of the IPsec log before Unsuccessful:
Apr 15 16:55:08 charon 06[IKE] IKE_SA con-mobile state change: CONNECTING => DESTROYING
Apr 15 16:55:08 charon 06[JOB] deleting half open IKE_SA with 192.XX.XX.XX after timeout
Apr 15 16:55:03 charon 06[NET] sending packet: from XX.XX.XX.XX to 192.XX.XX.XX (412 bytes)
Apr 15 16:55:03 charon 06[IKE] sending retransmit 3 of response message ID 0, seq 1
Apr 15 16:54:50 charon 14[NET] sending packet: from XX.XX.XX.XX to 192.XX.XX.XX (412 bytes)
Apr 15 16:54:50 charon 14[IKE] sending retransmit 2 of response message ID 0, seq 1
Apr 15 16:54:42 charon 07[NET] sending packet: from XX.XX.XX.XX to 192.XX.XX.XX (412 bytes)
Apr 15 16:54:42 charon 07[IKE] sending retransmit 1 of response message ID 0, seq 1
Apr 15 16:54:38 charon 07[IKE] queueing INFORMATIONAL_V1 request as tasks still active
Is this a Firewall NAT issue?
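As an added example (not part of the original post or any commenter's code), the script below reads a charon log excerpt shaped like the one quoted above and reports the half-open IKE_SA pattern: the responder keeps retransmitting its reply to message ID 0 and then deletes the SA after a timeout. The sample log is constructed with documentation addresses in place of the masked XX.XX.XX.XX values.

```python
import re

# Constructed sample, shaped like the charon lines quoted in the comment above
# (addresses replaced with RFC 5737 documentation addresses), in time order.
SAMPLE_LOG = """\
Apr 15 16:54:38 charon 07[IKE] queueing INFORMATIONAL_V1 request as tasks still active
Apr 15 16:54:42 charon 07[IKE] sending retransmit 1 of response message ID 0, seq 1
Apr 15 16:54:42 charon 07[NET] sending packet: from 203.0.113.10 to 198.51.100.20 (412 bytes)
Apr 15 16:54:50 charon 14[IKE] sending retransmit 2 of response message ID 0, seq 1
Apr 15 16:54:50 charon 14[NET] sending packet: from 203.0.113.10 to 198.51.100.20 (412 bytes)
Apr 15 16:55:03 charon 06[IKE] sending retransmit 3 of response message ID 0, seq 1
Apr 15 16:55:03 charon 06[NET] sending packet: from 203.0.113.10 to 198.51.100.20 (412 bytes)
Apr 15 16:55:08 charon 06[JOB] deleting half open IKE_SA with 198.51.100.20 after timeout
Apr 15 16:55:08 charon 06[IKE] IKE_SA con-mobile state change: CONNECTING => DESTROYING
"""

RETRANSMIT = re.compile(r"sending retransmit (\d+) of response message ID (\d+)")
PACKET = re.compile(r"sending packet: from (\S+) to (\S+) \((\d+) bytes\)")
HALF_OPEN = re.compile(r"deleting half open IKE_SA with (\S+) after timeout")


def diagnose_ikev1_timeout(log_text):
    """Summarise a charon excerpt; None if it shows no half-open IKE_SA timeout."""
    retransmits = 0
    packets_sent = 0
    peer = None
    for line in log_text.splitlines():
        m = RETRANSMIT.search(line)
        if m:
            retransmits = max(retransmits, int(m.group(1)))
        if PACKET.search(line):
            packets_sent += 1
        m = HALF_OPEN.search(line)
        if m:
            peer = m.group(1)
    if peer is None:
        return None
    # Retransmitting a *response* means pfSense did receive the client's first
    # message, so inbound UDP 500 works; what never arrives is the client's next
    # message. Either the reply is lost on the way back (NAT or filtering in
    # front of the client, NAT Traversal not forced) or the client could not
    # process it (group name, pre-shared key or proposal mismatch).
    verdict = (
        f"half-open IKE_SA with {peer}: reply to message ID 0 retransmitted "
        f"{retransmits} times with no answer; check the return path (NAT-T, "
        "UDP 500/4500 towards the client) and the client's group name/PSK"
    )
    return {"peer": peer, "retransmits": retransmits,
            "packets_sent": packets_sent, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose_ikev1_timeout(SAMPLE_LOG))
```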
If both ends of the VPN tunnel are NATed, that’s probably your issue.
On pfSense I set IPsec to AUTO; there is no way I can turn it off. On the Android side, how can I even turn that off?
Overall great write up. I had problems connecting to anything local or remote. Eventually figured out this was due to my IPsec firewall rule. The source/dest was *, but the protocol on the rule was TCP/UDP. When the protocol was changed to *, everything started working.
Thanks so much – still works in 2022 with Pfsense 2.6!