How to set up an IPsec VPN on pfSense 2.1 for mobile OS X and iOS clients

I recently had to configure the open-source firewall pfSense to allow VPN access for mobile clients, particularly those using OS X on Macs and iOS on iPhones and iPads.

I haven’t found too many examples out there from people who have set this up successfully, so I thought it might be helpful to share this information for others who are trying to set up a similar VPN configuration.

N.B. This works for pfSense 2.1. pfSense 2.2 completely changed the IPsec backend, so the web interface and the available options differ somewhat there.

pfSense configuration

In System -> User Manager set up a suitable user as needed, and under Effective Privileges add User – VPN – IPsec xauth Dialin for that user.

Then go to VPN -> IPsec and set up the mobile IPsec client configuration as follows.

VPN: IPsec

Tunnels: Phase 1 (Mobile Client)

General information

  • Disabled: off
  • Internet Protocol: IPv4
  • Interface: WAN
  • Description: Remote access VPN [modify as needed]

Phase 1 proposal (Authentication)

  • Authentication method: Mutual PSK + Xauth
  • Negotiation mode: aggressive
  • My identifier: My IP address
  • Peer identifier: Distinguished name, MyIdentifier [modify as needed]
  • Pre-Shared Key: MyPresharedKey [modify as needed]
  • Policy Generation: Default
  • Proposal Checking: Default
  • Encryption algorithm: 3DES
  • Hash algorithm: SHA1
  • DH key group: 2 (1024 bit)
  • Lifetime: 28800

Advanced Options

  • NAT Traversal: Force
  • Dead Peer Detection: on, 10 seconds, 5 retries

Tunnels: Phase 2 (Mobile Client)

  • Disabled: off
  • Mode: Tunnel IPv4
  • Local Network: LAN subnet (NAT/BINAT: None)
  • Description: [empty]

Phase 2 proposal (SA/Key Exchange)

  • Protocol: ESP
  • Encryption algorithms: AES (auto), Blowfish (auto), 3DES, CAST128
  • Hash algorithms: MD5, SHA1
  • PFS key group: off
  • Lifetime: 3600

Advanced Options

  • Automatically ping host: [empty]

Mobile clients

  • IKE Extensions: on

Extended Authentication (Xauth)

  • User Authentication: LocalDatabase
  • Group Authentication: none

Client Configuration (mode-cfg)

  • Virtual Address Pool: on, Network 192.168.100.0/24 [modify as needed]
  • Network List: off
  • Save Xauth Password: off
  • DNS Default Domain: on, local.foo.com [modify as needed]
  • Split DNS: off
  • DNS Servers: on, Server #1 192.168.1.200 [modify as needed]
  • WINS Servers: off
  • Phase2 PFS Group: off
  • Login Banner: on, text "Warning: don't be naughty!" [modify as needed]

Pre-Shared Keys

  • Identifier: MyIdentifier [modify as needed; must match the Peer identifier above]
  • Pre-Shared Key: MyPresharedKey [modify as needed; must match the Pre-Shared Key above]

Firewall: Rules

In Firewall -> Rules, go to the IPsec tab and make sure there’s a rule that allows all IPv4 traffic from any source to any destination. Rules on this tab only match traffic that has already arrived through the IPsec tunnel, so without such a rule connected clients will authenticate but be unable to reach anything.

OS X configuration

In System Preferences -> Network, add a new interface of type VPN, VPN Type Cisco IPSec, and Service Name of your choice.

Server Address is the public IP of your firewall. Account Name is the pfSense user you set up earlier.

In Authentication Settings, Shared Secret is the pre-shared key you created on pfSense earlier, and Group Name is the identifier you created on pfSense earlier.

iOS configuration

In Settings -> VPN, add a new VPN configuration of type IPSec.

Description is up to you. Server is the public IP of your firewall. Account is the pfSense user you set up earlier. Group Name is the identifier you created on pfSense earlier. Secret is the pre-shared key you created on pfSense earlier.