Setting up an IPsec VPN on pfSense 2.1 for mobile OS X and iOS clients

I recently had to configure the open-source firewall pfSense to allow VPN access for mobile clients, particularly those using OS X on Macs and iOS on iPhones and iPads.

I haven’t found too many examples out there from people who have set this up successfully, so I thought it might be helpful to share this information for others who are trying to set up a similar VPN configuration.

N.B. This works for pfSense 2.1. In pfSense 2.2 they completely changed the IPSec backend, so things are a little different at the frontend.

pfSense configuration

In System -> User Manager set up a suitable user as needed, and under Effective Privileges add User – VPN – IPsec xauth Dialin for that user.

Then go to VPN -> IPsec and set up the mobile IPsec client configuration as follows.

VPN: IPsec

Tunnels: Phase 1 (Mobile Client)

General information

  • Disabled: off
  • Internet Protocol: IPv4
  • Interface: WAN
  • Description: Remote access VPN [modify as needed]

Phase 1 proposal (Authentication)

  • Authentication method: Mutual PSK + Xauth
  • Negotiation mode: aggressive
  • My identifier: My IP address
  • Peer identifier: Distinguished name, MyIdentifier [modify as needed]
  • Pre-Shared Key: MyPresharedKey [modify as needed]
  • Policy Generation: Default
  • Proposal Checking: Default
  • Encryption algorithm: 3DES
  • Hash algorithm: SHA1
  • DH key group: 2 (1024 bit)
  • Lifetime: 28800

Advanced Options

  • NAT Traversal: Force
  • Dead Peer Detection: on, 10 seconds, 5 retries

Tunnels: Phase 2 (Mobile Client)

  • Disabled: off
  • Mode: Tunnel IPv4
  • Local Network: LAN subnet (NAT/BINAT: None)
  • Description: [empty]

Phase 2 proposal (SA/Key Exchange)

  • Protocol: ESP
  • Encryption algorithms: AES auto, Blowfish auto, 3DES, CAST128
  • Hash algorithms: MD5, SHA1
  • PFS key group: off
  • Lifetime: 3600

Advanced Options

  • Automatically ping host: [empty]

Mobile clients

  • IKE Extensions: on

Extended Authentication (Xauth)

  • User Authentication: LocalDatabase
  • Group Authentication: none

Client Configuration (mode-cfg)

  • Virtual Address Pool: on, Network: 192.168.100.0 / 24 [modify as needed]
  • Network List: off
  • Save Xauth Password: off
  • DNS Default Domain: on, local.foo.com [modify as needed]
  • Split DNS: off
  • DNS Servers: on, Server #1: 192.168.1.200 [modify as needed]
  • WINS Servers: off
  • Phase2 PFS Group: off
  • Login Banner: on, Warning: don't be naughty! [modify as needed]

Pre-Shared Keys

  • Identifier: MyIdentifier [modify as needed, should match Peer identifier above]
  • Pre-Shared Key: MyPresharedKey [modify as needed, should match Pre-Shared Key above]

Firewall: Rules

In Firewall -> Rules, go to the IPsec tab and make sure there’s a rule to allow all IPv4 traffic from anywhere to anywhere.

OS X configuration

In System Preferences -> Network, add a new interface of type VPN, VPN Type Cisco IPSec, and Service Name of your choice.

Server Address is the public IP of your firewall. Account Name is the pfSense user you set up earlier.

In Authentication Settings, Shared Secret is the pre-shared key you created on pfSense earlier, and Group Name is the identifier you created on pfSense earlier.

iOS configuration

In Settings -> VPN, add a new VPN configuration of type IPSec.

Description is up to you. Server is the public IP of your firewall. Account is the pfSense user you set up earlier. Group Name is the identifier you created on pfSense earlier. Secret is the pre-shared key you created on pfSense earlier.
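
The manual OS X and iOS steps above can also be delivered as an Apple configuration profile. The following is an added example, not part of the original post: it builds a `.mobileconfig` with the VPN payload keys for a Cisco IPSec (shared secret + XAuth) connection, and leaves out the XAuth password so the user is prompted at connect time, in line with Save Xauth Password being off on pfSense. The server address `203.0.113.10`, the account `vpnuser` and the `com.example.*` identifiers are constructed placeholders; the resulting file contains the pre-shared key, so it needs the same handling as the key itself.

```python
import plistlib
import uuid


def build_vpn_profile(server, group_name, shared_secret, account,
                      name="Remote access VPN"):
    """Return .mobileconfig bytes for a Cisco IPSec (PSK + XAuth) VPN."""
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.pfsense",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "UserDefinedName": name,           # "Description" / "Service Name" in the UI
        "VPNType": "IPSec",                # shown as "Cisco IPSec" on OS X
        "IPSec": {
            "RemoteAddress": server,               # public IP of the firewall
            "AuthenticationMethod": "SharedSecret",
            "LocalIdentifier": group_name,         # "Group Name" = pfSense identifier
            "LocalIdentifierType": "KeyID",
            "SharedSecret": shared_secret.encode("utf-8"),  # serialized as <data>
            "XAuthEnabled": 1,
            "XAuthName": account,                  # pfSense user with xauth Dialin
            # XAuthPassword is deliberately omitted: the client prompts for it.
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn",    # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": [vpn_payload],
    }
    return plistlib.dumps(profile)  # XML plist


if __name__ == "__main__":
    # Constructed sample values; replace with the ones configured on pfSense.
    data = build_vpn_profile("203.0.113.10", "MyIdentifier",
                             "MyPresharedKey", "vpnuser")
    with open("pfsense-vpn.mobileconfig", "wb") as fh:
        fh.write(data)
```
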

  • Omar Oka

    Thanks, it works. Don't forget to open the network in the firewall.

    • Thanks Omar, have added a line to make sure that the necessary firewall rule is there.

  • Mrks

    Thanks for the detailed instructions, but with which version of pfsense did you try this? On 2.2.3 some of the options are not available or others need to be set (e.g. remote network address in tunnels phase 2)

    • This is for pfSense 2.1. They completely changed the IPSec backend in 2.2, annoyingly. I’ve added a note to make this clearer.

  • Steven Kan

    This is weird; I configured one of my pfsense routers (2.2.4) per these instructions, and then connected my OS X client (10.10.1) successfully and got the Welcome banner. Then I connected my iPhone (9.1) successfully, without changing anything on the pfsense side. Now I can no longer connect from OS X, with the failure “The negotiation with the VPN server failed.”.

    I know that it’s making initial contact with the server, because I see the connection attempt in the pfsense IPSec logs,

    I didn’t change anything on the router between the first time I connected successfully from OS X and the subsequent failures. The only difference is that I connected from my iOS client in between. The iOS client still works.

    • Steven Kan

      I figured it out 🙂

      I was trying to connect both of my clients (iOS and OS X) from a hotel room WiFi, behind a NATed public IP. So the pfsense routers were only allowing one of my clients to connect.

      Once I turned off WiFi on my iPhone (so that it was going out through the cellular network, on a completely different public IP), then both worked fine.

      I was able to connect my Mac to both my home and my office simultaneously.

      iOS apparently supports only one tunnel at a time. Even selecting the other VPN configuration automatically disconnects the current one.

      • Glad it’s all working and you got it sorted, and thanks for sharing your findings.

  • swherry

    Matt – would appreciate knowing what changes you made to make pfsense 2.3.2 work with Mac remote dial in. Between the changes in pfsense and Apple’s El Cap / Sierra changes I am struggling to get a bulletproof configuration. Even my Meraki VPN is flakey after El Cap.

    • New versions of OS X are working fine with 2.1 and 2.2 for me, but I haven’t tried getting OS X working with 2.3 yet.

  • pdwalker

    Group Name is the identifier you created on pfSense earlier

    Sorry, that’s not clear to me. Can you tell me which identifier you mean? Do you mean the “MyIdentifier” under the phase 1 proposal?