This page covers pfSense 1.2.3, for 2.x, see Mobile IPsec on 2.0
Getting a "Road Warrior"/mobile IPsec client up and running can be a little tricky, but the important part is to make sure the settings match up in both server and client. You can adjust the values in this howto to your liking, as long as you make identical changes on pfSense and the client software.
In the WebGUI, go to:
VPN > IPsec, Tunnels
VPN > IPsec, Mobile Clients
Fill in the settings as follows:
Negotiation Mode : Aggressive Server Identifier : My IP Address Encryption Algorithm : 3DES Hash Algorithm : SHA1 DH Key Group : 2 Lifetime : 86400 Authentication Method : Pre-Shared Key
Protocol : ESP Encryption Algorithms : 3DES, Blowfish, CAST128, Rijndael (AES) Hash Algorithms : SHA1, MD5 PFS Key Group : Off Lifetime : 3600
VPN > IPsec, Pre-shared Keys
Identifier : E-mail address, such as email@example.com Pre-shared Key : Random password (the longer the better)
You may want to visit the Status > Services page to ensure that the IPsec/Racoon service is running.
For a mobile IPsec client, I use the Shrew Soft VPN Client. Others may work with similar settings, but I have used this configuration on several client workstations with success.
Install the Shrew Soft client and configure a new connection as follows:
Shrew Soft Client Config:
Host: <pfSense Box WAN IP> Port: 500 Auto: Disabled Adapter: Use virtual adapter and assigned address Address: (pick some other random range you are not using, like 192.168.111.xx) Netmask: 255.255.255.0
The client address range should be a subnet of IP addresses that is not in use on any current interface. It cannot overlap any existing network that pfSense can reach directly. This is done to keep IP addresses consistent when users are working remotely. It will also make firewall rules easier to maintain. However, you could instead set the Adapter setting to "use an existing adapter and current address" and leave the IP address blank. This will pass through the IP address currently assigned to the system running the client. Be aware, however, that if these road warriors are out in various places (Hotels, Airports, etc) the remote network might have conflicting IP addresses with your own.
Leave at defaults
Name Resolution Tab:
Uncheck Enable WINS Uncheck Enable DNS
Authentication Method: Mutual PSK Local Identity: Type: Key Identifier Key ID: E-mail address Remote Identity: Type: IP Address [X] Use Discovered remote host address Credentials: Pre Shared Key: (PSK on server for this e-mail address)
Exchange Type: aggressive DH Exchange: Group 2 Cipher Algorithm: 3DES Hash Algorithm: SHA1 Key Life Time: 86400
Transform Algorithm: esp-3des HMAC Algorithm: SHA1 PFS: Disabled Compress: disabled Key Life Time: 3600
UNCHECK Obtain Topology Automatically Click Add Type: Include Address: (Network behind pfSense you want to access, e.g. 192.168.1.0) Netmask: 255.255.255.0 (Or the appropriate Netmask for that network)
Using the Shrew Soft client is relatively easy, but if more details are needed, let me know.
There is a section in the IPsec Troubleshooting document about debugging issues with the Shrew Soft client.