pfSense VPN for Road Warriors

This is current for v2.4.1, and is by no means a configuration I’d stand behind as far as being terribly secure for anything you should care about! :) I’ve got a static IP address, so I have a DNS entry that points at my router. If you’ve got a dynamic address, it’d be worth configuring Dynamic DNS to make connecting to your VPN possible.

Here we go… it’s all done in the pfSense webUI of course.

  1. Go to System -> User Manager
  2. Create a new user (not an admin)
  3. Edit the user and go down to Effective Privileges
  4. Add “User - VPN: IPsec xauth Dialin”
  5. Save the user
  6. Go to VPN -> IPsec
  7. Click “Add P1” in the bottom right

Phase 1 Configuration

General information

  1. Untick “Disabled”
  2. Key Exchange Version: IKEv1
  3. Internet Protocol: IPv4
  4. Interface: WAN
  5. Description: Mobile Roadwarrior (or whatever you like)

Phase 1 Proposal (Authentication)

  • Authentication Method: Mutual PSK + Xauth
  • Negotiation mode: Aggressive (the built-in iOS/macOS IPsec client expects this; note that aggressive mode with a PSK lets anyone who can reach UDP/500 on the WAN capture a hash derived from the PSK and crack it offline, so the PSK must be long and random)
  • My identifier: My IP address
  • Peer identifier: Distinguished name, set to RoadWarrior (this is the Group Name the client will need later)
  • Pre-shared key: (PSK, you create this; use a long random string, not a passphrase you can remember)

Phase 1 Proposal (Algorithms)

  • Encryption Algorithm: AES / 128 Bits
  • Hash Algorithm: SHA1
  • DH Group: 2 (1024 bit). This is below current recommendations (2048 bit or better, i.e. group 14 and up); pick the strongest group your clients will actually negotiate.
  • Lifetime (seconds): 86400

Advanced options

  • Disable rekey: Selected
  • Responder only: Disabled
  • NAT Traversal: Force
  • Dead Peer Detection: enabled
  • Delay: 10
  • Max failures: 5

Save Phase 1!

Now click Show Phase 2 Entries and click Add P2

Phase 2 Configuration

General Information

  • Disabled: unticked
  • Mode: Tunnel IPv4
  • Local network: LAN subnet
  • NAT/BINAT translation: None
  • Protocol: ESP
  • Encryption Algorithms: AES 128, Blowfish (Auto), 3DES, CAST128
  • Hash Algorithms: MD5, SHA1
  • PFS key group: off
  • Lifetime: 3600 seconds

A responder that offers several algorithms lets the client pick any of them, so the list above can end up negotiating a 64-bit block cipher (Blowfish, 3DES or CAST128) with MD5. If your clients connect with AES 128 and SHA1 alone, untick the rest. Leaving PFS off means the Phase 2 keys are derived from the Phase 1 secret alone; enabling a PFS group costs little if the clients support it.
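The Phase 1 and Phase 2 proposals above are the kind of thing worth checking mechanically before exposing them on a WAN. The following is an added example, not code from the original post or from pfSense: it transcribes the settings above into a small audit that flags every algorithm a client could negotiate that has a well-known weakness (64-bit block ciphers, MD5, 1024-bit DH, PFS off, aggressive mode with a PSK). The "hardened" set it accepts is an assumption about what the checker should pass, not a claim that every iOS/macOS client will negotiate it.

```python
"""Audit an IKEv1 road-warrior proposal set like the one above.

Added example, not code from the original post or from pfSense. It stores
the well-known weaknesses of the algorithms offered in the Phase 1 and
Phase 2 proposals as lookup tables and reports every setting that lets a
client negotiate something weak.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed lookup tables. The reasons are the standard ones: Sweet32 for
# 64-bit block ciphers, precomputation attacks on 1024-bit DH, and offline
# cracking of the PSK hash leaked by IKEv1 aggressive mode.
WEAK_ENCRYPTION = {
    "DES": "56-bit key, brute-forceable",
    "3DES": "64-bit block cipher (Sweet32)",
    "Blowfish": "64-bit block cipher (Sweet32)",
    "CAST128": "64-bit block cipher (Sweet32)",
}
WEAK_HASH = {"MD5": "deprecated; prefer SHA256 (HMAC-SHA1 is still tolerable)"}
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
MIN_DH_BITS = 2048

Finding = Tuple[str, str, str]  # (phase, setting, reason)


@dataclass
class Phase1:
    mode: str          # "aggressive" or "main"
    auth: str          # "psk_xauth", "psk", "rsa_xauth", "rsa"
    encryption: str
    hash: str
    dh_group: int


@dataclass
class Phase2:
    encryption: List[str]     # every algorithm ticked in the webUI
    hashes: List[str]
    pfs_group: Optional[int]  # None means "PFS key group: off"


def audit(p1: Phase1, p2: Phase2) -> List[Finding]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    findings: List[Finding] = []
    # Aggressive mode sends a hash derived from the PSK before the channel is
    # encrypted, so anyone who can reach UDP/500 on the WAN can crack it offline.
    if p1.mode == "aggressive" and p1.auth.startswith("psk"):
        findings.append(("P1", "Negotiation mode: Aggressive with PSK",
                         "PSK hash exposed to offline cracking; use a long random PSK or certificates"))
    if p1.encryption in WEAK_ENCRYPTION:
        findings.append(("P1", "Encryption: " + p1.encryption, WEAK_ENCRYPTION[p1.encryption]))
    if p1.hash in WEAK_HASH:
        findings.append(("P1", "Hash: " + p1.hash, WEAK_HASH[p1.hash]))
    p1_bits = DH_GROUP_BITS.get(p1.dh_group, 0)
    if p1_bits < MIN_DH_BITS:
        findings.append(("P1", "DH group %d (%d bit)" % (p1.dh_group, p1_bits),
                         "below %d bits; use group 14 or higher if the client supports it" % MIN_DH_BITS))
    # The responder offers every ticked algorithm, so each weak entry is a finding.
    for alg in p2.encryption:
        if alg in WEAK_ENCRYPTION:
            findings.append(("P2", "Encryption: " + alg, WEAK_ENCRYPTION[alg]))
    for alg in p2.hashes:
        if alg in WEAK_HASH:
            findings.append(("P2", "Hash: " + alg, WEAK_HASH[alg]))
    # Without PFS the Phase 2 keys derive from the Phase 1 secret alone, so one
    # compromised Phase 1 exchange exposes every tunnel keyed from it.
    if p2.pfs_group is None:
        findings.append(("P2", "PFS key group: off", "Phase 2 keys are not independent of Phase 1"))
    elif DH_GROUP_BITS.get(p2.pfs_group, 0) < MIN_DH_BITS:
        findings.append(("P2", "PFS group %d" % p2.pfs_group, "below %d bits" % MIN_DH_BITS))
    return findings


# The settings from the post, transcribed.
PAGE_P1 = Phase1(mode="aggressive", auth="psk_xauth", encryption="AES128", hash="SHA1", dh_group=2)
PAGE_P2 = Phase2(encryption=["AES128", "Blowfish", "3DES", "CAST128"], hashes=["MD5", "SHA1"], pfs_group=None)

# A set the audit accepts (assumed; whether a given iOS/macOS client negotiates
# these is something to verify on the device, not something the post establishes).
HARDENED_P1 = Phase1(mode="aggressive", auth="rsa_xauth", encryption="AES128", hash="SHA256", dh_group=14)
HARDENED_P2 = Phase2(encryption=["AES128"], hashes=["SHA256", "SHA1"], pfs_group=14)


if __name__ == "__main__":
    for label, p1, p2 in (("post", PAGE_P1, PAGE_P2), ("hardened", HARDENED_P1, HARDENED_P2)):
        result = audit(p1, p2)
        print("%s: %d finding(s)" % (label, len(result)))
        for phase, setting, reason in result:
            print("  [%s] %s: %s" % (phase, setting, reason))
```

Run as-is it reports seven findings for the post's settings (two in Phase 1, five in Phase 2) and none for the hardened set; edit the two `PAGE_*` transcriptions to match whatever you actually ticked.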

Mobile device configuration

This is tested on iOS and macOS clients; I don’t have any Windows muck to use. :)

iOS

  • Settings -> General -> VPN
  • Add VPN Configuration…
  • Type: IPsec
  • Server: your router’s address (hostname or IP)
  • Account: the username you created
  • Password: the user’s password
  • Use certificate: disabled
  • Group Name: RoadWarrior (needs to match the Peer identifier in Phase 1)
  • Secret: the Pre-shared Key you set in Phase 1

For macOS, do the same in System Preferences -> Network: add a VPN interface of type Cisco IPSec and fill in the same server address, account name, password, group name and shared secret.
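Typing the same five values into every iPhone and Mac gets old, and the iOS "IPSec" type and the macOS "Cisco IPSec" interface are the same client underneath, so one Apple configuration profile (.mobileconfig) can carry the settings above to both. The script below is an added example, not code from the original post or from Apple: it builds that profile with the standard library. The payload keys follow Apple's Configuration Profile Reference for the IPSec VPN payload (`com.apple.vpn.managed`); the server name `vpn.example.net`, the user `alice` and the identifier prefix `net.example.vpn` are placeholders. The Xauth password is deliberately left out so the device prompts for it instead of storing it in a plain-text profile.

```python
"""Generate an Apple configuration profile (.mobileconfig) for the VPN above.

Added example, not code from the original post or from Apple. The payload
keys follow Apple's Configuration Profile Reference for the IPSec VPN
payload (com.apple.vpn.managed); server, user and identifier prefix are
placeholders. The Xauth password is omitted on purpose so the device
prompts for it rather than keeping it in a plain-text profile.
"""
import plistlib
import secrets
import uuid
from typing import Any, Dict


def build_profile(server: str, username: str, group: str, psk: str,
                  display_name: str = "Mobile Roadwarrior",
                  org_id: str = "net.example.vpn") -> bytes:
    """Return the XML plist bytes of a profile that installs one IPsec VPN entry."""
    vpn_payload: Dict[str, Any] = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id + ".ipsec",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "UserDefinedName": display_name,            # name shown in the VPN list
        "VPNType": "IPSec",                         # the IKEv1 "Cisco IPSec" client
        "IPSec": {
            "RemoteAddress": server,                # Server field
            "AuthenticationMethod": "SharedSecret", # Mutual PSK + Xauth
            "SharedSecret": psk.encode("utf-8"),    # serialised as <data>
            "LocalIdentifier": group,               # Group Name == pfSense peer identifier
            "LocalIdentifierType": "KeyID",
            "XAuthEnabled": 1,
            "XAuthName": username,                  # Account field
            "PromptForVPNPIN": False,
        },
    }
    profile: Dict[str, Any] = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name + " VPN",
        "PayloadDescription": "IKEv1 PSK + Xauth road-warrior profile",
        "PayloadContent": [vpn_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def load_profile(data: bytes) -> Dict[str, Any]:
    """Parse profile bytes back into a dict, to check what was generated."""
    return plistlib.loads(data)


def write_profile(path: str, data: bytes) -> None:
    """Write the profile; the file must be installed on the device by the user."""
    with open(path, "wb") as fh:
        fh.write(data)


if __name__ == "__main__":
    # A fresh random PSK; paste the same value into the pfSense Phase 1 form.
    psk = secrets.token_urlsafe(32)
    data = build_profile("vpn.example.net", "alice", "RoadWarrior", psk)
    write_profile("roadwarrior.mobileconfig", data)
    print(data.decode("utf-8"))
```

The generated file is unsigned, so both platforms warn on install (AirDrop or mail it to the iPhone and accept it under Settings; double-click it on the Mac). It contains the shared secret in the clear, so treat the file like the PSK itself and delete it once installed.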

Good luck! :)

#pfSense #VPN