IPsec mobile client configuration

In the previous section, we configured an IPsec tunnel in which authentication is done through either a PSK or certificates. This is acceptable for connecting two routers, but what if there are multiple mobile clients? In such scenarios, it makes sense to configure settings for each individual user, and we can do that via the Mobile Clients tab.

The IPsec Mobile Clients tab.

The first option on the Mobile Clients tab is the IKE Extensions checkbox. If checked, IPsec mobile client support will be enabled. The next section is Extended Authentication (Xauth). The User Authentication listbox allows you to choose what database is used for authentication. The only option seems to be Local Database and this will allow for authentication through the pfSense user manager. Next is the Group Authentication drop-down box; select system for user manager authentication.

The last section is Client Configuration (mode-cfg). The first option is the Virtual Address Pool checkbox, which, if checked, provides virtual IP addresses to clients. If checked, you must enter a network mask (and the corresponding CIDR) in the edit box that will appear below the checkbox. The Virtual IPv6 Address Pool option also allows you to provide virtual IP addresses, but they will be IPv6 addresses instead of IPv4 addresses.

The Network List checkbox, if checked, will provide a list of accessible networks to mobile clients. The Save Xauth password option will allow clients to save Xauth passwords if checked, but will only work if the mobile user is using a Cisco VPN client. The DNS Default Domain checkbox will, if checked, cause pfSense to provide a default domain to clients; if checked, you must specify a DNS domain in the edit box that will appear below the checkbox. Split DNS, if checked, will enable you to provide a list of split DNS domain names to the mobile clients; this allows you to provide different sets of DNS information based on the source address of the DNS request. The domain names should be entered in the edit box below the checkbox and should be separated by commas.

The DNS Servers checkbox, if checked, allows you to provide a DNS server list to clients, which you will then have to enter in edit boxes below the checkbox. The WINS Servers checkbox is similar, only you are providing IP addresses to WINS servers. Checking Phase 2 PFS Group allows you to set a PFS group for mobile clients using the Group drop-down box. This will override whatever was set during Phase 2 configuration. Finally, the Login Banner checkbox, if checked, will allow you to provide a login banner to clients, which you can then enter in the edit box below the checkbox. When you are done, click on the Save button and click on the Apply Changes button on the main IPsec page.
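The Virtual Address Pool handed to mobile clients must not collide with the networks they are given access to (the LAN, plus anything in the Network List), which is the overlap situation the Auto-exclude LAN address option on the Advanced Settings tab works around. The following check is an added example, not pfSense's own code; the network values are constructed for illustration.

```python
import ipaddress


def check_virtual_pool(pool, local_subnets, expected_clients=0):
    """Return a list of problems with a mobile-client virtual address pool.

    pool             -- the Virtual Address Pool (IPv4 or IPv6) as "network/prefix"
    local_subnets    -- networks on the pfSense side: the LAN plus anything in
                        the Network List handed to clients
    expected_clients -- simultaneous clients the pool must be able to serve
    """
    pool_net = ipaddress.ip_network(pool, strict=False)
    problems = []
    for subnet in local_subnets:
        net = ipaddress.ip_network(subnet, strict=False)
        # Networks of a different IP version can never overlap; skip them.
        if net.version == pool_net.version and net.overlaps(pool_net):
            problems.append(f"pool {pool_net} overlaps local network {net}")
    if expected_clients and pool_net.num_addresses < expected_clients:
        problems.append(f"pool {pool_net} has {pool_net.num_addresses} "
                        f"addresses for {expected_clients} clients")
    return problems


# Constructed sample: a LAN, a second internal network, and an IPv6 prefix.
LOCAL_NETWORKS = ["192.168.1.0/24", "10.10.0.0/16", "fd00:1::/48"]

if __name__ == "__main__":
    for candidate in ["10.10.5.0/24", "fd00:1:0:5::/64", "10.200.0.0/24"]:
        print(candidate, check_virtual_pool(candidate, LOCAL_NETWORKS, 50) or "ok")
```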

The next tab under IPsec is Pre-Shared Keys. This tab allows you to add new keys and edit existing ones. If you click on this tab, you will see a table containing any previously entered keys. To add a new key, click on the Add button below the table on the right side.

The first option on the Pre-Shared Keys configuration page is the Identifier edit box. You can enter an IP address here, an FQDN (fully qualified domain name), or an email address. The next option is the Secret type drop-down box; here you can select PSK or Extensible Authentication Protocol (EAP), a protocol commonly used for wireless networks. Finally, in the Pre-Shared Key edit box, you can enter a PSK. Note that you can create a PSK that can be used by anyone by entering the value any in the Identifier field. When you are done, click on the Save button and then click on Apply Changes on the main IPsec page.
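Because an entry with the identifier any authenticates every peer that knows the secret, the Pre-Shared Keys table is worth auditing before the configuration is applied. The script below is an added example, not part of pfSense or this text: it classifies each Identifier into the forms the tab accepts (IP address, FQDN, email address, or any), gives PSK-type secrets a rough strength estimate, and flags secrets shared between entries. The sample table, the 128-bit threshold, and the decision to leave EAP secrets out of the strength check are all assumptions.

```python
import ipaddress
import math
import re

# Identifier forms the Pre-Shared Keys tab accepts: IP, FQDN, e-mail, or "any".
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@(\S+)$")

def identifier_type(identifier):
    ident = identifier.strip()
    if ident.lower() == "any":
        return "any"
    try:
        ipaddress.ip_address(ident)
        return "ip"
    except ValueError:
        at = EMAIL_RE.match(ident)
        if at and FQDN_RE.match(at.group(1)):
            return "email"
        return "fqdn" if FQDN_RE.match(ident) else "invalid"

def psk_entropy_bits(secret):
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))
    pool = sum(size for pattern, size in classes if re.search(pattern, secret))
    return int(len(secret) * math.log2(pool)) if pool else 0  # length * log2(alphabet)

def audit_psk_entries(entries, min_bits=128):
    """Return (identifier, issue) pairs a reviewer of the PSK table should look at."""
    findings, first_user = [], {}
    for entry in entries:
        ident, kind = entry["identifier"], identifier_type(entry["identifier"])
        if kind == "invalid":
            findings.append((ident, "invalid-identifier"))
        elif kind == "any":
            findings.append((ident, "wildcard-identifier"))
        # Strength check only for PSK-type entries (EAP secrets assumed out of scope).
        if entry["type"] == "PSK" and psk_entropy_bits(entry["secret"]) < min_bits:
            findings.append((ident, "weak-psk"))
        if entry["secret"] in first_user:
            findings.append((ident, "reused-secret"))
        first_user.setdefault(entry["secret"], ident)
    return findings

# Constructed sample table; no value here comes from a real deployment.
SAMPLE_ENTRIES = [
    {"identifier": "203.0.113.10", "type": "PSK", "secret": "c1e7a9f04b2d8e6f3a5c7b9d1e2f4a60"},
    {"identifier": "any", "type": "PSK", "secret": "secret123"},
    {"identifier": "alice@example.com", "type": "EAP", "secret": "Tr0ub4dor&3"},
    {"identifier": "branch office", "type": "PSK", "secret": "secret123"},
]
```

Running audit_psk_entries(SAMPLE_ENTRIES) flags the any entry as a wildcard with a weak secret, and the last entry as an invalid identifier that also reuses that weak secret.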

The last tab is Advanced Settings, which presents a single page divided into two sections: IPsec Logging Controls and Advanced IPsec Settings. IPsec Logging Controls allows you to set different levels of logging for different components of IPsec (for example, Daemon, SA Manager, Job Processing, and so on). Each component has a corresponding drop-down box, which allows you to set the levels of logging. These are:

  • Silent: There will be no logging.
  • Audit: Logs audit events, which are generated when a service is accessed.
  • Control: Logs access control events. This is the default logging level.
  • Diag: Logs all diagnostic messages.
  • Raw: Displays the contents of log files as-is without any parsing from the GUI.
  • Highest: Displays all logs.

The next section of the page is Advanced IPsec Settings. The first option in this section is the Configure Unique IDs as drop-down box. This value determines whether a participant IKE ID should be kept unique.

The IP Compression checkbox, if checked, will enable IPComp compression of content. The Strict interface binding checkbox will enable strongSwan's interfaces_use option, which binds the daemon to specific interfaces only. The Unencrypted payloads in IKEv1 Main Mode checkbox allows you to enable unencrypted ID and HASH payloads in IKEv1 Main Mode. Some implementations send the third Main Mode message unencrypted, and if you need to send unencrypted ID and HASH payloads to maintain compatibility with them, you can enable this option, but you should only do so if absolutely necessary.

The Enable Maximum MSS checkbox enables MSS clamping if checked. This is useful if you are having problems with Path MTU Discovery (PMTUD), which can be the case if large packets have problems being transmitted over the IPsec tunnel. Enable Cisco Extensions, if checked, will enable the Cisco Unity plugin, which provides Cisco extension support.

The Strict CRL Checking checkbox will, if checked, require availability of a fresh Certificate Revocation List (CRL) for peer authentication. If the Make before Break checkbox is checked, pfSense will create new SAs during re-authentication before deleting the old SAs. This is the reverse of the default behavior, in which SAs are deleted before new ones are created. This is advantageous in that it can help avoid connectivity gaps, but it must be supported by the peer if it is to work.

Finally, the Auto-exclude LAN address checkbox is designed to address cases in which the remote subnet overlaps with the local subnet. If this box is checked, traffic from the LAN subnet to the LAN IP address will be excluded from IPsec. Click on Save when done and then click on Apply Changes on the main IPsec page.
