Training Lab 5: IPsec VPN

Netgate pfSense Plus Fundamentals — Lab 5: IPsec VPN
Hands-on lab covering site-to-site IPsec with pre-shared key and mobile IPsec remote access configuration.

Lab 5: IPsec

In this lab, we connect the HQ and branch networks with a site-to-site IPsec VPN, then configure mobile IPsec to offer a remote access option for mobile clients.

Lab topology references:

  • HQ WAN IP: 192.0.2.2
  • Branch WAN IP: 203.0.113.10
  • HQ network: 172.17.0.0/16
  • Branch network: 172.18.0.0/16

Part 1: IPsec Pre-Shared Key Site-to-Site VPN

Enable fw1-HQ IPsec

On fw1-HQ, browse to VPN > IPsec. Click +Add P1 to add a new Phase 1 configuration.

HQ Phase 1 Configuration

At the resulting Edit Phase 1 screen:

  • Remote Gateway: Branch WAN IP (203.0.113.10)
  • Interface: WAN
  • Description: (your choice)

Phase 1 Proposal Configuration

Scroll down to the Phase 1 proposal configuration.

Generating Pre-Shared Key:

  • Click the yellow button to generate your pre-shared key automatically
  • Make note of it — it will be needed to configure the other end of the VPN

Advanced Options:

  • Leave NAT Traversal to Auto
  • The underlying strongSwan service will determine if NAT-T is required and automatically enable it if so

Leave the other settings at their defaults, then click Save.

Adding HQ Phase 2

Back at the IPsec Tunnels tab, click the + under the newly-created Phase 1 to expose the Phase 2 configuration, then click +Add P2.

Configuring HQ Phase 2

For local and remote networks, use the /16 network summarizing all available IP subnets for each location:

  • Local Network: Type: Network, 172.17.0.0/16
  • Remote Network: Type: Network, 172.18.0.0/16

Phase 2 Proposal Configuration

Choose specific parameters for each area rather than having multiple options enabled. This is always best for site-to-site VPNs.

  • Encryption: AES-256 (single option)
  • Hash: SHA256 (single option)
  • PFS: On (match group)

Having multiple options enabled could lead to a less secure, slower algorithm like 3DES being chosen over a faster, more secure option like AES-256.

Automatically Ping Host

Enter an IP address within the remote subnet to keep the VPN alive:

  • Use fw1-branch LAN IP (e.g., 172.18.1.1)
  • IPsec is "dial-on-demand" — it doesn't try to connect unless traffic is trying to traverse the VPN
  • The IP doesn't have to reply; it's the initiation of the request that triggers the VPN to come up

Then click Save, and at the main IPsec Tunnels screen click Apply Changes.

Configure HQ IPsec Firewall Rules

Traffic coming in via IPsec is filtered by the firewall rules on the IPsec tab. By default, this contains no rules, so all VPN traffic will be blocked.

Browse to Firewall > Rules, IPsec tab. Click Add and configure:

  • Action: Pass
  • Interface: IPsec
  • Protocol: any
  • Source: 172.18.0.0/16
  • Destination: any
  • Description: allow branch network in via IPsec

Click Save, and Apply Changes.

Notes:

  • The outer portion of the VPN requires UDP port 500 and ESP protocol on WAN — these rules are handled automatically
  • Traffic is allowed out from HQ to branch by the default LAN rule
  • The HQ DMZ subnet will not be able to initiate connections to the remote branch network because of the DMZ rule rejecting private network destinations

Configure fw1-branch IPsec

Browse to https://172.18.1.1 to reach fw1-branch.

Add Phase 1 Entry

Add a new Phase 1 entry for the HQ VPN:

  • Remote Gateway: fw1-HQ's WAN IP — 192.0.2.2
  • Match all other parameters exactly with fw1-HQ

Phase 1 Proposal and Advanced

All Phase 1 proposal settings must match exactly to fw1-HQ. After matching up everything, click Save.

Branch Phase 2 Configuration

Add a new Phase 2 entry under the Phase 1 just added. Everything is identical to HQ's Phase 2, except flip local and remote networks:

  • Local Network: 172.18.0.0/16
  • Remote Network: 172.17.0.0/16

Leave Automatically ping host blank on this side (the other end will keep the tunnel active).

Then click Save, and Apply Changes.

Add IPsec Firewall Rule

Browse to Firewall > Rules, IPsec tab, and add an allow-all rule:

  • Action: Pass
  • Interface: IPsec
  • Protocol: any
  • Source: Network, 172.17.0.0/16
  • Destination: any
  • Description: allow HQ in via VPN

Save and Apply Changes.

Testing the VPN

Browse to Status > IPsec on the branch firewall. If the status shows "Disconnected", click the Connect VPN button.

Once something attempts to bring up the VPN (the Connect VPN button or traffic matching the Phase 2 networks), the status should change to ESTABLISHED.

Troubleshooting

If the VPN does not come up:

  • Closely review all settings in Phase 1 and Phase 2 on both sides
  • Check for typos in IP addresses
  • Verify the pre-shared key was pasted correctly
  • Ensure no settings are inadvertently mismatched between the two sides
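
The mismatches this list asks you to hunt for are mechanical enough to check with a script. The following is an added example, not part of the lab and not pfSense's own code: it compares the Phase 1 and Phase 2 settings of both peers, checks that Phase 2 local/remote networks are mirrored, that each side's IPsec-tab pass rule source equals its Phase 2 remote network, and that proposals are single-option and free of weak algorithms such as 3DES. The dict layout and the proposal values (DH/PFS group 14) are constructed for illustration, and the PSK is a placeholder.

```python
import ipaddress

# Constructed lab values for both peers (from the lab topology). The dict layout is
# this example's own, not a pfSense export; proposal values and PSK are placeholders.
HQ = {
    "wan_ip": "192.0.2.2",
    "p1": {"remote_gateway": "203.0.113.10", "psk": "LAB-PSK-PLACEHOLDER",
           "encryption": ["aes256"], "hash": ["sha256"], "dh_group": 14},
    "p2": {"local": "172.17.0.0/16", "remote": "172.18.0.0/16",
           "encryption": ["aes256"], "hash": ["sha256"], "pfs_group": 14},
    "ipsec_rule_source": "172.18.0.0/16",   # source of the IPsec-tab pass rule
}
BRANCH = {
    "wan_ip": "203.0.113.10",
    "p1": {"remote_gateway": "192.0.2.2", "psk": "LAB-PSK-PLACEHOLDER",
           "encryption": ["aes256"], "hash": ["sha256"], "dh_group": 14},
    "p2": {"local": "172.18.0.0/16", "remote": "172.17.0.0/16",
           "encryption": ["aes256"], "hash": ["sha256"], "pfs_group": 14},
    "ipsec_rule_source": "172.17.0.0/16",
}
WEAK = {"des", "3des", "md5"}  # algorithms a multi-option proposal could fall back to

def same_net(a, b):
    return ipaddress.ip_network(a) == ipaddress.ip_network(b)

def check_pair(name_a, a, name_b, b):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    for side, cfg, peer in ((name_a, a, b), (name_b, b, a)):
        if cfg["p1"]["remote_gateway"] != peer["wan_ip"]:
            findings.append(f"{side}: P1 remote gateway is not the peer's WAN IP")
        if not same_net(cfg["ipsec_rule_source"], cfg["p2"]["remote"]):
            findings.append(f"{side}: IPsec pass rule source != P2 remote network")
        for phase in ("p1", "p2"):
            enc, hsh = cfg[phase]["encryption"], cfg[phase]["hash"]
            if len(enc) > 1 or len(hsh) > 1:
                findings.append(f"{side}: {phase} proposal has multiple options enabled")
            if WEAK & {x.lower() for x in enc + hsh}:
                findings.append(f"{side}: {phase} proposal includes a weak algorithm")
    for phase, keys in (("p1", ("psk", "encryption", "hash", "dh_group")),
                        ("p2", ("encryption", "hash", "pfs_group"))):
        for key in keys:
            if a[phase][key] != b[phase][key]:
                findings.append(f"{phase.upper()} {key} differs between {name_a} and {name_b}")
    if not (same_net(a["p2"]["local"], b["p2"]["remote"])
            and same_net(a["p2"]["remote"], b["p2"]["local"])):
        findings.append("P2 local/remote networks are not mirrored between peers")
    return findings

print(check_pair("fw1-HQ", HQ, "fw1-branch", BRANCH) or "no mismatches found")
```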

Passing Traffic Across VPN

On HQ-client, test connectivity:

training@hq-client:~$ ping -c 3 172.18.1.1
training@hq-client:~$ ping -c 3 172.18.1.100

On branch-client, ping back:

training@branch-client:~$ ping -c 3 172.17.1.1
training@branch-client:~$ ping -c 3 172.17.1.100
training@branch-client:~$ ping -c 3 172.17.2.10

You should also be able to browse to web servers in the HQ DMZ network from branch-client.

Part 2: IPsec Remote Access VPN

Next, configure IPsec for mobile clients. This works with any standards-compliant IPsec client, and the settings here are aimed specifically at the Cisco IPsec clients built into Mac OS X and Apple iOS. The Shrew Soft client is used in this lab.

User and Group Setup

IPsec remote-access users require the "IPsec xauth Dialin" privilege.

Add IPsec Mobile Group

On fw1-HQ, browse to System > User Manager, Groups tab. Click +Add:

  • Give the group a name (e.g., "Mobile_IPsec") and description
  • Save
  • Edit the group and under Assigned Privileges, click Add
  • Choose only the "VPN - IPsec xauth Dialin" privilege
  • Save again

Creating User for VPN

Go to the Users tab, click +Add:

  • Username: vpntest
  • Password: password
  • Group: Mobile_IPsec
  • Save

Server Configuration

On fw1-HQ, browse to VPN > IPsec, click the Mobile clients tab:

  • Enable IPsec Mobile Client Support: Checked
  • User Authentication: Local Database
  • Group Authentication: Checked
  • Authentication Groups: Rights for Mobile IPsec (Mobile_IPsec)
  • Virtual Address Pool: 172.17.5.0/24
  • Network List: Checked ("Provide a list of accessible networks to clients")
  • DNS Default Domain: example.com
  • DNS Servers: 172.17.1.1

Leave all other fields at defaults and click Save.

Phase 1 Creation

After saving, you will see a prompt to create a Phase 1 definition for mobile clients. Click Create Phase 1.

  • Key Exchange Version: IKEv1
  • Description: Mobile clients
  • Authentication Method: Mutual PSK + Xauth
  • My Identifier: My IP address
  • Peer Identifier: User distinguished name, vpn@example.com
  • Pre-Shared Key: Generate new (make note of it)
  • Encryption Algorithm: AES 128 bit
  • Hash Algorithm: SHA1
  • DH Group: 2
  • Lifetime: 86400
  • NAT Traversal: Force

Leave all else at defaults, and click Save.

Configure Phase 2

Back at the IPsec Tunnels screen, expand the mobile Phase 1 and click +Add P2:

  • Mode: Tunnel IPv4
  • Local Network: Type: Network, 0.0.0.0/0
  • Encryption: AES 128
  • Hash: SHA1
  • PFS: off
  • Lifetime: 28800

Note: The Phase 2 "Local Network" determines what networks are sent to the client. 0.0.0.0/0 sends all traffic across the VPN. To send only internal traffic, use 172.17.0.0/16 or 172.16.0.0/12.

Then click Save, and Apply Changes. The server-side IPsec configuration is now complete.

Firewall Rule Configuration

Browse to Firewall > Rules, IPsec tab. Add a new rule:

  • Action: Pass
  • Interface: IPsec
  • Protocol: Any
  • Source: Network, 172.17.5.0/24
  • Destination: any
  • Description: allow in mobile client IPsec

Then Save and Apply Changes.

Client Configuration

On remote-host, launch Shrew Soft VPN Access Manager. Click Add to create a new configuration.

General Tab

  • Fill in the WAN IP of fw1-HQ: 192.0.2.2
  • Leave all else at defaults

Authentication Tab

  • Authentication Method: Mutual PSK + XAuth
  • Local Identity: User Fully Qualified Domain Name — vpn@example.com

Remote Identity Tab

  • Choose Identification type: IP address

Credentials Tab

  • Enter or paste the PSK generated during Phase 1 creation

Phase 1 Tab

  • Change DH Exchange to group 2
  • Leave all else at defaults

Phase 2 Tab

  • Set Lifetime to 28800 seconds
  • Leave everything else at defaults

Then click Save. You can rename the connection (e.g., "HQ VPN").

Testing

Select the connection and click Connect. Fill in:

  • Username: vpntest
  • Password: password

Then click Connect. If you see "tunnel enabled" as the last line in the status, it's connected successfully.

Try to ping across to HQ-client (172.17.1.100) and server1 (172.17.2.10).

This concludes the IPsec lab.

Source Attribution

  • Document: FUND001-LIVE-Lab5-IPsec.pdf
  • Course: pfSense Plus Fundamentals and Practical Application
  • Copyright: © 2021 Rubicon Communications, LLC (Netgate)
  • Extracted: 2026-04-23 via pdftotext