How to create a pfSense Mobile (dialup) IPSEC VPN for a remote VPN client.

Hi all,

If you have an existing VPN client and would like to connect to a pfSense firewall, this is how to do it.

I am currently connecting to my pfSense firewall which you can deploy with a click of a button on Piggybank Cloud.


This will set up your public IP address and also give you your local LAN subnet. Alternatively you can add a virtual Ethernet adapter and configure your own private IP subnet.

Step 1. Enable and configure Mobile Clients

Click on IPSEC under the VPN tab on the top menu.

Click on the Mobile Clients tab – VPN/IPSEC/Mobile Clients

Tick the box next to Enable IPSEC Mobile Client Support.

Set user authentication to local database

Set group authentication to system


Configure your Virtual Address pool – this will be the subnet addresses that are assigned to the VPN clients.

Configure DNS servers

Click Save and apply

Step 2. Configure IPSEC Mobile Clients Phase 1 

Once you finish configuring the Mobile Clients setting you will be presented with a TAB to edit the Phase 1 of Mobile Clients.



Enter the following settings (you can apply your own encryption, hash, DH group, lifetime, etc.). You need to ensure that the IKE settings on both ends of the tunnel (client and pfSense) match.

  • Authentication method: Mutual PSK + Xauth
  • Negotiation mode: aggressive
  • My identifier: My IP address
  • Peer identifier: User Distinguished Name, for example “”
  • Pre-Shared Key: “Your PSK”
  • Encryption Algorithm: AES 128
  • Hash Algorithm: SHA1
  • DH Key Group: 2
  • Lifetime: 86400
  • NAT Traversal: Force
  • Click Save

Step 3. Configure IPSEC Mobile Clients Phase 2

The IPSEC settings can be configured to your own specification in terms of encryption, hash, PFS, etc., as long as the Phase 2 settings on the client and the pfSense firewall match.


  • Click  inside the Mobile Phase 1 to expand its Phase 2 list.
  • Click (add P2) to add a new Phase 2
  • Enter the following settings:
    • Mode: Tunnel
    • Local Network: Phase 2 network address to be accessed by the VPN client (in this case the LAN subnet)
    • Protocol: ESP
    • Encryption Algorithms: AES 128 only
    • Hash Algorithms: SHA1 only
    • PFS key group: off
    • Lifetime: 28800
  • Add additional phase 2 (created separately)
  • Click Save
  • Click Apply Changes


Step 4. Configure a user on the local database

System > User Manager

Configure your users by entering a username and password and allocating them to groups.

Please make sure you grant users the “VPN – IPsec xauth Dialin” permission as per below; otherwise your users will fail authentication.


Step 5. Create a rule to allow traffic 

Under the Firewall tab, click Rules and create a rule on the IPSEC tab to allow IPSEC traffic.


Step 6. Configure your VPN Client

You can download a copy of the VPN client and a base config from Piggybank Cloud’s Demo account.

Navigate to the following url

Check out the following guide to give you a tour of the platform and to get you familiar with the layout if you need help finding the client.

Get the full tour of Piggybank Cloud’s Client Portal and Virtual Datacentre.


Click View VPN Details

Click Download VPN Config and Download VPN Client

This will give you the Demo account’s VPN details. Once the config is imported, change the following:


Install the VPN Client

Import the downloaded config into the VPN Client by clicking File and then Import.


Change the remote host name or IP address (pfSense in this case)


Change the Identification type – change this to User Fully Qualified Domain Name and add your UFQDN string that you have configured on the pfSense.


Change the PSK (Pre Shared Key) to match what you have configured on your pfSense.


Change the phase 1 settings to match what you have configured on the pfSense


Change the phase 2 settings to match what you have configured on the pfSense


Save your configuration
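
The matching requirement from Steps 2, 3 and 6 can be checked before connecting. The following is an added example, not part of the original guide or of pfSense: it compares the pfSense-side values listed in this guide with a constructed client profile, and flags values that are widely regarded as weak (aggressive mode with a PSK, SHA1, DH group 2, PFS off). The dictionary keys, function names and client profile are assumptions made for illustration.

```python
# Added example. Values in PFSENSE are transcribed from this guide's Phase 1 and
# Phase 2 lists; the key names and function names are hypothetical.
PFSENSE = {
    "p1": {"mode": "aggressive", "auth": "psk+xauth", "enc": "aes128",
           "hash": "sha1", "dh": 2, "lifetime": 86400},
    "p2": {"proto": "esp", "enc": "aes128", "hash": "sha1",
           "pfs": None, "lifetime": 28800},
}

# Constructed client profile with two deliberate differences.
CLIENT = {
    "p1": {**PFSENSE["p1"], "dh": 14},
    "p2": {**PFSENSE["p2"], "hash": "sha256"},
}

def mismatches(server, client):
    """Return (phase, key, server_value, client_value) for every differing setting."""
    out = []
    for phase in ("p1", "p2"):
        for key in sorted(set(server[phase]) | set(client[phase])):
            s, c = server[phase].get(key), client[phase].get(key)
            if s != c:
                out.append((phase, key, s, c))
    return out

def weak_settings(cfg):
    """Flag parameters widely regarded as weak for IKEv1 remote access."""
    p1, p2 = cfg["p1"], cfg["p2"]
    findings = []
    if p1["mode"] == "aggressive" and "psk" in p1["auth"]:
        findings.append("p1: aggressive mode + PSK exposes a PSK-derived hash to offline guessing")
    for phase, p in (("p1", p1), ("p2", p2)):
        if p["hash"] in ("md5", "sha1"):
            findings.append(f"{phase}: {p['hash']} is a deprecated hash")
    if p1["dh"] in (1, 2, 5):
        findings.append(f"p1: DH group {p1['dh']} is a MODP group below 2048 bits")
    if p2["pfs"] is None:
        findings.append("p2: PFS off, so Phase 2 keys derive from the Phase 1 exchange")
    return findings

if __name__ == "__main__":
    for m in mismatches(PFSENSE, CLIENT):
        print("MISMATCH", m)
    for f in weak_settings(PFSENSE):
        print("WEAK", f)
```
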

Step 7. Connect and test your VPN

Highlight your VPN and click Connect, enter your password and you should see the tunnel enabled.


You can click on network to make sure that it is established.


You should now be able to connect to your firewall on the LAN gateway address, or test by pinging a device connected to the pfSense’s LAN interface.

Thank you for reading and be sure to check out our growing number of guides.

Please feel free to leave your feedback below.
