pfSense Road Warrior IPsec VPN with ShrewSoft VPN Client, updated for pfSense 2.1-Release


Establish an IPsec VPN from any client system using a Road Warrior type setup (no defined endpoint for the client).


pfSense system running 2.1-release

ShrewSoft IPsec VPN client (we used 2.2.2-release for Windows 7 64-bit).

A basic understanding of networking and troubleshooting.

For Extra Help:

I am active on the pfSense forums and do my best to help anyone who PMs me. My username is "eureka". Please see the following post:,32467.0.html

VPN -> IPsec

Enable “IPsec Mobile client support”


Extended Authentication (Xauth)

Select “User Authentication: Local Database”


Client configuration (mode-cfg)

Enable “Virtual Address Pool”

Create a pool of addresses that you would like your users to be allocated when they connect. In this example I will be using


Enable “Network List”


(OPTIONAL) Enable “DNS Servers” if you have internal DNS servers for your network. Otherwise your name resolution for local domains/servers will not work.

Enable “Phase2 PFS Group”. In our example we use Group 2 (1024 bit).


Just for fun, enable “Login Banner”:

“Welcome! Your VPN IS WORKING!”


Save and apply changes.

*Note: This will tell you that “Support for IPsec Mobile clients is enabled but a Phase1 definition was not found. Please click Create to define one.”


Click on “Create Phase1” to generate a new phase 1 for mobile clients.


Phase1 General Information:

Internet Protocol: IPv4

Interface: WAN

Description: Phase1 for Road Warrior clients.


Phase1 proposal (Authentication):

Authentication method: “Mutual PSK + Xauth”

Negotiation mode: aggressive

My identifier: “My IP address”

Peer Identifier: “Distinguished name”: “”

Pre-Shared Key: “test121212”

Policy Generation: “Unique”

Proposal Checking: “Strict”

Encryption algorithm: “3DES”

Hash algorithm: “SHA256”

DH Group: “2(1024 bit)”

Lifetime: “28800”


Advanced Options:

NAT Traversal: “Force”

Dead Peer Detection: “Enabled”


Save and Apply changes.

Create a Phase 2 entry for the mobile client Phase 1.

Go to VPN -> IPsec -> Expand the new Phase 1 box you just created. It should not have an existing Phase 2. Click on the “+” box next to “P2 Auth Methods”.


Mode: “Tunnel IPv4”

Local Network: “LAN Subnet”

Description: “Phase 2 for Road Warrior Clients”


Phase 2 proposal (SA / Key Exchange):

Protocol: “ESP”

Encryption algorithms: “3DES”

Hash algorithms: “SHA256”

PFS key Group: should say “set globally in mobile client options”; if not, select Group 2.

Lifetime: 3600

Leave “Automatically ping host” blank.

Click SAVE then Apply Changes.

Create a user to connect with:

System -> User Manager

click on the “+” near the bottom right.

Username: “testUser12”

Password: “UserTest12”

Full Name: “A test user”

IPsec Pre-Shared Key: “UserTest12”

Click on the “+” for Effective Privileges.

   Select “User - VPN - IPsec xauth Dialin”

   Click Save.

All other options “default”

Click Save


We can now move on to the config for the ShrewSoft VPN client on a user’s machine. In this example I am using the latest stable ShrewSoft VPN client (2.2.2-release) on a Windows 7 64-bit system that is fully patched.


On the client machine, Launch the “VPN Access Manager”.

Click on the yellow “Add” button to create a new policy.

On the “General Tab”.

  Host Name or IP address: “” Port: 500

  Auto Configuration: “ike config pull”

  -- Local Host --

  Adapter Mode: “Use a virtual adapter and assigned address”

  Check the “Obtain Automatically” box.

  MTU: 1380

On the “Client Tab”.

 -- Firewall Options --

 NAT Traversal: “force-rfc”

 NAT Traversal Port: 4500

 Keep-alive packet rate: “15” secs

 IKE Fragmentation: “Enable”

 Maximum packet size: “540” Bytes

  -- Other Options --

 Enable Dead Peer Detection (yes)

 Enable ISAKMP Failure Notifications (yes)

 Enable Client Login Banner (yes)

On the “Name Resolution Tab”.

  Check “Enable DNS”

  Check “Obtain Automatically”


On the “Authentication Tab”.

  Authentication Method: “Mutual PSK + XAuth”

  Local Identity Tab

    Identification Type: “Fully Qualified Domain Name”

    FQDN String: “”


  Remote Identity Tab

    Identification Type: “IP address”

    Address String: “” (your remote site IP address)



Credentials Tab

    Pre Shared Key: “test121212”

On the “Phase 1 Tab”.

  Exchange Type: “aggressive”

  DH Exchange: “group 2”

  Cipher Algorithm: “3des”

  Hash Algorithm: “sha2-256”

  Key Life Time limit: “28800”

  Key Life Data limit: “0”

On the “Phase 2 Tab”.

  Transform Algorithm: “esp-3des”

  HMAC Algorithm: “sha2-256”

  PFS Exchange: “group 2”

  Compress Algorithm: “disabled”

  Key Life Time limit: “3600”

  Key Life Data limit: “0”


On the “Policy Tab”.

  Policy Generation Level: “auto”

  Check “Obtain Topology Automatically or Tunnel All”


Click Save to save all of the changes
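The most common reason a Road Warrior tunnel fails to come up is a Phase 1 or Phase 2 proposal that differs between the two sides. The following Python checker is an added example, not part of this guide or of pfSense or ShrewSoft: it compares a ShrewSoft policy export against the server values configured above. The .vpn key names and the "n:/s:/b:" line format are assumed from memory of the client's export format, and the sample export is constructed (with one deliberate mismatch).

```python
"""Compare a ShrewSoft policy export against the pfSense proposal from this guide."""
import re

# Server-side values as this guide sets them on pfSense, written in the client's
# vocabulary: pfSense "SHA256" = ShrewSoft "sha2-256", "2 (1024 bit)" = group 2.
PFSENSE = {
    "phase1-exchange": "aggressive", "phase1-cipher": "3des",
    "phase1-hash": "sha2-256", "phase1-dhgroup": 2, "phase1-life-secs": 28800,
    "phase2-transform": "esp-3des", "phase2-hmac": "sha2-256",
    "phase2-pfsgroup": 2, "phase2-life-secs": 3600,
    "network-ike-port": 500, "network-natt-port": 4500,
}

# Constructed sample export. Key names are assumed; "n:" = number, "s:" = string,
# "b:" = base64 blob (the PSK travels in the export, so keep such files private).
SAMPLE_VPN = """\
n:version:4
n:network-ike-port:500
n:network-natt-port:4500
s:network-natt-mode:force-rfc
s:network-host:vpn.example.invalid
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:sha2-256
n:phase1-dhgroup:2
n:phase1-life-secs:28800
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
n:phase2-pfsgroup:2
n:phase2-life-secs:3600
b:auth-mutual-psk:dGVzdDEyMTIxMg==
"""

def parse_vpn(text):
    """Turn 'kind:key:value' lines into a dict; numeric kinds become ints."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"([nsb]):([^:]+):(.*)$", line)
        if m:
            kind, key, val = m.groups()
            policy[key] = int(val) if kind == "n" else val
    return policy

def mismatches(policy, expected=PFSENSE):
    """Return (key, server_value, client_value) for every differing setting."""
    out = []
    for key, want in expected.items():
        got = policy.get(key, "<missing>")
        if str(got).lower() != str(want).lower():
            out.append((key, want, got))
    return out

if __name__ == "__main__":
    for key, want, got in mismatches(parse_vpn(SAMPLE_VPN)):
        print(f"{key}: pfSense={want} client={got}")
```

Run against a real export, the client-side Phase 2 hash in the sample would be flagged as "sha1" where pfSense expects "sha2-256", which is exactly the kind of mismatch that leaves the tunnel stuck after Phase 1.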