Can pfSense tunnel as IKEv2 client?
  • I gave it a go now that it has support for VTI but I need to authenticate using username+password and authentication fails. :/

    For My identifier I tried every option that would let me enter the username string, and entered the password in the Pre-Shared Key box. Is that alright?

    In Peer identifier I selected Any.

    This is the end of the logs, newest on top:

    Dec 18 18:29:18 charon 11[IKE] <con2000|21> IKE_SA con2000[21] state change: CONNECTING => DESTROYING
    Dec 18 18:29:18 charon 11[IKE] <con2000|21> no shared key found for 'egrghr_fbhgux' - 'hostname.blahblah.burkerking'
    Dec 18 18:29:18 charon 11[IKE] <con2000|21> authentication of 'egrghr_fbhgux' (myself) with pre-shared key
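
The log excerpt above is short, but a real charon log from a failing IPsec attempt can run to hundreds of lines, newest on top. The following is an added example, not code from the post or from pfSense/strongSwan: a small Python parser that turns charon lines of the format shown above into structured records, re-orders them chronologically, and reports per IKE_SA the final state and, for the "no shared key found" case, which local/remote identity pair strongSwan could not find a PSK for. The sample lines are the three from the post, embedded as constructed input; the field names and the `diagnose` helper are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the three lines quoted in the post, newest first.
SAMPLE_LOG = """\
Dec 18 18:29:18 charon 11[IKE] <con2000|21> IKE_SA con2000[21] state change: CONNECTING => DESTROYING
Dec 18 18:29:18 charon 11[IKE] <con2000|21> no shared key found for 'egrghr_fbhgux' - 'hostname.blahblah.burkerking'
Dec 18 18:29:18 charon 11[IKE] <con2000|21> authentication of 'egrghr_fbhgux' (myself) with pre-shared key
"""

# "<timestamp> charon <thread>[<subsystem>] <conn|sa_id> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) charon (?P<thread>\d+)\[(?P<subsys>\w+)\] "
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)> (?P<msg>.*)$"
)
STATE_RE = re.compile(r"IKE_SA \S+ state change: (?P<old>\w+) => (?P<new>\w+)")
NO_KEY_RE = re.compile(r"no shared key found for '(?P<local>[^']+)' - '(?P<remote>[^']+)'")

@dataclass
class CharonEntry:
    ts: str
    thread: int
    subsys: str
    conn: str
    sa: int
    msg: str

def parse_line(line: str) -> Optional[CharonEntry]:
    """Parse one charon line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return CharonEntry(m["ts"], int(m["thread"]), m["subsys"], m["conn"], int(m["sa"]), m["msg"])

def parse_log(text: str) -> list:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]

def diagnose(entries: list, newest_first: bool = True) -> dict:
    """Per (conn, sa_id): last state seen and, if present, the PSK identity mismatch."""
    ordered = list(reversed(entries)) if newest_first else list(entries)
    report: dict = {}
    for e in ordered:
        sa = report.setdefault((e.conn, e.sa),
                               {"final_state": None, "local_id": None, "remote_id": None, "reason": None})
        m = STATE_RE.search(e.msg)
        if m:
            sa["final_state"] = m["new"]
        m = NO_KEY_RE.search(e.msg)
        if m:  # strongSwan found no PSK configured for this local/remote identity pair
            sa["local_id"], sa["remote_id"] = m["local"], m["remote"]
            sa["reason"] = "no PSK matched the local/remote identity pair"
    return report
```

Running `diagnose(parse_log(SAMPLE_LOG))` on the quoted lines reports SA con2000[21] ending in DESTROYING because no PSK matched the pair 'egrghr_fbhgux' / 'hostname.blahblah.burkerking', which is the identity pair to compare against the My identifier / Peer identifier settings.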
  • Rebel Alliance Developer Netgate

    No, it cannot use username+password authentication as an IPsec client.
  • Thanks for clearing that up!

    You were specific though; does that mean it could use another method to authenticate? Like Mutual RSA as an IPsec client? 🤞🏼

  • Rebel Alliance Developer Netgate

    It depends on the context. pfSense can act as a "client" for site-to-site style connections using certificate-based auth, but it is not made to support a "mobile" or remote access style client setup where the server side sends configuration data such as the interface address to use.