Virtual Address Pool in Pre-Shared Keys tab nicely works with EAP-TLS
-
Re: Virtual Address Pool in Pre-Shared Keys is not used for ipsec
Sorry if this is already posted elsewhere:
But I was not aware that the "Pre-Shared Keys" tab in the IPsec section can also be used to define user-based Virtual Address Pools if you set the auth mode in Phase 1 to EAP-TLS (i.e., using user certificates generated with the same CA on pfSense that you use for the IPsec server cert). Since the Pre-Shared Key field is not allowed to be empty, you can use it as a comment field ("cert auth").
Using "VPN > IPsec > IPsec Export" from the ipsec-profile-wizard package, you are automatically offered the TLS certs issued by your CA in the "VPN Client" dropdown. It nicely packages the CA cert, user cert, private key and the IPsec config into one easily installable profile for macOS and iOS (I didn't test the Windows part).
Notable: the "Local ID" field in the IKEv2 config was automatically prefilled on macOS/iOS. That was not the case when using EAP-MSChapv2 for auth. As @heltech points out, it could be filled with the Identifier given in the Pre-Shared Keys entry of the user to make user pools work. Using EAP-TLS makes this step unnecessary.
The only small problem I noticed so far: when installing the apple profile on a client, the CA cert is not trusted for SSL server usage out of the box. This might confront you with an untrusted cert alert e.g., for your pfSense web GUI. Easily correctable though in Keychain (macOS) or General > About > Certificate Trust Settings in iOS.
For me, this is a perfect solution for a user friendly separation of VPN privileges controllable via firewall rules on the IPsec interface.
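What the setup described in this post amounts to on the IKE daemon side, written out as a hand-made strongSwan swanctl.conf rather than anything the poster or pfSense produced: the gateway authenticates with its server certificate, clients authenticate with EAP-TLS using user certs from the same CA, and each user identity is tied to its own virtual address pool so that firewall rules on the IPsec interface can match a user's subnet. This is an added illustration, not pfSense's generated configuration; the hostnames, addresses, file names, identities and proposal choices are all assumptions, and how pfSense actually maps a Pre-Shared Keys entry to a connection block is not shown on this page.

```conf
# Added example: hand-written strongSwan swanctl.conf, not pfSense output.
# All names, addresses and file names below are assumptions.

connections {
    # One connection per user. swanctl picks the block whose remote id
    # matches the IKE identity the client presents (the "Local ID" that
    # the exported profile prefills), so each user lands in its own pool.
    mobile-alice {
        version      = 2
        local_addrs  = 203.0.113.1          # assumed gateway WAN address
        remote_addrs = %any
        pools        = pool_alice
        proposals    = aes256-sha256-ecp384

        local {
            auth  = pubkey
            certs = vpn.example.com.crt     # server cert from the pfSense CA
            id    = vpn.example.com
        }
        remote {
            auth = eap-tls                  # client proves a user cert via EAP-TLS
            id   = alice@example.com        # identity as in the Pre-Shared Keys entry
        }
        children {
            mobile-alice {
                local_ts      = 0.0.0.0/0   # full tunnel; narrow to the LAN if wanted
                esp_proposals = aes256gcm16-ecp384
            }
        }
    }

    mobile-bob {
        version      = 2
        local_addrs  = 203.0.113.1
        remote_addrs = %any
        pools        = pool_bob
        proposals    = aes256-sha256-ecp384

        local {
            auth  = pubkey
            certs = vpn.example.com.crt
            id    = vpn.example.com
        }
        remote {
            auth = eap-tls
            id   = bob@example.com
        }
        children {
            mobile-bob {
                local_ts      = 0.0.0.0/0
                esp_proposals = aes256gcm16-ecp384
            }
        }
    }
}

pools {
    # Disjoint ranges per user. Firewall rules on the IPsec interface can
    # then grant or deny access by source subnet, i.e. by user.
    pool_alice {
        addrs = 10.100.1.0/24
        dns   = 192.0.2.53
    }
    pool_bob {
        addrs = 10.100.2.0/24
        dns   = 192.0.2.53
    }
}

authorities {
    # The CA that issued both the server cert and the user certs.
    pfsense-ca {
        cacert = pfsense-ca.crt
    }
}
```

The point to check after a client connects is that its assigned virtual address falls in the pool belonging to the identity it authenticated with; if two users share a pool, or a user's cert identity does not match the `remote.id` of the intended block, the daemon may fall back to a different connection and the per-user firewall rules silently stop meaning what you think they mean.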