Mobile Clients - To IPSec or Not to IPSec, that is the question?


  • I'm getting ready to install an HA pair of Netgate/pfSense 8860 boxes for some hosting that I do for some customers. This will be replacing a PIX, with IPSec mobile clients (and a couple site to site tunnels). Obviously with the changes in OS's over the years, I've had to make some alternate provisions for some of the mobile clients that are trying to connect to the network, most notably with Macs, but now with Windows 10 as well. All these users have to have their own logins and have to be restricted to certain parts of the network depending on their login (group).

    I've been experimenting with a Windows 7 box and a APU4 (running 2.2.6) and after several days, I'm still not able to make an IKEv2 connection despite all the documentation here and thru the manuals, etc., which is very disheartening…with over 18 years of networking experience on many different manufacturer platforms, I've never had any VPN setup that has been this difficult to get going.

    So I ask, is IPSec really the way to go for mobile clients (keep in mind, I'm only looking for Windows Vista thru 10 & newer Mac OS here, no iOS, Android, etc)?  Should I be looking at OpenVPN instead?

    Any input is greatly appreciated...

  • Rebel Alliance Developer Netgate

    If you are OK with running the OpenVPN client as Admin (or picking up some Viscosity licenses at $9/user), OpenVPN is definitely a great option that is known to work across most platforms.

    IKEv2 can be a little tricky to get going but isn't usually that hard. It's not an option for Vista though, and 7 can be quite tricky due to how it handles the certs, but 8.1/10 and Mac OS 10.11 run IKEv2 very well.


  • I have deployed the IPsec VPN at several locations using the Microsoft integrated VPN client with IKEv2. So far it's been pretty much flawless! I especially like it over OpenVPN because OpenVPN does not allow VPN authentication prior to login to the PC. Also, OpenVPN on Mac has been very hit or miss, but IKEv2 on Mac is also flawless!


  • Most of the issues I experienced were related to improperly configuring the certificates. You need to make sure that the firewall name matches the DNS name used in the certificate. Also make sure that you properly add the DNS name and the IP address during certificate creation. The other gotcha was making sure that the fully qualified certificate was added to the proper certificate store on the computer. If you have followed everything else then it should work perfectly. The only other piece is in the IKE configuration of the VPN client.
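
The name-matching rule behind the advice above, as an added example that is not from the thread or from pfSense: given the address a client is told to dial and the Subject Alternative Names entered when the server certificate was created, decide whether the certificate covers that address. The SAN list and addresses below are constructed; a name typed into the DNS field does not cover an IP the client dials, and vice versa.

```python
"""Check whether the address a VPN client dials is covered by the
server certificate's Subject Alternative Names: exact DNS match,
a single-label wildcard, or an IP Address SAN. The subject CN is
deliberately not used as a fallback."""
import ipaddress

# Constructed SAN entries, as they would be added on the firewall's
# certificate creation page: (type, value) pairs.
EXAMPLE_SAN = [
    ("DNS", "vpn.example.com"),
    ("IP Address", "203.0.113.10"),
]


def _dns_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS match; a wildcard is accepted only as the
    whole leftmost label and never matches across a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def san_matches(server_address: str, san_entries) -> bool:
    """True if server_address (DNS name or IP literal) is covered by
    one of the (type, value) SAN entries."""
    try:
        addr = ipaddress.ip_address(server_address)
    except ValueError:
        addr = None  # not an IP literal, so treat it as a DNS name
    for kind, value in san_entries:
        if addr is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == addr:
                    return True
            except ValueError:
                continue  # malformed IP entry, skip it
        elif addr is None and kind == "DNS":
            if _dns_matches(value, server_address):
                return True
    return False


if __name__ == "__main__":
    for dialed in ("vpn.example.com", "203.0.113.10", "fw.example.com"):
        print(dialed, "->", "OK" if san_matches(dialed, EXAMPLE_SAN) else "MISMATCH")
```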


  • @kapara:

    Most of the issues I experienced were related to improperly configuring the certificates. You need to make sure that the firewall name matches the DNS name used in the certificate. Also make sure that you properly add the DNS name and the IP address during certificate creation. The other gotcha was making sure that the fully qualified certificate was added to the proper certificate store on the computer. If you have followed everything else then it should work perfectly. The only other piece is in the IKE configuration of the VPN client.

    From what I was seeing in the logs, I'm thinking this was most of my problem as well, but I could not find a step-by-step guide on "this is how you want to create your certificates and this is how you want to install them" - I had to grab bits and pieces of info that I could find to try to make it work and well, I don't think it did. Do you recommend any guides or instructions that you found were helpful?

    As for the OpenVPN, I really need a solution that I know is going to be reliable across multiple OS's, for a time to come.  I can't have the same thing happen where all of a sudden Apple decides to release an OS update and I'm getting phone calls because a customer's VPN client quit working.  This is the only thing that is making me leery of going this route…


  • Post what you have done and I can try and help isolate where you made a mistake. The more detail the better. Screenshots and all. Just mask or blur IPs etc. To test I use simple passwords.


  • Sorry, been swamped as of late and had to scrap what I had.  I'm going to make another run at it tonight/tomorrow and post my findings…


  • @kapara:

    I have deployed the IPsec VPN at several locations using the Microsoft integrated VPN client with IKEv2. So far it's been pretty much flawless! […] IKEv2 on Mac is also flawless!

    Any chance you could post detailed screenshots of how you set that up? I wasted 2 whole Saturdays fiddling trying to get it to work on MacOS X 10.11 as well as iPhone without much success. Wife was not happy.  :-\