Netgate Blog

Significant IPsec Improvements now in 1.3!

We are pleased to welcome Matthew Grooms as our newest pfSense committer. As the developer of the Shrew Soft VPN client and an ipsec-tools developer, he brings a vast knowledge of IPsec to our development team.

Matthew recently committed some great IPsec improvements to 1.3. He provided the following, outlining these changes.

Completed Work

  1. Split IPsec configuration into phase1 and phase2
  2. Allow for multiple phase2 configurations for a single phase1 - this means you no longer have to create parallel tunnels for routing multiple subnets between two sites.
  3. Enable a broader range of ID types to be specified
  4. Improve options for variable length key cyphers ( Blowfish & AES )
  5. Proper handling of address vs subnet negotiations in phase2
  6. Introduce Hybrid, Xauth and modecfg support for remote access
  7. Update Mobile access to allow for more secure policy generation
  8. Update Mobile access configuration to define modecfg-attributes
  9. Introduce initial support for user authentication
  10. NAT-Traversal (NAT-T)

Remaining To Complete

  1. Improve user management interface for mobile clients
  2. Introduce RADIUS and LDAP support for extended auth
  3. Improve IPsec SPD/SAD management to not purge active SAs on reload
  4. Improve certificate management for IPsec configurations
  5. Look into support for dyndns -> dyndns IPsec peers

More information

For those not exceptionally familiar with IPsec, the above lists may not tell you much of anything. More information on usage and what all this means will come in the future.

Trying it out

This work is currently available in 1.3 snapshots. We encourage you to provide feedback on the mailing list or 1.3 board on the forum if you try it.


Many thanks to Matthew for all his work on this! When completed, this will bring the most capable IPsec implementation of any open source firewall distribution to pfSense - by far. It will also provide a standards-compliant IPsec solution better than most commercial firewalls (what exists in 1.2 is already better than a number of them).