IPsec Export Package

The IPsec Export package generates client configurations for mobile IPsec, making it easier to configure remote access clients. This package is available on pfSense® Plus software.

The IPsec Export package contains an IPsec Profile export page for Apple devices and an IPsec Export page for Windows. Both pages work in a similar manner, and give administrators a few extra options to control client behavior.

The package works with most types of mobile IPsec configurations, with some exceptions depending upon settings.

This utility checks configured Mobile Phase 1 and Phase 2 entries and attempts to locate a set of parameters which are compatible with clients. It uses the first match it finds, so order choices in the Phase 1 and Phase 2 list appropriately or manually edit the resulting profile or script as needed.


Apple and Windows do not support certain settings. In these cases, the package will print a notice that it is not possible to export a configuration.

See the Apple Configuration Profile Reference Documentation for details about the contents of profiles and settings they support.

For a full list of parameters compatible with Windows clients, see the Microsoft Documentation for Set-VpnConnectionIPsecConfiguration.

Export Settings

When exporting an IPsec configuration, the following options are available to fine-tune the values put into the generated configuration.

VPN Name

The name of the VPN as seen by the client in their network list. This name is also used when creating the filename of the files exported by the package. It is pre-filled with some basic information, such as the firewall hostname, but it can be customized.

Server Address

Select the server address to be used by the client. This list is generated from the SAN entries on the server certificate.

The hostname used by the client to connect to the server must exist in DNS and it must be present in the server certificate SAN list for the client to properly validate the certificate.

Set to Custom Hostname to fill in a hostname other than one shown in the list.

Custom Hostname

A text field for a custom fully qualified domain name to which the client can connect. As with the Server Address, this must exist in DNS and be in the server certificate SAN list.

VPN Client (Apple)

The user for which the package will generate a configuration. Depending on the Mobile IPsec Phase 1 settings, this could either be a user or a TLS certificate.

When using certificates, the list contains certificates which were signed by the CA selected on the mobile IPsec Phase 1 IPsec Peer Certificate Authority.


This differs from Windows because Windows can prompt for a username, but Apple requires it to be present in the profile.

TLS User Certificate (Windows)

The TLS user certificate to include in the exported configuration, if needed. This field is only visible when the Mobile IPsec Phase 1 settings require a client certificate (e.g. EAP-TLS).

Export a Client Configuration

The process to export a client for an existing Mobile IPsec configuration varies slightly for Apple and Windows.


  • Navigate to VPN > IPsec Export: Apple

  • Configure the settings as described in Export Settings

  • Click View to display the generated configuration profile

  • Review the profile contents and confirm it is acceptable

  • Click Download to download the configuration profile

Apple Client Configuration

Visit the Apple Configurator Site for details about creating and using profiles. The process varies between iOS and macOS.


  • Navigate to VPN > IPsec Export: Windows

  • Configure the settings as described in Export Settings

  • Click View to display the generated PowerShell script

  • Review the script contents and confirm it is acceptable

  • Click Download to download a ZIP archive containing the PowerShell script and the required certificates.

If the Network List option is active on the Mobile Clients tab in IPsec settings, the script will include parameters to setup Split Tunneling on the client as well as commands to configure routes on the VPN for networks configured in the mobile Phase 2 entries.

Windows Client Configuration

On the client system, unzip the configuration archive and run the script. The commands in the PowerShell script will import certificates and setup the VPN on the client workstation.

Running PowerShell scripts on Windows is disabled by default. If scripting is disabled, the commands may be copied and pasted into a PowerShell prompt.

See also

Local policies may override that behavior. See the PowerShell Execution Policies Documentation for details.


Some commands may require Administrator access, such as importing the CA certificate. Run these commands at an Administrator-level PowerShell prompt or use an alternate method.