Advanced IPsec Settings

The Advanced Settings tab under VPN > IPsec contains options to control, in general, how the IPsec daemon behaves and how traffic is handled with IPsec.

IPsec Logging Controls

These options control which areas of the IPsec daemon generate log messages and their level of detail. For information on viewing the log, see IPsec Logs.

In most cases the optimal settings are the default: IKE SA, IKE Child SA, and Configuration Backend set to Diag, and all others set to Control.

Configure Unique IDs as

Controls how the IPsec daemon treats new connections with an identifier which matches an existing connection. In most cases a new connection is intended to replace an older connection, but certain use cases such as mobile clients may require multiple connections from the same remote identifier.

Yes (Replace)

The new connection is accepted by the IPsec daemon and it replaces the old connection, which is disconnected.

No

The new connection is accepted and the old connection is replaced only if the peer sends an INITIAL_CONTACT notification.

Never

The new connection is always allowed, and INITIAL_CONTACT notifications are ignored.

Keep

The new connection is rejected and the old connection remains active.

IP Compression

Propose support for IPComp compression.

Warning

Though the option is present in the GUI, the underlying operating system does not yet fully support IP compression.

Strict Interface Binding

When set, the IPsec daemon configuration binds only to the interfaces required by the configuration, rather than binding to all interfaces.

This option is more secure but is known to break with interfaces which have dynamic IP addresses. Only enable this option in environments where it has been lab tested and proven to work as intended.

Unencrypted Payloads in IKEv1 Main Mode

Some IPsec implementations send the third Main Mode message unencrypted, probably to find the PSKs for the specified ID for authentication. This is similar to Aggressive Mode, and has the same security implications: A passive attacker can sniff the negotiated Identity, and start brute forcing the PSK using the HASH payload. The best practice is to keep this option disabled unless the implications are fully understood and compatibility with such devices is required (for example, some SonicWall devices).

MSS Clamping

Enable maximum segment size clamping on TCP flows over IPsec tunnels. This helps overcome problems with path MTU discovery (PMTUD) on IPsec VPN links.

This is useful if large TCP packets have problems traversing the VPN, or if users observe slow or choppy connections across the VPN. Ideally it should be set to the same value on both sides of the VPN, but traffic will have MSS clamping applied in both directions.

Enable

When set, the Maximum MSS option is available and its value is used by the firewall configuration.

Maximum MSS

The maximum segment size set in TCP packets flowing across IPsec VPN tunnels. Defaults to 1400. Must be low enough to account for the overhead of IPsec and the MTU of the link, but not so low that unnecessarily small segments are sent, as that can be inefficient.
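The right Maximum MSS depends on the path MTU and on how much ESP adds around each inner packet, which in turn depends on the cipher (IV length, padding alignment, ICV length) and on whether NAT traversal wraps ESP in UDP. The following added example (not pfSense or strongSwan code) works that overhead out from the ESP framing rules in RFC 4303 and the AES-GCM/ChaCha20-Poly1305 ESP profiles, and computes the largest MSS that still fits a given MTU. The transform names and the sample MTUs are constructed for illustration; the header and ICV sizes are the standard ones.

```python
"""Estimate the largest TCP MSS that fits inside an ESP tunnel for a given MTU.

Added example, not part of the pfSense documentation. Overhead figures follow
RFC 4303 (ESP), RFC 4106 (AES-GCM) and RFC 7634 (ChaCha20-Poly1305).
"""
from dataclasses import dataclass

IPV4_HDR = 20
IPV6_HDR = 40
TCP_HDR = 20       # base header without options; options reduce the usable data further
UDP_HDR = 8        # NAT-T encapsulation (UDP port 4500)
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header


@dataclass(frozen=True)
class EspTransform:
    name: str
    iv_len: int    # explicit IV placed before the encrypted payload
    block: int     # alignment of (payload + padding + trailer); ESP requires at least 4
    icv_len: int   # integrity check value appended after the trailer


# Constructed table of common ESP proposals (strongSwan-style names).
TRANSFORMS = {
    "aes128gcm16": EspTransform("AES-GCM-128 (16-byte ICV)", iv_len=8, block=4, icv_len=16),
    "chacha20poly1305": EspTransform("ChaCha20-Poly1305", iv_len=8, block=4, icv_len=16),
    "aes256-sha256": EspTransform("AES-CBC-256 + HMAC-SHA2-256-128", iv_len=16, block=16, icv_len=16),
    "aes256-sha1": EspTransform("AES-CBC-256 + HMAC-SHA1-96", iv_len=16, block=16, icv_len=12),
}


def _outer_fixed(transform, nat_t, outer_v6):
    """Bytes outside the padded payload: outer IP, optional UDP, ESP header, IV, ICV."""
    outer_ip = IPV6_HDR if outer_v6 else IPV4_HDR
    return outer_ip + (UDP_HDR if nat_t else 0) + ESP_HDR + transform.iv_len + transform.icv_len


def esp_packet_size(mss, transform, nat_t=False, inner_v6=False, outer_v6=False):
    """Size on the wire of a tunnel-mode ESP packet carrying one full TCP segment."""
    inner_ip = IPV6_HDR if inner_v6 else IPV4_HDR
    payload = inner_ip + TCP_HDR + mss + ESP_TRAILER
    padded = -(-payload // transform.block) * transform.block   # round up to alignment
    return _outer_fixed(transform, nat_t, outer_v6) + padded


def max_mss(mtu, transform, nat_t=False, inner_v6=False, outer_v6=False):
    """Largest MSS whose ESP packet still fits in `mtu` bytes."""
    inner_ip = IPV6_HDR if inner_v6 else IPV4_HDR
    room = mtu - _outer_fixed(transform, nat_t, outer_v6)
    room -= room % transform.block                # largest aligned padded payload
    mss = room - ESP_TRAILER - inner_ip - TCP_HDR
    # Sanity check: this MSS fits, one byte more does not.
    assert esp_packet_size(mss, transform, nat_t, inner_v6, outer_v6) <= mtu
    assert esp_packet_size(mss + 1, transform, nat_t, inner_v6, outer_v6) > mtu
    return mss


def default_mss_fits(mtu, transform, nat_t=False, default=1400):
    """Whether the GUI default of 1400 is safe for this link and proposal."""
    return esp_packet_size(default, transform, nat_t) <= mtu


if __name__ == "__main__":
    for key, t in TRANSFORMS.items():
        for nat_t in (False, True):
            print(f"{t.name:38} NAT-T={nat_t!s:5} MTU 1500 -> max MSS {max_mss(1500, t, nat_t)}"
                  f" (default 1400 fits: {default_mss_fits(1500, t, nat_t)})")
```

On a 1500-byte link the default of 1400 is comfortable for AES-GCM, but an AES-CBC proposal with a 128-bit ICV behind NAT-T leaves only 1382 bytes of TCP payload, so the default would still produce oversized ESP packets there; run the table for the proposal actually negotiated on a tunnel before relying on the default.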

Enable Cisco Extensions

Enables the Unity plugin which provides support for Cisco Extensions such as Split-Include, Split-Exclude, and Split-DNS for IKEv1 XAuth mobile clients. This allows clients which support these extensions to obtain values automatically when connecting to a mobile IPsec VPN.

Strict CRL Checking

When set, the IPsec daemon requires availability of a fresh CRL for peer authentication based on certificate signatures to succeed. Primarily useful when the CRL is obtained dynamically (e.g. OCSP).

Make Before Break

Controls whether IKEv2 Reauthentication uses Make-before-Break or Break-before-Make when an IKE Security Association (SA) expires. Must be supported by both peers.

This option is only relevant for IKEv2 tunnels using reauthentication; it does not affect IKEv1 tunnels or IKEv2 tunnels set to rekey.

Break-before-Make (Unchecked, Default)

Deletes IKE and Child SAs before reauthenticating and making a new set of SAs. This behavior is standard and well-supported, but disruptive as there is a small gap between the old and new SA set in which IPsec connectivity is unavailable.

Make-before-Break (Checked)

Reauthenticates and makes a new SA set before deleting the old SA set. This eliminates the connectivity disruption, but requires that both endpoints support overlapping IKE and Child SA entries.

Asynchronous Cryptography

Allows cryptographic framework jobs to be dispatched in a multi-threaded manner to increase performance. Jobs are handled in the order they are received so that packets will be reinjected in the correct order.

Warning

This option can increase performance, but may be unstable on certain hardware. When enabling this option, test connectivity during a maintenance window to ensure proper behavior. See Bug #8964 for details.

Auto-exclude LAN Address

Set up an automatic IPsec bypass for traffic to and from the LAN subnet, so it does not get captured by policy-based IPsec.

Additional IPsec Bypass

Configures additional manual IPsec bypass behavior. When set, the GUI exposes the IPsec Bypass Rules control.

IPsec Bypass Rules

Custom rules which allow traffic matching combinations of Source Address and Destination Address pairs to be excluded from IPsec policies.

Source Address

The source address or network to exclude, and its mask.

Destination Address

The corresponding destination address or network to exclude, and its mask.

Note

These values are considered together. A packet must match both the source and destination to bypass IPsec policies.

These rules are useful to exclude traffic between multiple local networks, especially when a policy-based IPsec tunnel is set to use 0.0.0.0/0 as the remote network.
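The point that a bypass rule only applies when both the source and the destination match, and why that matters when a policy-based tunnel claims 0.0.0.0/0, is easiest to see by evaluating a few packets against a small policy table. The following added example is not pfSense or strongSwan code: it is a simplified model in which bypass rules are consulted before tunnel policies (the effect the page describes for IPsec Bypass Rules) and a bypass pair is assumed to cover traffic in both directions. The subnets and rule set are constructed for illustration.

```python
"""Model of how IPsec bypass pairs interact with policy-based tunnel policies.

Added illustration, not pfSense's implementation. Assumptions: bypass rules take
precedence over tunnel policies, and a Source/Destination pair also exempts the
reply traffic flowing the other way.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class BypassRule:
    source: str        # network in CIDR form
    destination: str   # network in CIDR form


@dataclass(frozen=True)
class TunnelPolicy:
    name: str
    local: str         # local network of a phase 2 entry
    remote: str        # remote network of a phase 2 entry


def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def bypass_matches(rule, src, dst):
    """Both halves of the pair must match; the pair is treated as bidirectional."""
    forward = _in(src, rule.source) and _in(dst, rule.destination)
    reverse = _in(src, rule.destination) and _in(dst, rule.source)
    return forward or reverse


def classify(src, dst, bypass_rules, policies):
    """Return 'bypass', 'tunnel:<name>' or 'clear' for a packet from src to dst."""
    for rule in bypass_rules:
        if bypass_matches(rule, src, dst):
            return "bypass"
    for policy in policies:
        if _in(src, policy.local) and _in(dst, policy.remote):
            return f"tunnel:{policy.name}"
    return "clear"


def auto_exclude_lan(lan_subnet):
    """Equivalent of the Auto-exclude LAN Address option: LAN-to-LAN traffic is exempt."""
    return BypassRule(lan_subnet, lan_subnet)


# Constructed scenario: a LAN, a second local network, and a tunnel that sends
# everything (0.0.0.0/0) to the remote peer.
LAN = "192.0.2.0/24"
DMZ = "198.51.100.0/24"
POLICIES = [TunnelPolicy("site-to-site", local="192.0.2.0/24", remote="0.0.0.0/0")]


def scenario(with_dmz_bypass):
    rules = [auto_exclude_lan(LAN)]
    if with_dmz_bypass:
        rules.append(BypassRule(LAN, DMZ))
    return {
        "lan->lan": classify("192.0.2.10", "192.0.2.20", rules, POLICIES),
        "lan->dmz": classify("192.0.2.10", "198.51.100.5", rules, POLICIES),
        "dmz->lan": classify("198.51.100.5", "192.0.2.10", rules, POLICIES),
        "lan->internet": classify("192.0.2.10", "203.0.113.7", rules, POLICIES),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"DMZ bypass rule present: {flag}")
        for flow, result in scenario(flag).items():
            print(f"  {flow:14} -> {result}")
```

Without the LAN/DMZ pair, traffic from the LAN to the second local network is swallowed by the 0.0.0.0/0 tunnel policy even though the LAN itself is auto-excluded; adding the pair exempts it while the rest of the LAN's traffic still goes through the tunnel.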