This recipe demonstrated how to set up a client-server IPsec connection on the server side, but we deliberately left out how to set up the IPsec client. This we will do in the next recipe, Connecting to the IPsec VPN service.

IPsec mobile client configuration has several options that we did not cover in this recipe. Here are some of the more useful options:

• Provide virtual IPv6 addresses to clients: pfSense supports IPv6; thus, we can assign virtual IPv6 addresses if we enable this option.
• Provide a list of accessible networks to clients: If enabled, remote clients will receive a list of accessible local networks.
• Provide a list of split DNS domain names to clients: If enabled, you may specify different DNS zones for IPsec users. If a client connects through an IPsec tunnel, they will be accessing internal resources as if they are on the internal network, and therefore they may have to use different IP addresses than they would if they were trying to access them externally.
• WINS Servers: If this option is enabled, you can specify WINS servers for name resolution.
• Phase2 PFS Group: If this option is enabled, you can configure a Perfect Forward Security group for clients that will override PFS settings in phase 2.

There are two additional tabs on the IPsec settings page:

• Pre-Shared Keys: This page contains a table with all IPsec pre-shared keys, including ones corresponding to users created in the User Manager. You can also add pre-shared keys from this tab.
• Advanced Settings: The first section of the Advanced Settings tab is devoted to logging controls, which allows you to control the log verbosity for a number of different elements related to the IPsec Daemon. The second section is devoted to various parameters that you most likely will not need to change, but they are configurable here nonetheless.