Advanced settings

Finally, there is the Advanced Settings tab. There are two sections on this page. The first section is IPsec Logging Controls. This section allows you to control different levels of logging for different components of IPsec. Each component has its own drop-down box; you can set the level of logging in the drop-down box. Levels range from Silent (no logging at all) to Highest (display all logs), with several options in between.

The second section of the page is labeled Advanced IPsec Settings. Configure Unique IDs controls whether a participant's IKE ID should be kept unique. If the IP Compression checkbox is enabled, IPComp compression of content will take place. The Strict interface binding option allows you to enable strongSwan's interfaces_use option, to bind only to specific interfaces. The Unencrypted payloads in IKEv1 option, if enabled, allows IPsec to send unencrypted ID and HASH payloads in IKEv1 main mode.

If Enable Maximum MSS is checked, MSS clamping is enabled, which is useful if you are having trouble sending large packets over the tunnel. If you check Enable Cisco Extensions, the Cisco Unity plugin will be enabled, providing support for Cisco extensions.

The Strict CRL Checking option, if enabled, will require the availability of a fresh Certificate Revocation List (CRL) for peer authentication. If Make before Break is enabled, pfSense will create new SAs before deleting the old ones during the re-authentication process.

The Auto-exclude LAN address option, if enabled, causes traffic from the LAN subnet to the LAN IP address to be excluded from IPsec, addressing cases where the remote subnet overlaps with the local subnet. When you are done making changes, click on the Save button, and then click on Apply Changes.
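To confirm what these checkboxes actually produced, you can read the settings back from the strongSwan configuration. The following is an added example, not code from the book or from pfSense: the keys are real strongswan.conf options under charon, but pairing each one with a GUI label is an assumption, and the sample configuration is constructed.

```python
import re

# Real strongswan.conf keys; pairing each with a GUI label is an assumption.
GUI_TO_KEY = {
    "Strict interface binding": "charon.interfaces_use",
    "Unencrypted payloads in IKEv1": "charon.accept_unencrypted_mainmode_messages",
    "Enable Cisco Extensions": "charon.cisco_unity",
    "Make before Break": "charon.make_before_break",
}

# Constructed sample, not taken from a real firewall.
SAMPLE_CONF = """\
charon {
    interfaces_use = em0,em1   # constructed interface names
    accept_unencrypted_mainmode_messages = yes
    make_before_break = yes
    syslog {
        daemon {
            ike = 1
        }
    }
}
"""

def parse_strongswan_conf(text):
    """Flatten nested 'section { key = value }' blocks into dotted keys."""
    flat, path = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        section = re.fullmatch(r"([\w.-]+)\s*\{", line)
        if section:
            path.append(section.group(1))
        elif line == "}" and path:
            path.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            flat[".".join(path + [key])] = value.strip('"')
    return flat

def effective_settings(text):
    """Map each GUI label to its configured value ('no' stands for unset)."""
    conf = parse_strongswan_conf(text)
    return {label: conf.get(key, "no") for label, key in GUI_TO_KEY.items()}

def review(text):
    """List the settings worth a second look during a configuration review."""
    s, notes = effective_settings(text), []
    if s["Unencrypted payloads in IKEv1"] == "yes":
        notes.append("unencrypted ID and HASH payloads are allowed in IKEv1 main mode")
    if s["Strict interface binding"] == "no":
        notes.append("charon is not restricted to specific interfaces")
    return notes
```

Calling `review(SAMPLE_CONF)` on the constructed sample reports only the unencrypted-payload setting, because the sample binds charon to two interfaces.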
