IPsec mobile client configuration

The previous section involved the configuration of an IPsec tunnel in which authentication is done through either a PSK or certificates. This is acceptable for peer-to-peer connections, and will even work with a client-server connection. However, what if there are multiple mobile clients? Wouldn't it make more sense to configure different settings for each individual user? In such cases, we can use the Mobile Clients tab.

There are three sections on the Mobile Clients configuration page: Enable IPsec Mobile Client Support, Extended Authentication (Xauth), and Client Configuration (mode-cfg). The first (and only) option in the first section is the IKE extensions checkbox; enabling this option enables support for mobile clients. The next section contains two options. The User authentication box is where you choose what database is used for user authentication. There only seems to be one option here: Local Database. This option allows for user authentication via pfSense's user manager. The second option is Group Authentication. Here, you should select system for user manager authentication.

The final section of the page has several options. If Virtual Address Pool is enabled, pfSense will provide virtual IP addresses to clients; using this option requires that you enter a network mask and the corresponding CIDR. The Virtual IPv6 Address Pool option, if enabled, also allows you to provide virtual IP addresses. In this case, however, they will be IPv6 addresses instead of IPv4 addresses.

If the Network List option is enabled, a list of accessible networks will be presented to the mobile clients. If Save Xauth password is enabled, clients will be allowed to save Xauth passwords. This option will only work if the mobile client is using a Cisco VPN client. If DNS Default domain is enabled, pfSense will provide a default domain to clients; you must specify the default domain for this option to work. If Split DNS is enabled, you can provide a list of split DNS domain names to the clients. Thus, you can provide different sets of DNS information, based on the source address of the DNS query. If you enable this option, you must enter the domain names in the edit box below the checkbox. The domain names should be separated by commas.

If DNS servers is enabled, you can provide a list of DNS servers to clients. You must then enter the DNS servers into an edit box below this checkbox. The WINS Servers option is similar, but in this case, you are providing a list of WINS servers to WINS clients. Checking Phase 2 PFS Group allows you to set a Perfect Forward Secrecy (PFS) group for mobile clients; this setting overrides whatever PFS group is set in the Phase 2 configuration. If Login Banner is enabled, you can provide a login banner to clients (enter it in the corresponding edit box). When you are done, click on the Save button, and then the Apply Changes button.
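To show what the Mobile Clients options amount to underneath the GUI, here is an added strongSwan swanctl.conf fragment that expresses the same settings (IKEv1 with PSK plus Xauth, a virtual IPv4 pool, DNS and WINS servers, a network list, and a Phase 2 PFS group); it is an illustration written for this section, not pfSense's own generated configuration. The addresses, identities, user name and secrets are constructed placeholders, and the login banner and default domain options are not mapped here.

```conf
connections {
    mobile {
        # Xauth and mode-cfg are IKEv1 mechanisms
        version = 1
        proposals = aes256-sha256-modp2048

        local {
            auth = psk
            id = vpn.example.com          # constructed gateway identity
        }
        remote {
            auth = psk                    # first round: pre-shared key
        }
        remote-xauth {
            auth = xauth                  # second round: per-user Xauth credentials
        }

        # Client Configuration (mode-cfg): hand out virtual addresses from this pool
        pools = mobile_v4

        children {
            mobile {
                # Network List: the internal network offered to clients
                local_ts = 192.168.1.0/24
                # Phase 2 PFS Group: the DH group in the ESP proposal (modp2048 = group 14)
                esp_proposals = aes256-sha256-modp2048
            }
        }
    }
}

pools {
    mobile_v4 {
        addrs = 10.0.100.0/24             # Virtual Address Pool (network + CIDR mask)
        dns = 192.168.1.1                 # DNS servers pushed to clients
        nbns = 192.168.1.2                # WINS servers pushed to clients
        split_include = 192.168.1.0/24    # networks the client should route via the tunnel
    }
}

secrets {
    ike-mobile {
        id-1 = vpn.example.com
        secret = "CHANGE-ME-constructed-psk"     # placeholder, not a real key
    }
    xauth-alice {
        id = alice                        # one entry per mobile user
        secret = "CHANGE-ME-constructed-password"
    }
}
```

Keeping a DH group in the ESP proposal is what gives each Phase 2 child SA its own key material, so a compromised IKE key does not expose earlier ESP traffic.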
