
My CA created on pfSense through Cert Manager:

Descriptive name: DOVPNClients


Method: Create an internal Certificate Authority
Key length (bits): 2048
Digest Algorithm: sha256
Lifetime (days): 3650
Country Code: GB
State or Province: Clients county
City: Clients city
Organization: Clients name
Organizational Unit: Clients unit
Email Address: no-email@clientsemail.co.uk
Common Name: xx.xxx.xx.xxx (This is the WAN1 IP address of the pfSense)
My certificate:
Method: Create an internal Certificate
Descriptive name: DOVPNClients
Certificate authority: DOVPNClients
Key length: 2048
Digest Algorithm: sha256
Certificate Type: Server Certificate
Lifetime (days): 3650
Country Code, State or Province, City, Organization, Organizational Unit, Email Address: all copied over from the CA
Common Name: xx.xxx.xx.xxx (same IP address as in CA Common Name above)
Alternative Names: IP address - xx.xxx.xx.xxx (same IP address as in CA Common Name above)
FQDN or Hostname: office.clientsdomainname.co.uk
VPN/IPsec/Mobile Clients settings:
IKE Extensions: Enabled
Group Authentication: none
Virtual Address Pool: Ticked 192.168.50.32/24
Network List: ticked (Provide a list of accessible networks to clients)
All other boxes unticked
VPN/IPsec/Tunnels:
Phase1: enabled
Key Exchange version: IKEv2
Internet Protocol: IPv4
Interface: WAN1
Description: VPN Clients
Authentication Method: EAP-MSChapv2
My identifier: Distinguished name xx.xxx.xx.xxx (same IP address as in CA Common Name above)
Peer identifier: Any
My Certificate: DOVPNClients
Encryption Algorithm: 3DES
Hash Algorithm: SHA1
DH Group: 2(1024 bit)
Lifetime (Seconds): 28800
Dead Peer Detection: Enabled
Delay: 10
Max failures: 5
All other options, unticked.
Phase 2: Enabled
Mode: Tunnel IPv4
Local Network: LAN Subnet
NAT/BINAT translation: None
Description: VPN Clients
Protocol: ESP
Encryption Algorithms: AES ticked and set to Auto, 3DES ticked
Hash Algorithms: SHA1 and SHA256 ticked
PFS key group: off
Lifetime: 3600

VPN/IPsec/Pre-Shared Keys:
Identifier: pieter@myemailaddress.co.uk
Secret type: EAP
Pre-Shared Key: FakePassword123
Firewall/Rules/IPsec:
Action: Pass
Interface: IPsec
Address Family: IPv4
Protocol: Any
Source: Any
Destination: Any
Export CA:
I then export the CA and copy it over onto the Mac. I import it into the System keychain within the Mac Keychain Access and set it to Always Trust through File > Get Info on the certificate.
Set up the VPN connection on the Mac:
Open System Preferences
Click Network
Click + to add a new VPN entry
Select VPN for the Interface
Select IKEv2 for the VPN Type (default)
Set Service Name to a description for the VPN
Enter the hostname of the firewall in DNS as the Server Address: here I enter the WAN1 IP address I used for the Common Name
Enter the hostname of the firewall again in Remote ID (this must match the server certificate's Common Name and SAN entry): here again I enter the WAN1 IP address I used for the Common Name
Leave Local ID blank
Click Authentication Settings
Select Username
Enter the Username (EAP Key ID for this user) and Password
Check Show VPN status in the menu bar (if desired)
Click Apply
I then click Connect and the VPN connection tries to connect for a split second, but drops straight away. When I look at the system logs on the pfSense under IPsec, I see:
15[ENC] <bypasslan|12> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Please help!
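Added example (my own illustration for this thread, not code from pfSense, strongSwan or the original poster): a small Python model of the Remote ID check that the Mac instructions above describe, i.e. whether the value the client sends as Remote ID is one of the identities carried in the server certificate's Subject Alternative Name. The certificate fields, the documentation-range address 203.0.113.10, and the rule that the Common Name is consulted only when the certificate has no SAN at all are assumptions made for the example; it is a simplified model of identity matching, not a diagnosis of the AUTH_FAILED above.

```python
"""Model of how an IKEv2 client's Remote ID is compared against the identities
in a server certificate: SAN entries are authoritative, and the subject CN is
consulted only when the certificate carries no SAN at all (assumption made for
this example).  Written for this thread; not strongSwan's or pfSense's code."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """Identity-bearing fields of a server certificate (constructed sample)."""
    common_name: str
    # SAN entries in openssl's "TYPE:value" notation, e.g. "IP:203.0.113.10"
    san: list = field(default_factory=list)


def classify_id(value):
    """Return (kind, normalised value) for an identity string.

    An IP literal becomes an address identity (IPv6 text is canonicalised so
    2001:0db8::0001 and 2001:db8::1 compare equal), a string containing '='
    is treated as a distinguished name, anything else as an FQDN (case-folded,
    trailing dot dropped)."""
    text = value.strip()
    try:
        return ("ip", str(ipaddress.ip_address(text)))
    except ValueError:
        pass
    if "=" in text:
        return ("dn", ",".join(part.strip() for part in text.split(",")))
    return ("fqdn", text.lower().rstrip("."))


def cert_identities(cert):
    """Set of (kind, value) identities the certificate asserts."""
    ids = set()
    for entry in cert.san:
        kind, _, val = entry.partition(":")
        kind = kind.strip().upper()
        if kind == "IP":
            ids.add(classify_id(val))
        elif kind == "DNS":
            ids.add(("fqdn", val.strip().lower().rstrip(".")))
    if not ids:
        # Assumption for this model: fall back to the CN only when no SAN exists.
        ids.add(classify_id(cert.common_name))
    return ids


def remote_id_matches(remote_id, cert):
    """True if the client's Remote ID names one of the certificate's identities."""
    return classify_id(remote_id) in cert_identities(cert)


def explain(remote_id, cert):
    """Human-readable verdict for a Remote ID against a certificate."""
    kind, val = classify_id(remote_id)
    ids = sorted(cert_identities(cert))
    have = ", ".join(f"{k}:{v}" for k, v in ids)
    note = "" if cert.san else " (no SAN present; matched on CN only)"
    if (kind, val) in ids:
        return f"OK: Remote ID {kind}:{val} is present in the certificate ({have}){note}"
    return f"MISMATCH: Remote ID {kind}:{val} is not among the certificate identities ({have}){note}"


if __name__ == "__main__":
    # Constructed sample mirroring the post: CN is the WAN IP, SAN has IP + FQDN.
    cert = ServerCert(
        common_name="203.0.113.10",
        san=["IP:203.0.113.10", "DNS:office.clientsdomainname.co.uk"],
    )
    for rid in ("203.0.113.10", "office.clientsdomainname.co.uk", "203.0.113.11"):
        print(explain(rid, cert))
```

Run it with the Remote ID you typed into the Mac and the SAN list of the certificate you actually exported from Cert Manager; a MISMATCH verdict means the two sides are not naming the same identity, while an OK verdict only rules that one cause out.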