Table of Contents
PFSense - VPN - IPSec - Site to Site Setup
pfSense to pfSense - IPsec - site to site Setup.
Setup an IPSec VPN between 2 instances of pfSense using both a static (work) and dynamic IP address (home office).
NOTE: A static IP is NOT a requirement.
Requirements
- Dynamic or Static IP address.
- A domain name or a free dynamic DNS provider.
- CPU with AES-NI (if your uplink is 20Mbps or faster).
Assumptions
You already have a working pfSense configuration at both locations.
Both locations must NOT have the same internal LAN address - meaning both can’t be running 192.168.1.x addresses, one can run 192.168.1.x while the other can run 192.168.2.x.
Final note - the VPN configuration on both firewalls will be exactly the same, save for parts that require IP addresses or hostnames.
Configuration
Click on VPN → IPsec, and on the bottom right, click on the green + Add P1 button at the bottom of the screen.
Phase 1
General Info
- Key exchange version: IKEv2
- Internet Protocol: IPv4 (IPv6/Dual stack will work if you’re running IPv6 at both sites)
- Interface: WAN (or whatever you named the interface with the public IP address)
- Remote Gateway: this is where you need either your own domain, or a free Dynamic DNS provider - or manually entering the IP addresses works, users with dynamic IP addresses the “work” location will have to update your IP address manually every time it changes.
- Remote Gateway (home): work.sharewiz.net
- Remote Gateway (work): home.sharewiz.net
- Description: A description
Phase 1 Proposal (Authentication):
- Authentication Method: Mutual PSK
- My Identifier: Distinguished name:
- Home: home.sharewiz.net
- Work: work.sharewiz.net
- Peer identifier: Distinguished name
- Home: work.sharewiz.net
- Work: home.sharewiz.net
- Pre-Shared Key: On one firewall, click generate key, then copy & paste that key to the other firewall
Phase 1 Proposal (Encryption Algorithm)
- Encryption Algorithm:
- Algorithm: AES128-GCM
- Key Length: 128 bits
- Hash: SHA256
- DH Group: 14 (2048)
- Lifetime (Seconds): 28800
Advanced Options
Leave everything defaulted in this section, and click Save. When finished, it should look like this:
Phase 2
From the above screen, click on Show Phase 2 Entries (0) and expand out the menu, then click on the green + Add P2 button that appears.
General Information
- Mode: Tunnel IPv4
- Local Network: LAN subnet
- NAT/BINAT translation: None
- Remote Network: Network
- Address (Work): 192.168.10.0/24
- Address (Home): 192.168.1.0/24
- Description:
- Home: Work LAN
- Work: Home LAN
Phase 2 Proposal (SA/Key Exchange)
- Protocol: ESP
- Encryption Algorithms: AES128-GCM @ 128 bits
- Hash Algorithms: AES-XCBC (or SHA256 if your CPU doesn’t have AES-NI)
- PFS key group: 14 (2048)
- Lifetime: 3600
Advanced Configuration
- Automatically ping host: set this IP address to a server you run 24/7, this will keep the VPN up 24/7
After you hit Save, this is what your Phase 2 will look like:
Firewall Rules
After you hit Apply Changes on both firewalls, your IPsec VPN should connect right away.
You may find that you can’t ping anything across the VPN though - you’ll need to click on Firewall → Rules → Add to create a hole in the firewall to allow traffic to pass.
Insecure allow all traffic rule
WARNING: This rule will allow ALL traffic to traverse the firewalls (remember you have to make the same rule for both sides).
This is NOT a secure setting! If your home network gets compromised, your home network can be a jumping off point for bots/hackers/viruses to invade the network on the other side of the VPN.
You have been warned.
Edit Firewall Rule
- Protocol: Any
And that’s it, unless you want to add a description.
End result looks like this: