How to Configure a Site-to-Site IPsec VPN on pfSense?

Objective

To establish a secure IPsec Site-to-Site VPN tunnel between two pfSense firewalls.

Prerequisites

  • Non-overlapping LAN subnets.

  • Pre-Shared Key (PSK).

  • Internet connectivity on both sites.

Client-Side Requirements

  • WAN IP address.

  • LAN subnet(s) for Phase 2.

  • Matching Phase 1 settings (IKE version, PSK, encryption).

  • Matching Phase 2 settings (subnets, encryption, PFS).

  • Confirm NAT or routing requirements.

Step 1: Configure Phase 1 (IKE)

  • Navigate to VPN > IPsec > Add P1.

  • Set Key Exchange Version: IKEv2.

  • Remote Gateway: the remote site's WAN IP (the client WAN IP collected above).

  • Authentication Method: Mutual PSK.

  • Pre-Shared Key: [Client-provided key].

  • Encryption Algorithm: AES-256; Hash Algorithm: SHA256; DH Group: 20 (384-bit ECP); Lifetime: 28800 seconds.

  • Save and Apply.

Step 2: Configure Phase 2 (ESP)

  • Local Network: Site A LAN subnet.

  • Remote Network: Site B LAN subnet.

  • Encryption Algorithm: AES-256; Hash Algorithm: SHA256.

  • Lifetime: 3600 seconds.

  • Save and Apply.

Step 3: Firewall Rules

  • Navigate to Firewall > Rules > IPsec.

  • Add rules to allow traffic between LAN subnets.

  • Action: Pass, Interface: IPsec, Protocol: Any, Source: Local LAN subnet, Destination: Remote LAN subnet.

  • Save and Apply.

Step 4: Test the Tunnel

  • Go to Status > IPsec and verify the tunnel is established.

  • Test connectivity: ping from a host on the Site A LAN to a host on the Site B LAN.

  • Use Diagnostics > Traceroute if needed.

Troubleshooting

  • Ensure Phase 1 and Phase 2 settings match exactly on both ends.

  • Check firewall rules and NAT settings.

  • Verify routing and DNS.
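The prerequisite of non-overlapping subnets and the first troubleshooting item (Phase 1 and Phase 2 must match exactly) can be checked before touching either firewall. The script below is an added example, not part of pfSense or this guide; the site values, dictionary field names and PSK placeholder are constructed, and `pfs_group` is assumed to hold the Phase 2 PFS key group.

```python
"""Added example, not pfSense code: pre-flight consistency check for both ends
of a site-to-site tunnel. All site values below are constructed placeholders."""
import hmac
import ipaddress

# IKE DH group numbers -> strongSwan names (pfSense's IPsec daemon is strongSwan).
DH_GROUPS = {14: "modp2048", 19: "ecp256", 20: "ecp384", 21: "ecp521"}
PHASE1_FIELDS = ("ike_version", "encryption", "hash", "dh_group", "lifetime")
PHASE2_FIELDS = ("encryption", "hash", "pfs_group", "lifetime")

def proposal(p1):
    """Phase 1 dict -> strongSwan proposal string (e.g. aes256-sha256-ecp384),
    the form shown by `swanctl --list-conns` on the pfSense console."""
    return f"{p1['encryption']}-{p1['hash']}-{DH_GROUPS[p1['dh_group']]}"

def check_site_to_site(a, b):
    """Return a list of mismatches between sites A and B; empty means consistent."""
    findings = []
    # Prerequisite: non-overlapping LAN subnets, otherwise Phase 2 routing is ambiguous.
    lan_a, lan_b = ipaddress.ip_network(a["lan"]), ipaddress.ip_network(b["lan"])
    if lan_a.overlaps(lan_b):
        findings.append(f"LAN subnets overlap: {lan_a} / {lan_b}")
    # Phase 1 must match field for field on both ends.
    for f in PHASE1_FIELDS:
        if a["p1"][f] != b["p1"][f]:
            findings.append(f"Phase 1 {f} mismatch: {a['p1'][f]} != {b['p1'][f]}")
    # Compare PSKs in constant time and never echo the key in a finding.
    if not hmac.compare_digest(a["p1"]["psk"].encode(), b["p1"]["psk"].encode()):
        findings.append("Phase 1 PSK mismatch")
    # Phase 2: same ciphers/PFS/lifetime, and local/remote networks mirrored.
    for f in PHASE2_FIELDS:
        if a["p2"][f] != b["p2"][f]:
            findings.append(f"Phase 2 {f} mismatch: {a['p2'][f]} != {b['p2'][f]}")
    if a["p2"]["local"] != b["p2"]["remote"] or a["p2"]["remote"] != b["p2"]["local"]:
        findings.append("Phase 2 local/remote networks are not mirrored")
    return findings

# Constructed sample configs following this guide's Phase 1/Phase 2 settings.
P1 = {"ike_version": 2, "encryption": "aes256", "hash": "sha256", "dh_group": 20,
      "lifetime": 28800, "psk": "PLACEHOLDER-PSK"}
SITE_A = {"lan": "10.10.0.0/24", "p1": dict(P1), "p2": {"encryption": "aes256",
          "hash": "sha256", "pfs_group": 20, "lifetime": 3600,
          "local": "10.10.0.0/24", "remote": "10.20.0.0/24"}}
SITE_B = {"lan": "10.20.0.0/24", "p1": dict(P1), "p2": {"encryption": "aes256",
          "hash": "sha256", "pfs_group": 20, "lifetime": 3600,
          "local": "10.20.0.0/24", "remote": "10.10.0.0/24"}}

if __name__ == "__main__":
    print(proposal(SITE_A["p1"]), check_site_to_site(SITE_A, SITE_B) or "consistent")
```

Fill in each site's real values from its VPN > IPsec pages and run the check from an admin workstation; an empty list means the two ends agree and the remaining suspects are firewall rules, NAT and routing.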

Best Practices

  • Use strong encryption (AES-256, SHA256).

  • Enable Dead Peer Detection.

  • Monitor tunnel status regularly.
