pfSense IPsec Configuration Guide: Setting Up a Site-to-Site VPN with Pre-Shared Keys

Establishing a secure, persistent connection between networks is essential for organizations with multiple locations. An IPsec (Internet Protocol Security) site-to-site VPN tunnel provides this always-on link: traffic between the two sites is routed through the tunnel, so systems at one site can reach resources at the other and vice versa over an encrypted and authenticated channel. This guide walks through setting up a site-to-site IPsec VPN tunnel between two pfSense firewalls using pre-shared keys.

Unlike client-based VPNs, a site-to-site VPN operates transparently to devices on the local networks. End-users are unaware of the VPN tunnel, and no special client software is required on their machines. The pfSense firewalls at each site handle all the VPN processing. This makes site-to-site VPNs ideal for connecting entire office networks or for devices that lack VPN client capabilities, such as printers, security cameras, and industrial control systems.

Understanding the Site-to-Site VPN Configuration

The cornerstone of a working IPsec tunnel is consistent configuration of both endpoints. The two pfSense firewalls must use the same authentication method and pre-shared key, the same IKE version, and identical Phase 1 and Phase 2 proposals (encryption, hash, DH and PFS groups), while the address settings are mirrored: the remote gateway and remote network on one side are the WAN address and LAN subnet of the other. Before you begin, gather the public WAN IP addresses of both firewalls and the private LAN subnets you intend to connect through the tunnel. Only the description is free-form and can be customized for easy identification; the connection parameters must match as described.

For this guide, we will use the following example network settings for two hypothetical sites, Site A (Austin Office) and Site B (London Office):

                Site A (Austin Office)      Site B (London Office)
Name            Austin Office               London Office
WAN IP          198.51.100.3                203.0.113.5
LAN Subnet      10.3.0.0/24                 10.5.0.0/24
LAN IP          10.3.0.1                    10.5.0.1

This setup, illustrated in Figure 1, depicts a common site-to-site IPsec VPN scenario.

Figure 1: Illustrative diagram of a Site-to-Site IPsec VPN connecting Site A and Site B networks.

Now, let’s proceed with configuring each site, starting with Site A.

Configuring Site A (Austin Office) pfSense Firewall

Begin by setting up the IPsec tunnel parameters on the pfSense firewall at Site A. This involves configuring Phase 1 and Phase 2 settings.

Phase 1 Configuration on Site A

Phase 1 establishes the secure channel for negotiating Phase 2 settings and exchanging keys. To configure Phase 1 on Site A:

  1. Navigate to VPN > IPsec in your pfSense web interface.
  2. Click the Add P1 button (usually represented by a + icon).
  3. Fill in the Phase 1 settings as detailed below.
  4. Click Save to apply the Phase 1 configuration.

Refer to the pfSense documentation on Phase 1 settings for a comprehensive understanding of each option.

Let’s configure the general settings and IKE endpoint parameters in the top section, as shown in Figure 2:

  • Description: Provide a descriptive name for the tunnel to easily identify it. For Site A, use “London Office – Site-to-Site VPN”. A clear description is vital for future management.
  • Disabled: Ensure this box is unchecked to enable the VPN tunnel.
  • Key Exchange version: Choose IKEv2 if both pfSense endpoints support it. IKEv2 is generally preferred for its simpler negotiation, built-in NAT traversal and more robust rekeying. If Site B only supports IKEv1, select IKEv1 and keep Negotiation mode at Main; Aggressive mode with a pre-shared key exposes an authentication hash that can be attacked offline.
  • Internet Protocol: Select IPv4 in most common scenarios, unless both WAN interfaces are using IPv6.
  • Interface: Typically, this will be your WAN interface. If you have multiple WAN interfaces or are unsure, consult the pfSense Interface Selection guide.
  • Remote Gateway: Enter the WAN IP address of Site B, which is 203.0.113.5 in our example.

Figure 2: pfSense Site A Phase 1 General Information and IKE Endpoint Configuration.

Next, configure the Phase 1 authentication settings. The default settings are generally secure and suitable for most deployments:

  • Authentication Method: Keep the default Mutual PSK (Pre-Shared Key).
  • My Identifier: Retain the default My IP Address.
  • Peer Identifier: Keep the default Peer IP Address.
  • Pre-Shared Key: This is a critical setting. Create a strong pre-shared key: at least 16 characters, and preferably 32 or more, mixing uppercase and lowercase letters, numbers and symbols. Rather than inventing one, use the Generate new Pre-Shared Key button (a refresh icon) to create a random key.

Important Security Note: The pre-shared key is the only thing authenticating the two gateways to each other; anyone who learns it can impersonate either site. A guessable key can also be recovered by a dictionary attack: with IKEv1 Aggressive mode the attack runs offline against a captured exchange, and with IKEv2 or IKEv1 Main mode an attacker able to pose as one gateway still obtains an authentication value to attack offline. Use a long, random key rather than a passphrase, and replace it if it may have been exposed.

Remember to securely record or copy this pre-shared key, as you will need to enter the exact same key in the Phase 1 configuration of Site B.
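The following Python is an added example, not code from this guide or from pfSense. It generates a key the way the Generate button does (from the operating system's CSPRNG) and screens a candidate key against a length and entropy threshold. The 32-character and 128-bit thresholds are this example's own assumptions, deliberately stricter than the 16-character minimum above; the character set is chosen to avoid quotes, backslashes and whitespace, which are easy to mangle when copying a key into a form.

```python
"""Generate and screen an IPsec pre-shared key.

Added example; not code from the guide or from pfSense. The length and
entropy thresholds (32 characters, 128 bits) are this example's assumptions
and are stricter than the 16-character minimum the guide states.
"""
import math
import secrets
import string

# Symbols chosen to avoid characters that are easy to mangle when pasting
# into a form (quotes, backslash, whitespace).
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
PSK_ALPHABET = string.ascii_letters + string.digits + SYMBOLS
MIN_LENGTH = 32           # assumption: twice the guide's minimum
MIN_ENTROPY_BITS = 128.0  # assumption: on par with an AES-128 key


def estimated_entropy_bits(psk: str) -> float:
    """Upper bound on entropy: log2(pool size) per character, where the pool is
    the union of the character classes actually present. A key a human chose
    has far less real entropy than this estimate."""
    pool = 0
    if any(c in string.ascii_lowercase for c in psk):
        pool += 26
    if any(c in string.ascii_uppercase for c in psk):
        pool += 26
    if any(c in string.digits for c in psk):
        pool += 10
    if any(not c.isalnum() for c in psk):
        pool += 32  # printable ASCII punctuation characters
    return len(psk) * math.log2(pool) if pool else 0.0


def check_psk(psk: str) -> list:
    """Return the problems found; an empty list means the key is acceptable."""
    problems = []
    if len(psk) < MIN_LENGTH:
        problems.append(f"too short: {len(psk)} < {MIN_LENGTH} characters")
    if psk != psk.strip():
        problems.append("leading/trailing whitespace (will not match the peer's key)")
    if not any(c.islower() for c in psk) or not any(c.isupper() for c in psk):
        problems.append("missing upper- or lower-case letters")
    if not any(c.isdigit() for c in psk):
        problems.append("missing digits")
    if not any(c in SYMBOLS for c in psk):
        problems.append("missing symbols")
    if estimated_entropy_bits(psk) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS:.0f} bits")
    return problems


def generate_psk(length: int = MIN_LENGTH) -> str:
    """Draw a key from the OS CSPRNG via the secrets module (never random.random).
    Candidates that happen to miss a character class are rejected and redrawn,
    which keeps the result uniform over the accepted keys."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        psk = "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))
        if not check_psk(psk):
            return psk


if __name__ == "__main__":
    key = generate_psk()
    print(key)
    print(f"{estimated_entropy_bits(key):.0f} bits estimated; problems: {check_psk(key)}")
```

Paste the generated key into the Pre-Shared Key field on both firewalls; the whitespace check exists because a trailing space copied along with the key on one side is enough to make authentication fail.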

Figure 3: pfSense Site A Phase 1 Authentication Settings using Pre-Shared Key.

Now, define the Phase 1 encryption settings. These settings determine the algorithms used to secure the Phase 1 negotiation:

  • Encryption Algorithm: Choose AES (Advanced Encryption Standard) with a Key Length of 256 bits for robust encryption.
  • Hash Algorithm: Select SHA256 if both endpoints support it. If not, choose the strongest hash algorithm supported by both firewalls. SHA256 provides a good balance of security and performance.
  • DH Group: The default 14 (2048 bit) is acceptable. Larger MODP groups (15 and up) or the elliptic-curve groups (19 to 21) give more margin at a higher CPU cost per negotiation; whichever you choose must be selected on both sides.

Figure 4: pfSense Site A Phase 1 Encryption Settings with strong algorithms.

The Expiration and Replacement section governs how often Phase 1 keys are renegotiated.

  • Life Time: The default value of 28800 seconds (8 hours) is typically suitable.

Refer to Troubleshooting Duplicate IPsec SA Entries for recommendations on adjusting lifetime values in specific scenarios.

The remaining lifetime-related settings (Rekey Time, Reauth Time, Rand Time) can be left at their default values as pfSense automatically calculates appropriate values based on the Life Time.

Figure 5: pfSense Site A Phase 1 Lifetime Settings.

Finally, review the Advanced settings:

  • Child SA Close Action: Set this to Restart/Reconnect. This ensures that if Phase 2 connections are interrupted, they will be automatically re-established.
  • Dead Peer Detection: Leave this checked and at the default settings. DPD helps detect and handle situations where a peer becomes unreachable.

Figure 6: pfSense Site A Phase 1 Advanced Settings for connection stability.

Click Save to finalize the Phase 1 configuration for Site A.

Phase 2 Configuration on Site A

Phase 2 defines the security parameters for the actual data transmission across the VPN tunnel. After configuring Phase 1, proceed to set up Phase 2:

  1. Locate the Phase 1 entry you just created in the VPN > IPsec page.
  2. Click the Add P2 button (usually a + icon) associated with that Phase 1 entry, as shown in Figure 7.

Figure 7: Initial Phase 2 list for Site A, ready to add a new entry.

Figure 8: Starting the process of adding a Phase 2 entry to Site A.

Now, configure the Phase 2 settings. These settings, detailed in Figure 9, allow for more customization than Phase 1. For in-depth information on each option, consult the pfSense Phase 2 Settings documentation.

  • Description: Provide a description for this Phase 2 entry, such as “Site B LAN Network”.
  • Mode: Select Tunnel IPv4. This is the standard mode for site-to-site VPNs.
  • Local Network: Choose LAN Subnet. This automatically uses your LAN subnet (10.3.0.0/24 in our example). Alternatively, you could select Network and manually enter “10.3.0.0/24”. Using “LAN Subnet” is best practice as it dynamically adapts if your LAN subnet changes in the future.
  • NAT/BINAT translation: Set to None. This option rewrites the Local Network to a different address range before it enters the tunnel and is only needed when the two sites’ subnets overlap. It is unrelated to NAT Traversal (NAT-T), the Phase 1 mechanism for gateways behind NAT, which pfSense negotiates automatically.
  • Remote Network: Enter the LAN subnet of Site B, which is 10.5.0.0/24 in this example.

Figure 9: pfSense Site A Phase 2 General Information and Networks configuration.

The next section focuses on Phase 2 encryption settings. While you can configure multiple encryption and hash algorithms, it’s generally recommended to specify a single, strong set of options for clarity and optimal performance.

  • Protocol: Choose ESP (Encapsulating Security Payload) for data encryption.
  • Encryption algorithm: Ideally, select an AEAD (Authenticated Encryption with Associated Data) cipher such as AES-GCM if both pfSense endpoints support it. Choose AES256-GCM and select 128 bits in the adjacent length field; for the GCM entries that field sets the ICV (authentication tag) length, not the AES key size, which is already 256 bits. If AES-GCM is not supported, use AES with a 256-bit key, or the strongest AES option available on both firewalls.
  • Hash algorithm: If you selected AES-GCM for the encryption algorithm, leave the hash algorithm section empty as AES-GCM includes its own authentication. Otherwise, select SHA256 or the strongest SHA algorithm supported by both sites.
  • PFS key group: Perfect Forward Secrecy (PFS) is optional but strongly recommended. With PFS, a fresh Diffie-Hellman exchange is performed whenever a Phase 2 SA is created, so an attacker who later obtains the Phase 1 keys cannot decrypt recorded traffic from earlier sessions. Select 14 (2048 bit) for a good balance, and use the same group on both sides.

Figure 10: pfSense Site A Phase 2 Proposal settings defining encryption and security.

The final section for Phase 2 is Expiration and Replacement, controlling key renegotiation frequency:

  • Life Time: Set this to 3600 seconds (1 hour) for this example. Keep the Rekey Time and Rand Time at their default calculated placeholder values.

Figure 11: pfSense Site A Phase 2 Expiration and Replacement Settings.

To activate the Phase 2 settings:

  1. Click Save.
  2. Click Apply Changes on the main IPsec Tunnels page, as shown in Figure 12.

Figure 12: Applying the IPsec settings in pfSense after configuration.

The IPsec tunnel configuration for Site A is now complete.

Firewall Rules for Site A

To allow traffic from Site B’s network to pass through the IPsec tunnel and reach Site A’s network, you need to configure firewall rules on Site A’s pfSense firewall.

  1. Navigate to Firewall > Rules > IPsec tab.
  2. Add new rules to permit traffic originating from Site B’s network.

Refer to the pfSense Firewall documentation for detailed instructions on creating firewall rules and the IPsec firewall rules guide for IPsec-specific considerations.

Firewall rules can be tailored to your specific security needs. You can create rules that allow all protocols and traffic between the networks or more restrictive rules that permit only specific protocols, ports, and hosts.

Important: Rules on the IPsec tab filter traffic arriving at this firewall from inside the tunnel, so Source is the remote network (Site B, e.g. 10.5.0.0/24) and Destination is the local network (Site A, e.g. 10.3.0.0/24). Connections that Site A hosts open toward Site B are governed by the LAN rules, and their return traffic is matched by state, so no outbound rule is needed on the IPsec tab. Separately, pfSense adds WAN rules for ISAKMP (UDP 500), NAT-T (UDP 4500) and ESP automatically when IPsec is enabled, unless Disable auto-added VPN rules is checked under System > Advanced > Firewall & NAT; if that option is set, add those WAN rules by hand or Phase 1 will never be reached.

Configuring Site B (London Office) pfSense Firewall

Now, configure the pfSense firewall at Site B. The process mirrors Site A’s configuration, but with a few key differences.

For Site B, you will mostly replicate the settings from Site A, with the following exceptions in Phase 1 and Phase 2:

  • Phase 1 Differences:
    • Description: Use “Austin Office – Site-to-Site VPN” to clearly identify this end of the tunnel.
    • Remote Gateway: Enter the WAN IP address of Site A, which is 198.51.100.3.
    • Life Time: Set it slightly longer than Site A’s Phase 1 lifetime, for example 31680 seconds. Site A initiates the tunnel, and giving the responder the longer lifetime ensures Site A always rekeys first; if both sides reached their lifetime at the same moment, each could start a renegotiation and leave duplicate Security Associations (SAs).
    • Child SA Start Action: Set to None (Responder Only). This configures Site B to passively wait for Site A to initiate the tunnel connection.
    • Child SA Close Action: Set to Close Connection and clear SA. This prevents Site B from automatically reconnecting Phase 2, as Site A will manage the connection initiation.

Figure 13: pfSense Site B Phase 1 General Settings, highlighting key differences from Site A.

Figure 14: pfSense Site B Phase 1 Other Settings, showing Responder Only and Close Connection actions.

  • Phase 2 Differences:
    • Description: Use “Austin Office LAN Network”.
    • Remote Network: Enter the LAN subnet of Site A, which is 10.3.0.0/24.
    • Life Time: Set it to be slightly longer than Site A’s Phase 2 lifetime, for example, 5400 seconds.
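Because every mismatch between the two ends shows up only as a failed negotiation, it is worth checking the mirrored settings before applying them. The Python below is an added example, not code from this guide or from pfSense: it models the fields of both sites as dictionaries (the key names are this example's own), renders the Phase 1 and Phase 2 selections as strongSwan proposal strings (pfSense's IKE daemon is strongSwan, but the GUI-to-notation mapping here is an assumption of this example), and reports every way the two ends disagree, including the lifetime and responder-only conventions described above and overlapping LAN subnets.

```python
"""Consistency check for the two ends of a pfSense site-to-site IPsec tunnel.

Added example; not code from the guide or from pfSense. The dictionaries are
a simplified model of the GUI fields using this example's own key names, and
the proposal strings follow strongSwan's notation (pfSense's IKE daemon); the
GUI-to-notation mapping here is this example's assumption, not pfSense's code.
"""
import copy
import ipaddress

# pfSense DH group numbers -> strongSwan names (subset).
DH_GROUPS = {14: "modp2048", 15: "modp3072", 16: "modp4096",
             19: "ecp256", 20: "ecp384", 21: "ecp521"}

# Constructed settings matching the guide's two sites.
SITE_A = {
    "name": "Austin Office",
    "wan_ip": "198.51.100.3", "remote_gateway": "203.0.113.5",
    "lan": "10.3.0.0/24", "remote_network": "10.5.0.0/24",
    "ike_version": 2,
    "psk": "example-placeholder-not-a-real-key-0123456789",
    "p1": {"enc": "aes", "key_bits": 256, "hash": "sha256", "dh": 14, "lifetime": 28800},
    "p2": {"enc": "aes256gcm", "icv_bits": 128, "hash": None, "pfs": 14, "lifetime": 3600},
    "responder_only": False,   # Child SA Start Action left at Default
}
SITE_B = copy.deepcopy(SITE_A)
SITE_B.update({
    "name": "London Office",
    "wan_ip": "203.0.113.5", "remote_gateway": "198.51.100.3",
    "lan": "10.5.0.0/24", "remote_network": "10.3.0.0/24",
    "responder_only": True,    # None (Responder Only)
})
SITE_B["p1"]["lifetime"] = 31680   # slightly longer than the initiator's
SITE_B["p2"]["lifetime"] = 5400


def ike_proposal(p1):
    """Phase 1 proposal in strongSwan notation, e.g. aes256-sha256-modp2048."""
    return f"{p1['enc']}{p1['key_bits']}-{p1['hash']}-{DH_GROUPS[p1['dh']]}"


def esp_proposal(p2):
    """Phase 2 proposal. For AES-GCM the number after 'gcm' is the ICV length and
    no separate hash is listed; the PFS group, if any, is appended."""
    if p2["enc"].endswith("gcm"):
        cipher = f"{p2['enc']}{p2['icv_bits']}"
    else:
        cipher = f"{p2['enc']}{p2['key_bits']}-{p2['hash']}"
    return cipher + (f"-{DH_GROUPS[p2['pfs']]}" if p2["pfs"] else "")


def check_pair(a, b):
    """Return every way the two ends disagree; an empty list means they match."""
    problems = []
    # Address fields must be mirrored: my remote_* is the peer's own value.
    for mine, theirs in (("remote_gateway", "wan_ip"), ("remote_network", "lan")):
        for x, y in ((a, b), (b, a)):
            if x[mine] != y[theirs]:
                problems.append(f"{x['name']}: {mine} {x[mine]} != {y['name']} {theirs} {y[theirs]}")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    if a["ike_version"] != b["ike_version"]:
        problems.append("IKE versions differ")
    pa, pb = ike_proposal(a["p1"]), ike_proposal(b["p1"])
    if pa != pb:
        problems.append(f"phase 1 proposals differ: {pa} vs {pb}")
    ea, eb = esp_proposal(a["p2"]), esp_proposal(b["p2"])
    if ea != eb:
        problems.append(f"phase 2 proposals differ: {ea} vs {eb}")
    if ipaddress.ip_network(a["lan"]).overlaps(ipaddress.ip_network(b["lan"])):
        problems.append("LAN subnets overlap: NAT/BINAT translation would be required")
    # One side initiates; the responder keeps longer lifetimes so the initiator
    # always rekeys first and the two never renegotiate at the same moment.
    if a["responder_only"] == b["responder_only"]:
        problems.append("expected exactly one responder-only side")
    else:
        init, resp = (b, a) if a["responder_only"] else (a, b)
        for phase in ("p1", "p2"):
            if resp[phase]["lifetime"] <= init[phase]["lifetime"]:
                problems.append(f"{phase} lifetime on responder {resp['name']} should exceed the initiator's")
    return problems


if __name__ == "__main__":
    print("IKE :", ike_proposal(SITE_A["p1"]))
    print("ESP :", esp_proposal(SITE_A["p2"]))
    print("problems:", check_pair(SITE_A, SITE_B) or "none")
```

The overlap check is the one most often missed: if both offices use the same private range, the tunnel negotiates but no traffic ever arrives, and the fix is NAT/BINAT translation on one side rather than a firewall rule.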

Figure 15: pfSense Site B Phase 2 General Settings, showing the reversed network configuration.

Figure 16: pfSense Site B Phase 2 Lifetime Settings, with a slightly longer lifetime than Site A.

After configuring Phase 1 and Phase 2 with these adjustments for Site B:

  1. Click Save for both Phase 1 and Phase 2 settings.
  2. Click Apply changes on the IPsec Tunnels screen.

Remember to also create corresponding firewall rules on Site B’s pfSense firewall to allow traffic from Site A’s network to reach Site B’s network. The source in these rules will be Site A’s network (10.3.0.0/24), and the destination will be Site B’s network (10.5.0.0/24).

Verifying the IPsec VPN Tunnel Status

With both Site A and Site B configured, the IPsec site-to-site VPN tunnel should be active. To check the tunnel status:

  1. Navigate to Status > IPsec on either pfSense firewall.

The IPsec status page displays a summary of your configured tunnels and their current status. A status of Established indicates a successful connection.

If the status is not Established, the tunnel may simply not have been initiated yet. For a tunnel to a static remote gateway, pfSense’s default Child SA Start Action initiates the connection itself; if you set Initiate on demand instead, only traffic destined for the remote subnet brings the tunnel up, and nothing happens until a host tries to reach the other site.

On the IPsec status page, you’ll find a Connect VPN button (often a play icon). Click this button to manually initiate the tunnel connection, as shown in Figure 17.

Figure 17: pfSense Site A IPsec Status page, showing the Connect VPN button.

If the “Connect VPN” button is not visible, try initiating traffic from a device on Site A’s LAN to a device on Site B’s LAN (or vice versa), for example, by pinging a device in the remote subnet. This traffic should trigger the tunnel to establish. Refer to Testing IPsec Connectivity for further troubleshooting methods.

If the tunnel still fails to connect, examine the IPsec logs. Go to Status > System Logs > IPsec tab on both pfSense firewalls. The logs often provide valuable clues about the cause of the connection failure. For more detailed troubleshooting steps, consult the Troubleshooting IPsec VPNs section in the pfSense documentation.
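The IPsec log is written by strongSwan's charon daemon, and a handful of its messages account for most failures. The Python below is an added example, not code from this guide or from pfSense: it runs a small set of patterns over log lines and maps each hit to the pfSense setting to check. The sample lines are constructed for this example and approximate charon's wording; the patterns and the diagnoses attached to them are this example's own reading, not an official reference.

```python
"""Triage pfSense IPsec log lines (strongSwan 'charon') for common failure causes.

Added example; not code from the guide or from pfSense. The sample log lines
are constructed for this example and approximate the messages charon logs;
the patterns and the diagnoses attached to them are this example's own
reading of those messages, not an official reference.
"""
import re

# (pattern, short code, what to check in the pfSense GUI)
RULES = [
    (r"IKE_SA \S+ established", "phase1_ok",
     "Phase 1 is up."),
    (r"CHILD_SA \S+ established", "phase2_ok",
     "Phase 2 is up; if traffic still fails, check the rules on the IPsec tab."),
    (r"giving up after \d+ retransmits", "peer_unreachable",
     "No reply from the peer: verify Remote Gateway, that the peer's WAN is up, "
     "and that UDP/500 and UDP/4500 are not blocked upstream."),
    (r"no IKE config found for", "no_phase1_match",
     "No Phase 1 matches the peer's address: check Interface and Remote Gateway "
     "on the responding side."),
    (r"no matching peer config found", "identifier_mismatch",
     "Identity did not match: compare My Identifier and Peer Identifier on both ends."),
    (r"tried \d+ shared key.*MAC mismatched", "psk_mismatch",
     "The pre-shared key presented by the peer does not match ours."),
    (r"received AUTHENTICATION_FAILED notify", "psk_mismatch",
     "The peer rejected our authentication: re-enter the pre-shared key on both ends."),
    (r"received NO_PROPOSAL_CHOSEN notify|no acceptable proposal found", "proposal_mismatch",
     "Proposals differ: compare encryption, hash, DH group, PFS group and the AES-GCM ICV length."),
    (r"received TS_UNACCEPTABLE notify|traffic selectors .* unacceptable", "network_mismatch",
     "Phase 2 networks differ: Local Network on one side must equal Remote Network on the other."),
]
COMPILED = [(re.compile(p), code, hint) for p, code, hint in RULES]


def triage(lines):
    """Return (code, hint, line) for each line a rule recognises, in log order.
    The first matching rule wins, so success lines and errors are both kept."""
    findings = []
    for line in lines:
        for pattern, code, hint in COMPILED:
            if pattern.search(line):
                findings.append((code, hint, line.strip()))
                break
    return findings


def verdict(lines):
    """'established' if the last recognised event was a Phase 2 coming up;
    otherwise the earliest error code, which is usually the root cause."""
    codes = [code for code, _, _ in triage(lines)]
    if codes and codes[-1] == "phase2_ok":
        return "established"
    for code in codes:
        if not code.endswith("_ok"):
            return code
    return "no_diagnosis"


# Constructed sample of a Site A log with three distinct failures in sequence.
FAILING_LOG = """\
Mar 12 10:01:02 pfsense-a charon[46871]: 13[IKE] <con1000|1> initiating IKE_SA con1000[1] to 203.0.113.5
Mar 12 10:01:06 pfsense-a charon[46871]: 13[IKE] <con1000|1> retransmit 1 of request with message ID 0
Mar 12 10:02:45 pfsense-a charon[46871]: 09[IKE] <con1000|1> giving up after 5 retransmits
Mar 12 10:05:10 pfsense-a charon[46871]: 11[IKE] <con1000|2> received AUTHENTICATION_FAILED notify error
Mar 12 10:07:30 pfsense-a charon[46871]: 14[IKE] <con1000|3> received TS_UNACCEPTABLE notify, no CHILD_SA built
"""

# Constructed sample of the same tunnel coming up.
WORKING_LOG = """\
Mar 12 10:09:01 pfsense-a charon[46871]: 06[IKE] <con1000|4> IKE_SA con1000[4] established between 198.51.100.3[198.51.100.3]...203.0.113.5[203.0.113.5]
Mar 12 10:09:01 pfsense-a charon[46871]: 06[IKE] <con1000|4> CHILD_SA con1000{1} established with SPIs c1d2e3f4_i a5b6c7d8_o and TS 10.3.0.0/24 === 10.5.0.0/24
"""

if __name__ == "__main__":
    for code, hint, line in triage(FAILING_LOG.splitlines()):
        print(f"[{code}] {hint}\n    {line}")
    print("verdict:", verdict(FAILING_LOG.splitlines()))
```

Run it against the lines copied from Status > System Logs > IPsec on the initiating side first; an AUTHENTICATION_FAILED notify there pairs with a "MAC mismatched" line on the responder, and a TS_UNACCEPTABLE notify means Phase 1 succeeded and only the Phase 2 networks need correcting.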

Once the tunnel is successfully connected, the IPsec status page will display a status like Established, as shown in Figure 18.

Figure 18: pfSense Site A IPsec Status page showing an Established and active tunnel.

Congratulations! You have successfully configured a site-to-site IPsec VPN tunnel between two pfSense firewalls using pre-shared keys. Your networks at Site A and Site B are now securely interconnected.
