How to create IPsec tunnel in pfsense

IPsec is one of the protocols for establishing secure site-to-site tunnels, and here we show how to create an IPsec tunnel in pfSense.

We use the latest pfSense Community Edition; to download it, head over to download pfsense.

Here is our environment:

Two pfSense instances on VMware

Public IP range: 192.168.143.0/24

Private IP ranges: 172.24.9.0/24 and 172.24.7.0/24

Topology:

our ipsec topology

1. Configure IPsec on pfsense 1

1.1 IPsec phase 1

In phase 1 we configure the authentication and encryption modes and algorithms.

To create the IPsec tunnel on the left-side pfSense, we navigate to “VPN > IPsec” and click on Add P1:

left side pfsense phase 1 configuration part 1

Now we click on “Generate new Pre-Shared Key” to generate a new one. We use this same key when we configure Phase 1 on the right-side pfSense:

left side pfsense phase 1 configuration part 2

Now we configure the encryption algorithm. Higher values mean more security, but they use more CPU resources.

left side pfsense phase 1 configuration part 3

left side pfsense phase 1 configuration part 4

And we leave the rest of the configuration intact:

left side pfsense phase 1 configuration part 5

1.2 IPsec phase 2

In phase 2 we configure the IP addresses for the two sides of the tunnel. We also set “Mode” to “Routed (VTI)”, because this creates an interface on which we can define custom routes:

left side pfsense phase 2 configuration part

left side pfsense phase 2 configuration part 2

left side pfsense phase 2 configuration part 3

1.3 Enable VTI interface

Now we navigate to “Interfaces > Assignments” and add the new interface related to IPsec:

left side pfsense interface assignment

Then we navigate to “Interfaces > OPT1” and enable it:

enabling left side pfsense ipsec interface

1.4 Routing

Now we navigate to “System > Routing” and add the required routes:

left side pfsense routing configuration

1.5 Firewall

The final step in the configuration is to add the required firewall rule to allow traffic in the IPsec tunnel:

left side pfsense firewall configuration

2. Configure IPsec on pfsense 2

2.1 IPsec phase 1

To create the IPsec tunnel on the right-side pfSense, we navigate to “VPN > IPsec” and click on Add P1:

right side pfsense ipsec phase 1 part 1

Now we enter the Pre-Shared Key that we created in step 1.1:

right side pfsense ipsec phase 1 part 2

The rest of the configuration MUST be the same as on the left-side pfSense:

right side pfsense ipsec phase 1 part 3

right side pfsense ipsec phase 1 part 4

right side pfsense ipsec phase 1 part 5

2.2 IPsec phase 2

Now we navigate to “VPN > IPsec” to configure phase 2 of the phase 1 we just created:

right side pfsense ipsec phase 2 part 1

right side pfsense ipsec phase 2 part 2

right side pfsense ipsec phase 2 part 3

2.3 Enable VTI interface

Now we navigate to “Interfaces > Assignments” and add the new interface related to IPsec:

right side pfsense interface assignment

Then we navigate to “Interfaces > OPT3” and enable it:

enabling right side pfsense ipsec interface

2.4 Routing

Now we navigate to “System > Routing” and add the required routes:

right side pfsense routing definition

2.5 Firewall

The final step in the configuration is to add the required firewall rule to allow traffic in the IPsec tunnel:

right side pfsense firewall configuration
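Before testing the tunnel it pays to confirm that the two peers really mirror each other: phase 1 parameters and the PSK identical, gateways and VTI addresses swapped rather than copied, and each side routing the other side's LAN. The following checker is an added example, not part of the original walkthrough or of pfSense; the public /24 and the two LANs are from this page, while the gateway addresses, VTI addresses, PSK and phase 1 algorithm choices are constructed for illustration.

```python
import ipaddress

# Constructed sample configurations for the two peers in this walkthrough.
# The public /24 and the two LANs come from the page; gateway addresses,
# VTI addresses, the PSK and the phase 1 algorithm choices are constructed.
LEFT = {
    "local_gateway": "192.168.143.10", "remote_gateway": "192.168.143.20",
    "phase1": {"ike": "IKEv2", "enc": "AES256-GCM", "hash": "SHA256",
               "dh_group": 14, "lifetime": 28800},
    "psk": "EXAMPLE-PSK-GENERATED-ON-LEFT",
    "vti_local": "10.10.10.1/30", "vti_remote": "10.10.10.2/30",
    "local_lan": "172.24.9.0/24", "route_to": "172.24.7.0/24",
}
RIGHT = {
    "local_gateway": "192.168.143.20", "remote_gateway": "192.168.143.10",
    "phase1": dict(LEFT["phase1"]), "psk": LEFT["psk"],
    "vti_local": "10.10.10.2/30", "vti_remote": "10.10.10.1/30",
    "local_lan": "172.24.7.0/24", "route_to": "172.24.9.0/24",
}


def check_pair(left, right):
    """Return a list of mismatch descriptions; an empty list means the
    two peers are consistent and the tunnel should negotiate."""
    problems = []
    # Step 2.1: every phase 1 parameter must be identical on both peers.
    for key in sorted(set(left["phase1"]) | set(right["phase1"])):
        lv, rv = left["phase1"].get(key), right["phase1"].get(key)
        if lv != rv:
            problems.append(f"phase1 {key}: {lv} != {rv}")
    if left["psk"] != right["psk"]:
        problems.append("pre-shared key differs")
    # Gateways and VTI addresses are mirrored between the sides, not copied.
    for mine, theirs in (("local_gateway", "remote_gateway"),
                         ("vti_local", "vti_remote")):
        if left[mine] != right[theirs] or left[theirs] != right[mine]:
            problems.append(f"{mine}/{theirs} not mirrored")
    vl, vr = (ipaddress.ip_interface(c["vti_local"]) for c in (left, right))
    if vl.network != vr.network:
        problems.append(f"VTI endpoints not in one subnet: {vl.network} vs {vr.network}")
    # Steps 1.4/2.4: each side routes the peer's LAN over the VTI interface.
    for me, peer, name in ((left, right, "left"), (right, left, "right")):
        if me["route_to"] != peer["local_lan"]:
            problems.append(f"{name} routes {me['route_to']}, peer LAN is {peer['local_lan']}")
    # Overlapping LANs cannot be reached through the tunnel at all.
    if ipaddress.ip_network(left["local_lan"]).overlaps(
            ipaddress.ip_network(right["local_lan"])):
        problems.append("LAN ranges overlap")
    return problems
```

`check_pair(LEFT, RIGHT)` returns an empty list for the consistent pair above; changing a single phase 1 value, the PSK, or a route on one side produces a one-line description of the mismatch.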

3. Check connectivity

Now, on pfSense 1, we can use “Diagnostics > Ping” to ping a host in 172.24.7.0/24, and on pfSense 2 to ping a host in 172.24.9.0/24:

ipsec tunnel connectivity check