pfSense
This tutorial explains how to set up a policy-based or route-based IPsec VPN with a pfSense device.
(Policy-based only) LAN interface configuration
- From the pfSense WebGUI, select Interfaces > LAN.
- Choose an interface from the Available network ports list.
- Select Add. The General Configuration dialog displays.
Use the values in the following table.

| Field | Value | 
|---|---|
| Enable | ✔️ Enable interface | 
| Description | LAN | 
| IPv4 Configuration Type | Static IPv4 | 
| IPv6 Configuration Type | Static IPv6 | 
| MSS | 1446 | 
Phase 1
Policy-based configuration

| Field | Value | 
|---|---|
| Description | Name | 
| Key Exchange Version | IKE v2 | 
| Internet Protocol | IPv4 | 
| Interface | WAN | 
| Remote Gateway | <Anycast IP provided by Cloudflare> | 

| Field | Value | 
|---|---|
| Life Time | 28800 | 
| Rekey Time | 14400 | 
| Reauth Time | 0 | 
Route-based configuration

| Field | Value | 
|---|---|
| Description | Name | 
| Key Exchange Version | IKE v2 | 
| Internet Protocol | IPv4 | 
| Interface | WAN | 
| Remote Gateway | <Anycast IP provided by Cloudflare> | 

| Field | Value | 
|---|---|
| Life Time | 28800 | 
| Rekey Time | 14400 | 
| Reauth Time | 0 | 
Phase 2
Policy-based configuration

| Field | Value | 
|---|---|
| Description | Name | 
| Mode | Tunnel IPv4 | 
| Local Network | <Local Network to be tunneled> | 
| NAT/BINAT translation | None | 
| Remote Network | Remote network available via the tunnel | 

| Field | Value | 
|---|---|
| Protocol | ESP | 
| Encryption Algorithm | ✔️ AES128-GCM, 128 bits | 
| PFS key group | 14 (2048 bit) | 

| Field | Value | 
|---|---|
| Life Time | 3600 | 
| Rekey Time | 3240 | 
| Rand Time | 360 | 
| Automatically ping host | Specify an IP address available via the tunnel. Refer to the Description field for more information. | 
Route-based configuration


| Field | Value | 
|---|---|
| Description | Name | 
| Mode | Routed (VTI) | 
| Local Network | <Local Tunnel Inside IP> | 
| Remote Network | <Remote Tunnel Inside IP> | 

| Field | Value | 
|---|---|
| Protocol | ESP | 
| Encryption Algorithm | ✔️ AES128-GCM, 128 bits | 
| PFS key group | 14 (2048 bit) | 

| Field | Value | 
|---|---|
| Life Time | 3600 | 
| Rekey Time | 3240 | 
| Rand Time | 360 | 
| Automatically ping host | Specify an IP address available via the tunnel. Refer to the Description field for more information. | 
(Route-based only) Interface assignment
- From the pfSense WebGUI, select Interfaces > LAN.
- Choose an interface from the Available network ports list.
- Select Add. The General Configuration dialog displays.
Use the values in the following table.

| Field | Value | 
|---|---|
| Enable | ✔️ Enable interface | 
| Description | LAN | 
| IPv4 Configuration Type | Static IPv4 | 
| IPv6 Configuration Type | Static IPv6 | 
| MSS | 1446 | 
- From the pfSense WebGUI, select Interfaces > Assignments.
- From Available network ports, select + Add.
- Under Interface, select OPT1.
- Ensure Enable interface is selected.
- For Description, add a description to help you identify the interface.
- For MSS, enter 1446, which should be the same as the LAN interface.
- Select Save to save your changes when you are done.
Routing configuration
- From the pfSense WebGUI, select System > Routing > Static Routes.
- On the Static Routes page, select Add.
- Create static routes for all networks that will be routed via the tunnel, with the IPsec VTI interface as the Gateway.

Firewall configuration
- From the pfSense WebGUI, select Firewall > Rules.
- Select LAN.
- Ensure a rule exists that allows traffic from LAN to IPsec.
- Select Save when you are done.
If you need to allow traffic from IPsec to LAN, you will need to create rules that allow this.
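
To check a finished configuration against the values in the tables above, the following added example (not part of the original tutorial or of pfSense) audits an exported configuration backup. The XML element names, the `vti`/`tunnel` mode strings and the sample document are assumptions constructed for illustration; adjust them to match your own backup.

```python
import xml.etree.ElementTree as ET

# Expected values come from the tables on this page. The element names and the
# "vti"/"tunnel" mode strings are assumptions about the config backup layout.
PHASE1 = {"iketype": "ikev2", "lifetime": "28800",
          "rekey_time": "14400", "reauth_time": "0"}
PHASE2 = {"protocol": "esp", "pfsgroup": "14", "lifetime": "3600",
          "rekey_time": "3240", "rand_time": "360",
          "encryption-algorithm-option/name": "aes128gcm",
          "encryption-algorithm-option/keylen": "128"}
MSS = "1446"

# Constructed sample (not a real backup): route-based tunnel with two mistakes.
SAMPLE = """<pfsense>
 <interfaces><lan><mss>1446</mss></lan><opt1><mss>1400</mss></opt1></interfaces>
 <ipsec>
  <phase1><iketype>ikev2</iketype><lifetime>28800</lifetime>
   <rekey_time>14400</rekey_time><reauth_time>0</reauth_time></phase1>
  <phase2><mode>vti</mode><protocol>esp</protocol><pfsgroup>2</pfsgroup>
   <encryption-algorithm-option><name>aes128gcm</name><keylen>128</keylen>
   </encryption-algorithm-option><lifetime>3600</lifetime>
   <rekey_time>3240</rekey_time><rand_time>360</rand_time></phase2>
 </ipsec></pfsense>"""

def audit(xml_text):
    """Return a list of findings; an empty list means the backup matches."""
    root, findings = ET.fromstring(xml_text), []

    def compare(node, where, expected):
        for path, want in expected.items():
            got = None if node is None else node.findtext(path)
            if got != want:
                findings.append(f"{where}: {path} is {got!r}, expected {want!r}")

    for n, p1 in enumerate(root.findall("ipsec/phase1"), 1):
        compare(p1, f"phase1 #{n}", PHASE1)
    mss_ifaces = {"lan"}                 # LAN always carries the MSS clamp
    for n, p2 in enumerate(root.findall("ipsec/phase2"), 1):
        compare(p2, f"phase2 #{n}", PHASE2)
        mode = p2.findtext("mode")
        if mode == "vti":                # route-based: OPT1 must match LAN
            mss_ifaces.add("opt1")
        elif mode != "tunnel":           # policy-based uses Tunnel IPv4
            findings.append(f"phase2 #{n}: unexpected mode {mode!r}")
    for name in sorted(mss_ifaces):
        compare(root.find(f"interfaces/{name}"), f"interface {name}", {"mss": MSS})
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "matches the page")
```

A configuration backup also holds the tunnel's pre-shared key, so run the check where the backup is already stored instead of copying the file elsewhere.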