--- title: pfSense description: Integrate pfSense with Zero Trust networking. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ IPsec ](https://developers.cloudflare.com/search/?tags=IPsec) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/networks/connectors/cloudflare-wan/configuration/manually/third-party/pfsense.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # pfSense **Last reviewed:** almost 2 years ago This tutorial includes the steps required to configure IPsec tunnels to connect a pfSense firewall to Cloudflare WAN (formerly Magic WAN). ## Software tested | Manufacturer | Firmware revision | | ------------ | ----------------- | | pfSense | 24.03 | ## Prerequisites This tutorial requires the following information: * Anycast IP addresses (Cloudflare provides these) * External IP addresses * Internal IP address ranges * Inside tunnel `/31` ranges ## Example scenario This tutorial uses the following IP addresses. These examples replace legally routable IP addresses with IPv4 Address Blocks Reserved for Documentation ([RFC 5737 ↗](https://datatracker.ietf.org/doc/html/rfc5737)) addresses within the `203.0.113.0/24` subnet. | Tunnel name | PF\_TUNNEL\_01 | PF\_TUNNEL\_02 | | --------------------------------------- | ------------------------------- | ------------------------------- | | Interface address | 10.252.2.26/31 | 10.252.2.28/31 | | Customer endpoint | 203.0.113.254 | 203.0.113.254 | | Cloudflare endpoint | | | | pfSense IPsec Phase 2 Local IP | 10.252.2.27 | 10.252.2.29 | | pfSense IPsec Phase 2 Remote IP | 10.252.2.26 | 10.252.2.28 | | Cloudflare WAN static routes - Prefix | 10.1.100.0/24 | 10.1.100.0/24 | | Cloudflare WAN static routes - Next hop | PF\_TUNNEL\_01 | PF\_TUNNEL\_02 | ## 1\. Configure Cloudflare WAN IPsec tunnels Use the Cloudflare dashboard or API to [configure two IPsec tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/manually/how-to/configure-tunnel-endpoints/#add-tunnels). This guide uses the settings mentioned below for the IPsec tunnels throughout the remainder. ### Add IPsec tunnels 1. Follow the [Add tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/manually/how-to/configure-tunnel-endpoints/#add-tunnels) instructions to create the required IPsec tunnels with the following options: * **Tunnel name**: `PF_TUNNEL_01` * **Interface address**: `10.252.2.26/31` * **Customer endpoint**: `203.0.113.254` * **Cloudflare endpoint**: Enter one of the anycast IP addresses assigned to your account, available in [Leased IPs ↗](https://dash.cloudflare.com/?to=/:account/ip-addresses/address-space). * **Health check rate**: _Medium_ * **Health check type**: _Request_ * **Health check direction**: _Bidirectional_ * **Turn on replay protection**: Enable 2. Select **Add pre-shared key later** \> **Add tunnels**. 3. Repeat the process to create a second IPsec tunnel with the following options: * **Tunnel name**: `PF_TUNNEL_02` * **Interface address**: `10.252.2.28/31` * **Customer endpoint**: `203.0.113.254` * **Cloudflare endpoint**: Enter the second anycast IP address assigned to your account. * **Health check rate**: _Medium_ * **Health check type**: _Request_ * **Health check direction**: _Bidirectional_ * **Turn on replay protection**: Enable 4. Select **Add pre-shared key later** \> **Add tunnels**. Note If site-to-site traffic is a requirement, enable replay protection. Refer to [Add tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/manually/how-to/configure-tunnel-endpoints/#add-tunnels) \> IPsec tunnel to learn how to enable this feature. ### Generate pre-shared keys When creating IPsec tunnels with the option **Add pre-shared key later**, the Cloudflare dashboard will show a warning indicator. 1. Select **Edit** to edit the properties of each IPsec tunnel. 2. Select **Generate a new pre-shared key** \> **Update and generate pre-shared key**. 3. Copy the pre-shared key value for each IPsec tunnel, and save these values. Then, select **Done**. Note Take note of the pre-shared keys to use later in pfSense. ### IPsec identifier - User ID After creating IPsec tunnels, the Cloudflare dashboard will list them under **Tunnels**. To retrieve the IPsec tunnel's user ID: 1. Go to the **Connectors** page. [ Go to **Connectors** ](https://dash.cloudflare.com/?to=/:account/magic-networks/connections) 1. In the **IPsec/GRE tunnels** tab, select the IPsec tunnel. 2. Scroll to **User ID** and copy the string. For example, `ipsec@long_string_of_letters_and_numbers`. Configuring IKE Phase 1 on the pfSense firewall requires the User ID. ## 2\. Create Cloudflare WAN static routes Create a [static route](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/manually/how-to/configure-routes/#create-a-static-route) for each of the two IPsec tunnels configured in the previous section, with the following settings (settings not mentioned here can be left with their default values): ### Tunnel 01 * **Description**: `PF_TUNNEL_01` * **Prefix**: `10.1.100.0/24` * **Tunnel/Next hop**: `PF_TUNNEL_01` ### Tunnel 02 * **Description**: `PF_TUNNEL_02` * **Prefix**: `10.1.100.0/24` * **Tunnel/Next hop**: `PF_TUNNEL_02` ## 3\. Configure the pfSense firewall Install pfSense and boot up. Then, assign and set LAN and WAN interfaces, as well as IP addresses. For example: * **LAN**: `203.0.113.254` * **WAN**: `` ### Configure IPsec Phase 1 Add a new IPsec tunnel [Phase 1 entry ↗](https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configure-p1.html), with the following settings: * **General Information** * **Description**: `CF1_IPsec_P1` * **IKE Endpoint Configuration** * **Key exchange version**: _IKE\_v2_ * **Internet Protocol**: _IPv4_ * **Interface**: _WAN_ * **Remote gateway**: Enter the Cloudflare Anycast IP address. * **Phase 1 Proposal (Authentication)** * **Authentication method**: _Mutual PSK_ * **My identifier**: _User Fully qualified domain name_ \> `ipsec@long_string_of_letters_and_numbers` (Find this identifier in the Cloudflare IPsec tunnel configuration > **User ID**) * **Peer identifier**: _Peer IP Address_ (Cloudflare Anycast IP) * **Pre-Shared Key (PSK)**: Enter the pre-shared key from the Cloudflare IPsec tunnel. * **Phase 1 proposal (Encryption algorithm)** * **Encryption algorithm**: _AES 256 bits_ * **Key length**: _256 bits_ * **Hash algorithm**: _SHA256_ * **DH key group**: _20_ * **Lifetime**: `86400` ### Configure IPsec Phase 2 Add a new IPsec tunnel [Phase 2 entry ↗](https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configure-p2.html), with the following settings. Create two separate Phase 2 entries (one for tunnel 1 and one for tunnel 2), adjusting the IP addresses for local and remote networks accordingly: * **General Information** * **Description**: `CF1_IPsec_P2` * **Mode**: _Routed (VTI)_ (Virtual Tunnel Interface) * **Networks** * **Local Network**: _Address_ \> Higher IP address in the `/31` assigned in Cloudflare tunnel. For example, `10.252.2.27` for tunnel 1 and `10.252.2.29` for tunnel 2. * **Remote Network**: _Address_ \> Lower IP address in the `/31` for Cloudflare side. For example, `10.252.2.26` for tunnel 1, and `10.252.2.28` for tunnel 2. * **Phase 2 Proposal (SA/Key Exchange)** * **Protocol**: _ESP_ (Encapsulating Security Payload) * **Encryption algorithm**: _AES 256 bits_ * **Hash algorithm**: _SHA256_ * **DH key group**: _20_ * **Lifetime**: `28800` Apply the changes. Navigate to **Status** \> **IPsec** to verify that both Phase 1 and Phase 2 are connected. ![pfSense IPsec overview](https://developers.cloudflare.com/_astro/ipsec-overview.B7tL0kto_ZxRvza.webp) ### Interface assignments In **Interfaces** \> **Assignments** \> **Add**, create a new interface to assign to the first IPsec tunnel, with the following settings: * **General configuration** * **Description**: `CF1_IPsec_1` * **MSS**: `1446` * **Interface Assignments** * **WAN**: Add the WAN interface. For example, `vnet1`. * **LAN**: Add the LAN interface. For example, `vnet0`. * Add the **CF\_IPsec\_1** interface from Phase 1 above. Select **Save** to apply the changes. ![Assign a new interface to the first IPsec tunnel](https://developers.cloudflare.com/_astro/interfaces.COkbEEZi_5wRFO.webp) ![Configuring interface assignments](https://developers.cloudflare.com/_astro/interface-assignments.CblqhRKO_Z2dDz1p.webp) ### Gateway In **System** \> **Routing** \> **Gateways** there should already be a gateway. For this example, it is named `CF1_IPSEC_1_VTIV4`. ![There should already be a gateway configured in the interface](https://developers.cloudflare.com/_astro/gateways.BWYSJrzk_Eidcl.webp) ### Firewall Rules IPsec 1. In **Firewall Rules** \> **IPsec interface**, allow any type of traffic. ![Allow all traffic for IPsec](https://developers.cloudflare.com/_astro/firewall-ipsec.CgXaJWLX_2i6XvS.webp) 1. Navigate to **Status** \> **Gateways**. `CF1_IPSEC_1_VTIV4` should now be online. ![The gateway should now be online](https://developers.cloudflare.com/_astro/status-gateways.CAqgLr_K_Z1yxqp4.webp) ### Firewall Rules LAN 1. In **Firewall** \> **Rules** \> **LAN**, allow any type of traffic. 2. Expand the **Advanced** section. 3. Change the Gateway to `CF1_IPSEC_1_VTIV4`. ![Change the gateway in the firewall rules for LAN traffic](https://developers.cloudflare.com/_astro/firewall-lan.DduZnf_o_Z2e3GTA.webp) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/networks/","name":"Networks"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/networks/connectors/","name":"Connectors"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/networks/connectors/cloudflare-wan/","name":"Cloudflare WAN"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/networks/connectors/cloudflare-wan/configuration/","name":"Configuration"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/networks/connectors/cloudflare-wan/configuration/manually/","name":"Manual configuration"}},{"@type":"ListItem","position":8,"item":{"@id":"/cloudflare-one/networks/connectors/cloudflare-wan/configuration/manually/third-party/","name":"Third-party integration"}},{"@type":"ListItem","position":9,"item":{"@id":"/cloudflare-one/networks/connectors/cloudflare-wan/configuration/manually/third-party/pfsense/","name":"pfSense"}}]} ```