pfSense

This tutorial explains how to set up a policy-based or route-based IPsec VPN with a pfSense device.

(Policy-based only) LAN interface configuration

From the pfSense WebGUI, select Interfaces > LAN. Choose an interface from the Available network ports list. Select Add. The General Configuration dialog displays.

Note: You may need to adjust the MSS on the LAN interface. With the selected IPsec encryption ciphers, 1406 is the ideal MSS, as pfSense subtracts 40 from the value you specify.

Use the following values:

Enable: ✔️ Enable interface
Description: LAN
IPv4 Configuration Type: Static IPv4
IPv6 Configuration Type: Static IPv6
MSS: 1446

Phase 1

Policy-based and route-based configuration (the Phase 1 values are the same in both modes):

Description: <Name>
Key Exchange Version: IKE v2
Internet Protocol: IPv4
Interface: WAN
Remote Gateway: <Anycast IP provided by Cloudflare>
Life Time: 28800
Rekey Time: 14400
Reauth Time: 0

Phase 2

Policy-based configuration:

Description: <Name>
Mode: Tunnel IPv4
Local Network: <Local network to be tunneled>
NAT/BINAT translation: None
Remote Network: <Remote network available via the tunnel>
Protocol: ESP
Encryption Algorithm: ✔️ AES128-GCM, 128 bits
PFS key group: 14 (2048 bit)
Life Time: 3600
Rekey Time: 3240
Rand Time: 360
Automatically ping host: Specify an IP address available via the tunnel. Refer to the Description field for more information.

Route-based configuration:

Description: <Name>
Mode: Routed (VTI)
Local Network: <Local Tunnel Inside IP>
Remote Network: <Remote Tunnel Inside IP>
Protocol: ESP
Encryption Algorithm: ✔️ AES128-GCM, 128 bits
PFS key group: 14 (2048 bit)
Life Time: 3600
Rekey Time: 3240
Rand Time: 360
Automatically ping host: Specify an IP address available via the tunnel. Refer to the Description field for more information.
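The Life Time, Rekey Time and Rand Time values above only work together if rekeying is guaranteed to start, with jitter, before the hard lifetime expires. The following Python is an added example (not pfSense or Cloudflare code) that checks the Phase 1 and Phase 2 timers from these tables for that property. It assumes the pfSense fields map onto strongSwan's swanctl semantics, which pfSense uses under the hood: rekeying starts at Rekey Time minus a random value between 0 and Rand Time, Life Time is the hard expiry after which the SA is deleted, and Reauth Time 0 disables IKE re-authentication.

```python
"""Sanity checks for the IKE SA (Phase 1) and child SA (Phase 2) timers.

Added example; not part of pfSense or the Cloudflare tutorial. The timer
semantics assumed here are strongSwan's (pfSense's IPsec daemon):
  - rekeying begins at rekey_time - random(0 .. rand_time)
  - life_time is the hard expiry; the SA is deleted when it is reached
  - reauth_time 0 means IKE re-authentication is disabled
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SaTimers:
    name: str
    life_time: int   # seconds, hard expiry
    rekey_time: int  # seconds, soft expiry at which rekeying starts
    rand_time: int = 0    # seconds of random jitter subtracted from rekey_time
    reauth_time: int = 0  # Phase 1 only; 0 = disabled


def rekey_window(sa: SaTimers) -> tuple[int, int]:
    """Earliest and latest second at which rekeying of this SA can begin."""
    return sa.rekey_time - sa.rand_time, sa.rekey_time


def rekey_margin(sa: SaTimers) -> int:
    """Worst-case time left to finish the rekey before the hard lifetime hits."""
    return sa.life_time - sa.rekey_time


def check_timers(phase1: SaTimers, phase2: SaTimers) -> list[str]:
    """Return a list of findings; an empty list means the timers are consistent."""
    findings: list[str] = []
    for sa in (phase1, phase2):
        if sa.rekey_time >= sa.life_time:
            findings.append(f"{sa.name}: Rekey Time ({sa.rekey_time}) must be below "
                            f"Life Time ({sa.life_time}), or the SA expires before it is replaced")
        if sa.rand_time >= sa.rekey_time:
            findings.append(f"{sa.name}: Rand Time ({sa.rand_time}) is not below Rekey Time "
                            f"({sa.rekey_time}); the jitter could schedule a rekey at or before time 0")
    if phase1.reauth_time != 0:
        findings.append("Phase 1: Reauth Time is non-zero; re-authentication rebuilds the IKE SA "
                        "and all child SAs instead of rekeying them in place")
    if phase2.life_time > phase1.life_time:
        findings.append("Phase 2 Life Time exceeds Phase 1 Life Time; the IKE SA would expire "
                        "while a child SA is still expected to live under it")
    return findings


# Values taken from the Phase 1 and Phase 2 tables in this tutorial.
PHASE1 = SaTimers("Phase 1", life_time=28800, rekey_time=14400, reauth_time=0)
PHASE2 = SaTimers("Phase 2", life_time=3600, rekey_time=3240, rand_time=360)

if __name__ == "__main__":
    print("Phase 2 rekey window:", rekey_window(PHASE2), "margin:", rekey_margin(PHASE2))
    for finding in check_timers(PHASE1, PHASE2) or ["timers consistent"]:
        print(finding)
```

With the tutorial's values the child SA rekeys somewhere between 2880 s and 3240 s and always has at least 360 s to complete before the 3600 s hard expiry; the same relationship (Rekey Time 90% of Life Time, Rand Time 10%) is what pfSense pre-fills, so a mismatch usually means someone edited one field without the others.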

(Route-based only) Interface assignment

From the pfSense WebGUI, select Interfaces > LAN. Choose an interface from the Available network ports list. Select Add. The General Configuration dialog displays.

Note: You may need to adjust the MSS on the LAN interface. With the selected IPsec encryption ciphers, 1406 is the ideal MSS, as pfSense subtracts 40 from the value you specify.

Use the following values:

Enable: ✔️ Enable interface
Description: LAN
IPv4 Configuration Type: Static IPv4
IPv6 Configuration Type: Static IPv6
MSS: 1446

From the pfSense WebGUI, select Interfaces > Assignments.

From Available network ports, select + Add.

Under Interface, select OPT1.

Ensure Enable interface is selected. For Description, add a description to help you identify the interface. For MSS, enter 1446, which should be the same as the LAN interface. Select Save to save your changes when you are done.
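Both the LAN interface note and the interface-assignment step above use the pair 1446 (the MSS field value) and 1406 (the TCP MSS pfSense actually clamps to). The following Python is an added example, not code from pfSense or Cloudflare, that derives those figures from the ESP packet layout so you can re-check them if the cipher, the outer MTU or NAT traversal changes. It assumes the standard ESP framing for AES-GCM (RFC 4303 and RFC 4106): an outer IPv4 header, an 8-byte SPI/sequence header, an 8-byte IV, padding to 4-byte alignment, a 2-byte trailer and a 16-byte ICV; the `nat_t` flag adds the 8-byte UDP header used for NAT traversal.

```python
"""Effective inner MTU and TCP MSS for an IPv4 ESP tunnel using AES128-GCM.

Added example; not pfSense or Cloudflare code. Overheads follow RFC 4303 (ESP)
and RFC 4106 (AES-GCM in ESP) and assume an IPv4 outer header without options.
"""

IPV4_HEADER = 20        # outer (and inner) IPv4 header, no options
TCP_HEADER = 20         # TCP header, no options
ESP_HEADER = 8          # SPI (4) + sequence number (4)
GCM_IV = 8              # explicit AES-GCM IV carried in the packet
GCM_ICV = 16            # 128-bit ICV, matching "AES128-GCM, 128 bits" in the tutorial
ESP_TRAILER = 2         # pad length (1) + next header (1)
UDP_HEADER = 8          # only present with NAT traversal (UDP port 4500 encapsulation)
PFSENSE_MSS_OFFSET = 40  # pfSense subtracts IPv4 (20) + TCP (20) from the MSS field value


def esp_padding(inner_len: int) -> int:
    """Padding needed so that inner packet + trailer ends on a 4-byte boundary.

    AES-GCM is a stream-style mode, so only ESP's 4-byte alignment rule applies
    (CBC ciphers would additionally need 16-byte block alignment).
    """
    return (-(inner_len + ESP_TRAILER)) % 4


def esp_packet_len(inner_len: int, nat_t: bool = False) -> int:
    """Total on-the-wire length of one ESP packet carrying an inner packet of inner_len."""
    return (IPV4_HEADER + (UDP_HEADER if nat_t else 0) + ESP_HEADER + GCM_IV
            + inner_len + esp_padding(inner_len) + ESP_TRAILER + GCM_ICV)


def tunnel_inner_mtu(outer_mtu: int = 1500, nat_t: bool = False) -> int:
    """Largest inner IPv4 packet that fits in one ESP packet without fragmentation.

    Searches downward because the padding depends on the inner length itself.
    """
    for inner in range(outer_mtu, 0, -1):
        if esp_packet_len(inner, nat_t) <= outer_mtu:
            return inner
    raise ValueError("outer MTU too small for any ESP payload")


def tcp_mss_for_inner_mtu(inner_mtu: int) -> int:
    """TCP MSS that keeps a full-size segment within the inner MTU."""
    return inner_mtu - IPV4_HEADER - TCP_HEADER


def pfsense_clamped_mss(mss_field_value: int) -> int:
    """What pfSense actually clamps TCP MSS to for a given MSS field value."""
    return mss_field_value - PFSENSE_MSS_OFFSET


if __name__ == "__main__":
    for nat_t in (False, True):
        inner = tunnel_inner_mtu(1500, nat_t)
        print(f"NAT-T={nat_t}: inner MTU {inner}, MSS field value {inner}, "
              f"clamped TCP MSS {pfsense_clamped_mss(inner)}")
```

For a 1500-byte WAN MTU without NAT traversal the inner MTU comes out at 1446, which is the value the tutorial puts in the MSS field, and pfSense's clamp of 1446 - 40 = 1406 equals the MSS the inner MTU allows. If the tunnel is UDP-encapsulated (NAT-T), the same calculation drops the inner MTU to 1438, so the MSS field should be lowered accordingly rather than left at 1446.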

Routing configuration

From the pfSense WebGUI, select System > Routing > Static Routes. On the Static Routes page, select Add. Create static routes for all networks that will be routed via the tunnel, with Gateway set to the IPsec VTI interface.

Firewall configuration

From the pfSense WebGUI, select Firewall > Rules. Select LAN. Ensure a rule exists that allows traffic from LAN to IPsec. Select Save when you are done.

If you need to allow traffic from IPsec to LAN, you will need to create rules that allow this.