pfSense

Last reviewed: 5 months ago

This tutorial includes the steps required to configure IPsec tunnels to connect a pfSense firewall to Cloudflare Magic WAN.

Software tested

Manufacturer	Firmware revision
pfSense	24.03

Prerequisites

For this tutorial, you will need to know the following information:

Your Anycast IP addresses (given to you by Cloudflare)
External IP addresses
Internal IP address ranges
Inside tunnel /31 ranges

Example scenario

The following IP addresses are used throughout this tutorial. Any legally routable IP addresses have been replaced with IPv4 Address Blocks Reserved for Documentation (RFC 5737 ↗) addresses within the 203.0.113.0/24 subnet.

Tunnel name	`PF_TUNNEL_01`	`PF_TUNNEL_02`
Interface address	`10.252.2.26/31`	`10.252.2.28/31`
Customer endpoint	`203.0.113.254`	`203.0.113.254`
Cloudflare endpoint	`<YOUR_ANYCAST_IP_ADDRESS_1>`	`<YOUR_ANYCAST_IP_ADDRESS_2>`
Pfsense IPsec Phase 2 Local IP	`10.252.2.27`	`10.252.2.29`
Pfsense IPsec Phase 2 Remote IP	`10.252.2.26`	`10.252.2.28`
Magic WAN static routes — Prefix	`10.1.100.0/24`	`10.1.100.0/24`
Magic WAN static routes — Next hop	`PF_TUNNEL_01`	`PF_TUNNEL_02`

1. Configure Magic WAN IPsec tunnels

Use the Cloudflare dashboard or API to configure two IPsec tunnels. The settings mentioned below are used for the IPsec tunnels referenced throughout the remainder of this guide.

Add IPsec tunnels

Follow the Add tunnels instructions to create the required IPsec tunnels with the following options:
- Tunnel name: PF_TUNNEL_01
- Interface address: 10.252.2.26/31
- Customer endpoint: 203.0.113.254
- Cloudflare endpoint: Enter the Anycast IP address provided by Cloudflare.
- Health check rate: Medium
- Health check type: Request
- Health check direction: Bidirectional
Select Add pre-shared key later > Add tunnels.
Repeat the process to create a second IPsec tunnel with the following options:
- Tunnel name: PF_TUNNEL_02
- Interface address: 10.252.2.28/31
- Customer endpoint: 203.0.113.254
- Cloudflare endpoint: Enter the Anycast IP address provided by Cloudflare.
- Health check rate: Medium
- Health check type: Request
- Health check direction: Bidirectional
Select Add pre-shared key later > Add tunnels.

Generate pre-shared keys

When you create IPsec tunnels with the option Add pre-shared key later, the Cloudflare dashboard will show you a warning indicator.

Select Edit to edit the properties of each IPsec tunnel you have created.
Select Generate a new pre-shared key > Update and generate pre-shared key.
Copy the pre-shared key value for each of your IPsec tunnels, and save these values somewhere safe. Then, select Done.

IPsec identifier - User ID

After creating your IPsec tunnels, the Cloudflare dashboard will list them under Tunnels. To retrieve your IPsec tunnel’s user ID:

Go to Magic WAN > Configuration.
Select Tunnels.
Select the IPsec tunnel.
Scroll to User ID and copy the string. For example, ipsec@long_string_of_letters_and_numbers.

The User ID will be required when configuring IKE Phase 1 on the pfSense firewall.

2. Create Magic WAN static routes

Create a static route for each of the two IPsec tunnels configured in the previous section, with the following settings (settings not mentioned here can be left with their default values):

Tunnel 01

Description: PF_TUNNEL_01
Prefix: 10.1.100.0/24
Tunnel/Next hop: PF_TUNNEL_01

Tunnel 02

Description: PF_TUNNEL_02
Prefix: 10.1.100.0/24
Tunnel/Next hop: PF_TUNNEL_02

3. Configure the pfSense firewall

Install pfSense and boot up. Then, assign and set LAN and WAN interfaces, as well as IP addresses. For example:

LAN: 203.0.113.254
WAN: <YOUR_WAN_ADDRESS>

Configure IPsec Phase 1

Add a new IPsec tunnel Phase 1 entry ↗, with the following settings:

General Information
- Description: CF1_IPsec_P1
IKE Endpoint Configuration
- Key exchange version: IKE_v2
- Internet Protocol: IPv4
- Interface: WAN
- Remote gateway: Enter your Cloudflare Anycast IP address.
Phase 1 Proposal (Authentication)
- Authentication method: Mutual PSK
- My identifier: User Fully qualified domain name > ipsec@long_string_of_letters_and_numbers
  (You can get this identifier from your Cloudflare IPsec tunnel configuration > User ID)
- Peer identifier: Peer IP Address (your Cloudflare Anycast IP)
- Pre-Shared Key: Enter the PSK you have on your Cloudflare IPsec tunnel.
Phase 1 proposal (Encryption algorithm)
- Encryption algorithm: AES 256 bits
- Key length: 256 bits
- Hash algorithm: SHA256
- DH key group: 14
- Lifetime: 28800

pfSense IPsec phase 1 settings

Configure IPsec Phase 2

Add a new IPsec tunnel Phase 2 entry ↗, with the following settings. You need to create an entry for tunnel 1 and 2, making the appropriate changes for the IP addresses for local and remote network:

General Information
- Description: CF1_IPsec_P2
- Mode: Routed (VTI)
Networks
- Local Network: Address > Upper IP address in the /31 assigned in Cloudflare tunnel. For example, 10.252.2.27 for tunnel 1 and 10.252.2.29 for tunnel 2.
- Remote Network: Address > Lower IP address in the /31 for Cloudflare side. For example, 10.252.2.26 for tunnel 1, and 10.252.2.28 for tunnel 2.
Phase 2 Proposal (SA/Key Exchange)
- Protocol: ESP
- Encryption algorithm: AES 256 bits
- Hash algorithm: SHA256
- DH key group: 14
- Lifetime: 3600

pfSense IPsec phase 2 settings

When you are finished, apply your changes. If you go to Status > IPsec, you should be able to check that both Phase 1 and Phase 2 are connected.

pfSense IPsec overview

Interface assignments

In Interfaces > Assignments > Add, create a new interface to assign to the first IPsec tunnel, with the following settings:

General configuration
- Description: CF1_IPsec_1
- MSS: 1446
Interface Assignments
- WAN: Add your WAN interface. For example, vnet1.
- LAN: Add your LAN interface. For example, vnet0.
- Add your CF_IPsec_1 that you have created above for Phase 1.