How to Configure IPsec VPN on PfSense Firewall

October 10, 2016 | FIREWALL

This article is about securing the IP layer with a Virtual Private Network (VPN) based on IPsec (Internet Protocol Security) on the well-known open source firewall pfSense. The two components of the IPsec protocol suite, Authentication Header (AH) and Encapsulating Security Payload (ESP), provide packet integrity, authentication and confidentiality. IPsec uses cryptographic mechanisms to protect communications at the IP layer, so all IP traffic between a local and a remote location can be encrypted and authenticated.

The pfSense firewall uses the open source tool Strongswan to provide the IPsec VPN functionality. Both phases of IPsec (key exchange and encryption) are implemented by Strongswan on Linux/Unix platforms. It provides the Internet Key Exchange (IKE), i.e. the automatic sharing of keys among the nodes or gateways of the IPsec VPN, and then uses the Linux/Unix kernel implementation of authentication (AH) and encryption (ESP). Strongswan uses the OpenSSL implementation of cryptographic algorithms (such as AES128/256, MD5/SHA1 etc.) in the first phase (IKE) of the IPsec VPN. The Encapsulating Security Payload (ESP) is available in Linux/Unix kernels and is used by Strongswan in the second phase of the VPN.


To follow this article, I assume you have already installed pfSense on a VM. In this setup, each VM has two interfaces (WAN and LAN) with IP addresses configured. The following figures show the interface and IP address assignment for the device-a and device-b VMs.

device-a interface and IP settings

interface settings pfsense1

device-b interface and IP settings

interface settings pfsense2

The Strongswan package is already installed on a fresh installation of pfSense and is available in the web interface under the VPN menu. Installation of Strongswan on a Linux platform is covered in a previous article.

Configuration of IPsec VPN

By default everything is blocked on the WAN interface of pfSense, so first allow UDP ports 500 (ISAKMP/IKE) and 4500 (IPsec NAT-T) for the IPsec VPN; where no NAT sits between the gateways, ESP (IP protocol 50) must be permitted as well. In this lab, however, we allowed everything (not recommended for a production environment) to establish IPsec between the two VMs.

As shown below, a rule is configured for the WAN interface of pfSense under the Firewall menu.

firewall rule pfsense

An IPsec rule is also configured in the firewall to pass traffic through the established VPN.

ipsec firewall rule pfsense

It is also important to make sure that the remote device is reachable for the IPsec VPN. The following snapshot shows that the remote device is up and replying.

remote ip pfsense

After ensuring gateway-to-gateway connectivity, the next step is to configure the VPN (both phase 1 and phase 2) on the VMs. In the first phase, IKE is configured and the encryption/authentication algorithms are selected. The second phase sets the ESP parameters, such as encryption and authentication, on both VMs. Settings such as local/remote IP, local/remote networks and encryption/authentication algorithms must match on both VMs for the tunnel to be established.

pfSense is configured through its web interface, so the following window opens after clicking the IPsec sub-menu under VPN.

vpn ipsec pfsense

Check the Enable IPsec option to create a tunnel on pfSense. Click the plus button to add a new IPsec tunnel policy on the local side (side-a in this case). The following snapshots show the settings for the IKE phase (phase 1) of IPsec.

The two key exchange versions are IKEv1 and IKEv2; here Auto is selected as the key exchange version. The WAN interface is selected to establish the tunnel, and the IP address of the remote device (side-b in this case) is entered in the Remote Gateway field.

Phase 1 setting on side-a

vpn ipsec pfsense phase 1

Phase 1 setting on side-b

vpn ipsec pfsense phase1 settings

The following snapshot shows the selection of the authentication mechanism for phase 1. In this tutorial, Mutual PSK (a shared secret) is selected for mutual authentication of both VMs. Main mode is selected because it is more secure than aggressive mode. The pre-shared key for both devices is "test12345" (a lab value; a long random secret should be used in production). The snapshot also shows the encryption settings for phase 1: the default selections are AES256 as the encryption algorithm and SHA1 as the hash algorithm.

vpn ipsec pfsense authentication

The NAT Traversal option is set to Auto for peers that sit behind a NAT device. Dead peer detection (DPD), another IPsec feature, is also enabled.

vpn ipsec pfsense advanced

The following screenshot shows the phase 1 settings above saved on device-a.

vpn ipsec pfsense phase2

Click the plus button to add a phase 2 policy on the pfSense firewall. In the following snapshot, the local and remote networks are included in the policy.

vpn ipsec pfsense phase2

The selected parameters for phase 2 (ESP proposal) are shown below.

vpn ipsec pfsense phase2 key

The following snapshot shows that the VPN policy has been created successfully on pfSense device-a.

vpn ipsec pfsense vpn create
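As an added illustration (not from the original article, which configures everything through the pfSense web UI), here is the same site-to-site tunnel expressed in strongSwan's ipsec.conf and ipsec.secrets syntax, which is what pfSense generates from the settings above. The WAN addresses 203.0.113.10 and 198.51.100.20, the LAN subnets 10.1.1.0/24 and 10.2.2.0/24, the connection name and the DH group are assumed placeholders; the article does not state them.

```conf
# /etc/ipsec.conf on side-a (added example; addresses and DH group are assumptions)
config setup
    uniqueids = yes

conn side-a-to-side-b
    keyexchange = ike            # pfSense "Auto": accept IKEv1 and IKEv2
    left = 203.0.113.10          # side-a WAN address (assumed)
    leftsubnet = 10.1.1.0/24     # side-a LAN: phase 2 local network (assumed)
    right = 198.51.100.20        # side-b WAN address: the Remote Gateway (assumed)
    rightsubnet = 10.2.2.0/24    # side-b LAN: phase 2 remote network (assumed)
    authby = secret              # Mutual PSK authentication
    aggressive = no              # main mode, as selected in the article
    ike = aes256-sha1-modp2048!  # phase 1 proposal; modp2048 is an assumption
    esp = aes256-sha1!           # phase 2 (ESP) proposal
    dpdaction = restart          # dead peer detection enabled
    dpddelay = 10s
    dpdtimeout = 60s
    forceencaps = no             # NAT-T Auto: UDP 4500 only when NAT is detected
    auto = start

# /etc/ipsec.secrets on side-a: the article's lab PSK (use a long random
# secret in production; both gateways must hold the same value)
203.0.113.10 198.51.100.20 : PSK "test12345"
```

Side-b uses the same connection with left/right and the subnets swapped; the proposals, mode and PSK must be identical on both gateways or phase 1 will fail.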

More settings of Strongswan IPsec (such as enabling/disabling log levels) are available in the Advanced Settings tab.

vpn ipsec pfsense settings

Click IPsec under the Status menu to get more details about the configured VPN.

vpn ipsec pfsense settings advanced

The following screenshot shows the overview of the VPN configured on device-a. As shown, the current status of the VPN is disconnected; click the Connect button to start negotiation with the remote device.

vpn ipsec pfsense status

Successful negotiation between the two devices is shown in the following figures.

device-a VPN status


device-b VPN status


The security association database (SAD) and the security policy database (SPD) are shown below.

SAD for device-a

pfsense ipsec sad A

SPD for device-a

pfsense ipsec spd A

Click on Logs to view detailed IPsec logs for troubleshooting.

pfsense ipsec logs

The status of the VPN can also be checked from the command line with utilities such as setkey -D and ipsec statusall.

setkey -D output

status pfsense command line setkey

ipsec statusall output

status pfsense command line ipsecstatusall
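As an added example (not from the original article), the following script parses `ipsec statusall` output and checks what a practitioner verifies after clicking Connect: phase 1 ESTABLISHED, phase 2 INSTALLED in tunnel mode, the expected LAN selectors, and no deprecated primitive in the negotiated proposal. The sample output, connection name and addresses are constructed to match strongSwan's format and are not taken from the article.

```python
import re

# Constructed sample of `ipsec statusall` output (added example, not from the
# article): phase 1 ESTABLISHED and phase 2 INSTALLED between side-a and side-b.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
  con1000[3]: ESTABLISHED 2 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
  con1000[3]: IKEv1 SPIs: 1a2b3c4d5e6f7081_i* 9f8e7d6c5b4a3921_r, pre-shared key reauthentication in 7 hours
  con1000[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  con1000{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c9d3a1f2_i 7b4e2c10_o
  con1000{1}:  AES_CBC_256/HMAC_SHA1_96, 4120 bytes_i, 3988 bytes_o, rekeying in 41 minutes
  con1000{1}:   10.1.1.0/24 === 10.2.2.0/24
"""

# One regex per line type; the named groups feed the per-connection dict below.
PATTERNS = {
    "ike": re.compile(r"^\s*(?P<conn>\S+)\[\d+\]: (?P<ike>ESTABLISHED|CONNECTING|CREATED|REKEYING|DELETING|PASSIVE)\b"),
    "proposal": re.compile(r"^\s*(?P<conn>\S+)\[\d+\]: IKE proposal: (?P<proposal>\S+)"),
    "child": re.compile(r"^\s*(?P<conn>\S+)\{\d+\}:\s+(?P<child>[A-Z]+), (?P<mode>TUNNEL|TRANSPORT)"),
    "ts": re.compile(r"^\s*(?P<conn>\S+)\{\d+\}:\s+(?P<local>\S+) === (?P<remote>\S+)"),
}
# Primitives and DH groups a gateway-to-gateway proposal should no longer use.
WEAK = ("MD5", "DES_", "3DES", "MODP_768", "MODP_1024", "NULL")


def parse_statusall(text):
    """Return {conn_name: {ike, proposal, child, mode, local, remote}}."""
    conns = {}
    for line in text.splitlines():
        for regex in PATTERNS.values():
            m = regex.match(line)
            if m:
                fields = m.groupdict()
                conns.setdefault(fields.pop("conn"), {}).update(fields)
                break
    return conns


def weak_algorithms(proposal):
    """List the weak primitives in a proposal such as 'AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024'."""
    return [alg for alg in WEAK if alg in proposal]


def tunnel_ok(conns, conn, local, remote):
    """True only if phase 1 is ESTABLISHED, phase 2 INSTALLED in tunnel mode,
    the traffic selectors match the expected LANs and no weak primitive is in use."""
    e = conns.get(conn, {})
    return (e.get("ike") == "ESTABLISHED" and e.get("child") == "INSTALLED"
            and e.get("mode") == "TUNNEL"
            and (e.get("local"), e.get("remote")) == (local, remote)
            and not weak_algorithms(e.get("proposal", "")))
```

On the constructed sample the tunnel is up but `tunnel_ok` still returns False because the IKE proposal negotiated MODP_1024, which is exactly the kind of detail the status page's green icon does not surface.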


This article covered the use of IPsec VPN on the pfSense firewall to secure the network layer from attackers. Strongswan is an open source implementation of IPsec that is available in most open source firewalls. A shared-secret based IPsec VPN was established between two VMs to secure their communication.

Comments (2)


  1. Elizabeth says:

    Thanks for the guide! It's a great help!
    I have one question though: I can connect from my network to the other network (the IPsec network) via SSH to any of the servers. But when I'm in the other network and try to connect back to our network, I can't access the servers.

    Any help will be appreciated!


    • ahmad shah says:

      Thanks for visiting our site.
      I need more information to assist you.

      Can you check the same issue without the IPsec tunnel? I mean to say, if you face the same issue without the IPsec VPN, then I will guide you.
      Please check and update.
