{"id":12144,"date":"2022-04-14T18:59:05","date_gmt":"2022-04-14T15:59:05","guid":{"rendered":"https:\/\/kifarunix.com\/?p=12144"},"modified":"2024-03-09T11:51:01","modified_gmt":"2024-03-09T08:51:01","slug":"setup-ipsec-site-to-site-vpn-tunnel-on-pfsense","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/setup-ipsec-site-to-site-vpn-tunnel-on-pfsense\/","title":{"rendered":"Setup IPSec Site-to-Site VPN Tunnel on pfSense"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to setup IPSec Site-to-Site VPN Tunnel on pfSense. <em><strong>Internet Protocol Security<\/strong>&nbsp;(IPsec) is a secure network protocol suite that authenticates and encrypts the packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is commonly used in virtual private networks (VPNs)<\/em>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Setup IPSec Site-to-Site VPN Tunnel on pfSense<\/h2>\n\n\n\n<p>In order to demonstrate how to setup a secured site to site IPSec VPN tunnel, we will be using two <a href=\"https:\/\/www.pfsense.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">pfSense<\/a>, a free and open source firewall and router, running on two different LANs.<\/p>\n\n\n\n<p>See our representation below;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>    \n    \n  +------------------------+       IPSec VPN Tunnel      +------------------------+\n  |    [  pfSense gw  ]    | [ Side A ]   |   [ Side B ] |    [  pfSense gw  ]    |\n  +      65.108.95.120     +--------------+--------------+      135.181.192.121   +\n  |       172.16.0.1 [VPN] |                             |      192.168.10.1 [VPN]|\n  +------------------------+                             +------------------------+\n               |                                                       |      \n               +                                                       +\n               |                                                       
|\n+-------------------------------+                        +------------------------------------+\n|    [  Side A Local LAN  ]     |                        |    [  Side B Local LAN  ]          |\n+        172.16.0.0\/24          +                        +        192.168.10.0\/24             +\n|                               |                        |                                    |\n| [ 172.16.0.10] [ 172.16.0.20] |                        |  [ 192.168.10.20] [ 192.168.10.50] |\n+-------------------------------+                        +------------------------------------+ \n<\/code><\/pre>\n\n\n\n<p>The two pfSense firewalls\/routers act as the IPsec peers. They negotiate the security associations that encrypt and authenticate all traffic between the two local area networks; the LAN hosts themselves need no VPN software.<\/p>\n\n\n\n<p>The VPN negotiation happens in two phases;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Phase 1<\/strong>: <em>The main purpose of Phase 1 is to authenticate the peers and set up a secure encrypted channel (the IKE SA) through which the two peers can negotiate Phase 2. When Phase 1 finishes successfully, the peers move on to Phase 2 negotiations. If Phase 1 fails, the devices cannot begin Phase 2.<\/em><\/li>\n\n\n\n<li><strong>Phase 2<\/strong>: <em>The purpose of Phase 2 negotiations is for the two peers to agree on a set of parameters that define what traffic can go through the VPN, and how to encrypt and authenticate the traffic. This agreement is called a Security Association (the IPsec or Child SA).<\/em><\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/www.watchguard.com\/help\/docs\/help-center\/en-US\/Content\/en-US\/Fireware\/mvpn\/general\/ipsec_vpn_negotiations_c.html\" target=\"_blank\" rel=\"noreferrer noopener\">WatchGuard's documentation explains these negotiations in more detail<\/a>.<\/p>\n\n\n\n<p>While setting up the IPsec VPN, it is essential that the Phase 1 and Phase 2 proposals on both peers match exactly, with the Phase 2 local and remote networks mirrored rather than identical; 
otherwise the VPN negotiations will fail.<\/p>\n\n\n\n<p>Below are our configurations for this setup.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>VPN device host information<\/strong><\/td><td><strong>Side A<\/strong><\/td><td><strong>Side B<\/strong><\/td><\/tr><tr><td>VPN device version<\/td><td>pfSense 2.6.0<\/td><td>pfSense 2.6.0<\/td><\/tr><tr><td>WAN IP address<\/td><td>65.108.95.120<\/td><td>135.181.192.121<\/td><\/tr><tr><td>Remote gateway (the other peer's WAN IP)<\/td><td>135.181.192.121<\/td><td>65.108.95.120<\/td><\/tr><tr><td><\/td><td><\/td><td><\/td><\/tr><tr><td><strong>IKE &#8211; Phase 1 properties<\/strong><\/td><td><strong>Side A<\/strong><\/td><td><strong>Side B<\/strong><\/td><\/tr><tr><td>Key exchange version<\/td><td>IKEv2<\/td><td>IKEv2<\/td><\/tr><tr><td>Authentication method<\/td><td>Mutual PSK (ChangeME is a placeholder; use a long random key)<\/td><td>Mutual PSK (same key as Side A)<\/td><\/tr><tr><td>Encryption algorithm &#8211; IKE<\/td><td>AES256<\/td><td>AES256<\/td><\/tr><tr><td>Hash algorithm &#8211; IKE<\/td><td>SHA256<\/td><td>SHA256<\/td><\/tr><tr><td>DH group &#8211; IKE<\/td><td>Group 20 (384-bit ECP)<\/td><td>Group 20 (384-bit ECP)<\/td><\/tr><tr><td>IKE SA lifetime<\/td><td>86400 sec<\/td><td>86400 sec<\/td><\/tr><tr><td><\/td><td><\/td><td>&nbsp;<\/td><\/tr><tr><td><strong>IPsec &#8211; Phase 2 properties<\/strong><\/td><td><strong>Side A<\/strong><\/td><td><strong>Side B<\/strong><\/td><\/tr><tr><td>Mode<\/td><td>Tunnel IPv4<\/td><td>Tunnel IPv4<\/td><\/tr><tr><td>Protocol<\/td><td>ESP<\/td><td>ESP<\/td><\/tr><tr><td>Encryption algorithm &#8211; IPsec<\/td><td>AES256<\/td><td>AES256<\/td><\/tr><tr><td>Hash algorithm &#8211; IPsec<\/td><td>SHA256<\/td><td>SHA256<\/td><\/tr><tr><td>PFS key group &#8211; IPsec<\/td><td>Group 20<\/td><td>Group 20<\/td><\/tr><tr><td>IPsec SA lifetime<\/td><td>3600 sec<\/td><td>3600 sec<\/td><\/tr><tr><td><\/td><td><\/td><td><\/td><\/tr><tr><td><strong>Encryption domains (Phase 2 networks)<\/strong><\/td><td><strong>Side A<\/strong><\/td><td><strong>Side 
B<\/strong><\/td><\/tr><tr><td>Local network<\/td><td>&nbsp;172.16.0.0\/24<\/td><td>&nbsp;192.168.10.0\/24<\/td><\/tr><tr><td>Remote network<\/td><td>&nbsp;192.168.10.0\/24<\/td><td>&nbsp;172.16.0.0\/24<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"pfsense-ipsec-side-a\"><a href=\"#pfsense-ipsec-side-a\">Configuring IPSec on pfSense on Side A<\/a><\/h3>\n\n\n\n<p>pfSense ships with IPsec support built in (it runs strongSwan under the hood), so no package needs to be installed.<\/p>\n\n\n\n<p>To configure the IPsec site-to-site VPN tunnel;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Log in to pfSense and navigate to VPN &gt; IPsec. You are presented with an interface like the one below.<\/li>\n<\/ul>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-vpn-ipsec.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1474\" height=\"391\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-vpn-ipsec.png\" alt=\"Setup IPSec Site-to-Site VPN Tunnel on pfSense\" class=\"wp-image-12209\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-vpn-ipsec.png?v=1649576397 1474w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-vpn-ipsec-768x204.png?v=1649576397 768w\" sizes=\"(max-width: 1474px) 100vw, 1474px\" \/><\/figure><\/a><\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start by configuring the IPsec Phase 1 settings: click <strong>Add P1<\/strong>. 
<strong>NOTE<\/strong>: All proposal settings must match between the peers; only the Remote Gateway differs, each side pointing at the other peer's WAN address.\n<ul class=\"wp-block-list\">\n<li><strong>General information and IKE Endpoint Configuration;<\/strong>\n<ul class=\"wp-block-list\">\n<li>Description: <strong>Side A P1<\/strong><\/li>\n\n\n\n<li>Key Exchange version: <strong>IKEv2<\/strong><\/li>\n\n\n\n<li>IP: <strong>IPv4<\/strong><\/li>\n\n\n\n<li>Interface: <strong>WAN<\/strong><\/li>\n\n\n\n<li>Remote Gateway: <strong>135.181.192.121<\/strong><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Phase 1 Proposal Authentication:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Authentication Method: <strong>Mutual PSK<\/strong><\/li>\n\n\n\n<li>My Identifier: <strong>My IP address<\/strong><\/li>\n\n\n\n<li>Peer Identifier: <strong>Peer IP address<\/strong><\/li>\n\n\n\n<li>Pre-Shared Key: <strong>YOUR PSK (a long, random key, identical on both peers)<\/strong><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Encryption Algorithms:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Encryption: <strong>AES256<\/strong><\/li>\n\n\n\n<li>Hash: <strong>SHA256<\/strong><\/li>\n\n\n\n<li>DH Group: <strong>Group 20<\/strong><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Expiration and Replacement:\n<ul class=\"wp-block-list\">\n<li>Lifetime: <strong>86400<\/strong> (seconds)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-phase-1-settings-1.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1464\" height=\"673\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-phase-1-settings-1.png\" alt=\"Setup IPSec Site-to-Site VPN Tunnel on pfSense\" class=\"wp-image-12262\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-phase-1-settings-1.png?v=1649938303 1464w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-phase-1-settings-1-768x353.png?v=1649938303 768w\" 
sizes=\"(max-width: 1464px) 100vw, 1464px\" \/><figcaption>Phase 1 General information&#8230;<\/figcaption><\/figure><\/a><\/div>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-phase-1-settings-2.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1442\" height=\"795\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-phase-1-settings-2.png\" alt=\"Setup IPSec Site-to-Site VPN Tunnel on pfSense\" class=\"wp-image-12263\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-phase-1-settings-2.png?v=1649938342 1442w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-phase-1-settings-2-768x423.png?v=1649938342 768w\" sizes=\"(max-width: 1442px) 100vw, 1442px\" \/><figcaption>Authentication and Encryption Algorithms and expiration lifetime<\/figcaption><\/figure><\/a><\/div>\n\n\n\n<p>We will leave other configurations with the default values.<\/p>\n\n\n\n<p>Scroll down and click <strong>Save<\/strong> to save Phase 1 settings.<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-phase-1-side-a.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1471\" height=\"620\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-phase-1-side-a.png\" alt=\"\" class=\"wp-image-12265\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-phase-1-side-a.png?v=1649938532 1471w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-phase-1-side-a-768x324.png?v=1649938532 768w\" sizes=\"(max-width: 1471px) 100vw, 1471px\" \/><figcaption>Side A Phase 1 settings<\/figcaption><\/figure><\/a><\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Configure IPSec Phase 2 by clicking <strong>Show Phase 2 
Entries<\/strong> &gt; <strong>Add P2<\/strong>.\n<ul class=\"wp-block-list\">\n<li>General information:\n<ul class=\"wp-block-list\">\n<li>Mode: <strong>Tunnel IPv4<\/strong><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Networks:\n<ul class=\"wp-block-list\">\n<li>Local Network: <strong>172.16.0.0\/24<\/strong>.\n<ul class=\"wp-block-list\">\n<li>Use a single IP address here if only one specific host should be reachable through the tunnel.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Remote Network: <strong>192.168.10.0\/24<\/strong>.\n<ul class=\"wp-block-list\">\n<li>Likewise, use a single IP address to limit the tunnel to one specific remote host.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Phase 2 Proposal Settings:\n<ul class=\"wp-block-list\">\n<li>Proposal: <strong>ESP<\/strong><\/li>\n\n\n\n<li>Encryption Algorithms: <strong>AES256<\/strong><\/li>\n\n\n\n<li>Hash Algorithms: <strong>SHA256<\/strong><\/li>\n\n\n\n<li>PFS Key group: <strong>Group 20<\/strong><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Expiration and Replacement:\n<ul class=\"wp-block-list\">\n<li>Lifetime: <strong>3600<\/strong> (seconds)<\/li>\n\n\n\n<li>Leave the remaining settings at their defaults.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-phase-2-settings-1.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1440\" height=\"709\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-phase-2-settings-1.png\" alt=\"\" class=\"wp-image-12267\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-phase-2-settings-1.png?v=1649938717 1440w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-phase-2-settings-1-768x378.png?v=1649938717 768w\" sizes=\"(max-width: 1440px) 100vw, 1440px\" \/><figcaption>Phase 2 general information &amp; Networks<\/figcaption><\/figure><\/a><\/div>\n\n\n\n<div><a 
href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-phase-2-settings-2.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1454\" height=\"925\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-phase-2-settings-2.png\" alt=\"\" class=\"wp-image-12268\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-phase-2-settings-2.png?v=1649938739 1454w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-phase-2-settings-2-768x489.png?v=1649938739 768w\" sizes=\"(max-width: 1454px) 100vw, 1454px\" \/><figcaption>Phase 2 proposal, algorithms&#8230;<\/figcaption><\/figure><\/a><\/div>\n\n\n\n<p>Scroll down and Click <strong>Save<\/strong> to save the settings.<\/p>\n\n\n\n<p>Then click <strong>Apply Changes<\/strong> to save all the changes.<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-settings.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1454\" height=\"686\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-settings.png\" alt=\"Setup IPSec Site-to-Site VPN Tunnel on pfSense\" class=\"wp-image-12264\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-settings.png?v=1649938382 1454w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-settings-768x362.png?v=1649938382 768w\" sizes=\"(max-width: 1454px) 100vw, 1454px\" \/><figcaption>Side A IPSec VPN Phase 1 and Phase 2 Settings<\/figcaption><\/figure><\/a><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Configuring IPSec on pfSense on Side B<\/h3>\n\n\n\n<p>On Side B, configure pfSense just the same way. 
The proposals must be identical, but the endpoints are mirrored: the Remote Gateway is 65.108.95.120, the Phase 2 Local Network is 192.168.10.0\/24 and the Remote Network is 172.16.0.0\/24;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-settings-side-b.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1475\" height=\"694\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-settings-side-b.png\" alt=\"\" class=\"wp-image-12269\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-settings-side-b.png?v=1649938796 1475w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense_ipsec-settings-side-b-768x361.png?v=1649938796 768w\" sizes=\"(max-width: 1475px) 100vw, 1475px\" \/><figcaption>Side B IPSec VPN Phase 1 and Phase 2 Settings<\/figcaption><\/figure><\/a><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Connect the IPsec Peers<\/h3>\n\n\n\n<p>Navigate to <strong>Status &gt; IPsec<\/strong>.<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-start-ipsec.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1466\" height=\"443\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-start-ipsec.png\" alt=\"\" class=\"wp-image-12270\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-start-ipsec.png?v=1649947451 1466w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-start-ipsec-768x232.png?v=1649947451 768w\" sizes=\"(max-width: 1466px) 100vw, 1466px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>Click <strong>Connect P1 and P2s<\/strong> to establish the tunnel between the two sites.<\/p>\n\n\n\n<p>The status once the tunnel is established;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-start-ipsec-status.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img 
loading=\"lazy\" decoding=\"async\" width=\"1455\" height=\"605\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-start-ipsec-status.png\" alt=\"\" class=\"wp-image-12271\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-start-ipsec-status.png?v=1649947489 1455w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-start-ipsec-status-768x319.png?v=1649947489 768w\" sizes=\"(max-width: 1455px) 100vw, 1455px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>Similarly, check on Side B, the status should be same;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-start-ipsec-status-side-b.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1447\" height=\"599\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-start-ipsec-status-side-b.png\" alt=\"\" class=\"wp-image-12272\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-start-ipsec-status-side-b.png?v=1649947532 1447w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-start-ipsec-status-side-b-768x318.png?v=1649947532 768w\" sizes=\"(max-width: 1447px) 100vw, 1447px\" \/><\/figure><\/a><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Updating the Firewall Rules<\/h3>\n\n\n\n<p>You need to ensure that correct firewall rules are in place in order to get the connections working.<\/p>\n\n\n\n<p>My example Firewall rules on both Side A and Side B to allow SSH connections only. 
Add other services or ports as required.<\/p>\n\n\n\n<p>IPSec Firewall Rules on Side A:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1474\" height=\"477\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/ipsec-firewall-rules-side-a.png\" alt=\"\" class=\"wp-image-12273\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/ipsec-firewall-rules-side-a.png?v=1649950861 1474w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/ipsec-firewall-rules-side-a-768x249.png?v=1649950861 768w\" sizes=\"(max-width: 1474px) 100vw, 1474px\" \/><figcaption class=\"wp-element-caption\">IPSec Firewall Rules on Side A<\/figcaption><\/figure>\n\n\n\n<p>IPSec Firewall Rules on Side B:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1464\" height=\"484\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/ipsec-firewall-rules-side-b.png\" alt=\"\" class=\"wp-image-12274\" style=\"width:1068px;height:353px\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/ipsec-firewall-rules-side-b.png?v=1649950889 1464w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/ipsec-firewall-rules-side-b-768x254.png?v=1649950889 768w\" sizes=\"(max-width: 1464px) 100vw, 1464px\" \/><figcaption class=\"wp-element-caption\">IPSec Firewall Rules on Side B<\/figcaption><\/figure>\n\n\n\n<p>LAN firewall rules on Side A and Side B:<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/local-nets-firewall-rules-side-a.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1478\" height=\"527\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/local-nets-firewall-rules-side-a.png\" alt=\"\" class=\"wp-image-12275\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/local-nets-firewall-rules-side-a.png?v=1649951327 1478w, 
https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/local-nets-firewall-rules-side-a-768x274.png?v=1649951327 768w\" sizes=\"(max-width: 1478px) 100vw, 1478px\" \/><\/figure><\/a><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1450\" height=\"526\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/local-nets-firewall-rules-side-b.png\" alt=\"\" class=\"wp-image-12276\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/local-nets-firewall-rules-side-b.png?v=1649951345 1450w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/local-nets-firewall-rules-side-b-768x279.png?v=1649951345 768w\" sizes=\"(max-width: 1450px) 100vw, 1450px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Test the Site-to-Site connections<\/h3>\n\n\n\n<p>Now that the tunnel is up and the firewall rules are in place, verify that hosts on the two LANs can reach each other through the IPsec tunnel.<\/p>\n\n\n\n<p>In my setup, I have two hosts: 172.16.0.10 on Side A and 192.168.10.20 on Side B;<\/p>\n\n\n\n<p><strong>First confirm that the hosts on each LAN have a route to the remote network via their local pfSense; if the kernel sends that traffic out the default route instead, it never enters the tunnel;<\/strong><\/p>\n\n\n\n<p>On the Side A host, 172.16.0.10, the interface facing pfSense (tun0 in my lab) and its addresses;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ip a show dev tun0<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n6: tun0: &lt;POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP&gt; mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500\n    link\/none \n    inet 172.16.0.10\/24 scope global tun0\n       valid_lft forever preferred_lft forever\n    inet6 fe80::6732:c5da:20a8:f0c2\/64 scope link stable-privacy \n       valid_lft forever preferred_lft forever\n<\/code><\/pre>\n\n\n\n<p>Route information;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ip r show dev 
tun0<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>172.16.0.0\/24 proto kernel scope link src 172.16.0.10 \n192.168.10.0\/24 via 172.16.0.1<\/code><\/pre>\n\n\n\n<p>All traffic to 192.168.10.0\/24 is routed via the Side A pfSense, 172.16.0.1.<\/p>\n\n\n\n<p>On the Side B host, 192.168.10.20;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ip a show dev tun0<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n7: tun0: &lt;POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP&gt; mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100\n    link\/none \n    inet 192.168.10.20\/24 brd 192.168.10.255 scope global tun0\n       valid_lft forever preferred_lft forever\n    inet6 fe80::931b:4dea:6e0e:bed8\/64 scope link stable-privacy \n       valid_lft forever preferred_lft forever\n<\/code><\/pre>\n\n\n\n<p>Routing information;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ip r show dev tun0<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>172.16.0.0\/24 via 192.168.10.1 \n192.168.10.0\/24 proto kernel scope link src 192.168.10.20<\/code><\/pre>\n\n\n\n<p>Traffic to 172.16.0.0\/24 is routed via the Side B pfSense, 192.168.10.1.<\/p>\n\n\n\n<p>Now test the connections. In this example only SSH and ICMP echo (ping) are allowed through the firewall, so a TCP connection to port 22 that returns the SSH banner proves that both the tunnel and the rules are working;<\/p>\n\n\n\n<p>On Side A, test the connection to Side B;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>telnet 192.168.10.20 22<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Trying 192.168.10.20...\nConnected to 192.168.10.20.\nEscape character is '^]'.\nSSH-2.0-OpenSSH_8.2p1 Ubuntu-4\n^]\ntelnet&gt;<\/code><\/pre>\n\n\n\n<p>On Side B, test the connection to Side A;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>telnet 172.16.0.10 22<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Trying 172.16.0.10...\nConnected to 172.16.0.10.\nEscape character is '^]'.\nSSH-2.0-OpenSSH_8.4p1 Debian-5\n^]\ntelnet&gt;<\/code><\/pre>\n\n\n\n<p>And that is it on how to configure an IPsec Site-to-Site VPN Tunnel on 
pfSense.<\/p>\n\n\n\n<p>See the <a href=\"https:\/\/docs.netgate.com\/pfsense\/en\/latest\/recipes\/ipsec-s2s-psk.html\" target=\"_blank\" rel=\"noreferrer noopener\">Netgate documentation on IPsec site-to-site tunnels with pre-shared keys<\/a> for more detail.<\/p>\n\n\n\n<p>Other tutorials;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/setup-ipsec-vpn-server-with-libreswan-on-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Setup IPSec VPN Server with Libreswan on CentOS<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/setup-ipsec-vpn-using-strongswan-on-debian-10\/\" target=\"_blank\" rel=\"noreferrer noopener\">Setup IPSEC VPN using StrongSwan on Debian 10<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to setup IPSec Site-to-Site VPN Tunnel on pfSense. Internet Protocol Security&nbsp;(IPsec) is a secure network protocol suite that<\/p>\n","protected":false},"author":3,"featured_media":12283,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,44,1454,34,321],"tags":[4900,1287,4899,4898,4901],"class_list":["post-12144","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-firewall","category-pfsense","category-security","category-vpn","tag-ipsec-firewall-rules","tag-ipsec-vpn","tag-pfsense-site-to-site-ipsec","tag-setup-ipsec-site-to-site-vpn-tunnel-on-pfsense","tag-site-to-site-vpn-with-ipsec","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12144"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/
wp\/v2\/comments?post=12144"}],"version-history":[{"count":19,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12144\/revisions"}],"predecessor-version":[{"id":20465,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12144\/revisions\/20465"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/12283"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=12144"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=12144"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=12144"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}