How to connect two pfSense routers via IPSec

Challenge Summary: I work from two different physical locations. Both locations have traditional retail Internet service providers (ISPs). What makes traveling between two locations tricky is access to local network items such as shared drives, sensor devices, servers, etc. What I really want is one big network and not have two unique networks.

Solution: My networks at each location are both routed using pfSense (community edition). I bond both pfSense instances together via an IPSec tunnel and both networks are accessible via the two pfSense gateways/routers.

Caveats: I am a software engineer by trade, I know just enough networking to be dangerous, and all of my education is based on working through problems I encountered in the normal course of other projects.

First, before we begin, everything I learned to set this up I learned from reading the docs over at Netgate. The Netgate write-up on doing this is really good and can be used as a reference for sure. This article is self-serving: it gives me a fast paint-by-number way to rebuild my setup if I ever need to.

Both of my physical locations have small /24 networks.

Location Alpha 10.0.0.0/24
Location Bravo 10.1.0.0/24

At both locations the router sits at the dot one address.

pfSense Location @ Alpha 10.0.0.1/24
pfSense Location @ Bravo 10.1.0.1/24

Dynamic DNS and the FQDN

Do yourself a huge favor and set up fully qualified domain names (FQDN) for each of your locations. I do this via Route53 in AWS but there are a lot of 3rd party solutions that work great. Do not proceed until you have FQDNs for each location. I’ll refer to these as “FQDN for Location A” and “FQDN for Location B”.

Twice?

You need to do these steps essentially twice, once on each pfSense instance: one at Location A and one at Location B. In each case I’ll show a screenshot and a table with the values I used to link the routers and create the tunnel.

Step 1 - the P1s

First, click on VPN → IPSec on each router. Next, on each, click on Add P1.

General Information

| General Information | Location A | Location B |
|---|---|---|
| Disabled | unchecked | unchecked |
| Key Exchange version | IKEv2 | IKEv2 |
| Internet Protocol | IPv4 | IPv4 |
| Interface | WAN | WAN |
| Remote Gateway (red) | FQDN of Location B | FQDN of Location A |
| Description (yellow) | IPSec Location A to Location B | IPSec Location B to Location A |

Phase 1 Proposal (Authentication)

| Phase 1 Proposal (Authentication) | Location A | Location B |
|---|---|---|
| Authentication Method | Mutual PSK | Mutual PSK |
| My identifier | My IP address | My IP address |
| Peer identifier | Peer IP address | Peer IP address |
| Pre-Shared Key | Tap “Generate new Pre-Shared Key” a few times, select one and save it | Copy the key from the other router |

Phase 1 Proposal (Encryption Algorithm)

| Phase 1 Proposal (Encryption Algorithm) | Location A | Location B |
|---|---|---|
| Encryption Algorithm | AES, 256 bits, SHA256, DH group 14 (2048 bit) | AES, 256 bits, SHA256, DH group 14 (2048 bit) |
| Lifetime (Seconds) | 28800 | 28800 |

Advanced Options

Leave all of the options at their defaults.

Hit Save to create the P1 on each of the devices.

Adding a Phase Two to each Phase One

Return to the list of Phase 1 entries and expand the Phase 2 entries beneath the P1 you just created. Hit Add.

General Information

| General Information | Location A | Location B |
|---|---|---|
| Disabled | unchecked | unchecked |
| Mode | Tunnel IPv4 | Tunnel IPv4 |
| Local Network | LAN subnet | LAN subnet |
| NAT/BINAT translation | None | None |
| Remote Network (red) | The network of the opposite location, so the network of Location B | The network of Location A |
| Description (yellow) | IPSec Location A to Location B | IPSec Location B to Location A |

Phase 2 Proposal (SA/Key Exchange)

| Phase 2 Proposal (SA/Key Exchange) | Location A | Location B |
|---|---|---|
| Protocol | ESP | ESP |
| Encryption Algorithms | AES256-GCM (128 bits) | AES256-GCM (128 bits) |
| Hash Algorithms | empty | empty |
| PFS key group | You can really choose any; just make sure both sides align. Netgate suggests none here. | Mirror the other location |

Keep Alive

Here you will want to put an address on the remote LAN to ping in order to “keep alive” the tunnel. I am lame and I use the address of the pfSense box on the remote network as the target for the ICMP packet. Thus, I put 10.0.0.1 and 10.1.0.1 in the respective opposite routers.
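Because every value above has to be a mirror image of the other router (Remote Gateway is the peer's FQDN, Remote Network is the peer's LAN, the PSK and proposals must be identical, and the keep-alive host has to sit inside the peer's LAN), it is easy to fat-finger one side. The script below is an added example, not part of the original article or of pfSense itself: it models both sites as plain records and checks that they mirror each other before you hit Apply. The subnets, proposals, lifetime and keep-alive addresses are the ones from this write-up; the FQDNs and the pre-shared key are constructed placeholders.

```python
"""Mirror-image consistency check for a two-site pfSense IPsec tunnel.

Added example (not from the original article). Site values below follow the
write-up; FQDNs and the PSK are constructed placeholders.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Site:
    name: str
    fqdn: str              # dynamic-DNS name the peer dials
    lan: str               # "Local Network" in Phase 2 (LAN subnet)
    remote_gateway: str    # "Remote Gateway" in Phase 1
    remote_network: str    # "Remote Network" in Phase 2
    psk: str               # mutual pre-shared key
    p1_proposal: tuple     # (cipher, key bits, hash, DH group)
    p1_lifetime: int       # seconds
    p2_cipher: str         # Phase 2 encryption algorithm
    p2_hash: str           # empty for AEAD ciphers such as AES-GCM
    p2_pfs: str            # PFS key group ("none" or a DH group number)
    keepalive_host: str    # "Automatically ping host" target on the peer LAN


def check_mirror(a: Site, b: Site) -> list[str]:
    """Return a list of mismatches; an empty list means the two sides mirror."""
    problems = []

    # Phase 1: each side dials the other's FQDN; PSK, proposal and lifetime must match.
    for local, peer in ((a, b), (b, a)):
        if local.remote_gateway != peer.fqdn:
            problems.append(f"{local.name}: Remote Gateway {local.remote_gateway!r} "
                            f"is not {peer.name}'s FQDN {peer.fqdn!r}")
    if a.psk != b.psk:
        problems.append("Pre-Shared Key differs between sites")
    if a.p1_proposal != b.p1_proposal:
        problems.append(f"Phase 1 proposal differs: {a.p1_proposal} vs {b.p1_proposal}")
    if a.p1_lifetime != b.p1_lifetime:
        problems.append(f"Phase 1 lifetime differs: {a.p1_lifetime} vs {b.p1_lifetime}")

    # Phase 2: LANs must not overlap (one big routed network), each side's
    # Remote Network must be exactly the peer's LAN, and proposals must align.
    lan_a, lan_b = ip_network(a.lan), ip_network(b.lan)
    if lan_a.overlaps(lan_b):
        problems.append(f"LANs overlap: {lan_a} and {lan_b}")
    for local, peer in ((a, b), (b, a)):
        if ip_network(local.remote_network) != ip_network(peer.lan):
            problems.append(f"{local.name}: Remote Network {local.remote_network} "
                            f"is not {peer.name}'s LAN {peer.lan}")
        # A keep-alive ping only holds the tunnel up if its target is across it.
        if ip_address(local.keepalive_host) not in ip_network(peer.lan):
            problems.append(f"{local.name}: keep-alive host {local.keepalive_host} "
                            f"is outside {peer.name}'s LAN {peer.lan}")
    if a.p2_cipher != b.p2_cipher:
        problems.append(f"Phase 2 cipher differs: {a.p2_cipher} vs {b.p2_cipher}")
    if a.p2_pfs != b.p2_pfs:
        problems.append(f"PFS key group differs: {a.p2_pfs} vs {b.p2_pfs}")
    for site in (a, b):
        # AES-GCM is an AEAD cipher, which is why Hash Algorithms stays empty;
        # a non-AEAD cipher (e.g. AES-CBC) would need a hash selected.
        if "GCM" in site.p2_cipher and site.p2_hash:
            problems.append(f"{site.name}: hash {site.p2_hash!r} set with AEAD cipher")
        if "GCM" not in site.p2_cipher and not site.p2_hash:
            problems.append(f"{site.name}: non-AEAD cipher {site.p2_cipher} needs a hash")
    return problems


P1 = ("AES", 256, "SHA256", 14)          # AES-256, SHA256, DH group 14 (2048 bit)
PSK = "CONSTRUCTED-PSK-REPLACE-ME"       # constructed placeholder, not a real key


def example_sites() -> tuple[Site, Site]:
    """The two sites from the write-up, filled in as mirror images of each other."""
    alpha = Site("Alpha", "alpha.example.invalid", "10.0.0.0/24",
                 remote_gateway="bravo.example.invalid", remote_network="10.1.0.0/24",
                 psk=PSK, p1_proposal=P1, p1_lifetime=28800,
                 p2_cipher="AES256-GCM", p2_hash="", p2_pfs="none",
                 keepalive_host="10.1.0.1")
    bravo = Site("Bravo", "bravo.example.invalid", "10.1.0.0/24",
                 remote_gateway="alpha.example.invalid", remote_network="10.0.0.0/24",
                 psk=PSK, p1_proposal=P1, p1_lifetime=28800,
                 p2_cipher="AES256-GCM", p2_hash="", p2_pfs="none",
                 keepalive_host="10.0.0.1")
    return alpha, bravo


def misconfigured_bravo() -> Site:
    """Bravo with two typical slips: PFS set on one side only, keep-alive aimed at its own LAN."""
    return replace(example_sites()[1], p2_pfs="14", keepalive_host="10.1.0.1")


if __name__ == "__main__":
    alpha, bravo = example_sites()
    print("mirror check:", check_mirror(alpha, bravo) or "OK")
    for p in check_mirror(alpha, misconfigured_bravo()):
        print("problem:", p)
```

Run it as-is and the correct pair reports OK while the deliberately broken Bravo reports the PFS mismatch and the keep-alive host that never crosses the tunnel; to use it for your own sites, replace the FQDNs and PSK placeholders with the values you entered in each router.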

Next, apply the settings.

Next, go to Status → VPN; from there you’ll see a “Connect” button to bring up and test the link.

When you click Connect it should connect, and then you should be able to ping assets on both networks from both locations. There are a lot of advanced topics such as static routes, but since you are most likely using the pfSense router as the gateway at both sites the routing should happen automagically. In my experience the speed is incredible; I am using two residential connections and it works amazingly well. I suspect mileage may vary here, but good luck!

[ networking pfsense ]