pfSense to pfSense - IPsec - site to site Setup.

Setup an IPSec VPN between 2 instances of pfSense using both a static (work) and dynamic IP address (home office).

• Dynamic or Static IP address.
• A domain name or a free dynamic DNS provider.
• CPU with AES-NI (if your uplink is 20Mbps or faster).

You already have a working pfSense configuration at both locations.

Both locations must NOT have the same internal LAN address - meaning both can’t be running 192.168.1.x addresses, one can run 192.168.1.x while the other can run 192.168.2.x.

Final note - the VPN configuration on both firewalls will be exactly the same, save for parts that require IP addresses or hostnames.

Click on VPN → IPsec, and on the bottom right, click on the green + Add P1 button at the bottom of the screen.

• Key exchange version: IKEv2
• Internet Protocol: IPv4 (IPv6/Dual stack will work if you’re running IPv6 at both sites)
• Interface: WAN (or whatever you named the interface with the public IP address)
• Remote Gateway: this is where you need either your own domain, or a free Dynamic DNS provider - or manually entering the IP addresses works, users with dynamic IP addresses the “work” location will have to update your IP address manually every time it changes.
  • Remote Gateway (home): work.sharewiz.net
  • Remote Gateway (work): home.sharewiz.net
• Description: A description

• Authentication Method: Mutual PSK
• My Identifier: Distinguished name:
  • Home: home.sharewiz.net
  • Work: work.sharewiz.net
• Peer identifier: Distinguished name
  • Home: work.sharewiz.net
  • Work: home.sharewiz.net
• Pre-Shared Key: On one firewall, click generate key, then copy & paste that key to the other firewall

• Encryption Algorithm:
  • Algorithm: AES128-GCM
  • Key Length: 128 bits
  • Hash: SHA256
  • DH Group: 14 (2048)
• Lifetime (Seconds): 28800

Leave everything defaulted in this section, and click Save. When finished, it should look like this:

From the above screen, click on Show Phase 2 Entries (0) and expand out the menu, then click on the green + Add P2 button that appears.

• Mode: Tunnel IPv4
• Local Network: LAN subnet
• NAT/BINAT translation: None
• Remote Network: Network
  • Address (Work): 192.168.10.0/24
  • Address (Home): 192.168.1.0/24
• Description:
  • Home: Work LAN
  • Work: Home LAN

• Protocol: ESP
• Encryption Algorithms: AES128-GCM @ 128 bits
  • Hash Algorithms: AES-XCBC (or SHA256 if your CPU doesn’t have AES-NI)
  • PFS key group: 14 (2048)
  • Lifetime: 3600

• Automatically ping host: set this IP address to a server you run 24/7, this will keep the VPN up 24/7

After you hit Save, this is what your Phase 2 will look like:

After you hit Apply Changes on both firewalls, your IPsec VPN should connect right away.

You may find that you can’t ping anything across the VPN though - you’ll need to click on Firewall → Rules → Add to create a hole in the firewall to allow traffic to pass.

• Protocol: Any

And that’s it, unless you want to add a description.

End result looks like this: