pfSense site to site VPN tunnel - The Complete Guide

Many of you asked me to create an easy-to-understand, step-by-step tutorial on how to create a pfSense site-to-site VPN tunnel between two pfSense firewalls. I have tried to make it as simple as possible.

👀 This tutorial has some related articles!
👉 The Complete pfSense Fundamentals Bootcamp
👉 Install pfSense from USB - The Complete Guide
👉 Install pfSense on VirtualBox
👉 The Complete pfSense OpenVPN Guide
👉 The Complete pfSense DMZ Guide
👉 Generate SSL Certificates for HTTPS with pfSense
👉 The Complete pfSense Squid Proxy Guide (with ClamAV!)
👉 pfSense Site-to-Site VPN Guide
👉 pfSense Domain Overrides Made Easy
👉 pfSense Strict NAT (PS4,PS5,Xbox,PC) Solution
👉 The Best pfSense Hardware
👉 Traffic Shaping VOIP with pfSense
👉 pfSense OpenVPN on Linux - Setup Guide
👉 pfSense Firewall Rule Aliases Explained
👉 Email Notifications with pfSense
👉 pfSense DNS Server Guide

The Scenario: pfSense Site to Site VPN

I have kept this example scenario as simple as possible and drawn an easy-to-understand, self-explanatory diagram of it.

(Figure: Overview)

This should give you a pretty good understanding of what we want to achieve. We simply want to establish a pfSense site-to-site VPN connection between pfSense #1 HQ and pfSense #2 Remote Location. To do this, we need to create IPSec tunnels and firewall rules on both sides. I kept the subnets simple so you don't get confused by too many different IPs. The Gateway in your case would be your WAN IP Address.

Without further ado, let's get started.

Step 1 - Creating IPSec Phase 1 on pfSense #1 HQ

To create a pfSense site-to-site VPN, log in to pfSense #1 HQ, navigate to VPN / IPsec and click + Add P1. Set the address of the Remote Gateway and a Description:

  1. IP of your WAN Interface on your pfSense #2 Remote Location
  2. Enter a Description

(Figure: General Information)

Scroll down to Phase 1 Proposal (Authentication). Now use any random password generator you like to create a Pre-Shared Key.

You can also use the tool pwgen on Linux with the following command to create a key:

pwgen -sy 25

(Figure: Creating a Pre-Shared Key)

Copy this key and paste it into the Pre-Shared Key field.

(Figure: Pasting the Key)

Scroll down to the bottom, leave everything else at its default, and click Save. Click Apply Changes afterwards.

Step 2 - Creating IPSec Phase 2 on pfSense #1 HQ

Time to create the second phase. Click + Show Phase 2 Entries and then + Add P2.

(Figure: Creating Phase 2)

Now enter values as in the following example:

  1. On Local network choose Network
  2. Enter the Subnet of your Local Network (192.168.1.0/24 for pfSense #1 HQ)
  3. On Remote Network choose Network
  4. Enter the Subnet of your Remote Network (192.168.2.0/24 for pfSense #2 Remote Location)

Enter a description if you want.

(Figure: Configuring)

Scroll down to Phase 2 Proposal (SA/Key Exchange). Enter values as in the following example:

  1. Change AES Encryption to 256 bits
  2. Change PFS key group to 15 (3072 bit)
  3. Enter the pfSense #2 Remote Location's IP Address to be pinged automatically (this ensures that the tunnel stays active at all times; the address must lie inside the Remote Network entered above, e.g. the LAN address of pfSense #2, not its WAN address)
  4. Smash that Save button (Sorry, watched too many YouTube videos)
  5. Hit Apply Changes

(Figure: Configuring Phase 2)

Almost done with pfSense #1; now we just need to create a firewall rule on the IPsec interface.

Step 3 - Creating a Firewall Rule on pfSense #1 HQ

Navigate to Firewall / Rules / IPsec. Click Add. Enter the following values:

  1. Change Protocol to Any
  2. For Source select Network
  3. Enter the Subnet of pfSense #2 Remote Location (192.168.2.0/24)
  4. Enter a Description
  5. Hit Save & Apply Changes

(Figure: Creating a Firewall Rule)

That's it. We are done with pfSense #1 HQ; let's head over to pfSense #2 Remote Location to complete our pfSense site-to-site VPN.

Step 4 - Creating IPSec Phase 1 on pfSense #2 Remote Location

Now we basically need to repeat those exact steps again, just with slightly changed values. I will guide you through every step anyway. Navigate to VPN / IPsec and click + Add P1. Enter the following values:

  1. IP of your WAN Interface on your pfSense #1 HQ
  2. Enter a Description

(Figure: Configuring Phase 1)

Scroll down to Phase 1 Proposal (Authentication). Enter the same Pre-Shared Key as on pfSense #1 HQ, the one we created in Step 1.

(Figure: Configuring Phase 1)

Scroll to the bottom and hit Save & Apply Changes.

⚠️ If you would like to learn more about pfSense, I highly recommend you check out my pfSense Fundamentals Bootcamp over at Udemy. This is the most up-to-date as well as the highest-rated pfSense course on Udemy.

Step 5 - Creating IPSec Phase 2 on pfSense #2 Remote Location

Once again, click + Show Phase 2 Entries and then + Add P2.

(Figure: Configuring Phase 2)

Now enter values as in the following example:

  1. On Local network choose Network
  2. Enter the Subnet of your Local Network (192.168.2.0/24 for pfSense #2 Remote Location)
  3. On Remote Network choose Network
  4. Enter the Subnet of your Remote Network (192.168.1.0/24 for pfSense #1 HQ)

Enter a description if you want.

(Figure: Configuring Phase 2)

Scroll down to Phase 2 Proposal (SA/Key Exchange) and enter the values below.

  1. Change AES Encryption to 256 bits
  2. Change PFS key group to 15 (3072 bit)
  3. Enter the pfSense #1 HQ's IP Address to be pinged automatically (this ensures that the tunnel stays active at all times; as before, the address must lie inside the Remote Network, e.g. the LAN address of pfSense #1)
  4. Hit Save & Apply Changes.

(Figure: Configuring Phase 2)

Step 6 - Creating a Firewall Rule on pfSense #2 Remote Location

Navigate to Firewall / Rules / IPsec. Click Add. Enter the following values:

  1. Change Protocol to Any
  2. For Source select Network
  3. Enter the Subnet of pfSense #1 HQ (192.168.1.0/24)
  4. Enter a Description
  5. Hit Save & Apply Changes

(Figure: Creating a Firewall Rule)

Now, in theory, a tunnel should be established between the two.
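Most tunnels that refuse to come up, or come up but pass no traffic, have one value on one side that does not mirror the other (Remote Gateway vs. peer WAN, Local vs. Remote Network, the IPsec rule source, or the PSK). The following is an added example, not part of the tutorial, that models the values entered in Steps 1 to 6 and reports every mismatch; the subnets are the tutorial's, while the WAN addresses and the PSK are constructed placeholders.

```python
# Added example (not from the tutorial): a consistency check for the
# values entered in Steps 1 to 6, so you can catch a mis-mirrored setting
# before looking at Status / IPsec. Subnets are the tutorial's; the WAN
# addresses and the PSK are constructed placeholders.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Site:
    name: str
    wan_ip: str             # this site's WAN address (peer's Remote Gateway)
    remote_gateway: str     # Phase 1: Remote Gateway entered on this site
    psk: str                # Phase 1: Pre-Shared Key
    local_net: str          # Phase 2: Local Network
    remote_net: str         # Phase 2: Remote Network
    aes_bits: int           # Phase 2: AES key length
    pfs_group: int          # Phase 2: PFS key group (15 = 3072 bit)
    ipsec_rule_source: str  # Firewall / Rules / IPsec: Source network


def check_pair(a: Site, b: Site) -> list[str]:
    """Return every mismatch found; an empty list means the sides mirror."""
    problems = []
    for here, peer in ((a, b), (b, a)):
        if ip_address(here.remote_gateway) != ip_address(peer.wan_ip):
            problems.append(f"{here.name}: Remote Gateway is not {peer.name}'s WAN IP")
        if ip_network(here.remote_net) != ip_network(peer.local_net):
            problems.append(f"{here.name}: Remote Network is not {peer.name}'s Local Network")
        # The IPsec-tab rule must admit traffic coming *from* the peer's subnet.
        if ip_network(here.ipsec_rule_source) != ip_network(peer.local_net):
            problems.append(f"{here.name}: IPsec rule source must be {peer.local_net}")
    if a.psk != b.psk:
        problems.append("Pre-Shared Keys differ")
    if (a.aes_bits, a.pfs_group) != (b.aes_bits, b.pfs_group):
        problems.append("Phase 2 proposals (AES bits / PFS group) differ")
    if ip_network(a.local_net).overlaps(ip_network(b.local_net)):
        problems.append("LAN subnets overlap; traffic cannot be routed across the tunnel")
    return problems


HQ = Site("pfSense #1 HQ", "203.0.113.10", "198.51.100.20", "placeholder-psk",
          "192.168.1.0/24", "192.168.2.0/24", 256, 15, "192.168.2.0/24")
REMOTE = Site("pfSense #2 Remote", "198.51.100.20", "203.0.113.10", "placeholder-psk",
              "192.168.2.0/24", "192.168.1.0/24", 256, 15, "192.168.1.0/24")

if __name__ == "__main__":
    for line in check_pair(HQ, REMOTE) or ["OK: both sides mirror each other"]:
        print(line)
```

Fill in the two Site records with what you actually typed into each firewall; any line the check prints is the field to revisit before reading Status / IPsec.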

Step 7 - Testing the Tunnel

Back on pfSense #1 HQ, head to Status / IPsec. If everything went well, you should see that a connection is established.

(Figure: Validating the Tunnel)

You will see a similar picture on pfSense #2 Remote Location. To also validate that the firewall rules are correct, we can do two more things: run a ping from a client on each firewall's subnet.

First, I will ping pfSense #1 HQ from a client connected to pfSense #2 Remote Location.

(Figure: Running a Ping from pfSense #2 to pfSense #1)

And now I run a ping from a client connected to pfSense #1 HQ to pfSense #2 Remote Location.

(Figure: Ping from pfSense #1 to pfSense #2)

Conclusion

And sure enough, you can see that a connection is established. That's it. This should give you a good idea of how to create a site-to-site tunnel with pfSense!

6 thoughts on “pfSense site to site VPN tunnel - The Complete Guide”

  1. Same situation too :c I only see the gateway but I can't see my PC on the other site, can you resolve this?
