In large companies whose headquarters and offices are spread across different geographic locations, it is often useful to be able to reach one site's resources from another site.
In particular, this lets you centralize user accounts, policies, ... on the Active Directory domain controller located at the company's headquarters.
To do this, create a site-to-site IPsec VPN tunnel between a pfSense instance at each geographic site.
In this tutorial, we will simulate a company with a head office in Brussels (Belgium) and an office in Paris (France).
Site 1 will therefore be that of Brussels and site 2 will be the Paris office.
Important: for clarity, we have changed the theme used by pfSense on the remote site.
Thus, the pfSense pages with a white background correspond to site 1 in Brussels and the pages with a black background correspond to site 2 in Paris.
To begin with, if your pfSense WAN interface has a private IP address (e.g. 192.168.1.x, 10.0.0.x, ...), you will need to modify the configuration of that WAN interface.
To do this, go to "Interfaces -> WAN" and uncheck the "Block private networks and loopback addresses" box located at the bottom of the page.
Then click Save, and then click "Apply Changes" at the top of the page.
Otherwise, once you have created your VPN tunnels, the IPsec tunnel status will remain "Connecting".
Additionally, in the log (accessible via the "Status -> System Logs -> Firewall" menu), you will see that traffic arriving on the pfSense WAN interface from private networks is blocked.
In this log entry, the source is "[WAN IP address of the pfSense machine trying to connect via IPsec]:[port 500 used by IKE]" and the destination is "[WAN IP address of the current pfSense machine which is blocking access via IPsec]:[port 500 used by IKE]".
WAN / Block private networks from WAN block 192.168/16 (12004) / 192.168.1.11:500 / 192.168.1.12:500 / UDP
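To check quickly whether this rule is what is keeping a tunnel stuck in "Connecting", here is an added example (not part of the original tutorial) that parses firewall log lines in the layout shown above and flags IKE traffic dropped by the private-network rule. Apart from the entry quoted above, the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log in the column layout shown by the pfSense GUI under
# Status -> System Logs -> Firewall (interface / rule / source / destination / protocol).
# Line 1 is the entry quoted in the tutorial; lines 2-4 are constructed for contrast.
SAMPLE_LOG = """\
WAN / Block private networks from WAN block 192.168/16 (12004) / 192.168.1.11:500 / 192.168.1.12:500 / UDP
WAN / Block private networks from WAN block 192.168/16 (12004) / 192.168.1.11:4500 / 192.168.1.12:4500 / UDP
WAN / Default deny rule IPv4 (1000000103) / 203.0.113.7:51234 / 192.168.1.12:22 / TCP
LAN / Default allow LAN to any rule (1000000104) / 10.10.0.5:53412 / 192.168.1.1:53 / UDP
"""

IKE_PORTS = {500, 4500}  # IKE (UDP/500) and IKE with NAT traversal (UDP/4500)

LINE_RE = re.compile(
    r"^(?P<iface>\S+) / (?P<rule>.+?) / "
    r"(?P<src>[\d.]+):(?P<sport>\d+) / (?P<dst>[\d.]+):(?P<dport>\d+) / (?P<proto>\w+)$"
)

@dataclass(frozen=True)
class BlockedIke:
    peer: str   # WAN address of the pfSense trying to open the tunnel (log source)
    local: str  # WAN address of the pfSense that dropped the packet (log destination)
    port: int
    rule: str

def parse_line(line: str) -> Optional[dict]:
    """Split one GUI-style firewall log line into fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_blocked_ike(log: str) -> list[BlockedIke]:
    """Return IKE datagrams dropped on WAN by the 'Block private networks' rule."""
    hits = []
    for line in log.splitlines():
        f = parse_line(line)
        if not f or f["iface"] != "WAN" or f["proto"] != "UDP":
            continue
        if int(f["dport"]) not in IKE_PORTS or "Block private networks" not in f["rule"]:
            continue
        hits.append(BlockedIke(f["src"], f["dst"], int(f["dport"]), f["rule"]))
    return hits

def explain(hit: BlockedIke) -> str:
    """Map a hit to the remediation described in this tutorial."""
    return (f"{hit.local} dropped IKE from {hit.peer} on UDP/{hit.port} ('{hit.rule}'): "
            "uncheck 'Block private networks and loopback addresses' under Interfaces -> WAN")
```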
When you want to create an IPsec tunnel between 2 sites, you must configure 2 phases:
Warning: the IKE version, the authentication method, the pre-shared key, the encryption algorithms, ... must be identical on the source and destination sites.
Otherwise, the IPsec tunnel will not be established.
To start, on the pfSense machine at site 1 (Brussels), go to: VPN -> IPsec.
Note: to learn more about IPsec, see the "IPsec Terminology | pfSense Documentation" page.
Then, on the "VPN / IPsec / Tunnels" page that appears, click on: Add P1.
On the "Edit Phase 1" page that appears, configure these settings:
Next, you can configure the authentication method and the algorithm to use for encryption:
Note that pfSense allows you to add several encryption algorithms to ensure better compatibility for establishing the IPsec tunnel. When establishing the P1 tunnel, the best encryption algorithm supported on both sides will be used automatically.
Important: for security reasons, it is best to define a single encryption algorithm, so that you do not also accept weaker algorithms that an attacker could use to connect to your network via IPsec should a vulnerability in them be discovered later.
In the "Expiration and Replacement" section, you can configure several parameters:
Leave the default value "28800" specified for the "Life Time" option.
Note: you will generally not need to modify them, since pfSense calculates the default values so that they match what is recommended in your case.
Finally, you will find an "Advanced Options" section, where the two most interesting options are the first two listed.
On site 1 (Brussels), configure only the first 2 parameters:
Then, click Save.
Source: Phase 1 Settings | pfSense Documentation.
Click "Apply Changes".
Your IPsec P1 tunnel has been created.
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.