Routing internet traffic through a site-to-site IPsec tunnel

From pfSense Documentation
Revision as of 11:18, 9 January 2015 by Jimp (talk | contribs)

This article is part of the How-To series.


It is possible to use IPsec to send Internet traffic from Site A such that it would appear to be coming from Site B. This may be needed if a vendor requires connections originate from a specific address at Site B.


In this article we have two sites:

  • Site A is a branch office, LAN subnet
  • Site B is the main office through which all Internet traffic is routed,

Set up the IPsec tunnel Phase 1

In Site A

In the VPN menu select IPsec. It opens on the Tunnels tab. Click the + button to create a new Phase 1 setup. (Make sure Enable IPsec is checked and saved.)


Enter these values:

  • Internet Protocol: IPv4
  • Interface: WAN (unless using a separate OPT interface)
  • Description: Site B (the site's locality or another suitable description)
  • Authentication method: Mutual PSK
  • Negotiation mode: aggressive
  • My identifier: My IP address
  • Peer identifier: Peer IP address
  • Pre-Shared Key: a long key. This can be generated using external utilities, but be careful to copy it without extra spaces.
  • Policy Generation: Default
  • Proposal Checking: Default
  • Encryption algorithm: AES 256 bits (check this for a discussion of the options)
  • Hash algorithm: SHA256 (check this for a discussion of the options)
  • DH key group: 2 (1024 bit) (read this for an explanation of what this is)
  • Lifetime: 28800
  • NAT Traversal: Disable. Turn this off unless it is definitely needed.
  • Dead Peer Detection: Enable, 10 seconds, 5 retries. Leave this on unless the other side does not properly support DPD.

Note that aggressive mode with a pre-shared key exposes the peer identities and a PSK-derived hash to anyone observing the exchange, and that a 1024-bit DH group is considered weak by current standards; when both peers support it, main mode and a larger DH group are the safer choice.

Note that the Phase 1 entry is now shown on the IPsec page. Click Save and in the next screen click Apply Changes.


In Site B

Do the same as in Site A but in the Remote Gateway field enter Site A’s public IP address or FQDN and in the Description field enter ‘Site A’.

Set up the IPsec tunnel Phase 2

In Site A

Click "+" under the Phase 1 entry. It will show an overview of all available Phase 2 entries. Since we haven’t made any yet none are shown.


Click "+" to create a new Phase 2.


Enter these values:

  • Mode: Tunnel IPv4
  • Local Network: Type: LAN subnet. NAT/BINAT type: None.
  • Remote Network: This tells pfSense to route everything over this interface.
  • Description: Site B
  • Protocol: ESP
  • Encryption algorithm: AES 256 bits
  • Hash algorithm: SHA256
  • PFS key group: 2 (1024 bit)
  • Lifetime: 3600
  • Automatically ping host: Enter a hostname or IP address to keep the tunnel alive. In my experience this is not necessary.

Click Save and on the next page click Apply Changes.

In Site B

Enter these values (the Phase 2 networks mirror those at Site A):

  • Local Network: Type: Network, Address: the network entered as Remote Network at Site A
  • Remote Network: Type: Network, Address: Site A’s LAN subnet

Use the same Phase 2 proposal and Advanced options as in Site A.


Click Save and then Apply Changes.

Allow IPsec traffic through the firewall

The tunnel should now be operational; however, no traffic is allowed through it until a firewall rule is added to pass it. The rule must be added to the routers at both sites.

From the Firewall menu, choose Rules. Go to the IPsec tab and click "+".


Set the Protocol to any and in the Description field type ‘Allow everything through IPsec tunnel’. Click Save and on the next page click Apply changes. Do this on both routers. A pass-any rule is the quickest way to verify the tunnel; once it works, narrow the rule to the traffic Site A actually needs to send.


At this point the tunnel should be up and it should be possible to ping from one side to the other and back. Computers in Site A haven’t got an Internet connection however. This is because we still need to configure NAT for the IPsec tunnel.

Configure outbound NAT

In the default setup outbound NAT is configured automatically. We need to set it to Manual in order to add Site A’s subnet.

In Site B

From the Firewall menu, choose NAT and click the Outbound tab. Note that Mode is set to Automatic outbound NAT rule generation. Select Manual Outbound NAT rule generation and click Save. On the next page, click Apply changes.

Click "+" to open the New Mapping page.


As the Source Type, select Network. In the Source, Address field type Site A’s subnet:

In the Description field, type ‘NAT for IPsec tunnel Site A’.


Click Save and on the next page, click Apply changes.

Note that the new entry is shown in the outbound NAT overview.


This is not required on the router at site A.

At this point Site A will have a working Internet connection through the IPsec tunnel via Site B’s Internet provider. Any Internet traffic from Site A will look as if it were coming from Site B (see the diagram at the beginning of this article).
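As an added illustration (not part of the original article), the script below models the three pieces this how-to configures: mirrored Phase 2 selectors, the pass rule on the IPsec tab, and Site B's outbound NAT for Site A's subnet. It shows why a packet from Site A reaches the Internet with Site B's address only when all three are in place. The subnet 192.168.2.0/24, Site B's address 203.0.113.10 and the "route everything" selector 0.0.0.0/0 are constructed assumptions.

```python
"""Model the IPsec policy pieces from the how-to (added example, not pfSense code).

Constructed assumptions: Site A LAN = 192.168.2.0/24, Site B WAN = 203.0.113.10,
and "route everything over the tunnel" is the selector 0.0.0.0/0.
"""
from ipaddress import ip_address, ip_network

# Phase 2 selectors as configured at each site; Site B mirrors Site A.
P2_SITE_A = {"local": ip_network("192.168.2.0/24"), "remote": ip_network("0.0.0.0/0")}
P2_SITE_B = {"local": ip_network("0.0.0.0/0"), "remote": ip_network("192.168.2.0/24")}
SITE_B_WAN = ip_address("203.0.113.10")  # constructed public address of Site B


def phase2_mirrors(a, b):
    """Both ends must describe the same traffic, seen from opposite sides."""
    return a["local"] == b["remote"] and a["remote"] == b["local"]


def sent_into_tunnel(p2, src, dst):
    """True if an outgoing src->dst packet matches the local->remote selector."""
    return ip_address(src) in p2["local"] and ip_address(dst) in p2["remote"]


def accepted_from_tunnel(p2, src, dst):
    """True if a packet arriving over the tunnel matches remote->local."""
    return ip_address(src) in p2["remote"] and ip_address(dst) in p2["local"]


def egress_source(src, dst, nat_sources, ipsec_rule_added=True):
    """Trace a packet from a Site A host to an Internet host.

    Returns the source address an Internet host would see, or None when the
    packet cannot complete the trip. nat_sources lists the networks entered
    as Source in Site B's manual outbound NAT mappings.
    """
    if not sent_into_tunnel(P2_SITE_A, src, dst):
        return None  # Site A routes it out its own WAN, not into the tunnel
    if not accepted_from_tunnel(P2_SITE_B, src, dst):
        return None  # Site B's Phase 2 does not match; the SA never carries it
    if not ipsec_rule_added:
        return None  # blocked on Site B's IPsec tab until a pass rule exists
    if any(ip_address(src) in net for net in nat_sources):
        return str(SITE_B_WAN)  # translated: appears to come from Site B
    return None  # leaves Site B with a private source; replies never come back


if __name__ == "__main__":
    print(phase2_mirrors(P2_SITE_A, P2_SITE_B))
    print(egress_source("192.168.2.20", "198.51.100.5", []))  # None: no NAT yet
    print(egress_source("192.168.2.20", "198.51.100.5", [P2_SITE_A["local"]]))
```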

By Vorkbaard, 2013-07-27 - gmail{a}vorkbaard[.]nl, with additional edits.