
Ultimate Guide to pfSense VPN IPsec Site-to-Site Setup

By Sofia Laurent

Establishing a secure connection between geographically dispersed networks is a fundamental requirement for modern businesses. A pfSense IPsec site-to-site VPN provides a robust and reliable way to connect two locations as if they were on the same local network. The tunnel lets sensitive data cross the public internet securely, mitigating the risk of interception or tampering.

Understanding IPsec and Tunnel Mode Operation

IPsec, or Internet Protocol Security, operates in tunnel mode to create the site-to-site connection. In this mode, the entire original packet is encapsulated within a new packet carrying a new IP header, which hides the internal network structure and IP addresses of the connected sites from the public internet. The encapsulated packet is then encrypted and authenticated, providing confidentiality, integrity, and authentication for the entire path between the two pfSense firewalls.

Planning the Network Topology

A successful implementation begins with careful planning of the network topology. You must identify the external IP addresses of both pfSense devices, which are typically public IPs provided by the respective internet service providers. Additionally, you need to define the local subnets at each location that require communication. For example, if one office uses the 192.168.1.0/24 subnet and the other uses 192.168.2.0/24, these ranges must be specified accurately in the configuration to ensure traffic is routed correctly through the tunnel.

Required Network Information

Gathering the correct network information is critical before configuring the VPN; a mistake at this stage leads to connection failures or routing problems. The following table lists the essential data points for a typical site-to-site setup. Note that each side's VPN peer address is the other side's WAN address.

Parameter            Site A Example     Site B Example
Local Subnet         192.168.1.0/24     192.168.2.0/24
WAN IP Address       203.0.113.1        198.51.100.1
VPN Peer Address     198.51.100.1       203.0.113.1
Encryption Method    AES-256-GCM        AES-256-GCM
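A pre-flight check for the planning data above, written as an added example for this guide rather than code from pfSense or the author. It takes the table values as constructed input and reports the mistakes that most often cause a tunnel to fail before Phase 1 is even attempted: overlapping local subnets, a host address entered where a network is expected, a WAN address that sits inside one of the LANs, and peer addresses that are not mirrored. The Site class and its field names are this example's own, not pfSense configuration fields.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Site:
    """One end of the tunnel, as entered in the pfSense GUI (field names are this example's, not pfSense's)."""
    name: str
    local_subnet: str  # LAN behind this firewall, e.g. 192.168.1.0/24
    wan_ip: str        # public address on this firewall's WAN
    peer_ip: str       # "Remote Gateway": the other firewall's WAN address


def validate_pair(a: Site, b: Site) -> List[str]:
    """Return the inconsistencies between the two sites; an empty list means the data is usable."""
    problems: List[str] = []
    lans: Dict[Site, ipaddress.IPv4Network] = {}
    for site in (a, b):
        try:
            # strict=True rejects a host address such as 192.168.1.1/24 passed off as a network
            lans[site] = ipaddress.ip_network(site.local_subnet, strict=True)
        except ValueError as exc:
            problems.append(f"{site.name}: local subnet {site.local_subnet!r} is not a network: {exc}")
    if len(lans) == 2:
        # The tunnel routes by destination subnet, so the two LANs must not overlap.
        if lans[a].overlaps(lans[b]):
            problems.append(f"local subnets overlap: {lans[a]} and {lans[b]}")
    for site in (a, b):
        wan = ipaddress.ip_address(site.wan_ip)
        for owner, lan in lans.items():
            if wan in lan:
                problems.append(f"{site.name}: WAN address {wan} falls inside {owner.name}'s LAN {lan}")
    # Each side's "Remote Gateway" must be the other side's WAN address.
    if a.peer_ip != b.wan_ip:
        problems.append(f"{a.name} dials {a.peer_ip} but {b.name}'s WAN is {b.wan_ip}")
    if b.peer_ip != a.wan_ip:
        problems.append(f"{b.name} dials {b.peer_ip} but {a.name}'s WAN is {a.wan_ip}")
    return problems


# Constructed input: the values from the table in this guide.
SITE_A = Site("Site A", "192.168.1.0/24", "203.0.113.1", "198.51.100.1")
SITE_B = Site("Site B", "192.168.2.0/24", "198.51.100.1", "203.0.113.1")

if __name__ == "__main__":
    for line in validate_pair(SITE_A, SITE_B) or ["no problems found"]:
        print(line)
```

Run it once with the planned values and again after deliberately swapping one entry; each reported line names the site and the field so the correction can be made in the matching GUI page before the tunnel is brought up.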

Configuring the Phase 1 Proposal

IKE Phase 1 establishes a secure channel between the two peers and negotiates the security parameters that protect the Phase 2 negotiation. In the pfSense interface, select an encryption algorithm such as AES-256-GCM, which offers strong security with good performance. The hash algorithm must match on both sides; SHA256 is the current standard. Set the Diffie-Hellman (DH) group to a sufficient strength, such as 14 or 21, to resist brute-force attacks on the key exchange.

Configuring the Phase 2 Proposal and Traffic Selectors

Phase 2 defines which traffic is allowed through the tunnel and how that traffic is encrypted. Create a proposal whose local and remote networks match the subnets defined during planning; AES-256-GCM is recommended for the encryption here as well. The traffic selectors must precisely match the internal subnets of each location, and they must mirror each other: Site A's remote network is Site B's local network and vice versa. This ensures that only the intended traffic is encrypted and sent across the tunnel, which keeps both performance and security where they should be.
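Both phases only succeed when the two firewalls agree, and a single differing field on one side is enough for the responder to reject the proposal. The following added example (this guide's own illustration, not pfSense code) compares the Phase 1 and Phase 2 settings entered on each side, flags fields that differ, warns about DH groups weaker than the 14 or 21 recommended above, and checks that the Phase 2 traffic selectors are mirrored. The dictionary keys are this example's own labels, not pfSense field names, and the site values are constructed from the recommendations in the text.

```python
import copy
import ipaddress
from typing import Any, Dict, List

# DH groups widely considered too weak for new tunnels (768-, 1024- and 1536-bit MODP).
WEAK_DH_GROUPS = {1, 2, 5}

# Keys here are this example's labels, not pfSense field names. Values follow the text's recommendations.
SITE_A: Dict[str, Dict[str, Any]] = {
    "phase1": {"ike_version": "IKEv2", "encryption": "AES-256-GCM", "hash": "SHA256", "dh_group": 14},
    "phase2": {"encryption": "AES-256-GCM", "local": "192.168.1.0/24", "remote": "192.168.2.0/24"},
}
SITE_B: Dict[str, Dict[str, Any]] = {
    "phase1": {"ike_version": "IKEv2", "encryption": "AES-256-GCM", "hash": "SHA256", "dh_group": 14},
    "phase2": {"encryption": "AES-256-GCM", "local": "192.168.2.0/24", "remote": "192.168.1.0/24"},
}


def check_phase1(a: Dict[str, Any], b: Dict[str, Any]) -> List[str]:
    """Every Phase 1 parameter must be identical on both peers."""
    problems: List[str] = []
    for field in ("ike_version", "encryption", "hash", "dh_group"):
        if a[field] != b[field]:
            problems.append(f"Phase 1 {field} differs: {a[field]!r} vs {b[field]!r}")
    for label, p in (("Site A", a), ("Site B", b)):
        if p["dh_group"] in WEAK_DH_GROUPS:
            problems.append(f"{label}: DH group {p['dh_group']} is too weak; use 14 or 21")
    return problems


def check_phase2(a: Dict[str, Any], b: Dict[str, Any]) -> List[str]:
    """Encryption must match and the traffic selectors must be mirror images of each other."""
    problems: List[str] = []
    if a["encryption"] != b["encryption"]:
        problems.append(f"Phase 2 encryption differs: {a['encryption']!r} vs {b['encryption']!r}")
    a_local, a_remote = ipaddress.ip_network(a["local"]), ipaddress.ip_network(a["remote"])
    b_local, b_remote = ipaddress.ip_network(b["local"]), ipaddress.ip_network(b["remote"])
    # A's local network must be what B calls remote, and vice versa.
    if a_local != b_remote:
        problems.append(f"Site A local {a_local} is not mirrored by Site B remote {b_remote}")
    if a_remote != b_local:
        problems.append(f"Site A remote {a_remote} is not mirrored by Site B local {b_local}")
    return problems


def check_tunnel(site_a: Dict[str, Any], site_b: Dict[str, Any]) -> List[str]:
    """Combined report for both phases; an empty list means the proposals will line up."""
    return check_phase1(site_a["phase1"], site_b["phase1"]) + check_phase2(site_a["phase2"], site_b["phase2"])


def with_override(site: Dict[str, Any], phase: str, field: str, value: Any) -> Dict[str, Any]:
    """Copy of a site with one field changed, to simulate a typo made on one side only."""
    changed = copy.deepcopy(site)
    changed[phase][field] = value
    return changed


if __name__ == "__main__":
    print("as planned:", check_tunnel(SITE_A, SITE_B))
    print("DH group typo:", check_tunnel(SITE_A, with_override(SITE_B, "phase1", "dh_group", 2)))
```

The mirrored-selector check is the one that catches the most common Phase 2 mistake: both administrators enter their own LAN as "local" and copy the same subnet into "remote" on both sides, after which Phase 1 completes but no traffic ever enters the tunnel.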

Verifying the Connection and Troubleshooting

S

Written by Sofia Laurent
