← Back to Guides Homepage

How to Set Up Site-to-Site IPsec VPN (OPNsense & pfSense)

In this guide, you will learn how to configure a robust Site-to-Site IPsec VPN between OPNsense and pfSense firewalls. We will use IKEv2 with AES-GCM encryption to ensure both high security and performance. This setup allows seamless connectivity between two distinct private LANs over the internet.

Network Topology

Before beginning configuration, it is essential to understand the network schema used in this example.

• OPNsense (Left Side): LAN Network 10.1.1.0/24
• pfSense (Right Side): LAN Network 10.2.2.0/24
• Connection: The VPN connects via the WAN IP addresses of both firewalls.

Part 1: OPNsense Configuration

We will start by configuring the OPNsense side of the tunnel.

1. Create Pre-Shared Key

Navigate to VPN > IPsec > Pre-shared Keys and click the + button.

• Local Identifier: Enter the WAN IP of the OPNsense firewall.
• Remote Identifier: Enter the WAN IP of the pfSense firewall.
• Pre-shared Key: Enter a strong password (e.g., ABC123).
• Type: PSK.

2. Configure Phase 1 (Connection)

Navigate to VPN > IPsec > Tunnel Settings and add a new connection.

• Key Exchange: IKEv2
• Proposal (Encryption): AES 256 GCM
• Proposal (Hash): SHA 256
• DH Group: 21
• Authentication: Select "Pre-shared key" for both Local and Remote.
• DPD (Dead Peer Detection): 30 seconds.

3. Configure Phase 2 (Children)

Inside the connection settings, add a "Child" entry to define the networks.

• Mode: Tunnel IPv4
• Policies: Policy based (check box enabled)
• Proposal: AES 256 GCM (Hash is not required for GCM)
• Local Network: 10.1.1.0/24
• Remote Network: 10.2.2.0/24

Ensure you check the Enable IPsec box and click Apply.

4. Firewall Rules

Go to Firewall > Rules > IPsec and add a rule to pass all traffic (Any/Any) for testing. If connecting over the WAN, ensure UDP 500, UDP 4500, and ESP protocols are allowed on the WAN interface.

Part 2: pfSense Configuration

Now we will configure the pfSense side to match the settings we just created.

1. Configure Phase 1

Navigate to VPN > IPsec > Tunnels and click Add P1.

• Key Exchange: IKEv2
• Remote Gateway: Enter the OPNsense WAN IP.
• Authentication: Mutual PSK.
• Pre-Shared Key: Enter the exact same key used on OPNsense (`ABC123`).
• Encryption: AES 256 GCM (256 bits).
• Hash: SHA 256.
• DH Group: 21.

2. Configure Phase 2

Click Show Phase 2 Entries and Add P2.

• Mode: Tunnel IPv4
• Local Network: LAN Subnet
• Remote Network: Network 10.1.1.0/24
• Encryption: AES 256 GCM (128 bits or 256 bits, must match Phase 1 logic/OPNsense proposal).
• PFS Key Group: 21 (Perfect Forward Secrecy).

3. Firewall Rules

Go to Firewall > Rules > IPsec and add a rule to pass traffic. Ensure the protocol is set to Any (or allow ICMP specifically) to enable ping testing.

Part 3: Verification

Once both sides are configured and changes are applied, you should verify the connection.

1. Check Status

On pfSense, go to Status > IPsec. You should see the tunnel status as established.

2. Test Connectivity

Use a client on the OPNsense LAN (e.g., Linux Mint at 10.1.1.x) to ping a client on the pfSense LAN (e.g., Windows 10 at 10.2.2.x). If the ping replies, traffic is successfully routing through the encrypted tunnel.

← Back to Guides Homepage