pfSense IPsec VPN - Tunnels and Remote Access

The IPsec implementation in pfSense is built on strongSwan and supports both IKEv1 and IKEv2 negotiation protocols. IPsec is the de facto standard for building site-to-site tunnels between equipment from different vendors. The protocol operates at the network layer (L3) and provides encryption, authentication, and integrity verification for every packet.

IPsec configuration in pfSense is performed in two stages: Phase 1 (IKE) defines the parameters for establishing a secure channel between peers, and Phase 2 (IPsec SA) specifies the encryption parameters and protected subnets. Both phases must be configured correctly on both sides of the tunnel for a connection to be established.

In This Section

  • Site-to-Site Tunnel - step-by-step IPsec tunnel configuration between two sites, Phase 1 and Phase 2 parameters, traffic routing
  • IKEv2 Mobile Clients - configuring an IKEv2 server for mobile devices and workstations without third-party software installation
  • IPsec Troubleshooting - log analysis, common negotiation errors, SA status verification, and resolution methods