Contents x
    Setting up site-to-site on pfSense
    • 1 Minute to read
      Contents

      Setting up site-to-site on pfSense

      • 1 Minute to read
        Article Summary

        Note: If your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.

        pfSense IPSEC tunnel creation

        1. Go to VPN -> IPsec

        2. Select +Add P1

        • Key Exchange Version: IKEv2
        • Internet Protocol: IPv4
        • Interface: Your pfSense WAN Interface
        • Remote Gateway: the IP of your NordLayer dedicated server
        • Authentication Method: Mutual PSK
        • Negotiation Mode: Main
        • My Identifier: My IP Address
        • Peer Identifier: Peer IP Address
        • Pre-Shared key: generate a key (we will also need this value on our end)
        1. Encryption Algorithm
        • Algorithm: AES
        • Key Length: 256 bits
        • HASH: SHA256
        • DH Group: 14
        • Lifetime (Seconds): 3600
        1. Advanced Options
        • Disable rekey: Unchecked
        • Margintime (Seconds): Empty
        • Responder Only: Unchecked
        • NAT Traversal: Auto
        • Dead Peer Detection: Checked
        • Delay: 10
        • Max failures: 5
        1. Select Save

        Screenshot 2021-05-26 at 15.50.24.png

        Screenshot 2021-05-26 at 15.50.31.png

        1. Add phase 2: Select +Add p2
        • Mode: Tunnel IPv4
        • Local Network: Network: Put your local LAN network subnet
        • Remote Network: Network: 10.6.0.0/20
        • Phase 2: Proposal
        • Protocol: ESP
        • Encryption Algorithm-AES: 256 bits
        • Hash Algorithms: SHA256
        • PFS Key Group: 14
        • Lifetime (Seconds): 28800
        1. Select Save

        Screenshot 2021-05-26 at 15.50.38.png

        1. Select Apply Changes

        Screenshot 2021-05-26 at 15.50.44.png

        Screenshot 2021-05-26 at 15.50.50.png

        pfSense Firewall Rules (Optional)

        Screenshot 2021-05-26 at 15.50.57.png

        1. In the Menu Bar go to Firewall -> Rules

        2. Under IPSEC add a new rule

        • Action: Pass
        • Quick: Mark v
        • Interface: WAN and IPSEC
        • Source: the IP of your NordLayer dedicated server
        • Destination: Either put any or you can limit to your FW external IP
        • Select Save.

        Screenshot 2021-05-26 at 15.51.04.png

        Screenshot 2021-05-26 at 15.51.09.png

        Screenshot 2021-05-26 at 15.51.16.png

        1. Under IPSEC add a new rule:
        • Action: Pass
        • Source: the IP of your NordLayer dedicated server
        • Destination: Either put any or you can limit to your FW external IP
        • Select Save.

        Screenshot 2021-05-26 at 15.51.22.png

        Screenshot 2021-05-26 at 15.51.27.png

        Screenshot 2021-05-26 at 15.51.32.png

        1. Select Apply Changes

        Bringing the tunnel up

        1. In the Menu Bar go to Status:-> IPsec

        2. On the tunnel, you created select: Connect VPN

        Screenshot 2021-05-26 at 15.51.37.png

        Ending note:

        In order to finalize the site-to-site setup on our end, please provide these values via Site-to-site request from in the NordLayer Control Panel:

        • Pre-shared key - you can generate it or we can provide it
        • Encryption  details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
        • Remote gateway/router public IP (must be reachable while connected to the dedicated server)
        • Remote subnet and mask (the subnet is used in your local network)

        Note: In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.

        Was this article helpful?
        What's Next