---
title: "Setting up Site-to-Site VPN on pfSense"
slug: "site-to-site-pfsense"
description: "pfSense IPSEC tunnel creation Go to VPN -> IPsec Select +Add P1 Key Exchange Version: IKEv2 Internet Protocol: IPv4 Interface: Remote Gateway."
updated: 2026-05-07T09:04:19Z
published: 2026-05-07T09:04:19Z
canonical: "help.nordlayer.com/site-to-site-pfsense"
---

# Setting up Site-to-Site VPN on pfSense

**Note**: If your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.

## pfSense IPsec Site-to-Site VPN tunnel configuration

1. Go to VPN -> IPsec
2. Select +Add P1

- **Key Exchange Version**: [IKEv2](https://nordlayer.com/learn/vpn/ikev2/)
- **Internet Protocol**: IPv4
- **Interface**: Your pfSense WAN Interface
- **Remote Gateway**: the IP of your NordLayer server with a dedicated IP
- **Authentication Method**: Mutual PSK
- **Negotiation Mode**: Main
- **My Identifier**: My IP Address
- **Peer Identifier**: Peer IP Address
- **Pre-Shared key**: generate a key (we will also need this value on our end)

1. Encryption Algorithm

- **Algorithm**: AES
- **Key Length**: 256 bits
- **HASH**: SHA256
- **DH Group**: 14
- **Lifetime (Seconds)**: 28800

1. Advanced Options

- **Disable rekey**: Unchecked
- **Margintime (Seconds)**: Empty
- **Responder Only**: Unchecked
- **NAT Traversal**: Auto
- **Dead Peer Detection**: Checked
- **Delay**: 10
- **Max failures**: 5

1. Select **Save**

![Screenshot 2021-05-26 at 15.50.24.png](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202021-05-26%20at%2015.50.24.png)

![Screenshot 2021-05-26 at 15.50.31.png](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202021-05-26%20at%2015.50.31.png)

1. Add Phase 2: select +Add P2

- **Mode**: Tunnel IPv4
- **Local Network**: Network: your local LAN subnet
- **Remote Network**: Network: 10.6.0.0/20
- **Phase 2 Proposal**:
- **Protocol**: ESP
- **Encryption Algorithm**: AES, 256 bits
- **Hash Algorithms**: SHA256
- **PFS Key Group**: 14
- **Lifetime (Seconds)**: 3600

1. Select Save

![Screenshot 2021-05-26 at 15.50.38.png](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202021-05-26%20at%2015.50.38.png)

1. Select Apply Changes

![Screenshot 2021-05-26 at 15.50.44.png](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202021-05-26%20at%2015.50.44.png)

![Screenshot 2021-05-26 at 15.50.50.png](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202021-05-26%20at%2015.50.50.png)

## pfSense Firewall Rules (Optional)

![Screenshot 2021-05-26 at 15.50.57.png](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202021-05-26%20at%2015.50.57.png)

1. In the Menu Bar go to Firewall -> Rules
2. Under IPSEC add a new rule

- **Action**: Pass
- **Quick**: Checked
- **Interface**: WAN and IPSEC
- **Source**: the IP of your NordLayer server with a dedicated IP
- **Destination**: either `any`, or limit it to your firewall's external IP
- Select **Save**.

![Screenshot 2021-05-26 at 15.51.04.png](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202021-05-26%20at%2015.51.04.png)

![Screenshot 2021-05-26 at 15.51.09.png](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202021-05-26%20at%2015.51.09.png)

![Screenshot 2021-05-26 at 15.51.16.png](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202021-05-26%20at%2015.51.16.png)

1. Under IPSEC add a new rule:

- **Action**: Pass
- **Source**: the IP of your NordLayer server with a dedicated IP
- **Destination**: either `any`, or limit it to your firewall's external IP
- Select **Save**.

![Screenshot 2021-05-26 at 15.51.22.png](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202021-05-26%20at%2015.51.22.png)

![Screenshot 2021-05-26 at 15.51.27.png](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202021-05-26%20at%2015.51.27.png)

![Screenshot 2021-05-26 at 15.51.32.png](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202021-05-26%20at%2015.51.32.png)

1. Select Apply Changes

## Bringing the tunnel up

1. In the Menu Bar go to Status -> IPsec
2. On the tunnel you created, select Connect VPN

![Screenshot 2021-05-26 at 15.51.37.png](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202021-05-26%20at%2015.51.37.png)

## Ending note:

In order to finalize the site-to-site tunnel, please create a setup in the [Sites tab of the NordLayer Control Panel](/v1/docs/site-to-site).

- Pre-shared key - you can generate it or we can provide it
- Encryption details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (IKEv2 support is also required)
- Remote gateway/router public IP (must be reachable while connected to the server with a dedicated IP)
- Remote subnet and mask (the subnet used in your local network)
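
A pre-flight check for the values listed above, as an added example rather than NordLayer or pfSense tooling: it generates a random pre-shared key and verifies that the gateway address is public and that the local subnet does not overlap the 10.6.0.0/20 remote network from Phase 2. The function names, the key-length threshold and the sample addresses are assumptions made for this example.

```python
import ipaddress
import secrets

# Remote network from the Phase 2 settings on this page.
REMOTE_NET = ipaddress.ip_network("10.6.0.0/20")
# Ranges that cannot be reached from the internet (RFC 1918, CGNAT,
# loopback, link-local); assumed list for this example.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]


def generate_psk(nbytes=32):
    """Random pre-shared key: nbytes from the OS CSPRNG, as URL-safe text."""
    return secrets.token_urlsafe(nbytes)


def check_handover(psk, gateway_ip, lan_cidr):
    """Return a list of problems; an empty list means the values are usable."""
    problems = []
    # Short or repetitive keys are guessable; require a long, varied string.
    if len(psk) < 32 or len(set(psk)) < 12:
        problems.append("psk: too short or too repetitive")
    try:
        gw = ipaddress.IPv4Address(gateway_ip)
        if any(gw in net for net in NON_PUBLIC):
            problems.append(f"gateway: {gw} is not a public address")
    except ValueError:
        problems.append(f"gateway: {gateway_ip!r} is not an IPv4 address")
    try:
        # strict=True rejects a host address written as a subnet,
        # e.g. 192.168.1.10/24 instead of 192.168.1.0/24.
        lan = ipaddress.IPv4Network(lan_cidr, strict=True)
        # Overlapping local and remote networks make tunnel routing ambiguous.
        if lan.overlaps(REMOTE_NET):
            problems.append(f"lan: {lan} overlaps remote network {REMOTE_NET}")
    except ValueError as exc:
        problems.append(f"lan: {exc}")
    return problems


if __name__ == "__main__":
    # Constructed sample values: a documentation-range WAN IP and two LANs.
    psk = generate_psk()
    for lan in ("192.168.10.0/24", "10.6.8.0/24"):
        print(lan, check_handover(psk, "203.0.113.10", lan) or "ok")
```
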

**Note**: If you are experiencing different results, make sure that you have carefully gone through all the steps. If the issue persists, please feel free to contact our [24/7 customer support team](/docs/how-do-i-contact-nordlayer-customer-support).
