Setting up site-to-site on pfSense

Note: If you are unsure whether site-to-site is the best solution for you, please take a look at our Remote Access article first. What is more, if your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.


pfSense IPSEC tunnel creation

1. Go to VPN -> IPsec

2. Select +Add P1

  • Key Exchange Version: IKEv2
  • Internet Protocol: IPv4
  • Interface: <Your pfSense WAN Interface>
  • Remote Gateway: the IP of your NordLayer dedicated server
  • Authentication Method: Mutual PSK
  • Negotiation Mode: Main
  • My Identifier: My IP Address
  • Peer Identifier: Peer IP Address
  • Pre-Shared key: generate a key (we will also need this value on our end)

3. Encryption Algorithm

  • Algorithm: AES
  • Key Length: 256 bits
  • HASH: SHA256
  • DH Group: 14
  • Lifetime (Seconds): 28800

4. Advanced Options

  • Disable rekey: Unchecked
  • Margintime (Seconds): Empty
  • Responder Only: Unchecked
  • NAT Traversal: Auto
  • Dead Peer Detection: Checked
  • Delay: 10
  • Max failures: 5

5. Select Save



6. Add phase 2: Select +Add p2

  • Mode: Tunnel IPv4
  • Local Network: Network: Put your local LAN network subnet
  • Remote Network: Network:
  • Phase 2: Proposal
  • Protocol: ESP
  • Encryption Algorithm-AES: 256 bits
  • Hash Algorithms: SHA256
  • PFS Key Group: 14

7. Select Save

Screenshot_2021-05-26_at_15.50.38.png8. Select Apply Changes



pfSense Firewall Rules (Optional)


1. In the Menu Bar go to Firewall -> Rules

2. Under IPSEC add a new rule

  • Action: Pass
  • Quick: Mark v
  • Interface: WAN and IPSEC
  • Source: the IP of your NordLayer dedicated server
  • Destination: Either put any or you can limit to your FW external IP
  • Select Save.




3. Under IPSEC add a new rule:

  • Action: Pass
  • Source: the IP of your NordLayer dedicated server
  • Destination: Either put any or you can limit to your FW external IP
  • Select Save.




4. Select Apply Changes


Bringing the tunnel up

1. In the Menu Bar go to Status:-> IPsec

2. On the tunnel, you created select: Connect VPN


Ending note:

In order to finalize the site-to-site setup on our end, we will need these values:

  • Pre-shared key - you can generate it or we can provide it
  • Encryption  details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
  • Remote gateway/router public IP (must be reachable while connected to the dedicated server)
  • Remote subnet and mask (the subnet is used in your local network)

Lastly, it is important to know what device or cloud network is being used (Ubiquiti, Fortigate, AWS, Google Cloud, etc.)

You can provide all of these values to us securely via

In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.

Return to top