Connecting pfSense via Policy Based VPN

*When supported by your device, Pureport strongly recommends the use of Route Based VPN with BGP for Site VPN Connections. This will make future network growth and changes much easier since Pureport manages the BGP peering for you. To configure pfSense to use a Route Based VPN with BGP, see <<<article URL>>>.


Prerequisites:

  1. A Pureport Policy Based VPN site connection. Pfsense supports a maximum Encryption Key length of 256bits. Please ensure that your Pureport VPN Site Connection is using AES-CBC 128,192 or 256 bits. The following information will be needed from the connection:
    1. IKE Version
    2. Primary Pureport Gateway IP
    3. Secondary Pureport Gateway IP
    4. Primary Pre-shared Key
    5. Secondary Pre-shared Key
    6. The Local Network(s) in CIDR (This is the Customer Side networks in the Pureport Console)
    7. The Remote Network(s) in CIDR (This is the Pureport Side networks in the Pureport Console)
    8. The Encryption, Integrity, and DH Group mechanisms from the Pureport Console. (The Encryption Algorithm and Key Length should be AES-CBC 128,192 or 256 bits due to Pfsense limits)

1. Add pfSense IPSec Phase1

Using the information from the VPN Site Connection you created in the Pureport Console.

Select VPN / IPSec from top navbar, click Add P1 button. 

  • Key Exchange version: Auto (Pfsense will automatically negotiate the type based upon what you chose in the Pureport Console.)
  • Interface: WAN
  • Remote Gateway: Copy the Pureport Gateway IP from the Primary Gateway in the Pureport Console
  • Pre-Shared Key: Copy the Pre-shared Key from the Pureport Primary Gateway in the Pureport Console. Clicking the Show link will display the key, and clicking the Copy icon will automatically copy the key to your clipboard.
  • Encryption / Hash Algorithm:
    • Algorithm / Key Length: Choose the Encryption Algorithm and  you used in the Pureport Console
    • Key Length: This also comes from the Encryption method you chose in the Pureport Console. Pfsense supports a maximum AES Key Length of 256 bits.
    • Hash: This is the Integrity value you selected for your Site VPN Connection.
    • DH Group: Choose the same value you used for your Site VPN Connection.
  • Save the VPN Connection, then click Apply Changes at the top of the Pfsense VPN Console.


3. Add pfSense IPSec Phase2

Select the Show Phase 2 Entries button under the IPsec Tunnel we just created, then select Add P2

You will need to add a Phase 2 entry for each Traffic Selector you created in your VPN Site Connection.

  • Mode: Tunnel IPv4
  • Local Network: The Customer Side network.
  • Remote Network: The Pureport Side network.
  • Encryption / Hash Algorithm: Use the same Encryption and Integrity (Hash) values you used in Phase 1.
  • Select Save at the bottom of the page.
  • Repeat the above steps for each Traffic Selector you created in your Pureport Site VPN Connection.
  • When completed, select Apply Changes at the top of the Pfsense VPN Console.

4. Initiate IPSec Connection

Navigate to Status / IPSec then click Connect next to the connection. The status should change to ESTABLISHED. If not, you can navigate to the logs at Status / System Logs / IPSec to see what happened.