Connecting pfSense via Route-Based Static VPN
This article describes how to connect pfSense to a Pureport site VPN using a route-based IPsec tunnel (VTI mode) with static routes.
Note: Pureport recommends using Route-Based VPN with BGP for site VPN configurations, since Pureport manages the BGP peering for you. This makes future network growth and changes much easier. See "Connecting pfSense via Route-Based VPN with BGP" for details.
Prerequisites:
Before connecting pfSense, you must have a Pureport Policy-Based VPN Connection. See "Connecting to a Site VPN - Policy-Based" for details.
Note: pfSense supports a maximum encryption key length of 256 bits. Ensure that your Pureport VPN Site Connection uses AES-CBC with a 128-, 192-, or 256-bit key.
You must also gather the following information:
- IKE Version
- Primary Pureport Gateway IP
- Secondary Pureport Gateway IP
- Primary Pre-shared Key
- Secondary Pre-shared Key
- The Local Network in CIDR (the Customer VTI IP in CIDR format in the Pureport Console)
- The Remote Network (the Pureport VTI IP address in the Pureport Console)
- The Encryption, Integrity, and DH Group mechanisms from the Pureport Console.
Note: Because of pfSense limits, the Encryption Algorithm and Key Length must be AES-CBC with a 128-, 192-, or 256-bit key.
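Before typing the values into pfSense, it helps to check them against each other once: the Phase 2 settings must repeat the Phase 1 choices, the encryption must be one pfSense accepts, and the Pureport VTI address must be a different host inside the subnet given by the Customer VTI CIDR. The script below is an added example for this article (not Pureport or pfSense code); the field names, addresses, keys, and algorithm labels are constructed for illustration, and it runs offline.

```python
"""Consistency check for the values gathered for a pfSense <-> Pureport route-based (VTI) tunnel.

Added example for this article; it is not Pureport or pfSense code. The dict keys and every
address, key and algorithm label below are constructed for illustration.
"""
import ipaddress
import re

# pfSense limit stated in the article: AES-CBC with a 128-, 192- or 256-bit key.
ALLOWED_ENCRYPTION = {("AES-CBC", 128), ("AES-CBC", 192), ("AES-CBC", 256)}
ALLOWED_IKE = {"IKEv1", "IKEv2"}


def parse_encryption(label):
    """Turn a console label such as 'AES-CBC 256' or 'AES-CBC-128' into ('AES-CBC', 256)."""
    m = re.fullmatch(r"\s*([A-Za-z0-9]+-[A-Za-z0-9]+)[\s-]*(\d+)\s*", label)
    if not m:
        raise ValueError(f"unrecognised encryption label: {label!r}")
    return (m.group(1).upper(), int(m.group(2)))


def check_tunnel_params(p):
    """Return a list of problems; an empty list means the gathered values are consistent."""
    problems = []

    if p["ike_version"] not in ALLOWED_IKE:
        problems.append(f"IKE version must be one of {sorted(ALLOWED_IKE)}, got {p['ike_version']!r}")

    try:
        if parse_encryption(p["encryption"]) not in ALLOWED_ENCRYPTION:
            problems.append(f"pfSense cannot use {p['encryption']!r}; "
                            "pick AES-CBC 128, 192 or 256 in the Pureport Console")
    except ValueError as err:
        problems.append(str(err))

    # Phase 2 must reuse the Phase 1 encryption and integrity (hash) choices.
    for field in ("encryption", "integrity"):
        if p["phase2"][field] != p[field]:
            problems.append(f"Phase 2 {field} {p['phase2'][field]!r} differs from Phase 1 {p[field]!r}")

    # The customer VTI address comes in CIDR form; the Pureport VTI address must be
    # a different host inside that same subnet, or the VTI will never route.
    local = ipaddress.ip_interface(p["local_vti_cidr"])
    remote = ipaddress.ip_address(p["remote_vti_ip"])
    if remote not in local.network:
        problems.append(f"remote VTI {remote} is outside the local VTI subnet {local.network}")
    elif remote == local.ip:
        problems.append("local and remote VTI addresses are identical")

    # Primary and secondary gateways are distinct endpoints, each with its own pre-shared key.
    if p["primary_gateway"] == p["secondary_gateway"]:
        problems.append("primary and secondary gateway IPs are the same")
    for name in ("primary_psk", "secondary_psk"):
        if not p[name].strip():
            problems.append(f"{name} is empty; copy it from the matching gateway in the Pureport Console")
    return problems


# Constructed sample values using documentation address ranges, not real Pureport or customer data.
GOOD = {
    "ike_version": "IKEv2",
    "primary_gateway": "203.0.113.10",
    "secondary_gateway": "203.0.113.11",
    "primary_psk": "example-primary-psk",
    "secondary_psk": "example-secondary-psk",
    "local_vti_cidr": "169.254.100.1/30",   # Customer VTI IP in CIDR form
    "remote_vti_ip": "169.254.100.2",       # Pureport VTI IP
    "encryption": "AES-CBC 256",
    "integrity": "SHA256",
    "phase2": {"encryption": "AES-CBC 256", "integrity": "SHA256"},
}
# Three deliberate mistakes: unsupported cipher, Phase 2 not matching Phase 1, remote VTI in the wrong subnet.
BAD = dict(GOOD, encryption="AES-GCM 256", remote_vti_ip="169.254.101.2",
           phase2={"encryption": "AES-CBC 128", "integrity": "SHA256"})

if __name__ == "__main__":
    for name, params in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_tunnel_params(params) or "OK")
```

Run it as-is to see the GOOD set pass and the BAD set report three problems; replace the constructed values with the ones from your Pureport Console to check your own parameters before opening the pfSense GUI.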
Connecting to pfSense
Use the information from the VPN Site Connection you created in the Pureport Console.
Adding pfSense IPSec Phase1
- From the navbar, select VPN > IPSec.
- Click the Add P1 button.
- Enter the following information in each field on the page:
General Information
- Key Exchange version: Choose the IKE version you used to create your Pureport Site Connection. In this case it is IKEv2.
- Interface: WAN
- Remote Gateway: Copy the Pureport Gateway IP from the Primary Gateway in the Pureport Console.
Authentication
- Pre-Shared Key: Copy the Pre-shared Key from the Pureport Primary Gateway in the Pureport Console. Click the Show link to display the key; click the Copy icon to copy the key to your clipboard.
Encryption Algorithm
- Algorithm: Choose the Encryption Algorithm used in the Pureport Console.
- Key Length: This also comes from the Encryption method you chose in the Pureport Console. pfSense supports a maximum AES Key Length of 256 bits.
- Hash: Select the Integrity value you selected for your Site VPN Connection.
- DH Group: Select the same value you used for your Site VPN Connection.
- Select Save at the bottom of the page, then click Apply Changes at the top of the pfSense VPN Console.
Adding pfSense IPSec Phase2
- Select the Show Phase 2 Entries button under the IPsec tunnel you just created, then select Add P2.
- Refer back to the Primary Gateway for the Site VPN Connection in the Pureport Console; you will use its VTI and algorithm fields when creating the Phase 2 tunnel.
- Enter the following information in each field on the page:
General Information
- Mode: Routed (VTI)
- Local Network: The Customer VTI IP.
- Remote Network: The Pureport VTI IP.
SA/Key Exchange
- Encryption / Hash Algorithm: Use the same Encryption and Integrity (Hash) values you used in Phase 1.
- Select Save at the bottom of the page, then click Apply Changes at the top of the pfSense VPN Console.
Initiate IPSec Connection
Navigate to Status > IPSec, then click Connect next to the connection.
The status should be ESTABLISHED. If it is not, review the IPsec logs (Status > System Logs > IPsec) to find out which step failed: a proposal mismatch points at the Encryption, Hash, or DH Group values, and an authentication failure points at the pre-shared key for that gateway.
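pfSense logs the strongSwan charon messages for each negotiation, and a handful of them tell you which of the settings above to re-check. The script below is an added example for this article (not pfSense or Pureport code): it scans log lines for those messages and maps each one to the field to revisit. The sample lines are constructed in the shape of charon output, with documentation addresses; the connection name con1000 and PIDs are placeholders.

```python
"""Classify pfSense IPsec log lines (Status > System Logs > IPsec) when a tunnel is not ESTABLISHED.

Added example for this article, not pfSense or Pureport code. The patterns are strongSwan charon
messages; the sample lines below are constructed, using documentation addresses and placeholder
connection names.
"""
import re

# Pattern, a short key, and which setting from the article to re-check when it appears.
SIGNALS = [
    (re.compile(r"IKE_SA \S+\[\d+\] established"),
     "phase1_established", "Phase 1 is up"),
    (re.compile(r"CHILD_SA \S+\{\d+\} established"),
     "phase2_established", "Phase 2 is up; the VTI carries traffic once static routes exist"),
    (re.compile(r"NO_PROPOSAL_CHOSEN"),
     "proposal_mismatch", "Encryption, Hash or DH Group does not match the Pureport Console values"),
    (re.compile(r"AUTHENTICATION_FAILED|MAC mismatched"),
     "auth_failed", "Pre-shared key differs from the one shown for that Pureport gateway"),
    (re.compile(r"giving up after \d+ retransmits"),
     "peer_unreachable", "No reply from the Remote Gateway IP; verify the gateway address and WAN reachability"),
]


def diagnose(lines):
    """Return {'phase1_established': bool, 'phase2_established': bool, 'findings': [(key, advice), ...]}.

    Each non-success signal is reported once, in the order it was first seen.
    """
    result = {"phase1_established": False, "phase2_established": False, "findings": []}
    seen = set()
    for line in lines:
        for pattern, key, advice in SIGNALS:
            if not pattern.search(line):
                continue
            if key in ("phase1_established", "phase2_established"):
                result[key] = True
            elif key not in seen:
                seen.add(key)
                result["findings"].append((key, advice))
    return result


# Constructed sample log lines (documentation addresses, placeholder connection name and PID).
SAMPLE_OK = [
    "Jan 10 12:00:01 pfSense charon[4242]: 05[IKE] <con1000|3> IKE_SA con1000[3] established "
    "between 198.51.100.20[198.51.100.20]...203.0.113.10[203.0.113.10]",
    "Jan 10 12:00:01 pfSense charon[4242]: 05[IKE] <con1000|3> CHILD_SA con1000{1} established "
    "with SPIs c1b2a3d4_i e5f6a7b8_o and TS 169.254.100.1/32 === 169.254.100.2/32",
]
SAMPLE_PSK = [
    "Jan 10 12:05:10 pfSense charon[4242]: 07[IKE] <con1000|4> initiating IKE_SA con1000[4] to 203.0.113.10",
    "Jan 10 12:05:10 pfSense charon[4242]: 07[IKE] <con1000|4> received AUTHENTICATION_FAILED notify error",
]
SAMPLE_PROPOSAL = [
    "Jan 10 12:07:30 pfSense charon[4242]: 09[IKE] <con1000|5> initiating IKE_SA con1000[5] to 203.0.113.10",
    "Jan 10 12:07:30 pfSense charon[4242]: 09[IKE] <con1000|5> received NO_PROPOSAL_CHOSEN notify error",
]

if __name__ == "__main__":
    for name, lines in (("OK", SAMPLE_OK), ("PSK", SAMPLE_PSK), ("PROPOSAL", SAMPLE_PROPOSAL)):
        print(name, diagnose(lines))
```

To use it against a real system, paste the relevant lines from Status > System Logs > IPsec into a list in place of the constructed samples; the findings tell you whether to revisit the Phase 1/Phase 2 algorithm fields or re-copy the pre-shared key.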
Add/Enable VTI Interface
After configuring IPSec Phase2 to use VTI, you must add and enable the VTI interface.
- Select Interfaces > Assignments from the top navbar, then click Add next to the VTI IPsec network port. This adds an interface called OPT1.
- Click Save.
- Select the new interface, mark it Enabled, leave all other settings at their defaults, and select Save.
- Select Apply Changes.
Add pfSense Static Route
- From the pfSense navbar, select System > Routing > Static Routes.
- Click Add to add a static route to each of your remote networks via the VTI interface.
- Enter the following information in each field on the page:
- Destination Network: The remote network you wish to route to.
- Gateway: Select the gateway entry for the VTI interface you enabled earlier.
- Click Save.
Repeat for each destination network.
After adding all routes, click Apply Changes.