There's more...

In this recipe, we left out any explanation of a number of options available for configuring IPsec connections in pfSense. Here are some of the more useful options:

  • Phase 1 configuration:
    • Key Exchange: We can choose between IKEv1 (V1), IKEv2 (V2), or Auto. If Auto is chosen, IPsec will use IKEv2 when initiating a connection, but will use either IKEv1 or IKEv2 when accepting a connection.
    • Internet Protocol: pfSense currently supports both IPv4 and IPv6 for IPsec.
    • Interface: Usually, the endpoint of our tunnel is the WAN interface, but we can set this parameter to any interface we choose.
    • Remote Gateway: This is the IP address of the remote firewall, and is usually the same as the WAN IP address of that firewall.
    • Authentication Method: We can choose between Mutual PSK (authentication using a pre-shared key) and Mutual RSA (authentication using certificates). If you choose Mutual PSK, you will have to enter a pre-shared key during phase 1 configuration. If you choose Mutual RSA, you will have to enter a certificate and a Certificate Authority (CA).
    • Negotiation Mode: If you selected Auto for Key Exchange, you will be able to choose what level of authentication security is used when the VPN tunnel is down and has to be rebuilt. Main forces the peer to re-authenticate, while Aggressive will rebuild the tunnel quickly, without forcing re-authentication.
    • My identifier/Peer identifier: These parameters determine how each side identifies itself to the other side of the connection. Usually you can leave both set to IP address, but there are several other options, such as Distinguished name (which you will then have to enter in an adjacent text field).
    • Encryption Algorithm: Here you can select the encryption method. If you require strong encryption, you should probably use AES or Blowfish.
    • DH Group: DH stands for Diffie-Hellman; this parameter allows you to choose the Diffie-Hellman group that is used to generate session keys.
    • Disable Rekey: If this option is enabled, IPsec will not renegotiate a connection that is about to expire.
    • Responder Only: If this option is enabled, IPsec will only be able to accept connections, not initiate them.
    • Dead Peer Detection (DPD): If this option is enabled, IPsec will try to detect if the other end of the connection is having problems, and try to rebuild the tunnel if necessary.
  • Phase 2 configuration:
    • Mode: You can choose between Tunnel mode and Transport mode. Tunnel mode will encrypt the entire IP packet and add a new IP header, while Transport mode will encrypt the payload but not the IP header. If you choose Tunnel mode you have a choice between IPv4 and IPv6; this setting should match whatever you set for internet protocol in the phase 1 configuration.
    • Local Network: This setting allows you to choose what local network is accessible from the other end of the tunnel (you usually want this set to LAN subnet).
    • NAT/BINAT translation: If NAT/BINAT translation is required on the network specified in Local Network, you can specify the translation here.
    • Protocol: This is the protocol for key exchange. The de facto standard is Encapsulating Security Payload (ESP), which provides for both encryption and authentication of IPsec data, but you can also select Authentication Header (AH), which provides for authentication only. If you select ESP, you must also select one or more encryption algorithms.
    • Encryption Algorithm: The algorithm for tunnel encryption; the default is AES. You can choose more than one algorithm.
    • Hash Algorithms: Algorithms used when calculating hashes. You may choose more than one algorithm.
    • PFS Key Group: If this option is selected, IPsec will perform a PFS (Perfect Forward Secrecy) key exchange when establishing a tunnel.
    • Automatically ping host: Here, you can specify an IP address at the remote end of the connection that IPsec will ping. If IPsec gets responses to the pings, it will keep the tunnel up; otherwise, it will disconnect.
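As an added example (it is neither from this book nor part of pfSense), the checker below takes the phase 1 and phase 2 options described above, written out as plain Python dictionaries, and reports combinations that weaken a tunnel. The dictionary key names are assumptions chosen to mirror the GUI labels, the sample tunnels are constructed, and the thresholds (IKEv2 over IKEv1, no aggressive mode with a pre-shared key, DH group 14 or higher, no 64-bit-block ciphers, no MD5/SHA1, rekeying and DPD left on, PFS enabled, ESP rather than AH) follow current IPsec hardening guidance rather than anything the recipe itself states.

```python
"""Audit a pfSense-style IPsec phase 1 / phase 2 configuration for weak settings.

Hypothetical checker written for this page (not pfSense code; it does not parse
config.xml). The dict keys are assumptions that mirror the GUI labels in the
recipe; the thresholds follow current IPsec hardening guidance.
"""

# 64-bit block ciphers and legacy algorithms that should not protect new tunnels.
WEAK_CIPHERS = {"des", "3des", "blowfish", "cast128"}
# Collision-weak or deprecated integrity algorithms.
WEAK_HASHES = {"md5", "sha1"}
# MODP groups below 2048 bits, plus the 1024-bit-subgroup groups RFC 8247 deprecates.
WEAK_DH_GROUPS = {1, 2, 5, 22, 23, 24}
MIN_DH_GROUP = 14        # 2048-bit MODP is the usual floor today
MIN_PSK_LENGTH = 20      # assumed policy minimum for a pre-shared key


def _weak_dh(group):
    """True when a Diffie-Hellman group number is below the accepted floor."""
    return group is not None and (group in WEAK_DH_GROUPS or group < MIN_DH_GROUP)


def audit_phase1(p1):
    """Return a list of findings for the phase 1 (IKE) settings."""
    findings = []
    auth = p1.get("auth_method", "mutual_psk").lower()
    if p1.get("key_exchange", "auto").lower() == "v1":
        findings.append("phase1: IKEv1 selected; prefer IKEv2 (or Auto) for new tunnels")
    if p1.get("negotiation_mode", "main").lower() == "aggressive" and auth == "mutual_psk":
        findings.append("phase1: aggressive mode with a PSK exposes the key to offline guessing")
    if auth == "mutual_psk" and len(p1.get("psk", "")) < MIN_PSK_LENGTH:
        findings.append(f"phase1: pre-shared key shorter than {MIN_PSK_LENGTH} characters")
    if p1.get("encryption", "").lower() in WEAK_CIPHERS:
        findings.append(f"phase1: weak encryption algorithm {p1['encryption']}")
    if p1.get("hash", "").lower() in WEAK_HASHES:
        findings.append(f"phase1: weak hash algorithm {p1['hash']}")
    if _weak_dh(p1.get("dh_group")):
        findings.append(f"phase1: DH group {p1['dh_group']} is too small; use {MIN_DH_GROUP} or higher")
    if p1.get("disable_rekey", False):
        findings.append("phase1: rekeying disabled; the same keys stay in use for the life of the tunnel")
    if not p1.get("dpd", True):
        findings.append("phase1: Dead Peer Detection disabled; a failed peer will not be noticed or rebuilt")
    return findings


def audit_phase2(p2):
    """Return a list of findings for the phase 2 (ESP/AH) settings."""
    findings = []
    if p2.get("protocol", "esp").lower() == "ah":
        findings.append("phase2: AH provides integrity only; payload crosses the tunnel unencrypted")
    for alg in p2.get("encryption", []):
        if alg.lower() in WEAK_CIPHERS:
            findings.append(f"phase2: weak encryption algorithm {alg} offered")
    for alg in p2.get("hash", []):
        if alg.lower() in WEAK_HASHES:
            findings.append(f"phase2: weak hash algorithm {alg} offered")
    pfs = p2.get("pfs_group")
    if pfs is None:
        findings.append("phase2: PFS disabled; a recovered IKE key would expose every past session")
    elif _weak_dh(pfs):
        findings.append(f"phase2: PFS group {pfs} is too small")
    return findings


def audit_ipsec(cfg):
    """Audit a whole tunnel definition of the form {'phase1': {...}, 'phase2': {...}}."""
    return audit_phase1(cfg.get("phase1", {})) + audit_phase2(cfg.get("phase2", {}))


# Constructed sample tunnels (illustrative values, not real configurations).
WEAK_TUNNEL = {
    "phase1": {"key_exchange": "v1", "negotiation_mode": "aggressive",
               "auth_method": "mutual_psk", "psk": "secret", "encryption": "3des",
               "hash": "md5", "dh_group": 2, "disable_rekey": True, "dpd": False},
    "phase2": {"mode": "tunnel", "protocol": "esp", "encryption": ["3des", "aes"],
               "hash": ["md5"], "pfs_group": None},
}
HARDENED_TUNNEL = {
    "phase1": {"key_exchange": "v2", "auth_method": "mutual_rsa",
               "encryption": "aes256gcm", "hash": "sha256", "dh_group": 14,
               "disable_rekey": False, "dpd": True},
    "phase2": {"mode": "tunnel", "protocol": "esp", "encryption": ["aes256gcm"],
               "hash": ["sha256"], "pfs_group": 14},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_TUNNEL), ("hardened", HARDENED_TUNNEL)):
        result = audit_ipsec(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Running it reports eleven findings for the weak tunnel and none for the hardened one; the same functions can be pointed at any tunnel you transcribe from the GUI, and the threshold constants at the top are the place to encode your own policy.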