Justinaquino: Imported from Netgate pfSense training PDF via bot

2026-04-23T07:07:11Z

Imported from Netgate pfSense training PDF via bot

New page

__NOTOC__

<div style="background-color: #e7f3fe; border-left: 6px solid #2196F3; padding: 10px; margin-bottom: 15px;">
<strong>Netgate pfSense Plus Fundamentals — Section 5: VPNs and IPsec</strong><br/>
This page covers VPN concepts, IPsec remote access, site-to-site configurations, and IKE phase negotiations.
</div>

= VPNs and IPsec =

== VPNs — Remote Access ==

Remote access VPNs provide connectivity for mobile or remote users, enabling secure tunneling over untrusted networks.

'''Use cases:'''
* Tunneling for access or performance reasons
* Additional wireless protection

'''Available options:'''
{| class="wikitable"
! Option !! Best For
|-
| IPsec || Built-in clients (OS X, iOS, Android)
|-
| OpenVPN || Ease of client configuration
|-
| WireGuard || Good performance for simple setup
|}

The best option is largely a matter of '''personal preference''' and the specific client ecosystem in use.

== VPNs — Site to Site ==

Site-to-site VPNs provide a permanent connection between networks, commonly used for:
* Multiple company offices or data centers
* Service providers
* Partners

'''Available options:'''
{| class="wikitable"
! Option !! Best For
|-
| IPsec || Widely interoperable
|-
| OpenVPN || Client behind NAT
|-
| WireGuard || Client behind NAT, modern crypto
|}

Again, the best option depends on personal preference and a weighing of strengths and weaknesses. If a client is behind NAT, OpenVPN or WireGuard may be preferable. For wide interoperability, IPsec is the standard.

= About IPsec =

IPsec is a widely interoperable VPN protocol that typically offers higher performance than most alternatives.

'''Key characteristics:'''
* Peer-to-peer relationship
* Typically '''policy-based''' (but can be '''VTI / route-based''')
* '''Phase 1''' protects IKE messages between peers
* '''Phase 2''' protects IP traffic between endpoints
* Establishes a '''Security Association (SA)''' between networks
* The SA determines which traffic traverses the tunnel

== IPsec Phase 1 ==

Phase 1 protects IKE messages between peers.

'''Key points:'''
* Peers are typically a single IP address
* Encryption and authentication protocols are required
* Common example: '''AES-256 / SHA256'''
* Provides a secure path for Phase 2 negotiation

{| class="wikitable"
! Parameter !! Typical Value
|-
| Encryption || AES-256
|-
| Authentication || SHA256
|-
| DH Group || 14 (2048-bit) or higher
|}

== IPsec Phase 2 ==

Phase 2 protects IP traffic between endpoints.

'''Key points:'''
* Security Association is formed between networks
* Encryption is optional for Phase 2 traffic — but strongly recommended
* Authentication method is still required

= IPsec — How It Looks =

Conceptually, IPsec creates an encrypted tunnel between two peer gateways:

<pre>
[Network A] --- [Gateway A] ====== encrypted tunnel ====== [Gateway B] --- [Network B]
↑ ↑
Phase 1 (IKE) Phase 1 (IKE)
Phase 2 (ESP/AH) Phase 2 (ESP/AH)
</pre>

= Section 5 Summary =

{| class="wikitable"
! Point !! Detail
|-
| Style || Peer-to-peer VPN
|-
| Routing || Can be policy-based or route-based (VTI)
|-
| Routing table || Not considered if policy-based
|-
| Agreement || As long as both sides agree, the tunnel will come up
|-
| Firewall || Still need a firewall rule to allow tunnel traffic
|-
| Performance || Consider taking advantage of AES-NI for performance
|}

= Next Module =

* [[Training_Lab_5:_IPsec_VPN|Lab 5: IPsec VPN Hands-On]]

= Source Attribution =

* '''Document:''' FUND001-LIVE-SLIDE-SEG5-IPSEC.pdf
* '''Course:''' pfSense Plus Fundamentals and Practical Application
* '''Copyright:''' © 2017 Rubicon Communications, LLC dba Netgate
* '''Extracted:''' 2026-04-23 via pdftotext

Training: IPsec VPN - Revision history

Justinaquino: Imported from Netgate pfSense training PDF via bot