
Training: IPsec VPN

From MediawikiCIT
Revision as of 07:07, 23 April 2026 by Justinaquino (Imported from Netgate pfSense training PDF via bot)


Netgate pfSense Plus Fundamentals — Section 5: VPNs and IPsec
This page covers VPN concepts, IPsec remote access, site-to-site configurations, and IKE phase negotiations.

VPNs and IPsec

VPNs — Remote Access

Remote access VPNs provide connectivity for mobile or remote users, enabling secure tunneling over untrusted networks.

Use cases:

  • Tunneling for access or performance reasons
  • Additional wireless protection

Available options:

Option      Best For
IPsec       Built-in clients (OS X, iOS, Android)
OpenVPN     Ease of client configuration
WireGuard   Good performance for simple setup

The best option is largely a matter of personal preference and the specific client ecosystem in use.

VPNs — Site to Site

Site-to-site VPNs provide a permanent connection between networks, commonly used for:

  • Multiple company offices or data centers
  • Service providers
  • Partners

Available options:

Option      Best For
IPsec       Widely interoperable
OpenVPN     Client behind NAT
WireGuard   Client behind NAT, modern crypto

Again, the best option depends on personal preference and a weighing of strengths and weaknesses. If a client is behind NAT, OpenVPN or WireGuard may be preferable. For wide interoperability, IPsec is the standard.

About IPsec

IPsec is a widely interoperable VPN protocol that typically offers higher performance than most alternatives.

Key characteristics:

  • Peer-to-peer relationship
  • Typically policy-based (but can be VTI / route-based)
  • Phase 1 protects IKE messages between peers
  • Phase 2 protects IP traffic between endpoints
  • Establishes a Security Association (SA) between networks
  • The SA determines which traffic traverses the tunnel

IPsec Phase 1

Phase 1 protects IKE messages between peers.

Key points:

  • Each peer is typically identified by a single IP address
  • An encryption algorithm, a hash (integrity) algorithm and a DH group must be configured, and both peers must agree on them
  • Common example: AES-256 / SHA256
  • Provides a secure path for the Phase 2 negotiation

Parameter          Typical Value
Encryption         AES-256
Hash (integrity)   SHA256
DH Group           14 (2048-bit) or higher

IPsec Phase 2

Phase 2 protects IP traffic between endpoints.

Key points:

  • The Security Association is formed between networks: its local and remote subnets are the selectors that decide which traffic enters the tunnel
  • Encryption is optional for Phase 2 traffic (AH authenticates only, ESP encrypts and authenticates) but strongly recommended
  • A hash (integrity) algorithm is still required either way
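The two decisions the Phase 1 and Phase 2 sections describe, as an added example that is not code from the Netgate course or from pfSense: Phase 1 only comes up when the peers share a proposal, and in a policy-based tunnel the Phase 2 SA selectors decide what is tunnelled, not the routing table. The peer names, addresses and proposal lists are constructed for the demo, and the refusal of DH groups below 2048 bits is a policy choice of this example based on the "group 14 or higher" guidance above.

```python
"""Simulated IKE Phase 1 proposal agreement and Phase 2 traffic selection.

Added example, not code from the Netgate course or from pfSense.  It models
two decisions from the text: Phase 1 only comes up when the peers share an
acceptable proposal, and in a policy-based tunnel the Phase 2 SA selectors,
not the routing table, decide which packets are tunnelled.  All peer names,
addresses and proposal lists below are constructed for the demo.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Sequence

# DH groups below 2048 bits; the text recommends group 14 (2048-bit) or higher.
# Refusing them is a policy choice of this example (assumption, not pfSense code).
WEAK_DH_GROUPS = frozenset({1, 2, 5})


@dataclass(frozen=True)
class Proposal:
    """One Phase 1 proposal: encryption, hash (integrity) algorithm, DH group."""
    encryption: str   # e.g. "aes256"
    hash_alg: str     # e.g. "sha256"
    dh_group: int     # e.g. 14


def negotiate_phase1(initiator: Sequence[Proposal],
                     responder: Sequence[Proposal]) -> Optional[Proposal]:
    """Return the first initiator proposal the responder accepts, or None.

    The initiator lists proposals in preference order and the responder
    picks the first one it also supports.  The responder here refuses weak
    DH groups even when both sides list them, so a shared weak proposal
    never silently wins.
    """
    acceptable = {p for p in responder if p.dh_group not in WEAK_DH_GROUPS}
    for candidate in initiator:
        if candidate in acceptable:
            return candidate
    return None


@dataclass(frozen=True)
class ChildSA:
    """Phase 2 SA: the local and remote networks are its traffic selectors."""
    local_net: IPv4Network
    remote_net: IPv4Network


def select_sa(sas: Sequence[ChildSA], src: IPv4Address,
              dst: IPv4Address) -> Optional[ChildSA]:
    """Return the Phase 2 SA whose selectors cover src -> dst, else None.

    A policy-based tunnel consults only the SA selectors: a packet covered
    by a selector is tunnelled whether or not a route for dst exists, and a
    packet no selector covers follows the normal routing table instead.
    """
    for sa in sas:
        if src in sa.local_net and dst in sa.remote_net:
            return sa
    return None


# Constructed sample configuration for two sites (hypothetical values).
SITE_A_PHASE1 = [
    Proposal("aes256", "sha256", 2),    # legacy first choice, weak DH group
    Proposal("aes256", "sha256", 14),
]
SITE_B_PHASE1 = [
    Proposal("aes256", "sha256", 2),
    Proposal("aes256", "sha256", 14),
    Proposal("aes128", "sha256", 14),
]
LEGACY_PEER_PHASE1 = [Proposal("3des", "sha1", 2)]

SITE_A_CHILD_SAS = [
    ChildSA(IPv4Network("10.0.1.0/24"), IPv4Network("10.0.2.0/24")),
]


def demo():
    """Run both decisions on the sample data and return the four results."""
    agreed = negotiate_phase1(SITE_A_PHASE1, SITE_B_PHASE1)
    failed = negotiate_phase1(SITE_A_PHASE1, LEGACY_PEER_PHASE1)
    tunnelled = select_sa(SITE_A_CHILD_SAS,
                          IPv4Address("10.0.1.5"), IPv4Address("10.0.2.7"))
    cleartext = select_sa(SITE_A_CHILD_SAS,
                          IPv4Address("10.0.1.5"), IPv4Address("10.0.3.7"))
    return agreed, failed, tunnelled, cleartext


if __name__ == "__main__":
    agreed, failed, tunnelled, cleartext = demo()
    print("Phase 1 with site B:", agreed)
    print("Phase 1 with legacy peer:", failed)
    print("10.0.1.5 -> 10.0.2.7 via SA:", tunnelled)
    print("10.0.1.5 -> 10.0.3.7 via SA:", cleartext)
```

Site A and site B both list the weak group 2 proposal first, yet the negotiation lands on group 14 because the responder drops group 2 before matching; the legacy peer that offers only 3DES/SHA1/group 2 gets no Phase 1 at all, which is the "both sides must agree" failure mode seen as a tunnel that never comes up. Traffic from 10.0.1.5 to 10.0.3.7 gets no SA and would leave via the routing table in the clear, which is the usual cause of "the tunnel is up but this subnet is not reachable": the Phase 2 selectors do not cover it.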

IPsec — How It Looks

Conceptually, IPsec creates an encrypted tunnel between two peer gateways:

[Network A] --- [Gateway A] ====== encrypted tunnel ====== [Gateway B] --- [Network B]
                    ↑                                    ↑
              Phase 1 (IKE)                        Phase 1 (IKE)
              Phase 2 (ESP/AH)                     Phase 2 (ESP/AH)

Section 5 Summary

Point          Detail
Style          Peer-to-peer VPN
Routing        Can be policy-based or route-based (VTI)
Routing table  Not consulted for tunnel traffic when policy-based; the SA selectors decide
Agreement      As long as both sides agree on the Phase 1 and Phase 2 settings, the tunnel will come up
Firewall       A firewall rule is still needed to allow traffic arriving through the tunnel
Performance    Use AES-NI where the hardware supports it


Source Attribution

  • Document: FUND001-LIVE-SLIDE-SEG5-IPSEC.pdf
  • Course: pfSense Plus Fundamentals and Practical Application
  • Copyright: © 2017 Rubicon Communications, LLC dba Netgate
  • Extracted: 2026-04-23 via pdftotext