EdgeRouter - Site-to-Site IPsec VPN to pfSense

2022-12-22 04:42:15 UTC


Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN between an EdgeRouter and a pfSense router.

Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information.

Table of Contents

  1. Frequently Asked Questions (FAQ)
  2. Setting up a Policy-Based VPN
  3. Related Articles

Frequently Asked Questions (FAQ)


1. What site-to-site IPsec VPN types can be configured on EdgeOS?

The following IPsec VPN types can be configured on EdgeOS:

  • Policy-Based
  • Route-Based (VTI)
  • GRE over IPsec

2. What are the available encryption and hashing options (Security Associations / SAs) for Phase 1 (IKE) and Phase 2 (ESP)?

Encryption:

  • AES128
  • AES256
  • AES128GCM128
  • AES256GCM128
  • 3DES

Hashing:

  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512

Setting up a Policy-Based VPN



The and networks will be allowed to communicate with each other over the VPN.

GUI: Access the EdgeRouter Web UI.

1. Define the IPsec peer and hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Check: Automatically open firewall and exclude from NAT

Description: ipsec
Local IP:
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet:
Remote subnet:

2. Apply the changes.

GUI: Access the pfSense Router Web UI.

1. Add the firewall rules for IPsec.

Firewall > Rules > WAN > Add

Action: Pass
Interface: WAN
Address Family: IPv4
Protocol: UDP
Source: any
Destination: any
Destination Port Range: From ISAKMP (500) to ISAKMP (500)
Description: ike

Action: Pass
Interface: WAN
Address Family: IPv4
Protocol: ESP
Source: any
Destination: any
Description: esp

Action: Pass
Interface: WAN
Address Family: IPv4
Protocol: UDP
Source: any
Destination: any
Destination Port Range: From IPsec NAT-T (4500) to IPsec NAT-T (4500)
Description: nat-t

Firewall > Rules > IPsec > Add

Action: Pass
Interface: IPsec
Address Family: IPv4
Protocol: Any
Source: Network
Destination: Network

2. Define and save the IKE settings.

VPN > IPsec > Tunnels > + Add P1

Key Exchange Version: IKEv1
Internet Protocol: IPv4
Interface: WAN
Remote Gateway:
Description: ipsec

Authentication Method: Mutual PSK
Negotiation Mode: Main
My Identifier: My IP address
Peer Identifier: Peer IP address
Pre-Shared Key: <secret>

Encryption Algorithm: AES 128 bits
Hash Algorithm: SHA1
DH Group: 14 (2048 bit)
Lifetime (Seconds): 28800

Dead Peer Detection: Uncheck / disabled
NAT Traversal: Auto

3. Define and save the ESP settings.

VPN > IPsec > Tunnels > Show Phase 2 Entries > +Add P2

Mode: Tunnel IPv4
Local Network: Network
NAT/BINAT Translation: None
Remote Network: Network

Protocol: ESP
Encryption Algorithms: AES 128 bits
Hash Algorithms: SHA1
PFS Key Group: 14
Lifetime (Seconds): 3600
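The tunnel only comes up when both routers offer the same Phase 1 and Phase 2 proposals, and the two Web UIs spell the same algorithm differently ("AES-128" vs "AES 128 bits", "14" vs "14 (2048 bit)"). The following Python check is an added example, not part of this article or of either vendor's software: it normalizes the labels shown in the steps above and lists every field that differs. The EdgeRouter lifetimes are an assumption (the EdgeOS defaults of 28800/3600 seconds, which the pfSense values in this article match).

```python
import re

# Constructed from the values shown in this article's EdgeRouter and pfSense steps.
# Assumption: the EdgeRouter Web UI does not display lifetimes; 28800 (IKE) and
# 3600 (ESP) are the EdgeOS defaults, which the article's pfSense settings match.
EDGEROUTER = {
    "phase1": {"encryption": "AES-128", "hash": "SHA1", "group": "14", "lifetime": "28800"},
    "phase2": {"encryption": "AES-128", "hash": "SHA1", "group": "14", "lifetime": "3600"},
}
PFSENSE = {
    "phase1": {"encryption": "AES 128 bits", "hash": "SHA1", "group": "14 (2048 bit)", "lifetime": "28800"},
    "phase2": {"encryption": "AES 128 bits", "hash": "SHA1", "group": "14", "lifetime": "3600"},
}


def normalize(field, value):
    """Map a vendor-specific label onto one canonical token, e.g. 'AES 128 bits' -> 'aes128'."""
    v = value.strip().lower()
    if field == "encryption":
        # aes / 3des, optional key length, optional 'bits', optional GCM suffix
        m = re.match(r"(aes|3des)[\s-]*(\d+)?(?:\s*bits?)?[\s-]*(gcm\d*)?", v)
        return m.group(1) + (m.group(2) or "") + (m.group(3) or "") if m else "unknown:" + v
    if field == "hash":
        # md5, sha1, sha256, and EdgeOS-style 'sha2-256' all collapse to md5/shaNNN
        m = re.match(r"(md5|sha)[\s-]*(?:2-)?(\d+)?", v)
        return m.group(1) + (m.group(2) or "") if m else "unknown:" + v
    # DH/PFS group and lifetime: the leading integer is the only significant part
    m = re.match(r"\d+", v)
    return m.group(0) if m else "unknown:" + v


def compare(side_a, side_b):
    """Return (phase, field, a, b) for every setting whose normalized value differs."""
    mismatches = []
    for phase in ("phase1", "phase2"):
        for field, raw in side_a[phase].items():
            a = normalize(field, raw)
            b = normalize(field, side_b[phase].get(field, ""))
            if a != b:
                mismatches.append((phase, field, a, b))
    return mismatches


if __name__ == "__main__":
    problems = compare(EDGEROUTER, PFSENSE)
    print("proposals match" if not problems else "mismatches: %r" % problems)
```

A non-empty result points at the exact phase and field to fix before looking at IKE logs on either side.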

Related Articles


EdgeRouter - Policy-Based Site-to-Site IPsec VPN

Intro to Networking - How to Establish a Connection Using SSH
