Routing Internet Traffic Through a Site-to-Site IPsec Tunnel

It is possible to use IPsec on a pfSense® router to send Internet traffic from Site A such that it would appear to be coming from Site B. This may be needed if a vendor requires that connections originate from a specific address at Site B.


In this article we have two sites:

  1. Site A is a branch office, LAN subnet

  2. Site B is the main office through which all Internet traffic is routed,

Set up the IPsec tunnel Phase 1

Site A Configuration

In the VPN menu select IPsec. It opens on the Tunnels tab. Click the + button to create a new Phase 1 setup. (Make sure Enable IPsec is checked and saved.)


Enter these values:

  Internet Protocol:
  Interface:
    Unless using a separate OPT interface.
  Remote Gateway: Site B’s public IP address or FQDN
  Description: Site B
    The site’s locality or another suitable description.
  Authentication method: Mutual PSK
  Negotiation mode:
  My identifier: My IP address
  Peer identifier: Peer IP address
  Pre-Shared Key: A long key.
    This can be generated using external utilities, but be careful to copy it without extra spaces.
  Policy Generation:
  Proposal Checking:
  Encryption algorithm: AES 256 bits
    Read this comparison of encryption algorithms.
  Hash algorithm:
    Read this comparison of hash algorithms.
  DH key group: 2 (1024 bit)
    Read this explanation of Perfect Forward Secrecy.
  NAT Traversal:
    Turn this off unless it is definitely needed.
  Dead Peer Detection: Enable, 10 seconds, 5 retries
    Leave this on unless the other side does not properly support DPD.


Note that the Phase 1 entry is now shown on the IPsec page. Click Save and, on the next screen, click Apply Changes.
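The article leaves generating the pre-shared key to external utilities and warns about stray spaces when copying it. The following Python snippet is an added example, not part of the original article and not pfSense code: it generates a key with the standard library’s secrets module and checks a pasted copy for the whitespace and length problems that make the two routers silently disagree on the key. The 48-character default, the alphanumeric alphabet and the 32-character minimum are choices made here, not values from the article.

```python
import secrets
import string

# Added example, not from the original article. Alphanumeric only, so the key
# needs no quoting and cannot pick up line breaks or tabs when pasted into the GUI.
ALPHABET = string.ascii_letters + string.digits


def generate_psk(length=48):
    """Return a random PSK of `length` characters from the secrets module.

    48 characters out of 62 carry roughly 285 bits of entropy (log2(62) ~ 5.95 per
    character); the length is an assumption chosen for this example.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def check_psk(psk, min_length=32):
    """Return a list of problems with a PSK as it would be pasted into the router.

    An empty list means the key is acceptable. The whitespace checks cover the
    copy/paste mistake the article warns about; the minimum length is an assumption.
    """
    problems = []
    if psk != psk.strip():
        problems.append("leading or trailing whitespace (copy/paste artefact)")
    if any(c.isspace() for c in psk.strip()):
        problems.append("embedded whitespace or line break")
    if len(psk.strip()) < min_length:
        problems.append(f"shorter than {min_length} characters")
    return problems


def psk_matches(site_a_psk, site_b_psk):
    """Both ends must hold byte-for-byte the same key.

    The comparison is deliberately exact: a trailing newline copied onto one router
    is reported as a mismatch here, just as the two IKE peers would fail to agree.
    """
    return secrets.compare_digest(site_a_psk, site_b_psk)


if __name__ == "__main__":
    key = generate_psk()
    print("generated:", key, "problems:", check_psk(key))
    pasted = key + "\n"  # what a careless copy from a terminal often looks like
    print("pasted copy problems:", check_psk(pasted))
    print("ends agree:", psk_matches(key, pasted))
```

Run check_psk on the key as it actually sits in the clipboard before saving it on either router; the same key must then pass psk_matches against the copy entered on the other side.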


Site B Configuration

Do the same as in Site A but in the Remote Gateway field enter Site A’s public IP address or FQDN and in the Description field enter ‘Site A’.

Set up the IPsec tunnel Phase 2

Site A Configuration

Click the + button under the Phase 1 entry. It will show an overview of all available Phase 2 entries. Since we haven’t made any yet, none are shown.

Click the + button to create a new Phase 2.


Enter these values:

  Mode: Tunnel IPv4
  Local Network: Type: LAN subnet. NAT/BINAT type: None.
  Remote Network:
    This tells pfSense to route everything over this interface.
  Description: Site B
  Encryption algorithm: AES 256 bits
  Hash algorithm:
  PFS key group: 2 (1024 bit)
  Automatically ping host: Enter a hostname or IP address to keep the tunnel alive.
    In my experience this is not necessary.


Click Save and on the next page click Apply Changes.

Site B Configuration

  Local Network: Type: Network, Address:
  Remote Network: Type: Network, Address: Site A’s LAN subnet

Use the same Phase 2 proposal and Advanced options as in Site A.


Click Save and then Apply Changes.

Allow IPsec traffic through the firewall

The tunnel should now be operational; however, no traffic is allowed through it until a firewall rule is added to pass it. The rule must be added on the routers at both sites.

From the Firewall menu, choose Rules. Go to the IPsec tab and click the + button.


Set the Protocol to any and in the Description field type Allow everything through IPsec tunnel. Click Save and on the next page click Apply changes. Do this on both routers.


At this point the tunnel should be up and it should be possible to ping from one side to the other and back. Computers at Site A do not have an Internet connection yet, however, because NAT for the IPsec tunnel still has to be configured.

Configure outbound NAT

In the default setup, outbound NAT is configured automatically. We need to set it to Manual in order to add Site A’s subnet. This configuration step is not required on the router at Site A.

Site B Configuration

From the Firewall menu, choose NAT and click the Outbound tab. Note that Mode is set to Automatic outbound NAT rule generation. Select Manual Outbound NAT rule generation and click Save. On the next page, click Apply changes.

Click the + button to open the New Mapping page.


As the Source Type, select Network. In the Source Address field type Site A’s subnet:

In the Description field, type NAT for IPsec tunnel Site A.


Click Save and on the next page, click Apply changes. The new entry should now be shown in the outbound NAT overview.


At this point Site A will have a working Internet connection through the IPsec tunnel, out through Site B’s Internet provider. Any Internet traffic from Site A will look as if it were coming from Site B (see the diagram at the beginning of this article).
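To show why the outbound NAT rule at Site B is needed, here is an added Python model of the path a packet from Site A takes; it is illustration code written for this page, not pfSense’s own logic. It assumes a Phase 2 remote network of 0.0.0.0/0 at Site A (the “route everything” entry the article describes) mirrored at Site B, and uses made-up addresses: 192.168.10.0/24 for Site A’s LAN, 192.168.20.0/24 for Site B’s LAN and 198.51.100.1 for Site B’s public address. Firewall state and the reverse translation of replies are left out.

```python
import ipaddress

# Added example, not from the original article. All addresses are constructed
# for illustration (RFC 1918 / RFC 5737 ranges), not the article's real values.
SITE_A_LAN = ipaddress.ip_network("192.168.10.0/24")      # assumed Site A LAN subnet
SITE_B_LAN = ipaddress.ip_network("192.168.20.0/24")      # assumed Site B LAN subnet
SITE_B_WAN_ADDR = ipaddress.ip_address("198.51.100.1")    # assumed Site B public address
ANY = ipaddress.ip_network("0.0.0.0/0")                   # assumed "everything" remote network

# Phase 2 traffic selectors as (local, remote): Site A tunnels everything from its
# LAN; Site B holds the mirror image of that entry.
PHASE2_SITE_A = [(SITE_A_LAN, ANY)]
PHASE2_SITE_B = [(ANY, SITE_A_LAN)]


def enters_tunnel(src, dst, selectors):
    """True if a packet src -> dst matches one of the Phase 2 selectors at this end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in local and dst in remote for local, remote in selectors)


def egress_interface(dst):
    """Tiny routing table for Site B: own LAN is directly connected, Site A's LAN
    is reached through the tunnel, everything else leaves via WAN."""
    dst = ipaddress.ip_address(dst)
    if dst in SITE_B_LAN:
        return "LAN"
    if dst in SITE_A_LAN:
        return "IPsec"
    return "WAN"


def outbound_nat(src, dst, rules):
    """Apply Site B's outbound NAT. Rules are (interface, source network); the first
    rule matching the egress interface rewrites the source to the WAN address."""
    src_ip = ipaddress.ip_address(src)
    iface = egress_interface(dst)
    for rule_iface, source_net in rules:
        if rule_iface == iface and src_ip in source_net:
            return str(SITE_B_WAN_ADDR)
    return str(src_ip)  # untranslated: a private source address would leave the WAN as-is


# Automatic outbound NAT at Site B only knows about Site B's own networks...
AUTO_RULES = [("WAN", SITE_B_LAN)]
# ...the article's manual rule "NAT for IPsec tunnel Site A" adds Site A's subnet.
MANUAL_RULES = AUTO_RULES + [("WAN", SITE_A_LAN)]


def trace(src, dst, nat_rules):
    """Follow a packet sent by a Site A host: is it tunnelled, which Site B interface
    forwards it, and which source address it carries when it leaves Site B."""
    if not enters_tunnel(src, dst, PHASE2_SITE_A):
        return {"tunnelled": False, "egress": None, "source_seen": src}
    return {
        "tunnelled": True,
        "egress": egress_interface(dst),
        "source_seen": outbound_nat(src, dst, nat_rules),
    }


if __name__ == "__main__":
    for rules, label in ((AUTO_RULES, "automatic NAT"), (MANUAL_RULES, "manual NAT + Site A rule")):
        print(label, trace("192.168.10.5", "203.0.113.80", rules))
    print("to Site B LAN", trace("192.168.10.5", "192.168.20.7", MANUAL_RULES))
```

Running the block prints three traces. With only the automatic rules the packet leaves Site B’s WAN still carrying its 192.168.10.5 source, which the provider will drop or cannot route a reply back to; with the manual rule it leaves as 198.51.100.1, which is the behaviour the article is after. Traffic from Site A to Site B’s LAN is tunnelled as well but never reaches outbound NAT because it does not exit via WAN.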

By Vorkbaard, 2013-07-27 - gmail{a}vorkbaard[.]nl, with additional edits.