IPsec Site-to-Site VPN Example with Certificate Authentication

Using certificate-based authentication for identification of VPN tunnel peers is much stronger than using a simple Pre-Shared Key.

To utilize certificate authentication, first create a PKI structure. This can be performed in the GUI using the Certificate Manager feature. Refer to the Certificate Management section for specifics on creating certificate authorities and certificates.

First, designate one firewall to hold the CA/Certificate structure. For this document, it will be called Firewall A. The other firewall will be Firewall B.

On Firewall A:

  • Create a Certificate Authority (CA).

  • Create a Certificate for Firewall A. Set the Common Name to the hostname of Firewall A, add an Alternative Names entry with a Type of IP Address and the Value set to the IP address of the WAN interface on Firewall A.

  • Create a Certificate for Firewall B. Set the Common Name to the hostname of Firewall B, add an Alternative Names entry with a Type of IP Address and the Value set to the IP address of the WAN interface on Firewall B.

  • Export the CA Certificate and the Firewall B certificate and key.

On Firewall B:

  • Import the CA Certificate and the Firewall B certificate and key.

On both firewalls:

  • Configure the IPsec tunnel as described in IPsec Site-to-Site VPN Example with Pre-Shared Keys, with the following exceptions:

    • Set Authentication method to Mutual Certificate.

    • Select the certificate for this firewall for My Certificate.

    • Select the certificate authority created above for My Certificate Authority.

  • Click Save.

  • Click Apply Changes.
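The CA/certificate structure the steps above build in the Certificate Manager, reproduced with openssl as an added shell example (not pfSense code), followed by the checks worth running on the exported CA, certificate and key before importing them on Firewall B. The hostnames and WAN addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not pfSense code): build, with openssl, the same PKI the GUI steps
# produce (one CA, one certificate per firewall with its WAN IP as an IP SAN), then
# run the checks worth doing on exported files before importing them on Firewall B.
# Hostnames and addresses are constructed placeholders.
set -eu
WORK=$(mktemp -d)

# Issue one firewall certificate signed by the CA, carrying the WAN IP as a SAN.
issue_cert() {
    name=$1; ip=$2
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
        -subj "/CN=$name" -out "$WORK/$name.csr" 2>/dev/null
    printf 'subjectAltName=IP:%s\n' "$ip" > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/$name.ext" \
        -out "$WORK/$name.crt" 2>/dev/null
}

# Mirror the "On Firewall A" steps: the CA plus a certificate for each firewall.
build_pki() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -subj "/CN=Site VPN CA" -days 3650 -out "$WORK/ca.crt" 2>/dev/null
    issue_cert fw-a.example.net 203.0.113.1
    issue_cert fw-b.example.net 198.51.100.1
}

# Check 1: the certificate chains to the CA each peer selects as My Certificate Authority.
chains_to_ca() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; }

# Check 2: the SAN holds the expected WAN IP, the identifier the peer matches against.
has_ip_san() { openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q "IP Address:$2"; }

# Check 3: the exported private key really belongs to the exported certificate.
key_matches_cert() {
    [ "$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/$1.key" -pubout)" ]
}

build_pki
for fw in fw-a.example.net fw-b.example.net; do
    chains_to_ca "$fw" && key_matches_cert "$fw" && echo "$fw: chain and key OK"
done
```

A certificate that fails check 1 or 2 will not authenticate the tunnel even though it imports without error, so these are the first things to look at when a certificate-authenticated tunnel stays down.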