Netgate is offering COVID-19 aid for pfSense software users, learn more.
IPsec Site-to-Site VPN Example with Certificate Authentication¶
Using certificate-based authentication for identification of VPN tunnel peers is much stronger than using a simple Pre-Shared Key.
To utilize certificate authentication, first create a PKI structure. This can be performed in the GUI using the Certificate Manager feature. Refer to the Certificate Management section for specifics on creating certificate authorities and certificates.
First, designate one firewalls to hold the CA/Certificate structure. For this document, it will be called Firewall A. The other firewall will be Firewall B.
On Firewall A:
Create a Certificate Authority (CA).
Create a Certificate for Firewall A. Set the Common Name to the hostname of Firewall A, add an Alternative Names entry with a Type of IP Address and the Value set to the IP address of the WAN interface on Firewall A.
Create a Certificate for Firewall B. Set the Common Name to the hostname of Firewall B, add an Alternative Names entry with a Type of IP Address and the Value set to the IP address of the WAN interface on Firewall B.
Export the CA Certificate, and the Firewall B certificate and key
On Firewall B:
Import the CA Certificate and the Firewall B certificate and key
On both firewalls:
Configure the IPsec tunnel as described in IPsec Site-to-Site VPN Example with Pre-Shared Keys, with the following exceptions
Set Authentication method to Mutual Certificate
Select the certificate for this firewall for My Certificate
Select the certificate authority created above for My Certificate Authority
Click Apply Changes