IPsec Tunnel Design

Before configuring an IPsec tunnel, a few general decisions must be made about how the tunnel will operate.

IPsec Modes

pfSense software supports several primary modes of IPsec operation:

Policy-based IPsec

This mode uses policies to match specific combinations of traffic which are grabbed by the kernel and pushed through an IPsec tunnel. It also uses special “trap” policies to detect when traffic intends to use IPsec so that it can bring the tunnel up automatically. Only traffic specifically matching phase 2 child SA entries can use IPsec, and all traffic matching those entries will be taken over by IPsec.

This mode is the most common and is supported by nearly all third party IPsec implementations.

Route-based IPsec (VTI)

Routed IPsec uses a special Virtual Tunnel Interface (VTI) for each IPsec tunnel. The VTI interface is assigned and used like other interfaces. Phase 2 entries define addresses for the tunnel interface itself rather than policies which direct traffic to IPsec. Arbitrary traffic may cross VTI IPsec tunnels as traffic follows the system routing table. Static routes or dynamic routing daemons can control which traffic crosses a tunnel.

Support for routed IPsec varies by vendor.

By default traffic for VTI tunnels is filtered on the IPsec tab and cannot use per-interface rules, NAT, or reply-to. This can be changed in Advanced IPsec Settings using the IPsec Filter Mode option. Read the consequences of that option carefully before changing the behavior.
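The difference between the two modes above is easiest to see as two different decision procedures: in policy-based mode the kernel matches a packet's source and destination against the phase 2 child SA selectors (with a trap policy bringing the tunnel up on the first match), while in route-based mode the phase 2 entry only addresses the VTI and the routing table decides what crosses it. The following script is an added example, not pfSense code; the subnets, the interface names (`wan`, `lan`, `ipsec1`) and the sample packets are constructed values.

```python
"""
Model of how policy-based and route-based (VTI) IPsec decide whether a packet
enters a tunnel. Added illustration, not pfSense code; every address, subnet
and interface name below is a constructed sample value.
"""
from ipaddress import ip_address, ip_network

# Policy-based mode: each phase 2 child SA is a (local subnet, remote subnet)
# selector. Only traffic matching a selector is taken over by IPsec.
PHASE2_POLICIES = [
    (ip_network("192.168.1.0/24"), ip_network("10.0.0.0/24")),
    (ip_network("192.168.1.0/24"), ip_network("10.0.1.0/24")),
]

# Route-based mode: the phase 2 entry only gives the VTI its addresses; what
# crosses the tunnel is decided by the routing table (longest prefix match).
# "ipsec1" is a constructed name for the VTI interface.
ROUTING_TABLE = [
    (ip_network("0.0.0.0/0"), "wan"),
    (ip_network("192.168.1.0/24"), "lan"),
    (ip_network("10.0.0.0/16"), "ipsec1"),   # static route into the VTI
]


def policy_based_decision(src, dst):
    """Return ('ipsec', selector index) if (src, dst) matches a child SA
    selector, otherwise ('plain', None). Both ends must match."""
    src, dst = ip_address(src), ip_address(dst)
    for index, (local, remote) in enumerate(PHASE2_POLICIES):
        if src in local and dst in remote:
            return "ipsec", index
    return "plain", None


def trap_policy(src, dst, established):
    """Model the trap policy: a matching packet on a child SA that is not yet
    established triggers negotiation and records the SA as established.
    `established` is a set of selector indexes and is updated in place."""
    action, index = policy_based_decision(src, dst)
    if action != "ipsec":
        return "plain"
    if index in established:
        return "ipsec"
    established.add(index)
    return "negotiate"


def route_based_decision(dst, table=ROUTING_TABLE):
    """Return the egress interface chosen by longest-prefix match. The source
    address plays no part: arbitrary traffic follows the routing table."""
    dst = ip_address(dst)
    candidates = [(net.prefixlen, iface) for net, iface in table if dst in net]
    return max(candidates, key=lambda c: c[0])[1]


def compare(src, dst):
    """Show what each mode does with the same packet."""
    return {
        "policy_based": policy_based_decision(src, dst)[0],
        "route_based": route_based_decision(dst),
    }


if __name__ == "__main__":
    # Constructed sample packets (source, destination).
    samples = [
        ("192.168.1.10", "10.0.0.5"),   # covered by a child SA and by the VTI route
        ("192.168.1.10", "10.0.7.5"),   # no child SA, but the /16 route covers it
        ("172.16.0.5", "10.0.0.5"),     # wrong source for the policy; route does not care
        ("192.168.1.10", "8.8.8.8"),    # neither mode tunnels this
    ]
    for src, dst in samples:
        print(f"{src} -> {dst}: {compare(src, dst)}")
```

The second and third packets are the ones worth looking at: the VTI carries them because a static route sends the whole 10.0.0.0/16 into the tunnel, while policy-based mode leaves them in the clear because no child SA selector matches both ends. That is exactly why, with a policy-based peer, a forgotten phase 2 entry shows up as traffic that silently bypasses the tunnel rather than as an error.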

Mobile IPsec

Similar to policy-based mode, but for remote access/mobile clients.

Transport Mode

This mode encrypts all traffic from the external IP address on this firewall to the external IP address on the far side as defined in the phase 1 settings. Since all traffic sent between the two nodes will be encrypted, other tunneling methods that do not employ encryption, such as a GIF or GRE tunnel, can be safely used by the firewall between the endpoints.

By default traffic for transport mode tunnels may experience problems keeping state correctly, among other filtering quirks. This can be improved by using the IPsec Filter Mode option in Advanced IPsec Settings. Read the consequences of that option carefully before changing the behavior.

Interface Selection

In many cases, the Interface option for an IPsec tunnel will be WAN, since the tunnels are connecting to remote sites. However, there are plenty of exceptions, the most common of which are outlined in the remainder of this section.

High Availability Environments

IPsec works well with high availability, with some caveats. See IPsec in High Availability Environments for details.

IP Alias VIP

If multiple IP addresses are available on an interface using IP Alias type VIPs, they will also be available in this list. To use one of those IP addresses for the VPN instead, select it here.

Multi-WAN Environments

IPsec supports multiple WANs in multiple configurations. See IPsec in Multi-WAN Environments for details.

Wireless Internal Protection

When configuring IPsec to add encryption to a wireless network as described in Additional protection for a wireless network, choose the OPT interface which corresponds to the wireless card. When using an external wireless access point, pick the interface which is connected to the wireless access point.