IPsec on pfSense® software offers numerous configuration options which influence the performance and security of IPsec connections. For most users, performance is the most important factor. When crafting a configuration, carefully select options to ensure optimal efficiency while maintaining strong security and compatibility with equipment on both ends of a tunnel.
For deployments with low-to-moderate bandwidth usage, the options may not have a significant impact on performance. Even so, take care not to use insecure options such as SHA1 or weak pre-shared keys.
pfSense software supports several options which are weak from a security standpoint. These are included for compatibility with third-party vendors and equipment that do not support stronger options. The GUI includes warnings against using these options.
The next sections outline how to design an IPsec tunnel and the options available.
- IPsec Tunnel Design
- IPsec Tunnels Tab
- Phase 1 Settings
- Phase 2 Settings
- IPsec Mobile Clients Tab
- IPsec Pre-Shared Keys Tab
- Advanced IPsec Settings