Routing Internet Traffic Through a Site-to-Site IPsec VPN

It is possible to use IPsec to send Internet traffic from Site A so that it appears to come from Site B. This may be needed if a vendor requires that connections originate from a specific address at Site B.


In this article we have two sites:

  1. Site A is a branch office, LAN subnet
  2. Site B is the main office through which all Internet traffic is routed,

Set up the IPsec tunnel Phase 1

Site A Configuration

In the VPN menu select IPsec. It opens on the Tunnels tab. Click the + button to create a new Phase 1 setup. (Make sure Enable IPsec is checked and saved.)


Enter these values:

Field                    Value                            Notes
Internet Protocol        IPv4
Interface                WAN                              Unless using a separate OPT interface.
Description              Site B                           The site's locality or another suitable description.
Authentication method    Mutual PSK
Negotiation mode         aggressive
My identifier            My IP address
Peer identifier          Peer IP address
Pre-Shared Key           A long key                       This can be generated using external utilities, but be careful to copy it without extra spaces.
Policy Generation        Default
Proposal Checking        Default
Encryption algorithm     AES 256 bits                     Read this comparison of encryption algorithms.
Hash algorithm           SHA256                           Read this comparison of hash algorithms.
DH key group             2 (1024 bit)                     Read this explanation of Perfect Forward Secrecy.
Lifetime                 28800
NAT Traversal            Disable                          Turn this off unless it is definitely needed.
Dead Peer Detection      Enable: 10 seconds, 5 retries    Leave this on unless the other side does not properly support DPD.

Click Save and on the next screen click Apply Changes. The Phase 1 entry is now shown on the IPsec page.


Site B Configuration

Do the same as in Site A but in the Remote Gateway field enter Site A’s public IP address or FQDN and in the Description field enter ‘Site A’.

Set up the IPsec tunnel Phase 2

Site A Configuration

Click the + button under the Phase 1 entry to show its Phase 2 entries. Since we haven't created any yet, none are listed.


Click the + button to create a new Phase 2.


Enter these values:

Field                    Value                                     Notes
Mode                     Tunnel IPv4
Local Network            Type: LAN subnet; NAT/BINAT type: None
Remote Network                                                     This tells pfSense to route everything over this interface.
Description              Site B
Protocol                 ESP
Encryption algorithm     AES 256 bits
Hash algorithm           SHA256
PFS key group            2 (1024 bit)
Lifetime                 3600
Automatically ping host  A hostname or IP address to keep the tunnel alive   In my experience this is not necessary.

Click Save and on the next page click Apply Changes.

Site B Configuration

Enter the same values as at Site A, with these differences:

Local Network            Type: Network
Remote Network           Type: Network; Address: Site A's LAN subnet

Use the same Phase 2 proposal and Advanced options as at Site A.


Click Save and then Apply Changes.

Allow IPsec traffic through the firewall

The tunnel should now be operational; however, no traffic is allowed through it until a firewall rule is added to pass it. The rule must be added on the routers at both sites.

From the Firewall menu, choose Rules. Go to the IPsec tab and click the + button.


Set the Protocol to any and in the Description field type Allow everything through IPsec tunnel. Click Save and on the next page click Apply changes. Do this on both routers.


At this point the tunnel should be up and it should be possible to ping from one side to the other and back. Computers at Site A do not yet have an Internet connection, however, because NAT for the IPsec tunnel still needs to be configured.

Configure outbound NAT

In the default setup outbound NAT is configured automatically. We need to set it to Manual in order to add Site A's subnet. This configuration step is not required on the router at Site A.

Site B Configuration

From the Firewall menu, choose NAT and click the Outbound tab. Note that Mode is set to Automatic outbound NAT rule generation. Select Manual Outbound NAT rule generation and click Save. On the next page, click Apply changes.

Click the + button to open the New Mapping page.


As the Source Type, select Network. In the Source Address field type Site A’s subnet:

In the Description field, type NAT for IPsec tunnel Site A.


Click Save and on the next page, click Apply changes. The new entry should now be shown in the outbound NAT overview.


At this point Site A will have a working Internet connection through the IPsec tunnel, leaving via Site B's Internet provider. Any Internet traffic from Site A will look as if it were coming from Site B (see the diagram at the beginning of this article).
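The following is an added example, written for this page and not pfSense code or the original author's, that models the three decisions the article has just configured: Site A's Phase 2 selectors choosing the tunnel for everything, Site B's IPsec-tab firewall rule passing the traffic, and Site B's manual outbound NAT rewriting the source address before the packet leaves Site B's WAN. It makes visible why a ping between the two LANs works before the NAT step but Internet traffic from Site A does not: without the extra mapping, the packet would leave Site B with a private source address. The subnets and addresses (10.10.0.0/24, 10.20.0.0/24, 203.0.113.10, 198.51.100.1) are constructed sample values, since the article does not show its own; the functions and names are this example's own.

```python
"""Model of the packet path set up in the article: a Site A LAN host sends to
an Internet address; Site A's Phase 2 selectors pick the tunnel, Site B's
IPsec-tab rule must pass it, and Site B's outbound NAT must rewrite the
source before it leaves Site B's WAN. Illustration only, not pfSense code;
all addresses below are constructed sample values."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed sample addressing (the article does not show its own subnets).
SITE_A_LAN = ip_network("10.10.0.0/24")
SITE_B_LAN = ip_network("10.20.0.0/24")
SITE_B_WAN_IP = ip_address("203.0.113.10")   # TEST-NET-3, stands in for a public address
ANY = ip_network("0.0.0.0/0")
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Phase2:
    local: IPv4Network    # "Local Network" selector
    remote: IPv4Network   # "Remote Network" selector


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def packet(src, dst):
    """Convenience constructor from dotted-quad strings."""
    return Packet(ip_address(src), ip_address(dst))


# Site A Phase 2 as in the article: LAN subnet to everything (0.0.0.0/0).
PHASE2_SITE_A = [Phase2(SITE_A_LAN, ANY)]

# Site B IPsec-tab rule from the "Allow IPsec traffic" step: protocol any, any to any.
IPSEC_RULES_SITE_B = [{"proto": "any", "src": ANY, "dst": ANY}]

# Site B outbound NAT: automatic mode only knows Site B's own LAN ...
NAT_SITE_B_AUTO = [{"interface": "WAN", "source": SITE_B_LAN, "translate_to": SITE_B_WAN_IP}]
# ... manual mode adds the "NAT for IPsec tunnel Site A" mapping.
NAT_SITE_B_MANUAL = NAT_SITE_B_AUTO + [
    {"interface": "WAN", "source": SITE_A_LAN, "translate_to": SITE_B_WAN_IP}
]


def select_phase2(pkt, entries):
    """Most specific Phase 2 entry whose selectors cover src and dst, else None
    (None means Site A's own WAN carries the packet, not the tunnel)."""
    hits = [e for e in entries if pkt.src in e.local and pkt.dst in e.remote]
    return max(hits, key=lambda e: e.local.prefixlen + e.remote.prefixlen, default=None)


def ipsec_tab_passes(pkt, rules):
    """The IPsec tab blocks by default; a matching pass rule is required."""
    return any(r["proto"] == "any" and pkt.src in r["src"] and pkt.dst in r["dst"] for r in rules)


def site_b_egress(dst):
    """Interface the packet leaves Site B on: LAN for Site B hosts, WAN for everything else."""
    return "LAN" if dst in SITE_B_LAN else "WAN"


def outbound_nat(pkt, egress, mappings):
    """Manual outbound NAT: first mapping on the egress interface whose source matches wins."""
    for m in mappings:
        if m["interface"] == egress and pkt.src in m["source"]:
            return Packet(m["translate_to"], pkt.dst)
    return pkt


def forward(pkt, phase2_a=PHASE2_SITE_A, rules_b=IPSEC_RULES_SITE_B, nat_b=NAT_SITE_B_MANUAL):
    """Trace one packet from Site A; returns (outcome, detail)."""
    if select_phase2(pkt, phase2_a) is None:
        return ("site_a_wan", str(pkt.src))          # never enters the tunnel
    if not ipsec_tab_passes(pkt, rules_b):
        return ("blocked", "no pass rule on Site B's IPsec tab")
    egress = site_b_egress(pkt.dst)
    out = outbound_nat(pkt, egress, nat_b)
    if egress == "WAN" and any(out.src in n for n in RFC1918):
        return ("unroutable", "left Site B's WAN with private source %s" % out.src)
    return ("site_b_" + egress.lower(), str(out.src))  # apparent source address


if __name__ == "__main__":
    internet = packet("10.10.0.5", "198.51.100.1")
    ping_b = packet("10.10.0.5", "10.20.0.7")
    print("firewall rule missing:      ", forward(internet, rules_b=[]))
    print("ping Site B, automatic NAT: ", forward(ping_b, nat_b=NAT_SITE_B_AUTO))
    print("Internet, automatic NAT:    ", forward(internet, nat_b=NAT_SITE_B_AUTO))
    print("Internet, manual NAT:       ", forward(internet))
```

Running the script walks through the article's sequence: with no IPsec-tab rule the packet is blocked; with the rule but automatic NAT, the ping to Site B's LAN succeeds while the Internet-bound packet would leave Site B's WAN still carrying its 10.10.0.5 source; only the manual mapping for Site A's subnet makes it exit as 203.0.113.10, which is the behaviour the vendor in the introduction expects to see.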

By Vorkbaard, 2013-07-27 - gmail{a}vorkbaard[.]nl, with additional edits.