Hacom pfSense Deployment Guide

Bao Ha

Copyright © 2008 Hacom

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts.

9 November 2008

Table of Contents

Hacom pfSense Deployment Guide ... 1

Introduction ... 2

Three-Zone Firewall: Setup a DMZ ... 4

Four-Zone Firewall: Wireless Configuration ... 13

Four-Zone Firewall: Non-Bridged Wireless Network ... 22

Captive Portal ... 24

Virtual Private Network: Site-to-Site IPSec ... 35

Appendix A. Templates ... 46


Introduction

pfSense is a complete, embedded firewall software package that provides all the important features of commercial firewall boxes (including ease of use) at a fraction of the price (it is free software). It is based on FreeBSD. The software is available at http://www.pfsense.com/.

Hacom implements pfSense on our hardware to take advantage of its features, as well as to provide a completely packaged, supported product for commercial customers (small, medium and enterprise) who want a one-stop shop.

This document is the continuation of the Hacom pfSense Quick-Start Guide. It documents common deployments of pfSense firewalls.

Documentation

Since pfSense is similar to M0n0wall, the documentation for M0n0wall systems can be consulted at the following URLs:

The M0n0 Users Manual (http://m0n0.ch/wall/docbook/)

M0n0wall Quick Start Guide (http://m0n0.ch/wall/quickstart/)

pfSense FAQ (http://faq.pfsense.com/)

pfSense tutorial (http://www.pfsense.com/index.php?id=36)

Hacom pfSense Quick-Start Guide (http://www.hacom.net/catalog/pub/pfsense/Hacom%20pfSense%20Quick-Start%20Guide.pdf)

Hacom's pfSense

Hacom offers three groups of commercially packaged pfSense systems with a choice of support services: Phoenix, Mercury and Mars. The following comparison table can be used to select the appropriate equipment for a given network environment.

Performance* Phoenix Mercury Mars

Suggested Users 5-25 10-50 10-250

Throughput 90Mbps 200Mbps 400Mbps

Concurrent Connections 80,000 200,000 200,000-400,000

3DES IPSec Throughput 8-10Mbps 20Mbps 25-40Mbps

AES IPSec Throughput 10-40Mbps 80Mbps 40-60Mbps

* Performance depends on the network environment and the configuration of the firewall.


Hardware Specification

Phoenix Mercury Mars

Systemboard ES466B, CV700A, CV700A, CV763A, CI852A

CPU 333MHz AMD Geode GX, 500MHz VIA C7, 1GHz VIA C7, 1GHz Celeron-M, 1.6GHz Celeron-M

Memory 256MB, 512MB, 512MB, 1GB

Storage 1GB CF (Compact Flash) or 1 GB DOM (Disk-On-Module)**

Ethernet 3x10M/100M, 3x10M/100M/1G, 4x10M/100M/1G, 4x10M/100M/1G

** Disk-on-Module is more durable than compact flash due to its built-in wear leveling function.

Templates

Templates are simple forms filled in with enough information to guide the configuration of a pfSense firewall for a specific use case. For each of the deployments discussed in this guide, we put the filled-in template at the end of the use case to illustrate how to fill in the form.

These templates are mainly for Hacom's support staff to evaluate how much information is required to configure the router for a specific application.

Blank forms are provided in the appendix.


Three-Zone Firewall: Setup a DMZ

DMZ stands for De-Militarized Zone. It is an area of the local internal network that contains the Internet-facing servers. It is isolated from the LAN so that access to the internal network cannot spill over through the Internet-accessible servers.

Following is a diagram of a 3-zone firewall: WAN, LAN and OPT1. WAN is the Internet, the outside world. LAN is the local internal network protected by the firewall. And OPT1 is the DMZ.

Following are the assumptions for the DMZ setup:

1. The Firewall has a WAN IP of 208.127.150.33. It also has an extra external IP of 208.127.150.32 to be used for the web server: www.baoha.net.

2. The LAN subnet is 192.168.1.0/24.

3. The OPT1 (DMZ) subnet is 192.168.2.0/24.

4. The web server's DMZ IP is 192.168.2.5.

The goal is to forward any Internet traffic to the web server's public IP of 208.127.150.32 to the server 192.168.2.5 in the DMZ.

The procedure is as follows:

1. Create an OPT1 interface if it does not exist.

2. Configure the OPT1 interface.

3. Add the virtual IP 208.127.150.32 to the pfSense firewall.


4. Configure 1:1 NAT.

5. Set up the firewall rule to allow access from the DMZ to the WAN, but not from the DMZ to the LAN.

6. Set up the firewall rule

During the initial setup, we may have set up only a 2-zone firewall with 2 assigned network interfaces. We need to add the third interface using the web administration tools.

1. Go to Interfaces → Assign.

2. Click on the plus + sign on the right hand side to create a new interface OPT1. Click on Save!


Now, we need to set up the OPT1 interface.

OPT1 is the interface for the DMZ zone. Its subnet is 192.168.2.0/24, which contains the private IP of the web server www.baoha.net.

For the OPT1 interface, we will:

1. Enable the OPT1 interface.

2. Set it to be static.

3. Set the IP = 192.168.2.1/24

4. Save it!


The next step is to add a virtual IP. Go to Firewall → Virtual IPs.

1. Click on the plus + sign on the right hand side to create a new virtual IP entry for 208.127.150.32.

2. Click on Save!

3. Click on “Apply Changes”!

Now, we are ready to configure the 1:1 NAT.

1. Go to Firewall → NAT.

2. Click on the plus + sign on the right hand side to create a new 1:1 NAT rule.


3. Set the Interface to be WAN.

4. Set the external IP to be 208.127.150.32.

5. Set the internal subnet to be 192.168.2.5.

6. Click on Save!

7. Click on “Apply Changes”

Now, we are ready to set up the firewall rule on the DMZ interface denying all traffic to the LAN while still permitting all traffic to the WAN.

1. Click Firewall → Rules.

2. Click on the plus + sign on the right hand side to create a new firewall rule.

3. Set action to be REJECT

4. Set the interface to be OPT1


5. Set source to be ANY

6. Set the destination as “LAN subnet”

7. Click on Save.

8. Click on “Apply Changes”

9. Next, we set up the firewall rule on the DMZ interface to allow DMZ traffic to go anywhere except the LAN. Click Firewall → Rules.


10. Click on the plus + sign on the bottom right hand side to create a new firewall rule.

11. Set action to be ACCEPT

12. Set source to be ANY

13. Set the destination as “NOT LAN subnet”

14. Click on Save.

15. Click on “Apply Changes”

If we want certain services on the LAN to be reachable from the DMZ, firewall rules have to be set up to allow these to be accessed from the DMZ.

Following are the minimum firewall rules for the DMZ (OPT1) zone.


Three-Zone Firewall Template

Hacom pfSense Three-Zone Firewall Setup Template

Interfaces

Interface Static IP Comment

WAN 208.127.150.32/24

LAN 192.168.1.0

OPT1 (DMZ) 192.168.2.1/24

Virtual IPs (Firewall → Virtual IPs)

Virtual IP Address Type Interface Description

208.127.150.32/32 Other WAN

Firewall → NAT → 1:1

Interface External subnet Internal subnet Description

WAN 208.127.150.32/32 192.168.2.5 www.baoha.net

Firewall → Rules

Action Interface Protocol Source/Port Destination/Port Gateway Description

Reject OPT1 Any Any LAN net Reject DMZ traffic to LAN

Pass OPT1 Any OPT1 net !LAN net Permit DMZ to any but LAN
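As an added illustration, not part of the original guide and not pfSense code, the following Python model applies the 1:1 NAT entry for the web server and then evaluates packets arriving on OPT1 against the two template rules, first match wins as in the pfSense rule list, with pfSense's implicit default deny when nothing matches. The addresses are the guide's; Packet, Rule, one_to_one_nat, evaluate and dmz_policy_report are names constructed for this example.

```python
"""Model of the three-zone DMZ policy in this guide: the 1:1 NAT entry for the
web server and the two OPT1 rules, evaluated first-match as the pfSense rule
list is.  Constructed example; not pfSense code."""
import ipaddress
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("192.168.2.0/24")
WEB_PUBLIC = ipaddress.ip_address("208.127.150.32")   # virtual IP on WAN
WEB_DMZ = ipaddress.ip_address("192.168.2.5")         # 1:1 NAT target


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on: "WAN" or "OPT1"
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    action: str                # "pass" or "reject"
    iface: str
    src: object                # ip_network, or "any"
    dst: object                # ip_network, or "any"
    negate_dst: bool = False   # the GUI's "not" checkbox on the destination
    descr: str = ""


# The two rules of the three-zone template, in GUI order.
OPT1_RULES = [
    Rule("reject", "OPT1", "any", LAN_NET, False, "Reject DMZ traffic to LAN"),
    Rule("pass", "OPT1", DMZ_NET, LAN_NET, True, "Permit DMZ to any but LAN"),
]


def _matches(net, addr):
    """'any' matches everything; otherwise the address must lie in the network."""
    return isinstance(net, str) or addr in net


def one_to_one_nat(pkt):
    """Firewall → NAT → 1:1: inbound WAN traffic to the virtual IP is sent to
    the DMZ server, and the server's outbound traffic leaves with the virtual
    IP as its source.  Other packets are returned unchanged."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.iface == "WAN" and dst == WEB_PUBLIC:
        return Packet(pkt.iface, pkt.src, str(WEB_DMZ))
    if pkt.iface == "OPT1" and src == WEB_DMZ:
        return Packet(pkt.iface, str(WEB_PUBLIC), pkt.dst)
    return pkt


def evaluate(pkt, rules=OPT1_RULES):
    """Return the action of the first rule matching the packet on its
    interface, or "block" for pfSense's implicit default deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for rule in rules:
        if rule.iface != pkt.iface or not _matches(rule.src, src):
            continue
        dst_hit = _matches(rule.dst, dst)
        if rule.negate_dst:
            dst_hit = not dst_hit
        if dst_hit:
            return rule.action
    return "block"


def dmz_policy_report(rules=OPT1_RULES):
    """Probe the ruleset with representative packets seen on OPT1 (constructed
    sample addresses) and return the verdict for each."""
    probes = {
        "dmz_to_lan_host": Packet("OPT1", "192.168.2.5", "192.168.1.10"),
        "dmz_to_internet": Packet("OPT1", "192.168.2.5", "198.51.100.7"),
        "dmz_to_firewall_opt1": Packet("OPT1", "192.168.2.5", "192.168.2.1"),
        "spoofed_src_on_dmz": Packet("OPT1", "10.9.8.7", "198.51.100.7"),
    }
    return {name: evaluate(p, rules) for name, p in probes.items()}


if __name__ == "__main__":
    for name, verdict in dmz_policy_report().items():
        print(f"{name:24s} {verdict}")
```

Two things the report makes visible that the click-through does not: a destination of "!LAN net" still includes the firewall's own OPT1 address (192.168.2.1), so a DMZ host can reach the web administration interface on that address unless a further rule restricts it, and a packet on OPT1 whose source is outside the OPT1 subnet matches neither rule and falls to the default deny.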


Four-Zone Firewall: Wireless Configuration

There are three ways to add a wireless network to our networking environment, assuming that the system has the optional wireless adapter.

1. Bridged wireless network.

In this configuration, although we still have four zones: WAN, LAN, OPT1 and OPT2, the wireless interface OPT2 is bridged with LAN. The two zones LAN and OPT2 are in effect combined into one zone, LAN, for all practical purposes.

2. Four-zone firewall.

In this configuration, the wireless network is just another local network, like the local network in the LAN zone.

3. Captive portal.

This is similar to the above 4-zone networking environment. It forces users to be authenticated before they can access the wireless network.

The DMZ or OPT1 zone can be ignored at this point. In fact, if we don't have a DMZ, the wireless interface becomes OPT1, instead of OPT2. And all configurations are the same.

Following is a diagram of a 4-zone firewall: WAN, LAN, OPT1 and OPT2. WAN is the Internet, the outside world. LAN is the local internal network protected by the firewall. OPT1 is the DMZ. And OPT2 is our wireless zone.


If it has not been done already, we need to add the wireless network interface, OPT2 in this case, using the web administration tools.

1. Go to Interfaces → Assign.

2. Click on the plus + sign on the right hand side to create a new interface OPT2.

3. Choose the ath0 network port.

4. Click on Save!


Note: Hacom supplies an Atheros-based wireless adapter with some of the systems. It is detected by FreeBSD as the ath0 interface. Other wireless network adapters may be detected under a different name.

Bridged Wireless Network

In this configuration, all wireless users in the OPT2 zone are considered to be on the same network as the wired LAN users. This configuration has an advantage: it allows all users in OPT2 and LAN to share peripherals, like networked printers and shared drives.

To configure a wireless network:

1. Go to Interfaces → OPT2

2. Enable the optional interface OPT2

3. On the IP Configuration, set it to bridge with LAN


4. Set the wireless configuration standard to be 802.11g

5. Set the mode to be Access Point

6. Set the SSID to be “pfSense” or your choice of network name

7. Enable WEP authentication. There are other authentication methods besides WEP, i.e. WPA or 802.1X. Depending on the number of users and the required security level, they may be a better choice than WEP.

8. Set the 13-character WEP key

9. Set Open Authentication

10. Click on Save!


11. Add a firewall rule for OPT2 similar to the LAN zone.

12. Click on Save!

13. Click on “Apply Changes”!


Four-Zone Firewall Template (Bridged Wireless)

Hacom pfSense Four-Zone Firewall Setup Template

Interfaces

Interface Static IP Comment

WAN 208.127.150.32/24

LAN 192.168.1.0

OPT1 (DMZ) 192.168.2.1/24

OPT2 (Wireless) Bridged with LAN! Refer to the Wireless template for setup info.

Virtual IPs (Firewall → Virtual IPs)

Virtual IP Address Type Interface Description

208.127.150.32/32 Other WAN

Firewall → NAT → 1:1

Interface External subnet Internal subnet Description

WAN 208.127.150.32/32 192.168.2.5 www.baoha.net

Firewall → Rules

Action Interface Protocol Source/Port Destination/Port Gateway Description

Reject OPT1 Any Any LAN net Reject DMZ traffic to LAN

Pass OPT1 Any OPT1 net !LAN net Permit DMZ to any but LAN

Pass OPT2 Any OPT2 net Any Permit OPT2 to any


Wireless Interface Template

Hacom pfSense Wireless Interface Template

Interface OPT2

Standard 802.11g

Mode Access Point

802.11g OFDM Protection Mode Protection mode off

SSID pfsense

Enable WEP Yes

Key 1 123456789abc

Key 2

Key 3

Key 4

Enable WPA

WPA Pre Shared Key (PSK)

WPA Mode

Authentication Open System Authentication

WPA Pairwise

Key Rotation

Master Key Regeneration

Strict Key Regeneration

Enable IEEE802.1X

Hostname (DHCP client configuration)


Four-Zone Firewall: Non-Bridged Wireless Network

Setting up a non-bridged wireless network is fairly easy. Just follow the same procedure as above, except for the first three steps:

1. Go to Interfaces → OPT2. Enable the optional interface OPT2, if it is not already enabled!

2. On the IP Configuration, set the bridge to NONE, and set the IP address to a separate subnet from LAN. For example, we set it to 192.168.3.1/24.


Four-Zone Firewall Template (Non-Bridged Wireless)

Hacom pfSense Four-Zone Firewall Setup Template

Interfaces

Interface Static IP Comment

WAN 208.127.150.32/24

LAN 192.168.1.0

OPT1 (DMZ) 192.168.2.1/24

OPT2 (Wireless) 192.168.3.1/24 Refer to the Wireless template for setup info.

Virtual IPs (Firewall → Virtual IPs)

Virtual IP Address Type Interface Description

208.127.150.32/32 Other WAN

Firewall → NAT → 1:1

Interface External subnet Internal subnet Description

WAN 208.127.150.32/32 192.168.2.5 www.baoha.net

Firewall → Rules

Action Interface Protocol Source/Port Destination/Port Gateway Description

Reject OPT1 Any Any LAN net Reject DMZ traffic to LAN

Pass OPT1 Any OPT1 net !LAN net Permit DMZ to any but LAN

Pass OPT2 Any OPT2 net Any Permit OPT2 to any


Captive Portal

A captive portal uses a web page to authenticate users before granting them access to the Internet. It is commonly used in a wireless environment, where it is also called hotspot management, but the technique is applicable to a wired network environment as well.

Following are the assumptions for the Captive Portal setup:

1. The Firewall has a WAN IP of 208.127.150.33.

2. The OPT1 (DMZ) subnet is 192.168.2.0/24.

3. The LAN subnet is 192.168.1.0/24.

4. The captive portal is on the OPT2 zone. It has its own subnet: 192.168.3.0/24.

The goal is to authenticate all wireless users before allowing them to access to the Internet as well as local LAN resources.

The procedure is as follows:


1. Create an OPT2 interface and configure it if it does not exist.

2. Configure the DHCP server.

3. Configure the Captive Portal.

4. Setup the firewall rule for OPT2, if there is none!

Wireless Non-Bridged Network

Configuration of the non-bridged wireless network is similar to the previous section, Four-Zone Firewall: Wireless Network. Note: Make sure to disable all wireless authentication: no WEP/WPA/802.1X!


Setting up the DHCP Server

The DHCP server is used to hand out the IP addresses for the computers connecting to the Captive Portal. Use the following procedure if the DHCP server has not been set up.

1. Go to Services → DHCP server

2. Enable the DHCP server on the OPT2 interface

3. Set the IP range to be from 192.168.3.101 to 192.168.3.150

4. Click on Save!


Captive Portal Setting

1. Go to Services → Captive portal

2. Enable the Captive Portal

3. Set the Interface to OPT2

4. Set idle timeout to 10 minutes, hard timeout to 120 minutes.

5. Set authentication to “Local user manager”. It is recommended to use a Radius server for authentication. Scroll down to see the option.

6. Don't forget to upload the Portal page contents and the Authentication error page contents. Scroll further down to see the option.

7. Go to Services → Captive portal → Allowed IP addresses to allow the following IPs:

● 208.127.150.34: the Hacom.net logo. This is an example of displaying images from an outside Internet server.

● 192.168.2.5: our web server www.baoha.net in the DMZ zone.


8. Click on the plus + sign on the right hand side to create a new allowed IP address.

9. Click on Save!

10. Click on “Apply Changes”!


11. Go to Services → Captive portal → Users to add authorized users:

12. Click on Save!

13. Click on “Apply Changes”!


Captive Portal Templates

The setup of a captive portal is similar to the four-zone non-bridged wireless configuration. We will need the following templates with filled-in information:

1. DHCP server service

2. Wireless configuration ( No authentication)

3. Four-zone firewall

4. Captive portal

Hacom pfSense DHCP Services Template

DHCP Relay (Services → DHCP Relay)

Enable DHCP

Append circuit ID and agent ID to requests

Destination server

DHCP Server (Services → DHCP server)

Interface OPT2

Deny unknown clients

Range (from-to) 192.168.3.101 192.168.3.150

WINS servers

DNS servers

Gateway

Default lease time

Maximum lease time

Failover peer IP

Static ARP

Dynamic DNS

NTP servers

Enable Network booting


Hacom pfSense Wireless Interface Template

Interface OPT2

Standard 802.11g

Mode Access Point

802.11g OFDM Protection Mode Protection mode off

SSID pfsense

Enable WEP

Key 1

Key 2

Key 3

Key 4

Enable WPA

WPA Pre Shared Key (PSK)

WPA Mode

Authentication Open System Authentication

WPA Pairwise

Key Rotation

Master Key Regeneration

Strict Key Regeneration

Enable IEEE802.1X

Hostname (DHCP client configuration)


Hacom pfSense Four-Zone Firewall Setup Template

Interfaces

Interface Static IP Comment

WAN 208.127.150.32/24

LAN 192.168.1.0

OPT1 (DMZ) 192.168.2.1/24

OPT2 (Wireless) 192.168.3.1/24 Refer to the Wireless template for setup info.

Virtual IPs (Firewall → Virtual IPs)

Virtual IP Address Type Interface Description

208.127.150.32/32 Other WAN

Firewall → NAT → 1:1

Interface External subnet Internal subnet Description

WAN 208.127.150.32/32 192.168.2.5 www.baoha.net

Firewall → Rules

Action Interface Protocol Source/Port Destination/Port Gateway Description

Reject OPT1 Any Any LAN net Reject DMZ traffic to LAN

Pass OPT1 Any OPT1 net !LAN net Permit DMZ to any but LAN

Pass OPT2 Any OPT2 net Any Permit OPT2 to any


Hacom pfSense Captive Portal (Services → Captive portal → Captive portal)

Enable Captive Portal Yes

Interface OPT2

Maximum concurrent connections

Idle timeout 10

Hard timeout 120

Logout popup window

Redirection URL

Concurrent user logins

MAC filtering

Authentication No authentication / Local user manager: Yes / RADIUS authentication

Radius Server IP address Port Shared Secret

Accounting send RADIUS accounting packets

Accounting port

Accounting updates no accounting updates

stop/start accounting interim update

Radius MAC authentication Reauthenticate users/minute

Shared secret

RADIUS options (Type)

HTTPS login

HTTPS server name

HTTPS certificate

HTTPS private key

Portal page contents

Authentication error page


Hacom pfSense Captive Portal's Allowed IP Address (Services → Captive portal → Allowed IP address)

Direction To

IP address 192.168.2.5

Description www.baoha.net

Hacom pfSense Captive Portal's Allowed IP Address (Services → Captive portal → Allowed IP address)

Direction To

IP address 208.127.150.34

Description Hacom.net logo

Hacom pfSense Captive Portal's User Management (Services → Captive portal → Users)

Username baoha

Password *****

Full Name

Expiration Date


Virtual Private Network: Site-to-Site IPSec

IPSec (Internet Protocol Security) is used to establish secured communication between one site and another remote site through the Internet. In this deployment case, we will be establishing an IPSec link between two pfSense firewalls.

Following are the assumptions for the site-to-site IPSec setup:

1. The pfSense firewall has a WAN IP of 208.127.150.33. It has a local network with a subnet of 192.168.254.0/24.

2. The other pfSense firewall has a WAN IP of 208.127.150.32. It has a local network with a subnet of 192.168.1.0/24.

3. Following are the IPSec link specifications:

● Pre-shared key: BaoHa. It is recommended to use a certificate; using a simple pre-shared key simplifies the setup so we can evaluate the IPSec functionality.

● Encryption algorithm: aes256

● Hash algorithm: sha1

The goal is to establish an IPSec virtual private network (VPN) linking the two remote networks 192.168.1.0/24 and 192.168.254.0/24 together through the Internet.

The procedure is as follows:

1. Setup IPSec tunnels on both pfSense firewalls.

2. Setup the Firewall rules on both pfSense firewalls.

3. Check the IPSec status.

Setup IPSec tunnels on pfSense

Following is the procedure to set up IPSec on the pfSense firewall with a local LAN subnet of 192.168.254.0/24.

1. Go to VPN → IPSec

2. Put a check mark on Enable IPSEC. Click on the Save button!


3. Click on the plus + sign on the bottom right hand side to create a new IPSec tunnel.

4. Set the Interface to WAN.

5. Set the local subnet type to “LAN subnet”

6. Set the Remote subnet to 192.168.1.0/24.

7. Set the remote gateway to 208.127.150.32.

8. Scroll down and set the negotiation mode to “main”.

9. Set My identifier to be “My IP address” and “208.127.150.33”.

10. Set Encryption algorithm to be “Rijndael 256” (AES256).

11. Set Hash algorithm to be SHA1

12. Set DH key group to be 2 (or 1024 bit).

13. Set Lifetime to be 28800.

14. Set Authentication method to be Pre-shared key.

15. Set Pre-shared Key to be “BaoHa”


16. Scroll down further and set Protocol to be ESP.

17. Set encryption algorithm to be “Rijndael 256”.

18. Set Hash algorithm to be SHA1

19. Set PFS key group to be “2” or 1024 bit.

20. Set Lifetime to be 86400.

21. Click on “Save”!

22. Click on “Apply Changes”


Following is a screenshot of VPN:IPSec screen once setup is done.


The IPSec tunnel setup on the second pfSense is similar. Following is the screenshot of VPN:IPSec of the second server.

Setup the Firewall rules on both pfSense firewalls.

The firewall rules must also be set up to allow IPSec traffic. Go to Firewall → Rules → IPSec and set it up like the following.


Check the IPSec Status

1. Go to Status → IPSec

2. If it says “No IPSec security associations”, the tunnel has not been established yet. Ping from one end to the other to bring it up.

3. When the tunnel is established, following is what the screenshot of Status → IpSec → Overview should look like.

4. Following is the screenshot of Status → IpSec → SAD


5. Following is the screenshot of Status → IPSec → SPD

6. Check the system logs of IPSec if there are still problems establishing the VPN tunnel!

IPSec tunnel to a Debian Server

To connect to a Debian server through IPSec is just as easy.

Assuming that the Debian server is running racoon with the following:

1. The pfSense firewall has a WAN IP of 208.127.150.33. It has a local network with a subnet of 192.168.254.0/24.

2. The Debian server has a WAN IP of 208.127.150.31. It has a local network with a subnet of 192.168.1.0/24.

3. Following are the IPSec link specifications:

● Pre-shared key: BaoHa. It is recommended to use a certificate. Using a simple pre-shared key simplifying the setup so we can evaluate the IPSec functionality.

● Encryption algorithm: aes256

● Hash algorithm: sha1

The only change on the pfSense side is the Debian server's external IP address.

1. Go to VPN → IPSec

2. Change the remote gateway to 208.127.150.31.

Following is the configuration of Debian's racoon:

Make sure that the file /etc/racoon/psk.txt contains the following pre-shared key:

“208.127.150.33 BaoHa”
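The guide shows the racoon configuration only as a screenshot. As an added example (not the guide's own file), here is a racoon.conf and the matching SPD policy that express the parameters listed above: main mode, pre-shared key, AES-256, SHA1, DH group 2, a phase 1 lifetime of 28800 s, a phase 2 lifetime of 86400 s, and the two subnets. The file path /etc/ipsec-tools.conf for the SPD is an assumption.

```conf
# /etc/racoon/racoon.conf  (added example, assumes ipsec-tools racoon on Debian)
path pre_shared_key "/etc/racoon/psk.txt";   # contains: 208.127.150.33 BaoHa

# Phase 1 (IKE) towards the pfSense WAN address
remote 208.127.150.33 {
        exchange_mode main;                   # pfSense "Negotiation Mode: main"
        my_identifier address 208.127.150.31;
        peers_identifier address 208.127.150.33;
        lifetime time 28800 sec;              # pfSense phase 1 lifetime
        proposal {
                encryption_algorithm aes 256; # pfSense "Rijndael 256"
                hash_algorithm sha1;
                authentication_method pre_shared_key;   # guide recommends a certificate instead
                dh_group 2;
        }
}

# Phase 2 (IPsec SA) between the two LANs, ESP with PFS group 2
sainfo address 192.168.1.0/24 any address 192.168.254.0/24 any {
        pfs_group 2;
        lifetime time 86400 sec;              # pfSense phase 2 lifetime
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1;
}

# /etc/ipsec-tools.conf  (assumed path; loaded with setkey -f)
# Security policies telling the kernel which traffic must use the ESP tunnel;
# these correspond to what pfSense displays under Status -> IPSec -> SPD.
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.1.0/24 192.168.254.0/24 any -P out ipsec esp/tunnel/208.127.150.31-208.127.150.33/require;
spdadd 192.168.254.0/24 192.168.1.0/24 any -P in  ipsec esp/tunnel/208.127.150.33-208.127.150.31/require;
```

On the Debian side, `setkey -D` and `setkey -DP` show the SAD and SPD, the same information pfSense presents on its Status → IPSec pages.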

Following are the screenshots of Status → IPSec once the tunnel is established.

VPN IPSec Template

Hacom pfSense VPN IPSec

Interface WAN

Local subnet Type LAN subnet Address

Remote subnet 192.168.1.0/24

Remote gateway 208.127.150.32

Description

Phase 1 proposal (Authentication)

Negotiation Mode main

My Identifier My IP Address 208.127.150.33

Encryption algorithm Rijndael 256

Hash algorithm SHA1

DH Key Group 2

lifetime 28800

Authentication method Pre-shared key

Pre-shared Key BaoHa

Certificate

Key

Peer Certificate

Phase 2 proposal (SA/Key Exchange)

Protocol ESP

Encryption algorithm Rijndael 256

Hash algorithm SHA1

PFS key group 2

lifetime 86400

Keep alive (automatically ping)

Firewall → Rules → IPSec

Action Interface Protocol Source/Port Destination/Port Gateway Description

Pass IPSEC Any Any Any

Appendix A. Templates

Appendix A1. Three-Zone Firewall Template

Hacom pfSense Three-Zone Firewall Setup Template

Interfaces

Interface Static IP Comment

WAN

LAN

OPT1 (DMZ)

Virtual IPs (Firewall → Virtual IPs)

Virtual IP Address Type Interface Description

Firewall → NAT → 1:1

Interface External subnet Internal subnet Description

Firewall → Rules

Action Interface Protocol Source/Port Destination/Port Gateway Description

Appendix A2. Wireless Interface Template

Hacom pfSense Wireless Interface Template

Interface

Standard

Mode

802.11g OFDM Protection Mode

SSID

Enable WEP

Key 1

Key 2

Key 3

Key 4

Enable WPA

WPA Pre Shared Key (PSK)

WPA Mode

Authentication

WPA Pairwise

Key Rotation

Master Key Regeneration

Strict Key Regeneration

Enable IEEE802.1X

Hostname (DHCP client configuration)

Appendix A3. Four-Zone Firewall Template

Hacom pfSense Four-Zone Firewall Setup Template

Interfaces

Interface Static IP Comment

WAN

LAN

OPT1 (DMZ)

OPT2

Virtual IPs (Firewall → Virtual IPs)

Virtual IP Address Type Interface Description

Firewall → NAT → 1:1

Interface External subnet Internal subnet Description

Firewall → Rules

Action Interface Protocol Source/Port Destination/Port Gateway Description

Appendix A4. DHCP Service Template

Hacom pfSense DHCP Services Template

DHCP Relay (Services → DHCP Relay)

Enable DHCP

Append circuit ID and agent ID to requests

Destination server

DHCP Server (Services → DHCP server)

Interface

Deny unknown clients

Range (from - to)

WINS servers

DNS servers

Gateway

Default lease time

Maximum lease time

Failover peer IP

Static ARP

Dynamic DNS

NTP servers

Enable Network booting

Appendix A5. Captive Portal Template

Hacom pfSense Captive Portal (Services → Captive portal → Captive portal)

Enable Captive Portal

Interface

Maximum concurrent connections

Idle timeout

Hard timeout

Logout popup window

Redirection URL

Concurrent user logins

MAC filtering

Authentication No authentication Local user manager RADIUS authentication

Radius Server IP address Port Shared Secret

Accounting send RADIUS accounting packets

Accounting port

Accounting updates no accounting updates

stop/start accounting interim update

Radius MAC authentication Reauthenticate connected users every minute

Shared secret

RADIUS options (Type)

HTTPS login

HTTPS server name

HTTPS certificate

HTTPS private key

Portal page contents

Authentication error page contents

Appendix A6. Captive portal's Allowed IP Address Template

Hacom pfSense Captive Portal's Allowed IP Address (Services → Captive portal → Allowed IP address)

Direction

IP address

Description

Appendix A7. Captive portal's User Management

Hacom pfSense Captive Portal's User Management (Services → Captive portal → Users)

Username

Password

Full Name

Expiration Date

Appendix A8. VPN IPSec Template

Hacom pfSense VPN IPSec

Interface WAN

Local subnet Type LAN subnet Address

Remote subnet

Remote gateway

Description

Phase 1 proposal (Authentication)

Negotiation Mode

My Identifier My IP Address

Encryption algorithm

Hash algorithm

DH Key Group

lifetime

Authentication method

Pre-shared Key

Certificate

Key

Peer Certificate

Phase 2 proposal (SA/Key Exchange)

Protocol ESP

Encryption algorithm

Hash algorithm

PFS key group

lifetime

Keep alive (automatically ping)

Firewall → Rules → IPSec

Action Interface Protocol Source/Port Destination/Port Gateway Description
