Cloudflare Docs

Cloudflare Docs

Overview
Prerequisites
Get started
Configuration
Manual configuration
How to
Configure tunnel endpoints
Configure static routes
Check tunnel health in the dashboard
Configure Magic Tunnel health alerts
Enable Magic user roles
Run traceroute
Update tunnel health checks frequency
View network analytics
Third-party integration
Alibaba Cloud VPN Gateway
Amazon AWS Transit Gateway
Aruba EdgeConnect Enterprise
Cisco IOS XE
Cisco SD-WAN
Fortinet
Furukawa Electric FITELnet
Palo Alto Networks NGFW
pfSense
SonicWall
Sophos Firewall
strongSwan
VyOS
Configure with Connector
Configuration
Device information
Troubleshooting
Security filters
Zero Trust integration
Cloudflare Gateway
Cloudflare Tunnel
WARP
Reference
Anti-replay protection
Bandwidth measurement
Device compatibility
GRE and IPsec tunnels
Traffic steering
Tunnel health checks
Legal
Glossary

pfSense

This tutorial explains how to set up a policy-based or route-based IPsec VPN with a pfSense device.

(Policy-based only) LAN interface configuration

From the pfSense WebGUI, select Interfaces > LAN.
Choose an interface from the Available network ports list.
Select Add. The General Configuration dialog displays.

Refer to the image below for guidance on which values to use.

General configuration dialog for interface setup for a policy based configuration

Field	Value
Enable	✔️ Enable interface
Description	LAN
IPv4 Configuration Type	Static IPv4
IPv6 Configuration Type	Static IPv6
MSS	1446

Phase 1

Policy-based configuration

pfSense IPsec phase 1 setting values for a policy based configuration

Field	Value
Description	Name
Key Exchange Version	IKE v2
Internet Protocol	IPv4
Interface	WAN
Remote Gateway	<Anycast IP provided by Cloudflare>

pfSense IPsec phase 1 expiration and replacement values for a policy based configuration

Field	Value
Life Time	28800
Rekey Time	14400
Reauth Time	0

Route-based configuration

pfSense IPsec phase 1 setting values for a route based configuration

Field	Value
Description	Name
Key Exchange Version	IKE v2
Internet Protocol	IPv4
Interface	WAN
Remote Gateway	<Anycast IP provided by Cloudflare>

pfSense IPsec phase 1 expiration and replacement values for a route based configuration

Field	Value
Life Time	28800
Rekey Time	14400
Reauth Time	0

Phase 2

Policy-based configuration

pfSense IPsec phase 2 general information values

Field	Value
Description	Name
Mode	Tunnel IPv4
Local Network	<Local Network to be tunneled>
NAT/BINAT translation	None
Remote Network	Remote network available via the tunnel

pfSense IPsec phase 2 key exchange values

Field	Value
Protocol	ESP
Encryption Algorithm	✔️ AES128-GCM, 128 bits
PFS key group	14 (2048 bit)

pfSense IPsec phase 2 key exchange values

Field	Value
Life Time	3600
Rekey Time	3240
Rand Time	360
Automatically ping host	Specify an IP address available via the tunnel. Refer to the Description field for more information.

Route-based configuration

pfSense IPsec phase 2 general information for a route based configuration

pfSense IPsec phase 2 network settings for a route based configuration

Field	Value
Description	Name
Mode	Routed (VTI)
Local Network	<Local Tunnel Inside IP>
Remote Network	<Remote Tunnel Inside IP>

pfSense IPsec phase 2 key exchange values for a route based configuration

Field	Value
Protocol	ESP
Encryption Algorithm	✔️ AES128-GCM, 128 bits
PFS key group	14 (2048 bit)

pfSense IPsec phase 2 key exchange values

Field	Value
Life Time	3600
Rekey Time	3240
Rand Time	360
Automatically ping host	Specify an IP address available via the tunnel. Refer to the Description field for more information.

(Route-based only) Interface assignment

From the pfSense WebGUI, select Interfaces > LAN.
Choose an interface from the Available network ports list.
Select Add. The General Configuration dialog displays.

Refer to the image below for guidance on which values to use.

General configuration dialog for interface setup for a policy based configuration

Field	Value
Enable	✔️ Enable interface
Description	LAN
IPv4 Configuration Type	Static IPv4
IPv6 Configuration Type	Static IPv6
MSS	1446

From the pfSense WebGUI, select Interfaces > Assignments.

pfSense interface assignment settings for route based configuration

From Available network ports, select + Add.

Adding an interface to a pfSense interface assignment with a route based configuration

Under Interface, select OPT1.

pfSense interface general configuration settings for a route based configuration

Ensure Enable interface is selected.
For Description, add a description to help you identify the interface.
For MSS, enter 1446, which should be the same as the LAN interface.
Select Save to save your changes when you are done.

Routing configuration

From the pfSense WebGUI, select System, Routing, Static Routes.
On the Static Routes page, select Add.
Create static routes for all network that will be routed via the tunnel with Gateway as the IPsec VTI interface.

pfSense interface routing configuration settings for a route based configuration

Firewall configuration

From the pfSense WebGUI, select Firewall Rules.
Select LAN.
Ensure a rule exists that allows traffic from LAN to IPsec.
Select Save when you are done.

If you need to allow traffic from IPsec to LAN, you will need to create rules that allow this.