Configuring a VPN Server with pfSense

Overview

This lab focused on configuring an IPsec VPN server using pfSense, implementing secure remote connectivity, and enforcing explicit firewall rules to meet organizational security policies.

Objectives

  • Configure an IPsec VPN tunnel

  • Enable secure remote client access

  • Implement MOBIKE for IP roaming

  • Replace automatic firewall rules with explicit rules

  • Ensure all VPN traffic is logged and controlled

Technologies Used

  • pfSense firewall/router

  • IPsec VPN (IKEv2)

  • NAT Traversal (NAT-T)

  • ESP (Encapsulating Security Payload)

Key Configurations

IPsec VPN Setup

  • Configured Phase 1 (IKE):
    - Authentication method (pre-shared key or certificates)
    - Encryption and hashing algorithms

  • Configured Phase 2:
    - Network ranges for secure communication

  • Verified tunnel establishment and connectivity

MOBIKE (IP Roaming)

  • Enabled MOBIKE in IPsec tunnel settings

  • Allowed clients to maintain VPN sessions during IP changes

  • Improved connection stability for remote users
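The MOBIKE bullets above describe the effect (sessions survive an address change) without showing the state involved. The following is an added example, not code from the lab or from pfSense/strongSwan: a toy gateway that keys IKE SAs by initiator SPI, so that a packet from a new address on a MOBIKE-enabled SA updates the peer address instead of being treated as unknown, while the same packet on a non-MOBIKE SA is dropped. The SPI values and addresses are constructed, and the model omits the real protocol's integrity protection of the address update.

```python
"""Toy model of the state MOBIKE protects: an IKE SA is identified by its SPIs,
and MOBIKE lets the gateway accept a peer address change on that SA instead of
treating traffic from the new address as unknown. Added example; it is not
strongSwan or pfSense code and omits the real protocol's cryptographic checks."""
from dataclasses import dataclass
from typing import Dict


@dataclass
class IkeSa:
    spi_i: int       # initiator SPI; identifies the SA regardless of addresses
    peer_addr: str   # address the remote client is currently using
    mobike: bool     # whether MOBIKE was negotiated for this SA


class Gateway:
    def __init__(self) -> None:
        self.sas: Dict[int, IkeSa] = {}

    def establish(self, spi_i: int, peer_addr: str, mobike: bool) -> None:
        """Record a newly established IKE SA (constructed SPI and address)."""
        self.sas[spi_i] = IkeSa(spi_i, peer_addr, mobike)

    def receive(self, spi_i: int, src_addr: str) -> str:
        """Classify a packet for SA spi_i arriving from src_addr."""
        sa = self.sas.get(spi_i)
        if sa is None:
            return "dropped"            # no such SA on this gateway
        if src_addr == sa.peer_addr:
            return "ok"                 # packet from the expected address
        if sa.mobike:
            # In the real protocol this is an UPDATE_SA_ADDRESSES notify sent in an
            # INFORMATIONAL exchange that the IKE SA integrity-protects; the toy
            # model only checks that the SPI is known before accepting the change.
            sa.peer_addr = src_addr
            return "updated"
        return "dropped"                # address mismatch and no MOBIKE: client must renegotiate


if __name__ == "__main__":
    # Constructed walk-through: one client roams from a Wi-Fi address to a mobile address.
    gw = Gateway()
    gw.establish(0x1001, "198.51.100.7", mobike=False)
    gw.establish(0x1002, "198.51.100.7", mobike=True)
    for spi in (0x1001, 0x1002):
        print(f"SA {spi:#x}: before roam={gw.receive(spi, '198.51.100.7')}, "
              f"after roam={gw.receive(spi, '192.0.2.44')}, "
              f"next packet={gw.receive(spi, '192.0.2.44')}")
```

The point for the firewall side is that MOBIKE does not change which ports must be open: the address update still travels over UDP/500 or UDP/4500, so the explicit WAN rules below cover roaming clients as well.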

Firewall Rule Management

Disabling Automatic Rules

  • Navigated to: VPN → IPsec → Advanced Settings

  • Disabled automatic IPsec rule creation

  • Ensured compliance with explicit rule policy

Manual WAN Rules Created

  1. IKE (Key Exchange)
    - Protocol: UDP
    - Port: 500
    - Purpose: Establish VPN tunnel

  2. NAT-T (NAT Traversal)
    - Protocol: UDP
    - Port: 4500
    - Purpose: Support VPN through NAT devices

  3. ESP (Encrypted Traffic)
    - Protocol: ESP (IP Protocol 50)
    - Purpose: Carry encrypted VPN data

Security Considerations

  • Explicit rules improve visibility and logging

  • Supports granular traffic filtering and control

  • Enables future implementation of:
    - IP range restrictions
    - Traffic shaping
    - Advanced monitoring
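To make the three manual WAN rules and the logged default deny concrete, here is an added example (not pfSense code, and it does not read pfSense's rule set): a small first-match evaluator holding exactly the rules from the "Manual WAN Rules Created" list, run over constructed sample traffic, with the optional source-range restriction from the bullet above applied as a variant. The WAN address 203.0.113.10 and the client addresses are constructed documentation values.

```python
"""Model of the three explicit WAN rules from the lab (UDP/500, UDP/4500,
ESP) with a logged default deny, evaluated over constructed sample traffic.
Added example; it is not pfSense code and does not read pfSense's rule set."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PROTO_UDP = 17
PROTO_ESP = 50  # IP protocol 50; ESP carries no port numbers

# Constructed documentation address standing in for the firewall's WAN address.
WAN_ADDRESS = "203.0.113.10"


@dataclass
class Rule:
    name: str
    proto: int
    dst_port: Optional[int] = None  # None for port-less protocols such as ESP
    src_net: Optional[str] = None   # optional source restriction (hypothetical extension)
    log: bool = True                # explicit rules are logged, as the lab requires


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dst_port: Optional[int] = None


# The manual WAN rules created in the lab; anything else falls to default deny.
RULES: List[Rule] = [
    Rule("IKE", PROTO_UDP, 500),
    Rule("NAT-T", PROTO_UDP, 4500),
    Rule("ESP", PROTO_ESP),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet is inbound to the WAN address and fits the rule."""
    if pkt.dst != WAN_ADDRESS or pkt.proto != rule.proto:
        return False
    if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
        return False
    if rule.src_net is not None and ip_address(pkt.src) not in ip_network(rule.src_net):
        return False
    return True


def evaluate(pkt: Packet, rules: List[Rule] = RULES,
             log: Optional[list] = None) -> Tuple[str, str]:
    """First matching rule wins; unmatched traffic is blocked and logged."""
    for rule in rules:
        if matches(rule, pkt):
            if log is not None and rule.log:
                log.append(f"pass  {rule.name}: {pkt.src} -> {pkt.dst} "
                           f"proto={pkt.proto} dport={pkt.dst_port}")
            return "pass", rule.name
    if log is not None:
        log.append(f"block default-deny: {pkt.src} -> {pkt.dst} "
                   f"proto={pkt.proto} dport={pkt.dst_port}")
    return "block", "default-deny"


def restricted_rules(allowed_net: str) -> List[Rule]:
    """The same three rules limited to one source range (the 'IP range restriction' step)."""
    return [Rule(r.name, r.proto, r.dst_port, allowed_net, r.log) for r in RULES]


if __name__ == "__main__":
    # Constructed sample traffic: a legitimate IKE/NAT-T/ESP client, an unrelated
    # UDP service probe, and an IKE attempt from outside the permitted range.
    samples = [
        Packet("198.51.100.7", WAN_ADDRESS, PROTO_UDP, 500),
        Packet("198.51.100.7", WAN_ADDRESS, PROTO_UDP, 4500),
        Packet("198.51.100.7", WAN_ADDRESS, PROTO_ESP),
        Packet("198.51.100.7", WAN_ADDRESS, PROTO_UDP, 1194),
        Packet("192.0.2.44", WAN_ADDRESS, PROTO_UDP, 500),
    ]
    decisions: list = []
    for p in samples:
        evaluate(p, restricted_rules("198.51.100.0/24"), decisions)
    print("\n".join(decisions))
```

Two properties of the explicit rule set are visible in the log: every decision, pass or block, is attributable to a named rule, and narrowing the rules (here to one source range) needs no change to the evaluation order because ESP has no ports and is matched on protocol number alone.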

Results

  • VPN connectivity remained stable across network changes

  • Remote users experienced uninterrupted sessions

  • Firewall rules are now fully visible and auditable

  • Organization policy requirements successfully met

Conclusion

This lab demonstrated the importance of combining secure VPN configuration with explicit firewall rule management. By disabling automatic rule creation and manually defining IPsec traffic rules, greater control, visibility, and security compliance were achieved.

Lab File