IPsec between pfSense at home and Ubuntu in data center

  • I would like to encrypt all of my internet traffic at home and enter and leave the internet via an Ubuntu server in a data center. Basically, a site-to-site IPsec tunnel between the two of them.

    Home: pfSense 2.2.2-RELEASE (amd64) with a public IP on the WAN interface and DHCP on the LAN interface

    Data center: Ubuntu 14.04 server with 1 interface with a public IP

    I've installed Openswan on the Ubuntu server and am wondering if anyone can help me out with the right ipsec.conf settings and pfSense settings? I'd really appreciate it.

  • Do you have to use Ubuntu? What about FreeBSD or virtualization?

  • So I've changed my data center setup to a VPS (Ubuntu Server 14.04 x64) with strongSwan and UFW. The configuration is not optimal yet, as I'm learning how everything works, but it works for now. I do have issues loading certain websites and will play around with MSS settings to try and resolve these.


    # ipsec.conf on the VPS (strongSwan)
    config setup
            # replace an existing IKE_SA when the same peer identity connects again
            uniqueids = yes
            # an empty string keeps charon's default log levels
            charondebug = ""

    conn con1000
            reqid = 1
            # allow IKE message fragmentation for large IKE_AUTH messages
            fragmentation = yes
            keyexchange = ikev2
            # re-authenticate (new IKE_SA) when ikelifetime expires instead of rekeying in place
            reauth = yes
            forceencaps = no
            # both ends have static public IPs, so MOBIKE is not needed
            mobike = no
            rekey = yes
            installpolicy = yes
            type = tunnel
            # dead peer detection every 10s; restart the tunnel when the peer stops answering.
            # dpdtimeout only applies to IKEv1; with IKEv2 the retransmission timeouts decide.
            dpdaction = restart
            dpddelay = 10s
            dpdtimeout = 60s
            # install trap policies and bring the tunnel up on the first matching packet
            auto = route
            left = PUBLIC.IP.DATA.CENTER
            right = PUBLIC.IP.PFSENSE.HOME
            leftid = PUBLIC.IP.DATA.CENTER
            # 8h IKE_SA lifetime, 1h CHILD_SA (ESP) lifetime
            ikelifetime = 28800s
            lifetime = 3600s
            # IKE proposal; the trailing '!' makes it strict (no default proposals appended).
            # sha1 and modp1024 are weak by current standards.
            ike = aes128-sha1-modp1024!
            # ESP proposal: AES-GCM is an AEAD cipher, so the sha1 integrity term is redundant,
            # and with no DH group there is no PFS. The pfSense Phase 2 proposal must match
            # this exactly, including whether a DH group is present.
            esp = aes128gcm128-sha1!
            # pre-shared key authentication; the key itself goes in ipsec.secrets
            leftauth = psk
            rightauth = psk
            rightid = PUBLIC.IP.PFSENSE.HOME
            # home LAN behind pfSense
            rightsubnet = PRIVATE.LAN.AT.HOME/24
            # subnet reachable behind the VPS
            leftsubnet =



    Added to /etc/ufw/before.rules


    NAT table rules



    and allowed the following traffic in UFW


    My pfSense has the following settings.





    And of course NAT outbound and firewall rules for IPsec.

  • You're probably better off using OpenVPN for that usage case, as that gives you much better flexibility in what you route out via the VPS.

  • @cmb:

    You're probably better off using OpenVPN for that usage case, as that gives you much better flexibility in what you route out via the VPS.

    That is correct and I agree. The problem with OpenVPN, however, is that I can't max out the connection. OpenVPN works great but is limited to around 160 Mbit/s. With IPsec I easily reach the full 200 Mbit/s I currently have between the two sites. Both ends have a CPU with AES-NI support and I played around with all the recommended OpenVPN settings, but I can't push it beyond 160 Mbit/s. So that's why I'm back at IPsec.

  • Ah. Yeah, OpenVPN doesn't yet support AES-GCM; that's coming in OpenVPN 2.4 later this year, it appears. That'll get you the AES-NI acceleration benefits with it.

  • Dump the contents of the generated strongSwan configuration on pfSense. It looks like you have it configured for esp = aes128gcm128-sha1-modp1024!, which is different from the other side.
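The mismatch the last reply points at (esp = aes128gcm128-sha1! on the VPS versus aes128gcm128-sha1-modp1024! generated by pfSense) is easy to miss by eye. The following Python script is an added example, not code from this thread, from pfSense or from strongSwan: it splits strongSwan proposal strings into cipher, integrity, PRF and DH-group terms, explains why two ends' proposals do not intersect, and flags weak or redundant terms. The algorithm-name tables are an assumption of the example (they cover the names used in this thread plus a few common ones); the strings it runs on are the ones quoted above.

```python
"""Static comparison of strongSwan ike=/esp= proposal strings from two peers.

Syntax handled (ipsec.conf): terms joined by '-', alternative proposals by ',',
a trailing '!' meaning strict (strongSwan does not append its defaults).
"""
import re

# Algorithm-name tables are an assumption of this example, not an exhaustive
# list of what strongSwan accepts.
AEAD_RE = re.compile(r"^aes(128|192|256)(gcm|ccm)(8|12|16|64|96|128)$")
CIPHER_RE = re.compile(r"^(aes(128|192|256)|3des|null)$")
INTEG_RE = re.compile(r"^(sha1|sha256|sha384|sha512|md5|aesxcbc)(_\d+)?$")
PRF_RE = re.compile(r"^prf(sha1|sha256|sha384|sha512|md5|aesxcbc)$")
DH_RE = re.compile(r"^(modp\d+|ecp\d+|curve25519)$")
WEAK = {"modp768", "modp1024", "sha1", "md5", "3des", "null"}


def parse_proposal(text):
    """Return ([{encr, integ, prf, dh, aead}, ...], strict) for one proposal string."""
    strict = text.endswith("!")
    proposals = []
    for prop in text.rstrip("!").split(","):
        p = {"encr": set(), "integ": set(), "prf": set(), "dh": set(), "aead": False}
        for alg in prop.split("-"):
            if AEAD_RE.match(alg):
                p["encr"].add(alg)
                p["aead"] = True          # AEAD cipher: carries its own integrity
            elif CIPHER_RE.match(alg):
                p["encr"].add(alg)
            elif INTEG_RE.match(alg):
                p["integ"].add(alg)
            elif PRF_RE.match(alg):
                p["prf"].add(alg)
            elif DH_RE.match(alg):
                p["dh"].add(alg)
            else:
                raise ValueError("unknown algorithm term: %r" % alg)
        proposals.append(p)
    return proposals, strict


def _mismatches(a, b):
    """List the reasons proposals a and b do not intersect ([] if they do)."""
    problems = []
    if not a["encr"] & b["encr"]:
        problems.append("no common cipher: %s vs %s" % (sorted(a["encr"]), sorted(b["encr"])))
    # integrity only matters when at least one side uses a non-AEAD cipher
    if not (a["aead"] and b["aead"]) and not a["integ"] & b["integ"]:
        problems.append("no common integrity algorithm: %s vs %s"
                        % (sorted(a["integ"]), sorted(b["integ"])))
    # a DH group in an ESP proposal turns on PFS; both peers must agree on that
    if bool(a["dh"]) != bool(b["dh"]):
        problems.append("PFS mismatch: DH groups %s vs %s (one side has none)"
                        % (sorted(a["dh"]), sorted(b["dh"])))
    elif a["dh"] and not a["dh"] & b["dh"]:
        problems.append("no common DH group: %s vs %s" % (sorted(a["dh"]), sorted(b["dh"])))
    return problems


def compare_proposals(left, right):
    """[] if any proposal on `left` intersects any on `right`, else the
    mismatch reasons for the first pair tried."""
    left_props, _ = parse_proposal(left)
    right_props, _ = parse_proposal(right)
    first = None
    for a in left_props:
        for b in right_props:
            problems = _mismatches(a, b)
            if not problems:
                return []
            if first is None:
                first = problems
    return first


def audit_proposal(text):
    """Notes on one side's proposal: weak terms, redundant integrity, non-strict."""
    notes = []
    proposals, strict = parse_proposal(text)
    for p in proposals:
        for alg in sorted((p["encr"] | p["integ"] | p["dh"]) & WEAK):
            notes.append("weak: %s" % alg)
        if p["aead"] and p["integ"]:
            notes.append("redundant integrity with AEAD cipher: %s" % ",".join(sorted(p["integ"])))
    if not strict:
        notes.append("not strict: strongSwan also offers its default proposals")
    return notes


if __name__ == "__main__":
    # the two ESP proposals quoted in the thread
    vps_esp, pfsense_esp = "aes128gcm128-sha1!", "aes128gcm128-sha1-modp1024!"
    for line in compare_proposals(vps_esp, pfsense_esp):
        print("ESP:", line)
    for line in audit_proposal("aes128-sha1-modp1024!"):
        print("IKE:", line)
```

This is a check of the two configuration files, not of the negotiation itself: on the wire the initiator sends its list and the responder picks, and without a trailing `!` strongSwan appends its default proposals, which the script only notes rather than models.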
