IPsec peer/server configuration

To begin IPsec configuration, navigate to VPN | IPsec. You can configure an IPsec tunnel from the default tab, Tunnels. This tab displays a table of all existing IPsec tunnels. Each IPsec tunnel requires a Phase 1 configuration, and one or more Phase 2 configurations. To begin Phase 1 configuration, click on the Add P1 button below the table on the right side.

The Phase 1 configuration page has four sections: General Information, Phase 1 Proposal (Authentication), Phase 1 Proposal (Algorithms), and Advanced Options. The first option under General Information is the Disabled checkbox. If checked, the Phase 1 entry is disabled, but will still be in the table. The next option is the Key Exchange version drop-down box. This allows you to choose between IKEv1 (V1), IKEv2 (V2), or Auto. If Auto is chosen, IKEv2 will be used when initiating a connection, but either IKEv1 or IKEv2 will be accepted when pfSense is responding to a request to initiate a connection. Auto is the more foolproof option, as it will work unless the responder requires IKEv1; if you are setting up a VPN tunnel in a corporate environment, however, your choice may be dictated by company policy.

Next is the Internet Protocol drop-down box. This allows you to choose between IPv4, IPv6, or Both (Dual Stack). In the Interface drop-down box, you select the interface that is the local endpoint of the tunnel. Typically, you'll want to leave this as WAN since you will be accepting connections from the WAN side, but you can set it to any interface. In the Remote Gateway edit box, you must enter the public IP address or hostname of the remote gateway. If you are configuring IPsec on a pfSense box that sits at the boundary between the internet and your local network, then the value entered here should match the IP address of the WAN interface, or the domain name that matches that IP address. If you are configuring IPsec on a router that is behind one or more other routers, however, the value entered here may be different. You may enter a brief, non-parsed description in the Description edit box.

Version 2.4.3 added support for choosing both IPv4 and IPv6 at the same time, thus allowing a pfSense IPsec server/peer to accept inbound connections from either address family.

The first option in the next section is the Authentication Method drop-down box. The options are Mutual PSK and Mutual RSA. Mutual PSK allows for authentication using a pre-shared key (PSK), whereas Mutual RSA allows for authentication using certificates. The Negotiation Mode drop-down box allows you to choose the type of authentication security that will be used. What differentiates the two is what happens when the VPN tunnel needs to be rebuilt. Main will force the peer to re-authenticate, which is more secure, but will take longer, while Aggressive will rebuild the tunnel quickly, sacrificing security. The Aggressive mode is generally recommended, since it will ensure that if the VPN tunnel is down, it will be able to rebuild itself quickly. My identifier identifies the pfSense router to the far side of the connection. It can usually be left as My IP address. Peer identifier identifies the router on the far side; this can usually be left as Peer IP address.

If you selected Mutual PSK as your Authentication Method, then the next field will be Pre-Shared Key, where you enter the PSK string. You should choose a long key (at least 10 characters), and since special characters are supported, it might be a good idea to use them as well. If you chose Mutual RSA, then the next two options will be the My Certificate drop-down box, where you select a certificate previously configured in the pfSense certificate manager, and the Peer Certificate Authority drop-down box, where you select a Certificate Authority (CA) (also previously configured in the certificate manager).
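The pre-shared key is the only secret protecting a Mutual PSK tunnel, so it is worth generating it from a proper random source and checking it against the guidance above (at least 10 characters, special characters included) before pasting it into the Pre-Shared Key field. The following is an added example written for this page, not pfSense code; the 64-bit entropy floor and the function names are this example's own assumptions.

```python
"""Generate and check an IPsec pre-shared key (added example, not pfSense code)."""
import math
import secrets
import string

# Printable ASCII minus whitespace; pfSense accepts special characters in a PSK.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 10         # the minimum given in the text above; longer is better
MIN_ENTROPY_BITS = 64   # assumed policy threshold for this example, not a pfSense value


def psk_entropy_bits(psk: str) -> float:
    """Estimate the search space faced by an attacker who knows which
    character classes the key uses: len(psk) * log2(pool size)."""
    pool = 0
    if any(c.islower() for c in psk):
        pool += 26
    if any(c.isupper() for c in psk):
        pool += 26
    if any(c.isdigit() for c in psk):
        pool += 10
    if any(c in string.punctuation for c in psk):
        pool += len(string.punctuation)   # 32 printable special characters
    return len(psk) * math.log2(pool) if pool else 0.0


def psk_problems(psk: str) -> list:
    """Return the reasons a candidate key fails the policy (empty list = acceptable)."""
    problems = []
    if len(psk) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.punctuation for c in psk):
        problems.append("no special characters")
    if not any(c.isdigit() for c in psk):
        problems.append("no digits")
    if not any(c.isalpha() for c in psk):
        problems.append("no letters")
    if any(c.isspace() for c in psk):
        problems.append("contains whitespace")
    if len(set(psk)) < len(psk) // 2:
        problems.append("too many repeated characters")
    if psk_entropy_bits(psk) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    return problems


def generate_psk(length: int = 32) -> str:
    """Draw a key from the OS CSPRNG (secrets), resampling until it passes psk_problems()."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not psk_problems(candidate):
            return candidate


if __name__ == "__main__":
    key = generate_psk()
    print(f"PSK: {key}")
    print(f"estimated entropy: {psk_entropy_bits(key):.1f} bits")
    # A constructed weak key, to show what the checker rejects.
    print("weak key problems:", psk_problems("password1"))
```

The same key has to be entered on both peers, so generate it once and transfer it over a channel you already trust (for example, an existing administrative SSH session), never in the clear.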

The next section deals with encryption options. The Encryption Algorithm drop-down box allows you to choose an encryption method. Both AES and Blowfish allow you to choose between 128-bit, 192-bit, and 256-bit encryption using an adjacent drop-down box, while 3DES and CAST128 do not have this option. The default option is AES-256, which is a good choice, but if a peer on the other end can only support DES encryption, you can choose 3DES. IPsec employs a hash function to ensure the integrity of its data, and the Hash Algorithm drop-down box allows you to choose which one is used. SHA1 is considered stronger and more reliable than MD5, but some devices only support MD5, so it is included as an option. If you require a more secure hash function, several are available (for example, SHA512).

Version 2.4.3 added the ability to use more than one encryption algorithm. To select additional algorithms, click on the Add Algorithm button in the Encryption Algorithm section, and select the desired Algorithm, Key Length, Hash, and DH Group.

The DH Group drop-down box allows you to select the Diffie-Hellman (DH) group that is used to generate session keys. The default value is 1024 bits, which is generally considered safe, especially for keys that have a relatively short lifetime. You can use a greater number of bits, but this potentially comes at a cost in performance. The Lifetime (Seconds) edit box allows you to choose how long pfSense will wait for Phase 1 to complete. The default value is 28800 seconds, but you may want to increase this value.

The Advanced Options section's first option is the Disable Rekey checkbox. By default, pfSense will renegotiate an IPsec connection if it is about to expire, but checking this box disables this behavior. The Responder Only checkbox, if checked, will cause pfSense to only respond to incoming IPsec requests, and never initiate a connection.

The NAT Traversal drop-down box allows you to enable the encapsulation of ESP in UDP packets on port 4500, also known as NAT-T. This should only be set if one side or both sides of the connection are behind restrictive firewalls. If necessary, choose Force to enable NAT-T.

The DPD (Dead Peer Detection) checkbox, if checked, will help detect if the other side is having a problem, and if so, will try to rebuild the tunnel. If this option is checked, you must also set values in the Delay (the delay between requesting peer acknowledgement) and Max failures (the number of consecutive failures allowed before disconnect). The default values of 10 and 5 are suitable in most cases, although you may need to change these later. Click on Save when you are done making changes, and then click on Apply Changes on the main IPsec page.

Phase 1 IPsec configuration.

You have now configured Phase 1, but you have to create one or more Phase 2 entries to complete the process. In the table on the main IPsec page, there should be an entry for the Phase 1 connection you just configured. Click on Show Phase 2 Entries to show any Phase 2 entries; this subsection should be empty, but there should be an Add P2 button. Click on this button to begin Phase 2 configuration.

There are three sections on the Phase 2 configuration page: General Information, Phase 2 Proposal (SA/Key Exchange), and Advanced Configuration. The first option in General Information is the Disabled checkbox, which allows you to disable this entry without removing it from the table. The Mode drop-down box allows you to choose between Tunnel IPv4, Tunnel IPv6, and Transport. The tunnel mode encrypts the entire IP packet and adds a new IP header, whereas the transport mode encrypts the payload, but not the IP header. If you choose tunnel mode, your choice between IPv4 and IPv6 will be dictated by what you set in the Internet Protocol drop-down box during Phase 1 configuration.

The Local Network drop-down box allows you to define which subnet or host can be accessed from the other side of the VPN tunnel. For example, if you select LAN subnet, the entire LAN will be accessible from the other side of the VPN tunnel. On the other end of the tunnel, the same network appears in the peer's VPN settings, only under Remote Network or Remote Subnet. The settings must match on both sides for it to work.

The next setting is the NAT/BINAT translation drop-down box. This allows you to specify the settings that will be presented to the other side of the tunnel in cases where the actual local network is hidden. If you choose Address or Network, you can specify the IP address or subnet in the adjacent edit box. Next is the Remote Network drop-down. Here you specify the network or address on the other side of the tunnel, which will be accessible from this side of the tunnel. It must match the setting in the Local Network setting for the peer, or the connection will fail. You may enter a brief non-parsed description in the Description field.

The next section is Phase 2 Proposal (SA/Key Exchange). The first option is the Protocol drop-down, where you can select the protocol (for key exchange only). The options are ESP and AH. The de facto standard is ESP, and it is the recommended setting. ESP uses port 50 and AH uses port 51. pfSense should autogenerate a rule to allow ESP or AH to the endpoint of the IPsec tunnel (the rules should appear under the Floating tab). If it does not, you will have to create a rule.

The next option is Encryption Algorithm. The default is AES, but you can choose more than one algorithm. It is recommended, however, that you only check the one that is to be used. The algorithm must match the setting of the remote peer. The recommended algorithm is AES-256.

Next are the Hash Algorithms checkboxes. You can choose more than one hash algorithm, although it is recommended that you only select the one being used. As mentioned before, some devices only support MD5, so check that if the remote peer is such a device. SHA1 is the default setting.

The PFS Key Group is similar to the DH group in Phase 1. The default setting is off; as with the Phase 1 DH Group setting, there is a trade-off between security and performance. The Lifetime edit box sets the lifetime of the negotiated keys. The value should not be too high, or hackers will have more time to crack the key.

The last section, Advanced Configuration, has only one setting. The Automatically ping host edit box allows you to enter an IP address on a remote Phase 2 network to ping in order to keep the tunnel alive. When you are done changing settings, click on the Save button at the bottom of the page, then click on Apply Changes when the main IPsec page loads.

Now that Phase 1 and Phase 2 configuration is complete, you may still need to add firewall rules (although there should be automatically-generated rules for most of these). IPsec requires the following ports to be open, so navigate to Firewall | Rules, click on the Floating tab, and confirm that the following rules (or at least the ones necessary for your configuration) exist:

Port   Protocol   Notes
50     ESP        Required if ESP is used for Phase 2 key exchange
51     AH         Required if AH is used for Phase 2 key exchange
500    UDP        For IKE
4500   UDP        Required if NAT traversal is used

Port 500 must be open in all configurations. The other rules may or may not have to be created, depending on which options you use. If you use NAT-T, port 4500 must have a NAT rule and corresponding firewall rule. For Phase 2 key exchange, you are going to use either ESP or AH. If you choose ESP, you don't need to open port 51, and if you use AH, you don't need to open port 50. The NAT entry must be created on the WAN interface, to allow port forwarding from the WAN to the IPsec tunnel.
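Most failed tunnels come down to a setting that does not match on the two peers: the Key Exchange version (recall that Auto proposes IKEv2 when initiating and accepts either version when responding), an algorithm that only one side offers, or a Local Network that is not mirrored as the other side's Remote Network. The following added example, written for this page and not part of pfSense, models the Phase 1 and Phase 2 options described above so that two peers' settings can be compared before they are committed, and then lists the floating rules the chosen options call for, following the table above. One practitioner caveat it builds in: ESP and AH are IP protocol numbers 50 and 51 rather than UDP or TCP ports, so a rule for them is keyed on the protocol, not on a port. The class and function names, and the two constructed site configurations, are this example's own assumptions.

```python
"""Compare two pfSense IPsec peers' Phase 1/Phase 2 settings (added example, not pfSense code)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Phase1:
    key_exchange: str            # "V1", "V2" or "Auto"
    auth_method: str             # "Mutual PSK" or "Mutual RSA"
    encryption: set              # e.g. {"AES-256"}; 2.4.3+ allows several
    hashes: set                  # e.g. {"SHA256"}
    dh_group: int                # DH group number
    nat_traversal: str = "Auto"  # "Auto" or "Force"
    responder_only: bool = False


@dataclass
class Phase2:
    protocol: str                # "ESP" or "AH"
    local_network: str           # CIDR entered as Local Network
    remote_network: str          # CIDR entered as Remote Network
    encryption: set
    hashes: set
    pfs_group: int = 0           # 0 means PFS off


def ike_version_ok(initiator: str, responder: str) -> bool:
    """Auto proposes IKEv2 when initiating and accepts either version when responding."""
    proposed = "V2" if initiator == "Auto" else initiator
    accepted = {"V1", "V2"} if responder == "Auto" else {responder}
    return proposed in accepted


def check_peers(a1: Phase1, a2: Phase2, b1: Phase1, b2: Phase2) -> list:
    """Return the mismatches between peer A and peer B (empty list = compatible)."""
    problems = []
    # Someone has to initiate, and the responder must accept what it proposes.
    can_start = []
    if not a1.responder_only:
        can_start.append(ike_version_ok(a1.key_exchange, b1.key_exchange))
    if not b1.responder_only:
        can_start.append(ike_version_ok(b1.key_exchange, a1.key_exchange))
    if not any(can_start):
        problems.append("no peer can initiate with an IKE version the other accepts")
    if a1.auth_method != b1.auth_method:
        problems.append("Phase 1 authentication methods differ")
    if not a1.encryption & b1.encryption:
        problems.append("Phase 1 encryption algorithms have nothing in common")
    if not a1.hashes & b1.hashes:
        problems.append("Phase 1 hash algorithms have nothing in common")
    if a1.dh_group != b1.dh_group:
        problems.append("Phase 1 DH groups differ")
    if a2.protocol != b2.protocol:
        problems.append("Phase 2 protocols differ (ESP vs AH)")
    # Local Network on one side must equal Remote Network on the other side.
    if ipaddress.ip_network(a2.local_network) != ipaddress.ip_network(b2.remote_network):
        problems.append("A's Local Network does not match B's Remote Network")
    if ipaddress.ip_network(b2.local_network) != ipaddress.ip_network(a2.remote_network):
        problems.append("B's Local Network does not match A's Remote Network")
    if not a2.encryption & b2.encryption:
        problems.append("Phase 2 encryption algorithms have nothing in common")
    if not a2.hashes & b2.hashes:
        problems.append("Phase 2 hash algorithms have nothing in common")
    if a2.pfs_group != b2.pfs_group:
        problems.append("Phase 2 PFS key groups differ")
    return problems


def required_rules(p1: Phase1, p2: Phase2) -> list:
    """Floating rules the chosen options need, as (protocol, number, note) tuples."""
    rules = [("UDP", 500, "IKE, needed in every configuration")]
    if p1.nat_traversal == "Force":
        rules.append(("UDP", 4500, "NAT-T, ESP encapsulated in UDP"))
    if p2.protocol == "ESP":
        rules.append(("ESP", 50, "IP protocol 50, used by Phase 2"))
    else:
        rules.append(("AH", 51, "IP protocol 51, used by Phase 2"))
    return rules


if __name__ == "__main__":
    # Constructed sample: site A initiates, site B is Responder Only behind NAT.
    a1 = Phase1("Auto", "Mutual PSK", {"AES-256"}, {"SHA256"}, 14)
    a2 = Phase2("ESP", "192.168.1.0/24", "10.0.0.0/24", {"AES-256"}, {"SHA256"}, 14)
    b1 = Phase1("V2", "Mutual PSK", {"AES-256", "AES-128"}, {"SHA256"}, 14, "Force", True)
    b2 = Phase2("ESP", "10.0.0.0/24", "192.168.1.0/24", {"AES-256"}, {"SHA256"}, 14)
    print("mismatches:", check_peers(a1, a2, b1, b2) or "none")
    for proto, number, note in required_rules(b1, b2):
        print(f"allow {proto:<4} {number:<5} # {note}")
```

Run it with each side's settings filled in from the two Phase 1 and Phase 2 pages; an empty mismatch list is the point at which it is worth clicking Apply Changes, and the rule list is what to confirm under the Floating tab.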

If you used the traffic shaping wizard, the wizard may have already created a rule to allow port 500 IPsec traffic. Nonetheless, you'll probably want to navigate to the Floating Rules tab to confirm that the rule exists.