Configuring Lan-to-Lan IPsec VPN with PFSense and Draytek.

My Case

I’m trying to connect to a server in the a datacenter for easy maintenance, this will be a Lan-to-Lan from my home network to the network in the datacenter. The server is behind a PFSense firewall which is directly connected to the internet. My home network uses a Draytek for VPN but is not directly attached to the internet, I am using the standard modem from my provider which does NAT as well. The modem is set to trigger all ports and DMZ to the Draytek. Keep in mind that this double NAT setup does change a little bit in the process, I will make a comment what to do when you are or aren’t using a double NAT setup.

Configuring The PFSense IPsec Host

Adding Phase 1 entry

First go to VPN>IPsec and click + Add P1

General information

Configure the General Information as shown in the following screenshot.
The Remote Gateway will have to be set to the Drayteks (or modems) public IP-address.

Phase 1 Proposal (authentication)

Authentication Method should be set to “Mutual PSK”, Negotiation mode to “Main” and My identifier will be “My IP address”. If the Draytek is directly attached to the internet then the Peer identifier should be left at “Peer IP address”, when using a double NAT setup like mine then use “KeyID tag” and set the ID to your Drayteks WAN IP.
Enter your super-secret Pre-Shared Key and write it down (or copy it) for later.

With double NAT:

Phase 1 Proposal (Algorithms)

I have not yet tried any other algorithms but these settings seem to work for me.
Encryption Algorithm “AES” “256 bit”, Hash Algorithm “SHA1”, DH Group “2 (1024 bit)” and Lifetime (Seconds) “28800”

Advanced Options

Advanced options can be left as is. Now save the settings for the P1.

Adding Phase 2 Entry

When back in the IPsec tunnel click the button to show Phase 2 Entries and click + Add P2

The add button will show after left click at Show Phase 2 Entries.

General information

Leave settings as is, only fill in the subnet of your home network (Draytek LAN) and a description for the VPN.

Phase 2 Proposal (SA/Key Exchange)

Set protocol to ESP. Untick every Encryption Algorithms except AES, do the same for Hash Algorithms and leave SHA1 ticked. The PFS key group should be set to “2 (1024 bit)” and Lifetime can be set at “3600”.

Advanced Configuration

Leave Automatically ping host empty or set this to the Drayteks LAN IP.
Now click save.

Configuring Firewall

Go to Firewall>Rules and click the IPsec tab.


Now press the add button.
Both Add buttons add the same firewall rule, it just places it on the top or bottom of your list.

Leave all options as is, only change the Protocol to TCP.

Now enter a description of your firewall rule in the description box and press save.

Configuring the Draytek Router

Configuring the Lan-to-Lan VPN

Click VPN and Remote Access>Lan to Lan and press 1. Or the VPN number you want to use.

1. Common Settings

Enter a Profile name, leave Call direction at both and set the WAN port you are using on the Draytek as first or only. Idle Timeout can be set to your preference.

2. Dial-Out Settings

Set Type of Server I am calling to IPsec Tunnel and fill in the public IP address of your PFSense router at Server IP.
IKE Authentication should be set at Pre-Shared Key and fill in the key you wrote down earlier.
IPsec Security Method should be set to High (ESP) and 3DES with Authentication.

Under IPsec Security Method go to Advanced .
Set the IKE Phase 1 Proposal to AES256_SHA1_G14 and set IKE Phase 2 proposal to AES128_SHA1/AES128_MD5.

3. Dial-In Settings

Set allowed Dial-In Type to IPsec Tunnel. Tick the box that says Specify Remote VPN Gateway and fill in the Public IP Address of the PFSense router. Tick the Pre-Shared Key box and fill in the Pre-Shared Key again. Under IPsec Security Method untick all boxes except AES.

4. GRE Settings

Leave Settings as is.

5. TCP/IP Network Settings

Set My WAN IP and Remote Gateway IP to 0.0.0.0. The Remote Network IP should be the network range of your PFSense network “xxx.xxx.xxx.0”. The Local Network IP should be set to the LAN IP address of your Draytek Router. Now press OK to save settings.

Setting up the connection

Right now you should be set, if it does not connect automatically you can manually start the VPN connection on your PFSense by going to to VPN>IPsec….

And click the graph icon in the top-right of the screen.

Now click Connect VPN on the right of the table and it should connect within seconds.

Your Draytek should now also state online in the Lan-to-Lan VPN table.

You will now be able to ping and access devices in both of the subnets.