Net-to-Net Connections

Net-to-Net Connections are the most common connection type for IPsec. They connect two networks securely and transparently with each other over the Internet.

IPFire supports the following features:

  • Authentication using certificates and PSK
  • Classic IPsec and routed connections using GRE/VTI
  • Tunnel and Transport mode


In order to set up an IPsec VPN, both systems need to be able to talk to each other. IPsec uses UDP/500, UDP/4500 and ESP which will automatically be opened in IPFire.

Static IP addresses are helpful, but dynamic DNS hostnames are supported, too.

Creating a New Connection

Start creating a new connection by clicking on "Add" and select "Net-to-Net Virtual Private Network".

On the next page, choose a name for your connection.

Then, select the local IP address you would like to use for this connection. Enter the remote peer address which could be their hostname or a static IP address.

Then, you will have to decide which networks you want to connect with each other. The default for the local site is the GREEN network. The remote network cannot overlap with any local networks and you can enter multiple networks as a comma-separated list.

Filling in the IDs depends on the connection type you are choosing.

Certificates or PSK?

Connections authenticated using certificates are more robust against brute-force attacks and should be preferred over pre-shared keys. This does not have any effect on the throughput of the VPN.


Connections with certificates are very easy to set up. All it takes is the host and root certificate of the peer.

The root certificate needs to be loaded into IPFire on the main configuration page before the connection is being created and will act as a trust anchor for the host certificate.

The host certificate will be uploaded when the connection is being created and IPFire will ask the peer to present the same certificate. To do that, select "Upload a certificate" and upload the file. If the peer holds the secret key for the host certificate, the connection is authenticated.

The ID fields at the top section of the page should be left empty.


Connections with PSKs are very common and set up with only three settings:

  • You will need to generate a pre-shared-key that is strong enough to not be guessed. It is recommended to at least use a 32 character long key.
  • Since the PSK is not enough to identify the connection in case of multiply connections using PSK authentication, you will need to fill in the "Local ID" and "Remote ID" fields. There are no restrictions for this, the pair must only be unique across all connections you have and must match with the settings of the peer. You can use:
    • Any ASCII-string that starts with an @. It is common to use the hostname (e.g.
    • Some vendors automatically fill in the IP addresses of both peers

Check the tunnel

After clicking "Save", the connection should come straight up. You can try to ping a system on the remote network to verify that is successfully transmitting data.

Edit Page ‐ Yes, you can edit!

Older Revisions • July 21 at 3:01 pm • Michael Tremer