Net-to-Net Connections are the most common connection type for IPsec. They connect two networks securely and transparently with each other over the Internet.
IPFire supports the following features:
In order to set up an IPsec VPN, both systems need to be able to talk to each other. IPsec uses UDP/500, UDP/4500 and ESP, which are opened automatically in IPFire.
Static IP addresses are helpful, but dynamic DNS hostnames are supported, too.
Start creating a new connection by clicking on "Add" and select "Net-to-Net Virtual Private Network".
On the next page, choose a name for your connection.
Then, select the local IP address you would like to use for this connection, and enter the remote peer address, which can be a hostname or a static IP address.
Then, decide which networks you want to connect with each other. The default for the local side is the GREEN network. The remote network must not overlap with any local network; you can enter multiple networks as a comma-separated list.
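The overlap rule above is easy to get wrong by hand once several subnets are involved. The following check, added here as an illustration and not part of IPFire's own code, parses the comma-separated network lists the page describes and reports any remote network that overlaps a local one, or any entry that is not a valid network (for example a host address with a prefix length). The sample network lists are constructed for the example.

```python
import ipaddress


def parse_networks(text):
    """Parse a comma-separated list of networks, e.g. "10.0.0.0/24, 192.168.5.0/24".

    strict=True rejects entries with host bits set (e.g. "10.0.0.1/24"),
    which is the usual sign of a typo in a net-to-net definition.
    """
    networks = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        networks.append(ipaddress.ip_network(item, strict=True))
    return networks


def validate_networks(local_text, remote_text):
    """Return a list of problems with a proposed net-to-net configuration.

    An empty list means the remote networks can be routed through the
    tunnel without colliding with any local network.
    """
    problems = []
    try:
        local = parse_networks(local_text)
    except ValueError as exc:
        return [f"invalid local network list: {exc}"]
    try:
        remote = parse_networks(remote_text)
    except ValueError as exc:
        return [f"invalid remote network list: {exc}"]

    if not local or not remote:
        problems.append("both sides need at least one network")

    # Every remote network is checked against every local network;
    # only same-family (IPv4/IPv6) networks can overlap.
    for r in remote:
        for l in local:
            if r.version == l.version and r.overlaps(l):
                problems.append(f"remote {r} overlaps local {l}")
    return problems


if __name__ == "__main__":
    # Constructed example: GREEN is 192.168.1.0/24, the peer offers two networks,
    # one of which is carved out of our own GREEN range.
    for msg in validate_networks("192.168.1.0/24", "10.10.0.0/16, 192.168.1.128/25"):
        print(msg)
```

Run it before saving the connection: any line printed is a network that has to be renumbered or removed on one side before the tunnel can carry traffic correctly.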
Filling in the IDs depends on the connection type you are choosing.
Connections authenticated using certificates are more robust against brute-force attacks and should be preferred over pre-shared keys. This does not have any effect on the throughput of the VPN.
Connections with certificates are very easy to set up. All it takes is the host and root certificate of the peer.
The root certificate needs to be loaded into IPFire on the main configuration page before the connection is created; it acts as the trust anchor for the host certificate.
The host certificate is uploaded when the connection is created, and IPFire will ask the peer to present the same certificate. To do that, select "Upload a certificate" and upload the file. If the peer holds the secret key for the host certificate, the connection is authenticated.
The ID fields at the top section of the page should be left empty.
Connections with PSKs are very common and set up with only three settings:

IDs are prefixed with an @. It is common to use the hostname (e.g. @trucking.ipfire-at-home.com).

After clicking "Save", the connection should come straight up. You can try to ping a system on the remote network to verify that it is successfully transmitting data.
July 21, 2021 at 3:01 pm • Michael Tremer