FortiGate
wcruvinel (Staff)
Article Id 316028
Description: This article describes how to set up an IPsec VPN between FortiGate and pfSense using IKEv2.
Scope: Applicable to all FortiGate versions and pfSense version 2.3 and later. FortiGate, IPsec VPN.
Solution

Network diagram: top.PNG

FortiGate configuration:

Phase 1 Configuration:

For Phase 1 configuration, set the proposal so that it matches the pfSense side, and specify the outgoing interface (port1 here) and the IP address of the remote pfSense peer:

config vpn ipsec phase1-interface
edit "VPN-TO-pfSense"
set interface "port1"
set ike-version 2
set peertype any
set net-device disable
set proposal aes256-sha1
set dpd on-idle
set dhgrp 2
set remote-gw 10.10.1.1
set psksecret 12345678
next
end

Phase 2 Configuration:

For Phase 2 configuration, set the proposal so that it matches the pfSense side, and specify the source and destination prefixes:

config vpn ipsec phase2-interface
edit "VPN-TO-pfSense"
set phase1name "VPN-TO-pfSense"
set proposal aes256-sha1
set pfs disable
set keepalive enable
set auto-negotiate enable
set src-subnet 192.168.2.0 255.255.255.0
set dst-subnet 192.168.1.0 255.255.255.0
next
end

Static route configuration:

config router static
edit 0
set dst 192.168.1.0 255.255.255.0
set device "VPN-TO-pfSense"
next
end

Firewall policy configuration allowing traffic in both directions:


config firewall policy
edit 1
set srcintf "port2"
set dstintf "VPN-TO-pfSense"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end

config firewall policy
edit 2
set srcintf "VPN-TO-pfSense"
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end

pfSense configuration:

Go to VPN > IPsec and choose IKEv2. Select the interface and enter the remote FortiGate IP address.

Choose the proposals for Phase 1 and, once done, click Save:

Picture4.png

Picture5.png, Picture6.png

After saving, click "Apply Changes" to commit the configuration:

Picture7.png

After committing, the message below will appear:

Picture8.png

Then click the "Add P2" button:

Picture2.png

Once done, choose all proposals and parameters so that they match those configured on the remote FortiGate side, then click Save.

Picture9.png, Picture10.png

Picture11.png

Again, after pressing Save, click "Apply Changes" to commit all configuration changes:

Picture12.png

After committing, the message below will appear:

Picture13.png

Now click the "Pre-Shared Keys" link to enter the chosen pre-shared key. Once done, save and commit as in the previous examples:

Picture8.png

Picture14.png

After everything is done, check the status of the IPsec tunnel between FortiGate and pfSense by going to Status > IPsec:

Picture15.png

The status shown below confirms that the tunnel is established:

Picture16.png, Picture17.png

Now, to allow the flow between the source and destination through the tunnel, go to Firewall > Rules:

rule.PNG

On this page, set the rule options to allow traffic in both directions. Once done, click "Save" and then "Apply Changes" to commit the configuration:

Picture20.png, Picture21.png, Picture22.png, Picture23.png
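As an added check (example code written for this article, not Fortinet's or pfSense's own tooling), the script below parses the FortiGate phase1/phase2 CLI blocks shown earlier and compares them with the values entered in the pfSense GUI, reporting any mismatch that would stop the tunnel from negotiating and flagging algorithms that are weak by current standards, such as SHA1 and DH group 2 used in this example. The PFSENSE values and the WEAK set are assumptions, and the parser only handles the single-entry, single-proposal form used in this article.

```python
# Constructed sample: the FortiGate phase1/phase2 blocks from this article.
FORTIGATE_CLI = """
config vpn ipsec phase1-interface
edit "VPN-TO-pfSense"
set proposal aes256-sha1
set dhgrp 2
next
end
config vpn ipsec phase2-interface
edit "VPN-TO-pfSense"
set proposal aes256-sha1
set pfs disable
set src-subnet 192.168.2.0 255.255.255.0
set dst-subnet 192.168.1.0 255.255.255.0
next
end
"""
# Constructed: values entered in the pfSense GUI (assumed); 'local'/'remote' are pfSense's own view.
PFSENSE = {"p1": "aes256-sha1", "p1_dh": "2", "p2": "aes256-sha1", "pfs": "off",
           "local": "192.168.1.0/24", "remote": "192.168.2.0/24"}
WEAK = {"sha1", "md5", "des", "3des", "dh1", "dh2", "dh5"}  # flag even when both peers agree

def parse_fortios(text):  # -> {section: {key: value}} for single-entry 'config ... end' blocks
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            current = sections.setdefault(line[7:], {})
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current[key] = value
    return sections

def to_cidr(subnet):  # '192.168.2.0 255.255.255.0' -> '192.168.2.0/24'
    ip, mask = subnet.split()
    return f"{ip}/{sum(bin(int(o)).count('1') for o in mask.split('.'))}"

def compare(fgt_text, pf):  # -> (mismatches, weak algorithms in use)
    s = parse_fortios(fgt_text)
    p1, p2 = s["vpn ipsec phase1-interface"], s["vpn ipsec phase2-interface"]
    checks = {  # name: (FortiGate value, pfSense value); subnets are mirrored across the peers
        "p1 proposal": (p1["proposal"], pf["p1"]),
        "p1 dh group": (p1["dhgrp"], pf["p1_dh"]),
        "p2 proposal": (p2["proposal"], pf["p2"]),
        "pfs": ("off" if p2["pfs"] == "disable" else "on", pf["pfs"]),
        "src-subnet": (to_cidr(p2["src-subnet"]), pf["remote"]),
        "dst-subnet": (to_cidr(p2["dst-subnet"]), pf["local"]),
    }
    mismatches = [f"{k}: FortiGate={a} pfSense={b}" for k, (a, b) in checks.items() if a != b]
    used = set(p1["proposal"].split("-") + p2["proposal"].split("-")) | {"dh" + p1["dhgrp"]}
    return mismatches, sorted(used & WEAK)
```

Running compare(FORTIGATE_CLI, PFSENSE) on the article's values returns no mismatches but flags dh2 and sha1; an empty mismatch list with a tunnel that still does not come up points at the pre-shared key, the peer address or the firewall rules rather than the proposals.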


If you need to check the IPsec VPN status or troubleshoot the tunnel, see the articles below:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Troubleshooting-IPsec-Site-to-Site-T...

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955

https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/137844/vpn-ipsec-troubleshoo...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-automation-stitches-to-run-debugs-or...