Configuring RSA Authentication for IPsec
Using certificate-based RSA authentication for identification of VPN tunnel peers is much stronger than using a simple Pre-Shared Key.
RSA authentication requires a PKI structure, which must be created first. This can be done in the pfSense® webGUI using the Certificate Management feature. Refer to the Certificate Management article for specifics on creating certificate authorities and certificates.
First, designate one of the firewalls to hold the CA/Certificate structure. For this document, it will be called Firewall A. The other firewall will be Firewall B.
On Firewall A:
Create a Certificate Authority (CA).
Create a Certificate for Firewall A. Set the Common Name to the hostname of Firewall A, and add an Alternative Names entry with a Type of IP and the Value set to the IP address of the WAN interface on Firewall A.
Create a Certificate for Firewall B. Set the Common Name to the hostname of Firewall B, and add an Alternative Names entry with a Type of IP and the Value set to the IP address of the WAN interface on Firewall B.
Export the CA Certificate, and the Firewall B certificate and key.
On Firewall B:
Import the CA Certificate and the Firewall B certificate and key.
On both firewalls:
Configure the IPsec tunnel as usual, with the following exceptions:
Set Authentication method to Mutual RSA
Select the certificate for this firewall for My Certificate
Select the certificate authority created above for My Certificate Authority
Click Save
Click Apply Changes