pfSense Firewall

To configure the tunnel in the pfSense Management Portal:

  1. Log in to the pfSense Management Portal with the Administrator account.

  2. Go to VPN > IPsec.

  3. Click +Add P1.

  4. In the General Information section:

    Field                 Enter
    Key Exchange version  IKEv2 if supported. Otherwise IKEv1.
    Internet Protocol     IPv4
    Interface             WAN
    Remote Gateway        Public IP address of the Harmony SASE gateway.

  5. In the Phase 1 Proposal (Authentication) section:

    Field                  Enter
    Authentication Method  Mutual PSK
    Negotiation Mode       Main
    My Identifier          My IP Address
                           Note - For Dynamic-IP Tunnel, select Distinguished Name and enter the predefined Remote ID.
    Peer Identifier        Peer IP Address
    Pre-Shared Key         Secret key specified in Configuring the Tunnel in the Harmony SASE Administrator Portal.

  6. In the Phase 1 Proposal (Encryption Algorithm) section:

    Field               Enter
    Algorithm           AES
    Key Length          256 bits
    HASH                SHA256
    DH Group            14
    Lifetime (Seconds)  28800

  7. In the Advanced Options section:

    Field                 Enter
    Disable rekey         Clear
    Margintime (Seconds)  Blank
    Responder Only        Clear
    NAT Traversal         Auto
    Dead Peer Detection   Select
    Delay                 10
    Max failures          5

  8. Click Save.

  9. Click +Add P2.

  10. In the General Information section:

    Field                   Enter
    Mode                    Tunnel IPv4
    Local Network Type      Network
    Local Network Address   Your local LAN network subnet.
    Remote Network Type     Network
    Remote Network Address  Harmony SASE remote network subnet.

  11. In the Phase 2 Proposal (SA/Key Exchange) section:

    Field                 Enter
    Protocol              ESP
    Encryption Algorithm  AES 256 bits
    Hash Algorithm        SHA256
    PFS Key Group         14

  12. Click Save.

  13. (Optional) Configure firewall rules:

    1. Go to Firewall > Rules.

    2. Under IPSEC, add a new rule:

      Field        Enter
      Action       Pass
      Quick        Mark v
      Interface    WAN and IPSEC
      Source       Public IP address of Harmony SASE gateway
      Destination  Any or an external IP address.

    3. Click Save.

  14. Under IPSEC, add a new rule:

    Field        Enter
    Action       Pass
    Source       Public IP address of Harmony SASE gateway
    Destination  Any or an external IP address.

  15. Click Save.

  16. Click Apply Changes.

  17. Activate the tunnel:

    1. From the Menu Bar, click Status > IPsec.

    2. Click Connect VPN for the tunnel to Harmony SASE gateway.
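
Once the tunnel is connected, the negotiated algorithms can be compared with the Phase 1 and Phase 2 values in the tables above. The script below is an added example, not part of the original procedure: it assumes the firewall's IPsec service is strongSwan and that the output of `swanctl --list-sas` is available, and the sample output, the connection name con1 and the addresses are constructed.

```python
import re

# Values from the Phase 1 and Phase 2 tables above, written in strongSwan's
# transform names (assumption: the tunnel is inspected via `swanctl --list-sas`).
REQUIRED = {"AES_CBC-256", "HMAC_SHA2_256_128"}   # AES 256 bits, SHA256
DH_GROUP = "MODP_2048"                            # DH / PFS group 14

# Constructed sample output; addresses are documentation ranges, not real peers.
SAMPLE = """\
con1: #3, ESTABLISHED, IKEv2, 5f1c2a9e0b7d4c31_i* 8a3e6d2f1c0b9e47_r
  local  '203.0.113.10' @ 203.0.113.10[500]
  remote '198.51.100.20' @ 198.51.100.20[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 95s ago, rekeying in 25411s
  con1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96
    installed 95s ago, rekeying in 2890s, expires in 3505s
    local  10.0.0.0/24
    remote 10.255.0.0/16
"""

def check_sas(text):
    """Return [(phase, proposal, problems)] for every negotiated proposal."""
    findings = []
    for line in text.splitlines():
        s = line.strip()
        if "ESP:" in s:                      # CHILD_SA (Phase 2) line
            phase, proposal = "phase2", s.split("ESP:", 1)[1]
        elif re.fullmatch(r"[A-Z0-9_-]+(/[A-Z0-9_-]+)+", s):
            phase, proposal = "phase1", s    # IKE_SA (Phase 1) proposal line
        else:
            continue
        tokens = proposal.split("/")
        problems = [f"missing {t}" for t in sorted(REQUIRED - set(tokens))]
        dh = [t for t in tokens if t.startswith(("MODP_", "ECP_", "CURVE_"))]
        if dh and dh != [DH_GROUP]:
            problems.append(f"DH group {dh[0]} is not {DH_GROUP}")
        elif not dh and phase == "phase1":
            problems.append(f"missing {DH_GROUP}")
        # Under IKEv2 the first CHILD_SA takes its keys from the IKE_SA, so a
        # Phase 2 line without a DH group is expected until the first rekey.
        findings.append((phase, proposal, problems))
    return findings

if __name__ == "__main__":
    for phase, proposal, problems in check_sas(SAMPLE):
        print(phase, proposal, "OK" if not problems else "; ".join(problems))
```

In the constructed sample the Phase 1 proposal matches the tables, while the Phase 2 line is reported because it negotiated AES-128 with SHA1, which points to a mismatch between the P2 settings on the two ends of the tunnel.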