Tutorial details | |
---|---|
Difficulty | Advanced (rss) |
Root privileges | Yes |
Requirements | PFSense |
Time | 15m |
Our sample setup to configure PFSense Site-to-Site IPSec vpn tunnel
Fig.01: A simple site-to-site VPN setup
VPN config provided by a CISCO/OpenBSD gateway located in remote IDC
Phase 1:
Phase 1 config | Values |
---|---|
Your peer IPv4 address | 122.16.7.42 |
Cisco/OpenBSD gateway IPv4 address | 173.191.1.42 |
Preshared Key | YOUR-super-secret-password-key |
Encryption | 3DES |
Authentication | MD5 |
Diffie-Hellman Group | 2 |
Keylife | 14400 |
Phase 2:
Phase 2 config | Values |
---|---|
Encryption | 3DES |
Authentication | MD5 |
Perfect Forward Secrecy (PFS) | Yes |
Diffie-Hellman Group | 2 |
Keylife | 3600 |
SOHO Subnets | 192.168.1.0/24 |
Remote Subnets | 10.10.29.64/26 and 10.12.249.192/26 |
How to Configure PFSense Site-to-Site IPSec VPN Tunnel
Let us get started with the configuration.
PFSense appliance VPN IPSec configuration
pfSense must be set up and working correctly for the existing local network environment. Both locations must be using non-overlapping LAN IP subnets. For demo purposes my PFSense appliance is located at https://192.168.1.254/.
Step #1: Login to admin webui
Fire up a browser and type the following URL:
https://192.168.1.254/
Sample outputs:
Fig.02: PFSense admin Login Username and Password
Step #2: Setup the VPN Tunnel
Click on VPN > IPSec:
Fig.03: PFSense configure the vpn
Fig.04: Enable PFSense
Step #3: Configure a new tunnel
Click on the + button (see fig.04) to add a new IPsec tunnel Phase 1 configuration. Make sure Interface is set to “WAN”, Remote Gateway to “173.191.1.42”, Authentication Method to “Pre-Shared Key”, the Pre-Shared Key to “YOUR-super-secret-password-key”, Encryption to “3DES”, Authentication to “MD5”, Diffie-Hellman Group to “2”, Keylife to “14400”, and finally press the Save button.
Fig.05: PFSense New IPsec VPN Tunnel Phase 1 Configuration
The IPsec tunnel configuration has been changed. You must apply the changes in order for them to take effect.
Click on the Apply changes button:
Fig.06: Saving Phase 1 Config
Step #4: Create a new Phase 2 config
To create a new Phase 2, click the large + inside the Phase 1 entry in the list, on the left-hand side. This expands the list to display all Phase 2 entries for this Phase 1. Click the + button on the right to add a new entry:
Gif 01: Create a new Phase 2 to build the VPN
Fig. 07: PFSense IPSec VPN Phase 2 Configuration
Step #5: Add IPSec firewall rules
By default, firewall rules are automatically added to the WAN to allow the tunnel to connect, but if the option to disable automatic VPN rules is checked, then manual rules may be required. The following rules are added by the firewall (you can see them by running the pfctl -sr | grep -i ipsec command at the PFSense console):
```
anchor "ipsec/*" all
pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
pass out route-to (rl0 192.168.0.1) inet proto udp from any to 173.191.1.42 port = isakmp keep state label "IPsec: SL IPsec - outbound isakmp"
pass in on rl0 reply-to (rl0 192.168.0.1) inet proto udp from 173.191.1.42 to any port = isakmp keep state label "IPsec: SL IPsec - inbound isakmp"
pass out route-to (rl0 192.168.0.1) inet proto udp from any to 173.191.1.42 port = sae-urn keep state label "IPsec: SL IPsec - outbound nat-t"
pass in on rl0 reply-to (rl0 192.168.0.1) inet proto udp from 173.191.1.42 to any port = sae-urn keep state label "IPsec: SL IPsec - inbound nat-t"
pass out route-to (rl0 192.168.0.1) inet proto esp from any to 173.191.1.42 keep state label "IPsec: SL IPsec - outbound esp proto"
pass in on rl0 reply-to (rl0 192.168.0.1) inet proto esp from 173.191.1.42 to any keep state label "IPsec: SL IPsec - inbound esp proto"
```
To set up IPsec firewall rules as per your needs, click on Firewall > Rules and select the IPsec tab.
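When automatic VPN rules are disabled, or after a ruleset reload, it is worth confirming that all six peer-specific pass rules from the listing above actually exist. The following script is an added example and not part of the original tutorial: it checks a pfctl -sr dump for the outbound/inbound ISAKMP, NAT-T and ESP rules of a given peer, using a constructed copy of the Step #5 rules as offline sample input.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: check that all six pass
# rules pfSense auto-generates for an IPsec peer are present in a
# `pfctl -sr` dump. PEER is the tutorial's remote gateway; SAMPLE_RULES is a
# constructed copy of the Step #5 listing used so the script runs offline.
PEER="173.191.1.42"

SAMPLE_RULES='pass out route-to (rl0 192.168.0.1) inet proto udp from any to 173.191.1.42 port = isakmp keep state label "IPsec: SL IPsec - outbound isakmp"
pass in on rl0 reply-to (rl0 192.168.0.1) inet proto udp from 173.191.1.42 to any port = isakmp keep state label "IPsec: SL IPsec - inbound isakmp"
pass out route-to (rl0 192.168.0.1) inet proto udp from any to 173.191.1.42 port = sae-urn keep state label "IPsec: SL IPsec - outbound nat-t"
pass in on rl0 reply-to (rl0 192.168.0.1) inet proto udp from 173.191.1.42 to any port = sae-urn keep state label "IPsec: SL IPsec - inbound nat-t"
pass out route-to (rl0 192.168.0.1) inet proto esp from any to 173.191.1.42 keep state label "IPsec: SL IPsec - outbound esp proto"
pass in on rl0 reply-to (rl0 192.168.0.1) inet proto esp from 173.191.1.42 to any keep state label "IPsec: SL IPsec - inbound esp proto"'

# check_ipsec_rules PEER RULES_TEXT
# Prints "MISSING: <rule>" for each expected rule not found and returns 1
# if anything is missing, 0 when the peer is fully covered.
check_ipsec_rules() {
    peer_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for grep -E
    rules="$2"
    missing=0
    # Each spec is "<regex>|<description>". ISAKMP is UDP/500, NAT-T is
    # UDP/4500 (pfctl prints its service name, sae-urn), ESP is IP proto 50.
    for spec in \
        "^pass out .*proto udp from any to $peer_re port = isakmp|outbound ISAKMP" \
        "^pass in .*proto udp from $peer_re to any port = isakmp|inbound ISAKMP" \
        "^pass out .*proto udp from any to $peer_re port = sae-urn|outbound NAT-T" \
        "^pass in .*proto udp from $peer_re to any port = sae-urn|inbound NAT-T" \
        "^pass out .*proto esp from any to $peer_re keep state|outbound ESP" \
        "^pass in .*proto esp from $peer_re to any keep state|inbound ESP"
    do
        pattern="${spec%%|*}"
        description="${spec#*|}"
        if ! printf '%s\n' "$rules" | grep -Eq "$pattern"; then
            echo "MISSING: $description"
            missing=1
        fi
    done
    return $missing
}

# Offline demonstration against the constructed sample. On a live pfSense
# box replace the second argument with "$(pfctl -sr | grep -i ipsec)".
if check_ipsec_rules "$PEER" "$SAMPLE_RULES"; then
    echo "all six IPsec firewall rules present for $PEER"
fi
```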
How do I see the current status of the IPSec vpn?
Click on the Status > IPSec:
Fig.08: PFSense IPSec Status: Connect or Disconnect VPN Tunnel
Fig 09: Current IPSec Status
- System logs: IPsec VPN
- IPsec: SAD
- IPsec: SPD
How do I test my vpn setup?
Try to ping or ssh into one of the remote servers:
```
$ ping -c2 10.10.29.68
PING 10.10.29.68 (10.10.29.68): 56 data bytes
64 bytes from 10.10.29.68: icmp_seq=0 ttl=60 time=267.420 ms
64 bytes from 10.10.29.68: icmp_seq=1 ttl=60 time=271.900 ms
--- 10.10.29.68 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 267.420/269.660/271.900/2.240 ms
## try ssh now ##
$ ssh root@10.10.29.68
```
Conclusion
And, there you have it, VPN up and running from your SOHO. For more info see the official doc here.
Thank you!
Hello, I have IPsec status established, but could not ping remote server. Could you please help me? Thanks in advance, BR Nebojsa
Great write-up. If your device supports it, you should use AES instead of 3DES. Also use group 5 for both phases.
This will offer a more secure connection and transport. With today’s firewall hardware there should be a small performance hit with the higher security settings.
Newer firewalls can support group 22 and higher!!
I always use almost the highest setting if both firewalls support it. You will have to tweak the settings to provide a good balance between performance and security.
So now I will follow the same setup process on another VPN tool because I have a different VPN provider that I have found on vpnranks. This is also good, but first I will try to use it on my current provider.
Actually it’s “pfSense” rather than “PFSense”. I know, a small typo but it’s also part of the trademark. Check out the logo on http://pfsense.org/. My fifty cents.
Hello
Nice guide there
I need help setting up any-to-any VPN. We have multiple subnets across our various branches. Can you please guide me how to configure any-to-any VPN? I will be grateful.
Hello,
Why doesn’t pfSense have a Key exchange version option? IPsec phase 1 has internet protocol, interface, remote gateway and description.
pfsense 2.1.5
thanks
many thanks, this is helpful for me. thanks again..
Thanks for the guide! It’s a great help!
I have one Q though, I can connect from my network to other network (ipsec network) via ssh to any servers. But when I’m in the other network, and trying to connect back to our network, I can’t access the servers.
Any help will be appreciated!
Thanks!
Hi, thanks for this helpful tutorial.
Can I contact you on Skype or … to ask some questions?
i really need help
thanks
Most often once you establish the IPsec VPN tunnel you will need to add (on pfSense anyway) Firewall Rules of type IPsec that allow the remote subnet access to your network.
Here is an example:
Remote subnet: 192.168.51.0/24
You would add the 192.168.51.0/24 subnet as the source and the local LAN subnet (mind your aliases) as the destination. That is usually the cause and solution to one-way traffic.
hi,
I am using pfSense 2.2 and 2.3 on the remote site. Is it able to link on two different versions?
tks!!
So… how we do configure ipsec on pfSense? Kinda forgot that tidbit important part.
Hi, we have created VPN tunneling but we are getting a disconnecting tunnel within 2 days, and once we reboot pfSense it gets connected. Can anyone give a resolution for this issue?
The article mentions IDC. What is IDC?