In this tutorial, we’ll see how to configure a site-to-site IPSec VPN with pfSense and a Ubiquiti EdgeRouter Lite router.
This tutorial works on all EdgeRouter devices running firmware version 1.9.7 or later.
Equipment used in this article:
- EdgeRouter Lite
- pfSense Community Edition 2.4
I’m quite a fan of Ubiquiti hardware. It’s simple, sober, robust and efficient. I have the EdgeRouter Lite, available here, and the Ubiquiti Networks UAP-AC-LITE (802.11 a/b/g/n/ac) Wi-Fi access point, available here.
Network topology
To begin, here is the network topology:
ERL:
- eth0 (LAN1): 192.168.10.254/24
- eth1 (WAN): 82.227.24.25
- eth2 (LAN2): 192.168.11.254/24
pfSense:
- vmx0 (WAN): 151.80.84.160
- vmx1 (LAN): 192.168.20.254/24
Configuring Site-to-Site IPSec VPN with pfSense – ERL
Configuration via GUI
- Connect to the router’s web interface and go to the VPN tab > IPsec Site-to-Site > + Add Peer
- Select: Show advanced options
- Select: Automatically open firewall and exclude from NAT
- Complete the information as below:
    Peer: 151.80.84.160
    Description: IPsec
    Local IP: 82.227.24.25
    Encryption: AES-256
    Hash: SHA1
    DH Group: 14
    Pre-shared Secret: yoursecret
    Local subnet: 192.168.10.0/24
    Remote subnet: 192.168.20.0/24
- Click on + Add subnets and enter the second subnet:
    Local subnet: 192.168.11.0/24
    Remote subnet: 192.168.20.0/24
Configuration via CLI
Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.
- Enter configuration mode:
    configure
- Change the IKE proposal (P1) and Security Associations (SAs):
    set vpn ipsec ike-group FOO0 lifetime 86400
    set vpn ipsec ike-group FOO0 proposal 1 hash sha256
- Change the ESP proposal (P2) and Security Associations (SAs):
    set vpn ipsec esp-group FOO0 lifetime 43200
    set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
    set vpn ipsec esp-group FOO0 proposal 1 hash md5
- Disable Perfect Forward Secrecy (PFS):
    set vpn ipsec esp-group FOO0 pfs disable
- Change the local IPsec interface address (optional). Use one of the following commands to specify the local IP address used as the source of IPsec packets sent to the remote peer. The dhcp-interface and local-address statements CANNOT be used simultaneously; pick the one that fits your situation:
  (A) You use multiple WAN interfaces and want the VPN to respond on all of them. With this statement, any IPv4 address present on the system can be used as the source of the VPN. Use this command as well if your WAN interface gets its address through PPPoE.
    set vpn ipsec site-to-site peer 151.80.84.160 local-address 0.0.0.0
  (B) Your WAN interface gets its address through DHCP:
    delete vpn ipsec site-to-site peer 151.80.84.160 local-address
    set vpn ipsec site-to-site peer 151.80.84.160 dhcp-interface eth1
- Enable the IPsec offloading feature to increase ESP (not IKE) performance (optional, requires a reboot):
    set system offload ipsec enable
- Commit the changes:
    commit
- Save the configuration:
    save
Configuring Site-to-Site IPSec VPN with pfSense – pfSense
On the pfSense side, we use the appliance downloadable from the publisher’s website, running in a VMware environment. We are on version 2.4 (the latest stable release at the time of writing). On pfSense, everything can be done via the web interface.
Adding IPSec firewall rules
To add the rules on pfSense, go to Firewall > Rules > WAN and click on Add
    Action: Pass
    Interface: WAN
    Address Family: IPv4
    Protocol: UDP
    Source: any
    Destination: any
    Destination Port Range: From ISAKMP (500) to ISAKMP (500)
    Description: IKE

    Action: Pass
    Interface: WAN
    Address Family: IPv4
    Protocol: ESP
    Source: any
    Destination: any
    Description: ESP

    Action: Pass
    Interface: WAN
    Address Family: IPv4
    Protocol: UDP
    Source: any
    Destination: any
    Destination Port Range: From IPsec NAT-T (4500) to IPsec NAT-T (4500)
    Description: NAT-T
We should have something like this:
Phase 1 configuration (IKE)
To configure phase 1 on pfSense, go to VPN > IPSec > Tunnels > +Add P1
    Key Exchange Version: IKEv1
    Internet Protocol: IPv4
    Interface: WAN
    Remote Gateway: 82.227.24.25
    Description: IPsec
    Authentication Method: Mutual PSK
    Negotiation Mode: Main
    My Identifier: My IP address
    Peer Identifier: Peer IP address
    Pre-Shared Key: yoursecret
    Encryption Algorithm: AES 256 bits
    Hash Algorithm: SHA256
    DH Group: 14 (2048 bit)
    Lifetime (Seconds): 86400
    Uncheck 'Dead Peer Detection'
    NAT Traversal: Auto
We should have something like this :
Phase 2 configuration (ESP)
To configure phase 2 on pfSense, go to VPN > IPSec > Tunnels > Show Phase 2 Entries > +Add P2
    Mode: Tunnel IPv4
    Local Network: Network 192.168.20.0/24
    NAT/BINAT Translation: None
    Remote Network: Network 192.168.10.0/24
    Protocol: ESP
    Encryption Algorithms: AES 128 bits
    Hash Algorithms: MD5 (uncheck SHA1)
    PFS Key Group: off
    Lifetime: 43200
We should have something like this :
Do the same thing for the second subnet.
Select “Enable” if it is not done automatically and click on “Apply changes”:
Check that the status of the IPsec daemon is OK by going to Status > Services
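Most tunnels that refuse to come up fail on a detail that is easy to miss when the two sides are typed into two different GUIs: a peer address with a typo, an IKE or ESP proposal that differs by one parameter, or a Phase 2 entry that exists on one router but not the other. The script below is an added example for this article, not the author's code and not an EdgeOS or pfSense API: the Peer/Proposal model and the check_tunnel() and tutorial_peers() helpers are hypothetical, while the values in tutorial_peers() are transcribed from the EdgeRouter CLI section and the pfSense Phase 1/Phase 2 pages above. It compares both ends, reports mismatches that would stop negotiation, and separately warns about settings the tutorial accepts but a reviewer would flag (MD5 for ESP, PFS disabled).

```python
"""Pre-flight consistency check for a site-to-site IPsec tunnel.

Added example, not the article's code and not an EdgeOS/pfSense API: the
data model and checks are my own; the values in tutorial_peers() are the
ones used in the article. Helper names are hypothetical.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

WEAK_HASHES = {"md5", "sha1"}
WEAK_ENCRYPTION = {"des", "3des"}
MIN_DH_GROUP = 14  # 2048-bit MODP


@dataclass(frozen=True)
class Proposal:
    encryption: str  # "aes256", "aes128", ...
    hash: str        # "sha256", "sha1", "md5"
    lifetime: int    # seconds
    dh_group: int    # IKE: DH group; ESP: PFS group, 0 = PFS disabled


@dataclass
class Peer:
    """One end of the tunnel, described from its own point of view."""
    local_address: str
    remote_address: str
    ike: Proposal
    esp: Proposal
    networks: list = field(default_factory=list)  # (local, remote) CIDR pairs


def weak_algorithms(p: Proposal, phase: str) -> list:
    """Settings both sides may agree on but that a reviewer would flag."""
    w = []
    if p.hash in WEAK_HASHES:
        w.append(f"{phase}: hash {p.hash} is deprecated, prefer sha256")
    if p.encryption in WEAK_ENCRYPTION:
        w.append(f"{phase}: encryption {p.encryption} is weak, prefer AES")
    if phase == "IKE" and p.dh_group < MIN_DH_GROUP:
        w.append(f"IKE: DH group {p.dh_group} is below group {MIN_DH_GROUP}")
    if phase == "ESP" and p.dh_group == 0:
        w.append("ESP: PFS disabled, compromise of the IKE SA exposes all child SAs")
    return w


def _proposals_match(a: Proposal, b: Proposal) -> bool:
    # Lifetime differences are tolerated by IKE (the shorter value wins),
    # so only the cryptographic parameters must be identical.
    return (a.encryption, a.hash, a.dh_group) == (b.encryption, b.hash, b.dh_group)


def check_tunnel(a: Peer, b: Peer) -> tuple:
    """Return (errors, warnings): errors prevent negotiation, warnings are
    accepted-but-weak settings."""
    errors, warnings = [], []
    # Phase 1 can only start if each side addresses the other's WAN IP.
    if ip_address(a.remote_address) != ip_address(b.local_address):
        errors.append(f"A peers with {a.remote_address} but B's WAN is {b.local_address}")
    if ip_address(b.remote_address) != ip_address(a.local_address):
        errors.append(f"B peers with {b.remote_address} but A's WAN is {a.local_address}")
    for phase, pa, pb in (("IKE", a.ike, b.ike), ("ESP", a.esp, b.esp)):
        if not _proposals_match(pa, pb):
            errors.append(f"{phase} proposal mismatch: {pa} vs {pb}")
        elif pa.lifetime != pb.lifetime:
            warnings.append(f"{phase}: lifetimes differ ({pa.lifetime}s vs {pb.lifetime}s)")
        warnings += weak_algorithms(pa, phase)
    # Every (local, remote) pair on one side must appear mirrored on the other.
    pairs_a = {(ip_network(l), ip_network(r)) for l, r in a.networks}
    pairs_b = {(ip_network(l), ip_network(r)) for l, r in b.networks}
    for local, remote in pairs_a - {(r, l) for l, r in pairs_b}:
        errors.append(f"B has no Phase 2 entry for {remote} <-> {local}")
    for local, remote in pairs_b - {(r, l) for l, r in pairs_a}:
        errors.append(f"A has no Phase 2 entry for {remote} <-> {local}")
    return errors, warnings


def tutorial_peers() -> tuple:
    """EdgeRouter (after the CLI changes) and pfSense, as set up in the article."""
    erl = Peer(
        local_address="82.227.24.25", remote_address="151.80.84.160",
        ike=Proposal("aes256", "sha256", 86400, 14),
        esp=Proposal("aes128", "md5", 43200, 0),
        networks=[("192.168.10.0/24", "192.168.20.0/24"),
                  ("192.168.11.0/24", "192.168.20.0/24")],
    )
    pf = Peer(
        local_address="151.80.84.160", remote_address="82.227.24.25",
        ike=Proposal("aes256", "sha256", 86400, 14),
        esp=Proposal("aes128", "md5", 43200, 0),
        networks=[("192.168.20.0/24", "192.168.10.0/24"),
                  ("192.168.20.0/24", "192.168.11.0/24")],
    )
    return erl, pf


if __name__ == "__main__":
    errors, warnings = check_tunnel(*tutorial_peers())
    for line in errors:
        print("ERROR  ", line)
    for line in warnings:
        print("WARNING", line)
```

Run as-is, the tutorial's settings produce no errors and two warnings (MD5 for ESP, PFS off). Swap one digit in the EdgeRouter's peer address or drop the second Phase 2 entry on pfSense and the corresponding error appears before you spend time in Status > IPsec.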
Adding subnet firewall rules
To configure subnet firewall rules, go to Firewall > Rules > IPSec > Add
    Action: Pass
    Interface: IPsec
    Address Family: IPv4
    Protocol: Any
    Source: Network 192.168.10.0/24
    Destination: Network 192.168.20.0/24

    Action: Pass
    Interface: IPsec
    Address Family: IPv4
    Protocol: Any
    Source: Network 192.168.11.0/24
    Destination: Network 192.168.20.0/24
We should have something like this :
Do the same thing for the second subnet.
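A tunnel can be ESTABLISHED and still pass no traffic when the firewall side is incomplete: a missing NAT-T rule on WAN, or an IPsec-tab rule for the first subnet but not the second. The following script is an added example, not the article's code and not a pfSense API: the Rule model and the check_wan_rules(), check_ipsec_rules() and tutorial_rules() helpers are hypothetical, and the rule values are transcribed from the two firewall sections above. It verifies that the WAN tab passes IKE, ESP and NAT-T from the peer and that every Phase 2 pair has a pass rule on the IPsec tab (remote network as source, local network as destination), and it warns when the only matching rule is wide open.

```python
"""Check that pfSense firewall rules let the tunnel negotiate and carry
traffic for every Phase 2 entry.

Added example, not part of the article and not a pfSense API: Rule and the
check functions are hypothetical; the rule values come from the article.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    interface: str     # tab the rule lives on: "WAN" or "IPsec"
    protocol: str      # "udp", "esp", "any", ...
    source: str        # CIDR or "any"
    destination: str   # CIDR or "any"
    dst_port: int = 0  # 0 = no port (ESP has none) / not restricted
    action: str = "pass"


# What the remote peer must reach on the WAN: IKE, ESP and NAT-T.
REQUIRED_WAN = (("udp", 500, "IKE"), ("esp", 0, "ESP"), ("udp", 4500, "NAT-T"))


def covers(rule_net: str, net: str) -> bool:
    """True if a rule address field ("any" or a CIDR) contains net."""
    return rule_net == "any" or ip_network(net).subnet_of(ip_network(rule_net))


def _passes(r: Rule, tab: str) -> bool:
    return r.interface.lower() == tab and r.action == "pass"


def check_wan_rules(rules, peer_ip: str) -> tuple:
    """Return (errors, warnings) for the WAN tab, given the peer's public IP."""
    errors, warnings = [], []
    for proto, port, name in REQUIRED_WAN:
        hits = [r for r in rules
                if _passes(r, "wan") and r.protocol.lower() == proto
                and r.dst_port == port and covers(r.source, f"{peer_ip}/32")]
        if not hits:
            errors.append(f"WAN: nothing passes {name} ({proto}/{port or '-'}) from {peer_ip}")
        elif all(r.source == "any" for r in hits):
            warnings.append(f"WAN: {name} rule is open to any source, consider limiting it to {peer_ip}")
    return errors, warnings


def check_ipsec_rules(rules, phase2) -> tuple:
    """phase2: (local, remote) CIDR pairs as configured on pfSense.
    On the IPsec tab, the *remote* network is the source of incoming traffic."""
    errors, warnings = [], []
    for local, remote in phase2:
        hits = [r for r in rules
                if _passes(r, "ipsec")
                and covers(r.source, remote) and covers(r.destination, local)]
        if not hits:
            errors.append(f"IPsec: no pass rule for {remote} -> {local}")
        elif all(r.source == "any" and r.destination == "any" for r in hits):
            warnings.append(f"IPsec: only an any/any rule covers {remote} -> {local}")
    return errors, warnings


def tutorial_rules() -> list:
    """The five rules added in the article, WAN tab first, then IPsec tab."""
    return [
        Rule("WAN", "udp", "any", "any", 500),
        Rule("WAN", "esp", "any", "any"),
        Rule("WAN", "udp", "any", "any", 4500),
        Rule("IPsec", "any", "192.168.10.0/24", "192.168.20.0/24"),
        Rule("IPsec", "any", "192.168.11.0/24", "192.168.20.0/24"),
    ]


# (local, remote) pairs of the two Phase 2 entries on pfSense.
TUTORIAL_PHASE2 = [("192.168.20.0/24", "192.168.10.0/24"),
                   ("192.168.20.0/24", "192.168.11.0/24")]


if __name__ == "__main__":
    rules = tutorial_rules()
    for fn, arg in ((check_wan_rules, "82.227.24.25"), (check_ipsec_rules, TUTORIAL_PHASE2)):
        errors, warnings = fn(rules, arg)
        for line in errors:
            print("ERROR  ", line)
        for line in warnings:
            print("WARNING", line)
```

With the tutorial's rules the script reports no errors; it does warn that the three WAN rules accept any source, which is the tutorial's choice and can be tightened to the EdgeRouter's WAN address once the tunnel works.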
Troubleshooting
With pfSense
To verify that the connection is well established, go to Status > IPsec
If the status is “ESTABLISHED” then the connection is up!
With EdgeRouter
On the EdgeRouter, just go to the Wizards > VPN Status tab.
I hope this article has been helpful to you! If you have any questions, do not hesitate to leave me a comment!
Hi! I’m Maxime, founder and independent author of vDays.net. I have worked in IT services for 6 years, after a 5-year internship. Through this blog, I would like to share and discuss new technologies with you, especially virtualization and VMware. If you want to know more about me, check out my “about me” page or follow me on Twitter and LinkedIn.