[TUTO] – Ubiquiti ERL : Configure a site-to-site IPSec VPN with pfSense

1 Star2 Stars3 Stars4 Stars5 Stars (3 votes, average: 5.00 out of 5)
Loading...

By | 6 November 2017

In this tutorial, we’ll see how to configure a site-to-site IPSec VPN with pfSense and a Ubiquiti EdgeRouter Lite router.

This tutorial is 100% functional on all EdgeRouter devices being in 1.9.7 version minimum.

Equipment used in this article:

  • EdgeRouter Lite
  • pfSense Community Edition 2.4

I’m quite fan of Ubiquiti hardware. It’s simple, sober, robust and efficient.  I have the EdgeRouter Lite available here and the Ubiquiti Networks UAP-AC-LITE (802.11 a/b/g/n/ac) Wifi Access Point available here.

Network topology

To begin, the network topology

ERL :

eth0 (LAN1) : 192.168.10.254/24

eth1 (WAN) : 82.227.24.25

eth2 (LAN2) : 192.168.11.254/24

pfSense :

vmx0 (WAN) : 151.80.84.160

vmx1 (LAN) : 192.168.20.254/24

VPN IPsec site-à-site avec pfSense

Source image

Configuring Site-to-Site IPSec VPN with pfSense – ERL

Configuration via GUI

  1. Connect to the router’s web interface and go to the VPN tab> IPsec Site-to-Site > + Add Peer
  2. Select : Show advanced options
  3. Select : Automaticaly open firewall and exclude from NAT
  4. Complete info as below :

Clic on +Add subnets

VPN IPsec site-à-site avec pfSense

Configuration via CLI

Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

  1. Enter configuration mode :
  2. Change the IKE proposal (P1) and Security Associations (SAs)
  3. Change the ESP proposal (P2) and Security Associations (SAs)
  4. Disable Perfect Forward Secrecy (PFS)
  5. Change the local IPsec interface address (Optional) :Use the following command to specify the local IP address to be used as the source for IPsec packets destined for the remote peer. The dhcp-interface and local-address statements CANNOT be used simultaneously. Decide on which command is best for your situation using these options:(A) You are using multiple WAN interfaces and want the VPN to respond on multiple interfaces.With this statement any IPv4 address present on the system can be used as the source of the VPN. You can also use this command if your WAN interface receives an address through PPPoE.

    (B) Your WAN interface receives an address through DHCP
  6. Enable the IPsec offloading feature to increase ESP (not IKE) performance (optional – need reboot)
  7. Commit the changes
  8. Save the configuration

     

Configuring Site-to-Site IPSec VPN with pfSense – pfSense

Listed pfSense we use the downloadable appliance on the publisher’s website, and in a VMware environment. We are in version 2.4 (last stable available on this date). Listed pfSense, everything can be done via the web interface.

Adding IPSec firewall rules

To add rules in the pfSense, go to Firewall > Rules > WAN and click on Add

We should have something like this:

VPN IPsec site-à-site avec pfSense

Phase 1 configuration (IKE)

To configure the phase 1 on the pfSense, go to VPN > IPSec > Tunnels > +Add P1

We should have something like this :

VPN IPsec site-à-site avec pfSenseVPN IPsec site-à-site avec pfSense

Phase 2 configuration (ESP)

To configure phase 2 on the pfSense, go to VPN > IPSec > Tunnels > Show Phase 2 Entries > +Add P2

We should have something like this :

VPN IPsec site-à-site avec pfSenseVPN IPsec site-à-site avec pfSense

Do the same thing for the second subnet.

Select “Enable” if it is not done automatically and click on “Apply changes“:

VPN IPsec site-à-site avec pfSense

Check that the status of the IPsec daemon is OK by going to Status > Services

VPN IPsec site-à-site avec pfSense

Adding subnet firewall rules

To configure subnet firewall rules, go to Firewall Rules > IPSec > Add

We should have something like this :

VPN IPsec site-à-site avec pfSense

Do the same thing for the second subnet.

Troubleshooting

With pfSense

To verify that the connection is well established, go to Status > IPsec 

VPN IPsec site-à-site avec pfSense

If the status is “ESTABLISHED” then the connection is up!

With EdgeRouter

With Ubiquiti, just go to the tab Wizards > VPN Status

VPN IPsec site-à-site avec pfSense

I hope this article has been helpful to you! If you have any questions, do not hesitate to leave me a comment!

If you like this post, don't hesitate to share it !

Hi ! I’m Maxime. Founder and independant author of vDays.net. I have worked in service IT since 3 years ago, after a 5 years’ internship. Via this blog, I would like share and discuss with you on new technologies, especially on virtualization and VMware.

Leave a Reply

Your email address will not be published. Required fields are marked *