PfSense IPsec: Site-to-Site VPN Setup Guide

by Jhon Lennon

Setting up a secure and reliable site-to-site VPN connection between two networks using pfSense is a common requirement for many organizations. This guide will walk you through the process of configuring an IPsec VPN tunnel between two pfSense firewalls, ensuring secure communication between your networks.

Understanding IPsec VPNs

Before diving into the configuration, let's understand what an IPsec VPN is and why it's useful. IPsec (Internet Protocol Security) is a suite of protocols that provides secure communication over IP networks. It ensures data confidentiality, integrity, and authenticity. A site-to-site VPN, in this context, creates a secure tunnel between two networks, allowing resources in each network to communicate as if they were on the same local network. This is particularly useful for businesses with multiple offices or for connecting to resources in the cloud.

Key benefits of using IPsec VPNs:

  • Security: IPsec provides strong encryption and authentication, protecting data from eavesdropping and tampering.
  • Reliability: IPsec is a well-established standard and is supported by a wide range of devices and operating systems.
  • Flexibility: IPsec can be configured to meet a variety of security requirements.
  • Cost-effectiveness: By using the existing internet infrastructure, IPsec VPNs can be a cost-effective way to connect multiple networks.

Prerequisites

Before you begin, make sure you have the following:

  • Two pfSense firewalls, each with a public IP address.
  • Knowledge of the IP address ranges for both networks.
  • Administrative access to both pfSense firewalls.
  • A stable internet connection for both sites.

These prerequisites are essential to ensure a smooth and successful VPN setup. Without them, you may encounter issues with connectivity and security. It's also a good idea to have a network diagram handy to visualize the setup and ensure you're configuring the correct IP addresses and subnets. This will greatly assist in troubleshooting any potential problems that may arise during the configuration process.

Step-by-Step Configuration

Now, let's get into the step-by-step configuration process. We'll configure one pfSense firewall as the primary gateway and the other as the secondary gateway. Remember to adjust the IP addresses and network ranges to match your specific environment.

Phase 1 Configuration (Both pfSense Firewalls)

Phase 1 establishes the initial secure connection between the two firewalls. This phase involves negotiating security parameters such as encryption algorithms and authentication methods.

  1. Navigate to VPN > IPsec > Tunnels: On both pfSense firewalls, go to the web interface and navigate to VPN > IPsec > Tunnels. This is where you'll configure the IPsec settings.
  2. Add a New Tunnel: Click the Add P1 button to create a new Phase 1 configuration.
  3. General Settings:
    • Key Exchange version: Set to IKEv2. IKEv2 is more secure and efficient than older versions.
    • Internet Protocol: Choose IPv4 or IPv6 depending on your network setup.
    • Interface: Select the WAN interface on both firewalls.
    • Remote Gateway: Enter the public IP address of the other pfSense firewall.
    • Description: Give your tunnel a descriptive name (e.g., "Site A to Site B").
  4. Phase 1 Proposal (Authentication):
    • Authentication Method: Select Mutual PSK. This is the most common and straightforward method.
    • Pre-Shared Key: Enter a strong, randomly generated pre-shared key. Keep this key secret and the same on both firewalls! A strong pre-shared key is crucial for the security of your VPN.
    • Encryption Algorithm: Choose AES256-GCM. This is a strong and modern encryption algorithm. You may need to install the OpenSSL Engine if it is not available.
    • Hash Algorithm: Select SHA256. This provides a good balance of security and performance.
    • DH Group: Choose 14 (2048 bit). This provides a good level of key exchange security.
  5. Phase 1 Proposal (Advanced Options):
    • Leave the default settings for most options. However, you might want to adjust the lifetime if needed.
  6. Save: Click Save to save the Phase 1 configuration. Make sure to apply the changes on both firewalls.

Phase 2 Configuration (Both pfSense Firewalls)

Phase 2 establishes the secure tunnel for data transmission after Phase 1 has successfully negotiated the initial connection.

  1. Navigate to VPN > IPsec > Tunnels: Again, go to VPN > IPsec > Tunnels on both firewalls.
  2. Edit the Phase 1 Tunnel: Click the Edit icon next to the Phase 1 tunnel you just created.
  3. Add a New Phase 2 Entry: Scroll down to the Phase 2 section and click the Add P2 button.
  4. General Settings:
    • Mode: Select Tunnel IPv4 or Tunnel IPv6 depending on your network setup.
    • Description: Give your Phase 2 entry a descriptive name (e.g., "Site A LAN to Site B LAN").
  5. Phase 2 Proposal (SA/Key Exchange):
    • Protocol: Choose ESP. This provides encryption for the data transmitted through the tunnel.
    • Encryption Algorithms: Select AES256-GCM. Ensure this matches your Phase 1 encryption.
    • Hash Algorithms: Select SHA256. Ensure this matches your Phase 1 hash algorithm.
    • PFS Key Group: Choose 14 (2048 bit). This should match your Phase 1 DH Group.
  6. Phase 2 Proposal (Advanced Options):
    • Adjust the lifetime if needed, but the defaults are usually fine.
  7. Network Configuration:
    • Local Network: Select LAN Subnet or specify the local network you want to route through the VPN. You can also create an alias if you need to specify more than one subnet.
    • Remote Network: Enter the remote network's IP address and subnet mask. This is the network behind the other pfSense firewall that you want to access.
  8. Save: Click Save to save the Phase 2 configuration. Remember to apply the changes on both firewalls.

Firewall Rules

After configuring the IPsec tunnels, you need to create firewall rules to allow traffic to pass through the VPN. Without these rules, traffic will be blocked, and the VPN will not function correctly.

  1. Navigate to Firewall > Rules > IPsec: On both pfSense firewalls, go to Firewall > Rules > IPsec. This is where you'll create the rules for IPsec traffic.
  2. Add a New Rule: Click the Add button to create a new rule.
  3. Rule Configuration:
    • Action: Set to Pass.
    • Interface: Select IPsec.
    • Protocol: Set to Any to allow all protocols.
    • Source: Select the local network (e.g., LAN Subnet) or the alias you created.
    • Destination: Select the remote network's IP address and subnet mask.
    • Description: Give your rule a descriptive name (e.g., "Allow LAN to Remote LAN").
  4. Save: Click Save to save the rule. Apply the changes on both firewalls.

Enable and Connect the VPN

Now that you've configured the tunnels and firewall rules, it's time to enable and connect the VPN.

  1. Navigate to VPN > IPsec > Tunnels: On both pfSense firewalls, go to VPN > IPsec > Tunnels.
  2. Enable the Tunnel: If the tunnel is not already enabled, click the Enable button next to the Phase 1 tunnel.
  3. Connect the Tunnel: Click the Connect button to initiate the VPN connection. You can monitor the connection status in the IPsec overview.

Verification and Troubleshooting

After setting up the IPsec VPN, it's crucial to verify that it's working correctly. Here are some steps to help you troubleshoot any issues.

  • Check the IPsec Status: Go to Status > IPsec on both firewalls. This page shows the status of the IPsec tunnels, including whether they are connected and any errors that may have occurred.
  • Ping Test: Ping a device on the remote network from a device on the local network. If the ping is successful, the VPN is likely working correctly.
  • Firewall Logs: Check the firewall logs (Status > System Logs > Firewall) for any blocked traffic. This can help you identify any firewall rules that may be blocking traffic.
  • IPsec Logs: Check the IPsec logs (Status > System Logs > IPsec) for any errors related to the IPsec tunnel. This can help you identify any issues with the IPsec configuration.
  • Packet Capture: Use a packet capture tool (such as tcpdump or Wireshark) to capture traffic on the WAN interface. This can help you see if the IPsec traffic is being encrypted and decrypted correctly.
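The packet-capture step above is easier to read with a little triage: on a healthy tunnel the WAN shows only IKE (UDP 500, or UDP 4500 with NAT-T) and ESP, while a LAN-to-LAN packet appearing unencapsulated, or leaving NATed to the WAN address, means it bypassed the Phase 2 selector. The following script is an added example written for this guide, not part of the original article or of pfSense; the tcpdump lines are constructed sample input in the shape of `tcpdump -n` output, and the helper names, the IPv4-only parsing, and the two sample subnets are assumptions of the example.

```python
"""Added example: classify `tcpdump -n` lines captured on a pfSense WAN so that
IPsec control/data traffic is separated from LAN traffic that escaped the tunnel.
On the firewall the capture itself would be, for example:
    tcpdump -ni <wan_if> 'esp or udp port 500 or udp port 4500 or net 192.168.2.0/24'
The SAMPLE lines below are constructed, not a real capture."""
import ipaddress
import re
from collections import Counter

# One line of `tcpdump -n` output: timestamp, "IP", src > dst: payload (IPv4 only here).
LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")

SAMPLE = """\
12:00:01.000001 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: parent_sa ikev2_init[I]
12:00:01.000320 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: parent_sa ikev2_init[R]
12:00:01.000900 IP 203.0.113.10.4500 > 198.51.100.20.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
12:00:02.000100 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0xc1a2b3c4,seq=0x1), length 132
12:00:02.000400 IP 198.51.100.20 > 203.0.113.10: ESP(spi=0xd4e5f6a7,seq=0x1), length 132
12:00:03.000000 IP 192.168.1.10 > 192.168.2.20: ICMP echo request, id 1, seq 7, length 64
12:00:03.200000 IP 203.0.113.10 > 192.168.2.20: ICMP echo request, id 1, seq 8, length 64
12:00:03.500000 IP 203.0.113.10.22 > 192.0.2.50.51234: Flags [P.], seq 1:65, ack 1, win 512, length 64
"""


def split_host_port(token):
    """tcpdump prints IPv4 endpoints as a.b.c.d.port; strip the port when present."""
    if token.count(".") == 4:
        host, port = token.rsplit(".", 1)
        return host, port
    return token, None


def classify(line, local_net, remote_net, wan_ip):
    """Label one capture line by what it tells you about the tunnel."""
    m = LINE_RE.match(line)
    if not m:
        return "UNPARSED"
    src, _ = split_host_port(m.group(1))
    dst, _ = split_host_port(m.group(2))
    payload = m.group(3)
    if "isakmp" in payload:
        return "IKE"   # Phase 1 / Phase 2 negotiation, plain or NAT-T encapsulated
    if "ESP(" in payload:
        return "ESP"   # protected tunnel traffic; the payload is opaque on the wire
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if (s in local_net and d in remote_net) or (s in remote_net and d in local_net):
        return "LAN_CLEARTEXT"        # LAN-to-LAN packet left the WAN outside the tunnel
    if src == wan_ip and d in remote_net:
        return "NATTED_TO_INTERNET"   # hit outbound NAT instead of the Phase 2 selector
    return "OTHER"


def triage(lines, local_cidr, remote_cidr, wan_ip):
    """Count each class of line and collect the ones that indicate a tunnel problem."""
    local_net = ipaddress.ip_network(local_cidr)
    remote_net = ipaddress.ip_network(remote_cidr)
    counts = Counter()
    suspicious = []
    for line in lines:
        if not line.strip():
            continue
        label = classify(line, local_net, remote_net, wan_ip)
        counts[label] += 1
        if label in ("LAN_CLEARTEXT", "NATTED_TO_INTERNET"):
            suspicious.append((label, line))
    return counts, suspicious


if __name__ == "__main__":
    counts, suspicious = triage(SAMPLE.splitlines(), "192.168.1.0/24", "192.168.2.0/24", "203.0.113.10")
    print(dict(counts))
    for label, line in suspicious:
        print(f"{label}: {line}")
```

The two flagged lines are the ones worth chasing: a private-to-private packet on the WAN means no Phase 2 entry covered it, and a packet from the WAN address to the remote LAN means outbound NAT took it before IPsec did, which is the usual symptom when the remote network in Phase 2 was typed wrongly.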

Common Issues and Solutions

Here are some common issues you may encounter when setting up an IPsec VPN and their solutions:

  • Phase 1 or Phase 2 Failed: This usually indicates a mismatch in the configuration settings between the two firewalls. Double-check that the encryption algorithms, hash algorithms, pre-shared key, and network ranges are the same on both firewalls.
  • No Traffic Passing Through the Tunnel: This is often due to firewall rules blocking the traffic. Make sure you have created firewall rules to allow traffic to pass through the IPsec interface.
  • VPN Connection Dropping: This can be caused by a variety of factors, such as network congestion, incorrect MTU settings, or issues with the internet connection. Try adjusting the MTU settings or contacting your ISP to troubleshoot the internet connection.
  • Incorrect Subnet Mask: Ensure that the subnet masks for the local and remote networks are correctly configured. An incorrect subnet mask can prevent traffic from being routed correctly.
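Most "Phase 1 or Phase 2 Failed" and "Incorrect Subnet Mask" cases come down to the two firewalls disagreeing on one of the values entered in the Phase 1 and Phase 2 steps above. The script below is an added example for this guide, not code from the original article or from pfSense: it takes the settings as typed on each side (two constructed dictionaries whose keys are this example's own names, not pfSense configuration fields), checks that the proposal fields match, that each remote gateway is the other side's WAN address, that the Phase 2 networks mirror each other without overlapping, and flags a host address typed where a network belongs. The 32-character PSK floor is an assumption of the example.

```python
"""Added example, not pfSense's own code: compare the IPsec settings entered on two
pfSense firewalls and report the mismatches behind a failed Phase 1 or Phase 2.
SITE_A and SITE_B are constructed sample input."""
import ipaddress

# Fields that must be identical on both firewalls for the proposals to match.
P1_MUST_MATCH = ("ike_version", "auth_method", "psk", "encryption", "hash", "dh_group")
P2_MUST_MATCH = ("mode", "protocol", "encryption", "hash", "pfs_group")
MIN_PSK_LEN = 32  # assumed length floor for a "strong" PSK; not a pfSense rule

SITE_A = {
    "name": "Site A", "wan_ip": "203.0.113.10", "remote_gateway": "198.51.100.20",
    "phase1": {"ike_version": "IKEv2", "auth_method": "Mutual PSK",
               "psk": "cT7rV2mQ9xLp4sW8bN1kZ6yH3jF5dG0aR2uE4iO7",  # constructed value
               "encryption": "AES256-GCM", "hash": "SHA256", "dh_group": 14},
    "phase2": {"mode": "Tunnel IPv4", "protocol": "ESP", "encryption": "AES256-GCM",
               "hash": "SHA256", "pfs_group": 14,
               "local_network": "192.168.1.0/24", "remote_network": "192.168.2.0/24"},
}
# Site B carries two typical mistakes: a different DH group, and a host address
# (192.168.1.10/24) typed where the remote *network* belongs.
SITE_B = {
    "name": "Site B", "wan_ip": "198.51.100.20", "remote_gateway": "203.0.113.10",
    "phase1": {"ike_version": "IKEv2", "auth_method": "Mutual PSK",
               "psk": "cT7rV2mQ9xLp4sW8bN1kZ6yH3jF5dG0aR2uE4iO7",
               "encryption": "AES256-GCM", "hash": "SHA256", "dh_group": 2},
    "phase2": {"mode": "Tunnel IPv4", "protocol": "ESP", "encryption": "AES256-GCM",
               "hash": "SHA256", "pfs_group": 14,
               "local_network": "192.168.2.0/24", "remote_network": "192.168.1.10/24"},
}


def parse_network(label, value, findings):
    """Parse a subnet, flagging a host address typed where a network was expected."""
    try:
        return ipaddress.ip_network(value)
    except ValueError:
        net = ipaddress.ip_network(value, strict=False)  # still raises if not CIDR at all
        findings.append(f"{label} {value} has host bits set; the network is {net}")
        return net


def check_tunnel(a, b):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    # The remote gateway typed on each side must be the other side's WAN address.
    for near, far in ((a, b), (b, a)):
        if near["remote_gateway"] != far["wan_ip"]:
            findings.append(f'{near["name"]} remote gateway {near["remote_gateway"]} '
                            f'is not {far["name"]} WAN {far["wan_ip"]}')
    for label, phase, fields in (("Phase 1", "phase1", P1_MUST_MATCH),
                                 ("Phase 2", "phase2", P2_MUST_MATCH)):
        for field in fields:
            if a[phase][field] != b[phase][field]:
                if field == "psk":  # never echo key material into a report
                    findings.append("Phase 1 pre-shared key differs between the firewalls")
                else:
                    findings.append(f'{label} {field}: {a["name"]}={a[phase][field]}, '
                                    f'{b["name"]}={b[phase][field]}')
    if len(a["phase1"]["psk"]) < MIN_PSK_LEN:
        findings.append(f"Phase 1 pre-shared key is shorter than {MIN_PSK_LEN} characters")
    # Phase 2 selectors must mirror each other: A's local is B's remote and vice versa.
    a_local = parse_network(f'{a["name"]} Phase 2 local_network', a["phase2"]["local_network"], findings)
    a_remote = parse_network(f'{a["name"]} Phase 2 remote_network', a["phase2"]["remote_network"], findings)
    b_local = parse_network(f'{b["name"]} Phase 2 local_network', b["phase2"]["local_network"], findings)
    b_remote = parse_network(f'{b["name"]} Phase 2 remote_network', b["phase2"]["remote_network"], findings)
    if a_local != b_remote:
        findings.append(f'{a["name"]} local {a_local} is not {b["name"]} remote {b_remote}')
    if a_remote != b_local:
        findings.append(f'{a["name"]} remote {a_remote} is not {b["name"]} local {b_local}')
    if a_local.overlaps(a_remote):
        findings.append(f"local {a_local} and remote {a_remote} overlap; traffic cannot be routed")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel(SITE_A, SITE_B) or ["no mismatches found"]:
        print(finding)
```

Run against the two constructed sites it reports the DH group mismatch and the host-bits error; fix those two values on Site B and it reports nothing. The pre-shared key is compared but deliberately never printed, so the output is safe to paste into a ticket.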

Advanced Configuration Options

Once you have a basic IPsec VPN up and running, you can explore some advanced configuration options to further customize your setup.

  • Dynamic DNS: If one or both of your pfSense firewalls have a dynamic IP address, you can use Dynamic DNS (DDNS) to ensure that the VPN connection remains stable. Configure DDNS on both firewalls and use the DDNS hostname as the remote gateway in the IPsec configuration.
  • Multiple Subnets: If you need to route traffic between multiple subnets on each network, you can create aliases for the subnets and use them in the firewall rules and IPsec configuration.
  • Route-Based VPN: Instead of using tunnel-based VPNs, you can configure route-based VPNs, which allow you to route traffic based on the destination IP address. This can be useful for more complex network setups.
  • Mobile Client Access: You can configure pfSense to allow mobile clients to connect to the VPN using IPsec or other VPN protocols such as OpenVPN.

Conclusion

Setting up an IPsec site-to-site VPN with pfSense can seem daunting at first, but by following this guide, you can establish a secure and reliable connection between your networks. Remember to double-check your configuration settings, create appropriate firewall rules, and monitor the VPN connection to ensure it's working correctly. With a little patience and attention to detail, you can create a robust VPN solution that meets your needs.

By understanding the underlying principles of IPsec and the configuration options available in pfSense, you can create a VPN that is tailored to your specific requirements. Whether you're connecting multiple offices, accessing resources in the cloud, or simply need a secure way to access your network remotely, IPsec VPNs with pfSense provide a flexible and cost-effective solution.