In this tutorial we'll see how to configure a site-to-site IPsec VPN between pfSense and a Ubiquiti EdgeRouter Lite.
This tutorial works on all EdgeRouter models running EdgeOS 1.9.7 or later.
EdgeRouter Lite
pfSense Community Edition 2.4
I'm quite a fan of Ubiquiti hardware: it's simple, understated, robust and efficient. I have the EdgeRouter Lite and the Ubiquiti Networks UAP-AC-LITE (802.11 a/b/g/n/ac) Wi-Fi access point.
Network topology
ERL :
pfSense :
Configuration via GUI
1. Connect to the router's web interface and go to the VPN tab > IPsec Site-to-Site > + Add Peer
2. Select: Show advanced options
3. Select: Automatically open firewall and exclude from NAT
4. Fill in the fields as below:
5. Access the command line interface (CLI). You can do this using the CLI button in the GUI or with a program such as PuTTY.
6. Enable the IPsec offloading feature to increase ESP (not IKE) performance (optional; this is the system offload ipsec setting in configure mode, and it only takes effect after a reboot)
On the pfSense side we use the appliance image downloadable from the publisher's website, running in a VMware environment, in version 2.4 (the latest stable release at the time of writing). On the pfSense side everything can be done from the web interface.
To add rules in pfSense, go to Firewall > Rules > WAN and click Add.
We should end up with something like this:
Troubleshooting
With pfSense
With EdgeRouter
CASE 2:
I'm assuming that you have a basic enough understanding of both pfSense and
EdgeOS in order to get your devices physically connected to their respective WAN
cables and online with static public IPs.
I've been running this config for a few days without any hiccups as far as I can tell.
If you're operating without a static public IP, this may not be as helpful for you as
anytime your IP changes you'd be required to change your IP settings on both
pfSense and EdgeOS.
I'm definitely not setting this up with a security-conscious mindset; this is just a
proof of concept "get-it-up-and-running" guide.
As always, YMMV!
Variable References
pfSense
EdgeOS
Please note that the variables above will vary with your LAN settings and should be
modified accordingly. Let's jump into the pfSense config!
Protocol: ESP
Encryption algorithm: AES 256 bits
Hash algorithm: SHA1
PFS key group: 2 (1024 bits)
Lifetime: 3600
You'll want to add 3 rules: Pass TCP/UDP 4500 IPsec, Pass TCP 51 for IPsec
Authentication Headers, and Pass UDP 500 ISAKMP.
New rule 1:
Action: Pass
Disabled: Unchecked
Interface: WAN
TCP/IP Version: IPv4
Protocol: TCP/UDP
Source: any
Destination: WAN address
Destination port range: IPsec NAT-T (4500)
Description: IPsec NAT | PASS
New rule 2:
Action: Pass
Disabled: Unchecked
Interface: WAN
TCP/IP Version: IPv4
Protocol: UDP
Source: any
Destination: WAN address
Destination port range: ISAKMP (500)
Description: IPsec ISAKMP | PASS
New rule 3:
Action: Pass
Disabled: Unchecked
Interface: WAN
TCP/IP Version: IPv4
Protocol: TCP
Source: any
Destination: WAN address
Destination port range: (other) 51
Description: IPsec Authentication Headers | PASS
Okay! Now that you've gotten this far, let's go through the EdgeOS config!
set firewall all-ping enable
set firewall name WAN_LOCAL
set firewall name WAN_LOCAL rule 5 action accept
set firewall name WAN_LOCAL rule 5 description "ICMP 60/m"
set firewall name WAN_LOCAL rule 5 limit burst 1
set firewall name WAN_LOCAL rule 5 limit rate 60/minute
set firewall name WAN_LOCAL rule 5 log enable
set firewall name WAN_LOCAL rule 5 protocol icmp
set vpn ipsec esp-group pfSense
set vpn ipsec esp-group pfSense mode tunnel
set vpn ipsec esp-group pfSense pfs enable
set vpn ipsec esp-group pfSense proposal 1
set vpn ipsec esp-group pfSense proposal 1 encryption aes256
set vpn ipsec esp-group pfSense proposal 1 hash sha1
set vpn ipsec esp-group pfSense lifetime 3600
set vpn ipsec esp-group pfSense compression disable
set vpn ipsec ike-group pfSense dead-peer-detection action restart
set vpn ipsec ike-group pfSense dead-peer-detection interval 30
set vpn ipsec ike-group pfSense dead-peer-detection timeout 60
set vpn ipsec ike-group pfSense proposal 1
set vpn ipsec ike-group pfSense proposal 1 encryption aes256
set vpn ipsec ike-group pfSense proposal 1 hash sha1
set vpn ipsec ike-group pfSense lifetime 3600
set vpn ipsec ike-group pfSense key-exchange ikev1
set vpn ipsec ike-group pfSense proposal 1 dh-group 2
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec site-to-site peer 1.1.1.1
set vpn ipsec site-to-site peer 1.1.1.1 connection-type initiate
set vpn ipsec site-to-site peer 1.1.1.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 1.1.1.1 authentication pre-shared-secret ChangeYourPreSharedKeyDontActuallyUseThis
set vpn ipsec site-to-site peer 1.1.1.1 ike-group pfSense
set vpn ipsec site-to-site peer 1.1.1.1 local-address 2.2.2.2
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 esp-group pfSense
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 local prefix 192.168.2.0/24
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 remote prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 allow-public-networks disable
set vpn ipsec nat-traversal enable
commit
save
Once that's all done, you should be up and online just fine!
Notes
Just briefly: I'd like to thank everyone in the pfSense community for being just generally
wonderful. I've learned more over the past year and a half and done more with pfSense than
any other router/firewall product previously, and I cannot recommend it enough to other
people. The community that all of you offer is just amazing!
Please let me know if you have any questions regarding anything! I've had it up and
running for a few days on my side now without any issues!
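One step that neither the tutorial's Troubleshooting section nor the forum post spells out is verifying, after commit, that the tunnel actually came up with the selectors and algorithms you intended. The script below is an added example and is not part of either guide. It works from the text printed by ipsec statusall, the strongSwan status command available in a pfSense 2.4 shell (and, via sudo, on EdgeOS 1.9.x, which also ships strongSwan), reports whether the IKE SA is established and the child SA for the two LAN prefixes is installed, and lists the negotiated algorithms that are deprecated for new deployments. The status text embedded in it is constructed to mirror the forum post's parameters (IKEv1, AES-256, SHA1, DH group 2, pre-shared key, 192.168.1.0/24 on the pfSense side and 192.168.2.0/24 on the EdgeRouter side); the connection name con1 and the SPI values are placeholders.

```shell
#!/bin/sh
# Added example, not from either guide: post-commit sanity check of a
# pfSense <-> EdgeRouter site-to-site tunnel, working from the text that
# "ipsec statusall" prints (pfSense 2.4 shell; "sudo ipsec statusall" on
# EdgeOS 1.9.x, which also runs strongSwan).

# CONSTRUCTED sample, shaped like real strongSwan output, with the forum
# post's parameters: IKEv1, AES-256, SHA1, DH group 2 (MODP_1024), PSK,
# 192.168.1.0/24 (pfSense side) === 192.168.2.0/24 (EdgeRouter side).
# "con1" and the SPI values are placeholders.
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
       con1[3]: ESTABLISHED 27 minutes ago, 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
       con1[3]: IKEv1 SPIs: 0123456789abcdef_i* fedcba9876543210_r, pre-shared key reauthentication in 27 minutes
       con1[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
       con1{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1234567_i c7654321_o
       con1{2}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 1234 bytes_i (12 pkts, 3s ago), 5678 bytes_o (34 pkts, 3s ago), rekeying in 42 minutes
       con1{2}:   192.168.1.0/24 === 192.168.2.0/24'

# tunnel_state STATUS_TEXT LOCAL_PREFIX REMOTE_PREFIX
# Prints "up" when the IKE SA is ESTABLISHED and a tunnel-mode CHILD SA is
# INSTALLED for exactly the expected selector pair; otherwise prints the first
# failing stage (no-ike, no-child, wrong-selectors) and returns 1.
tunnel_state() {
    st=$1; lp=$2; rp=$3
    printf '%s\n' "$st" | grep -q ': ESTABLISHED '       || { echo no-ike; return 1; }
    printf '%s\n' "$st" | grep -q ':  INSTALLED, TUNNEL' || { echo no-child; return 1; }
    printf '%s\n' "$st" | grep -Fq "$lp === $rp"         || { echo wrong-selectors; return 1; }
    echo up
}

# weak_algos STATUS_TEXT
# Prints, one per line, the negotiated protocol/algorithm tokens that are
# deprecated for new deployments: IKEv1, MODP groups below 2048 bits (DH
# groups 1, 2 and 5), MD5 and SHA1 integrity, DES and 3DES.  Returns 0 when
# at least one was found, 1 when the tunnel negotiated none of them.
weak_algos() {
    st=$1; found=1
    for tok in IKEv1 MODP_768 MODP_1024 MODP_1536 HMAC_MD5 HMAC_SHA1 3DES DES_CBC; do
        if printf '%s\n' "$st" | grep -q "$tok"; then
            echo "$tok"; found=0
        fi
    done
    return $found
}

# Stand-alone use: with no argument the constructed sample is checked; pass a
# file captured with "ipsec statusall > status.txt" to check a live tunnel.
if [ -n "${1:-}" ]; then st=$(cat "$1"); else st=$SAMPLE_STATUS; fi
echo "tunnel: $(tunnel_state "$st" 192.168.1.0/24 192.168.2.0/24)"
echo "weak algorithms negotiated:"
weak_algos "$st" || echo "(none)"
```

Run against the constructed sample the check reports the tunnel up but flags IKEv1, MODP_1024 (DH group 2) and HMAC_SHA1, which is exactly what the forum post's proposals negotiate. Both platforms can negotiate IKEv2, SHA-256 and DH group 14 (2048-bit MODP) through the same GUI fields and the same ike-group/esp-group CLI nodes, so hardening is a proposal change on both ends rather than a redesign. Note also that the post's pass rule for TCP port 51 does nothing for this tunnel: AH is IP protocol 51, not a TCP port, and the esp-group above negotiates ESP (IP protocol 50), which pfSense, together with UDP 500 and 4500, permits from the peer automatically as soon as the phase 1 is enabled, unless auto-added VPN rules have been disabled under System > Advanced.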