
TUTORIAL

CONFIGURE SITE-TO-SITE IPSec VPN with pfSense

In this tutorial, we’ll see how to configure a site-to-site IPSec VPN with pfSense and a Ubiquiti
EdgeRouter Lite router.

This tutorial applies to every EdgeRouter model running EdgeOS 1.9.7 or later.

Equipment used in this article:

- EdgeRouter Lite
- pfSense Community Edition 2.4

I'm quite a fan of Ubiquiti hardware. It's simple, sober, robust and efficient. I have the EdgeRouter
Lite available here and the Ubiquiti Networks UAP-AC-LITE (802.11 a/b/g/n/ac) Wi-Fi access point
available here.

Network topology

To begin, the network topology:

ERL:

- eth0 (LAN1): 192.168.10.254/24
- eth1 (WAN): 82.227.24.25
- eth2 (LAN2): 192.168.11.254/24

pfSense:

- vmx0 (WAN): 151.80.84.160
- vmx1 (LAN): 192.168.20.254/24


Configuring Site-to-Site IPSec VPN with pfSense – ERL

Configuration via GUI

1. Connect to the router's web interface and go to the VPN tab > IPsec Site-to-Site > + Add
Peer
2. Select: Show advanced options
3. Select: Automatically open firewall and exclude from NAT
4. Fill in the information as below:

Click on +Add subnets (one entry per local/remote subnet pair; here LAN1 and LAN2 each need an
entry towards the pfSense LAN).


Configuration via CLI

Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using
a program such as PuTTY.

1. Enter configuration mode:

2. Change the IKE proposal (Phase 1) and its Security Association (SA) lifetime

3. Change the ESP proposal (Phase 2) and its Security Association (SA) lifetime

4. Disable Perfect Forward Secrecy (PFS). Whatever you choose here, the pfSense Phase 2 entry
must use the same PFS setting; keeping PFS enabled on both sides is the safer choice.

5. Change the local IPsec interface address (optional). These statements specify the local IP
address used as the source of IPsec packets sent to the remote peer. The dhcp-interface and
local-address statements cannot be used at the same time; pick the one that fits your situation:
(A) You use several WAN interfaces and want the VPN to answer on all of them, or your WAN interface
gets its address through PPPoE. With this statement, any IPv4 address present on the system can be
used as the source of the VPN.

(B) Your WAN interface gets its address through DHCP: use the dhcp-interface statement.

6. Enable IPsec offloading to increase ESP (not IKE) throughput (optional; a reboot is required)

7. Commit the changes

8. Save the configuration
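The commands for steps 1 to 8 are not reproduced on this page. What follows is an added example, not the tutorial's own listing, that carries out those steps for the topology above (ERL WAN 82.227.24.25 on eth1, pfSense WAN 151.80.84.160, with LAN1 and LAN2 on the ERL side each tunnelled to the pfSense LAN). The group name PFSENSE, the lifetimes and the pre-shared-secret placeholder are assumptions. The algorithms deliberately go beyond the page: IKEv2, AES-256, SHA-256 and DH group 14, with PFS kept enabled rather than disabled as in step 4, so the pfSense Phase 1 and Phase 2 entries must be set to the same values. The (A)/(B) alternatives for step 5 are shown as comments from memory of the EdgeOS syntax; confirm option names with tab completion in configure mode on your firmware.

```text
# EdgeOS, entered from operational mode. Addresses are from the topology above;
# PFSENSE (group name), lifetimes and the secret placeholder are assumptions.
configure

# Step 2: IKE (Phase 1) proposal and SA lifetime: IKEv2, AES-256, SHA-256, DH group 14
set vpn ipsec ike-group PFSENSE key-exchange ikev2
set vpn ipsec ike-group PFSENSE lifetime 28800
set vpn ipsec ike-group PFSENSE proposal 1 encryption aes256
set vpn ipsec ike-group PFSENSE proposal 1 hash sha256
set vpn ipsec ike-group PFSENSE proposal 1 dh-group 14
set vpn ipsec ike-group PFSENSE dead-peer-detection action restart
set vpn ipsec ike-group PFSENSE dead-peer-detection interval 30
set vpn ipsec ike-group PFSENSE dead-peer-detection timeout 120

# Step 3: ESP (Phase 2) proposal and SA lifetime
set vpn ipsec esp-group PFSENSE mode tunnel
set vpn ipsec esp-group PFSENSE lifetime 3600
set vpn ipsec esp-group PFSENSE proposal 1 encryption aes256
set vpn ipsec esp-group PFSENSE proposal 1 hash sha256
set vpn ipsec esp-group PFSENSE compression disable

# Step 4 (changed from the page): keep PFS and pin it to DH group 14.
# pfSense Phase 2 "PFS key group" must match. "pfs disable" works too, but only if
# pfSense has PFS off as well; "pfs enable" reuses the IKE proposal's DH group.
set vpn ipsec esp-group PFSENSE pfs dh-group14

# IPsec listens on the WAN interface; the two GUI options "open firewall" and
# "exclude from NAT" are the auto-firewall-nat-exclude line
set vpn ipsec ipsec-interfaces interface eth1
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec nat-traversal enable

# The peer is the pfSense WAN address
set vpn ipsec site-to-site peer 151.80.84.160 description pfSense
set vpn ipsec site-to-site peer 151.80.84.160 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 151.80.84.160 authentication pre-shared-secret REPLACE-WITH-A-LONG-RANDOM-SECRET
set vpn ipsec site-to-site peer 151.80.84.160 ike-group PFSENSE
set vpn ipsec site-to-site peer 151.80.84.160 connection-type initiate

# Step 5: source address for IKE/ESP. The WAN is static here; the commented lines are
# the (A) and (B) alternatives, which are mutually exclusive with local-address
set vpn ipsec site-to-site peer 151.80.84.160 local-address 82.227.24.25
#set vpn ipsec site-to-site peer 151.80.84.160 local-address 0.0.0.0   # (A) any local IPv4 / PPPoE
#set vpn ipsec site-to-site peer 151.80.84.160 dhcp-interface eth1     # (B) WAN address via DHCP

# One tunnel per local/remote subnet pair: LAN1 and LAN2 both reach the pfSense LAN
set vpn ipsec site-to-site peer 151.80.84.160 tunnel 1 esp-group PFSENSE
set vpn ipsec site-to-site peer 151.80.84.160 tunnel 1 local prefix 192.168.10.0/24
set vpn ipsec site-to-site peer 151.80.84.160 tunnel 1 remote prefix 192.168.20.0/24
set vpn ipsec site-to-site peer 151.80.84.160 tunnel 2 esp-group PFSENSE
set vpn ipsec site-to-site peer 151.80.84.160 tunnel 2 local prefix 192.168.11.0/24
set vpn ipsec site-to-site peer 151.80.84.160 tunnel 2 remote prefix 192.168.20.0/24

# Step 6: hardware ESP offload on the ERL's Cavium SoC; takes effect after a reboot
set system offload ipsec enable

# Steps 7 and 8
commit
save
exit
```

On the pfSense side this corresponds to one Phase 1 with Key Exchange version IKEv2, AES 256, SHA256, DH group 14 and both identifiers set to IP addresses, and two Phase 2 entries (192.168.20.0/24 towards each ERL subnet) with ESP, AES 256, SHA256 and PFS key group 14. If either router sits behind a NAT, the IP-address identifiers will not match what the other side sees; set "My identifier" and "Peer identifier" explicitly in that case.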

Configuring Site-to-Site IPSec VPN with pfSense – pfSense

On the pfSense side we use the appliance downloadable from the publisher's website, running in a
VMware environment, in version 2.4 (the latest stable release at the time of writing). On the
pfSense side, everything can be done through the web interface.

Adding IPSec firewall rules

To add rules on the pfSense, go to Firewall > Rules > WAN and click on Add. The tunnel needs UDP 500
(IKE), UDP 4500 (NAT-T) and the ESP protocol allowed in, ideally only from the ERL's WAN address
82.227.24.25. Note that pfSense adds equivalent rules by itself for every enabled Phase 1 unless
"Disable Auto-added VPN rules" is checked under System > Advanced > Firewall & NAT.
We should have something like this:

Phase 1 configuration (IKE)

To configure the phase 1 on the pfSense, go to VPN > IPSec > Tunnels > +Add P1

We should have something like this :


Phase 2 configuration (ESP)

To configure phase 2 on the pfSense, go to VPN > IPSec > Tunnels > Show Phase 2 Entries > +Add P2

We should have something like this:

Do the same thing for the second subnet.

Select “Enable” if it is not done automatically and click on “Apply changes“:


Check that the status of the IPsec daemon is OK by going to Status > Services

Adding subnet firewall rules

To configure subnet firewall rules, go to Firewall > Rules > IPSec > Add

We should have something like this :


Do the same thing for the second subnet.

Troubleshooting

With pfSense

To verify that the connection is established, go to Status > IPsec.

If the status is “ESTABLISHED” then the connection is up!

With EdgeRouter

On the EdgeRouter, go to Wizards > VPN Status.
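The two status pages give a yes/no answer. When the answer is no, the command line on each side tells you which phase failed and why. The following is an added example, not part of the tutorial, listing the checks a practitioner runs on pfSense 2.4 (Diagnostics > Command Prompt or an SSH shell; 2.4 still ships the classic strongSwan "ipsec" front end and clog-format logs) and in EdgeOS operational mode. The log keywords are strongSwan's standard notifications; the exact column layout of the EdgeOS show commands varies between releases.

```text
# --- pfSense 2.4: Diagnostics > Command Prompt, or an SSH shell ---
ipsec statusall        # every IKE SA should read ESTABLISHED, every CHILD SA INSTALLED
ipsec status           # compact version of the same
clog /var/log/ipsec.log | tail -n 50
# Typical failure keywords in that log and what they mean:
#   NO_PROPOSAL_CHOSEN      -> Phase 1 or Phase 2 algorithms, DH group or PFS differ from the ERL
#   AUTHENTICATION_FAILED   -> pre-shared key or identifier mismatch
#   TS_UNACCEPTABLE (IKEv2) / INVALID_ID_INFORMATION (IKEv1)
#                           -> the Phase 2 local/remote subnets do not mirror each other
#   repeated "retransmit" with no reply
#                           -> UDP 500/4500 or ESP is blocked on one of the two WANs

# --- EdgeOS: operational mode (the prompt ending in $, not #) ---
show vpn ike sa               # Phase 1 per peer; the State column should read "up"
show vpn ipsec sa             # Phase 2 per tunnel; one line per local/remote prefix pair
show vpn ipsec sa statistics  # bytes in and out: proves packets really traverse the tunnel
show vpn ipsec status         # daemon status and the interfaces IPsec is bound to
show vpn debug                # raw strongSwan "statusall"; same keywords as on the pfSense side
```

Check the IKE SA first: if Phase 1 is not up, nothing in the Phase 2 output means anything. A Phase 2 that is up with zero bytes in one direction usually points at the firewall rules on the IPsec tab or at a missing route on a LAN host, not at the tunnel itself.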


##########################################################################

CASE 2:

Few notes before diving in:

- I'm assuming that you have a basic enough understanding of both pfSense and EdgeOS to get your
devices physically connected to their respective WAN cables and online with static public IPs.
- I've been running this config for a few days without any hiccups as far as I can tell.
- If you're operating without a static public IP, this may not be as helpful for you, as any time
your IP changes you'd be required to change your IP settings on both pfSense and EdgeOS.
- I'm definitely not setting this up with a security-conscious mindset; this is just a
proof-of-concept "get-it-up-and-running" guide.
- As always, YMMV!

Without further ado, please read below!

Variable References

pfSense

- Static WAN IP: 1.1.1.1
- LAN IP: 192.168.1.1
- LAN Subnet: 192.168.1.0/24

EdgeOS

- Static WAN IP: 2.2.2.2
- LAN IP: 192.168.2.1
- LAN Subnet: 192.168.2.0/24

Please note that the values above will vary with your LAN settings and should be modified
accordingly. Let's jump into the pfSense config!

pfSense - VPN Config


Navigate to VPN > IPsec and make sure that IPsec is enabled and saved, or none of this will work.
pfSense Phase 1 General Settings

- Key Exchange Version: V1
- Internet Protocol: IPv4
- Interface: WAN
- Remote Gateway: 2.2.2.2
- Description: EdgeOS Router

pfSense Phase 1 Proposal (Authentication)

- Authentication method: Mutual PSK
- Negotiation mode: Main
- My identifier: My IP address
- Peer identifier: Peer IP address
- Pre-Shared Key: ChangeYourPreSharedKeyDontActuallyUseThis

pfSense Phase 1 Proposal (Algorithms)

- Encryption algorithm: AES 256 bits
- Hash algorithm: SHA1
- DH key group: 2 (1024 bit)
- Lifetime: 3600

(SHA1 and a 1024-bit DH group are the weakest options pfSense still offers; they are adequate for
this proof of concept, but for anything you intend to keep, choose SHA256 and DH group 14 or higher
here and in Phase 2, and set the same values in the EdgeOS ike-group and esp-group, since both
peers must agree on every parameter.)

pfSense Phase 1 Advanced Options

- NAT Traversal: Auto
- Dead Peer Detection: Enable DPD, 30 seconds, 5 retries

pfSense Phase 2 General Settings

- Mode: Tunnel IPv4
- Local Network: LAN subnet
- Remote Network: 192.168.2.0/24

pfSense Phase 2 Proposal (SA/Key Exchange)

- Protocol: ESP
- Encryption algorithm: AES 256 bits
- Hash algorithm: SHA1
- PFS key group: 2 (1024 bits)
- Lifetime: 3600

Okay, now you're good to press save and apply.


pfSense - Firewall > Rules

You'll want to add three rules: pass UDP 500 (ISAKMP/IKE), pass UDP 4500 (IPsec NAT-T) and pass
ESP, which is IP protocol 50. A word on the "Authentication Headers" rule that tends to appear in
guides like this: AH is IP protocol 51, not TCP port 51, and this tunnel negotiates ESP only, so a
TCP rule on port 51 would never match anything; rule 3 below passes ESP instead. Two caveats worth
knowing: pfSense adds equivalent rules automatically for each enabled Phase 1 unless "Disable
Auto-added VPN rules" is checked under System > Advanced > Firewall & NAT, so these manual rules
only matter if you have turned that off; and setting Source to the peer's WAN address (2.2.2.2)
instead of any keeps the rest of the Internet away from your IKE daemon at no cost.

Add new rule 1:

- Action: Pass
- Disabled: Unchecked
- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: UDP
- Source: any (or, better, 2.2.2.2)
- Destination: WAN address
- Destination port range: IPsec NAT-T (4500)
- Description: IPsec NAT-T | PASS

New rule 2:

- Action: Pass
- Disabled: Unchecked
- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: UDP
- Source: any (or, better, 2.2.2.2)
- Destination: WAN address
- Destination port range: ISAKMP (500)
- Description: IPsec ISAKMP | PASS

And new rule 3:

- Action: Pass
- Disabled: Unchecked
- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: ESP
- Source: any (or, better, 2.2.2.2)
- Destination: WAN address
- Description: IPsec ESP | PASS

Now, click on the new IPsec tab.

Add a new rule:

- Action: Pass
- Disabled: Unchecked
- Interface: IPsec
- TCP/IP Version: IPv4
- Protocol: any
- Source: any
- Destination: any
- Log: Checked
- Description: PASS | EVERYTHING

Save and apply your settings again. An any/any rule here is convenient while bringing the tunnel
up, but everything it passes lands directly on your LAN; once the tunnel works, narrow Source to
the remote subnet and Destination to the hosts and ports that actually need to be reached.

Okay! Now that you've gotten this far, let's go through the EdgeOS config!

EdgeOS - VPN Config


Go ahead and SSH to your EdgeOS box, log in, and enter configure and press enter. Your
box will change from admin@EdgeOS$ to admin@EdgeOS#, indicating that you're ready
to start inputting your VPN settings!

Code:
set firewall all-ping enable
set firewall name WAN_LOCAL
set firewall name WAN_LOCAL rule 5 action accept
set firewall name WAN_LOCAL rule 5 description "ICMP 60/m"
set firewall name WAN_LOCAL rule 5 limit burst 1
set firewall name WAN_LOCAL rule 5 limit rate 60/minute
set firewall name WAN_LOCAL rule 5 log enable
set firewall name WAN_LOCAL rule 5 protocol icmp
set vpn ipsec esp-group pfSense
set vpn ipsec esp-group pfSense mode tunnel
set vpn ipsec esp-group pfSense pfs enable
set vpn ipsec esp-group pfSense proposal 1
set vpn ipsec esp-group pfSense proposal 1 encryption aes256
set vpn ipsec esp-group pfSense proposal 1 hash sha1
set vpn ipsec esp-group pfSense lifetime 3600
set vpn ipsec esp-group pfSense compression disable
set vpn ipsec ike-group pfSense dead-peer-detection action restart
set vpn ipsec ike-group pfSense dead-peer-detection interval 30
set vpn ipsec ike-group pfSense dead-peer-detection timeout 60
set vpn ipsec ike-group pfSense proposal 1
set vpn ipsec ike-group pfSense proposal 1 encryption aes256
set vpn ipsec ike-group pfSense proposal 1 hash sha1
set vpn ipsec ike-group pfSense lifetime 3600
set vpn ipsec ike-group pfSense key-exchange ikev1
set vpn ipsec ike-group pfSense proposal 1 dh-group 2
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec site-to-site peer 1.1.1.1
set vpn ipsec site-to-site peer 1.1.1.1 connection-type initiate
set vpn ipsec site-to-site peer 1.1.1.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 1.1.1.1 authentication pre-shared-secret ChangeYourPreSharedKeyDontActuallyUseThis
set vpn ipsec site-to-site peer 1.1.1.1 ike-group pfSense
set vpn ipsec site-to-site peer 1.1.1.1 local-address 2.2.2.2
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 esp-group pfSense
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 local prefix 192.168.2.0/24
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 remote prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 allow-public-networks disable
set vpn ipsec nat-traversal enable
commit
save

Once that's all done, you should be up and online just fine!

Notes
Just briefly: I'd like to thank everyone in the pfSense community for being just generally
wonderful. I've learned more over the past year and a half and done more with pfSense than
any other router/firewall product previously, and I cannot recommend it enough to other
people. The community that all of you offer is just amazing!

Please let me know if you have any questions regarding anything! I've had it up and
running for a few days on my side now without any issues!
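As an added example (not part of the original post), here is what the pfSense WAN rules above and the auto-firewall-nat-exclude line in the EdgeOS config amount to when written out explicitly on the EdgeOS side, with every rule scoped to the pfSense peer 1.1.1.1 rather than to any, so it can be audited and tightened. It assumes the WAN_LOCAL and WAN_IN rulesets already exist with default-action drop, that eth0 is the WAN interface as in the config above, and that the outbound masquerade is NAT rule 5000 (the EdgeOS default); rule numbers 10, 11 and 4999 are arbitrary choices.

```text
# Explicit equivalent of "auto-firewall-nat-exclude enable", scoped to the peer.
# Assumed: WAN_LOCAL / WAN_IN exist with default-action drop, eth0 is the WAN,
# outbound masquerade is NAT rule 5000. Rule numbers are arbitrary.
configure

# IKE (UDP 500) and NAT-T (UDP 4500) to the router itself, only from the pfSense peer
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description "IKE and NAT-T from pfSense"
set firewall name WAN_LOCAL rule 10 protocol udp
set firewall name WAN_LOCAL rule 10 source address 1.1.1.1
set firewall name WAN_LOCAL rule 10 destination port 500,4500

# ESP is IP protocol 50 (AH would be 51); it has no ports, so there is no port match
set firewall name WAN_LOCAL rule 11 action accept
set firewall name WAN_LOCAL rule 11 description "ESP from pfSense"
set firewall name WAN_LOCAL rule 11 protocol esp
set firewall name WAN_LOCAL rule 11 source address 1.1.1.1

# Decrypted traffic is forwarded through WAN_IN; accept only packets that came out of
# an IPsec SA, and only from the remote LAN to the local LAN (tighten further as needed)
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description "pfSense LAN via IPsec"
set firewall name WAN_IN rule 10 ipsec match-ipsec
set firewall name WAN_IN rule 10 source address 192.168.1.0/24
set firewall name WAN_IN rule 10 destination address 192.168.2.0/24

# Keep tunnel traffic out of the outbound masquerade; an exclude rule must sort before
# the masquerade rule it excludes from (5000 here)
set service nat rule 4999 description "no NAT towards the pfSense LAN"
set service nat rule 4999 exclude
set service nat rule 4999 outbound-interface eth0
set service nat rule 4999 type masquerade
set service nat rule 4999 source address 192.168.2.0/24
set service nat rule 4999 destination address 192.168.1.0/24

# With the rules above in place the automatic ones are no longer needed
set vpn ipsec auto-firewall-nat-exclude disable

commit
save
exit
```

The WAN_IN rule is where least privilege pays off: the pfSense side's any/any rule on its IPsec tab exposes its whole LAN to whatever arrives through the tunnel, whereas the match-ipsec rule here admits only traffic that was actually decrypted from the SA and can be narrowed to specific hosts and ports with the usual destination port and protocol keywords.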
