EdgeRouter - Site-to-Site IPsec VPN to pfSense
Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN between an EdgeRouter and a pfSense router.
NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Devices used in this article:
Frequently Asked Questions (FAQ)
1. What site-to-site IPsec VPN types can be configured on EdgeOS?
The following IPsec VPN types can be configured on EdgeOS:
2. What are the available encryption and hashing options (Security Associations / SAs) for Phase 1 (IKE) and Phase 2 (ESP)?
Encryption | Hashing
Setting up a Policy-Based VPN
In this example the 192.168.1.0/24 network behind the EdgeRouter and the 172.16.1.0/24 network behind the pfSense router will be allowed to communicate with each other over the VPN. The EdgeRouter WAN address is 203.0.113.1 and the pfSense WAN address is 192.0.2.1.
GUI: Access the EdgeRouter Web UI.
1. Define the IPsec peer and hashing/encryption methods.
VPN > IPsec Site-to-Site > +Add Peer
- Check: Show advanced options
- Check: Automatically open firewall and exclude from NAT
Peer: 192.0.2.1 (the pfSense WAN address)
Description: ipsec
Local IP: 203.0.113.1 (the EdgeRouter WAN address)
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret> (use a long, randomly generated value; the same value must be entered on the pfSense side)
Local subnet: 192.168.1.0/24
Remote subnet: 172.16.1.0/24
The Web UI applies the selected encryption, hash and DH group to both the IKE (Phase 1) and ESP (Phase 2) proposals on the EdgeRouter, so the pfSense Phase 1 and Phase 2 entries must use the same values or the tunnel will not negotiate.
2. Apply the changes.
GUI: Access the pfSense Router Web UI.
1. Add the firewall rules for IPsec.
Note: pfSense adds pass rules for IKE, NAT-T and ESP from the remote gateway automatically when a Phase 1 is enabled, unless "Disable all auto-added VPN rules" is checked under System > Advanced > Firewall & NAT. If you add the rules manually, restrict the source to the EdgeRouter WAN address (203.0.113.1) instead of any, so that IKE and ESP are not exposed to the whole Internet.
Firewall > Rules > WAN > Add

Action: Pass
Interface: WAN
Address Family: IPv4
Protocol: UDP
Source: 203.0.113.1 (or any, as in the original rule set)
Destination: any
Destination Port Range: From ISAKMP (500) to ISAKMP (500)
Description: ike

Action: Pass
Interface: WAN
Address Family: IPv4
Protocol: ESP
Source: 203.0.113.1 (or any, as in the original rule set)
Destination: any
Description: esp

Action: Pass
Interface: WAN
Address Family: IPv4
Protocol: UDP
Source: 203.0.113.1 (or any, as in the original rule set)
Destination: any
Destination Port Range: From IPsec NAT-T (4500) to IPsec NAT-T (4500)
Description: nat-t
Firewall > Rules > IPsec > Add
Action: Pass
Interface: IPsec
Address Family: IPv4
Protocol: Any
Source: Network 192.168.1.0/24
Destination: Network 172.16.1.0/24
2. Define and save the IKE settings.
VPN > IPsec > Tunnels > + Add P1
Key Exchange Version: IKEv1
Internet Protocol: IPv4
Interface: WAN
Remote Gateway: 203.0.113.1
Description: ipsec
Authentication Method: Mutual PSK
Negotiation Mode: Main
My Identifier: My IP address
Peer Identifier: Peer IP address
Pre-Shared Key: <secret>
Encryption Algorithm: AES 128 bits
Hash Algorithm: SHA1 (must match the Hash setting on the EdgeRouter)
DH Group: 14 (2048 bit)
Lifetime (Seconds): 28800
Dead Peer Detection: Uncheck / disabled
NAT Traversal: Auto
3. Define and save the ESP settings.
VPN > IPsec > Tunnels > Show Phase 2 Entries > +Add P2
Mode: Tunnel IPv4
Local Network: Network 172.16.1.0/24
NAT/BINAT Translation: None
Remote Network: Network 192.168.1.0/24
Protocol: ESP
Encryption Algorithms: AES 128 bits
Hash Algorithms: SHA1
PFS Key Group: 14
Lifetime (Seconds): 3600
4. Apply the changes.
Verify the tunnel with "show vpn ipsec sa" on the EdgeRouter and under Status > IPsec on pfSense; both should show the IKE SA and the ESP SA for 192.168.1.0/24 <-> 172.16.1.0/24 as established.
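The most common reason a policy-based tunnel between two vendors fails to come up is a proposal or subnet that is not mirrored exactly on both ends. The following added example (not part of the original article or of Ubiquiti's or Netgate's own code) encodes both sides of the configuration above, checks that they mirror each other, and emits the EdgeOS configure-mode commands equivalent to the EdgeRouter Web UI steps. The group name FOO0 and the pre-shared key value are placeholders; the EdgeOS command syntax is assumed to match current firmware and should be checked against "show vpn ipsec" output on the device.

```python
"""Consistency check and EdgeOS CLI generation for the policy-based
IPsec tunnel described above (added example; addresses, subnets and
proposals are the ones used on this page, FOO0 and the PSK value are
placeholders)."""
from dataclasses import dataclass, fields
import ipaddress


@dataclass(frozen=True)
class Proposal:
    encryption: str   # EdgeOS spelling, e.g. "aes128"
    hash: str         # e.g. "sha1"
    dh_group: int     # IKE DH group (Phase 1) or PFS group (Phase 2)
    lifetime: int     # seconds


@dataclass(frozen=True)
class Site:
    name: str
    wan_ip: str
    peer_ip: str
    local_subnet: str
    remote_subnet: str
    ike: Proposal     # Phase 1
    esp: Proposal     # Phase 2


# Values from the configuration steps above.
IKE = Proposal("aes128", "sha1", 14, 28800)
ESP = Proposal("aes128", "sha1", 14, 3600)

EDGEROUTER = Site("edgerouter", "203.0.113.1", "192.0.2.1",
                  "192.168.1.0/24", "172.16.1.0/24", IKE, ESP)
PFSENSE = Site("pfsense", "192.0.2.1", "203.0.113.1",
               "172.16.1.0/24", "192.168.1.0/24", IKE, ESP)


def mismatches(a: Site, b: Site) -> list:
    """Return the reasons the two ends would fail to negotiate or route.
    An empty list means the two configurations mirror each other."""
    problems = []
    for phase in ("ike", "esp"):
        pa, pb = getattr(a, phase), getattr(b, phase)
        for f in fields(Proposal):
            va, vb = getattr(pa, f.name), getattr(pb, f.name)
            if va != vb:
                problems.append(f"{phase} {f.name}: {a.name}={va} {b.name}={vb}")
    if a.peer_ip != b.wan_ip or b.peer_ip != a.wan_ip:
        problems.append("peer/local addresses are not crossed")
    if a.local_subnet != b.remote_subnet or a.remote_subnet != b.local_subnet:
        problems.append("local/remote subnets are not mirrored")
    if ipaddress.ip_network(a.local_subnet).overlaps(ipaddress.ip_network(a.remote_subnet)):
        problems.append("local and remote subnets overlap; a policy-based VPN cannot route them")
    return problems


def edgeos_commands(site: Site, psk: str, group: str = "FOO0") -> list:
    """EdgeOS configure-mode commands equivalent to the Web UI steps above
    (group name and PSK are placeholders supplied by the caller)."""
    peer = f"vpn ipsec site-to-site peer {site.peer_ip}"
    # "pfs enable" reuses the IKE DH group; an explicit dh-groupN is emitted
    # only when the Phase 2 PFS group differs from the Phase 1 group.
    pfs = "enable" if site.esp.dh_group == site.ike.dh_group else f"dh-group{site.esp.dh_group}"
    return [
        "configure",
        "set vpn ipsec auto-firewall-nat-exclude enable",   # "Automatically open firewall and exclude from NAT"
        f"set vpn ipsec ike-group {group} key-exchange ikev1",
        f"set vpn ipsec ike-group {group} lifetime {site.ike.lifetime}",
        f"set vpn ipsec ike-group {group} proposal 1 dh-group {site.ike.dh_group}",
        f"set vpn ipsec ike-group {group} proposal 1 encryption {site.ike.encryption}",
        f"set vpn ipsec ike-group {group} proposal 1 hash {site.ike.hash}",
        f"set vpn ipsec esp-group {group} lifetime {site.esp.lifetime}",
        f"set vpn ipsec esp-group {group} pfs {pfs}",
        f"set vpn ipsec esp-group {group} proposal 1 encryption {site.esp.encryption}",
        f"set vpn ipsec esp-group {group} proposal 1 hash {site.esp.hash}",
        f"set {peer} authentication mode pre-shared-secret",
        f"set {peer} authentication pre-shared-secret '{psk}'",
        f"set {peer} description ipsec",
        f"set {peer} ike-group {group}",
        f"set {peer} local-address {site.wan_ip}",
        f"set {peer} tunnel 1 esp-group {group}",
        f"set {peer} tunnel 1 local prefix {site.local_subnet}",
        f"set {peer} tunnel 1 remote prefix {site.remote_subnet}",
        "commit",
        "save",
        "exit",
    ]


if __name__ == "__main__":
    for problem in mismatches(EDGEROUTER, PFSENSE):
        print("MISMATCH:", problem)
    print("\n".join(edgeos_commands(EDGEROUTER, "<secret>")))
```

Running the script prints no mismatch for the two sites above and the EdgeOS command sequence for the EdgeRouter side. Changing a single value on one side (for example the pfSense Phase 2 hash) produces a one-line mismatch report naming the phase and field, which is the same information the IKE daemon logs only as a generic "no proposal chosen" failure.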