Wiki

User Tools

Site Tools

Trace: string_operations ip_forwarding pfblockerng general_setup dhcp_server cert_manager union_injections my_configuration
pfsense:vpn:ipsec:site_to_site_setup

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
pfsense:vpn:ipsec:site_to_site_setup [2020/11/29 22:50] – created peterpfsense:vpn:ipsec:site_to_site_setup [2021/02/16 15:06] (current) – [Requirements] peter
Line 1: Line 1:
 ====== PFSense - VPN - IPSec - Site to Site Setup ====== ====== PFSense - VPN - IPSec - Site to Site Setup ======
 +
 +pfSense to pfSense - IPsec - site to site Setup.
 +
 +Setup an IPSec VPN between 2 instances of pfSense using both a static (work) and dynamic IP address (home office).
 +
 +
 +<WRAP info>
 +**NOTE:**  A static IP is NOT a requirement.
 +</WRAP>
 +
 +
 +
 +----
 +
 +===== Requirements =====
 +
 +  * Dynamic or Static IP address.
 +  * A domain name or a free [[https://www.maketecheasier.com/best-dynamic-dns-providers/|dynamic DNS provider]].
 +  * CPU with [[https://en.wikipedia.org/wiki/AES_instruction_set|AES-NI]] (if your uplink is 20Mbps or faster).
 +
 +----
 +
 +
 +===== Assumptions =====
 +
 +You already have a working pfSense configuration at both locations.
 +
 +Both locations must NOT have the same internal LAN address - meaning both can’t be running 192.168.1.x addresses, one can run 192.168.1.x while the other can run 192.168.2.x.
 +
 +Final note - the VPN configuration on both firewalls will be exactly the same, save for parts that require IP addresses or hostnames.
 +
 +----
 +
 +===== Configuration =====
 +
 +Click on **VPN -> IPsec**, and on the bottom right, click on the green **+ Add P1** button at the bottom of the screen.
 +
 +==== Phase 1 ====
 +
 +=== General Info ===
 +
 +  * Key exchange version: **IKEv2**
 +  * Internet Protocol: **IPv4** (IPv6/Dual stack will work if you’re running IPv6 at both sites)
 +  * Interface: **WAN** (or whatever you named the interface with the public IP address)
 +  * Remote Gateway: this is where you need either your own domain, or a free Dynamic DNS provider - or manually entering the IP addresses works, users with dynamic IP addresses the “work” location will have to update your IP address manually every time it changes.
 +    * Remote Gateway (home): work.sharewiz.net
 +    * Remote Gateway (work): home.sharewiz.net
 +  * Description: **A description** 
 +
 +
 +=== Phase 1 Proposal (Authentication): ===
 +
 +  * Authentication Method: **Mutual PSK**
 +  * My Identifier: Distinguished name:
 +    * Home: **home.sharewiz.net**
 +    * Work: **work.sharewiz.net**
 +  * Peer identifier: Distinguished name
 +    * Home: work.sharewiz.net
 +    * Work: home.sharewiz.net
 +  * Pre-Shared Key: **On one firewall, click generate key, then copy & paste that key to the other firewall**
 +
 +
 +=== Phase 1 Proposal (Encryption Algorithm) ===
 +
 +  * Encryption Algorithm:
 +    * Algorithm: **AES128-GCM**
 +    * Key Length: **128 bits**
 +    * Hash: **SHA256**
 +    * DH Group: **14 (2048)**
 +  * Lifetime (Seconds): **28800**
 +
 +
 +=== Advanced Options ===
 +
 +Leave everything defaulted in this section, and click Save. When finished, it should look like this:
 +
 +----
 +
 +==== Phase 2 ====
 +
 +From the above screen, click on **Show Phase 2 Entries (0)** and expand out the menu, then click on the green **+ Add P2** button that appears.
 +
 +=== General Information ===
 +
 +  * Mode: **Tunnel IPv4**
 +  * Local Network: **LAN subnet**
 +  * NAT/BINAT translation: **None**
 +  * Remote Network: Network
 +    * Address (Work): **192.168.10.0/24**
 +    * Address (Home): **192.168.1.0/24**
 +  * Description:
 +    * Home: **Work LAN**
 +    * Work: **Home LAN**
 +
 +
 +=== Phase 2 Proposal (SA/Key Exchange) ===
 +
 +  * Protocol: **ESP**
 +  * Encryption Algorithms: **AES128-GCM @ 128 bits**
 +    * Hash Algorithms: **AES-XCBC (or SHA256 if your CPU doesn’t have AES-NI)**
 +    * PFS key group: **14 (2048)**
 +    * Lifetime: **3600**
 +
 +
 +=== Advanced Configuration ===
 +
 +  * Automatically ping host: **set this IP address to a server you run 24/7, this will keep the VPN up 24/7**
 +
 +After you hit **Save**, this is what your Phase 2 will look like:
 +
 +{{:pfsense:pssense_ipsec_tunnell.png?800|}}
 +
 +----
 +
 +==== Firewall Rules ====
 +
 +After you hit **Apply Changes** on both firewalls, your IPsec VPN should connect right away. 
 +
 +You may find that you can’t ping anything across the VPN though - you’ll need to click on **Firewall -> Rules -> Add** to create a hole in the firewall to allow traffic to pass.
 +
 +=== Insecure allow all traffic rule ===
 +
 +
 +<WRAP important>
 +**WARNING:**  This rule will allow ALL traffic to traverse the firewalls (remember you have to make the same rule for both sides).
 +
 +This is NOT a secure setting! If your home network gets compromised, your home network can be a jumping off point for bots/hackers/viruses to invade the network on the other side of the VPN.
 +
 +You have been warned.
 +</WRAP>
 +
 +
 +=== Edit Firewall Rule ===
 +
 +  * Protocol: **Any**
 +
 +And that’s it, unless you want to add a description.
 +
 +End result looks like this:
 +
  
pfsense/vpn/ipsec/site_to_site_setup.1606690219.txt.gz · Last modified: 2020/11/29 22:50 by peter
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki