If you want to connect two sites over the internet, the most popular method is to use IPsec. By itself, IP provides no security, so we wrap the IP packet in IPsec to encrypt the traffic it carries. Once the IPsec connection is established between the two sites, nobody in the path on the internet can decrypt the packets.
Does pfSense support site-to-site VPN using IPsec?
When I first heard about the pfSense firewall, I asked the same question: is it possible to set up an IPsec tunnel on a free and open-source firewall?
You can build multiple site-to-site VPNs using IPsec tunnels on a pfSense firewall, and they work just as well as on any other firewall. So if you are on a tight budget and want to spin up a firewall in your network, pfSense is the way to go.
If you want to set up a site-to-site VPN using pfSense, it is best to build it in a lab environment before deploying it in production. When I first wanted to set up an IPsec VPN, I was unsure how the routing would work, so I built a lab, set up a basic IPsec network, and only then was I ready to deploy it to production.
So if you, like me, want to test things out in a lab first, follow the step-by-step guide here.
You can spin up the pfSense lab in different ways; follow whichever guide below fits your environment, then build the lab as described here.
- How to Set Up an IPsec Tunnel between Palo Alto and pfSense
- How to Configure Palo Alto Site-to-Site VPN Using IPsec
- How to Configure an IPsec VPN Between pfSense and a Cisco Router
- How to Configure an IPsec Site-to-Site VPN on a Cisco Router
How did I build the pfSense IPsec topology?
Before we build the IPsec tunnel, let's talk about the lab in which we are going to configure it.
You can skip this part if you want to go straight to the configuration.
Below is the topology we are going to use. If you are using GNS3 and do not know how to set up pfSense in GNS3, I highly recommend you start there and come back.
- Create site-to-site IPsec tunnels between the branches.
- Both LAN hosts should be able to talk to each other over the tunnel.
- Enable ICMP between the branches first, then all other protocols.
If you are not using GNS3, please set up the lab as per the above topology.
Simulate the internet router.
The confusing part is the internet: how do you get two different public IPs talking to each other? Branch 1 has a WAN IP address of 188.8.131.52, and Branch 2 has a WAN IP address of 184.108.40.206.
To simulate the internet, I will use a Cisco router acting as an internet router.
You don't have to do much on the router: drag and drop a router into the topology, then configure 220.127.116.11 on the interface facing Branch 1 and 18.104.22.168 on the interface facing Branch 2.
Here is the router configuration.
Connect the pfSense firewall to the internet router.
After you have configured the internet router, make sure that each firewall's default gateway points to it. Note that we are not connecting the firewalls to the real internet; we are only simulating one with a Cisco router to provide end-to-end IP connectivity from Branch 1 to Branch 2.
Branch 1 WAN gateway configuration.
Branch 2 WAN gateway configuration.
Configure the pfSense LAN side.
I have configured the pfSense LAN side with the subnet 10.1.1.0/24 for Branch 1 and 10.2.2.0/24 for Branch 2.
Connect the local machine to the pfSense LAN.
Once you have configured the LAN side of pfSense, the easiest way to access the web GUI is from your local machine.
See step 6 in this article to learn how to connect the pfSense LAN side to your local machine.
I will be connecting a cloud node (VMnet6) to the Branch 1 firewall's LAN side and another cloud node (VMnet7) to the Branch 2 firewall's LAN side.
Simulate the end-user machine.
We are going to use end-user machines to test IPsec connectivity after the tunnel is deployed. We don't need a full client operating system for this; a tiny Linux Mint host, a Webterm container or even a Cisco router will do.
For simplicity's sake, I am going to use a Cisco router as the end-user machine. So I dragged and dropped a Cisco router into the topology and did the following.
- On both end-user machines (Cisco routers) I disabled IP routing with the command no ip routing. This makes the router behave like a client machine.
- On the Branch 1 end device, I pointed the default gateway at the pfSense LAN IP, 10.1.1.1.
- Similarly, on Branch 2, I pointed it at 10.2.2.2.
- Finally, I configured the IP addresses 10.1.1.11 and 10.2.2.22 for Branch 1 and Branch 2, respectively.
- I also enabled the HTTP service on these routers, which we will test at the end of the lab.
Below is the actual configuration.
Branch 1 end host (the interface must be brought up with no shutdown, and ip default-gateway is a global command, so we leave interface mode first):
no ip routing
interface GigabitEthernet0/0
 ip address 10.1.1.11 255.255.255.0
 no shutdown
exit
ip default-gateway 10.1.1.1
ip http server
Branch 2 end host:
no ip routing
interface GigabitEthernet0/0
 ip address 10.2.2.22 255.255.255.0
 no shutdown
exit
ip default-gateway 10.2.2.2
ip http server
After you have built the lab, you are good to go!
Steps to configure the site-to-site VPN in pfSense.
- Allow ICMP packets.
- Build the IPsec tunnel.
- Allow IPsec traffic in pfSense.
- pfSense IPsec verification.
The first check to perform before you build any IPsec tunnel is to verify the remote peer's reachability. You can use ping to verify the other side; unfortunately, by default pfSense blocks traffic from the outside to the firewall's WAN interface.
So you need to create a rule that allows only ICMP packets from the remote peer. This step is not strictly necessary, but it makes life a lot easier when you need to troubleshoot issues later.
Note: When allowing anything from the outside in a real network, make sure you allow only ICMP, and only from the remote peer's address, and nothing else. It is not recommended to expose any other protocol on the internet-facing IP.
1. Allow ICMP packets.
First, let's initiate a ping from the Branch 2 outside IP (22.214.171.124) to the Branch 1 outside IP (126.96.36.199).
In the pfSense console, press 7 (Ping host) and enter the public IP of the Branch 1 firewall.
As you can see, I am trying to ping 188.8.131.52 from the Branch 2 firewall, but I can't.
How about my internet router IP, 184.108.40.206? Will I be able to reach it?
Yes, I can reach that IP, and it works just fine.
This indicates that the firewall is blocking the ping. Let's allow it using a pfSense easy rule.
Allow ICMP with pfSense easy rules.
Instead of creating rules manually, there is an easier way to create pfSense rules, called easy rules. When we initiated the ping from Branch 2 to Branch 1, it should have generated firewall log entries, and with the help of those logs we can create the rule right from the log view. Let's take a look.
The ping was not working against the Branch 1 firewall's outside IP.
- Access the web GUI of the Branch 1 firewall.
- Click Status and, in the dropdown list, click System Logs.
- Click Firewall to see logs specific to the firewall.
You should see that the ICMP packet is being denied. To add a pfSense easy rule, click the plus icon.
It will offer to create an easy rule just for ICMP; click Confirm.
You can now see that the rule has been created.
If you open the rule, you should see that echo request is allowed under ICMP.
Let's verify the ping now. As you can see, we can reach the public IP of Branch 1.
Do the same steps on the other side as well.
As you can see, I allowed ICMP echo requests on the Branch 2 side, and you should now be able to ping the Branch 2 public IP from Branch 1.
2. Build the IPsec tunnel.
After you have verified WAN-side reachability over ICMP, let's configure the IPsec tunnel.
Below are the IPsec parameters we are going to use.
We will use the above information to configure Phase 1 of the IPsec tunnel on Branch 1 and Branch 2, and then move on to Phase 2. We basically mirror the configuration on both sides, except for the peer IP and the remote subnet.
After we complete both phases, the tunnel should come up just fine.
So let's set up Phase 1 of the tunnel.
How to set up the pfSense Phase 1 IPsec configuration?
Click VPN and then IPsec.
Let's add the Phase 1 configuration by clicking Add P1.
This opens the Phase 1 configuration page. Let's look at each item.
Below are the fields that you need to modify under General Information.
On Branch 1:
- Key exchange version – IKEv2
- Remote Gateway – 220.127.116.11
- Description – Branch2-IPsec
On Branch 2:
- Key exchange version – IKEv2
- Remote Gateway – 18.104.22.168
- Description – Branch2-IPsec
Phase 1 Proposal (Authentication)
We are leaving the default values and only adding the pre-shared key.
It is recommended to use a complex pre-shared key in production. You can generate a new pre-shared key by clicking the button just below the Pre-Shared Key field.
I clicked the button, which generated a pre-shared key for me; I copied it and used the same PSK on both sides.
The Branch 1 and Branch 2 configurations are the same here.
Phase 1 Proposal (Encryption Algorithm)
Below is what we will configure for the encryption algorithm; again, the Branch 1 and Branch 2 configurations are the same.
- Algorithm – AES256-GCM
- Key Length – 128 bits
- Hash – SHA256
- DH Group – 14 (2048)
There is not much to change under Advanced Options. You can click Save here.
Note: In a real network, if the firewall sits behind NAT, you should enable the NAT Traversal option. Since we are not behind NAT, I am not concerned about it here.
Apply the configuration.
How to set up the pfSense IPsec Phase 2 configuration?
We have now completed Phase 1 of the IPsec tunnel. Let's configure Phase 2 of the tunnel now.
On the same screen (VPN – IPsec), just below the Phase 1 entry you should see Show Phase 2 Entries; click it.
Then click Add P2.
The Phase 2 configuration page now opens. Below are the fields you need to modify.
On Branch 1:
- Remote Network – 10.2.2.0/24 (the remote network we are trying to reach over IPsec from Branch 1).
- Description – Branch2-IPsec.
On Branch 2:
- Remote Network – 10.1.1.0/24
- Description – Branch2-IPsec.
Phase 2 Proposal (SA/Key Exchange)
We are choosing:
- Encryption Algorithms – AES256-GCM
- Hash Algorithms – SHA256
- PFS Key Group – 14 (2048 bit)
The Branch 1 and Branch 2 configurations are the same.
Leave the lifetime at its default.
You can add the remote LAN IP address here so that the firewall starts initiating the tunnel on its own. Reverse traffic is not checked in this case.
Apply the configuration.
How to check IPsec tunnel status in pfSense?
If you have followed the above steps, the tunnel should be established.
In the pfSense firewall, click Status at the top and choose IPsec from the dropdown to see the tunnel status. As you can see, it is established.
The first row represents Phase 1 of the tunnel and the second row shows Phase 2; both are in the established state.
3. Allow IPsec traffic in pfSense
Though the tunnel is up, we cannot yet communicate between the sites over IPsec, as we have not allowed the traffic with a firewall rule.
As you can see, I am trying to reach the remote end host 10.2.2.22 from the Branch 1 local host, but it is not reachable.
Allow ICMP on Branch 2.
Just as we allowed WAN connectivity over ICMP using easy rules, we will follow the same steps here.
- Click Status and then System Logs.
- Click Firewall and scroll down.
- You should see the deny logs for our ICMP packets.
- Click the plus icon to add the easy rule.
- Click Confirm. For now, this will create the automatic rule.
As soon as I added this rule, I could reach Branch 2 from Branch 1, as you can see below.
Why am I unable to communicate via other protocols?
If you look at the Protocol column of the easy rule, you will see that only ICMP is allowed on the IPsec interface. We need to change that for other protocols to pass: in a site-to-site IPsec deployment, hosts need to communicate with remote hosts over a variety of protocols, not just ICMP, so we will have to fix that.
Also, did you notice that we are allowing communication from just a single host, not from all the hosts in the subnet?
If we don't modify that too, any host you add to the network in the future won't be able to communicate with the remote side. So the simple fix is to change the host addresses to subnets and also allow any protocol.
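As an added example, not part of the original article, the following Python models the rule-matching difference described above: the easy rule (ICMP only, one host to one host) versus the same rule after it is widened to protocol Any between the two LAN subnets. The addresses are the lab's; the matching logic is a simplified illustration, not pfSense's own pf engine.

```python
# Added example (not from the original article): a simplified model of how a
# pass rule on pfSense's IPsec tab matches traffic. It shows why the
# auto-generated easy rule (ICMP only, one host to one host) blocks TCP/80
# and any newly added LAN host, while the edited rule (protocol Any,
# subnet to subnet) permits both. Addresses and rule fields mirror the
# article; the matching logic is an illustration, not pfSense's pf engine.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    protocol: str     # "icmp", "tcp", "udp" or "any"
    source: str       # single host or CIDR subnet
    destination: str  # single host or CIDR subnet


def matches(rule: Rule, proto: str, src: str, dst: str) -> bool:
    """True if the packet (proto, src, dst) is covered by this pass rule."""
    proto_ok = rule.protocol in ("any", proto)
    # A bare host address is treated as a /32, just as the easy rule does.
    src_ok = ip_address(src) in ip_network(rule.source, strict=False)
    dst_ok = ip_address(dst) in ip_network(rule.destination, strict=False)
    return proto_ok and src_ok and dst_ok


def allowed(rules, proto: str, src: str, dst: str) -> bool:
    """pfSense rules are evaluated top-down, first match wins; with no
    matching pass rule the IPsec tab's default is to block."""
    return any(matches(r, proto, src, dst) for r in rules)


# The rule the easy-rule button built from the blocked ping in the log.
EASY_RULE = [Rule("icmp", "10.1.1.11", "10.2.2.22")]
# The same rule after the article's edit: protocol Any, hosts -> subnets.
SUBNET_RULE = [Rule("any", "10.1.1.0/24", "10.2.2.0/24")]


def compare(proto: str, src: str, dst: str) -> tuple:
    """(allowed by easy rule, allowed by widened rule) for one packet."""
    return (allowed(EASY_RULE, proto, src, dst),
            allowed(SUBNET_RULE, proto, src, dst))


if __name__ == "__main__":
    for pkt in [("icmp", "10.1.1.11", "10.2.2.22"),   # the original ping
                ("tcp", "10.1.1.11", "10.2.2.22"),    # telnet to port 80
                ("icmp", "10.1.1.12", "10.2.2.22")]:  # a host added later
        easy, wide = compare(*pkt)
        print(pkt, "easy rule:", easy, "subnet rule:", wide)
```

Widening to protocol Any between the two subnets is what the article does; in production you would narrow the protocol and port list to what the sites actually exchange.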
Before widening the rule, let's check whether we can communicate over HTTP.
We already enabled the HTTP server on the remote end when we configured the end hosts.
From the Branch 1 local host, let's try to telnet to the Branch 2 local host on port 80 to see if we can communicate.
As you can see, it didn't work.
Let's check the logs: Status – System Logs – Firewall.
As you can see above, the communication is blocked on port 80.
Let’s go ahead and fix this.
There are two ways to fix this.
You can click the plus icon in the logs to create an easy rule, or you can modify the existing ICMP rule to allow the required ports.
Since adding an easy rule would create one more rule, let's allow all protocols between the Branch 1 and Branch 2 subnets using the existing rule where we allowed ICMP.
On the Branch 2 firewall, click Firewall, then Rules, select the IPsec tab, and click the edit icon on the rule.
Change the protocol to Any.
Change the source and destination from single hosts to the subnets and click Save.
Apply the configuration.
Let's try to access the Branch 2 router over port 80. As you can see, it now works fine.
Excellent! You have just configured Branch 1 to Branch 2 IPsec connectivity and allowed traffic from Branch 1 to Branch 2.
But what about Branch2 to Branch1 connectivity? Will it work?
It doesn't, as we have not configured any rule for that direction, so it is blocked by default.
Let’s fix this as well.
Step 1. Go to the Branch 1 firewall, click Firewall, then Rules, and select the IPsec tab.
Step 2. Click Add to create a rule, and change the protocol to Any.
Step 3. Add the source and destination subnets.
Step 4. Click Save and apply the configuration.
4. pfSense IPsec verification.
As you can see, I am now able to ping from Branch 2 to Branch 1 and can communicate over port 80.
Alright, we have finally configured the IPsec tunnel, and both LAN sides can talk to each other. Creating IPsec tunnels on a pfSense firewall is reasonably straightforward; you will get the hang of it after you build a few tunnels.