Part of my security redesign this year is to replace our aging Cisco PIX boxes with pfsense. Yesterday I spent the day setting up a simulated environment for 3 of our offices over an Internet connection. I was able to get the IPSEC tunnel up and running between two pfsense boxes pretty quick. Here’s a quick and dirty process for getting it all to work:
Site 1: Outside IP: 200.200.200.201/29
Outside Gateway: 200.200.200.202
Inside IP: 192.168.1.0/24
Site 2: Outside IP: 100.100.100.100/29
Outside Gateway: 100.100.100.101
Inside IP: 192.168.2.0/24
Note: I assume everything is wired correctly and there is a router which will provide connectivity between 200.200.200.202/29 and 100.100.100.101/29. Also, if you are faking Internet addresses like I am above, be sure they aren’t in the bogon list that pfsense uses. Otherwise you’ll have to remove the bogon firewall rules on the WAN interface.
Step 1: Install pfsense and set local IP’s on both firewalls.
Step 2: Logon to the web interface for pfsense on each box and assign the WAN addresses.
Step 3: Enable IPSEC (VPN->IPSEC->Enable IPSec). Do this on both firewalls.
Step 4: Add a tunnel on Site 1’s firewall to Site 2 by adding a tunnel and changing only the following items:
* Remote Subnet: 192.168.2.0/24
* Remote Gateway: 100.100.100.100
* Phase 1 Lifetime: 28800
* PreShared Key: thisisasecretdon’ttell
* PFS Key Group: 2
* Phase 2 Lifetime: 3600
Now hit the save button
Step 5: Add a tunnel on Site 2’s firewall to Site 1 by adding a tunnel and changing only the following items:
* Remote Subnet: 192.168.1.0/24
* Remote Gateway: 200.200.200.201
* Phase 1 Lifetime: 28800
* PreShared Key: thisisasecretdon’ttell
* PFS Key Group: 2
* Phase 2 Lifetime: 3600
Now hit the save button
Step 6: Be sure to “Apply Changes” when prompted on each firewall.
NOTE: SEE COMMENTS…STEP 7 IS NOT NEEDED…
Step 7: Allow Authenticated Headers (TCP/51) and ISAKMP (UPD/500) with Firewall rules so that IPSEC can pass. Firewall->Rules: WAN Tab.
Rule 1
* Source IP: Any
* Destination IP: WAN Address
* Protocol: TCP
* Port: 51 (Other)
Hit Save
Rule 2
* Source IP: Any
* Destination IP: WAN Address
* Protocol: UDP
* Port:500 (isakmp)
Hit Save
Do this on both firewalls and Apply Changes when prompted
Step 8: Allow all traffic to pass through the IPSEC tunnel. Firewall->Rules : IPSEC Tab
Rule 1
* Source IP: Any
* Destination IP: Any
* Protocol: Any
* Port Range: Any
Hit Save
Do this on both firewalls and Apply Changes when prompted
That’s pretty much it. You should now be able to ping inside interfaces between firewall with the ping diagnostic tool. From here you can further restrict traffic with firewall rules as needed.
If something goes wrong, use the Status-> System Logs to check out what is going on both on the firewall and on the IPSec tabs. Note that any firewall denies for the IPSEC interface appear as enc0 as the interface on the Firewall tab of System Logs.
Enjoy!