Wednesday, July 01, 2009

Basic pfsense to pfsense IPSEC tunnel config

Part of my security redesign this year is to replace our aging Cisco PIX boxes with pfsense.  Yesterday I spent the day setting up a simulated environment for 3 of our offices over an Internet connection.  I was able to get the IPSEC tunnel up and running between two pfsense boxes pretty quickly.  Here’s a quick and dirty process for getting it all to work:

Site 1:  Outside IP: 200.200.200.201/29
           Outside Gateway:  200.200.200.202
           Inside IP: 192.168.1.0/24

Site 2:  Outside IP: 100.100.100.100/29
           Outside Gateway:  100.100.100.101
           Inside IP: 192.168.2.0/24

Note: I assume everything is wired correctly and there is a router which will provide connectivity between 200.200.200.202/29 and 100.100.100.101/29.  Also, if you are faking Internet addresses like I am above, be sure they aren’t in the bogon list that pfsense uses.  Otherwise you’ll have to remove the bogon firewall rules on the WAN interface.


Step 1: Install pfsense and set local IPs on both firewalls.

Step 2: Log on to the web interface for pfsense on each box and assign the WAN addresses.

Step 3: Enable IPSEC (VPN->IPSEC->Enable IPSec). Do this on both firewalls.

Step 4: Add a tunnel on Site 1’s firewall to Site 2 by adding a tunnel and changing only the following items:
* Remote Subnet:  192.168.2.0/24
* Remote Gateway: 100.100.100.100
* Phase 1 Lifetime: 28800
* PreShared Key:  thisisasecretdon’ttell
* PFS Key Group: 2
* Phase 2 Lifetime: 3600

Now hit the Save button.

Step 5: Add a tunnel on Site 2’s firewall to Site 1 by adding a tunnel and changing only the following items:
* Remote Subnet:  192.168.1.0/24
* Remote Gateway: 200.200.200.201
* Phase 1 Lifetime: 28800
* PreShared Key:  thisisasecretdon’ttell
* PFS Key Group: 2
* Phase 2 Lifetime: 3600

Now hit the Save button.

Step 6: Be sure to “Apply Changes” when prompted on each firewall.

NOTE: SEE COMMENTS... STEP 7 IS NOT NEEDED. pfsense allows inbound AH and ISAKMP on the WAN interface automatically as soon as IPSEC is enabled.

Step 7: Allow Authenticated Headers (TCP/51) and ISAKMP (UDP/500) with Firewall rules so that IPSEC can pass.  Firewall->Rules: WAN Tab.
Rule 1
* Source IP: Any
* Destination IP: WAN Address
* Protocol: TCP
* Port: 51 (Other)
   Hit Save
Rule 2
* Source IP: Any
* Destination IP: WAN Address
* Protocol: UDP
* Port:500 (isakmp)
   Hit Save

Do this on both firewalls and Apply Changes when prompted

Step 8: Allow all traffic to pass through the IPSEC tunnel.  Firewall->Rules : IPSEC Tab
Rule 1
* Source IP: Any
* Destination IP: Any
* Protocol: Any
* Port Range: Any
   Hit Save

Do this on both firewalls and Apply Changes when prompted

That’s pretty much it.  You should now be able to ping inside interfaces between the firewalls with the ping diagnostic tool.  From here you can further restrict traffic with firewall rules as needed.

If something goes wrong, use the Status-> System Logs to check out what is going on both on the firewall and on the IPSec tabs.  Note that any firewall denies for the IPSEC interface appear as enc0 as the interface on the Firewall tab of System Logs.
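As an added check that is not part of the original post or of pfsense itself, here is a small Python script that compares the two tunnel entries above against each other (Site 1's remote subnet and gateway must be Site 2's LAN and WAN, and vice versa; PSK, PFS group and lifetimes must match) and screens the fake WAN addresses against a constructed subset of IANA reserved ranges, per the bogon note above. One caveat it surfaces: 100.64.0.0/10 was reserved by RFC 6598 in 2012, after this post, so a current bogon list would flag Site 2's address.

```python
import ipaddress

# Constructed subset of IANA special-purpose IPv4 ranges; NOT pfsense's own bogon feed.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]

# The two tunnel entries from the post (straight apostrophe used in the PSK).
SITE1 = {"name": "Site 1", "wan": "200.200.200.201/29", "lan": "192.168.1.0/24",
         "remote_subnet": "192.168.2.0/24", "remote_gateway": "100.100.100.100",
         "p1_lifetime": 28800, "psk": "thisisasecretdon'ttell", "pfs_group": 2,
         "p2_lifetime": 3600}
SITE2 = {"name": "Site 2", "wan": "100.100.100.100/29", "lan": "192.168.2.0/24",
         "remote_subnet": "192.168.1.0/24", "remote_gateway": "200.200.200.201",
         "p1_lifetime": 28800, "psk": "thisisasecretdon'ttell", "pfs_group": 2,
         "p2_lifetime": 3600}


def bogon_hits(cidr):
    """Return the reserved ranges (as strings) that the host part of `cidr` falls in."""
    addr = ipaddress.ip_interface(cidr).ip
    return [str(n) for n in BOGONS if addr in n]


def check_direction(local, peer):
    """One direction: local's tunnel entry must point at peer's LAN and WAN address."""
    problems = []
    if ipaddress.ip_network(local["remote_subnet"]) != ipaddress.ip_network(peer["lan"]):
        problems.append(f"{local['name']}: remote subnet {local['remote_subnet']} "
                        f"!= peer LAN {peer['lan']}")
    if ipaddress.ip_address(local["remote_gateway"]) != ipaddress.ip_interface(peer["wan"]).ip:
        problems.append(f"{local['name']}: remote gateway {local['remote_gateway']} "
                        f"!= peer WAN {peer['wan']}")
    return problems


def check_tunnel(a, b):
    """Return a list of findings; an empty list means the two entries mirror cleanly."""
    problems = check_direction(a, b) + check_direction(b, a)
    # Phase 1/2 parameters are negotiated, so both ends must be configured identically.
    for key in ("psk", "pfs_group", "p1_lifetime", "p2_lifetime"):
        if a[key] != b[key]:
            problems.append(f"{key} differs between {a['name']} and {b['name']}")
    if ipaddress.ip_network(a["lan"]).overlaps(ipaddress.ip_network(b["lan"])):
        problems.append("LAN subnets overlap; traffic would never be routed into the tunnel")
    for site in (a, b):
        for net in bogon_hits(site["wan"]):
            problems.append(f"{site['name']}: WAN {site['wan']} falls in bogon range {net}")
    return problems


if __name__ == "__main__":
    for finding in check_tunnel(SITE1, SITE2) or ["no findings"]:
        print(finding)
```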

Enjoy!

12 comments:

Bylie said...

Hi,

Nice article but I see that you use the TCP protocol port 51 on a rule to allow AH traffic. Isn't AH an entirely separate protocol besides TCP, UDP, ESP, etc? In that case shouldn't you have to choose AH as protocol instead of TCP?

http://www.iana.org/assignments/protocol-numbers/

Rolfsa said...

I think you are correct. I'll have to go back to my lab config and see what I actually did. It's probably just a typo. After I review the config I'll correct the posting. Thanks for letting me know.

Rolfsa said...

Ok... first off, sorry on the late reply. It's taken me awhile to get back and test this. You are correct, I had a typo in my config. AH is its own protocol and should not be listed as TCP. However, one thing I learned is that you don't even need the rules on the WAN interface for AH or ISAKMP. pfsense will automatically allow inbound AH and ISAKMP on the WAN interfaces as soon as you enable IPSEC. You don't need to write a rule for them at all. I guess this bothers me a little because you can't determine that from looking at the rule base. My preference would be that they autogenerate the rule but then grey it out so you can't change it directly. At least that way there are no surprises.

Bylie said...

Hi,

First I haven't used IPsec on pfSense so I'm not familiar with the particular setup details myself. Actually that's why I came looking at your article :-), to see how it compared to a Juniper IPsec setup. Have you verified that they setup the pf rules in the background? The command "pfctl -sa" seems to give the complete running pf config but it's quite intimidating :-), I really have to look a little closer to pf one of these days.

I have however setup a couple of OpenVPN client connections on my pfSense firewall and in this case I specifically had to open UDP port 1194 on the WAN interface.

Imho they could improve the following:
- Make autogenerated rules visible in the webUI as much as possible with proper comments, like you suggested.
- Autogenerate rules for all services or don't autogenerate anything at all to keep it simple. I prefer the former because sometimes getting services running can be daunting enough :-) so any help you can get is appreciated if they don't hide it.

Rolfsa said...

Honestly...I haven't messed with the pf command line stuff at all. I've been able to do everything I've needed from the webgui. I do plan on taking a look at it soon.

Nate said...

If you have a VPN configuration for pfSense like

a <=> b <=> c

Can point a contact sites on point c? That is, does it form a hub & spoke system or is it necessary to build a mesh between all firewall points you want to communicate between?

Rolfsa said...

Nate,

I bet it is possible but it might take some creative routing to make work correctly. When I've had to do this type of thing I create the mesh myself. I do understand that that doesn't scale well but I've just not had the need.

Premod said...

Hi Rolfsa,

It's a nice article for setting up IPSec VPN on pfSense. I love the way you presented it.

I would like to say, have you implemented this on production? If so how is the overall experience so far.

Rolfsa said...

Hi Premod,

We've had a remote office connected with the IPSEC pfsense tunnel for over a year now with no real issues. Performance has been great!

-Rolfsa

Hosting Chile said...

Excellent article.
thanks

Speedydowt said...

Excellent article, I didn't even need to add firewall rules to allow traffic between tunneled sites. I presume this is only needed to block traffic....

Speedydowt said...

Sorry, previous comment may be wrong. Outgoing connections work ok from pfsense to the Billion router I've set it up on, yet to try Billion to pfsense box (I presume I will need to add a rule as it's an incoming connection).

many thanks