EdgeRouter - Site-to-Site IPsec VPN to pfSense


Overview


Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN between an EdgeRouter and a pfSense router.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge are required. Please see the Related Articles below for more information.
 
Devices used in this article:

Table of Contents


  1. Frequently Asked Questions (FAQ)
  2. Network Diagram
  3. Policy-Based VPN
  4. Related Articles

FAQ


1. What site-to-site IPsec VPN types can be configured on EdgeOS?

The following IPsec VPN types can be configured on EdgeOS:

  • Policy-Based
  • Route-Based (VTI)
  • GRE over IPsec

2. What are the available encryption and hashing options (Security Associations / SAs) for Phase 1 (IKE) and Phase 2 (ESP)?

Encryption

  • AES128
  • AES256
  • AES128GCM128
  • AES256GCM128
  • 3DES

Hashing

  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512

Network Diagram


The network topology is shown below and the following interfaces are in use on the routers:

ER-4

  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24

pfSense

  • em0 (WAN) - 192.0.2.1
  • em1 (LAN) - 172.16.1.1/24

topology.png


Policy-Based VPN


GUI: Access the Graphical User Interface (GUI) on the EdgeRouter.

1. Define the IPsec peer and hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Check: Automatically open firewall and exclude from NAT

Peer: 192.0.2.1
Description: ipsec
Local IP: 203.0.113.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 192.168.1.0/24
Remote subnet: 172.16.1.0/24

2. Apply the changes.

 

GUI: Access the Graphical User Interface (GUI) on the pfSense router.

1. Add the firewall rules for IPsec.

Firewall > Rules > WAN > Add

Action: Pass
Interface: WAN
Address Family: IPv4
Protocol: UDP
Source: any
Destination: any
Destination Port Range: From ISAKMP (500) to ISAKMP (500)
Description: ike

Action: Pass
Interface: WAN
Address Family: IPv4
Protocol: ESP
Source: any
Destination: any
Description: esp

Action: Pass
Interface: WAN
Address Family: IPv4
Protocol: UDP
Source: any
Destination: any
Destination Port Range: From IPsec NAT-T (4500) to IPsec NAT-T (4500)
Description: nat-t

Firewall > Rules > IPsec > Add

Action: Pass
Interface: IPsec
Address Family: IPv4
Protocol: Any
Source: Network 192.168.1.0/24
Destination: Network 172.16.1.0/24

2. Define and save the IKE settings.

VPN > IPsec > Tunnels > + Add P1

Key Exchange Version: IKEv1
Internet Protocol: IPv4
Interface: WAN
Remote Gateway: 203.0.113.1
Description: ipsec

Authentication Method: Mutual PSK
Negotiation Mode: Main
My Identifier: My IP address
Peer Identifier: Peer IP address
Pre-Shared Key: <secret>

Encryption Algorithm: AES 128 bits
Hash Algorithm: SHA1
DH Group: 14 (2048 bit)
Lifetime (Seconds): 28800

Dead Peer Detection: Uncheck / disabled
NAT Traversal: Auto

3. Define and save the ESP settings.

VPN > IPsec > Tunnels > Show Phase 2 Entries > +Add P2

Mode: Tunnel IPv4
Local Network: Network 172.16.1.0/24
NAT/BINAT Translation: None
Remote Network: Network 192.168.1.0/24

Protocol: ESP
Encryption Algorithms: AES 128 bits
Hash Algorithms: SHA1
PFS Key Group: 14
Lifetime (Seconds): 3600

Related Articles


EdgeRouter - Policy-Based Site-to-Site IPsec VPN

EdgeRouter - Route-Based Site-to-Site IPsec VPN

Intro to Networking - How to Establish a Connection Using SSH
