IPsec – My LAN, Your LAN, Our LAN

For about a year I have wanted to get an IPsec tunnel between me and my parents'. This will allow me to drop a server there and store offsite information. More importantly, it helps me troubleshoot their issues. Multi-vendor IPsec is never easy, even though, IPsec being a standard, it should always just work. I've been slowly learning Ubiquiti's EdgeOS (Vyatta). The command structure is very similar to Juniper's JunOS. Given that I'm not 100% familiar with EdgeOS, I've been using templates and code snippets from across the internet. As with any of these, one cannot simply copy/paste. These generic rules might not be efficient in everyone's case. I have modified my install heavily. For example, I use WA8LIV.com as one of the hosts. On consumer grade internet, my IP address could change. Dynamic DNS updates and the tunnel fixes itself. My parents are also now using Dynamic DNS.

Below is a pfSense + EdgeOS code snippet that I used to get this tunnel up (taken from here and here).  I found this very useful.  Hopefully someone else will too!


Variable References

pfSense

  • Static WAN IP: 1.1.1.1
  • LAN IP: 192.168.1.1
  • LAN Subnet: 192.168.1.0/24

EdgeOS

  • Static WAN IP: 2.2.2.2
  • LAN IP: 192.168.2.1
  • LAN Subnet: 192.168.2.0/24

Please note that the variables above will vary with your LAN settings and should be modified accordingly. Let’s jump into the pfSense config!

pfSense – VPN Config

Navigate to VPN > IPSEC and make sure that you Enable IPsec and Save, or none of this will work at the end 🙂

pfSense Phase 1 General Settings

  • Key Exchange Version: V1
  • Internet Protocol: IPv4
  • Interface: WAN
  • Remote Gateway: 2.2.2.2
  • Description: EdgeOS Router

pfSense Phase 1 Proposal (Authentication)

  • Authentication method: Mutual PSK
  • Negotiation mode: Main
  • My identifier: My IP address
  • Peer identifier: Peer IP address
  • Pre-Shared Key: ChangeYourPreSharedKeyDontActuallyUseThis

pfSense Phase 1 Proposal (Algorithms)

  • Encryption algorithm: AES 256 bits
  • Hash algorithm: SHA1
  • DH key group: 2 (1024 bit)
  • Lifetime: 3600

pfSense Phase 1 Advanced Options

  • NAT Traversal: Auto
  • Dead Peer Detection: Enable DPD, 30 seconds, 5 retries

pfSense Phase 2 General Settings

  • Mode: Tunnel IPv4
  • Local Network: LAN subnet
  • Remote Network: 192.168.2.0/24

pfSense Phase 2 Proposal (SA/Key Exchange)

  • Protocol: ESP
  • Encryption algorithm: AES 256 bits
  • Hash algorithm: SHA1
  • PFS key group: 2 (1024 bits)
  • Lifetime: 3600

Okay, now you’re good to press save and apply.

pfSense – Firewall > Rules

You’ll want to add 3 rules: Pass TCP/UDP 4500 IPsec, Pass TCP 51 for IPsec Authentication Headers, and Pass UDP 500 ISAKMP.

Add new rule 1:

  • Action: Pass
  • Disabled: Unchecked
  • Interface: WAN
  • TCP/IP Version: IPv4
  • Protocol: TCP/UDP
  • Source: any
  • Destination: WAN address
  • Destination port range: IPsec NAT-T (4500)
  • Description: IPsec NAT | PASS

New rule 2:

  • Action: Pass
  • Disabled: Unchecked
  • Interface: WAN
  • TCP/IP Version: IPv4
  • Protocol: UDP
  • Source: any
  • Destination: WAN address
  • Destination port range: ISAKMP (500)
  • Description: IPsec ISAKMP | PASS

And new rule 3:

  • Action: Pass
  • Disabled: Unchecked
  • Interface: WAN
  • TCP/IP Version: IPv4
  • Protocol: TCP
  • Source: any
  • Destination: WAN address
  • Destination port range: (other) 51
  • Description: IPsec Authentication Headers | PASS

Now, click on the new IPsec tab.

Add a new rule:

  • Action: Pass
  • Disabled: Unchecked
  • Interface: IPsec
  • TCP/IP Version: IPv4
  • Protocol: any
  • Source: any
  • Destination: any
  • Log: Checked
  • Description: PASS | EVERYTHING

Save and apply your settings again
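Added example, not from the original post: a small Python model of the WAN rule set above that checks whether every traffic class an IPsec tunnel needs is admitted. IKE uses UDP 500 and NAT-T UDP 4500, but ESP is IP protocol 50 and AH is IP protocol 51, which are protocols of their own rather than TCP ports, so rules are modelled as (protocol, destination port) tuples; REQUIRED, AH and POST_RULES are constructed for the example.

```python
# Traffic classes a WAN pass rule set must admit before a site-to-site IPsec tunnel
# can be established. IKE and NAT-T are UDP ports; ESP (IP protocol 50) and AH
# (IP protocol 51) are protocols of their own, so they have no port at all.
REQUIRED = {"IKE/ISAKMP": ("udp", 500), "IKE NAT-T": ("udp", 4500), "ESP": ("esp", None)}
AH = ("ah", None)  # only needed if a tunnel actually uses Authentication Headers

def rule_admits(rule, proto, port):
    """True if a pass rule (protocol, destination port or None) covers the class."""
    rproto, rport = rule
    protos = {"tcp/udp": {"tcp", "udp"}}.get(rproto, {rproto})
    return proto in protos and (rport is None or rport == port)

def missing(rules):
    """Names of required classes that no rule in the list admits."""
    return [name for name, spec in REQUIRED.items()
            if not any(rule_admits(r, *spec) for r in rules)]

# Constructed: the three WAN rules from this post as (protocol, destination port).
POST_RULES = [("tcp/udp", 4500), ("udp", 500), ("tcp", 51)]
```

With NAT between the peers, ESP travels inside UDP 4500 and the ESP rule is never exercised; with public IPs on both ends, as in this post, it is.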

Okay! Now that you’ve gotten this far, let’s go through the EdgeOS config!

EdgeOS – VPN Config

Go ahead and SSH to your EdgeOS box, log in, type configure and press enter. Your prompt will change from admin@EdgeOS$ to admin@EdgeOS#, indicating that you're ready to start inputting your VPN settings!

set firewall all-ping enable
set firewall name WAN_LOCAL
set firewall name WAN_LOCAL rule 5 action accept
set firewall name WAN_LOCAL rule 5 description "ICMP 60/m"
set firewall name WAN_LOCAL rule 5 limit burst 1
set firewall name WAN_LOCAL rule 5 limit rate 60/minute
set firewall name WAN_LOCAL rule 5 log enable
set firewall name WAN_LOCAL rule 5 protocol icmp
set vpn ipsec esp-group pfSense
set vpn ipsec esp-group pfSense mode tunnel
set vpn ipsec esp-group pfSense pfs enable
set vpn ipsec esp-group pfSense proposal 1
set vpn ipsec esp-group pfSense proposal 1 encryption aes256
set vpn ipsec esp-group pfSense proposal 1 hash sha1
set vpn ipsec esp-group pfSense lifetime 3600
set vpn ipsec esp-group pfSense compression disable
set vpn ipsec ike-group pfSense dead-peer-detection action restart
set vpn ipsec ike-group pfSense dead-peer-detection interval 30
set vpn ipsec ike-group pfSense dead-peer-detection timeout 60
set vpn ipsec ike-group pfSense proposal 1
set vpn ipsec ike-group pfSense proposal 1 encryption aes256
set vpn ipsec ike-group pfSense proposal 1 hash sha1
set vpn ipsec ike-group pfSense lifetime 3600
set vpn ipsec ike-group pfSense key-exchange ikev1
set vpn ipsec ike-group pfSense proposal 1 dh-group 2
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec site-to-site peer 1.1.1.1
set vpn ipsec site-to-site peer 1.1.1.1 connection-type initiate
set vpn ipsec site-to-site peer 1.1.1.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 1.1.1.1 authentication pre-shared-secret ChangeYourPreSharedKeyDontActuallyUseThis
set vpn ipsec site-to-site peer 1.1.1.1 ike-group pfSense
set vpn ipsec site-to-site peer 1.1.1.1 local-address 2.2.2.2
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 esp-group pfSense
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 local prefix 192.168.2.0/24
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 remote prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 allow-public-networks disable
set vpn ipsec nat-traversal enable
commit
save
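Added example, not part of the original post: a Python checker that parses the ike-group and esp-group lines of an EdgeOS config like the one above and compares them with the pfSense Phase 1 and Phase 2 values entered earlier, since a proposal mismatch is the usual reason a multi-vendor tunnel never gets past phase 1 or phase 2. The PFSENSE mapping of GUI fields to EdgeOS attribute names and the SAMPLE config are constructed for the example; it also flags SHA1 and DH group 2, which this post uses but which are below current guidance.

```python
import re
# pfSense Phase 1 / Phase 2 values from the GUI settings above, transcribed by hand
# into EdgeOS attribute names (the mapping is an assumption of this example).
PFSENSE = {
    "ike": {"key-exchange": "ikev1", "encryption": "aes256", "hash": "sha1",
            "dh-group": "2", "lifetime": "3600"},
    "esp": {"mode": "tunnel", "encryption": "aes256", "hash": "sha1",
            "pfs": "enable", "lifetime": "3600"},
}
# SHA1 and 1024-bit MODP (DH group 2) are below current guidance, so flag them.
WEAK = {("ike", "hash", "sha1"), ("esp", "hash", "sha1"), ("ike", "dh-group", "2")}
SET_LINE = re.compile(r"^set vpn ipsec (ike|esp)-group \S+ (.+)$")

def parse_edgeos(config_text):
    """Collect ike-group and esp-group attributes from 'set vpn ipsec ...' lines."""
    groups = {"ike": {}, "esp": {}}
    for line in config_text.splitlines():
        m = SET_LINE.match(line.strip())
        if not m:
            continue
        kind, words = m.group(1), m.group(2).split()
        if words[0] == "proposal" and len(words) == 4:  # proposal 1 <attr> <value>
            groups[kind][words[2]] = words[3]
        elif len(words) == 2:                            # lifetime 3600, pfs enable, ...
            groups[kind][words[0]] = words[1]
    return groups

def mismatches(edgeos, pfsense=PFSENSE):
    """(phase, attribute, edgeos_value, pfsense_value) for every value that differs."""
    return [(kind, attr, edgeos[kind].get(attr), want)
            for kind in ("ike", "esp") for attr, want in pfsense[kind].items()
            if edgeos[kind].get(attr) != want]

def weak_settings(edgeos):
    """(phase, attribute, value) for every configured value on the WEAK list."""
    return sorted((k, a, v) for k in edgeos for a, v in edgeos[k].items() if (k, a, v) in WEAK)

# Constructed sample: the post's group lines with the ESP hash changed to sha256 to force a mismatch.
SAMPLE = """
set vpn ipsec esp-group pfSense mode tunnel
set vpn ipsec esp-group pfSense pfs enable
set vpn ipsec esp-group pfSense proposal 1 encryption aes256
set vpn ipsec esp-group pfSense proposal 1 hash sha256
set vpn ipsec esp-group pfSense lifetime 3600
set vpn ipsec ike-group pfSense proposal 1 encryption aes256
set vpn ipsec ike-group pfSense proposal 1 hash sha1
set vpn ipsec ike-group pfSense proposal 1 dh-group 2
set vpn ipsec ike-group pfSense lifetime 3600
set vpn ipsec ike-group pfSense key-exchange ikev1
"""
```

Feed it the `set` lines from `show configuration commands` on the EdgeOS box instead of SAMPLE to check a live config.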
