IPsec between pfSense at home and Ubuntu in data center

ericafterdark

I would like to encrypt all of my internet traffic at home and enter and leave the internet via an Ubuntu server in a data center. Basically a site to site IPsec tunnel between the two of them.

Home: pfSense 2.2.2-RELEASE (amd64) with a public IP on the wan interface and DHCP on the lan interface

Data center: Ubuntu 14.04 server with 1 interface with a public IP

I've installed Openswan on the Ubuntu server and am wondering if anyone can help me out with the right ipsec.conf settings and pfSense settings? I'd really appreciate it.

kapara

do you have to use ubuntu? what about freebsd or virtualization?

ericafterdark

So I've changed my data center setup to a VPS (Ubuntu server 14.04 x64) with Strongswan and UFW. The configuration is not optimal yet as I'm learning how everything works but it works for now. I do have issues loading certain websites and will play around with mss settings to try and resolve these.

/etc/ipsec.conf

config setup
uniqueids = yes
charondebug = ""

conn con1000
reqid = 1
fragmentation = yes
keyexchange = ikev2
reauth = yes
forceencaps = no
mobike = no
rekey = yes
installpolicy = yes
type = tunnel
dpdaction = restart
dpddelay = 10s
dpdtimeout = 60s
auto = route
left = PUBLIC.IP.DATA.CENTER
right = PUBLIC.IP.PFSENSE.HOME
leftid = PUBLIC.IP.DATA.CENTER
ikelifetime = 28800s
lifetime = 3600s
ike = aes128-sha1-modp1024!
esp = aes128gcm128-sha1!
leftauth = psk
rightauth = psk
rightid = PUBLIC.IP.PFSENSE.HOME
rightsubnet = PRIVATE.LAN.AT.HOME/24
leftsubnet = 0.0.0.0/0

/etc/ipsec.secrets

PUBLIC.IP.DATA.CENTER PUBLIC.IP.PFSENSE.HOME : PSK A-VERY-STRONG-KEY-RIGHT-HERE

Added to /etc/ufw/before.rules

START IPSEC RULES

NAT table rules

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s PRIVATE.LAN.AT.HOME/24 -o eth0 -j MASQUERADE
COMMIT

END IPSEC RULES

and allowed the following traffic in UFW

500
PUBLIC.IP.DATA.CENTER/esp
4500

My pfSense has the following settings.

<ipsec><phase1><ikeid>1</ikeid>
<iketype>ikev2</iketype>
<interface>wan</interface>
<remote-gateway>PUBLIC.IP.DATA.CENTER</remote-gateway>
<protocol>inet</protocol>
<myid_type>myaddress</myid_type>
<myid_data><peerid_type>peeraddress</peerid_type>
<peerid_data><encryption-algorithm><name>aes</name>
<keylen>128</keylen></encryption-algorithm>
<hash-algorithm>sha1</hash-algorithm>
<dhgroup>2</dhgroup>
<lifetime>28800</lifetime>
<pre-shared-key>A-VERY-STRONG-KEY-RIGHT-HERE</pre-shared-key>
<private-key><certref><caref><authentication_method>pre_shared_key</authentication_method>

<nat_traversal>on</nat_traversal>
<mobike>off</mobike>
<dpd_delay>10</dpd_delay>
<dpd_maxfail>5</dpd_maxfail></caref></certref></private-key></peerid_data></myid_data></phase1>
<client><phase2><ikeid>1</ikeid>
<uniqid>48592e235543</uniqid>
<mode>tunnel</mode>
<reqid>1</reqid>
<localid><type>lan</type></localid>
<remoteid><type>network</type>

And of course NAT outbound and firewall rules for IPsec.

cmb

You're probably better off using OpenVPN for that usage case, as that gives you much better flexibility in what you route out via the VPS.

ericafterdark

@cmb:

You're probably better off using OpenVPN for that usage case, as that gives you much better flexibility in what you route out via the VPS.

That is correct and I agree. The problem with OpenVPN however is that I can't max out the connection. OpenVPN works great but limits around 160 Mbit/s. With IPsec I easily reach the full 200 Mbit/s I currently have between the two sites. Both ends have a CPU with AES-NI support and I played around with all OpenVPN recommended settings but I can't push it beyond 160 Mbit/s. So that's why I'm back at IPsec.

cmb

Ah. Yeah OpenVPN doesn't yet support AES-GCM, that's coming in OpenVPN 2.4 later this year it appears. That'll get you AES-NI acceleration benefits with it.

MrMoo

Dump the contents of the generated StrongSwan configuration on pfSense, it looks like you have it configured for esp = aes128gcm128-sha1-modp1024! which is different to the other side.