Netgate Discussion Forum
    Site to Site IPsec VPN - pfSense to Ubiquiti EdgeOS

    IPsec
    danmanners

      Original post here: Site to Site VPN: pfSense to Ubiquiti EdgeOS - Just reformatted a bit for the pfSense forum

      Hey everyone! As many of you have helped me either directly or indirectly, I wanted to share with you my how-to on getting pfSense (2.2.6) and Ubiquiti's EdgeRouter (EdgeOS 1.8.0) site-to-site VPN up and operational! I was having difficulty finding a tutorial online for this specific configuration, so I figured I'd give a little back to the community!

      A few notes before diving in:

      • I'm assuming that you have a basic enough understanding of both pfSense and EdgeOS in order to get your devices physically connected to their respective WAN cables and online with static public IPs. I've been running this config for a few days without any hiccups as far as I can tell. If you're operating without a static public IP, this may not be as helpful for you, as any time your IP changes you'd be required to change your IP settings on both pfSense and EdgeOS.

      • I'm definitely not setting this up with a security-conscious mindset; this is just a proof of concept "get-it-up-and-running" guide.

      • As always, YMMV!

      Without further ado, please read below!

      Variable References

      pfSense

      • Static WAN IP: 1.1.1.1

      • LAN IP: 192.168.1.1

      • LAN Subnet: 192.168.1.0/24

      EdgeOS

      • Static WAN IP: 2.2.2.2

      • LAN IP: 192.168.2.1

      • LAN Subnet: 192.168.2.0/24

      Please note that the variables above will vary with your LAN settings and should be modified accordingly. Let's jump into the pfSense config!

      pfSense - VPN Config
      Navigate to VPN > IPSEC and make sure that you Enable IPsec and Save, or none of this will work at the end :)

      pfSense Phase 1 General Settings

      • Key Exchange Version: V1

      • Internet Protocol: IPv4

      • Interface: WAN

      • Remote Gateway: 2.2.2.2

      • Description: EdgeOS Router

      pfSense Phase 1 Proposal (Authentication)

      • Authentication method: Mutual PSK

      • Negotiation mode: Main

      • My identifier: My IP address

      • Peer identifier: Peer IP address

      • Pre-Shared Key: ChangeYourPreSharedKeyDontActuallyUseThis

      pfSense Phase 1 Proposal (Algorithms)

      • Encryption algorithm: AES 256 bits

      • Hash algorithm: SHA1

      • DH key group: 2 (1024 bit)

      • Lifetime: 3600

      pfSense Phase 1 Advanced Options

      • NAT Traversal: Auto

      • Dead Peer Detection: Enable DPD, 30 seconds, 5 retries

      pfSense Phase 2 General Settings

      • Mode: Tunnel IPv4

      • Local Network: LAN subnet

      • Remote Network: 192.168.2.0/24

      pfSense Phase 2 Proposal (SA/Key Exchange)

      • Protocol: ESP

      • Encryption algorithm: AES 256 bits

      • Hash algorithm: SHA1

      • PFS key group: 2 (1024 bits)

      • Lifetime: 3600

      Okay, now you're good to press save and apply.

      pfSense - Firewall > Rules

      You'll want to add 3 rules: Pass TCP/UDP 4500 IPsec, Pass TCP 51 for IPsec Authentication Headers, and Pass UDP 500 ISAKMP.

      Add new rule 1:

      • Action: Pass

      • Disabled: Unchecked

      • Interface: WAN

      • TCP/IP Version: IPv4

      • Protocol: TCP/UDP

      • Source: any

      • Destination: WAN address

      • Destination port range: IPsec NAT-T (4500)

      • Description: IPsec NAT | PASS

      New rule 2:

      • Action: Pass

      • Disabled: Unchecked

      • Interface: WAN

      • TCP/IP Version: IPv4

      • Protocol: UDP

      • Source: any

      • Destination: WAN address

      • Destination port range: ISAKMP (500)

      • Description: IPsec ISAKMP | PASS

      And new rule 3:

      • Action: Pass

      • Disabled: Unchecked

      • Interface: WAN

      • TCP/IP Version: IPv4

      • Protocol: TCP

      • Source: any

      • Destination: WAN address

      • Destination port range: (other) 51

      • Description: IPsec Authentication Headers | PASS

      Now, click on the new IPsec tab.

      Add a new rule:

      • Action: Pass

      • Disabled: Unchecked

      • Interface: IPsec

      • TCP/IP Version: IPv4

      • Protocol: any

      • Source: any

      • Destination: any

      • Log: Checked

      • Description: PASS | EVERYTHING

      Save and apply your settings again

      Okay! Now that you've gotten this far, let's go through the EdgeOS config!

      EdgeOS - VPN Config
      Go ahead and SSH to your EdgeOS box, log in, and enter configure and press enter. Your box will change from admin@EdgeOS$ to admin@EdgeOS#, indicating that you're ready to start inputting your VPN settings!

      
      set firewall all-ping enable
      set firewall name WAN_LOCAL
      set firewall name WAN_LOCAL rule 5 action accept
      set firewall name WAN_LOCAL rule 5 description "ICMP 60/m"
      set firewall name WAN_LOCAL rule 5 limit burst 1
      set firewall name WAN_LOCAL rule 5 limit rate 60/minute
      set firewall name WAN_LOCAL rule 5 log enable
      set firewall name WAN_LOCAL rule 5 protocol icmp
      set vpn ipsec esp-group pfSense
      set vpn ipsec esp-group pfSense mode tunnel
      set vpn ipsec esp-group pfSense pfs enable
      set vpn ipsec esp-group pfSense proposal 1
      set vpn ipsec esp-group pfSense proposal 1 encryption aes256
      set vpn ipsec esp-group pfSense proposal 1 hash sha1
      set vpn ipsec esp-group pfSense lifetime 3600
      set vpn ipsec esp-group pfSense compression disable
      set vpn ipsec ike-group pfSense dead-peer-detection action restart
      set vpn ipsec ike-group pfSense dead-peer-detection interval 30
      set vpn ipsec ike-group pfSense dead-peer-detection timeout 60
      set vpn ipsec ike-group pfSense proposal 1
      set vpn ipsec ike-group pfSense proposal 1 encryption aes256
      set vpn ipsec ike-group pfSense proposal 1 hash sha1
      set vpn ipsec ike-group pfSense lifetime 3600
      set vpn ipsec ike-group pfSense key-exchange ikev1
      set vpn ipsec ike-group pfSense proposal 1 dh-group 2
      set vpn ipsec ipsec-interfaces interface eth0
      set vpn ipsec auto-firewall-nat-exclude enable
      set vpn ipsec nat-networks allowed-network 0.0.0.0/0
      set vpn ipsec site-to-site peer 1.1.1.1
      set vpn ipsec site-to-site peer 1.1.1.1 connection-type initiate
      set vpn ipsec site-to-site peer 1.1.1.1 authentication mode pre-shared-secret
      set vpn ipsec site-to-site peer 1.1.1.1 authentication pre-shared-secret ChangeYourPreSharedKeyDontActuallyUseThis
      set vpn ipsec site-to-site peer 1.1.1.1 ike-group pfSense
      set vpn ipsec site-to-site peer 1.1.1.1 local-address 2.2.2.2
      set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1
      set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 esp-group pfSense
      set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 local prefix 192.168.2.0/24
      set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 remote prefix 192.168.1.0/24
      set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 allow-nat-networks disable
      set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 allow-public-networks disable
      set vpn ipsec nat-traversal enable
      commit
      save

      Once that's all done, you should be up and online just fine!

      Notes
      Just briefly: I'd like to thank everyone in the pfSense community for being just generally wonderful. I've learned more over the past year and a half and done more with pfSense than any other router/firewall product previously, and I cannot recommend it enough to other people. The community that all of you offer is just amazing!

      Please let me know if you have any questions regarding anything! I've had it up and running for a few days on my side now without any issues!

      Source Reference for EdgeOS IPSec Config
      How to Configure Site-to-Site IPsec VPN on Ubiquiti EdgeRouter

      tep616

        Thank you for the guide, I have been having the same issue getting this setup. At times it connects, but if either of the systems reboots it never reconnects, and now currently it won't connect.

        Any thoughts on the below log messages from pfSense? Google has betrayed me and I can't seem to find a solution.

        May 8 02:40:54 charon 07[MGR] <con1|1418> tried to checkin and delete nonexisting IKE_SA
        May 8 02:40:54 charon 07[IKE] <con1|1418> unable to resolve remotedomain.com(edgeos), initiate aborted
        May 8 02:40:54 charon 17[LIB] resolving 'remotedomain.com(edgeos)' failed: hostname nor servname provided, or not known
        May 8 02:40:54 charon 06[CFG] trap not found, unable to acquire reqid 0
        May 8 02:40:54 charon 13[KNL] creating acquire job for policy pfsenseip/32|/0 === edgeosIP/32|/0 with reqid {0}
        May 8 02:40:54 charon 16[KNL] creating acquire job for policy pfsenseip/32|/0 === edgeosIP/32|/0 with reqid {3}
        May 8 02:40:54 charon 13[KNL] received an SADB_ACQUIRE with policy id 35 but no matching policy found

        danmanners

          @tep616:

          Thank you for the guide, I have been having the same issue getting this setup. At times it connects, but if either of the systems reboots it never reconnects, and now currently it won't connect.

          Any thoughts on the below log messages from pfSense? Google has betrayed me and I can't seem to find a solution.

          May 8 02:40:54 charon 07[MGR] <con1|1418> tried to checkin and delete nonexisting IKE_SA
          May 8 02:40:54 charon 07[IKE] <con1|1418> unable to resolve remotedomain.com(edgeos), initiate aborted
          May 8 02:40:54 charon 17[LIB] resolving 'remotedomain.com(edgeos)' failed: hostname nor servname provided, or not known
          May 8 02:40:54 charon 06[CFG] trap not found, unable to acquire reqid 0
          May 8 02:40:54 charon 13[KNL] creating acquire job for policy pfsenseip/32|/0 === edgeosIP/32|/0 with reqid {0}
          May 8 02:40:54 charon 16[KNL] creating acquire job for policy pfsenseip/32|/0 === edgeosIP/32|/0 with reqid {3}
          May 8 02:40:54 charon 13[KNL] received an SADB_ACQUIRE with policy id 35 but no matching policy found

          I'm trying to replicate it on my side by rebooting my EdgeRouter, but so far no luck. It's reconnecting for me.

          I'm also seeing a lot of people complaining about strongSwan's versioning and specific issues with IKEv1; I'll check it out and see what I can find!

          EDIT: What version of pfSense and EdgeOS are you running? I couldn't get EdgeOS to connect until I upgraded to v1.8.0 and I haven't tried pfSense 2.3 IPsec yet with EdgeOS, on my to-do list.

          tep616

            Thanks!

            If you reboot your pfSense side does it come back up?

            danmanners

              I'm actually testing with my pfSense in my office in production (I might be the würst), so I haven't been able to reboot the pfSense and watch it come back up.

              I'm going to set up one of my other additional public IPs on a secondary pfSense and test sometime in the next few days though.

              tep616

                Nice test system :)

                I'm going to wipe out all of the config and try again; it has been a pain. Thanks again!

                MrMoo

                  @danmanners:

                  Pass TCP 51 for IPsec Authentication Headers,

                  The number 51 is the IP protocol number for AH, not the TCP port. Also, you have configured IPsec for ESP, so you should configure a rule to pass through IP protocol number 50 instead.

                  jolebole

                    Thanks for posting this guide. It worked great! It would have been nice to set up all this through the GUI on the EdgeRouter. Hope that Ubnt fixes that in the next firmware upgrade.

                    Cheers!

                    uscallesen

                      There's something wrong with firewall rule 3 on the pfSense side.

                      The protocol should be AH (that is protocol 51) and not TCP port 51 (which is… nothing)

                      I configured:

                      And new rule 3:

                      • Action: Pass

                      • Disabled: Unchecked

                      • Interface: WAN

                      • TCP/IP Version: IPv4

                      • Protocol: AH

                      • Source: any

                      • Destination: WAN address

                      • Description: IPsec Authentication Headers | PASS
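Two things in this thread lend themselves to a mechanical check: the guide's pfSense Phase 1/Phase 2 values have to match the EdgeOS ike-group/esp-group commands exactly, and, as MrMoo and uscallesen point out, the WAN rules must admit IP protocols (ESP is 50, AH is 51) rather than TCP port 51. The script below is an added example, not code from any poster: it parses the `set vpn ipsec` lines from the guide, reports any proposal mismatch, and audits the guide's three WAN rules. It assumes that EdgeOS `pfs enable` reuses the ike-group DH group, which is how pfSense "PFS group 2" is mapped here.

```python
import re

# pfSense Phase 1 / Phase 2 values from the guide, spelled the way EdgeOS spells them.
PFSENSE_P1 = {"key-exchange": "ikev1", "encryption": "aes256", "hash": "sha1",
              "dh-group": "2", "lifetime": "3600"}
# Assumption: EdgeOS "pfs enable" reuses the ike-group DH group, so "PFS group 2" maps to "enable".
PFSENSE_P2 = {"encryption": "aes256", "hash": "sha1", "pfs": "enable", "lifetime": "3600"}
# Constructed subset of the EdgeOS commands posted in the guide (proposal-related lines only).
EDGEOS_CONFIG = """
set vpn ipsec esp-group pfSense pfs enable
set vpn ipsec esp-group pfSense proposal 1 encryption aes256
set vpn ipsec esp-group pfSense proposal 1 hash sha1
set vpn ipsec esp-group pfSense lifetime 3600
set vpn ipsec ike-group pfSense proposal 1 encryption aes256
set vpn ipsec ike-group pfSense proposal 1 hash sha1
set vpn ipsec ike-group pfSense lifetime 3600
set vpn ipsec ike-group pfSense key-exchange ikev1
set vpn ipsec ike-group pfSense proposal 1 dh-group 2
"""

# The guide's three pfSense WAN rules as (protocol, destination port); None = no port.
GUIDE_WAN_RULES = [("TCP/UDP", 4500), ("UDP", 500), ("TCP", 51)]


def parse_edgeos(text, kind, name):
    """Flatten 'set vpn ipsec <kind> <name> [proposal N] <key> <value>' into a dict."""
    pat = re.compile(rf"^set vpn ipsec {kind} {re.escape(name)} (?:proposal \d+ )?(\S+) (\S+)$")
    params = {}
    for line in text.strip().splitlines():
        m = pat.match(line.strip())
        if m:
            params[m.group(1)] = m.group(2)
    return params

def mismatches(pfsense, edgeos):
    """Keys where the two sides disagree: {key: (pfSense value, EdgeOS value or None)}."""
    return {k: (v, edgeos.get(k)) for k, v in pfsense.items() if edgeos.get(k) != v}

def covers(rules, proto, port):
    """A 'TCP/UDP' rule covers both transports; ESP and AH rules carry no port."""
    return any(proto in p.upper().split("/") and prt == port for p, prt in rules)

def missing_ipsec_rules(rules):
    """What an ESP tunnel with NAT-T still needs on the WAN interface."""
    needed = [("UDP", 500, "IKE/ISAKMP"), ("UDP", 4500, "NAT-T"), ("ESP", None, "ESP (IP protocol 50)")]
    return [label for proto, port, label in needed if not covers(rules, proto, port)]

def suspicious_port_rules(rules):
    """TCP/UDP rules whose 'port' is really an IP protocol number (50 = ESP, 51 = AH)."""
    return [(p, prt) for p, prt in rules if prt in (50, 51) and set(p.upper().split("/")) <= {"TCP", "UDP"}]
```

Run against the guide's values, the proposal check comes back clean while the rule audit reports ESP as missing and flags the TCP 51 rule; swap that rule for protocol ESP (or AH, if AH is really intended) and both lists empty out.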
