Is there any working site-to-site ipesec config?
-
Yes
-
Then you might as well use IKEv2, AES-GCM, etc.
Refer to the attached diagram.
pfSense A
Phase 1
Disabled: unchecked
Key Exchange Version: V2
Internet Protocol: IPv4
Interface: WAN
Remote Gateway: 172.25.228.13
Authentication Method: Mutual PSK
My Identifier: My IP address
Peer Identifier: Peer IP Address
Pre-Shared Key: presharedkey (pick something random and strong here)
Encryption Algorithm: AES 256 bits
Hash Algorithm: SHA256
DH Group: 14
Lifetime: 28800
Disable rekey: unchecked
Disable Reauth: unchecked
Responder Only: unchecked
MOBIKE: Disable
Split Connections: unchecked
Dear Peer Detection: checked
Delay: 10
Max failures: 5Phase 2
Disabled: unchecked
Mode: Tunnel IPv4
Local Network: LAN subnet
NAT/BINAT translation: None
Remote Network: Network: 172.25.234.0 /24
Encryption Algorithms: AES256-GCM: Checked (Auto)
Hash Algorithms: None checked
PFS key group: 14
Lifetime: 3600
Automatically ping host: 172.25.234.1
pfSense C
Phase 1
Disabled: unchecked
Key Exchange Version: V2
Internet Protocol: IPv4
Interface: WAN
Remote Gateway: 172.25.228.5
Authentication Method: Mutual PSK
My Identifier: My IP address
Peer Identifier: Peer IP Address
Pre-Shared Key: presharedkey (pick something random and strong here)
Encryption Algorithm: AES 256 bits
Hash Algorithm: SHA256
DH Group: 14
Lifetime: 28800
Disable rekey: unchecked
Disable Reauth: unchecked
Responder Only: unchecked
MOBIKE: Disable
Split Connections: unchecked
Dear Peer Detection: checked
Delay: 10
Max failures: 5Phase 2
Disabled: unchecked
Mode: Tunnel IPv4
Local Network: LAN subnet
NAT/BINAT translation: None
Remote Network: Network: 172.25.232.0 /24
Encryption Algorithms: AES256-GCM: Checked (Auto)
Hash Algorithms: None checked
PFS key group: 14
Lifetime: 3600
Automatically ping host: 172.25.232.1And firewall rules on the IPsec tabs on both sides that pass the traffic you need. An example is included that is wide-open. That might or might not meet your needs/threat model.
 -
Thanks it looks better but I got:
PFSense A
Aug 24 10:17:17 charon 10[CFG] received stroke: terminate 'con1'
Aug 24 10:17:17 charon 10[CFG] no IKE_SA named 'con1' found
Aug 24 10:17:17 charon 10[CFG] received stroke: initiate 'con1'
Aug 24 10:17:17 charon 15[IKE] <con1|8>initiating IKE_SA con1[8] to 213.200.xxx.xxx
Aug 24 10:17:17 charon 15[ENC] <con1|8>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 24 10:17:17 charon 15[NET] <con1|8>sending packet: from 172.31.xxx.xxx[500] to 213.200.xxx.xxx[500] (464 bytes)
Aug 24 10:17:17 charon 15[NET] <con1|8>received packet: from 213.200.xxx.xxx[500] to 172.31.xxx.xxx[500] (464 bytes)
Aug 24 10:17:17 charon 15[ENC] <con1|8>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Aug 24 10:17:17 charon 15[IKE] <con1|8>local host is behind NAT, sending keep alives
Aug 24 10:17:17 charon 15[IKE] <con1|8>remote host is behind NAT
Aug 24 10:17:17 charon 15[IKE] <con1|8>authentication of '172.31.xxx.xxx' (myself) with pre-shared key
Aug 24 10:17:17 charon 15[IKE] <con1|8>establishing CHILD_SA con1
Aug 24 10:17:17 charon 15[ENC] <con1|8>generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Aug 24 10:17:17 charon 15[NET] <con1|8>sending packet: from 172.31.xxx.xxx[4500] to 213.200.xxx.xxx[4500] (320 bytes)
Aug 24 10:17:17 charon 15[NET] <con1|8>received packet: from 213.200.xxx.xxx[4500] to 172.31.xxx.xxx[4500] (80 bytes)
Aug 24 10:17:17 charon 15[ENC] <con1|8>parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 24 10:17:17 charon 15[IKE] <con1|8>received AUTHENTICATION_FAILED notify errorPFsense B
Aug 24 10:17:17 charon 06[NET] <8> received packet: from 213.200.229.167[500] to 172.31.xxx.xxx[500] (464 bytes)
Aug 24 10:17:17 charon 06[ENC] <8> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 24 10:17:17 charon 06[IKE] <8> 213.200.229.167 is initiating an IKE_SA
Aug 24 10:17:17 charon 06[IKE] <8> local host is behind NAT, sending keep alives
Aug 24 10:17:17 charon 06[IKE] <8> remote host is behind NAT
Aug 24 10:17:17 charon 06[ENC] <8> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Aug 24 10:17:17 charon 06[NET] <8> sending packet: from 172.31.xxx.xxx[500] to 213.200.229.167[500] (464 bytes)
Aug 24 10:17:17 charon 06[NET] <8> received packet: from 213.200.229.167[4500] to 172.31.xxx.xxx[4500] (320 bytes)
Aug 24 10:17:17 charon 06[ENC] <8> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Aug 24 10:17:17 charon 06[CFG] <8> looking for peer configs matching 172.31.xxx.xxx[213.200.xxx.xxx]…213.200.229.167[172.31.xxx.xxx]
Aug 24 10:17:17 charon 06[CFG] <bypasslan|8>selected peer config 'bypasslan'
Aug 24 10:17:17 charon 06[IKE] <bypasslan|8>no shared key found for '213.200.xxx.xxx' - '172.31.xxx.xxx'
Aug 24 10:17:17 charon 06[IKE] <bypasslan|8>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Aug 24 10:17:17 charon 06[ENC] <bypasslan|8>generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 24 10:17:17 charon 06[NET] <bypasslan|8>sending packet: from 172.31.xxx.xxx[4500] to 213.200.xxx.xxx[4500] (80 bytes)</bypasslan|8></bypasslan|8></bypasslan|8></bypasslan|8></bypasslan|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8> -
You couldn't have possibly done that that fast. Delete what you have and start over. Carefully. It works. I have it working right here.
-
Aug 24 10:04:49 charon 08[NET] <con1|5>sending packet: from 172.31.xxx.xxx[4500] to 213.200.xxx.xxx[4500] (256 bytes)
Aug 24 10:04:49 charon 08[NET] <con1|5>received packet: from 213.200.xxx.xxx[4500] to 172.31.xxx.xxx[4500] (80 bytes)You can't sent packets directly between an RFC1918 address and a public address. Either something else is in the middle you're not telling me about or you have the configuration screwed up. Slow down, be careful, do it right, and it'll work.</con1|5></con1|5>
-
Okay I will delete it and start again.
-
If one side is behind another NAT device, you probably need to set "My identifier" on that side to be the actual public IP address - the one you see from there when you go to http://ifconfig.io/ for example.
My identifier: IP address: Actual public IP address
Like I said, every situation is different. There is no "universal walk through" to setting up a VPN.
-
WOHOOOOOO YOU ARE MY HERO !!!!! after I changed my Identifier to the public IP VPN is working. Now I have to setup mobile devices with greenbow. Could I use the same?
-
I hope you take my advice and use IKEv2, AES-GCM, etc.
No idea about the remote access. Completely different thread required.
-
Thank you so much. I did it like your example :). Will create a new thread vor IPSec mobile.
-
THANKS!
I was about to post this question (i might add it here for some additional key words relating to this)
–----------------
I've been reading about the 'issues' that might present in swanstrong for the authentication of identifiers that could be causing me problems. (possibly adding pre-shared keys?) I've been trying all sorts but just cant seem to hit a working configuration.
I have approx 25 remote PPPoE sites connecting to each other and to a static IP address great. I recently added a new site using Australian NBN (the customer IP is assigned via DHCP)
I cant get the new DHCP site to connect to the Static IP server, it connects fine to other PPPoE servers.I'm running APU box and virtual pfsense routers:
Do you consider this VPN config the best all rounder settings?
What was key to this config allowing the DHCP to Static IP connections to work successfully? -
Connecting to a static IP address doesn't generally require anything special. Are you connecting from behind another NAT device?
-
Both IPs are fully Public IPs once being allocated by DHCP rather than PPPoE was the only difference I could discern - the other was always Static.
Anyway - working a treat now :)
Do you consider using those specs as a basic for all tunnels to be the most efficient/CPU wise v's no massive need for crazy security v's stability etc?
I was previously using V2 DH2 P1-AES256 SHA1 / P2 AES128 Hash SHA1
-
AES-GCM in a child SA provides authenticated encryption and therefore does not require a separate authentication/hash step (like SHA1/SHA256) and will therefore perform better especially with AES-NI enabled.
I personally believe that AES-128 is perfectly acceptable in almost all circumstances but you will not likely notice a difference between AES-128 and AES-256 so why not…
So, yes, I like the settings I used in this example. That's why I used them. :)
