Site to Site IPsec VPN - pfSense to Ubiquiti EdgeOS
-
Original post here: Site to Site VPN: pfSense to Ubiquiti EdgeOS - Just reformatted a bit for the pfSense forum
Hey everyone! As many of you have helped me either directly or indirectly, I wanted to share with you my how-to on getting pfSense (2.2.6) and Ubiquiti's EdgeRouter (EdgeOS 1.8.0) site-to-site VPN up and operational! I was having difficulty finding a tutorial online for this specific configuration, so I figured I'd give a little back to the community!
Few notes before diving in:
- I'm assuming that you have a basic enough understanding of both pfSense and EdgeOS in order to get your devices physically connected to their respective WAN cables and online with static public IPs.
- I've been running this config for a few days without any hiccups as far as I can tell. If you're operating without a static public IP, this may not be as helpful for you, as any time your IP changes you'd be required to change your IP settings on both pfSense and EdgeOS.
- I'm definitely not setting this up with a security-conscious mindset; this is just a proof of concept "get-it-up-and-running" guide.
- As always, YMMV!
Without further ado, please read below!
Variable References
pfSense
- Static WAN IP: 1.1.1.1
- LAN IP: 192.168.1.1
- LAN Subnet: 192.168.1.0/24
EdgeOS
- Static WAN IP: 2.2.2.2
- LAN IP: 192.168.2.1
- LAN Subnet: 192.168.2.0/24
Please note that the addresses above are placeholders: substitute your own static WAN IPs, and adjust the LAN IPs and subnets to match your networks. Everything below uses these values, so keep them straight, because the local/remote networks are mirrored between the two sides. Let's jump into the pfSense config!
pfSense - VPN Config
Navigate to VPN > IPsec and make sure that you check Enable IPsec and Save, or none of this will work at the end :)
pfSense Phase 1 General Settings
- Key Exchange Version: V1
- Internet Protocol: IPv4
- Interface: WAN
- Remote Gateway: 2.2.2.2
- Description: EdgeOS Router
pfSense Phase 1 Proposal (Authentication)
- Authentication method: Mutual PSK
- Negotiation mode: Main
- My identifier: My IP address
- Peer identifier: Peer IP address
- Pre-Shared Key: ChangeYourPreSharedKeyDontActuallyUseThis
pfSense Phase 1 Proposal (Algorithms)
- Encryption algorithm: AES 256 bits
- Hash algorithm: SHA1
- DH key group: 2 (1024 bit)
- Lifetime: 3600
pfSense Phase 1 Advanced Options
- NAT Traversal: Auto
- Dead Peer Detection: Enable DPD, 30 seconds, 5 retries
pfSense Phase 2 General Settings
- Mode: Tunnel IPv4
- Local Network: LAN subnet
- Remote Network: 192.168.2.0/24
pfSense Phase 2 Proposal (SA/Key Exchange)
- Protocol: ESP
- Encryption algorithm: AES 256 bits
- Hash algorithm: SHA1
- PFS key group: 2 (1024 bits)
- Lifetime: 3600
Okay, now you're good to press Save and Apply Changes.
Two things to keep in mind with these values. First, the cipher, hash, DH group, PFS group and the two networks have to match what the EdgeOS side proposes or Phase 1 or Phase 2 will simply not negotiate (keeping the lifetimes equal on both ends avoids rekey surprises too), and the pre-shared key must be identical on both ends; use a long random string, not the placeholder above. Second, SHA1 and DH group 2 (1024-bit MODP) are used here only because they match the EdgeOS example config; both pfSense 2.2.6 and EdgeOS 1.8.0 support SHA256 and DH group 14 (2048-bit), so for anything beyond a proof of concept use those on both sides, and IKEv2 if you can.
pfSense - Firewall > Rules
You'll want to add 3 rules on WAN for the IPsec control and data traffic: Pass UDP 4500 (IPsec NAT-T), Pass UDP 500 (ISAKMP), and Pass ESP (IP protocol 50, the encapsulated tunnel traffic itself). Note that 50 and 51 are IP protocol numbers, not TCP or UDP ports: AH is protocol 51 and is only needed if Phase 2 uses AH, which this tunnel does not (it uses ESP), so the ESP rule is the one that matters. pfSense normally adds equivalent WAN rules on its own for each enabled Phase 1 (unless "Disable Auto-added VPN rules" is checked under System > Advanced > Firewall & NAT), so these are belt and braces; since both ends have static IPs, you can also tighten Source from "any" to the EdgeOS WAN address 2.2.2.2.
Add new rule 1:
- Action: Pass
- Disabled: Unchecked
- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: UDP
- Source: any
- Destination: WAN address
- Destination port range: IPsec NAT-T (4500)
- Description: IPsec NAT-T | PASS
New rule 2:
- Action: Pass
- Disabled: Unchecked
- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: UDP
- Source: any
- Destination: WAN address
- Destination port range: ISAKMP (500)
- Description: IPsec ISAKMP | PASS
And new rule 3:
- Action: Pass
- Disabled: Unchecked
- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: ESP
- Source: any
- Destination: WAN address
- Description: IPsec ESP | PASS
Now, click on the new IPsec tab.
Add a new rule:
- Action: Pass
- Disabled: Unchecked
- Interface: IPsec
- TCP/IP Version: IPv4
- Protocol: any
- Source: any
- Destination: any
- Log: Checked
- Description: PASS | EVERYTHING
Save and apply your settings again. This last rule lets anything that arrives through the tunnel reach your LAN, which is fine for a quick proof of concept; for a real deployment restrict Source to the remote subnet (192.168.2.0/24) and Destination to the hosts and ports you actually need.
Okay! Now that you've gotten this far, let's go through the EdgeOS config!
EdgeOS - VPN Config
Go ahead and SSH to your EdgeOS box, log in, type configure and press enter. Your prompt will change from admin@EdgeOS$ to admin@EdgeOS#, indicating that you're in configuration mode and ready to start inputting your VPN settings. eth0 below is the EdgeOS WAN interface, so change it if yours differs; the auto-firewall-nat-exclude line is what makes EdgeOS add the WAN_LOCAL firewall and NAT-exclusion rules for the tunnel for you.
set firewall all-ping enable
set firewall name WAN_LOCAL
set firewall name WAN_LOCAL rule 5 action accept
set firewall name WAN_LOCAL rule 5 description "ICMP 60/m"
set firewall name WAN_LOCAL rule 5 limit burst 1
set firewall name WAN_LOCAL rule 5 limit rate 60/minute
set firewall name WAN_LOCAL rule 5 log enable
set firewall name WAN_LOCAL rule 5 protocol icmp
set vpn ipsec esp-group pfSense
set vpn ipsec esp-group pfSense mode tunnel
set vpn ipsec esp-group pfSense pfs enable
set vpn ipsec esp-group pfSense proposal 1
set vpn ipsec esp-group pfSense proposal 1 encryption aes256
set vpn ipsec esp-group pfSense proposal 1 hash sha1
set vpn ipsec esp-group pfSense lifetime 3600
set vpn ipsec esp-group pfSense compression disable
set vpn ipsec ike-group pfSense dead-peer-detection action restart
set vpn ipsec ike-group pfSense dead-peer-detection interval 30
set vpn ipsec ike-group pfSense dead-peer-detection timeout 60
set vpn ipsec ike-group pfSense proposal 1
set vpn ipsec ike-group pfSense proposal 1 encryption aes256
set vpn ipsec ike-group pfSense proposal 1 hash sha1
set vpn ipsec ike-group pfSense lifetime 3600
set vpn ipsec ike-group pfSense key-exchange ikev1
set vpn ipsec ike-group pfSense proposal 1 dh-group 2
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec site-to-site peer 1.1.1.1
set vpn ipsec site-to-site peer 1.1.1.1 connection-type initiate
set vpn ipsec site-to-site peer 1.1.1.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 1.1.1.1 authentication pre-shared-secret ChangeYourPreSharedKeyDontActuallyUseThis
set vpn ipsec site-to-site peer 1.1.1.1 ike-group pfSense
set vpn ipsec site-to-site peer 1.1.1.1 local-address 2.2.2.2
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 esp-group pfSense
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 local prefix 192.168.2.0/24
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 remote prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 allow-public-networks disable
set vpn ipsec nat-traversal enable
commit
save
Once that's all done, you should be up and online just fine! You can confirm it with show vpn ipsec sa on the EdgeRouter and under Status > IPsec on pfSense; both should show the tunnel established with the two LAN subnets as selectors.
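Before digging into firewall rules or logs, it is worth confirming that the two sides actually propose the same thing, since a mismatched cipher, hash, DH/PFS group or subnet is the usual reason an IKEv1 tunnel between two vendors never comes up. The script below is an added example, not code from the original post, pfSense or Ubiquiti. It flattens the EdgeOS set commands above into a dictionary, derives what pfSense must be configured with (local and remote prefixes are mirrored, the EdgeOS local-address is the pfSense Remote Gateway, and EdgeOS pfs enable means "PFS with the ike-group's DH group"), reports every disagreement against the pfSense settings entered in the GUI, and flags the settings that are fine for a lab but not for production. The addresses and PSK are the placeholders from the post; "LAN subnet" on pfSense is taken to be 192.168.1.0/24.

```python
"""Added example: check that the EdgeOS IPsec config and the pfSense Phase 1/2
settings from this how-to agree before blaming firewall rules.
Not code from the original post, pfSense or Ubiquiti."""

# Constructed sample: the leaf-value `set vpn ipsec ...` lines from the post.
# Bare container lines such as `set vpn ipsec esp-group pfSense` carry no value
# and are not needed for the comparison.
EDGEOS_CONFIG = """
set vpn ipsec esp-group pfSense mode tunnel
set vpn ipsec esp-group pfSense pfs enable
set vpn ipsec esp-group pfSense proposal 1 encryption aes256
set vpn ipsec esp-group pfSense proposal 1 hash sha1
set vpn ipsec esp-group pfSense lifetime 3600
set vpn ipsec ike-group pfSense proposal 1 encryption aes256
set vpn ipsec ike-group pfSense proposal 1 hash sha1
set vpn ipsec ike-group pfSense lifetime 3600
set vpn ipsec ike-group pfSense key-exchange ikev1
set vpn ipsec ike-group pfSense proposal 1 dh-group 2
set vpn ipsec site-to-site peer 1.1.1.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 1.1.1.1 authentication pre-shared-secret ChangeYourPreSharedKeyDontActuallyUseThis
set vpn ipsec site-to-site peer 1.1.1.1 ike-group pfSense
set vpn ipsec site-to-site peer 1.1.1.1 local-address 2.2.2.2
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 esp-group pfSense
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 local prefix 192.168.2.0/24
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 remote prefix 192.168.1.0/24
"""

# The pfSense side exactly as entered in VPN > IPsec in the post.
# "LAN subnet" resolves to 192.168.1.0/24 with the post's addressing (assumption).
PFSENSE = {
    "key_exchange": "ikev1",
    "remote_gateway": "2.2.2.2",
    "p1_encryption": "aes256",
    "p1_hash": "sha1",
    "p1_dh_group": 2,
    "p1_lifetime": 3600,
    "p2_encryption": "aes256",
    "p2_hash": "sha1",
    "p2_pfs_group": 2,
    "p2_lifetime": 3600,
    "local_network": "192.168.1.0/24",
    "remote_network": "192.168.2.0/24",
    "psk": "ChangeYourPreSharedKeyDontActuallyUseThis",
}

# Values that negotiate fine but should not leave the lab:
# MD5/SHA1 for integrity and 768/1024/1536-bit MODP Diffie-Hellman groups.
WEAK = {
    "p1_hash": {"md5", "sha1"},
    "p2_hash": {"md5", "sha1"},
    "p1_dh_group": {1, 2, 5},
    "p2_pfs_group": {1, 2, 5},
}


def parse_edgeos(text):
    """Flatten `set a b c value` lines into {"a b c": "value"}; other lines are ignored."""
    cfg = {}
    for line in text.splitlines():
        words = line.split()
        if len(words) < 3 or words[0] != "set":
            continue
        cfg[" ".join(words[1:-1])] = words[-1]
    return cfg


def edgeos_view(cfg, peer):
    """Derive, from the EdgeOS side, the values pfSense must be configured with.
    Local and remote are mirrored: the EdgeOS local prefix is pfSense's Remote Network."""
    base = f"vpn ipsec site-to-site peer {peer}"
    ike = f"vpn ipsec ike-group {cfg[base + ' ike-group']}"
    esp = f"vpn ipsec esp-group {cfg[base + ' tunnel 1 esp-group']}"
    dh = int(cfg[ike + " proposal 1 dh-group"])
    # EdgeOS `pfs enable` = PFS with the ike-group's DH group, `pfs dh-groupN`
    # pins a specific group, and `pfs disable` (or absent) means no PFS.
    pfs = cfg.get(esp + " pfs", "disable")
    if pfs == "enable":
        pfs_group = dh
    elif pfs.startswith("dh-group"):
        pfs_group = int(pfs[len("dh-group"):])
    else:
        pfs_group = 0
    return {
        "key_exchange": cfg.get(ike + " key-exchange", "ikev1"),  # EdgeOS default
        "remote_gateway": cfg[base + " local-address"],
        "p1_encryption": cfg[ike + " proposal 1 encryption"],
        "p1_hash": cfg[ike + " proposal 1 hash"],
        "p1_dh_group": dh,
        "p1_lifetime": int(cfg[ike + " lifetime"]),
        "p2_encryption": cfg[esp + " proposal 1 encryption"],
        "p2_hash": cfg[esp + " proposal 1 hash"],
        "p2_pfs_group": pfs_group,
        "p2_lifetime": int(cfg[esp + " lifetime"]),
        "local_network": cfg[base + " tunnel 1 remote prefix"],
        "remote_network": cfg[base + " tunnel 1 local prefix"],
        "psk": cfg[base + " authentication pre-shared-secret"],
    }


def mismatches(pfsense, edgeos):
    """Every field on which the two ends disagree; an empty list means they match."""
    return [
        f"{key}: pfSense={pfsense[key]!r} EdgeOS={edgeos.get(key)!r}"
        for key in pfsense
        if pfsense[key] != edgeos.get(key)
    ]


def weak_settings(side):
    """Fields set to values from the WEAK table."""
    return [f"{key}={side[key]}" for key, bad in WEAK.items() if side.get(key) in bad]


if __name__ == "__main__":
    view = edgeos_view(parse_edgeos(EDGEOS_CONFIG), "1.1.1.1")
    print("mismatches:", mismatches(PFSENSE, view) or "none, both sides agree")
    print("weak settings:", weak_settings(PFSENSE) or "none")
```

With the post's values the two sides agree, and the only findings are the four weak settings (SHA1 on both phases and the 1024-bit group for DH and PFS). If you harden one side, say by setting dh-group 14 and hash sha256 on the EdgeRouter, the script immediately reports the fields pfSense still has to be changed to match.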
Notes
Just briefly: I'd like to thank everyone in the pfSense community for being just generally wonderful. I've learned more over the past year and a half and done more with pfSense than any other router/firewall product previously, and I cannot recommend it enough to other people. The community that all of you offer is just amazing! Please let me know if you have any questions regarding anything! I've had it up and running for a few days on my side now without any issues!
Source Reference for EdgeOS IPSec Config
How to Configure Site-to-Site IPsec VPN on Ubiquiti EdgeRouter
-
Thank you for the guide, I have been having the same issue getting this set up. At times it connects but if either of the systems reboot, it never reconnects, and now currently, it won't connect.
Any thoughts on the below log messages from pfSense? Google has betrayed me and I can't seem to find a solution.
May 8 02:40:54 charon 07[MGR] <con1|1418> tried to checkin and delete nonexisting IKE_SA
May 8 02:40:54 charon 07[IKE] <con1|1418> unable to resolve remotedomain.com(edgeos), initiate aborted
May 8 02:40:54 charon 17[LIB] resolving 'remotedomain.com(edgeos)' failed: hostname nor servname provided, or not known
May 8 02:40:54 charon 06[CFG] trap not found, unable to acquire reqid 0
May 8 02:40:54 charon 13[KNL] creating acquire job for policy pfsenseip/32|/0 === edgeosIP/32|/0 with reqid {0}
May 8 02:40:54 charon 16[KNL] creating acquire job for policy pfsenseip/32|/0 === edgeosIP/32|/0 with reqid {3}
May 8 02:40:54 charon 13[KNL] received an SADB_ACQUIRE with policy id 35 but no matching policy found
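The charon lines quoted in the post above are a good example of a log where the first actionable fault is buried among its consequences: "unable to resolve remotedomain.com(edgeos), initiate aborted" means the Remote Gateway was entered as a hostname that pfSense itself could not resolve at that moment, and the trap/policy errors follow from there being no usable connection for the kernel's acquire. The script below is an added example, not part of this thread and not pfSense or strongSwan code; it parses charon's line format and classifies the messages by fault class with a fix hint, so that the same check can be run over a full Status > System Logs > IPsec export. The sample log is constructed from the lines above with the poster's placeholders kept, and the signatures and hints are this example's own.

```python
"""Added example: classify strongSwan (charon) log lines as shown in the pfSense IPsec
log so the first fault to fix stands out. Not part of the original thread or pfSense."""
import re

# Constructed sample: the lines posted above, one per line, placeholders kept
# (the poster substituted remotedomain.com, pfsenseip and edgeosIP for real values).
LOG = """\
May 8 02:40:54 charon 07[MGR] <con1|1418>tried to checkin and delete nonexisting IKE_SA
May 8 02:40:54 charon 07[IKE] <con1|1418>unable to resolve remotedomain.com(edgeos), initiate aborted
May 8 02:40:54 charon 17[LIB] resolving 'remotedomain.com(edgeos)' failed: hostname nor servname provided, or not known
May 8 02:40:54 charon 06[CFG] trap not found, unable to acquire reqid 0
May 8 02:40:54 charon 13[KNL] creating acquire job for policy pfsenseip/32|/0 === edgeosIP/32|/0 with reqid {0}
May 8 02:40:54 charon 16[KNL] creating acquire job for policy pfsenseip/32|/0 === edgeosIP/32|/0 with reqid {3}
May 8 02:40:54 charon 13[KNL] received an SADB_ACQUIRE with policy id 35 but no matching policy found
"""

# charon line shape: "<timestamp> charon <thread>[<subsystem>] [<conn|ike_sa_id>]<message>"
# The <conn|id> prefix only appears on lines tied to a connection; the space after it
# may be missing in pasted output, so it is optional.
LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) charon "
    r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] "
    r"(?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s*)?(?P<msg>.*)$"
)

# Ordered by how early in the failure sequence each fault sits. The hints are this
# example's own, based on what the messages say, not strongSwan documentation.
SIGNATURES = [
    (
        "unresolvable-gateway",
        re.compile(r"(?:unable to resolve |resolving ')(?P<host>[^,']+)"),
        "Remote Gateway is a hostname pfSense itself cannot resolve: check it under "
        "Diagnostics > DNS Lookup, fix the firewall's DNS, or use the peer's static IP "
        "as the how-to does.",
    ),
    (
        "no-policy",
        re.compile(r"no matching policy found|trap not found"),
        "The kernel asked for an SA that charon has no loaded policy for; re-check after "
        "the gateway resolves, and if it persists compare the Phase 2 Local/Remote "
        "networks on both ends.",
    ),
    (
        "stale-ike-sa",
        re.compile(r"nonexisting IKE_SA"),
        "Typically the aftermath of the aborted initiate; harmless once the faults "
        "above are gone.",
    ),
]


def parse_line(line):
    """Return the fields of one charon line as a dict, or None if it is not one."""
    m = LINE.match(line)
    return m.groupdict() if m else None


def triage(log):
    """Group messages by fault class (first matching signature wins) with the hint
    and any hostnames extracted. Lines matching nothing go under 'unclassified'
    so that nothing is silently dropped; non-charon lines are skipped."""
    result = {}
    for raw in log.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        msg = parsed["msg"]
        for name, pattern, hint in SIGNATURES:
            m = pattern.search(msg)
            if m:
                entry = result.setdefault(name, {"hint": hint, "lines": [], "hosts": set()})
                entry["lines"].append(msg)
                if "host" in m.groupdict():
                    entry["hosts"].add(m.group("host"))
                break
        else:
            result.setdefault("unclassified", {"hint": "", "lines": [], "hosts": set()})
            result["unclassified"]["lines"].append(msg)
    return result


def first_action(log):
    """The fault class to fix first (signature order), or None if nothing matched."""
    found = triage(log)
    for name, _, _ in SIGNATURES:
        if name in found:
            return name
    return None


if __name__ == "__main__":
    report = triage(LOG)
    print("fix first:", first_action(LOG))
    for name, entry in report.items():
        print(f"[{name}] {len(entry['lines'])} line(s)", sorted(entry["hosts"]) or "")
        if entry["hint"]:
            print("   ", entry["hint"])
```

On the posted lines first_action() returns the DNS failure, which is the one thing to fix before reading anything else; the acquire-job lines stay unclassified on purpose, since they are the kernel asking for an SA rather than a fault in themselves. This is also why the how-to insists on static IPs on both sides: with an IP as Remote Gateway there is nothing to resolve.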
-
I'm trying to replicate it on my side, rebooting my edgerouter but so far no luck. It's reconnecting for me.
I'm also seeing a lot of people complaining about StrongSwan's versioning and specific issues with IKEv1; I'll check it out and see what I can find!
EDIT: What version of pfSense and EdgeOS are you running? I couldn't get EdgeOS to connect until I upgraded to v1.8.0 and I haven't tried pfSense 2.3 IPsec yet with EdgeOS, on my to-do list.
-
Thanks!
If you reboot your pfSense side does it come back up?
-
I'm actually testing with my pfSense in my office in production (I might be the würst), so I haven't been able to reboot the pfSense and watch it come back up.
I'm going to set up one of my other additional public IP's to a secondary pfSense and test sometime in the next few days though.
-
Nice test system :)
I'm going to wipe out all of the config and try again, has been a pain. Thanks again!
-
Pass TCP 51 for IPsec Authentication Headers,
The number 51 is the IP protocol number for AH, not a TCP port. Also, you have configured IPsec for ESP, so you should configure a rule to pass through IP protocol number 50 instead.
-
Thanks for posting this guide. It worked great! It would have been nice to set up all this through the GUI on the EdgeRouter. Hope that Ubnt fixes that in the next firmware upgrade.
Cheers!
-
There's something wrong with firewall rule 3 on the pfsense side.
The protocol should be AH (that is protocol 51) and not TCP port 51 (which is… nothing)
I configured:
And new rule 3:
- Action: Pass
- Disabled: Unchecked
- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: AH
- Source: any
- Destination: WAN address
- Description: IPsec Authentication Headers | PASS