Site to Site IPsec VPN - pfSense to Ubiquiti EdgeOS



  • Original post here: Site to Site VPN: pfSense to Ubiquiti EdgeOS - Just reformatted a bit for the pfSense forum

    Hey everyone! As many of you have helped me either directly or indirectly, I wanted to share with you my how-to on getting pfSense (2.2.6) and Ubiquiti's EdgeRouter (EdgeOS 1.8.0) site-to-site VPN up and operational! I was having difficulty finding a tutorial online for this specific configuration, so I figured I'd give a little back to the community!

    Few notes before diving in:

    • I'm assuming that you have a basic enough understanding of both pfSense and EdgeOS in order to get your devices physically connected to their respective WAN cables and online with static public IPs.

    • I've been running this config for a few days without any hiccups as far as I can tell. If you're operating without a static public IP, this may not be as helpful for you, as anytime your IP changes you'd be required to change your IP settings on both pfSense and EdgeOS.

    • I'm definitely not setting this up with a security-conscious mindset; this is just a proof of concept "get-it-up-and-running" guide.

    • As always, YMMV!

    Without further ado, please read below!

    Variable References

    pfSense

    • Static WAN IP: 1.1.1.1

    • LAN IP: 192.168.1.1

    • LAN Subnet: 192.168.1.0/24

    EdgeOS

    • Static WAN IP: 2.2.2.2

    • LAN IP: 192.168.2.1

    • LAN Subnet: 192.168.2.0/24

    Please note that the variables above will vary with your LAN settings and should be modified accordingly. Let's jump into the pfSense config!

    pfSense - VPN Config
    Navigate to VPN > IPSEC and make sure that you Enable IPsec and Save, or none of this will work at the end :)

    pfSense Phase 1 General Settings

    • Key Exchange Version: V1

    • Internet Protocol: IPv4

    • Interface: WAN

    • Remote Gateway: 2.2.2.2

    • Description: EdgeOS Router

    pfSense Phase 1 Proposal (Authentication)

    • Authentication method: Mutual PSK

    • Negotiation mode: Main

    • My identifier: My IP address

    • Peer identifier: Peer IP address

    • Pre-Shared Key: ChangeYourPreSharedKeyDontActuallyUseThis

    pfSense Phase 1 Proposal (Algorithms)

    • Encryption algorithm: AES 256 bits

    • Hash algorithm: SHA1

    • DH key group: 2 (1024 bit)

    • Lifetime: 3600

    pfSense Phase 1 Advanced Options

    • NAT Traversal: Auto

    • Dead Peer Detection: Enable DPD, 30 seconds, 5 retries

    pfSense Phase 2 General Settings

    • Mode: Tunnel IPv4

    • Local Network: LAN subnet

    • Remote Network: 192.168.2.0/24

    pfSense Phase 2 Proposal (SA/Key Exchange)

    • Protocol: ESP

    • Encryption algorithm: AES 256 bits

    • Hash algorithm: SHA1

    • PFS key group: 2 (1024 bits)

    • Lifetime: 3600

    Okay, now you're good to press save and apply.

    pfSense - Firewall > Rules

    You'll want to add 3 rules: Pass TCP/UDP 4500 IPsec, Pass TCP 51 for IPsec Authentication Headers, and Pass UDP 500 ISAKMP.

    Add new rule 1:

    • Action: Pass

    • Disabled: Unchecked

    • Interface: WAN

    • TCP/IP Version: IPv4

    • Protocol: TCP/UDP

    • Source: any

    • Destination: WAN address

    • Destination port range: IPsec NAT-T (4500)

    • Description: IPsec NAT | PASS

    New rule 2:

    • Action: Pass

    • Disabled: Unchecked

    • Interface: WAN

    • TCP/IP Version: IPv4

    • Protocol: UDP

    • Source: any

    • Destination: WAN address

    • Destination port range: ISAKMP (500)

    • Description: IPsec ISAKMP | PASS

    And new rule 3:

    • Action: Pass

    • Disabled: Unchecked

    • Interface: WAN

    • TCP/IP Version: IPv4

    • Protocol: TCP

    • Source: any

    • Destination: WAN address

    • Destination port range: (other) 51

    • Description: IPsec Authentication Headers | PASS

    Now, click on the new IPsec tab.

    Add a new rule:

    • Action: Pass

    • Disabled: Unchecked

    • Interface: IPsec

    • TCP/IP Version: IPv4

    • Protocol: any

    • Source: any

    • Destination: any

    • Log: Checked

    • Description: PASS | EVERYTHING

    Save and apply your settings again.

    Okay! Now that you've gotten this far, let's go through the EdgeOS config!

    EdgeOS - VPN Config
    Go ahead and SSH to your EdgeOS box, log in, and enter configure and press enter. Your box will change from admin@EdgeOS$ to admin@EdgeOS#, indicating that you're ready to start inputting your VPN settings!

    
    set firewall all-ping enable
    set firewall name WAN_LOCAL
    set firewall name WAN_LOCAL rule 5 action accept
    set firewall name WAN_LOCAL rule 5 description "ICMP 60/m"
    set firewall name WAN_LOCAL rule 5 limit burst 1
    set firewall name WAN_LOCAL rule 5 limit rate 60/minute
    set firewall name WAN_LOCAL rule 5 log enable
    set firewall name WAN_LOCAL rule 5 protocol icmp
    set vpn ipsec esp-group pfSense
    set vpn ipsec esp-group pfSense mode tunnel
    set vpn ipsec esp-group pfSense pfs enable
    set vpn ipsec esp-group pfSense proposal 1
    set vpn ipsec esp-group pfSense proposal 1 encryption aes256
    set vpn ipsec esp-group pfSense proposal 1 hash sha1
    set vpn ipsec esp-group pfSense lifetime 3600
    set vpn ipsec esp-group pfSense compression disable
    set vpn ipsec ike-group pfSense dead-peer-detection action restart
    set vpn ipsec ike-group pfSense dead-peer-detection interval 30
    set vpn ipsec ike-group pfSense dead-peer-detection timeout 60
    set vpn ipsec ike-group pfSense proposal 1
    set vpn ipsec ike-group pfSense proposal 1 encryption aes256
    set vpn ipsec ike-group pfSense proposal 1 hash sha1
    set vpn ipsec ike-group pfSense lifetime 3600
    set vpn ipsec ike-group pfSense key-exchange ikev1
    set vpn ipsec ike-group pfSense proposal 1 dh-group 2
    set vpn ipsec ipsec-interfaces interface eth0
    set vpn ipsec auto-firewall-nat-exclude enable
    set vpn ipsec nat-networks allowed-network 0.0.0.0/0
    set vpn ipsec site-to-site peer 1.1.1.1
    set vpn ipsec site-to-site peer 1.1.1.1 connection-type initiate
    set vpn ipsec site-to-site peer 1.1.1.1 authentication mode pre-shared-secret
    set vpn ipsec site-to-site peer 1.1.1.1 authentication pre-shared-secret ChangeYourPreSharedKeyDontActuallyUseThis
    set vpn ipsec site-to-site peer 1.1.1.1 ike-group pfSense
    set vpn ipsec site-to-site peer 1.1.1.1 local-address 2.2.2.2
    set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 
    set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 esp-group pfSense
    set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 local prefix 192.168.2.0/24
    set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 remote prefix 192.168.1.0/24
    set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 allow-nat-networks disable
    set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 allow-public-networks disable
    set vpn ipsec nat-traversal enable
    commit
    save
    
    

    Once that's all done, you should be up and online just fine!
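    A quick way to confirm that what you typed on the EdgeOS side actually mirrors the pfSense Phase 1 and Phase 2 settings above, as an added example (Python, not part of the original post or of either vendor's tooling): it flattens the `set vpn ipsec` lines into key/value pairs and reports every proposal or endpoint that differs. The pfSense values are copied from the guide and written with EdgeOS's tokens; EdgeOS `pfs enable` reuses the IKE group's DH group (2 here), which is what pfSense's PFS key group 2 lines up with.

```python
import re

# Constructed input: the proposal and endpoint "set vpn ipsec" lines from the EdgeOS block above.
EDGEOS_CONFIG = """
set vpn ipsec esp-group pfSense pfs enable
set vpn ipsec esp-group pfSense proposal 1 encryption aes256
set vpn ipsec esp-group pfSense proposal 1 hash sha1
set vpn ipsec esp-group pfSense lifetime 3600
set vpn ipsec ike-group pfSense proposal 1 encryption aes256
set vpn ipsec ike-group pfSense proposal 1 hash sha1
set vpn ipsec ike-group pfSense lifetime 3600
set vpn ipsec ike-group pfSense key-exchange ikev1
set vpn ipsec ike-group pfSense proposal 1 dh-group 2
set vpn ipsec site-to-site peer 1.1.1.1 local-address 2.2.2.2
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 local prefix 192.168.2.0/24
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 remote prefix 192.168.1.0/24
"""

# pfSense Phase 1/2 values from the guide, spelled with EdgeOS's tokens and viewed from the EdgeOS
# side: pfSense's Remote Gateway is EdgeOS's local-address, its Remote Network EdgeOS's local prefix.
PFSENSE = {
    "ike": {"key-exchange": "ikev1", "encryption": "aes256", "hash": "sha1",
            "dh-group": "2", "lifetime": "3600"},
    "esp": {"encryption": "aes256", "hash": "sha1", "pfs": "enable", "lifetime": "3600"},
    "peer": {"local-address": "2.2.2.2", "local prefix": "192.168.2.0/24",
             "remote prefix": "192.168.1.0/24"},
}

GROUP_RE = re.compile(r"set vpn ipsec (ike|esp)-group \S+ (?:proposal \d+ )?(\S+) (\S+)$")
PEER_RE = re.compile(r"set vpn ipsec site-to-site peer \S+ (?:tunnel \d+ )?"
                     r"(local-address|local prefix|remote prefix) (\S+)$")

def parse_edgeos(text):
    """Flatten the EdgeOS 'set' lines into the same ike/esp/peer dicts as PFSENSE."""
    cfg = {"ike": {}, "esp": {}, "peer": {}}
    for line in text.splitlines():
        if m := GROUP_RE.match(line):
            cfg[m.group(1)][m.group(2)] = m.group(3)
        elif m := PEER_RE.match(line):
            cfg["peer"][m.group(1)] = m.group(2)
    return cfg

def find_mismatches(edgeos_text, pfsense=PFSENSE):
    """Return 'section key: pfSense X vs EdgeOS Y' for each setting that differs or is unset."""
    edge = parse_edgeos(edgeos_text)
    return [f"{sec} {key}: pfSense {want} vs EdgeOS {edge[sec].get(key, '<unset>')}"
            for sec, wanted in pfsense.items()
            for key, want in wanted.items()
            if edge[sec].get(key) != want]
```

An empty list means both ends propose the same thing; a DH group or lifetime that differs on one side is the usual reason Phase 1 never completes.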

    Notes
    Just briefly: I'd like to thank everyone in the pfSense community for being just generally wonderful. I've learned more over the past year and a half and done more with pfSense than any other router/firewall product previously, and I cannot recommend it enough to other people. The community that all of you offer is just amazing!

    Please let me know if you have any questions regarding anything! I've had it up and running for a few days on my side now without any issues!

    Source Reference for EdgeOS IPSec Config
    How to Configure Site-to-Site IPsec VPN on Ubiquiti EdgeRouter



  • Thank you for the guide, I have been having the same issue getting this setup.  At times it connects but if either of the systems reboot, it never reconnects, and now currently, it won't connect.

    Any thoughts on the below log messages from pfSense?  Google has betrayed me and I can't seem to find a solution.

    
    May 8 02:40:54	charon		07[MGR] <con1|1418>tried to checkin and delete nonexisting IKE_SA
    May 8 02:40:54	charon		07[IKE] <con1|1418>unable to resolve remotedomain.com(edgeos), initiate aborted
    May 8 02:40:54	charon		17[LIB] resolving 'remotedomain.com(edgeos)' failed: hostname nor servname provided, or not known
    May 8 02:40:54	charon		06[CFG] trap not found, unable to acquire reqid 0
    May 8 02:40:54	charon		13[KNL] creating acquire job for policy pfsenseip/32|/0 === edgeosIP/32|/0 with reqid {0}
    May 8 02:40:54	charon		16[KNL] creating acquire job for policy pfsenseip/32|/0 === edgeosIP/32|/0 with reqid {3}
    May 8 02:40:54	charon		13[KNL] received an SADB_ACQUIRE with policy id 35 but no matching policy found
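    As an added example (not from the post), a small triage over the charon lines quoted above: it parses each line into its fields and tags the two separate problems they show, a Remote Gateway configured as a hostname that did not resolve (so the initiate was aborted) and kernel acquire requests that found no matching policy. The log text is the one above with tabs normalised to spaces; the category names and matching patterns are my own.

```python
import re
from collections import Counter

# Constructed input: the charon lines quoted in the post above, tabs normalised to spaces.
LOG = """\
May 8 02:40:54 charon 07[MGR] <con1|1418>tried to checkin and delete nonexisting IKE_SA
May 8 02:40:54 charon 07[IKE] <con1|1418>unable to resolve remotedomain.com(edgeos), initiate aborted
May 8 02:40:54 charon 17[LIB] resolving 'remotedomain.com(edgeos)' failed: hostname nor servname provided, or not known
May 8 02:40:54 charon 06[CFG] trap not found, unable to acquire reqid 0
May 8 02:40:54 charon 13[KNL] creating acquire job for policy pfsenseip/32|/0 === edgeosIP/32|/0 with reqid {0}
May 8 02:40:54 charon 16[KNL] creating acquire job for policy pfsenseip/32|/0 === edgeosIP/32|/0 with reqid {3}
May 8 02:40:54 charon 13[KNL] received an SADB_ACQUIRE with policy id 35 but no matching policy found
"""

# timestamp, daemon, "thread[subsystem]", optional <connection|ike_sa id> tag, message
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+charon\s+(?P<thread>\d+)\[(?P<subsys>\w+)\]\s*"
                     r"(?:<(?P<conn>[^>]+)>)?(?P<msg>.*)$")

# (pattern, category) pairs with my own labels; checked in order, first hit wins.
TRIAGE = [
    (re.compile(r"unable to resolve|resolving '.*' failed"), "dns"),       # peer name never resolved
    (re.compile(r"trap not found|no matching policy found"), "policy"),   # kernel acquire, no Phase 2 match
    (re.compile(r"nonexisting IKE_SA"), "stale_ike_sa"),                  # IKE_SA gone before checkin
]
GATEWAY_RE = re.compile(r"resolve ([^, ]+)|resolving '([^']+)'")

def parse_line(line):
    """Split one pfSense IPsec log line into its fields, or return None if it is not a charon line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(log_text):
    """Count lines per category and collect the gateway names that failed to resolve,
    since an unresolvable Remote Gateway stops Phase 1 before any proposal is sent."""
    categories, unresolved = Counter(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cat = next((c for pat, c in TRIAGE if pat.search(rec["msg"])), "info")
        categories[cat] += 1
        if cat == "dns" and (m := GATEWAY_RE.search(rec["msg"])):
            unresolved.add(m.group(1) or m.group(2))
    return {"categories": dict(categories), "unresolved_gateways": sorted(unresolved)}
```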
    


  • @tep616:

    Thank you for the guide, I have been having the same issue getting this setup.  At times it connects but if either of the systems reboot, it never reconnects, and now currently, it won't connect.

    Any thoughts on the below log messages from pfSense?  Google has betrayed me and I can't seem to find a solution.

    
    May 8 02:40:54   charon      07[MGR] <con1|1418>tried to checkin and delete nonexisting IKE_SA
    May 8 02:40:54   charon      07[IKE] <con1|1418>unable to resolve remotedomain.com(edgeos), initiate aborted
    May 8 02:40:54   charon      17[LIB] resolving 'remotedomain.com(edgeos)' failed: hostname nor servname provided, or not known
    May 8 02:40:54   charon      06[CFG] trap not found, unable to acquire reqid 0
    May 8 02:40:54   charon      13[KNL] creating acquire job for policy pfsenseip/32|/0 === edgeosIP/32|/0 with reqid {0}
    May 8 02:40:54   charon      16[KNL] creating acquire job for policy pfsenseip/32|/0 === edgeosIP/32|/0 with reqid {3}
    May 8 02:40:54   charon      13[KNL] received an SADB_ACQUIRE with policy id 35 but no matching policy found
    

    I'm trying to replicate it on my side by rebooting my EdgeRouter, but so far no luck. It's reconnecting for me.

    I'm also seeing a lot of people complaining about StrongSwan's versioning and specific issues with IKEv1; I'll check it out and see what I can find!

    EDIT: What version of pfSense and EdgeOS are you running? I couldn't get EdgeOS to connect until I upgraded to v1.8.0, and I haven't tried pfSense 2.3 IPsec with EdgeOS yet; that's on my to-do list.



  • Thanks!

    If you reboot your pfSense side does it come back up?



  • I'm actually testing with my pfSense in my office in production (I might be the würst), so I haven't been able to reboot the pfSense and watch it come back up.

    I'm going to set up one of my other additional public IPs on a secondary pfSense and test sometime in the next few days, though.



  • Nice test system :)

    I'm going to wipe out all of the config and try again; it has been a pain.  Thanks again!



  • @danmanners:

    Pass TCP 51 for IPsec Authentication Headers,

    The number 51 is the IP protocol number for AH, not a TCP port.  Also, you have configured IPsec for ESP, so you should configure a rule to pass through IP protocol number 50 instead.



  • Thanks for posting this guide. It worked great! It would have been nice to set up all of this through the GUI on the EdgeRouter. Hope that Ubnt fixes that in the next firmware upgrade.

    Cheers!



  • There's something wrong with firewall rule 3 on the pfSense side.

    The protocol should be AH (that is, protocol 51) and not TCP port 51 (which is… nothing).

    I configured:

    And new rule 3:

    • Action: Pass

    • Disabled: Unchecked

    • Interface: WAN

    • TCP/IP Version: IPv4

    • Protocol: AH

    • Source: any

    • Destination: WAN address

    • Description: IPsec Authentication Headers | PASS