pfSense

pfSense - IPsec VPN Routed (VTI) site-to-site

I am struggling to establish a site-to-site VPN tunnel between a pfSense box and an OpenWRT/Linux. As a proof of concept, I have created this LAB to test the setup with two pfSense boxes instead. In the hopes that the understanding will help to narrow the issues with the intended setup.

The diagram below illustrates how the LAB was configured. It is a very basic setup.

We will create the tunnel and route the traffic through the tunnel.

Let's create the the tunnel in the first pfSense 192.168.45.10

HV2-LAB-PFSENSE-0 - 192.168.45.10

Navigate to the menu below.

And click in Add P1 and configure as below

Phase 1 Configuration

Phase 1 will use the WAN interface and we need to specify the remote gateway.

Change My identifier/Peer identifier to Distinguished name and set a unique name.

Use IP only if you have a static public IP address otherwise Distinguished name is recommended.

The Phase 1 is configured with a secure encryption algorithm.

Phase 2 Configuration

Click in Show Phase 2 Entries and Add P2 and configure as follows :

when the local subnet was as 10.10.10.1/30 only the remote was able to send and receive pings, after it has been changed to 10.10.10.1 pings from this host ( 10.10.10.1 ) started to get replies from the remote peer ( 10.10.10.2 ).

Save and repeat in the remote peer swapping the subnets and identifier.

Also, don't forget to swap the remote IP Address too.

Above is the configuration in the remote host ( 192.168.45.40 )

After configuring the remote peer ( 192.168.45.40 ) go to Status > IPsec and stablish the connection if not already connected.

Make sure that a gateway has been added for the remote peer.

And finally, we need to add a static route to our remote network.

The route will allow the traffic to flow through the tunnel as seen on the diagram below in green:

Don't forget to add a route in the remote peer too, otherwise the traffic won't return since the remote peer does not know how to route the traffic back.

We can run pings from the console to test the connectivity between the hosts.

[2.5.2-RELEASE][admin@pfSense.localdomain]/root: ping 10.10.10.2
PING 10.10.10.2 (10.10.10.2): 56 data bytes
64 bytes from 10.10.10.2: icmp_seq=0 ttl=64 time=0.736 ms
64 bytes from 10.10.10.2: icmp_seq=1 ttl=64 time=0.468 ms
64 bytes from 10.10.10.2: icmp_seq=2 ttl=64 time=0.729 ms
64 bytes from 10.10.10.2: icmp_seq=3 ttl=64 time=0.614 ms
^C
--- 10.10.10.2 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.468/0.637/0.736/0.109 ms
[2.5.2-RELEASE][admin@pfSense.localdomain]/root: ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1): 56 data bytes
64 bytes from 10.10.10.1: icmp_seq=0 ttl=64 time=0.094 ms
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.132 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=0.172 ms
^C
--- 10.10.10.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.094/0.133/0.172/0.032 ms

192.168.45.10 - HV2-LAB-PFSENSE-0

[2.5.2-RELEASE][admin@pfSense.localdomain]/root: ping 172.16.15.1
PING 172.16.15.1 (172.16.15.1): 56 data bytes
64 bytes from 172.16.15.1: icmp_seq=0 ttl=64 time=0.638 ms
64 bytes from 172.16.15.1: icmp_seq=1 ttl=64 time=0.497 ms
64 bytes from 172.16.15.1: icmp_seq=2 ttl=64 time=0.702 ms
64 bytes from 172.16.15.1: icmp_seq=3 ttl=64 time=0.702 ms
^C
--- 172.16.15.1 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.497/0.635/0.702/0.084 ms

192.168.45.10 - HV2-LAB-PFSENSE-0

It worth to mention that there are no traffic rules applied to the firewalls in this LAB. Don't forget that the best practices is to block all traffic and selectively allow what is needed.

Finally, we have some console output describing the connection and the strongswan configuration files.

[2.5.2-RELEASE][admin@pfSense.localdomain]/root: ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.2, FreeBSD 12.2-STABLE, amd64):
  uptime: 115 minutes, since Sep 10 17:27:51 2021
  worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 17
  loaded plugins: charon unbound pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac drbg curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
Listening IP addresses:
  192.168.45.10
  172.16.10.1
  10.10.10.1
Connections:
      bypass:  %any...127.0.0.1  IKEv1/2
      bypass:   local:  uses any authentication
      bypass:   remote: uses any authentication
        con1:  192.168.45.10...192.168.45.40  IKEv2, dpddelay=10s
        con1:   local:  [hv2-lab-pfsense-0] uses pre-shared key authentication
        con1:   remote: [hv2-lab-pfsense-1] uses pre-shared key authentication
        con1:   child:  0.0.0.0/0|/0 === 0.0.0.0/0|/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
        con1[8]: ESTABLISHED 114 minutes ago, 192.168.45.10[hv2-lab-pfsense-0]...192.168.45.40[hv2-lab-pfsense-1]
        con1[8]: IKEv2 SPIs: 6930b6a296b3178e_i c2549ecd735ce88b_r*, rekeying in 4 hours
        con1[8]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
        con1{10}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ced7f6ea_i c5998076_o
        con1{10}:  AES_GCM_16_256/MODP_2048, 110060 bytes_i, 314972 bytes_o, rekeying in 32 minutes
        con1{10}:   0.0.0.0/0|/0 === 0.0.0.0/0|/0
[2.5.2-RELEASE][admin@pfSense.localdomain]/root:

192.168.45.10 - HV2-LAB-PFSENSE-0

# Automatically generated config file - DO NOT MODIFY. Changes will be overwritten.
starter {
        load_warning = no
}
charon {
        # number of worker threads in charon
        threads = 16
        ikesa_table_size = 32
        ikesa_table_segments = 4
        init_limit_half_open = 1000
        install_routes = no
        load_modular = yes
        ignore_acquire_ts = yes
        cisco_unity = no
        syslog {
                identifier = charon
                # log everything under daemon since it ends up in the same place regardless with our syslog.conf
                daemon {
                        ike_name = yes
                        dmn = -1
                        mgr = -1
                        ike = 4
                        chd = 4
                        job = -1
                        cfg = -1
                        knl = -1
                        net = -1
                        asn = -1
                        enc = -1
                        imc = -1
                        imv = -1
                        pts = -1
                        tls = -1
                        esp = -1
                        lib = -1
                }
                # disable logging under auth so logs aren't duplicated
                auth {
                        default = -1
                }
        }
        plugins {
                # Load defaults
                include /var/etc/ipsec/strongswan.d/charon/*.conf
                unity {
                        load = no
                }
                curve25519 {
                        load = yes
                }
                pkcs11 {
                        load = yes
                        modules {
                                opensc {
                                        load_certs = yes
                                        path = /usr/local/lib/opensc-pkcs11.so
                                }
                        }
                }
        }
}

/var/etc/ipsec/strongswan.conf - 192.168.45.10 - HV2-LAB-PFSENSE-0

# This file is automatically generated. Do not edit
connections {
        bypass {
                remote_addrs = 127.0.0.1
        }
        con1 {
                fragmentation = yes
                unique = replace
                version = 2
                proposals = aes256-sha256-modp2048
                dpd_delay = 10s
                dpd_timeout = 60s
                rekey_time = 25920s
                reauth_time = 0s
                over_time = 2880s
                rand_time = 2880s
                encap = no
                mobike = no
                local_addrs = 192.168.45.10
                remote_addrs = 192.168.45.40
                local {
                        id = fqdn:hv2-lab-pfsense-0
                        auth = psk
                }
                remote {
                        id = fqdn:hv2-lab-pfsense-1
                        auth = psk
                }
                children {
                        con1 {
                                close_action = start
                                dpd_action = restart
                                policies = no
                                life_time = 3600s
                                rekey_time = 3240s
                                rand_time = 360s
                                start_action = start
                                remote_ts = 10.10.10.2,0.0.0.0/0
                                local_ts = 10.10.10.1,0.0.0.0/0
                                reqid = 1
                                esp_proposals = aes256gcm128-modp2048
                        }
                }
        }
}
secrets {
        ike-0 {
                secret = 0sZTU1OWM3NTI0NzgxODhmM2ZjYTA3YWIzZTVmY2QxZmYwMmY1YzU1NTc0YjU3NjkyMGM2N2M0NDM=
                id-0 = %any
                id-1 = fqdn:hv2-lab-pfsense-1
        }
}

/var/etc/ipsec/swanctl.conf - 192.168.45.10 - HV2-LAB-PFSENSE-0