How to Configure a Multi Site to Site to Site IPSec VPN with PFSense

Captions
Hello and welcome to another tech tip by VMNerd. Our tech topic for today is how to create a multi site-to-site VPN using IPSec and pfSense. In this tutorial we'll perform the following: create a basic diagram to provide context to the network layout that we'll be working with; configure MTU clamping to control how larger packets are handled when traveling through the VPN tunnels; set up firewall rules to allow VPN connectivity between the three site locations; establish the site-to-site VPN tunnels between the three site locations; configure name resolution so guests between the site locations can resolve each other; and finally, configure site two's machines to use site one's internet connection. And with that, let's get started.

All right, so let's go ahead and get this diagram going, just really quick, it shouldn't take too long. So this drawing right here, this piece of it, it's called a bus, which is the network bus we're referring to here, and this will actually be our internet zone. So let's go ahead and add some subtext to it, call this the Internet, and this is for illustration of our network topology. The next thing we're going to need is firewalls, and this is our internet firewall, the one that actually allows us out to the Internet, to our Internet service provider. And we have one here which is for our, what we'll label here in a minute, computer, laptop. For illustration we are not going to have computers at all of the sites; we're just going to have them at two of the three sites for illustration purposes, so we can test connectivity between them as we light up the VPN tunnels.

Okay, so let's go ahead and add some IP addresses and all that wonderful stuff. So this will be labeled site one, this will be labeled site two, this will be labeled site three. Now each network here has its own IP address, so 10.179.44.11 is the WAN interface on our firewall. And just so you know, the 10.179, while it's not truly routable on the Internet, it is routable in our lab, which mirrors and simulates the Internet. So site 2 will have an IP of .12, this will be .13, and now for our LAN interfaces: 192.168.11.254, which is the LAN interface. I'll do the same thing here, so this will follow the same naming scheme, so this would be .12, and of course this one over here will be .13. And of course our computers themselves have their own respective IPs. So this will be Test VM, actually no, we won't even give them IPs, so you'll just see them as we start doing name resolution and whatnot. And this is the machine we are currently working from, so let me get the IP: it is right here, .44.99. This is actually the management machine that we are currently using, and this is where we're doing our drawings and what we'll be connecting to each of the firewalls from for the configurations. And of course this is our gateway up here, so let's go ahead and label it as such, a gateway. This is how all of our machines will actually connect to the internet itself, even though these VPNs and all that are not internet accessible, but for the purposes of representation this is really our internet zone.

All right, let's go ahead and move on to the next step, which is let's go ahead and start by connecting to each of the firewalls. In the video, for those of you interested, I use the default pfSense password; I will assume you guys will have different ones. So if you look right here, here's the IP, go back to our diagram, it'll be .44.13 on our WAN side, 10.179.44.13. All right, so the first thing we want to do is let's go ahead and configure the VPN clamping, and that's done under the Advanced Settings here. This is the clamping, and basically what this is doing is it says any packet that's over 1400 MTU bytes, it'll actually put it together when it gets to the other side. So even though the packets are going to be over 1400, it'll actually put them together when it transfers through the tunnel on the other end and then delivers it to the destination. So we're going to enable that. If we set it any lower, or if we set it higher, then what it's going to do is it could potentially drop packets and then not rebuild. So let's go ahead and click Save, and we need to do this at each of these locations, so site 2 will get the same configuration.

All right, so the next step, let's go ahead and just move these over to the tunnel section. So the next thing we're going to do is we're going to go ahead and add the firewall rules to allow connectivity between the locations. So I'm going to set up an alias for this, and the alias is going to be called the VPN location, or we'll just call it IPSec VPN connections. What we're going to do is just add the hosts, so in this case it'll be 10.179.44.12 and .13, that's because these two here are going to connect to him. So let's go ahead and save, and now I need to go do this on each of these. Go to Alias, Add, IPSec VPN connections, and from site 2 we need to add .11 and .13. Save. And on site 3 we'll go ahead and add .11 and .12 as well.

Okay, so now let's go back to the first firewall and build our rule. Go to Firewall, Rules, WAN. So we're going to add an allow rule: we're going to allow UDP, the source is going to be the alias that we created, which will be IPSec VPN connections, the destination is going to be the WAN address, and the port is going to be IPSec, where's that, IPSec, not that one, there's another one, like 500 or something like that, there it is, 500. So we'll save, and we just need to mirror this across: Add, UDP, source the IPSec alias, destination WAN address, port 500. And then again on site 3: Add, UDP, source the alias, destination WAN address. All right, so in theory these firewalls can now communicate with each other over the IPSec port that has been established, which is UDP 500.

Okay, so let's go ahead and start configuring the site-to-site tunnel. So VPN, IPSec, and go ahead and add the tunnel component here. We'll go ahead and set the key exchange version, the Internet Protocol, the interface, in this case here we're going to go with WAN. So the remote gateway is going to be 10.179.44.12, and we're going to do the PSK, and we'll do my IP address against peer IP address. Just for illustration purposes the PSK is "PSS PSS PSS"; it is case sensitive. AES 256, SHA-256, and I just make it the same across the board. Tunnel, doesn't matter. All right, so that's part one. Now let's go ahead and add Phase two, and what we're going to do is our LAN subnet is the local subnet, and we're going to allow it to the remote network, so in this case it's going to be 192.168.12.0/24. Let's do ESP; for encryption we'll go ahead and do AES 256, and the hash algorithm is SHA256, PFS group 2, and go ahead and click Save and apply.

All right, so now let's go ahead and go to the second firewall; we'll do the same thing. Add, phase 1, WAN, the remote gateway is going to be 10.179.44.11, the PSK, paste it, remember it was PSS PSS PSS, AES 256, SHA 256, 2048, that should be sufficient. Go ahead and add the subnet that we're going to allow: LAN subnet, and the network we're going to connect to is 192.168.11.0/24, AES 256 here, SHA 256. I'll have to go back and check that, I don't remember if I got that one right. Apply, that looks good. Now let's take a look and make sure I did that one correctly, I might not have, and I did not, so let's go set that to 2048; we want to keep it the same across the board. Okay, so then let's take a look at the status of the VPN, so Status, IPSec, and if you look right here we're already established. Let's go ahead and go to the other one, and we'll do the same thing, and there's our connectivity. Very simple, very straightforward.

Okay, so the next thing we need to do, just to keep this simple for now, let's go to the Firewall, Rules, IPSec tab, and we're just going to allow any/any for now. It's just for the purposes of what we're doing; obviously you can clamp and tighten it however you see fit. Rules, IPSec, any/any, and we should be good.

All right, now what we're going to do here is we're going to go to our test VM. Let's go back to the drawing here, so we have Test VM 1 and Test VM 2. So let's go ahead and connect to Test VM 1, and we're just going to try and ping the LAN gateway, which is .12.254, from this one here, which is .11. I'll show you what the IP is right here; if you look right here, 192.168.11. So bring up a quick command prompt, go ahead and do the ping here: ping 192.168.12.254. We should get a reply, and we do. Now let's see if we can get the IP for Test VM 2, which is this guy here. If you look right here, it's .12.100. Let's just see if we can ping it; it should work. Ping 192.168.12.100, and we can. So as it stands, our VPN tunnel from site 1 to site 2 is fully operational.

Okay, so now what we need to do is configure another tunnel that goes from site 1 to site 3. So let's go back to site 1 and establish another tunnel here. Add, WAN, and in this case we're going to do 10.179.44.13. Same thing: mutual PSK, my IP, and we'll use the same PSS PSS, whatever, that we used, 256, 2048, and we'll go ahead and click Save. Let's go ahead and add the Phase two, so we'll add the network, in this case it's going to be 192.168.13.0/24, and basically the /24 just means any IP that's 13.1 through .254 will be allowed through the tunnel. And we'll select AES 256, SHA 256, 2048, save and apply. Now we need to go to the other one and do the same thing. So VPN, IPSec, and we will create pretty much the same rules; the only difference is the gateway we're going to have to go to, so in this case 10.179.44.11, mutual PSK, IP to IP, 256, 256. All these numbers, they just have to match, with the exception of source and destination; otherwise you're going to get a mismatch and they will not connect. Okay, so then add the Phase 2: we're going to take our LAN subnet and we're going to connect it to 192.168.11.0/24, ESP, AES-256, SHA-256, 2048, and that should do it. Click Save, apply. Let's just take a look; you're not connected yet, but we'll give it just a moment, click Connect, see what happens. There we go, the tunnel is already established. Let's go back and take a look and see what this one looks like: Status, IPSec, and look at that, we have tunnels. Okay, so hypothetically here we should be able to ping from here, sorry, not eleven, this will be 192.168.13.254, so this is site one going over to site three, and we should be able to at least resolve that. Oh wait a minute, it will not work yet; we still forgot one more piece over here in site three. We need to add the firewall rule to allow IPSec, so just click Add and we will allow, oops, just do any/any again for illustration purposes; I will let you guys lock it down how you see fit. Okay, so let's go back to our Test VM 1, which is our site one VM, which is going to connect to site 3. Let's go ahead and just do a ping, and it should reply, and there we go, perfect. So the connectivity is good.

Now we need to go do the same thing for site 2. So inside here, this is site 3 over here, it looks like we should have two: one that goes from site one to site two and then one that goes from site one to site 3, which is what we have. Now we need to go to site 2 and do the same thing. So let's go ahead and go VPN, IPSec, and let's do the exact same things, though we're going to do site 2 to site 3, so to 10.179.44.13. And just so you know, you guys really can use the hostname if you want, so if your external firewalls are resolvable via the internet, you can potentially type those in. If you do use the IP address, it's assumed that you have a static IP assigned by your provider, and it just doesn't require the name resolution. So in the event that you have a name resolution dependency, you could potentially have issues if the name servers that host the name-to-IP are down or unavailable, at least while the tunnel is attempting to establish. So if you have a dynamic IP, you've got to kind of work with what you've got. Okay, so I followed all the same rules as before. So the next thing we need to do is add phase 2, so local subnet, and I'm going to be connecting to 192.168.13.0/24, 2048, quick save and we'll apply. Now let's go over to the third firewall, site three I should say, and let's go ahead and add the connectivity from site three to site 2, WAN, 10.179.44.12, mutual PSK, and we'll just use the same one again. I mean, it usually is a good idea that you have different keys for different connections, but just for illustration in the video it was easier to do it this way. 2048, go ahead and add the phase two, so 192.168.12.0/24, ESP, AES 256, 2048, and that should do it. Apply, and in theory we should have connections; if not we hit the Connect button, and there we have connectivity. So let's go ahead from the VM here, from the site 2 test VM, and let's see if we can talk to site 3: ping 192.168.13.254, and we should get a reply, and we do. That means that our connectivity is good; we can traverse packets through the VPN tunnels, etc.

Okay, so the next thing we need to do is set up DNS, actually set up DNS name forwarding. So let's go ahead and attempt to do that. From site one we want site 2 and site 3 to resolve. Now with DNS it's a little tricky, because in a corporate environment, let me go ahead and put another drawing together, and I'm just going to basically show two different architectures. So in a corporate environment we typically have centralized DNS servers, usually located in their data centers or something to that effect, and it looks something like this. Let me go ahead and add some clients out there so that we can get the idea, but the bottom line is a corporate environment typically has centralized DNS infrastructure that resolves name to IP, so that way they can talk to one another and all of that stuff. However, with our pfSense installations and the way that we have things, we're going to be doing something a little bit different, where we'll be able to resolve the names, we just have to handle it a little bit differently, just because of the fact that each site can end up becoming its own island, if you will. This is what we don't want: we don't want machines to not be able to resolve services that could be local to that particular site. VPN connectivity, well, they are for the most part reliable, but if you are depending upon the internet or something like that, you could potentially have downtime and then have your clients completely offline. And yeah, there are ways to mitigate that, but to keep this as simple as possible so I can explain it easily, I'm going to go ahead and separate the DNS servers, or resolvers, of pfSense, so that way each client will use its respective resolver. So for example, this is site one, this is site two, this is site three, so when a client is going to do a name resolution lookup, it's going to talk locally, and same thing with the other site, and vice versa.

Okay, so to make this work, what we need to do is go make sure that the local host is actually using the correct domain name. So for site one, that's site1.labs.vmnerd.com. Let's go to the resolver, or actually let's check the DHCP. If you look right here, it has actually defined the domain name, so that means it's going to use the firewall hostname. So now let's go back to Services, go to the resolver, and we need to make sure we enable registration of DHCP leases in the DNS, so that way they automatically will input their information, and we're going to do this for each of the firewalls. Then we need to go and do the domain overrides, now over here. So this will be site2.labs.vmnerd.com, pull it up so you can paste it later, 192.168.12.254, save, and let's go ahead and add 13 as well, site 3 excuse me. We also need to enable an access control list; we'll come back to this. So let's just do this across the board. Same thing, we'll make sure site 2's DHCP is not advertising using a different domain name, good. And while we're over there, enable, enable, save. Then at the bottom, Add, so this will be site 1, and what we want is 192.168.11.254, save, apply. Just got to do this one more time, and then after that we'll add the access list. Services, Resolver, check, check, okay, the domain overrides, save, one more, so this will be site 2, save, apply. Okay, there's still a couple more steps that we have to do. The next thing we need to do is actually enable, from an access control list perspective, we need to make sure that we have IPSec allowed, so we'll call it IPSec VPN allow; basically call this whatever you want, whatever is easy. So I need to enable or allow the subnet .12.0/24 and the same thing for site 3, /24, save. And of course we have to do this across all of them as well, so let's go ahead and do that. Go back here and click copy and paste it, it makes it easier, /24, /24, beautiful. Now this is just one of those things you have to do to make sure that this connectivity is authorized and allowed, 0/24. Trust me, there's still a little bit more we've got to do, so we're not necessarily out of the woods yet.

Okay, so pfSense has, not really an issue, it's actually a routing thing, but it's related to the FreeBSD kernel, and basically what happens is any services that need to reach out over an IPSec VPN tunnel need to leave the default interface where it's coming from. In order for that to happen, it has to have a default gateway, and on your default LAN interface, or pretty much any interface for that matter, by default they don't have default gateways defined. So what you need to do is actually configure a gateway so that communication can flow out through the VPN tunnel. So when the information comes in or leaves the network, it knows what the default gateway is to get back to where it originated from. So we need to go to Routing, we need to add the gateway, which in this case is our LAN gateway, so the interface is LAN, and we want to call this the VPN LAN gateway. Okay, so for the gateway it's going to be the actual IP address of the interface, so it's 192.168.11.254 for site one, which is where we're at, and we need to disable the monitoring. So save, and while we're in here we need to go ahead and add a static route, so 192.168.12.0, the gateway is going to be this guy, and we need to add one for 13 as well, save. And now we need to go do the same thing on the other two. So Routing, add a gateway, call it the same, select LAN, the gateway since we're on site 2 is .12.254, and we'll disable monitoring. So we'll save, whoops, what did I do wrong? It's all this case, that's why, it's nitpicky. Okay, so save, there we go, apply, and the static routes: 192.168.11.0/24, one more, 192.168.13.0/24, save, apply. And last but not least, site three, name it the same, the gateway is 192.168.13.254, remember 13 is site three's LAN interface, so we're just going to turn it into a routable gateway, and go ahead and disable the monitoring so it doesn't take it down or anything. Static routes: 192.168.11.0/24 says go to site one, and when you do, make sure you use the LAN gateway, save, and then the same way again for 192.168.12.0/24. All right, so in theory everything should be good to go.

Let's come back here and do some tests. So remember inside the resolvers how we enabled the registration; I'll show you right here where we register DHCP leases. So what we need to do is go to each one of these, since it was unchecked; we need to do a release, and then we'll go ahead and do a renew, and then in theory that should put our name inside the resolver. So let's see if that works: nslookup. So our machine name is testvm01, and if you look up here this is where the name is, so it should come back with an IP, and it does. So let's do the same thing on testvm02: /release and /renew. IPv6 enabled, it's testvm02, okay. So let's make sure we can actually get to that site again, since we made some changes; let's make sure we can hit 12.254, and we can. All right, let's do an nslookup, and let's just try this out here. So we're going to do testvm02, because from our machine here we want to see if we can resolve the other site, which is site two's VM, so it's going to be testvm02.site2.labs.vmnerd.com. So basically what had happened was we had to set up connectivity to allow our local DNS server to talk to that local DNS server, and vice versa. So this one should in theory be able to do the same thing, so we should do testvm01.site1.labs.vmnerd.com, and there you go, it's recorded; it's not the authority, but it said hey, go here. And let's try this again, testvm02, and you see how it says authoritative answer versus non-authoritative answer. So this one here is saying "I'm the authority for this domain," whereas when I went and looked at the other one, he said "that's not my authority," meaning that he went ahead and forwarded it to the other DNS server, or the other resolver. So if we go back here to our drawing, when he made the request, he asked him for the information, he said "I don't know who he is," went to him to get it, and then came back and went back to the client. So from here to here to here and back.

Okay, so now that that is actually resolving and working, let's go ahead and do a ping test, shall we? So ping testvm02.site2.vmnerd.com, okay, forgot the labs in there, there you go, see, no problem. So now, one thing that is kind of, call it lame if you will, or boring, is the fact that you have to type this in here every time. So one thing we can do on our client here is we can actually go in, and if you're in a domain and you're controlling everything through policies and whatnot, you can actually do this through your policy; I'm not really going to get too far into that. What you can do here is go to "append these DNS suffixes in order," so you can do site1.labs.vmnerd.com, you can copy and paste this, site 2, and site 3. I'm not sure if this will work, but we're going to try it; in theory it should. So disable, re-enable, and let's see if we refresh it. I'm just testing to see if this works, I'm actually curious myself; it should, but we'll see. So in theory I should be able to type testvm02 and it should resolve, and it does. So basically what happened is my client said "hey, I'm looking for this particular hostname, I want you to check in the following areas." When we specified the search suffixes, it needs to go check each one until it gets the answer that it was looking for. So let's run it against site3.labs.vmnerd.com. Okay, he said "hey, I want to resolve this name," and the first one didn't have it but the second one did, and that's actually the result it came back with.

And now for the final step, and that is to enable site two to use site one's internet connection. So let's go ahead and do that. So here's site 1. The first thing we need to do is go to the NAT translation table and look at our outbound configurations, and right now it's just these that are allowed through. Oh, looks like everything's already allowed through, so we're good from that perspective, since there's an automatic rule that went ahead and enabled NAT for IPSec. So with that being said, let's go ahead and configure site 2 connectivity. Now before we do this, I want to go ahead and show you what our external IP is to the Internet, at least in the internet zone. If you look right here, we have a VMNerd IP website, click on that, it's just ip.vmnerd.com, and if you look right here our outbound internet IP is 10.179.44.12. So when we're done with this, in theory it should be .11. So let's go back to the firewall. This is actually not as difficult as it sounds; it's actually just a VPN change, an IPSec VPN change. So let's go ahead and do that. Open up your tunnels, you're going to go to phase 2, this is the one connecting to site 1; we just need to modify the tunnel information. So instead of having 192.168.11.0, we're going to switch this to 0.0.0.0, and now we need to switch this to zero as well. Basically what we're saying is any traffic that leaves this interface, this is where it's going to go. Okay, 0.0.0.0. And then same thing, we've got to go back to the site one firewall and do the same thing. So this is coming from site 2; we need to go and specify what subnets are allowed through. So in this case here the remote network is there, but the network that it's going to is going to be 0.0.0.0/0. We need to make sure that, I think that's correct, we'll find out right now. And let's go back here one more time to make sure the remote subnet is "anything". All right, let's go test it out, shall we? Here we go. So before we did this, this was our gateway; so now let's go ahead and surf the internet and see what happens. We might have to refresh. Nope, that was it. See, that's actually not too difficult. And one thing I would like to do before we go any further, I want to go ahead and test and make sure I can still connect to site 3, 13.254, and I can. And let's just see how it's getting there: is it going directly, or is it actually going through site 1? That's going to be the real trivia. So it's going from site 2 directly to site 3. Well, I hope you enjoyed our video on how to create a multi site-to-site VPN using IPSec and pfSense. Have a great day, and don't forget to check out our YouTube channel for more tech tips.
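The video configures the same set of objects on each of the three firewalls by hand (peer alias and UDP 500 rule, a phase 1/phase 2 pair per peer, static routes via the LAN gateway, unbound domain overrides and ACL) and at one point hits a DH group mismatch that keeps a tunnel from establishing. The following Python script is an added example, not code from the video or from pfSense: it models the three-site full mesh as data, derives each firewall's checklist from the site table, and cross-checks that both ends of every tunnel agree on everything except the swapped local/remote networks. It also flags a PSK shared across tunnels (the caveat the video mentions) and reproduces the last step, where site 2's phase 2 to site 1 becomes 0.0.0.0/0. The addresses mirror the lab; the domain names are as reconstructed from the captions; DH group 14 is assumed to be the "2048" the video picks; all helper names are this example's own.

```python
"""Plan and cross-check a three-site pfSense IPsec full mesh from a site table.

Added example. Addresses and names are constructed to mirror the video's lab;
the helpers (Site, Tunnel, mesh_tunnels, plan_site, check_mesh,
default_route_via) are this example's own and are not pfSense APIs.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Site:
    name: str
    wan: IPv4Address       # tunnel endpoint; the WAN rule allows UDP 500 to it from peers
    lan: IPv4Network       # phase 2 local subnet
    gateway: IPv4Address   # LAN interface IP: static-route gateway and DNS override target
    domain: str            # what DHCP hands out and what unbound answers for locally


@dataclass
class Tunnel:
    """One end of a phase 1 / phase 2 pair, as entered on one firewall."""
    local: Site
    remote: Site
    psk: str
    p1: dict               # phase 1 proposal (encryption, hash, DH group)
    p2: dict               # phase 2 proposal (protocol, encryption, hash, PFS group)
    local_net: IPv4Network = None
    remote_net: IPv4Network = None

    def __post_init__(self):
        self.local_net = self.local.lan if self.local_net is None else self.local_net
        self.remote_net = self.remote.lan if self.remote_net is None else self.remote_net


def mesh_tunnels(sites, psk_for, p1, p2):
    """Full mesh: every site configures one tunnel to every other site."""
    return [Tunnel(a, b, psk_for(a, b), dict(p1), dict(p2))
            for a in sites for b in sites if a is not b]


def plan_site(site, tunnels):
    """Everything the video configures on one firewall, derived from its own tunnels."""
    mine = [t for t in tunnels if t.local is site]
    peers = [t.remote for t in mine]
    return {
        "alias_ipsec_vpn_connections": sorted(str(p.wan) for p in peers),
        "wan_rule": {"proto": "udp", "src": "IPSec VPN connections",
                     "dst": "WAN address", "port": 500},
        "phase1": [{"remote_gateway": str(t.remote.wan), "auth": "mutual PSK"} for t in mine],
        "phase2": [{"local": str(t.local_net), "remote": str(t.remote_net)} for t in mine],
        "static_routes": {str(p.lan): str(site.gateway) for p in peers},  # via the LAN gateway
        "domain_overrides": {p.domain: str(p.gateway) for p in peers},
        "unbound_acl_allow": sorted(str(p.lan) for p in peers),
    }


def check_mesh(tunnels):
    """Problems to fix before clicking Connect: both ends of a pair must agree on
    proposals and PSK, their phase 2 networks must be mirror images, and a PSK
    shared by several tunnels is flagged."""
    problems = []
    by_pair = {(t.local.name, t.remote.name): t for t in tunnels}
    for (a, b), t in sorted(by_pair.items(), key=lambda kv: kv[0]):
        back = by_pair.get((b, a))
        if back is None:
            problems.append(f"{a}->{b}: {b} has no tunnel back to {a}")
            continue
        if a > b:
            continue  # symmetric checks run once per pair
        for phase in ("p1", "p2"):
            mine, theirs = getattr(t, phase), getattr(back, phase)
            for k in sorted(set(mine) | set(theirs)):
                if mine.get(k) != theirs.get(k):
                    problems.append(f"{a}<->{b}: {phase} {k} mismatch "
                                    f"({mine.get(k)} vs {theirs.get(k)})")
        if t.psk != back.psk:
            problems.append(f"{a}<->{b}: PSK differs")
        if t.local_net != back.remote_net or t.remote_net != back.local_net:
            problems.append(f"{a}<->{b}: phase 2 networks are not mirror images")
    shared = {}
    for t in tunnels:
        shared.setdefault(t.psk, set()).add(frozenset((t.local.name, t.remote.name)))
    for pairs in shared.values():
        if len(pairs) > 1:
            problems.append(f"PSK reused across {len(pairs)} tunnels")
    return problems


def default_route_via(tunnels, client, hub):
    """The video's last step: client sends everything through hub, so the client
    side's remote network and the hub side's local network become 0.0.0.0/0."""
    for t in tunnels:
        if t.local is client and t.remote is hub:
            t.remote_net = ANY
        elif t.local is hub and t.remote is client:
            t.local_net = ANY
    return tunnels


# Constructed lab data mirroring the video (domain names as heard in the captions)
SITES = [
    Site("site1", ip_address("10.179.44.11"), ip_network("192.168.11.0/24"),
         ip_address("192.168.11.254"), "site1.labs.vmnerd.com"),
    Site("site2", ip_address("10.179.44.12"), ip_network("192.168.12.0/24"),
         ip_address("192.168.12.254"), "site2.labs.vmnerd.com"),
    Site("site3", ip_address("10.179.44.13"), ip_network("192.168.13.0/24"),
         ip_address("192.168.13.254"), "site3.labs.vmnerd.com"),
]
P1 = {"enc": "aes256", "hash": "sha256", "dhgroup": 14}   # 14 = 2048-bit group (assumed)
P2 = {"proto": "esp", "enc": "aes256", "hash": "sha256", "pfs": 14}

if __name__ == "__main__":
    # one placeholder PSK per pair instead of one key for the whole mesh
    tunnels = mesh_tunnels(SITES, lambda a, b: "PLACEHOLDER-" + "-".join(sorted((a.name, b.name))), P1, P2)
    for site in SITES:
        print(site.name, plan_site(site, tunnels))
    print("problems:", check_mesh(tunnels))
```

Run it as-is to see each firewall's checklist and an empty problem list; change `dhgroup` on one end of one tunnel and `check_mesh` reports the same kind of mismatch the video had to go back and fix.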
Info
Channel: VMNerd
Views: 45,788
Rating: 4.8885794 out of 5
Keywords: How To, Howto, VMNerd, DIY, Tech, Tech Tips, VMNerd Tech Tips, VPN, IPSec, DNS, Site to Site, Internet, Opensource, Open Source, PFSense, Firewall, FREE
Id: 2IdV4CgHo3w
Length: 51min 46sec (3106 seconds)
Published: Thu Jan 19 2017