pfSense | IPsec site to site VPN Configuration - Easy Step by Step guide

Captions
Hi guys, welcome to another video. In this one we are going to take a look at the IPsec configuration between two pfSense firewalls. If you would like to go through the step-by-step instructions, this is my blog article, which I will link in the description below so that you can follow along. This is the topology that we're going to work on today: I have a pfSense firewall at Branch 1, which has a subnet of 10.1.1.0/24, and another one at Branch 2 with the subnet 10.2.2.0/24. The LAN connectivity at each firewall is working absolutely fine, and the LAN users are also able to talk to the internet. However, if they want to talk to each other, meaning if Branch 1 wants to talk to Branch 2, it doesn't work, and we are going to fix that specific problem by setting up an IPsec VPN.

Before we proceed, I have a request: if you like what you're watching, please like this video and subscribe to my channel. That would encourage me to create more content like this one, and if you have any questions or suggestions on a topic that you want me to cover, please let me know in the comment section below.

Let's first check the connectivity on each side. I have a Linux machine at Branch 1. Open a terminal and type ip addr; that will show you the IP address of the machine. As you can see, I got an IP address of 10.1.1.120 from the pfSense firewall at Branch 1. If I try to ping the gateway, 10.1.1.1, with -c 2 (I want to ping two times), you can see that it's working fine. In the same way, if I try to ping any external website, for example ping www.google.com, again with -c 2, it is responding as well. But if I change the IP address to the remote IP, which is 10.2.2.1, you can see that it's not responding. Let me continue to ping that; I'm not going to stop it. After we set up the VPN you will see that it starts responding.

I have the same Ubuntu server at Branch 2. Let me log into that. It's already logged in, good. Just like we did before, let me open the terminal and type ip addr, and I have an IP address in the 10.2.2.0/24 subnet from the pfSense Branch 2 DHCP service, which is good. If I try to ping the gateway, 10.2.2.1, you can see that I'm getting a response. Let me now try ping -c 2 www.google.com, and the internet connectivity looks good here as well. But when I try to ping the remote branch IP, 10.1.1.1, it doesn't respond. This means that on both sides the LAN connectivity and the internet are working fine; however, between the branch sites the connectivity is not good, so we are going to fix that now.

Let me open the pfSense firewalls of both Branch 1 and Branch 2. To easily identify and differentiate between these two firewalls, I have left the Branch 1 pfSense firewall with the default theme, whereas on Branch 2 I have the pfSense dark theme. Moreover, if you look closely, you could see there is another difference. Did you get it? On Branch 1 I'm using pfSense Community Edition, whereas on Branch 2 I use pfSense Plus.

Let's start the IPsec configuration at Branch 1. To configure IPsec, go to VPN > IPsec and click on Add P1, which is phase 1. This is where you configure the IPsec phase 1 in pfSense. Let's start with the general information: give a description, something like "Tunnel to Branch 2". In the IKE Endpoint Configuration, for Key Exchange version choose IKEv2. Leave Internet Protocol as IPv4. Leave the WAN interface at the default unless you have multiple WAN interfaces and would like to change it, which is not the case here; I have only a single WAN interface, so it should be okay. In Remote Gateway, enter the Branch 2 WAN public IP, which is 9.9.9.102. In the Phase 1 Proposal (Authentication) section, for Authentication Method choose Mutual PSK, which is the common method to create an IPsec VPN tunnel. For the Pre-Shared Key, pfSense can create a pre-shared key for you: all you have to do is click Generate new Pre-Shared Key, and that creates a new complex pre-shared key, as you can see. Let me copy that as well.

Next, the Phase 1 Proposal (Encryption Algorithm). We are using pfSense version 2.7.2 at the time of this recording. pfSense has already deprecated the previously available, less secure encryption algorithms such as DES, 3DES and so on, so feel free to choose whatever the available options are here. Some government agencies or organizations strictly use the GCM ones, as they provide more security, but in my case I'm choosing AES with a key length of 256, which is very common in enterprise networks, the hash as SHA256, and the Diffie-Hellman group (DH for short) as 14. You could have multiple sets of encryption algorithms, but in my case I'm just using a single one, which is more secure. Leave everything else as default, scroll all the way down, click on the Save button at the bottom and apply changes. You will now see that phase 1 of the IPsec tunnel configuration is complete.

Next we will configure phase 2. To configure phase 2, click on Show Phase 2 Entries, which is empty at the moment. One quick tip here: if you have multiple phase 2 subnets, you can continue to add P2s here by clicking on Add P2, but remember to match them on both sides. I'll create a separate video later that covers how to set up an IPsec VPN in pfSense with multiple subnets; for now let's go ahead and add the phase 2 parameters for our tunnel with a single subnet. Click on Add P2 to add the phase 2 parameters. In the Phase 2 tunnel configuration, under General Information, I'm adding the description first, for example "Phase 2 tunnel to Branch 2". In the Mode drop-down list you will see multiple choices, but choose Tunnel IPv4. Under Networks, for Local Network choose LAN subnet; that will select the LAN IP subnet of the pfSense that I have. For Remote Network choose Network from the drop-down, enter the subnet as 10.2.2.0, and choose 24 from the drop-down. In the Phase 2 Proposal, choose the protocol as ESP, the encryption algorithm as AES with 256 as the key length, and unselect AES128-GCM, which I don't need at the moment. Hash algorithm SHA256 and PFS group 14. Leave everything else as default, then scroll down and click on Save and apply changes. Expand the phase 2 and you can see both phase 1 and phase 2 are now configured successfully.

On to the security policies. We have built the tunnel; now we need to create a policy for the IPsec tunnel at Branch 1. Depending on your scenario you would have to define the security policy; maybe you require a policy only from Branch 1 to Branch 2 and you don't want Branch 2 to initiate any traffic towards Branch 1. Since this is a lab, we are going to allow traffic in both directions. To create a security policy in the pfSense firewall, click on Firewall and then Rules, and click on the IPsec tab to add the policy for the IPsec tunnel. At the moment I don't have any policy defined for the IPsec tunnel and I'm going to add a new one. Click on the Add button to add a new policy. Here the action should be Pass, the interface is already picked as IPsec, which is good, and the address family is selected as IPv4, which is fine as well. In Protocol, instead of choosing TCP, choose Any. In a production setup, however, you would most likely choose TCP and the specific port numbers; since this is a lab I'm just allowing all, which is fine. In the source address choose LAN subnet, as we are first allowing the outbound traffic, meaning traffic from Branch 1 to Branch 2, and in the destination choose Network and then enter the subnet 10.2.2.0/24. Log the traffic, and in the description add a descriptive name that can be used to identify the policy: "Allowing traffic to Branch 2". Perfect, click on Save. Don't click on Apply Changes yet; we need to create another policy, but this time we are going to allow the inbound traffic from Branch 2. Instead of adding a new policy, I have a trick for you: you can actually clone the existing policy. Click on the copy button right next to the policy that we just defined. pfSense has now copied the existing policy. Everything looks good; the only places we have to make changes are the source and the destination address, and of course the description has to be changed as well. In the source choose Network and enter the subnet 10.2.2.0/24, in the destination choose LAN subnet, and in the description, instead of "Allowing traffic to Branch 2", put "Allowing traffic from Branch 2". Click on Save, ensure everything looks good, and then apply the changes. We have successfully completed the IPsec configuration and its policies on the pfSense firewall at Branch 1. If you now check the pfSense IPsec status, you could see that it is in the connecting state, but it will never connect because we have not configured the remote side.

Let's configure the remote branch. Log into the pfSense on the remote side, go to VPN > IPsec, and just like we did on the pfSense at Branch 1 we will start with phase 1 and then proceed with phase 2. Click on Add P1 to add phase 1 of the tunnel. In the description add, for example, "Tunnel to Branch 1". For Key Exchange version choose IKEv2; leave the Internet Protocol and the interface as default. In Remote Gateway you would have to enter the Branch 1 public IP from which Branch 1 initiates the IPsec communication, which is 4.4.4.51. Authentication method Mutual PSK; for the pre-shared key, copy and paste the pre-shared key from Branch 1. Encryption algorithm: choose AES 256, hash SHA256 and DH group 14. Leave everything else as default, click on Save and apply the changes. You may now click on Show Phase 2 Entries and click on Add P2 to add the phase 2 tunnel information. In the description add something like "Phase 2 tunnel to Branch 1", Mode Tunnel IPv4, for Local Network choose LAN subnet from the drop-down, for Remote Network choose Network and then enter the remote branch subnet, which is 10.1.1.0, and 24 from the drop-down. Encryption algorithm: choose AES 256 and deselect the AES128-GCM algorithm. Select SHA256, for PFS group choose 14, and click on Save and apply the changes. The IPsec configuration is now complete. If you now check the IPsec status you could see that the tunnel is now in the established state. That doesn't mean the traffic will now pass through the tunnel, as we have not configured the policy at Branch 2.

Let's now proceed to configure the policies for the traffic. To configure the policy, go to Firewall and then Rules, click on the IPsec tab and click on Add to add a new policy. Action is Pass, interface is IPsec, address family is IPv4, and in Protocol, instead of TCP, choose Any. For the source address choose LAN subnet; in the destination choose Network and then enter the subnet 10.1.1.0/24. Check "Log packets that are handled by this rule", add a description "Allow traffic to Branch 1" and click on Save. Like we did on the remote branch, click on the copy icon to clone the same policy. Everything looks good; let's now change the source and the destination IP address. In the source choose Network and then enter the subnet 10.1.1.0/24, and in the destination choose LAN subnet. Change the description to "Allow traffic from Branch 1", click on Save, ensure everything looks good, and then click on Apply Changes.

Though we have checked already, let's check the IPsec tunnel status one more time before we proceed with testing the traffic. To check the tunnel status you can go to Status and then IPsec; as you can see, it is in the established state on Branch 1. Let's now move on to testing the traffic. On the Branch 1 Linux Ubuntu machine that we have, remember we had a continuous ping running; let's check the status now. Let me log in. As you can see, the ping was stuck before and it started automatically when the tunnel came up. We tried to ping google.com initially, and then we tried to ping 10.2.2.1 and it was stuck, and after the tunnel establishment happened the ping traffic started to flow. That's awesome. Let's move to the Branch 2 Ubuntu machine. Let me log in. As you can see, the ICMP traffic that was stuck before is now getting responses. Great.

You can now manage the pfSense at Branch 1 and Branch 2 from either of the branch sites that we have, as long as the connection is active. Let me open the browser and try to access my local pfSense firewall login; of course I'm able to log in. Let me try to access the remote branch pfSense firewall now, which is Branch 1: https://10.1.1.1, hit Enter and log in. If you look at the top you can see the name of the firewall, pfSense V1, which is Branch 1. So we have now successfully set up an IPsec site-to-site VPN between two branches that are running pfSense firewalls, and we also tested the connectivity, and that works perfectly fine. That's it in this video and I hope you liked it. If you have any questions or comments, please let me know in the comment section below. Thanks for watching and I'll see you guys in the next one.
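The tutorial repeats one rule several times: phase 1, phase 2 and the pre-shared key have to match on both firewalls, with the remote gateway and the local/remote networks swapped, and each side needs a pass rule on the IPsec tab. The following added Python example (not part of the video or of pfSense) models the fields the video fills in on both firewalls as plain dictionaries and mirror-checks the two ends before you bring the tunnel up. The dictionary layout, the key names, the placeholder PSK and the sample data (WAN 4.4.4.51 / 9.9.9.102, LANs 10.1.1.0/24 and 10.2.2.0/24) are constructed for the example and are not pfSense's configuration format or API. It also flags algorithms pfSense 2.7 has deprecated (DES/3DES, MD5/SHA1, DH groups below 14), and it checks the firewall rules the way pfSense evaluates the IPsec tab, namely on traffic arriving from the tunnel, so the rule that matters on each side is "peer LAN -> own LAN".

```python
"""Mirror-check two pfSense IPsec site-to-site tunnel definitions.

Added example: the dictionaries below are a hand-written model of the
fields filled in under VPN > IPsec and Firewall > Rules > IPsec, not
pfSense's own configuration format or API.
"""
import copy
import ipaddress

# Algorithms pfSense 2.7 no longer offers or that are no longer adequate.
WEAK_ENC = {"des", "3des", "blowfish", "cast128"}
WEAK_HASH = {"md5", "sha1"}
MIN_DH_GROUP = 14
MIN_PSK_LEN = 32

# Constructed placeholder; a real PSK comes from "Generate new Pre-Shared Key".
PSK = "constructed-placeholder-psk-0123456789abcdef0123456789abcdef"

PROPOSAL = {"enc": "aes", "keylen": 256, "hash": "sha256", "dh": 14}

BRANCH1 = {
    "name": "Branch 1", "wan": "4.4.4.51", "lan": "10.1.1.0/24",
    "p1": {"ike_version": 2, "remote_gateway": "9.9.9.102", "psk": PSK,
           "proposal": dict(PROPOSAL)},
    "p2": {"mode": "tunnel4", "protocol": "esp",
           "local": "10.1.1.0/24", "remote": "10.2.2.0/24",
           "proposal": dict(PROPOSAL)},
    # Rules on the IPsec tab, as entered in the video (both directions).
    "ipsec_rules": [
        {"action": "pass", "src": "10.1.1.0/24", "dst": "10.2.2.0/24"},
        {"action": "pass", "src": "10.2.2.0/24", "dst": "10.1.1.0/24"},
    ],
}

BRANCH2 = {
    "name": "Branch 2", "wan": "9.9.9.102", "lan": "10.2.2.0/24",
    "p1": {"ike_version": 2, "remote_gateway": "4.4.4.51", "psk": PSK,
           "proposal": dict(PROPOSAL)},
    "p2": {"mode": "tunnel4", "protocol": "esp",
           "local": "10.2.2.0/24", "remote": "10.1.1.0/24",
           "proposal": dict(PROPOSAL)},
    "ipsec_rules": [
        {"action": "pass", "src": "10.2.2.0/24", "dst": "10.1.1.0/24"},
        {"action": "pass", "src": "10.1.1.0/24", "dst": "10.2.2.0/24"},
    ],
}


def _net(s):
    """Normalise a CIDR string so 10.2.2.1/24 and 10.2.2.0/24 compare equal."""
    return ipaddress.ip_network(s, strict=False)


def check_site_to_site(a, b):
    """Return a list of findings; an empty list means the two ends mirror."""
    findings = []
    for here, there in ((a, b), (b, a)):
        n, m = here["name"], there["name"]
        # Phase 1: remote gateway must be the peer's WAN address.
        if here["p1"]["remote_gateway"] != there["wan"]:
            findings.append(f"{n}: P1 remote gateway {here['p1']['remote_gateway']} "
                            f"is not {m} WAN {there['wan']}")
        # Phase 2: my local network must be the peer's remote network.
        if _net(here["p2"]["local"]) != _net(there["p2"]["remote"]):
            findings.append(f"{n}: P2 local {here['p2']['local']} != "
                            f"{m} P2 remote {there['p2']['remote']}")
        # Deprecated or weak algorithms in either phase.
        for phase in ("p1", "p2"):
            prop = here[phase]["proposal"]
            if prop["enc"].lower() in WEAK_ENC:
                findings.append(f"{n}: {phase} uses weak cipher {prop['enc']}")
            if prop["hash"].lower() in WEAK_HASH:
                findings.append(f"{n}: {phase} uses weak hash {prop['hash']}")
            if prop["dh"] < MIN_DH_GROUP:
                findings.append(f"{n}: {phase} uses weak DH group {prop['dh']}")
        # IPsec-tab rules filter traffic arriving from the tunnel, so the
        # rule each side actually needs is peer LAN -> own LAN.
        want_src, want_dst = _net(there["lan"]), _net(here["lan"])
        if not any(r["action"] == "pass" and _net(r["src"]) == want_src
                   and _net(r["dst"]) == want_dst for r in here["ipsec_rules"]):
            findings.append(f"{n}: no IPsec pass rule {want_src} -> {want_dst}")
    # Checks that are symmetric, done once.
    if a["p1"]["psk"] != b["p1"]["psk"]:
        findings.append("pre-shared key differs between the two ends")
    elif len(a["p1"]["psk"]) < MIN_PSK_LEN:
        findings.append(f"pre-shared key is shorter than {MIN_PSK_LEN} characters")
    if a["p1"]["ike_version"] != b["p1"]["ike_version"]:
        findings.append("IKE version differs between the two ends")
    for phase in ("p1", "p2"):
        if a[phase]["proposal"] != b[phase]["proposal"]:
            findings.append(f"{phase} proposal differs between the two ends")
    return findings


def misconfigured_branch2():
    """Constructed bad copy: wrong PSK and P2 remote left at its own LAN."""
    bad = copy.deepcopy(BRANCH2)
    bad["p1"]["psk"] = "constructed-wrong-psk-ffffffffffffffffffffffffffff"
    bad["p2"]["remote"] = "10.2.2.0/24"
    return bad


if __name__ == "__main__":
    print("matching:", check_site_to_site(BRANCH1, BRANCH2) or "OK")
    for line in check_site_to_site(BRANCH1, misconfigured_branch2()):
        print("mismatch:", line)
```

Run it before applying changes on the second firewall: an empty result for the real pair means the phase 1 gateway, PSK, proposals, swapped phase 2 networks and inbound IPsec rules line up; the constructed bad copy shows the two mistakes the video warns about (a mistyped PSK and a phase 2 remote network that was not swapped), which in pfSense would show up only as a tunnel stuck in "connecting" or an established tunnel that passes no traffic.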
Info
Channel: Getlabsdone
Views: 1,778
Id: qwtj-oSBhMg
Length: 14min 23sec (863 seconds)
Published: Sat Apr 27 2024