IPsec Site-to-Site VPN Setup (pfSense)

This guide explains how to configure an IPsec site-to-site VPN for connecting remote sites to the OpenStack environment. Make sure you have followed the Prepare VPN-appliance guide before proceeding with this guide.


Remote site

We'll start by deciding which encryption settings we want to use. In this case I have a pre-configured Vyatta-based firewall that I want to connect to the network in MyELITS.
Here's the config on my VyOS router on the Stockholm side:

IPs
  • External: 185.149.44.61
  • Internal: 10.62.0.147
  • Subnet: 10.62.0.0/24
IKE Group (phase 1)
  • Lifetime 28800
  • Encryption: AES256
  • Hash: SHA1
  • DH-Group: 2
ESP Group (phase 2)
  • Lifetime 3600
  • PFS: disabled
  • Encryption: AES256
  • Hash: SHA1



Now that we know the settings we want to use, we can move on to pfSense and add our IPsec configuration.


IPsec Phase 1

We need to start by enabling IPsec and defining a Phase 1 config for the VPN tunnel.
Go to VPN - IPsec. Click the green Add P1 button to add a new Phase 1.
In this guide we'll assume that we are going to use an IKEv1 tunnel; this is usually what you want unless you are familiar with IKEv2 and know what you are doing.

Below is an example configuration based on the "Remote site" security settings. We just need to make sure that the settings on our end match the settings from OpenStack STO. Because we are behind NAT, we specify "My Identifier" and "Peer Identifier" manually to make sure that we don't get a mismatch there.

This is an example configuration. The attached picture is an example; you should not copy the configuration to the letter.

Screen_Shot_2017-08-17_at_13.51.17.png


IPsec Phase 2

In the pfSense web UI, go to VPN - IPsec.
You should see the Phase 1 that we created in the last step. Now expand the "Phase 2" settings and click the green "Add P2" button.

This is an example configuration. The attached picture is an example; you should not copy the configuration to the letter.

Screen_Shot_2017-08-17_at_13.51.17.png


Now press Save. We are done with the IPsec setup, so we can continue with adding the necessary firewall rules.

Firewall configuration

Go to Firewall - Rules - IPsec and add a new rule. We need to allow the traffic over the IPsec interface.

Screen_Shot_2017-08-17_at_15.36.42.png

Hit Save and then Apply. We still have one firewall left to configure: the one in OpenStack.
In the MyELITS portal, go to Infrastructure - Servers - Access & Security - Create Security Group. Give the security group the name ipsec and a good description (if you already have an ipsec security group, you can go ahead and attach it to the VPN server instead).

Click on Add Rule and add the rules one by one according to the table below.

Rule            Direction  Open Port  Port  Remote  CIDR
Other protocol  Ingress    -          50    CIDR    0.0.0.0/0
Other protocol  Ingress    -          51    CIDR    0.0.0.0/0
UDP             Ingress    Port       500   CIDR    0.0.0.0/0


Once you have added the rules, go back to Infrastructure - Servers - List Servers.
Click the arrow to the right of your VPN Server and select Edit Security Groups.
Add the new security group to your server and hit Save.

Routing

Right now, the other servers in your project do not know where to send traffic for your remote network. We can solve that by adding a new host route in the MyELITS portal.

Go to Infrastructure - Network - Networks.
Click on default-network and then Edit Subnet.

On the Subnet Details tab you find the host routes.
Here you add the remote site's subnet as the destination, followed by the VPN server's local IP as the next hop.

STO:
Screen_Shot_2017-08-17_at_15.58.20.png

LPI:
Screen_Shot_2017-08-17_at_15.59.20.png
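The security group, its three ingress rules, the attachment to the VPN server and the host route from the two sections above, expressed with the OpenStack command-line client. This is an added example and not part of the original article; it assumes the MyELITS project is reachable with an authenticated `openstack` client, and the server name, subnet name and VPN server IP are placeholders. With DRY_RUN=1 the commands are only printed.

```shell
#!/bin/sh
# Added example: "ipsec" security group with ESP (protocol 50), AH (protocol 51)
# and IKE (UDP/500) ingress rules, attached to the VPN server, plus the host
# route that points the remote subnet at the VPN server's local IP.
# Assumes an authenticated `openstack` client (OS_* variables or clouds.yaml);
# the server and subnet names and the VPN IP used below are placeholders.
set -eu

run() {
    # With DRY_RUN=1 print the command instead of executing it.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the security group and the three rules from the table above.
create_ipsec_sg() {
    sg=${1:-ipsec}
    run openstack security group create "$sg" \
        --description "IPsec site-to-site VPN (ESP, AH, IKE)"
    # "Other protocol 50" is ESP, "Other protocol 51" is AH.
    run openstack security group rule create --ingress --protocol esp \
        --remote-ip 0.0.0.0/0 "$sg"
    run openstack security group rule create --ingress --protocol ah \
        --remote-ip 0.0.0.0/0 "$sg"
    run openstack security group rule create --ingress --protocol udp \
        --dst-port 500 --remote-ip 0.0.0.0/0 "$sg"
}

# Attach the group to the VPN server and add the host route so the other
# instances on the subnet send traffic for the remote site to the VPN server.
attach_and_route() {
    server=$1 subnet=$2 remote_cidr=$3 vpn_local_ip=$4
    run openstack server add security group "$server" ipsec
    run openstack subnet set \
        --host-route "destination=$remote_cidr,gateway=$vpn_local_ip" "$subnet"
}

# Usage with placeholder values (remote subnet from the Stockholm example):
#   DRY_RUN=1 . ./ipsec-sg.sh
#   create_ipsec_sg ipsec
#   attach_and_route vpn-server default-subnet 10.62.0.0/24 10.0.0.10
```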


Testing

Now we can test the IPsec tunnel from inside pfSense: go to Diagnostics - Ping, enter the internal IP of the remote gateway and click Ping.
