Let's remember our network:
As you can see, I have two pfSense boxes here:
One that has a WAN IP address of 172.20.0.1 and LAN IP address 10.0.0.1;
Another that has a WAN IP address of 172.30.0.1, LAN IP address 192.168.100.1 and OPT1 IP address 192.168.110.1.
What I want to do is create an IPSec VPN tunnel between the 10.0.0.0/24 and the 192.168.100.0/24 network. Remember, all settings must be the same between our two firewalls.
Time to go to our second node (192.168.100.1) and select VPN->IPSec.
Now select the "Tunnels" tab (if not already there) and click on the "+" (add phase1 entry).
Here we'll need to enter the public IP address of the other gateway (the first pfSense box, 172.20.0.1 in our case) and a description for this tunnel.
Now, everything below this, we should make sure that it matches our other pfSense's box settings. Here's one catch though.
Remember I had changed the identifiers? "My identifier" is this pfSense's identifier and "Peer identifier" is the other box's. That means the user distinguished name identifiers must be swapped relative to the first box.
Everything else must be exactly the same as on the other box.
After we've saved, we should now be on our VPN:IPSec page, Tunnels tab. Click on the "+" button below our newly created Phase 1 entry, right next to the "Show 0 Phase-2 entries":
A new entry below our Phase 1 entry should now appear with the fields "Mode/P2 Protocol/P2 Transforms/P2 Auth Methods". Let's click on the "+" sign right next to it.
Now, we need to link our LAN subnet to the LAN subnet of the other pfSense box. In other words, I'll choose "LAN subnet" as the local network and "10.0.0.0/8" as the remote network.
Remember, everything should be the same on both sides.
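The "everything must match, except the identifiers and the networks, which swap sides" rule from the Phase 1 and Phase 2 steps above, as an added example (not part of the original post or of pfSense). The dictionary keys and sample values are constructed to follow this write-up's topology; it also shows the Phase 2 selector mismatch you get if one side types 10.0.0.0/8 where the peer's LAN subnet is 10.0.0.0/24.

```python
# Added example, not from the original post: check that the Phase 1 and
# Phase 2 settings entered on two pfSense boxes mirror each other. Keys and
# sample values below are constructed to match the write-up's topology.

def mirror_mismatches(side_a, side_b, swapped):
    """Compare two IPsec config dicts. Every key must be equal on both sides,
    except the pairs in `swapped`, where side_a[k] must equal side_b[partner]
    and side_b[k] must equal side_a[partner] (identifiers, networks, gateways).
    Returns a list of mismatch descriptions; empty means the sides mirror."""
    problems = []
    partner_of = dict(swapped)
    partner_of.update({v: k for k, v in swapped.items()})
    for key in sorted(set(side_a) | set(side_b)):
        if key in partner_of:
            want = side_b.get(partner_of[key])
            if side_a.get(key) != want:
                problems.append(f"{key}: A has {side_a.get(key)!r}, B's {partner_of[key]} is {want!r}")
        elif side_a.get(key) != side_b.get(key):
            problems.append(f"{key}: A has {side_a.get(key)!r}, B has {side_b.get(key)!r}")
    return problems

# Phase 1: everything equal except identifiers, and each remote gateway is
# the other box's WAN address.
P1_SWAPPED = {"my_identifier": "peer_identifier", "remote_gateway": "wan"}
P1_A = {"wan": "172.20.0.1", "remote_gateway": "172.30.0.1",
        "my_identifier": "CN=pfsense1", "peer_identifier": "CN=pfsense2",
        "auth": "Mutual PSK", "encryption": "AES-256", "hash": "SHA256",
        "dh_group": 14, "lifetime": 28800}
P1_B = {"wan": "172.30.0.1", "remote_gateway": "172.20.0.1",
        "my_identifier": "CN=pfsense2", "peer_identifier": "CN=pfsense1",
        "auth": "Mutual PSK", "encryption": "AES-256", "hash": "SHA256",
        "dh_group": 14, "lifetime": 28800}

# Phase 2: local and remote networks swap sides; the rest must be equal.
P2_SWAPPED = {"local_network": "remote_network"}
P2_A = {"local_network": "10.0.0.0/24", "remote_network": "192.168.100.0/24",
        "protocol": "ESP", "encryption": "AES-256", "hash": "SHA256", "pfs": 14}
P2_B = {"local_network": "192.168.100.0/24", "remote_network": "10.0.0.0/24",
        "protocol": "ESP", "encryption": "AES-256", "hash": "SHA256", "pfs": 14}
# Same as P2_B but with the remote side typed as /8 instead of the peer's /24 LAN.
P2_B_WRONG = dict(P2_B, remote_network="10.0.0.0/8")

def check_tunnel(p1_a, p1_b, p2_a, p2_b):
    """Run both phases and return every mismatch found (empty list = OK)."""
    return mirror_mismatches(p1_a, p1_b, P1_SWAPPED) + mirror_mismatches(p2_a, p2_b, P2_SWAPPED)

if __name__ == "__main__":
    print("good:", check_tunnel(P1_A, P1_B, P2_A, P2_B))
    print("bad: ", check_tunnel(P1_A, P1_B, P2_A, P2_B_WRONG))
```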
Now, let's go to Firewall, Rules and click on the IPSec tab. Click on the "+".
Over here, we should allow only the traffic we expect to see through the IPSec tunnel. For instance, if only SSH is expected then only TCP port 22 should be allowed. In practice, though, most IPSec tunnels are configured to allow all traffic.
Now, we'll need to add a rule on our WAN interface so that the other box can connect in the first place. In real-life situations we might trust the incoming IPSec traffic, but allowing everything from the firewall on the other side is generally frowned upon (unless of course you own both boxes, in which case it's fine). From the pfSense docs:
Rules are automatically added to the WAN to allow the tunnel to connect, but if the option to disable automatic VPN rules is checked, then manual rules may be required. In that case, check the WAN rules to ensure that the traffic from the remote pfSense host is allowed. IPsec uses UDP port 500 and 4500, and protocol ESP (or AH if set that way). If there is trouble establishing a tunnel, check the firewall logs (Status > System Logs, Firewall tab), and if blocked packets are seen, add appropriate rules to allow that traffic.
Obviously, I own both boxes so I'll just allow all from my other pfSense's IP.
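The troubleshooting step from the docs quote above (look for blocked packets from the remote pfSense in the firewall log), as an added example that is not from the original post or from pfSense. It parses the CSV fields of pfSense's filterlog format and reports which of the tunnel's flows (UDP 500, UDP 4500, ESP, AH) are being blocked inbound on the WAN from the peer. The log lines are constructed samples (syslog prefix omitted); the interface name em0 and the addresses follow this write-up's topology.

```python
# Added example, not from the original post: find blocked IPsec flows from the
# peer in pfSense filterlog output. Sample lines are constructed, in filterlog
# field order: rule,sub,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,
# ttl,id,offset,flags,proto-num,proto,len,src,dst[,sport,dport,datalen,...]
SAMPLE_LOG = """\
5,,,1000000103,em0,match,block,in,4,0x0,,64,31001,0,DF,17,udp,268,172.20.0.1,172.30.0.1,500,500,248
5,,,1000000103,em0,match,block,in,4,0x0,,64,31002,0,DF,17,udp,108,172.20.0.1,172.30.0.1,4500,4500,88
5,,,1000000103,em0,match,block,in,4,0x0,,64,31003,0,DF,50,esp,152,172.20.0.1,172.30.0.1
5,,,1000000103,em0,match,block,in,4,0x0,,64,31004,0,DF,6,tcp,60,198.51.100.7,172.30.0.1,44123,22,0,S,388294102,,65535,,mss
100,,,1000000110,em0,match,pass,in,4,0x0,,64,31005,0,DF,17,udp,268,172.20.0.1,172.30.0.1,500,500,248
"""

# Flows a site-to-site IPsec tunnel needs on the WAN (as listed in the docs quote).
IPSEC_FLOWS = {("udp", 500): "IKE (UDP 500)", ("udp", 4500): "NAT-T (UDP 4500)",
               ("esp", None): "ESP", ("ah", None): "AH"}

def parse_filterlog(line):
    """Pull out the fields this check needs from one IPv4 filterlog entry.
    Returns None for lines of another shape (IPv6, truncated)."""
    f = line.split(",")
    if len(f) < 20 or f[8] != "4":
        return None
    proto = f[16].lower()
    dport = int(f[21]) if proto in ("tcp", "udp") and len(f) > 21 else None
    return {"iface": f[4], "action": f[6], "dir": f[7],
            "proto": proto, "src": f[18], "dst": f[19], "dport": dport}

def blocked_ipsec_flows(log_text, peer_ip, wan_iface):
    """Count blocked inbound packets on the WAN from the peer, grouped by
    IPsec flow. Unrelated blocks (e.g. the SSH probe above) are ignored."""
    counts = {}
    for line in log_text.splitlines():
        e = parse_filterlog(line)
        if not e or e["action"] != "block" or e["dir"] != "in":
            continue
        if e["iface"] != wan_iface or e["src"] != peer_ip:
            continue
        flow = IPSEC_FLOWS.get((e["proto"], e["dport"]))
        if flow:
            counts[flow] = counts.get(flow, 0) + 1
    return counts

def suggested_rules(counts, peer_ip):
    """One WAN pass rule per blocked flow, scoped to the peer's address only."""
    return [f"pass in on WAN from {peer_ip} to WAN address: {flow}" for flow in sorted(counts)]

if __name__ == "__main__":
    blocked = blocked_ipsec_flows(SAMPLE_LOG, "172.20.0.1", "em0")
    print(blocked)
    print("\n".join(suggested_rules(blocked, "172.20.0.1")))
```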
Now, we need to make sure that we have enabled our IPSec service on both boxes:
pfSense 1 (10.0.0.1):
pfSense 2 (192.168.100.1):
Let's see if it all works:
Brilliant!