TNSR IPsec Hub for pfSense

Current scenario:

An HQ (hub) site with three branch (spoke) sites, with secure interconnection between their local networks. One of the branch routers is assumed to be BGP capable. Internet access for one of the branch sites is provided through the hub node.

Input Data

The information in this section defines the local configuration covered in this recipe. Substitute the corresponding real values for a real-world implementation.

Scenario Topology

../../_images/diagram-tnsr-ipsec-hub.png

TNSR IPsec Hub

TNSR and Peer Network Configuration

TNSR Setup
Item Value
LAN Interface GigabitEthernetb/0/0
LAN Network 192.168.0.0/24
LAN IP Address static 192.168.0.1/24
WAN Interface GigabitEthernet13/0/0
WAN IP Address DHCP 10.129.0.10/24
IPsec VTI Peer 1 IP Address 10.131.1.1/30
IPsec VTI Peer 2 IP Address 10.131.2.1/30
IPsec VTI Peer 3 IP Address 10.131.3.1/30
Peer 1 Setup
Item Value
LAN Interface LAN
LAN Network 192.168.1.0/24
LAN IP Address static 192.168.1.1/24
WAN Interface WAN
WAN IP Address DHCP 10.129.0.11/24
IPsec VTI TNSR IP Address 10.131.1.2/30
Peer 2 Setup
Item Value
LAN Interface LAN
LAN Network 192.168.2.0/24
LAN IP Address static 192.168.2.1/24
WAN Interface WAN
WAN IP Address DHCP 10.129.0.12/24
IPsec VTI TNSR IP Address 10.131.2.2/30
Peer 3 Setup
Item Value
LAN Interface LAN
LAN Network 192.168.3.0/24
LAN IP Address static 192.168.3.1/24
WAN Interface WAN
WAN IP Address DHCP 10.129.0.13/24
IPsec VTI TNSR IP Address 10.131.3.2/30

TNSR and Peer IPsec Configuration

General IPsec settings are the same for every node. The pre-shared key and algorithms below are lab placeholder values chosen for a simple example; a production deployment should use a long, random pre-shared key (or certificate authentication) and the strongest algorithms both ends support.

IPsec IKE/Phase 1 Settings
Item Value
Network Interface WAN Interface
IKE type IKEv2
Authentication method PSK
Pre-Shared Key 01234567
Local identifier WAN IP Address
Remote identifier Remote WAN IP Address
Encryption AES-128-CBC
Hash SHA1
DH group 14 (2048 bit modulus)
Lifetime 28800
IPsec SA/Phase 2 Settings
Item Value
Mode Routed IPsec (VTI)
Protocol ESP
Encryption AES-128-CBC
Hash SHA1
PFS group 14 (2048)
Lifetime 3600

Setup Details

Initial setup

It is assumed that devices have generic default setup, do not have any existing configuration errors, and are ready to be configured.

Note

In this scenario every device obtains a fixed (reserved) IP address on its WAN interface via DHCP from an external lab gateway which is not part of the scenario; the WAN addresses in the Input Data tables are those leases.

TNSR

LAN settings

Set up the LAN interface with a static IP address:

tnsr tnsr# configure
tnsr tnsr(config)# interface GigabitEthernetb/0/0
tnsr tnsr(config-interface)# description LAN
tnsr tnsr(config-interface)# ip address 192.168.0.1/24
tnsr tnsr(config-interface)# enable
tnsr tnsr(config-interface)# exit
tnsr tnsr(config)# exit
WAN settings

Set up the WAN interface to obtain an IP address via DHCP:

tnsr tnsr# configure
tnsr tnsr(config)# interface GigabitEthernet13/0/0
tnsr tnsr(config-interface)# description WAN
tnsr tnsr(config-interface)# dhcp client ipv4 hostname tnsr
tnsr tnsr(config-interface)# enable
tnsr tnsr(config-interface)# exit
tnsr tnsr(config)# exit
DHCP server

Set up the DHCP server on the LAN interface with the following settings:

TNSR DHCP Server Setup
Item Value
DHCP IP address pool 192.168.0.100 to 192.168.0.199
Default gateway TNSR LAN IP address
DNS 8.8.8.8 and 1.1.1.1
tnsr tnsr# configure
tnsr tnsr(config)# dhcp4 server
tnsr tnsr(config-kea-dhcp4)# description LAN DHCP
tnsr tnsr(config-kea-dhcp4)# interface listen GigabitEthernetb/0/0
tnsr tnsr(config-kea-dhcp4)# subnet 192.168.0.0/24
tnsr tnsr(config-kea-subnet4)# interface GigabitEthernetb/0/0
tnsr tnsr(config-kea-subnet4)# pool 192.168.0.100-192.168.0.199
tnsr tnsr(config-kea-subnet4-pool)# exit
tnsr tnsr(config-kea-subnet4)# option routers
tnsr tnsr(config-kea-subnet4-opt)# data 192.168.0.1
tnsr tnsr(config-kea-subnet4-opt)# exit
tnsr tnsr(config-kea-subnet4)# option domain-name-servers
tnsr tnsr(config-kea-subnet4-opt)# data 8.8.8.8, 1.1.1.1
tnsr tnsr(config-kea-subnet4-opt)# exit
tnsr tnsr(config-kea-subnet4)# exit
tnsr tnsr(config-kea-dhcp4)# exit
tnsr tnsr(config)# dhcp4 enable
tnsr tnsr(config)# exit
NAT
tnsr tnsr# configure
tnsr tnsr(config)# nat global-options nat44 forwarding true
tnsr tnsr(config)# nat pool interface GigabitEthernet13/0/0
tnsr tnsr(config)# interface GigabitEthernetb/0/0
tnsr tnsr(config-interface)# ip nat inside
tnsr tnsr(config-interface)# exit
tnsr tnsr(config)# interface GigabitEthernet13/0/0
tnsr tnsr(config-interface)# ip nat outside
tnsr tnsr(config-interface)# exit
tnsr tnsr(config)# exit

Peer 1

LAN settings

Set up the LAN interface with a static IP address.

  • Navigate to Interfaces > LAN
  • Set IPv4 Configuration Type to Static IPv4
  • Set IPv4 Address to 192.168.1.1 and mask as 24
  • Click Save
  • Click Apply Changes
WAN settings

Set up the WAN interface to obtain an IP address via DHCP. This could also be a static setup, following a similar form to the LAN settings above.

  • Navigate to Interfaces > WAN
  • Set IPv4 Configuration Type to DHCP
  • Click Save
  • Click Apply Changes
DHCP server

Set up the DHCP server on the LAN interface with the following settings:

Peer 1 DHCP Server Setup
Item Value
DHCP IP address pool 192.168.1.100 to 192.168.1.199
Default gateway LAN IP address (pfSense Default)
DNS LAN IP address (pfSense Default)
  • Navigate to Services > DHCP Server, LAN tab
  • Set Range From as 192.168.1.100 and To as 192.168.1.199
  • Click Save

Peer 2

LAN settings

Set up the LAN interface with a static IP address.

  • Navigate to Interfaces > LAN
  • Set IPv4 Configuration Type to Static IPv4
  • Set IPv4 Address to 192.168.2.1 and mask as 24
  • Click Save
  • Click Apply Changes
WAN settings

Set up the WAN interface to obtain an IP address via DHCP. This could also be a static setup, following a similar form to the LAN settings above.

  • Navigate to Interfaces > WAN
  • Set IPv4 Configuration Type to DHCP
  • Click Save
  • Click Apply Changes
DHCP server

Set up the DHCP server on the LAN interface with the following settings:

Peer 2 DHCP Server Setup
Item Value
DHCP IP address pool 192.168.2.100 to 192.168.2.199
Default gateway LAN IP address (pfSense Default)
DNS LAN IP address (pfSense Default)
  • Navigate to Services > DHCP Server, LAN tab
  • Set Range From as 192.168.2.100 and To as 192.168.2.199
  • Click Save

Peer 3

LAN settings

Set up the LAN interface with a static IP address.

  • Navigate to Interfaces > LAN
  • Set IPv4 Configuration Type to Static IPv4
  • Set IPv4 Address to 192.168.3.1 and mask as 24
  • Click Save
  • Click Apply Changes
WAN settings

Set up the WAN interface to obtain an IP address via DHCP. This could also be a static setup, following a similar form to the LAN settings above.

  • Navigate to Interfaces > WAN
  • Set IPv4 Configuration Type to DHCP
  • Click Save
  • Click Apply Changes
DHCP server

Set up the DHCP server on the LAN interface with the following settings:

Peer 3 DHCP Server Setup
Item Value
DHCP IP address pool 192.168.3.100 to 192.168.3.199
Default gateway LAN IP address (pfSense Default)
DNS LAN IP address (pfSense Default)
  • Navigate to Services > DHCP Server, LAN tab
  • Set Range From as 192.168.3.100 and To as 192.168.3.199
  • Click Save

Access between local and remote networks via IPsec

This section describes minimal IPsec and routing settings in order to obtain secure interconnectivity between LAN networks for every device.

This document assumes that the devices have completed the generic initial setup above and can reach each other over the WAN network.

TNSR

IPsec Configuration

One IPsec tunnel is created on TNSR for each pfSense peer. The tunnel ID (1, 2, 3) is also the number of the ipsecN VTI interface it creates, so it must be unique per peer.

Peer 1
tnsr tnsr# configure
# creating IPsec instance with id 1
tnsr tnsr(config)# ipsec tunnel 1
tnsr tnsr(config-ipsec-tunnel)# local-address 10.129.0.10
tnsr tnsr(config-ipsec-tunnel)# remote-address 10.129.0.11
tnsr tnsr(config-ipsec-tunnel)# crypto config-type ike
# P1 encryption settings
tnsr tnsr(config-ipsec-tunnel)# crypto ike
tnsr tnsr(config-ipsec-crypto-ike)# version 2
tnsr tnsr(config-ipsec-crypto-ike)# lifetime 28800
tnsr tnsr(config-ipsec-crypto-ike)# proposal 1
tnsr tnsr(config-ike-proposal)# encryption aes128
tnsr tnsr(config-ike-proposal)# integrity sha1
tnsr tnsr(config-ike-proposal)# group modp2048
tnsr tnsr(config-ike-proposal)# exit
# creating peer IDs
tnsr tnsr(config-ipsec-crypto-ike)# identity local
tnsr tnsr(config-ike-identity)# type address
tnsr tnsr(config-ike-identity)# value 10.129.0.10
tnsr tnsr(config-ike-identity)# exit
tnsr tnsr(config-ipsec-crypto-ike)# identity remote
tnsr tnsr(config-ike-identity)# type address
tnsr tnsr(config-ike-identity)# value 10.129.0.11
tnsr tnsr(config-ike-identity)# exit
# authentication
tnsr tnsr(config-ipsec-crypto-ike)# authentication local
tnsr tnsr(config-ike-authentication)# round 1
tnsr tnsr(config-ike-authentication-round)# type psk
tnsr tnsr(config-ike-authentication-round)# psk 01234567
tnsr tnsr(config-ike-authentication-round)# exit
tnsr tnsr(config-ike-authentication)# exit
tnsr tnsr(config-ipsec-crypto-ike)# authentication remote
tnsr tnsr(config-ike-authentication)# round 1
tnsr tnsr(config-ike-authentication-round)# type psk
tnsr tnsr(config-ike-authentication-round)# psk 01234567
tnsr tnsr(config-ike-authentication-round)# exit
tnsr tnsr(config-ike-authentication)# exit
# P2 settings
tnsr tnsr(config-ipsec-crypto-ike)# child 1
tnsr tnsr(config-ike-child)# lifetime 3600
tnsr tnsr(config-ike-child)# proposal 1
tnsr tnsr(config-ike-child-proposal)# encryption aes128
tnsr tnsr(config-ike-child-proposal)# integrity sha1
tnsr tnsr(config-ike-child-proposal)# group modp2048
tnsr tnsr(config-ike-child-proposal)# exit
tnsr tnsr(config-ike-child)# exit
tnsr tnsr(config-ipsec-crypto-ike)# exit
tnsr tnsr(config-ipsec-tunnel)# exit
# configuring tunnel interface
tnsr tnsr(config)# interface ipsec1
tnsr tnsr(config-interface)# ip address 10.131.1.1/30
tnsr tnsr(config-interface)# exit
tnsr tnsr(config)# exit
Peer 2
tnsr tnsr# configure
# creating IPsec instance with id 2
tnsr tnsr(config)# ipsec tunnel 2
tnsr tnsr(config-ipsec-tunnel)# local-address 10.129.0.10
tnsr tnsr(config-ipsec-tunnel)# remote-address 10.129.0.12
tnsr tnsr(config-ipsec-tunnel)# crypto config-type ike
# P1 encryption settings
tnsr tnsr(config-ipsec-tunnel)# crypto ike
tnsr tnsr(config-ipsec-crypto-ike)# version 2
tnsr tnsr(config-ipsec-crypto-ike)# lifetime 28800
tnsr tnsr(config-ipsec-crypto-ike)# proposal 1
tnsr tnsr(config-ike-proposal)# encryption aes128
tnsr tnsr(config-ike-proposal)# integrity sha1
tnsr tnsr(config-ike-proposal)# group modp2048
tnsr tnsr(config-ike-proposal)# exit
# creating peer IDs
tnsr tnsr(config-ipsec-crypto-ike)# identity local
tnsr tnsr(config-ike-identity)# type address
tnsr tnsr(config-ike-identity)# value 10.129.0.10
tnsr tnsr(config-ike-identity)# exit
tnsr tnsr(config-ipsec-crypto-ike)# identity remote
tnsr tnsr(config-ike-identity)# type address
tnsr tnsr(config-ike-identity)# value 10.129.0.12
tnsr tnsr(config-ike-identity)# exit
# authentication
tnsr tnsr(config-ipsec-crypto-ike)# authentication local
tnsr tnsr(config-ike-authentication)# round 1
tnsr tnsr(config-ike-authentication-round)# type psk
tnsr tnsr(config-ike-authentication-round)# psk 01234567
tnsr tnsr(config-ike-authentication-round)# exit
tnsr tnsr(config-ike-authentication)# exit
tnsr tnsr(config-ipsec-crypto-ike)# authentication remote
tnsr tnsr(config-ike-authentication)# round 1
tnsr tnsr(config-ike-authentication-round)# type psk
tnsr tnsr(config-ike-authentication-round)# psk 01234567
tnsr tnsr(config-ike-authentication-round)# exit
tnsr tnsr(config-ike-authentication)# exit
# P2 settings
tnsr tnsr(config-ipsec-crypto-ike)# child 1
tnsr tnsr(config-ike-child)# lifetime 3600
tnsr tnsr(config-ike-child)# proposal 1
tnsr tnsr(config-ike-child-proposal)# encryption aes128
tnsr tnsr(config-ike-child-proposal)# integrity sha1
tnsr tnsr(config-ike-child-proposal)# group modp2048
tnsr tnsr(config-ike-child-proposal)# exit
tnsr tnsr(config-ike-child)# exit
tnsr tnsr(config-ipsec-crypto-ike)# exit
tnsr tnsr(config-ipsec-tunnel)# exit
# configuring tunnel interface
tnsr tnsr(config)# interface ipsec2
tnsr tnsr(config-interface)# ip address 10.131.2.1/30
tnsr tnsr(config-interface)# exit
tnsr tnsr(config)# exit
Peer 3
tnsr tnsr# configure
# creating IPsec instance with id 3
tnsr tnsr(config)# ipsec tunnel 3
tnsr tnsr(config-ipsec-tunnel)# local-address 10.129.0.10
tnsr tnsr(config-ipsec-tunnel)# remote-address 10.129.0.13
tnsr tnsr(config-ipsec-tunnel)# crypto config-type ike
# P1 encryption settings
tnsr tnsr(config-ipsec-tunnel)# crypto ike
tnsr tnsr(config-ipsec-crypto-ike)# version 2
tnsr tnsr(config-ipsec-crypto-ike)# lifetime 28800
tnsr tnsr(config-ipsec-crypto-ike)# proposal 1
tnsr tnsr(config-ike-proposal)# encryption aes128
tnsr tnsr(config-ike-proposal)# integrity sha1
tnsr tnsr(config-ike-proposal)# group modp2048
tnsr tnsr(config-ike-proposal)# exit
# creating peer IDs
tnsr tnsr(config-ipsec-crypto-ike)# identity local
tnsr tnsr(config-ike-identity)# type address
tnsr tnsr(config-ike-identity)# value 10.129.0.10
tnsr tnsr(config-ike-identity)# exit
tnsr tnsr(config-ipsec-crypto-ike)# identity remote
tnsr tnsr(config-ike-identity)# type address
tnsr tnsr(config-ike-identity)# value 10.129.0.13
tnsr tnsr(config-ike-identity)# exit
# authentication
tnsr tnsr(config-ipsec-crypto-ike)# authentication local
tnsr tnsr(config-ike-authentication)# round 1
tnsr tnsr(config-ike-authentication-round)# type psk
tnsr tnsr(config-ike-authentication-round)# psk 01234567
tnsr tnsr(config-ike-authentication-round)# exit
tnsr tnsr(config-ike-authentication)# exit
tnsr tnsr(config-ipsec-crypto-ike)# authentication remote
tnsr tnsr(config-ike-authentication)# round 1
tnsr tnsr(config-ike-authentication-round)# type psk
tnsr tnsr(config-ike-authentication-round)# psk 01234567
tnsr tnsr(config-ike-authentication-round)# exit
tnsr tnsr(config-ike-authentication)# exit
# P2 settings
tnsr tnsr(config-ipsec-crypto-ike)# child 1
tnsr tnsr(config-ike-child)# lifetime 3600
tnsr tnsr(config-ike-child)# proposal 1
tnsr tnsr(config-ike-child-proposal)# encryption aes128
tnsr tnsr(config-ike-child-proposal)# integrity sha1
tnsr tnsr(config-ike-child-proposal)# group modp2048
tnsr tnsr(config-ike-child-proposal)# exit
tnsr tnsr(config-ike-child)# exit
tnsr tnsr(config-ipsec-crypto-ike)# exit
tnsr tnsr(config-ipsec-tunnel)# exit
# configuring tunnel interface
tnsr tnsr(config)# interface ipsec3
tnsr tnsr(config-interface)# ip address 10.131.3.1/30
tnsr tnsr(config-interface)# exit
tnsr tnsr(config)# exit
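The three TNSR tunnel blocks above differ only in the tunnel ID, the peer WAN address and the VTI address, which is exactly where hand-copied configuration goes wrong (a reused tunnel ID silently overwrites the previous tunnel, and a VTI address from the wrong /30 gives a tunnel that comes up but never passes traffic). The following added example, which is not part of the recipe or of TNSR, encodes the Input Data tables as data, checks that every spoke VTI address is the other host of the /30 the hub uses for that tunnel and that tunnel IDs and /30s are unique, and renders the per-peer TNSR CLI block from the same values. The rendered commands mirror the recipe; the `Spoke`, `check_spokes`, `check_psk` and `render_tunnel` names and the 32-character PSK threshold are this example's own assumptions.

```python
# Added example (not part of the TNSR recipe): encode the recipe's Input Data
# tables as data, check that hub and spoke VTI addresses pair up, and render
# the per-peer TNSR CLI block the recipe types by hand. The rendered commands
# mirror the recipe; the names and checks here are this example's own.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Spoke:
    tunnel_id: int  # "ipsec tunnel N" and "interface ipsecN" on TNSR
    wan: str        # pfSense WAN address: IKE remote-address and remote identity
    hub_vti: str    # TNSR side of the VTI /30
    spoke_vti: str  # pfSense side of the same /30 (its Phase 2 Local Network)


HUB_WAN = "10.129.0.10"
# Values copied from the recipe's Input Data tables.
SPOKES = [
    Spoke(1, "10.129.0.11", "10.131.1.1/30", "10.131.1.2/30"),
    Spoke(2, "10.129.0.12", "10.131.2.1/30", "10.131.2.2/30"),
    Spoke(3, "10.129.0.13", "10.131.3.1/30", "10.131.3.2/30"),
]

TUNNEL_TEMPLATE = """\
ipsec tunnel {id}
 local-address {hub_wan}
 remote-address {spoke_wan}
 crypto config-type ike
 crypto ike
  version 2
  lifetime 28800
  proposal 1
   encryption aes128
   integrity sha1
   group modp2048
  exit
  identity local
   type address
   value {hub_wan}
  exit
  identity remote
   type address
   value {spoke_wan}
  exit
  authentication local
   round 1
    type psk
    psk {psk}
   exit
  exit
  authentication remote
   round 1
    type psk
    psk {psk}
   exit
  exit
  child 1
   lifetime 3600
   proposal 1
    encryption aes128
    integrity sha1
    group modp2048
   exit
  exit
 exit
exit
interface ipsec{id}
 ip address {hub_vti}
exit
"""


def check_spokes(spokes):
    """Return a list of problems; an empty list means the table is consistent."""
    problems, ids, nets = [], set(), set()
    for s in spokes:
        if s.tunnel_id in ids:
            problems.append(f"tunnel id {s.tunnel_id} used twice")
        ids.add(s.tunnel_id)
        hub = ipaddress.ip_interface(s.hub_vti)
        spoke = ipaddress.ip_interface(s.spoke_vti)
        if hub.network != spoke.network or hub.network.prefixlen != 30:
            problems.append(f"tunnel {s.tunnel_id}: {s.hub_vti} and {s.spoke_vti} are not one /30")
        elif hub.ip == spoke.ip:
            problems.append(f"tunnel {s.tunnel_id}: hub and spoke both use {hub.ip}")
        if hub.network in nets:
            problems.append(f"tunnel {s.tunnel_id}: VTI network {hub.network} already used")
        nets.add(hub.network)
    return problems


def check_psk(psk):
    """Reject lab-style keys such as 01234567: require 32+ non-numeric chars."""
    return len(psk) >= 32 and not psk.isdigit()


def render_tunnel(spoke, psk, hub_wan=HUB_WAN):
    """Render the TNSR CLI block for one spoke from the table values."""
    return TUNNEL_TEMPLATE.format(id=spoke.tunnel_id, hub_wan=hub_wan,
                                  spoke_wan=spoke.wan, psk=psk,
                                  hub_vti=spoke.hub_vti)
```

Run `check_spokes(SPOKES)` before pasting anything into TNSR: it returns an empty list for the table above, and a non-empty list of plain-language problems when, for example, a spoke is given the VTI address of another tunnel's /30 or two spokes share a tunnel ID. `render_tunnel` then produces one block per peer from the same data, so the three blocks cannot drift apart.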

Routing

This section describes routing setup. This scenario assumes one of the pfSense IPsec peers, Peer 1, uses a dynamic routing protocol (BGP) and the remaining two IPsec peers use static routing.

Peer 1 BGP Routing
tnsr tnsr# configure
# prefix list matching the Peer 2 and Peer 3 LANs (192.168.2.0/24 and 192.168.3.0/24),
# which TNSR reaches via static routes and redistributes to Peer 1
tnsr tnsr(config)# prefix-list VPN-ROUTES
tnsr tnsr(config-prefix-list)# sequence 1 permit 192.168.2.0/23 le 24
tnsr tnsr(config-prefix-list)# exit
tnsr tnsr(config)# route-map VPN-ROUTES-MAP permit sequence 1
tnsr tnsr(config-route-map)# match ip address prefix-list VPN-ROUTES
tnsr tnsr(config-route-map)# exit
# setup BGP instance
tnsr tnsr(config)# route dynamic bgp
tnsr tnsr(config-route-dynamic-bgp)# server 65000
tnsr tnsr(config-bgp)# router-id 192.168.0.1
# defining neighbor
tnsr tnsr(config-bgp)# neighbor 10.131.1.2
tnsr tnsr(config-bgp-neighbor)# remote-as 65001
tnsr tnsr(config-bgp-neighbor)# enable
tnsr tnsr(config-bgp-neighbor)# exit
# setup peer in certain address-family space
tnsr tnsr(config-bgp)# address-family ipv4 unicast
tnsr tnsr(config-bgp-af)# neighbor 10.131.1.2
tnsr tnsr(config-bgp-af-nbr)# activate
tnsr tnsr(config-bgp-af-nbr)# exit
# defining local network in certain address-family space
tnsr tnsr(config-bgp-af)# network 192.168.0.0/24
# defining redistributed networks
tnsr tnsr(config-bgp-af)# redistribute from kernel route-map VPN-ROUTES-MAP
tnsr tnsr(config-bgp-af)# exit
tnsr tnsr(config-bgp)# exit
# enable BGP if it is not already enabled
tnsr tnsr(config-route-dynamic-bgp)# enable
tnsr tnsr(config-route-dynamic-bgp)# exit
# restart the BGP service so the changes are applied
tnsr tnsr(config)# service bgp restart
tnsr tnsr(config)# exit
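The `VPN-ROUTES` prefix list relies on the `le 24` qualifier: `192.168.2.0/23 le 24` matches both /24 spoke LANs without listing them one by one, while the hub and Peer 1 LANs fall outside 192.168.2.0/23 and hit the implicit deny, so they are never redistributed back to the BGP peer. The following added example, which is not part of the recipe, FRR or TNSR, evaluates that list against the four LANs of this scenario using the standard FRR/Cisco prefix-list rule (a candidate matches `permit A/n [ge g] [le m]` when it lies inside A/n and its length is within [g, m]; with neither `ge` nor `le` the length must equal n exactly; entries are tried in sequence order and an unmatched prefix is denied). The function names and the list-of-tuples representation are this example's own.

```python
# Added example (not part of the TNSR recipe): evaluate the VPN-ROUTES prefix
# list with the standard FRR/Cisco matching rule. Names here are this
# example's own.
import ipaddress


def entry_matches(candidate, entry_net, ge=None, le=None):
    """Does one prefix-list entry 'permit/deny entry_net [ge] [le]' match candidate?"""
    cand = ipaddress.ip_network(candidate)
    net = ipaddress.ip_network(entry_net)
    if cand.version != net.version or not cand.subnet_of(net):
        return False
    lo = net.prefixlen if ge is None else ge
    if le is not None:
        hi = le
    elif ge is not None:
        hi = cand.max_prefixlen   # "ge" alone allows up to a host route
    else:
        hi = net.prefixlen        # no ge/le: exact-length match only
    return lo <= cand.prefixlen <= hi


def prefix_list_action(plist, candidate):
    """First matching entry in sequence order wins; implicit deny at the end."""
    for _seq, action, net, ge, le in sorted(plist, key=lambda e: e[0]):
        if entry_matches(candidate, net, ge, le):
            return action
    return "deny"


def redistributed(plist, prefixes):
    """The subset of prefixes the route-map would let BGP redistribute."""
    return [p for p in prefixes if prefix_list_action(plist, p) == "permit"]


# The recipe's list: sequence 1 permit 192.168.2.0/23 le 24
VPN_ROUTES = [(1, "permit", "192.168.2.0/23", None, 24)]

# The four LAN prefixes of this scenario (hub, Peer 1, Peer 2, Peer 3).
SCENARIO_LANS = ["192.168.0.0/24", "192.168.1.0/24",
                 "192.168.2.0/24", "192.168.3.0/24"]
```

`redistributed(VPN_ROUTES, SCENARIO_LANS)` returns only the Peer 2 and Peer 3 LANs. Note that `le 24` also permits the /23 aggregate itself and anything from /23 to /24 inside it, but denies a more specific /25: if a spoke later advertises such a more specific route it will not be picked up without adjusting the list.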
Peer 2 Static Routing
tnsr tnsr# configure
tnsr tnsr(config)# route ipv4 table ipv4-VRF:0
tnsr tnsr(config-route-table-v4)# route 192.168.2.0/24
tnsr tnsr(config-rttbl4-next-hop)# next-hop 0 via 10.131.2.2 ipsec2
tnsr tnsr(config-rttbl4-next-hop)# exit
tnsr tnsr(config-route-table-v4)# exit
tnsr tnsr(config)# exit
Peer 3 Static Routing
tnsr tnsr# configure
tnsr tnsr(config)# route ipv4 table ipv4-VRF:0
tnsr tnsr(config-route-table-v4)# route 192.168.3.0/24
tnsr tnsr(config-rttbl4-next-hop)# next-hop 0 via 10.131.3.2 ipsec3
tnsr tnsr(config-rttbl4-next-hop)# exit
tnsr tnsr(config-route-table-v4)# exit
tnsr tnsr(config)# exit

Peer 1

IPsec Settings
Phase 1
  • Navigate to VPN > IPsec
  • Click Add P1
  • Set Key Exchange version to IKEv2
  • Set Internet Protocol to IPv4
  • Set Interface to WAN
  • Set Remote Gateway to 10.129.0.10
  • Set Authentication Method to Mutual PSK
  • Set My identifier to My IP address
  • Set Peer identifier to Peer IP address
  • Set Pre-Shared Key to 01234567
  • Set Encryption:
    • Algorithm to AES
    • Key length to 128 bit
    • Hash to SHA1
    • DH Group to 14 (2048 bit)
  • Set Lifetime as 28800
  • Click Save
Phase 2
  • On the newly created Phase 1 entry, click Show Phase 2 Entries
  • Click Add P2
  • Set Mode to Routed (VTI)
  • Set Local Network to 10.131.1.2 and mask 30
  • Set Remote Network to 10.131.1.1
  • Set Protocol to ESP
  • Set Encryption Algorithms to AES and 128 bit
  • Uncheck all other Encryption Algorithms entries
  • Set Hash Algorithms to SHA1
  • Uncheck all other Hash Algorithms entries
  • Set PFS key group to 14 (2048 bit)
  • Set Lifetime as 3600
  • Click Save
  • Click Apply Changes
Interface
  • Navigate to Interfaces > Interface Assignments
  • From the Available network ports list, choose ipsecNNNN (IPsec VTI) (The ID number will vary)
  • Click Add
  • Note the newly created interface name, such as OPTX
  • Navigate to Interfaces > OPTX
  • Check Enable
  • Click Save
  • Click Apply Changes
Routing
  • Navigate to System > Package Manager and install the FRR package

  • Browse to Services > FRR Global/Zebra

  • Check Enable FRR

  • Set Master Password to any value

    Note

    This is a requirement for the zebra management daemon to run, this password is not used by clients.

  • Check Enable logging

  • Set Router ID to 192.168.1.1

    In this case, it is the LAN interface IP address, assuming it will always be available for routing between LAN subnets.

  • Click Save

  • Navigate to the [BGP] tab

  • Check Enable BGP Routing

  • Check Log Adjacency Changes

  • Set Local AS to 65001

  • Set Router ID to 192.168.1.1

  • Set Networks to Distribute to 192.168.1.0/24

  • Navigate to the Neighbors tab

  • Click Add

  • Set Name/Address to 10.131.1.1 (TNSR VTI interface IP address)

  • Set Remote AS to 65000

  • Click Save

At this point, routes to 192.168.0.0/24, 192.168.2.0/24, and 192.168.3.0/24 will be learned by BGP and installed in the routing table. If they are not, check Status > FRR on the BGP tab. That page contains useful BGP troubleshooting information. Additionally, check the routing log at Status > System Logs on the Routing tab under System.

Firewall

To allow connections into the local LAN from remote IPsec sites, create necessary pass rules under Firewall > Rules on the IPsec tab. These rules would have a Source set to the remote LAN or whichever network is the source of the traffic to allow.

For simplicity, this example has a rule to pass IPv4 traffic from any source to any destination since the only IPsec interface traffic will be from 192.168.0.0/22.

NAT

TNSR will perform NAT for this peer, so outbound NAT is not necessary. It may be left at the default, which will not touch IPsec traffic, or outbound NAT may be disabled entirely which will also prevent LAN subnet traffic from exiting out the WAN unintentionally.

Peer 2

IPsec Settings
Phase 1
  • Navigate to VPN > IPsec
  • Click Add P1
  • Set Key Exchange version to IKEv2
  • Set Internet Protocol to IPv4
  • Set Interface to WAN
  • Set Remote Gateway to 10.129.0.10
  • Set Authentication Method to Mutual PSK
  • Set My identifier to My IP address
  • Set Peer identifier to Peer IP address
  • Set Pre-Shared Key to 01234567
  • Set Encryption:
    • Algorithm to AES
    • Key length to 128 bit
    • Hash to SHA1
    • DH Group to 14 (2048 bit)
  • Set Lifetime as 28800
  • Click Save
Phase 2
  • On the newly created Phase 1 entry, click Show Phase 2 Entries
  • Click Add P2
  • Set Mode to Routed (VTI)
  • Set Local Network to 10.131.2.2 and mask 30
  • Set Remote Network to 10.131.2.1
  • Set Protocol to ESP
  • Set Encryption Algorithms to AES and 128 bit
  • Uncheck all other Encryption Algorithms entries
  • Set Hash Algorithms to SHA1
  • Uncheck all other Hash Algorithms entries
  • Set PFS key group to 14 (2048 bit)
  • Set Lifetime as 3600
  • Click Save
  • Click Apply Changes
Interface
  • Navigate to Interfaces > Interface Assignments
  • From the Available network ports list, choose ipsecNNNN (IPsec VTI) (The ID number will vary)
  • Click Add
  • Note the newly created interface name, such as OPTX
  • Navigate to Interfaces > OPTX
  • Check Enable
  • Click Save
  • Click Apply Changes
Routing
  • Navigate to System > Routing, Static Routes tab
  • Click Add
  • Set Destination network to 192.168.0.0 and mask 23
  • Set Gateway to the newly created VTI interface gateway, which has an address of 10.131.2.1
  • Click Save
  • Click Add
  • Set Destination network to 192.168.3.0 and mask 24
  • Set Gateway to the newly created VTI interface gateway, which has an address of 10.131.2.1
  • Click Save
  • Click Apply Changes
Firewall

To allow connections into the local LAN from remote IPsec sites, create necessary pass rules under Firewall > Rules on the IPsec tab. These rules would have a Source set to the remote LAN or whichever network is the source of the traffic to allow.

For simplicity, this example has a rule to pass IPv4 traffic from any source to any destination since the only IPsec interface traffic will be from 192.168.0.0/22.

NAT

TNSR will perform NAT for this peer, so outbound NAT is not necessary. It may be left at the default, which will not touch IPsec traffic, or outbound NAT may be disabled entirely which will also prevent LAN subnet traffic from exiting out the WAN unintentionally.

Peer 3

IPsec Settings
Phase 1
  • Navigate to VPN > IPsec
  • Click Add P1
  • Set Key Exchange version to IKEv2
  • Set Internet Protocol to IPv4
  • Set Interface to WAN
  • Set Remote Gateway to 10.129.0.10
  • Set Authentication Method to Mutual PSK
  • Set My identifier to My IP address
  • Set Peer identifier to Peer IP address
  • Set Pre-Shared Key to 01234567
  • Set Encryption:
    • Algorithm to AES
    • Key length to 128 bit
    • Hash to SHA1
    • DH Group to 14 (2048 bit)
  • Set Lifetime as 28800
  • Click Save
Phase 2
  • On the newly created Phase 1 entry, click Show Phase 2 Entries
  • Click Add P2
  • Set Mode to Routed (VTI)
  • Set Local Network to 10.131.3.2 and mask 30
  • Set Remote Network to 10.131.3.1
  • Set Protocol to ESP
  • Set Encryption Algorithms to AES and 128 bit
  • Uncheck all other Encryption Algorithms entries
  • Set Hash Algorithms to SHA1
  • Uncheck all other Hash Algorithms entries
  • Set PFS key group to 14 (2048 bit)
  • Set Lifetime as 3600
  • Click Save
  • Click Apply Changes
Interface
  • Navigate to Interfaces > Interface Assignments
  • From the Available network ports list, choose ipsecNNNN (IPsec VTI) (The ID number will vary)
  • Click Add
  • Note the newly created interface name, such as OPTX
  • Navigate to Interfaces > OPTX
  • Check Enable
  • Click Save
  • Click Apply Changes
Routing
  • Navigate to System > Routing, Static Routes tab
  • Click Add
  • Set Destination network to 192.168.0.0 and mask 23
  • Set Gateway to the newly created VTI interface gateway, which has an address of 10.131.3.1
  • Click Save
  • Click Add
  • Set Destination network to 192.168.2.0 and mask 24
  • Set Gateway to the newly created VTI interface gateway, which has an address of 10.131.3.1
  • Click Save
  • Click Apply Changes
Firewall

To allow connections into the local LAN from remote IPsec sites, create necessary pass rules under Firewall > Rules on the IPsec tab. These rules would have a Source set to the remote LAN or whichever network is the source of the traffic to allow.

For simplicity, this example has a rule to pass IPv4 traffic from any source to any destination since the only IPsec interface traffic will be from 192.168.0.0/22.

NAT

TNSR will perform NAT for this peer, so outbound NAT is not necessary. It may be left at the default, which will not touch IPsec traffic, or outbound NAT may be disabled entirely which will also prevent LAN subnet traffic from exiting out the WAN unintentionally.

Access to the internet for remote network

This section describes the minimal routing and NAT settings which provide Internet access for one of the remote networks. In this case it is Peer 1, which exchanges routing information with TNSR via BGP.

This document assumes that the IPsec setup has been completed successfully and that the devices are able to reach each other via the IPsec tunnel using path information from the dynamic routing protocol.

TNSR

NAT/PAT

Set up NAT for the remote network. In this case PAT is used.

tnsr tnsr# configure
# defining NAT inside interface for internet traffic sourced from Peer 1.
#  Note: Outside interface and PAT were defined earlier
tnsr tnsr(config)# interface ipsec1
tnsr tnsr(config-interface)# ip nat inside
tnsr tnsr(config-interface)# exit

Peer 1

Routing

Set up access to the Internet via the IPsec VTI interface with a policy-based routing rule.

  • Navigate to Firewall > Rules
  • Create (or modify existing default pass ipv4 LAN any) rule:
    • Set Address Family to IPv4
    • Set Protocol to ANY
    • Set Source to LAN net
    • Set Destination to ANY
    • Click Display Advanced
    • Set Gateway to <IPsec interface name>_VTIV4
    • Click Save

Note

VTI on pfSense does not support reply-to. Even though this policy routing rule on Peer 1 covers all outbound LAN traffic, there must also be kernel routes (here, the BGP-learned routes) to the remote LANs so that return traffic can find its way back.