TNSR IPsec Hub for pfSense software nodes

Current scenario:

HQ (hub) with 3 branch (spoke) sites, with secure interconnection between thier local networks. One of the branch routers is assumed to be BGP capable. Internet access for one of the sites should be provided through the hub node.

Tip

This recipe does not contain configuration examples for IPsec cryptographic acceleration, which can greatly improve the efficiency and performance of IPsec tunnels. The availability of acceleration varies by hardware, so the specifics of acceleration configuration must be customized to the target environment.

For more information, see IPsec Cryptographic Acceleration

Input Data

The information in this section defines the local configuration which is covered in this recipe. These input values can be substituted by the actual corresponding values for a real-world implementation.

Scenario Topology

../../_images/diagram-tnsr-ipsec-hub.png

TNSR IPsec Hub

TNSR and Peer Network Configuration

TNSR Setup

Item

Value

VRF Name

default

LAN Interface

GigabitEthernetb/0/0

LAN Network

192.168.0.0/24

LAN IP Address static

192.168.0.1/24

WAN Interface

GigabitEthernet13/0/0

WAN IP Address DHCP

10.129.0.10/24

IPsec VTI Peer 1 IP Address

10.131.1.1/30

IPsec VTI Peer 2 IP Address

10.131.2.1/30

IPsec VTI Peer 3 IP Address

10.131.3.1/30

Peer 1 Network Setup

Item

Value

LAN Interface

LAN

LAN Network

192.168.1.0/24

LAN IP Address static

192.168.1.1/24

WAN Interface

WAN

WAN IP Address DHCP

10.129.0.11/24

IPsec VTI TNSR IP Address

10.131.1.2/30

Peer 2 Network Setup

Item

Value

LAN Interface

LAN

LAN Network

192.168.2.0/24

LAN IP Address static

192.168.2.1/24

WAN Interface

WAN

WAN IP Address DHCP

10.129.0.12/24

IPsec VTI TNSR IP Address

10.131.2.2/30

Peer 3 Network Setup

Item

Value

LAN Interface

LAN

LAN Network

192.168.3.0/24

LAN IP Address static

192.168.3.1/24

WAN Interface

WAN

WAN IP Address DHCP

10.129.0.13/24

IPsec VTI TNSR IP Address

10.131.3.2/30

TNSR and Peer IPsec Configuration

General IPsec settings are the same for every node.

IPsec IKE/Phase 1 Settings

Item

Value

Network Interface

WAN Interface

IKE type

IKEv2

Authentication method

PSK

Pre-Share Key

01234567

Local identifier

WAN IP Address

Remote identifier

Remote WAN IP Address

Encryption

AES-256-CBC

Hash

SHA256

DH group

14 (2048 bit modulus)

Lifetime

28800

IPsec SA/Phase 2 Settings

Item

Value

Mode

Routed IPsec (VTI)

Protocol

ESP

Encryption

AES-256-CBC

Hash

SHA256

PFS group

14 (2048)

Lifetime

3600

Setup Details

Initial setup

It is assumed that devices have generic default setup, do not have any existing configuration errors, and are ready to be configured.

Note

In this scenario every device obtains its own static IP address on its WAN interface from an external lab gateway which is not a part of the considered scenario.

TNSR Setup

LAN settings

Setup LAN interface with static IP address:

tnsr tnsr# configure
tnsr tnsr(config)# interface GigabitEthernetb/0/0
tnsr tnsr(config-interface)# description LAN
tnsr tnsr(config-interface)# ip address 192.168.0.1/24
tnsr tnsr(config-interface)# enable
tnsr tnsr(config-interface)# exit
tnsr tnsr(config)# exit
WAN settings

Setup WAN interface for obtaining IP address via DHCP:

tnsr tnsr# configure
tnsr tnsr(config)# interface GigabitEthernet13/0/0
tnsr tnsr(config-interface)# description WAN
tnsr tnsr(config-interface)# dhcp client ipv4 hostname tnsr
tnsr tnsr(config-interface)# enable
tnsr tnsr(config-interface)# exit
tnsr tnsr(config)# exit
DHCP server

Setup DHCP server on LAN interface with following settings:

TNSR DHCP Server Setup

Item

Value

DHCP IP address pool

192.168.0.100 to 192.168.0.199

Default gateway

TNSR LAN IP address

DNS

8.8.8.8 and 1.1.1.1

tnsr tnsr# configure
tnsr tnsr(config)# dhcp4 server
tnsr tnsr(config-kea-dhcp4)# description LAN DHCP
tnsr tnsr(config-kea-dhcp4)# interface listen GigabitEthernetb/0/0
tnsr tnsr(config-kea-dhcp4)# lease lfc-interval 3600
tnsr tnsr(config-kea-dhcp4)# subnet 192.168.0.0/24
tnsr tnsr(config-kea-subnet4)# interface GigabitEthernetb/0/0
tnsr tnsr(config-kea-subnet4)# id 1
tnsr tnsr(config-kea-subnet4)# pool 192.168.0.100-192.168.0.199
tnsr tnsr(config-kea-subnet4-pool)# exit
tnsr tnsr(config-kea-subnet4)# option routers
tnsr tnsr(config-kea-subnet4-opt)# data 192.168.0.1
tnsr tnsr(config-kea-subnet4-opt)# exit
tnsr tnsr(config-kea-subnet4)# option domain-name-servers
tnsr tnsr(config-kea-subnet4-opt)# data 8.8.8.8, 1.1.1.1
tnsr tnsr(config-kea-subnet4-opt)# exit
tnsr tnsr(config-kea-subnet4)# exit
tnsr tnsr(config-kea-dhcp4)# exit
tnsr tnsr(config)# dhcp4 enable
tnsr tnsr(config)# exit
NAT

Create and activate a NAT ruleset that covers the local networks of all peers. This example has them structured so they all are covered by 192.168.0.0/22.

tnsr tnsr# configure
tnsr(config)# vpf nat ruleset WAN-nat
tnsr(config-vpf-nat-ruleset)# description NAT for WAN
tnsr(config-vpf-nat-ruleset)# rule 1000
tnsr(config-vpf-nat-rule)# description NAT from all internal networks
tnsr(config-vpf-nat-rule)# direction out
tnsr(config-vpf-nat-rule)# dynamic
tnsr(config-vpf-nat-rule)# algorithm ip-hash
tnsr(config-vpf-nat-rule)# from ipv4-prefix 192.168.0.0/22
tnsr(config-vpf-nat-rule)# nat-interface GigabitEthernet13/0/0
tnsr(config-vpf-nat-rule)# exit
tnsr(config-vpf-nat-ruleset)# exit
tnsr(config)# vpf options
tnsr(config-vpf-option)# interface GigabitEthernet13/0/0 nat-ruleset WAN-nat
tnsr(config-vpf-option)# exit

Peer 1 Basic Setup

LAN settings

Setup LAN interface with static IP address.

  • Navigate to Interfaces > LAN

  • Set IPv4 Configuration Type to Static IPv4

  • Set IPv4 Address to 192.168.1.1 and mask as 24

  • Click Save

  • Click Apply Changes

WAN settings

Setup WAN interface for obtaining an IP address via DHCP. This could also be a static setup, following a similar form to the LAN settings above.

  • Navigate to Interfaces > WAN

  • Set IPv4 Configuration Type to DHCP

  • Click Save

  • Click Apply Changes

DHCP server

Setup DHCP server on LAN interface with following settings:

Peer 1 DHCP Server Setup

Item

Value

DHCP IP address pool

192.168.1.100 to 192.168.1.199

Default gateway

LAN IP address (pfSense Default)

DNS

LAN IP address (pfSense Default)

  • Navigate to Services > DHCP Server, LAN tab

  • Set Range From as 192.168.1.100 and To as 192.168.1.199

  • Click Save

Peer 2 Basic Setup

LAN settings

Setup LAN interface with static IP address.

  • Navigate to Interfaces > LAN

  • Set IPv4 Configuration Type to Static IPv4

  • Set IPv4 Address to 192.168.2.1 and mask as 24

  • Click Save

  • Click Apply Changes

WAN settings

Setup WAN interface for obtaining an IP address via DHCP. This could also be a static setup, following a similar form to the LAN settings above.

  • Navigate to Interfaces > WAN

  • Set IPv4 Configuration Type to DHCP

  • Click Save

  • Click Apply Changes

DHCP server

Setup DHCP server on LAN interface with following settings:

Peer 2 DHCP Server Setup

Item

Value

DHCP IP address pool

192.168.2.100 to 192.168.2.199

Default gateway

LAN IP address (pfSense Default)

DNS

LAN IP address (pfSense Default)

  • Navigate to Services > DHCP Server, LAN tab

  • Set Range From as 192.168.2.100 and To as 192.168.2.199

  • Click Save

Peer 3 Basic Setup

LAN settings

Setup LAN interface with static IP address.

  • Navigate to Interfaces > LAN

  • Set IPv4 Configuration Type to Static IPv4

  • Set IPv4 Address to 192.168.3.1 and mask as 24

  • Click Save

  • Click Apply Changes

WAN settings

Setup WAN interface for obtaining an IP address via DHCP. This could also be a static setup, following a similar form to the LAN settings above.

  • Navigate to Interfaces > WAN

  • Set IPv4 Configuration Type to DHCP

  • Click Save

  • Click Apply Changes

DHCP server

Setup DHCP server on LAN interface with following settings:

Peer 3 DHCP Server Setup

Item

Value

DHCP IP address pool

192.168.3.100 to 192.168.3.199

Default gateway

LAN IP address (pfSense Default)

DNS

LAN IP address (pfSense Default)

  • Navigate to Services > DHCP Server, LAN tab

  • Set Range From as 192.168.3.100 and To as 192.168.3.199

  • Click Save

Access between local and remote networks via IPsec

This section describes minimal IPsec and routing settings in order to obtain secure interconnectivity between LAN networks for every device.

This document assumes that devices have generic initial setup successfully completed and are able to reach each other via WAN network.

TNSR

IPsec Configuration

IPsec setup for each pfSense software node

IPsec to Peer 1

Enter config state:

tnsr tnsr# configure

Create an IPIP tunnel with id 1:

tnsr(config)# tunnel ipip 1
tnsr(config-ipip)# source ipv4 address 10.129.0.10
tnsr(config-ipip)# destination ipv4 address 10.129.0.11
tnsr(config-ipip)# exit

Creating IPsec instance with id 1:

tnsr tnsr(config)# ipsec tunnel 1
tnsr tnsr(config-ipsec-tunnel)# enable
tnsr tnsr(config-ipsec-tunnel)# crypto config-type ike

P1 encryption settings:

tnsr tnsr(config-ipsec-tunnel)# crypto ike
tnsr tnsr(config-ipsec-crypto-ike)# version 2
tnsr tnsr(config-ipsec-crypto-ike)# lifetime 28800
tnsr tnsr(config-ipsec-crypto-ike)# proposal 1
tnsr tnsr(config-ike-proposal)# encryption aes256
tnsr tnsr(config-ike-proposal)# integrity sha256
tnsr tnsr(config-ike-proposal)# group modp2048
tnsr tnsr(config-ike-proposal)# exit

Creating peer IDs:

tnsr tnsr(config-ipsec-crypto-ike)# identity local
tnsr tnsr(config-ike-identity)# type address
tnsr tnsr(config-ike-identity)# value 10.129.0.10
tnsr tnsr(config-ike-identity)# exit
tnsr tnsr(config-ipsec-crypto-ike)# identity remote
tnsr tnsr(config-ike-identity)# type address
tnsr tnsr(config-ike-identity)# value 10.129.0.11
tnsr tnsr(config-ike-identity)# exit

Authentication:

tnsr tnsr(config-ipsec-crypto-ike)# authentication local
tnsr tnsr(config-ike-authentication)# round 1
tnsr tnsr(config-ike-authentication-round)# psk 01234567
tnsr tnsr(config-ike-authentication-round)# exit
tnsr tnsr(config-ike-authentication)# exit
tnsr tnsr(config-ipsec-crypto-ike)# authentication remote
tnsr tnsr(config-ike-authentication)# round 1
tnsr tnsr(config-ike-authentication-round)# psk 01234567
tnsr tnsr(config-ike-authentication-round)# exit
tnsr tnsr(config-ike-authentication)# exit

P2 settings:

tnsr tnsr(config-ipsec-crypto-ike)# child 1
tnsr tnsr(config-ike-child)# lifetime 3600
tnsr tnsr(config-ike-child)# proposal 1
tnsr tnsr(config-ike-child-proposal)# encryption aes256
tnsr tnsr(config-ike-child-proposal)# integrity sha256
tnsr tnsr(config-ike-child-proposal)# group modp2048
tnsr tnsr(config-ike-child-proposal)# exit
tnsr tnsr(config-ike-child)# exit
tnsr tnsr(config-ipsec-crypto-ike)# exit
tnsr tnsr(config-ipsec-tunnel)# exit

Configuring tunnel interface

tnsr tnsr(config)# interface ipip1
tnsr tnsr(config-interface)# ip address 10.131.1.1/30
tnsr tnsr(config-interface)# mtu 1400
tnsr tnsr(config-interface)# enable
tnsr tnsr(config-interface)# exit
tnsr tnsr(config)# exit
IPsec to Peer 2

Enter config state:

tnsr tnsr# configure

Create an IPIP tunnel with id 2:

tnsr(config)# tunnel ipip 2
tnsr(config-ipip)# source ipv4 address 10.129.0.10
tnsr(config-ipip)# destination ipv4 address 10.129.0.12
tnsr(config-ipip)# exit

Creating IPsec instance with id 2:

tnsr tnsr(config)# ipsec tunnel 2
tnsr tnsr(config-ipsec-tunnel)# enable
tnsr tnsr(config-ipsec-tunnel)# crypto config-type ike

P1 encryption settings:

tnsr tnsr(config-ipsec-tunnel)# crypto ike
tnsr tnsr(config-ipsec-crypto-ike)# version 2
tnsr tnsr(config-ipsec-crypto-ike)# lifetime 28800
tnsr tnsr(config-ipsec-crypto-ike)# proposal 1
tnsr tnsr(config-ike-proposal)# encryption aes256
tnsr tnsr(config-ike-proposal)# integrity sha256
tnsr tnsr(config-ike-proposal)# group modp2048
tnsr tnsr(config-ike-proposal)# exit

Creating peer ID’s:

tnsr tnsr(config-ipsec-crypto-ike)# identity local
tnsr tnsr(config-ike-identity)# type address
tnsr tnsr(config-ike-identity)# value 10.129.0.10
tnsr tnsr(config-ike-identity)# exit
tnsr tnsr(config-ipsec-crypto-ike)# identity remote
tnsr tnsr(config-ike-identity)# type address
tnsr tnsr(config-ike-identity)# value 10.129.0.12
tnsr tnsr(config-ike-identity)# exit

Authentication:

tnsr tnsr(config-ipsec-crypto-ike)# authentication local
tnsr tnsr(config-ike-authentication)# round 1
tnsr tnsr(config-ike-authentication-round)# psk 01234567
tnsr tnsr(config-ike-authentication-round)# exit
tnsr tnsr(config-ike-authentication)# exit
tnsr tnsr(config-ipsec-crypto-ike)# authentication remote
tnsr tnsr(config-ike-authentication)# round 1
tnsr tnsr(config-ike-authentication-round)# psk 01234567
tnsr tnsr(config-ike-authentication-round)# exit
tnsr tnsr(config-ike-authentication)# exit

P2 settings:

tnsr tnsr(config-ipsec-crypto-ike)# child 1
tnsr tnsr(config-ike-child)# lifetime 3600
tnsr tnsr(config-ike-child)# proposal 1
tnsr tnsr(config-ike-child-proposal)# encryption aes256
tnsr tnsr(config-ike-child-proposal)# integrity sha256
tnsr tnsr(config-ike-child-proposal)# group modp2048
tnsr tnsr(config-ike-child-proposal)# exit
tnsr tnsr(config-ike-child)# exit
tnsr tnsr(config-ipsec-crypto-ike)# exit
tnsr tnsr(config-ipsec-tunnel)# exit

Configuring tunnel interface:

tnsr tnsr(config)# interface ipip2
tnsr tnsr(config-interface)# ip address 10.131.2.1/30
tnsr tnsr(config-interface)# mtu 1400
tnsr tnsr(config-interface)# enable
tnsr tnsr(config-interface)# exit
tnsr tnsr(config)# exit
IPsec to Peer 3

Enter config state:

tnsr tnsr# configure

Create an IPIP tunnel with id 3:

tnsr(config)# tunnel ipip 3
tnsr(config-ipip)# source ipv4 address 10.129.0.10
tnsr(config-ipip)# destination ipv4 address 10.129.0.13
tnsr(config-ipip)# exit

Creating IPsec instance with id 3:

tnsr tnsr(config)# ipsec tunnel 3
tnsr tnsr(config-ipsec-tunnel)# enable
tnsr tnsr(config-ipsec-tunnel)# crypto config-type ike

P1 encryption settings:

tnsr tnsr(config-ipsec-tunnel)# crypto ike
tnsr tnsr(config-ipsec-crypto-ike)# version 2
tnsr tnsr(config-ipsec-crypto-ike)# lifetime 28800
tnsr tnsr(config-ipsec-crypto-ike)# proposal 1
tnsr tnsr(config-ike-proposal)# encryption aes256
tnsr tnsr(config-ike-proposal)# integrity sha256
tnsr tnsr(config-ike-proposal)# group modp2048
tnsr tnsr(config-ike-proposal)# exit

Creating peer ID’s:

tnsr tnsr(config-ipsec-crypto-ike)# identity local
tnsr tnsr(config-ike-identity)# type address
tnsr tnsr(config-ike-identity)# value 10.129.0.10
tnsr tnsr(config-ike-identity)# exit
tnsr tnsr(config-ipsec-crypto-ike)# identity remote
tnsr tnsr(config-ike-identity)# type address
tnsr tnsr(config-ike-identity)# value 10.129.0.13
tnsr tnsr(config-ike-identity)# exit

Authentication:

tnsr tnsr(config-ipsec-crypto-ike)# authentication local
tnsr tnsr(config-ike-authentication)# round 1
tnsr tnsr(config-ike-authentication-round)# psk 01234567
tnsr tnsr(config-ike-authentication-round)# exit
tnsr tnsr(config-ike-authentication)# exit
tnsr tnsr(config-ipsec-crypto-ike)# authentication remote
tnsr tnsr(config-ike-authentication)# round 1
tnsr tnsr(config-ike-authentication-round)# psk 01234567
tnsr tnsr(config-ike-authentication-round)# exit
tnsr tnsr(config-ike-authentication)# exit

P2 settings:

tnsr tnsr(config-ipsec-crypto-ike)# child 1
tnsr tnsr(config-ike-child)# lifetime 3600
tnsr tnsr(config-ike-child)# proposal 1
tnsr tnsr(config-ike-child-proposal)# encryption aes256
tnsr tnsr(config-ike-child-proposal)# integrity sha256
tnsr tnsr(config-ike-child-proposal)# group modp2048
tnsr tnsr(config-ike-child-proposal)# exit
tnsr tnsr(config-ike-child)# exit
tnsr tnsr(config-ipsec-crypto-ike)# exit
tnsr tnsr(config-ipsec-tunnel)# exit

Configuring tunnel interface:

tnsr tnsr(config)# interface ipip3
tnsr tnsr(config-interface)# ip address 10.131.3.1/30
tnsr tnsr(config-interface)# mtu 1400
tnsr tnsr(config-interface)# enable
tnsr tnsr(config-interface)# exit
tnsr tnsr(config)# exit

Routing

This section describes routing setup. This scenario assumes one of the pfSense software IPsec peers, Peer 1, uses a dynamic routing protocol (BGP) and the remaining two IPsec peers use static routing.

Peer 1 BGP Routing

Enter config state:

tnsr tnsr# configure

Defining redistributed networks, peer 2 and 3:

tnsr tnsr(config)# route dynamic prefix-list VPN-ROUTES
tnsr tnsr(config-prefix-list)# sequence 1 permit 192.168.2.0/23 le 24
tnsr tnsr(config-prefix-list)# exit
tnsr tnsr(config)# route dynamic route-map VPN-ROUTES-MAP
tnsr tnsr(config-route-map)# sequence 1
tnsr tnsr(config-route-map-rule)# policy permit
tnsr tnsr(config-route-map-rule)# match ip address prefix-list VPN-ROUTES
tnsr tnsr(config-route-map-rule)# exit
tnsr tnsr(config-route-map)# exit

Setup BGP instance:

tnsr tnsr(config)# route dynamic bgp
tnsr tnsr(config-frr-bgp)# server vrf default
tnsr tnsr(config-bgp)# as-number 65000
tnsr tnsr(config-bgp)# router-id 192.168.0.1
tnsr tnsr(config-bgp)# no ebgp-requires-policy
tnsr tnsr(config-bgp)# no network import-check

Defining neighbor:

tnsr tnsr(config-bgp)# neighbor 10.131.1.2
tnsr tnsr(config-bgp-neighbor)# remote-as 65001
tnsr tnsr(config-bgp-neighbor)# enable
tnsr tnsr(config-bgp-neighbor)# exit

Setup peer in certain address-family space:

tnsr tnsr(config-bgp)# address-family ipv4 unicast
tnsr tnsr(config-bgp-ip4uni)# neighbor 10.131.1.2
tnsr tnsr(config-bgp-ip4uni-nbr)# activate
tnsr tnsr(config-bgp-ip4uni-nbr)# exit

Defining local network in certain address-family space:

tnsr tnsr(config-bgp-ip4uni)# network 192.168.0.0/24

Defining redistributed networks

tnsr tnsr(config-bgp-ip4uni)# redistribute kernel route-map VPN-ROUTES-MAP
tnsr tnsr(config-bgp-ip4uni)# exit
tnsr tnsr(config-bgp)# exit

Enabling BGP if one is not enabled:

tnsr tnsr(config-frr-bgp)# enable
tnsr tnsr(config-frr-bgp)# exit

Better to restart service in order to be sure changes applied effectively:

tnsr tnsr(config)# service bgp restart
tnsr tnsr(config)# exit
Peer 2 Static Routing
tnsr tnsr# configure
tnsr tnsr(config)# route table default
tnsr tnsr(config-route-table)# route 192.168.2.0/24
tnsr tnsr(config-rttbl4-next-hop)# next-hop 0 via 10.131.2.2
tnsr tnsr(config-rttbl4-next-hop)# exit
tnsr tnsr(config-route-table)# exit
tnsr tnsr(config)# exit
Peer 3 Static Routing
tnsr tnsr# configure
tnsr tnsr(config)# route table default
tnsr tnsr(config-route-table)# route 192.168.3.0/24
tnsr tnsr(config-rttbl4-next-hop)# next-hop 0 via 10.131.3.2
tnsr tnsr(config-rttbl4-next-hop)# exit
tnsr tnsr(config-route-table)# exit
tnsr tnsr(config)# exit

Peer 1 Setup

IPsec Settings
Phase 1
  • Navigate to VPN > IPsec

  • Click Add P1

  • Set Key Exchange version to IKEv2

  • Set Internet Protocol to IPv4

  • Set Interface to WAN

  • Set Remote Gateway to 10.129.0.10

  • Set Authentication Method to Mutual PSK

  • Set My identifier to My IP address

  • Set Peer identifier to Peer IP address

  • Set Pre-Shared Key to 01234567

  • Set Encryption:

    • Algorithm to AES

    • Key length to 256 bit

    • Hash to SHA256

    • DH Group to 14 (2048 bit)

  • Set Lifetime as 28800

  • Click Save

Phase 2
  • On the newly created Phase 1 entry, click Show Phase 2 Entries

  • Click Add P2

  • Set Mode to Routed (VTI)

  • Set Local Network to 10.131.2.2 and mask 30

  • Set Remote Network to 10.131.2.1

  • Set Protocol to ESP

  • Set Encryption Algorithms to AES and 256 bit

  • Uncheck all other Encryption Algorithms entries

  • Set Hash Algorithms to SHA256

  • Uncheck all other Hash Algorithms entries

  • Set PFS key group to 14 (2048 bit)

  • Set Lifetime as 3600

  • Click Save

  • Click Apply Changes

Interface
  • Navigate to Interfaces > Interface Assignments

  • From the Available network ports list, choose ipsecNNNN (IPsec VTI) (The ID number will vary)

  • Click Add

  • Note the newly created interface name, such as OPTX

  • Navigate to Interfaces > OPTX

  • Check Enable

  • Click Save

  • Click Apply Changes

Routing
  • Navigate to System > Package Manager and install the FRR package

  • Browse to Services > FRR Global/Zebra

  • Check Enable FRR

  • Set Master Password to any value

    Note

    This is a requirement for the zebra management daemon to run, this password is not used by clients.

  • Check Enable logging

  • Set Router ID to 192.168.1.1

    In this case, it is the LAN interface IP address, assuming it will always be available for routing between LAN subnets.

  • Click Save

  • Navigate to the [BGP] tab

  • Check Enable BGP Routing

  • Check Log Adjacency Changes

  • Set Local AS to 65001

  • Set Router ID to 192.168.1.1

  • Set Networks to Distribute to 192.168.1.0/24

  • Click Save

  • Navigate to the Advanced tab

  • Check Disable eBGP Require Policy

  • Click Save

  • Navigate to the Neighbors tab

  • Click Add

  • Set Name/Address to 10.131.1.1 (TNSR VTI interface IP address)

  • Set Remote AS to 65000

  • Click Save

At this point, routes to 192.168.0.0/24, 192.168.2.0/24, and 192.168.3.0/24 will be learned by BGP and installed in the routing table. If it is not so, check Status > FRR on the BGP tab. That page contains useful BGP troubleshooting information. Additionally, check the routing log at Status > System Logs on the Routing tab under System.

Firewall

To allow connections into the local LAN from remote IPsec sites, create necessary pass rules under Firewall > Rules on the IPsec tab. These rules would have a Source set to the remote LAN or whichever network is the source of the traffic to allow.

For simplicity, this example has a rule to pass IPv4 traffic from any source to any destination since the only IPsec interface traffic will be from 192.168.0.0/22.

NAT

TNSR will perform NAT for this peer, so outbound NAT is not necessary. It may be left at the default, which will not touch IPsec traffic, or outbound NAT may be disabled entirely which will also prevent LAN subnet traffic from exiting out the WAN unintentionally.

Peer 2 Setup

IPsec Settings
Phase 1
  • Navigate to VPN > IPsec

  • Click Add P1

  • Set Key Exchange version to IKEv2

  • Set Internet Protocol to IPv4

  • Set Interface to WAN

  • Set Remote Gateway to 10.129.0.10

  • Set Authentication Method to Mutual PSK

  • Set My identifier to My IP address

  • Set Peer identifier to Peer IP address

  • Set Pre-Shared Key to 01234567

  • Set Encryption:

    • Algorithm to AES

    • Key length to 256 bit

    • Hash to SHA256

    • DH Group to 14 (2048 bit)

  • Set Lifetime as 28800

  • Click Save

Phase 2
  • On the newly created Phase 1 entry, click Show Phase 2 Entries

  • Click Add P2

  • Set Mode to Routed (VTI)

  • Set Local Network to 10.131.3.2 and mask 30

  • Set Remote Network to 10.131.3.1

  • Set Protocol to ESP

  • Set Encryption Algorithms to AES and 256 bit

  • Uncheck all other Encryption Algorithms entries

  • Set Hash Algorithms to SHA256

  • Uncheck all other Hash Algorithms entries

  • Set PFS key group to 14 (2048 bit)

  • Set Lifetime as 3600

  • Click Save

  • Click Apply Changes

Interface
  • Navigate to Interfaces > Interface Assignments

  • From the Available network ports list, choose ipsecNNNN (IPsec VTI) (The ID number will vary)

  • Click Add

  • Note the newly created interface name, such as OPTX

  • Navigate to Interfaces > OPTX

  • Check Enable

  • Click Save

  • Click Apply Changes

Routing
  • Navigate to System > Routing, Static Routes tab

  • Click Add

  • Set Destination network to 192.168.0.0 and mask 23

  • Set Gateway to the newly created VTI interface gateway, which has an address of 10.131.2.1

  • Click Save

  • Click Add

  • Set Destination network to 192.168.3.0 and mask 24

  • Set Gateway to the newly created VTI interface gateway, which has an address of 10.131.2.1

  • Click Save

  • Click Apply Changes

Firewall

To allow connections into the local LAN from remote IPsec sites, create necessary pass rules under Firewall > Rules on the IPsec tab. These rules would have a Source set to the remote LAN or whichever network is the source of the traffic to allow.

For simplicity, this example has a rule to pass IPv4 traffic from any source to any destination since the only IPsec interface traffic will be from 192.168.0.0/22.

NAT

TNSR will perform NAT for this peer, so outbound NAT is not necessary. It may be left at the default, which will not touch IPsec traffic, or outbound NAT may be disabled entirely which will also prevent LAN subnet traffic from exiting out the WAN unintentionally.

Peer 3 Setup

IPsec Settings
Phase 1
  • Navigate to VPN > IPsec

  • Click Add P1

  • Set Key Exchange version to IKEv2

  • Set Internet Protocol to IPv4

  • Set Interface to WAN

  • Set Remote Gateway to 10.129.0.10

  • Set Authentication Method to Mutual PSK

  • Set My identifier to My IP address

  • Set Peer identifier to Peer IP address

  • Set Pre-Shared Key to 01234567

  • Set Encryption:

    • Algorithm to AES

    • Key length to 256 bit

    • Hash to SHA256

    • DH Group to 14 (2048 bit)

  • Set Lifetime as 28800

  • Click Save

Phase 2
  • On the newly created Phase 1 entry, click Show Phase 2 Entries

  • Click Add P2

  • Set Mode to Routed (VTI)

  • Set Local Network to 10.131.4.2 and mask 30

  • Set Remote Network to 10.131.4.1

  • Set Protocol to ESP

  • Set Encryption Algorithms to AES and 256 bit

  • Uncheck all other Encryption Algorithms entries

  • Set Hash Algorithms to SHA256

  • Uncheck all other Hash Algorithms entries

  • Set PFS key group to 14 (2048 bit)

  • Set Lifetime as 3600

  • Click Save

  • Click Apply Changes

Interface
  • Navigate to Interfaces > Interface Assignments

  • From the Available network ports list, choose ipsecNNNN (IPsec VTI) (The ID number will vary)

  • Click Add

  • Note the newly created interface name, such as OPTX

  • Navigate to Interfaces > OPTX

  • Check Enable

  • Click Save

  • Click Apply Changes

Routing
  • Navigate to System > Routing, Static Routes tab

  • Click Add

  • Set Destination network to 192.168.0.0 and mask 23

  • Set Gateway to the newly created VTI interface gateway, which has an address of 10.131.3.1

  • Click Save

  • Click Add

  • Set Destination network to 192.168.2.0 and mask 24

  • Set Gateway to the newly created VTI interface gateway, which has an address of 10.131.3.1

  • Click Save

  • Click Apply Changes

Firewall

To allow connections into the local LAN from remote IPsec sites, create necessary pass rules under Firewall > Rules on the IPsec tab. These rules would have a Source set to the remote LAN or whichever network is the source of the traffic to allow.

For simplicity, this example has a rule to pass IPv4 traffic from any source to any destination since the only IPsec interface traffic will be from 192.168.0.0/22.

NAT

TNSR will perform NAT for this peer, so outbound NAT is not necessary. It may be left at the default, which will not touch IPsec traffic, or outbound NAT may be disabled entirely which will also prevent LAN subnet traffic from exiting out the WAN unintentionally.

Access to the internet for remote network

This section describes minimal routing and NAT settings which provide access to the Internet for one of the remote networks. In current case this is Peer 1 that exchanges routing information with TNSR via BGP.

This document assumes that devices have IPsec setup successfully completed, able to reach each other via IPsec tunnel using path information from the dynamic routing protocol.

TNSR

NAT/PAT

Setup NAT for remote network, in this case PAT is used.

tnsr tnsr# configure
tnsr tnsr(config)# interface ipip1
tnsr tnsr(config-interface)# exit

Peer 1 Policy Route

Routing

Setup access to the internet via IPsec VTI interface with a policy-based routing rule.

  • Navigate to Firewall > Rules

  • Create (or modify existing default pass ipv4 LAN any) rule:

    • Set Address Family to IPv4

    • Set Protocol to ANY

    • Set Source to LAN net

    • Set Destination to ANY

    • Click Display Advanced

    • Set Gateway to <IPsec interface name>_VTIV4

    • Click Save

Note

VTI on pfSense software does not support reply-to. Despite this policy routing rule on Peer1 which covers all traffic, there must also be kernel routes to remote LANs for the return traffic to find the way back.