In PfSense versions before 2.1 you could create site-to-site IPsec tunnels to connect two or more sites together. This worked fine but you couldn’t (from the web interface) route internet traffic from site A through the IPsec tunnel so that it would use site B’s internet connection.

PfSense version 2.1 introduces that possibility. In such a setup internet traffic from Site A would appear to be coming from Site B. We had to use this because a vendor would check from which public IP an incoming connection was initiated.

ipsec-s2s-vork-00

 

In this article we have two sites:

  • Site A is a branch office, LAN subnet 192.168.10.0/24
  • Site B is the main office through which all internet traffic is routed, 192.168.20.0/24

 

Here’s what we’ll do:

  • Set up the IPsec tunnel Phase 1
  • Set up the IPsec tunnel Phase 2
  • Allow IPsec traffic through the firewall
  • Configure outbound NAT
  • Troubleshooting

Set up the IPsec tunnel Phase 1

In Site A

In the VPN menu select IPsec. It opens on the Tunnels tab. Click the + button to create a new Phase 1 setup. (Make sure Enable IPsec is checked and saved.)

ipsec-s2s-vork-01

Enter these values:

Internet Protocol IPv4
Interface WAN Unless you’re using a separate OPT interface
Description Site B The site’s locality
Authentication method Mutual PSK
Negotiation mode aggressive
My identifier My IP address
Peer identifier Peer IP address
Pre-Shared Key Any long key. I got mine at https://www.grc.com/passwords.htm but be careful: if you copy a string from that site your browser may add one or two spaces at the end of the string so CHECK THE COPIED STRING before you paste it in the Pre-Shared Key field.
Policy Generation Default
Proposal Checking Default
Encryption algorithm AES 256bits Unless you have a reason to choose something else. Check this for a discussion of the options.
Hash algorithm SHA256 Unless you need something else. Check this for a discussion of the options.
DH key group 2 (1024 bit) Read this for an explanation of what this is.
Lifetime 28800
NAT Traversal Disable Turn this off unless you need it.
Dead Peer Detection Enable: 10 seconds, 5 retries Turn it off if you don’t like it.

Note: the encryption options influence the speed of the line but not very significantly. You would have to use really slow hardware to notice it. I tested a range of options and found the speed doesn’t deviate more than 5% from the values I suggest here.

ipsec-s2s-vork-02

Note that your Phase 1 entry is now shown on the IPsec page. Click Save and in the next screen click Apply Changes.

ipsec-s2s-vork-03

In Site B

Do the same as in Site A but in the Remote Gateway field enter Site A’s public IP address or FQDN and in the Description field enter ‘Site A’.

Set up the IPsec tunnel Phase 2

In Site A

Click the + button under the Phase 1 entry. It will give you an overview of all available Phase 2 entries. Since we haven’t made any yet none are shown.

ipsec-s2s-vork-05

Click the + button to create a new Phase 2.

ipsec-s2s-vork-06

Enter these values:

Mode Tunnel IPv4
Local Network Type: LAN subnet. NAT/BINAT type: None.
Remote Network 0.0.0.0/0 This tells PfSense to route everything over this interface.
Description Site B
Protocol ESP
Encryption algorithm AES 256 bits
Hash algorithm SHA256
PFS key group 2 (1024 bit)
Lifetime 3600
Automatically ping host Enter a hostname or IP address to keep the tunnel alive. In my experience this is not necessary.

ipsec-s2s-vork-07

Click Save and on the next page click Appy Changes.

In Site B

Remote Network, Type: Network
Local NetworkAddress: 0.0.0.0/0
Remote Network, Address: Site A’s LAN subnet
Use the same Phase 2 proposal and Advanced options as in Site A.

ipsec-s2s-vork-13Click Save and then Apply Changes.

Allow IPsec traffic through the firewall

The tunnel should now be operational however no traffic is allowed through it until you add a firewall rule for that. You must add the rule on both sites’ routers.

From the Firewall menu, choose Rules. Go to the IPsec tab and click the + button.

ipsec-s2s-vork-09

Set the Protocol to any and in the Description field type ‘Allow everything through IPsec tunnel’. Click Save and on the next page click Apply changes. Do this on both routers.

ipsec-s2s-vork-10

At this point the tunnel should be up and you should be able to ping from one side to the other and back. Computers in Site A haven’t got an internet connection however. This is because we still need to configure NAT for the IPsec tunnel.

Configure outbound NAT

In the default setup outbound NAT is configured automatically. We need to set it to Manual in order to add Site A’s subnet.

In Site B

From the Firewall menu, choose NAT and click the Outbound tab. Note that Mode is set to Automatic outbound NAT rule generation. Select Manual Outbound NAT rule generation and click Save. On the next page, click Apply changes.

Click the + button to open the New Mapping page.

ipsec-s2s-vork-11

As the Source Type, select Network. In the Source, Address field type Site A’s subnet: 192.168.10.0/24.

In the Description field, type ‘NAT for IPsec tunnel Site A’.

ipsec-s2s-vork-14

Click Save and on the next page, click Apply changes.

Note that the new entry is shown in the outbound NAT overview.

ipsec-s2s-vork-15

You do not need to do this on Site A’s router.
At this point Site B will have a working internet connection through the IPsec tunnel out Site B’s internet provider. Any internet traffic from Site A will look as if it were coming from Site B (see the diagram at the beginning of this article).

Troubleshooting

  • You can find out what IPsec is doing by choosing System logs in the Status menu, tab IPsec. If you find it difficult to decipher this: disable the tunnel, clear the log, enable the tunnel and see what is logged. If you find nothing special, go to System, Advanced, Miscellaneous, check IPsec Debug and start again.
  • Make sure you are not trying to connect overlapping subnets. This goes for any tunneling system.
  • One of my sites ran over a VLAN that used a subnet partly like one of the connected subnets which prevented the connection from initiating. Disabling NAT-T on the endpoint of the tunnel fixed this.
  • PfSense’s IPsec statuses do not always represent their correct states.
  • If you are absolutely convinced that it should work but it doesn’t, reboot the client you are testing on and reboot the routers. It shouldn’t be necessary but it has been known to help sometimes.
  • PfSense gets confused if you have multiple VPN (either OpenVPN or IPsec) configurations that use identical subnets or names so always use unique subnets and names.
  • Check Diagnostics, Routes to check if your bits are going where they should.

Fix NAT reflection

Now I have a public webserver in Site B. It used to be accessible from the internet. It was also accessible from within Site A because A wasn’t connected to B. Clients in Site B could reach it becasuse of NAT reflection: PfSense routes internal traffic to the webserver’s external IP address to make it look like it was coming from outside in order to disclose the website to users within Site B.

Setting up internet routing through the IPsec tunnel broke this and I needed to do this:

In the System menu, under Advanced, click the Firewall/NAT tab. Scroll down to the Network Address Translation section.

I already had NAT Reflection mode for port forwards set to Enable (NAT + Proxy) but I also needed to check Enable automatic outbound NAT for Reflection.

Under Firewall, NAT, Port Forward, I edited the port forwarding rules: I set NAT reflection to Enable (Pure NAT). I’m not sure this is necessary if NAT Reflection mode for port forwards is already set to Enable but it works.