Pfsense Ipsec with Acreto

Overview

This article will help you connect your pfSense installation to the Acreto Ecosystem and secure its traffic.

[Image: Network Diagram]

Prerequisites

  1. pfSense installation.
  2. Ecosystem set up with proper security policies.

Create Gateway for IPsec

Firstly, you will need to create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.

  1. Name: the IPsec connection name must meet the same requirements as a strongSwan connection name (letters and numbers only).
  2. Category: IoT
  3. Type: IPsec
  4. Allow connection from: leave empty (this field restricts the source IP address from which the IPsec connection is permitted).
  5. Local Networks: any local network addresses that will be routed through this gateway.

[Image: Wedge - New Gateway]
Info

To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (you can use a /32 prefix for the public interface). This will allow you to test connectivity from the gateway through Acreto using Ping, Traceroute, or similar tools.

How-To

Task 1: Read IPsec Gateway Values Required for IPsec Configuration

To proceed with the pfSense configuration, you will need a few values from an existing committed Acreto Gateway:

  1. Gateway Address
  2. Pre-Shared Key
  3. Recommended Ciphers

All of these can be found in the Gateway details panel; see the animation below for further instruction.

[Image: pfSense - VPN wizard panel]

Task 2: Configure IPsec on pfSense

  1. Log in to your pfSense panel.

  2. Go to VPN > IPsec. Click on Add P1 to configure the Phase 1 settings.

    [Image: pfSense - ipsec - configuration]

  3. In the following window, configure the VPN Phase 1 settings as below:

    • General Information:
      1. IKE Exchange Version: IKEv2
      2. Internet Protocol: IPv4
      3. Interface: WAN
      4. Remote Gateway: the Acreto peer IP (the Gateway Address read in Task 1)
      5. Description: AcretoVPN

    [Image: pfSense - ipsec - configuration]

    • Phase 1 Proposal (Authentication)
      1. Authentication Method: Mutual PSK
      2. My Identifier: select Distinguished Name and enter the Peer ID in the value field.
      3. Pre-Shared Key: the PSK read in Task 1
    • Phase 1 Proposal (Encryption Algorithm)
      1. Encryption Algorithm: AES, 128 bits; Hash: SHA256; DH Group: 15 (3072 bit)
    • Expiration and Replacement
      1. Lifetime: 10800

    [Image: pfSense - ipsec - configuration]

    • Advanced Options
      1. Dead Peer Detection: Enable
      2. Delay: 30
      3. Max Failures: 5
  4. Click Save to save the configuration.

    [Image: pfSense - ipsec - configuration]

  5. Click on Show Phase 2 Entries, then click on Add P2.

    [Image: pfSense - ipsec - configuration]

  6. In the next window, configure the Phase 2 settings as below:

    • General Information:
      1. Mode: Tunnel IPv4
      2. Local Network: select Network and enter the local network address 192.168.252.0/24
      3. Remote Network: select Network and enter 0.0.0.0/0
      4. Description: AcretoVPN_P2

    [Image: pfSense - ipsec - configuration]

    • Phase 2 Proposal (SA/Key Exchange)
      1. Protocol: ESP
      2. Encryption Algorithm: AES 128
      3. Hash Algorithm: SHA256
      4. PFS key group: 15 (3072)

    [Image: pfSense - ipsec - configuration]

    • Expiration and Replacement
      1. Lifetime: 3600
  7. Click on Save.

    [Image: pfSense - ipsec - configuration]

  8. Click on Apply Changes to save the configuration.

    [Image: pfSense - ipsec - configuration]
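Before bringing the tunnel up, it is worth checking that the Phase 1 and Phase 2 settings entered above are consistent with what the peer expects. The following check is an added example, not code from the Acreto article or from pfSense; it writes proposals in strongSwan notation (pfSense's DH group "15 (3072)" is modp3072) and flags a missing common proposal, an inverted lifetime order, or a weak primitive.

```python
# Added example, not from the Acreto article or from pfSense: a consistency check
# for the Phase 1 / Phase 2 settings above, written in strongSwan proposal notation
# ("aes128-sha256-modp3072"; pfSense's DH group "15 (3072)" is modp3072).
ENC = {"aes128", "aes192", "aes256", "aes128gcm16", "aes256gcm16", "3des", "null"}
INTEG = {"md5", "sha1", "sha256", "sha384", "sha512"}
DH = {"modp1024", "modp1536", "modp2048", "modp3072", "modp4096", "ecp256", "ecp384"}
WEAK = {"3des", "null", "md5", "sha1", "modp1024"}   # reported, not hard failures
def parse_proposal(text):
    """Split 'aes128-sha256-modp3072' into (enc, integ, dh); dh may be None."""
    enc = integ = dh = None
    for tok in text.lower().split("-"):
        if tok in ENC:
            enc = tok
        elif tok in INTEG:
            integ = tok
        elif tok in DH:
            dh = tok
        else:
            raise ValueError(f"unknown proposal token: {tok!r}")
    if enc is None or integ is None:
        raise ValueError(f"incomplete proposal: {text!r}")
    return (enc, integ, dh)

def common_proposals(local, remote):
    """Proposals both peers offer, in the local peer's preference order."""
    offered = {parse_proposal(p) for p in remote}
    return [p for p in local if parse_proposal(p) in offered]

def check_tunnel(p1_local, p1_remote, p2_local, p2_remote, p1_lifetime, p2_lifetime):
    """Return findings as strings; an empty list means the settings are consistent."""
    findings = []
    if not common_proposals(p1_local, p1_remote):
        findings.append("no common IKE (Phase 1) proposal: the IKE SA will not come up")
    if not common_proposals(p2_local, p2_remote):
        findings.append("no common ESP (Phase 2) proposal: the child SA will not come up")
    if p2_lifetime >= p1_lifetime:  # pfSense convention: Phase 2 rekeys before Phase 1
        findings.append(f"Phase 2 lifetime {p2_lifetime}s should be shorter than Phase 1 {p1_lifetime}s")
    for p in p1_local + p2_local:
        weak = set(parse_proposal(p)) & WEAK
        if weak:
            findings.append(f"weak primitive(s) {sorted(weak)} in local proposal {p}")
    return findings

# Values from Task 2 of the article: AES 128, SHA256, DH group 15, lifetimes 10800 s / 3600 s.
ARTICLE = dict(p1_local=["aes128-sha256-modp3072"], p1_remote=["aes128-sha256-modp3072"],
               p2_local=["aes128-sha256-modp3072"], p2_remote=["aes128-sha256-modp3072"],
               p1_lifetime=10800, p2_lifetime=3600)
if __name__ == "__main__":
    print(check_tunnel(**ARTICLE) or "OK: proposals match and lifetimes are ordered")
```

The remote-side proposal lists are whatever the Acreto Gateway details panel reports as Recommended Ciphers; the article's values are used here for both sides.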

Task 3: Configure Policy to Allow Traffic from LAN to VPN

  1. Go to Firewall > Rules and select LAN.

    [Image: pfSense - ipsec - configuration]

  2. Click the Add button to add a new rule.

    [Image: pfSense - ipsec - configuration]

  3. In the next window, configure the policy as below:

    • Edit Firewall Rules
      1. Action: Pass
      2. Interface: LAN
      3. Address Family: IPv4
      4. Protocol: Any

    [Image: pfSense - ipsec - configuration]

    • Source
      1. Source: select Network and enter the local LAN address (192.168.252.0/24 in this example)
    • Destination
      1. Destination: Any
    • Click on Save

    [Image: pfSense - ipsec - configuration]

    • Click on Apply Changes to save the configuration.

    [Image: pfSense - ipsec - configuration]

Task 4: Disable NAT for Traffic over VPN

  1. Go to Firewall > NAT.

    [Image: pfSense - ipsec - configuration]

  2. Select Outbound, and in the Mappings section click the Add button.

    [Image: pfSense - ipsec - configuration]

  3. In the next window, configure the rule as below:

    • Edit Advanced Outbound NAT Entry
      1. Do not NAT: Enable
      2. Interface: IPsec
      3. Address Family: IPv4
      4. Protocol: Any
      5. Source: select Network and enter the local LAN address (192.168.252.0/24 in this example)
      6. Destination: Any
  4. Click on Save

    [Image: pfSense - ipsec - configuration]

  5. Click on Apply Changes to save the NAT rule.

  6. In the same window, under Outbound NAT Mode select Hybrid Outbound NAT rule generation (Automatic Outbound NAT + rules below).

    [Image: pfSense - ipsec - configuration]

  7. Click on Apply Changes to save settings.

Task 5: Verify Tunnel Status

  1. Go to Status > IPsec.

    [Image: pfSense - ipsec - configuration]

  2. The status of the VPN is shown in the following window. Click on Connect VPN if the tunnel is down.

    [Image: pfSense - ipsec - configuration]

Task 6: Check Connectivity Using the LAN Interface

  1. Go to Diagnostics > Ping.

    [Image: pfSense - ipsec - configuration]

  2. In the next window, run a ping with the following settings:

    • Hostname: 8.8.8.8
    • Source address: LAN

    [Image: pfSense - ipsec - configuration]

    [Image: pfSense - ipsec - configuration]

  3. The ping should succeed, and the logs on the Wedge dashboard should show the corresponding record.

Task 7 (Optional): Configure Local Source and Destination Networks that Bypass IPsec

  1. Go to VPN > IPsec and click on Advanced Settings.

    [Image: pfSense - ipsec - configuration]

  2. In IPsec bypass rules, enter the source and destination networks of your local traffic that does not need to go through the Acreto VPN.

    [Image: pfSense - ipsec - configuration]

Summary

Once the VPN connection is successfully established, all internet traffic will be routed through the Acreto Ecosystem.