This article is about securing the IP layer with a Virtual Private Network (VPN) built on IPsec (Internet Protocol Security) on the well-known open source firewall pfSense. The two components of the IPsec protocol are the Authentication Header (AH) and the Encapsulating Security Payload (ESP), which provide packet integrity, authentication and confidentiality. IPsec uses cryptographic mechanisms to protect communication at the IP layer, and it can encrypt and authenticate all IP traffic between a local and a remote site.
pfSense uses the open source tool strongSwan to provide its IPsec VPN functionality. Both phases of IPsec (key exchange and encryption) are handled by strongSwan on Linux/Unix platforms: it implements Internet Key Exchange (IKE), the automatic sharing of keys between the nodes or gateways of the IPsec VPN, and then uses the kernel implementation of authentication (AH) and encryption (ESP). strongSwan uses OpenSSL's implementation of the cryptographic algorithms (such as AES128/256 and MD5/SHA1) in the first phase (the IKE phase) of the VPN. The ESP processing used in the second phase is provided by the Linux/Unix kernel and driven by strongSwan.
To follow this article, I assume you have already installed pfSense on a VM. In this setup, each VM has two interfaces (WAN and LAN) with IP addresses configured. The following figures show the interface assignment and IP addresses for the device-a and device-b VMs.
device-a interface and IP settings
device-b interface and IP settings
The strongSwan package is already installed on a fresh installation of pfSense and is available in the web interface under the VPN menu. Installation of strongSwan on a Linux platform is covered in a previous article.
Configuration of IPsec VPN
By default everything is blocked on the WAN interface of pfSense, so first allow UDP ports 4500 (IPsec NAT-T) and 500 (ISAKMP) for the IPsec VPN. In this lab, however, we allowed everything (not recommended for a production environment) in order to establish IPsec between the two VMs.
As shown below, the rule is configured on the WAN interface of pfSense under the Firewall menu.
An IPsec rule is also configured in the firewall to pass traffic through the established VPN.
It is also important to make sure the remote device is reachable for the IPsec VPN. The following snapshot shows that the remote device is up and replying.
After ensuring gateway-to-gateway connectivity, the next step is to configure the VPN (both phase 1 and phase 2) on the VMs. In phase 1, IKE is configured and the encryption/authentication algorithms are selected. Phase 2 sets the ESP parameters, such as encryption and authentication, on both VMs. The settings of the IPsec VPN (local/remote IP, local/remote networks, encryption/authentication algorithms) must be correct and consistent on both VMs for the tunnel to be established.
pfSense is configured through its web interface, so the following window opens after clicking the IPsec sub-menu under VPN.
Check the Enable IPsec option to create the tunnel on pfSense. Click the plus button to add a new IPsec tunnel policy on the local side (side-a in this case). The following snapshots show the settings for the IKE phase (phase 1) of IPsec.
The two versions of the IKE key exchange are v1 and v2; here Auto is selected as the key exchange version. The WAN interface is selected to establish the tunnel, and the IP address of the remote device (side-b in this case) is entered in the Remote Gateway field.
Phase 1 setting on side-a
Phase 1 setting on side-b
The following snapshot shows the selection of the authentication mechanism for phase 1. In this tutorial, Mutual PSK (a shared secret) is selected for mutual authentication of both VMs. Main mode is selected because it is more secure than aggressive mode. The pre-shared key (shared secret) on both devices is "test12345". The same snapshot also shows the encryption settings for phase 1: the default selection is AES256 for the encryption algorithm and SHA1 for the hash algorithm.
The NAT Traversal option is set to Auto for clients that are behind firewalls. Dead Peer Detection (DPD), another IPsec feature, is also enabled.
The following screenshot shows the phase 1 settings above saved on device-a.
Click the plus button to add a phase 2 policy on the pfSense firewall. In the following snapshot, the local and remote networks are included in the policy.
The parameters selected for phase 2 (the ESP proposal) are shown below.
The following snapshot shows that the VPN policy has been successfully created on pfSense device-a.
More settings for strongSwan IPsec (such as log levels) are available in the Advanced Settings tab.
Click IPsec under the Status menu to get more details about the configured VPN.
The following screenshot shows an overview of the VPN configured on device-a. As shown below, the current status of the VPN is Disconnected; click the Connect button to start negotiation with the remote device.
Successful negotiation between the two devices is shown in the following figures.
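The phase 1 and phase 2 screens on device-a and device-b must be mirror images of each other (identical proposals and modes, swapped local/remote addresses and networks), and a mismatch in any one field is the usual reason a tunnel refuses to come up. The script below is an added example, not code from the article or from the pfSense or strongSwan projects: it encodes the tutorial's choices (IKEv1 main mode, mutual PSK, AES256/SHA1) as two constructed strongSwan-style `conn` blocks and checks them against each other, then applies a minimum-length check to the pre-shared key. The addresses, subnets, the DH group (modp2048) and the 20-character PSK policy are assumptions of the example, not values from the page.

```shell
#!/bin/sh
# Added example (not from the article): check that the two sides of a
# site-to-site IPsec tunnel are configured as mirror images, the way the
# pfSense phase 1 / phase 2 screens must be on device-a and device-b.
# SIDE_A and SIDE_B are constructed strongSwan-style "conn" blocks that
# mirror the tutorial's choices (IKEv1 main mode, mutual PSK, AES256/SHA1).
# Addresses, subnets and the DH group (modp2048) are assumed, not from the page.
SIDE_A='
conn tutorial
  keyexchange=ikev1
  aggressive=no
  authby=secret
  ike=aes256-sha1-modp2048
  esp=aes256-sha1
  left=198.51.100.1
  leftsubnet=192.168.1.0/24
  right=198.51.100.2
  rightsubnet=192.168.2.0/24
'
SIDE_B='
conn tutorial
  keyexchange=ikev1
  aggressive=no
  authby=secret
  ike=aes256-sha1-modp2048
  esp=aes256-sha1
  left=198.51.100.2
  leftsubnet=192.168.2.0/24
  right=198.51.100.1
  rightsubnet=192.168.1.0/24
'

# get KEY CONFIG: print the value of "KEY=" from a conn block (first match only)
get() {
  printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1=//p" | head -n 1
}

# check_pair CONFIG_A CONFIG_B: exit 0 when the two definitions mirror each
# other. Proposal and mode settings must be identical on both sides; local and
# remote addresses and subnets must be swapped between the sides.
check_pair() {
  a=$1; b=$2; rc=0
  for k in keyexchange aggressive authby ike esp; do
    if [ "$(get "$k" "$a")" != "$(get "$k" "$b")" ]; then
      echo "mismatch in $k: '$(get "$k" "$a")' vs '$(get "$k" "$b")'"
      rc=1
    fi
  done
  for pair in left:right right:left leftsubnet:rightsubnet rightsubnet:leftsubnet; do
    ka=${pair%%:*}; kb=${pair#*:}
    if [ "$(get "$ka" "$a")" != "$(get "$kb" "$b")" ]; then
      echo "mismatch: side-a $ka ($(get "$ka" "$a")) must equal side-b $kb ($(get "$kb" "$b"))"
      rc=1
    fi
  done
  return $rc
}

# psk_ok PSK: exit 0 when the pre-shared key meets an assumed minimum length
# of 20 characters (a policy chosen for this example, not a pfSense default).
psk_ok() {
  [ "${#1}" -ge 20 ]
}

check_pair "$SIDE_A" "$SIDE_B" && echo "side-a and side-b mirror each other"
psk_ok "test12345" || echo "PSK 'test12345' is shorter than the assumed 20-character minimum"
```

Run it as a plain POSIX shell script; the tutorial's own key "test12345" is reported as below the example's length policy, and changing any single field (for example `esp=` on one side only) produces a mismatch line naming the field, which is the same information the IPsec log reports as a NO_PROPOSAL_CHOSEN style failure but is far easier to read.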
device-a VPN status
device-b VPN status
The Security Association Database (SAD) and the Security Policy Database (SPD) are shown below.
SAD for device-a
SPD for device-a
Click Logs to view the detailed IPsec logs for troubleshooting.
The status of the VPN can also be checked from the command line with utilities such as setkey and the ipsec status command.
setkey -D output
ipsec statusall output
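A tunnel is only fully usable when `ipsec statusall` reports both an ESTABLISHED IKE SA (phase 1) and an INSTALLED CHILD SA (phase 2); a peer that authenticates but never installs the CHILD SA is the classic phase 2 mismatch, and it still shows as "connected" at a glance. The script below is an added example, not code from the article or from the strongSwan project: it reads the status text and classifies the connection as up, ike-only or down, and pulls out the negotiated IKE and ESP proposals. The status samples are constructed in the `statusall` layout; the connection name `con1`, the addresses and the SPIs are made up for the example.

```shell
#!/bin/sh
# Added example (not from the article): parse strongSwan "ipsec statusall"
# output and decide whether a connection has both an ESTABLISHED IKE SA
# (phase 1) and an INSTALLED CHILD SA (phase 2).
# STATUS_UP and STATUS_IKE_ONLY are constructed samples in the statusall
# layout; the connection name, addresses and SPIs are made up for the example.
STATUS_UP='Status of IKE charon daemon (strongSwan, FreeBSD):
  uptime: 2 minutes, since Jan 01 00:00:00 2016
Listening IP addresses:
  198.51.100.1
Connections:
        con1:  198.51.100.1...198.51.100.2  IKEv1
        con1:   local:  [198.51.100.1] uses pre-shared key authentication
        con1:   remote: [198.51.100.2] uses pre-shared key authentication
        con1:   child:  192.168.1.0/24 === 192.168.2.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
        con1[1]: ESTABLISHED 2 minutes ago, 198.51.100.1[198.51.100.1]...198.51.100.2[198.51.100.2]
        con1[1]: IKEv1 SPI: 0011223344556677_i* 8899aabbccddeeff_r, pre-shared key reauthentication in 7 hours
        con1[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
        con1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0000001_i c0000002_o
        con1{1}:  AES_CBC_256/HMAC_SHA1_96, 1200 bytes_i, 3400 bytes_o, rekeying in 40 minutes
        con1{1}:   192.168.1.0/24 === 192.168.2.0/24'

# Phase 1 completed but no CHILD SA: what a phase 2 mismatch looks like.
STATUS_IKE_ONLY='Security Associations (1 up, 0 connecting):
        con1[1]: ESTABLISHED 10 seconds ago, 198.51.100.1[198.51.100.1]...198.51.100.2[198.51.100.2]
        con1[1]: IKEv1 SPI: 0011223344556677_i* 8899aabbccddeeff_r, pre-shared key reauthentication in 7 hours
        con1[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048'

# tunnel_state CONN OUTPUT: print "up", "ike-only" or "down"; exit 0 only for "up".
# IKE SA lines are "CONN[n]: ESTABLISHED ...", CHILD SA lines are "CONN{n}: INSTALLED ...".
tunnel_state() {
  conn=$1; out=$2
  if ! printf '%s\n' "$out" | grep -q "^[[:space:]]*$conn\[[0-9][0-9]*\]: ESTABLISHED"; then
    echo down; return 1
  fi
  if ! printf '%s\n' "$out" | grep -q "^[[:space:]]*$conn{[0-9][0-9]*}:[[:space:]]*INSTALLED"; then
    echo ike-only; return 1
  fi
  echo up
}

# esp_proposal CONN OUTPUT: print the cipher/integrity pair negotiated for the CHILD SA
# (the "ALG/ALG," token on a CHILD SA line; INSTALLED contains no slash so it is skipped).
esp_proposal() {
  printf '%s\n' "$2" | sed -n "s|^[[:space:]]*$1{[0-9][0-9]*}:[[:space:]]*\([A-Z0-9_]*/[A-Z0-9_]*\),.*|\1|p" | head -n 1
}

# ike_proposal CONN OUTPUT: print the proposal negotiated for the IKE SA
ike_proposal() {
  printf '%s\n' "$2" | sed -n "s|^[[:space:]]*$1\[[0-9][0-9]*\]: IKE proposal: ||p" | head -n 1
}

tunnel_state con1 "$STATUS_UP"
ike_proposal con1 "$STATUS_UP"
esp_proposal con1 "$STATUS_UP"
```

On a real pfSense box the same functions can be fed live output with `tunnel_state con1 "$(ipsec statusall)"`, which makes the up/ike-only distinction usable from a monitoring script where the GUI status page would only show a green connected icon; the proposal extractors are a quick way to confirm that what was negotiated matches what the phase 1 and phase 2 screens were set to.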
This article covered the use of an IPsec VPN on the pfSense firewall to secure the network layer against attackers. strongSwan is an open source implementation of IPsec that is available in most open source firewalls. A shared-secret based IPsec VPN was established between two VMs to secure their communication.