How to build an IPsec site-to-site VPN with VyOS and pfSense
VyOS vs pfSense
pfSense can build every network function we need (NAT, firewall, site-to-site VPN, dial-in VPN) and it works well, but it has some cons:
- Version upgrades are hard and can leave the box crashed
- No built-in API
- Heavy, with low throughput for the hardware it runs on
After replacing pfSense with VyOS for all of those functions, VyOS turned out to have a lot of pros:
- Easy upgrade and rollback
- HTTP and Python APIs
- Ansible deployment support
- Command-line operation, just like Juniper and Cisco
Today I will show you how to build an IPsec site-to-site VPN between VyOS and pfSense.
Prerequisites

| | SITE A | SITE B |
|---|---|---|
| WAN address | 1.1.1.1 | 2.2.2.2 |
| WAN interface | eth0 | eth0 |
| LAN address | 192.168.1.1/24 | 192.168.2.1/24 |
| LAN network | 192.168.1.0/24 | 192.168.2.0/24 |
| LAN interface | eth1 | eth1 |
| OS | VyOS | pfSense |
| Pre-shared key | `*#JCenaoewaoi0298J299*8&^(%9))_&&` | `*#JCenaoewaoi0298J299*8&^(%9))_&&` |

1.1.1.1 and 2.2.2.2 stand in for the two public WAN addresses; substitute your own. The pre-shared key must be identical on both ends, so generate one long random string for this tunnel and do not reuse it anywhere else; the value shown here is only an example.
Configure Site A

On the VyOS box, enter configuration mode and paste the commands below. They use the VyOS 1.2/1.3 syntax (`ipsec-interfaces`, `site-to-site peer <address>`); VyOS 1.4 renamed several of these nodes, so check `set vpn ipsec ?` on newer releases.
```
configure
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group IKE-Default dead-peer-detection action 'hold'
set vpn ipsec ike-group IKE-Default dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-Default dead-peer-detection timeout '120'
set vpn ipsec ike-group IKE-Default ikev2-reauth 'no'
set vpn ipsec ike-group IKE-Default key-exchange 'ikev2'
set vpn ipsec ike-group IKE-Default lifetime '10800'
set vpn ipsec ike-group IKE-Default mobike 'disable'
set vpn ipsec ike-group IKE-Default proposal 1 dh-group '14'
set vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes256gcm128'
set vpn ipsec ike-group IKE-Default proposal 1 hash 'sha256'
set vpn ipsec esp-group ESP-Default compression 'disable'
set vpn ipsec esp-group ESP-Default lifetime '3600'
set vpn ipsec esp-group ESP-Default mode 'tunnel'
set vpn ipsec esp-group ESP-Default pfs 'dh-group14'
set vpn ipsec esp-group ESP-Default proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP-Default proposal 1 hash 'sha256'
set vpn ipsec site-to-site peer 2.2.2.2 authentication id '1.1.1.1'
set vpn ipsec site-to-site peer 2.2.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret '*#JCenaoewaoi0298J299*8&^(%9))_&&'
set vpn ipsec site-to-site peer 2.2.2.2 authentication remote-id '2.2.2.2'
set vpn ipsec site-to-site peer 2.2.2.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 2.2.2.2 ike-group 'IKE-Default'
set vpn ipsec site-to-site peer 2.2.2.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 2.2.2.2 local-address '1.1.1.1'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 esp-group 'ESP-Default'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 local prefix '192.168.1.0/24'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 remote prefix '192.168.2.0/24'
commit
save
exit
```

`commit` activates the tunnel and `save` writes it to the boot configuration; without `save` the tunnel disappears on reboot. `connection-type 'initiate'` makes Site A bring the tunnel up as soon as the peer is reachable; `show vpn ike sa` should then list 2.2.2.2 with the IKE SA up and `show vpn ipsec sa` the child SA for 192.168.1.0/24 and 192.168.2.0/24. If it does not come up, `show vpn debug` prints the strongSwan status and `reset vpn ipsec-peer 2.2.2.2` restarts the negotiation. Two details of the proposals: `hash 'sha256'` on the IKE group is the IKE PRF/integrity algorithm and has to match the SHA256 chosen on pfSense; on the ESP group it is not an ESP integrity algorithm, because AES-GCM is an AEAD cipher that carries its own integrity tag (the 128 in `aes256gcm128` is the tag length; the key is 256 bits).
Configure Site B
- After logging in to pfSense, go to VPN > IPsec.
- Click the "Add P1" button.
- Fill in the Phase 1 form as shown below.
Add P1

| Key | Value |
|---|---|
| Disabled | unchecked |
| Key Exchange version | IKEv2 |
| Internet Protocol | IPv4 |
| Interface | WAN |
| Remote Gateway | 1.1.1.1 |
| Description | SITE-A-VPN |

Phase 1 Proposal (Authentication)

| Key | Value |
|---|---|
| Authentication Method | Mutual PSK |
| My identifier | My IP address |
| Peer identifier | Peer IP address |
| Pre-Shared Key | `*#JCenaoewaoi0298J299*8&^(%9))_&&` |

"My IP address" resolves to 2.2.2.2 and "Peer IP address" to 1.1.1.1, which mirrors `authentication remote-id '2.2.2.2'` and `authentication id '1.1.1.1'` on VyOS. IKEv2 verifies these identities during authentication, so a mismatch fails the tunnel even when the key is right.

Phase 1 Proposal (Encryption Algorithm)

| Encryption Algorithm | Key length | Hash | DH Group |
|---|---|---|---|
| AES256-GCM | 128 bits | SHA256 | 14 (2048 bit) |

For AES-GCM the "Key length" field selects the 128-bit ICV (tag) length, the `128` in VyOS's `aes256gcm128`; the key size is the 256 in the algorithm name.

| Key | Value |
|---|---|
| Lifetime (Seconds) | 28800 |

This does not match the VyOS IKE lifetime of 10800. IKEv2 does not require lifetimes to agree (each side rekeys on its own timer, so VyOS will rekey first), but setting both ends to the same value makes the behaviour easier to reason about.
Advanced Options

| Key | Value |
|---|---|
| Disable rekey | unchecked |
| Margintime (Seconds) | blank (default) |
| Disable Reauth | unchecked |
| Responder Only | unchecked |
| MOBIKE | Disable |
| Split connections | unchecked |
| Dead Peer Detection | Enable DPD checked |
| Delay | 120 |
| Max failures | 30 |

DPD runs independently on each end, so these values do not have to match VyOS's interval 30 / timeout 120. Note, though, that Delay is the number of seconds between probes and Max failures the number of missed probes tolerated, so 120 x 30 means pfSense waits roughly an hour before it declares Site A dead; a Delay of 30 and Max failures of 4 would behave like the VyOS settings.
Add P2

| Key | Value |
|---|---|
| Disabled | unchecked |
| Mode | Tunnel IPv4 |
| Local Network | Network 192.168.2.0/24 |
| NAT/BINAT translation | None |
| Remote Network | Network 192.168.1.0/24 |
| Description | Site A |

Phase 2 Proposal (SA/Key Exchange)

| Key | Value |
|---|---|
| Protocol | ESP |
| Encryption Algorithms | AES256-GCM 128 bit |
| Hash Algorithms | SHA256 |
| PFS key group | 14 (2048 bit) |
| Lifetime | 3600 |

Local and Remote Network are the mirror image of VyOS's `tunnel 0 local prefix '192.168.1.0/24'` and `remote prefix '192.168.2.0/24'`; if they do not line up, the child SA is rejected with TS_UNACCEPTABLE. The PFS key group must equal VyOS's `pfs 'dh-group14'`.

Advanced Configuration

| Key | Value |
|---|---|
| Automatically ping host | 192.168.1.1 |

pfSense pings the Site A LAN gateway through the tunnel, which brings the child SA up without waiting for user traffic and keeps it from idling out.
Change the firewall to allow the IPsec VPN connection

Add these rules on the WAN interface (Firewall > Rules > WAN), with 1.1.1.1 as the source so that only Site A can reach IKE:

| Protocol | Source | Port | Destination | Port |
|---|---|---|---|---|
| IPv4 UDP | 1.1.1.1 | * | WAN address | 500 (ISAKMP) |
| IPv4 UDP | 1.1.1.1 | * | WAN address | 4500 (IPsec NAT-T) |
| IPv4 ESP | 1.1.1.1 | * | WAN address | * |

Two things are easy to miss here. pfSense adds equivalent WAN rules automatically for every enabled Phase 1 unless "Disable Auto-added VPN rules" is set under System > Advanced > Firewall & NAT, so these explicit rules mainly document intent and let you tighten the source. Traffic arriving through the tunnel is filtered on the IPsec tab (Firewall > Rules > IPsec), which starts empty; without a pass rule there for 192.168.1.0/24, hosts at Site A cannot reach 192.168.2.0/24 even though both SAs are up. On the VyOS side, if a firewall rule set is attached to eth0 as `local`, allow the same three flows (UDP 500, UDP 4500, ESP) from 2.2.2.2.
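The two ends above have to agree on the IKE version, ciphers, DH and PFS groups, identities and mirrored traffic selectors, while lifetimes and DPD timers are per side. The script below is an added example, not code from the article, VyOS or pfSense: it parses the VyOS `set` lines, normalises the pfSense GUI values into the same shape (with "My IP address"/"Peer IP address" resolved to the WAN addresses, as the prerequisites table implies) and reports every mismatch. The function names and both embedded inputs are mine, copied from the tables above.

```python
# Added example (not code from the article, VyOS or pfSense): cross-check the Site A
# VyOS 'set' lines against the pfSense Phase 1/2 values for Site B before committing.
import re
import shlex

# Constructed input: the negotiation-relevant lines from "Configure Site A" (DPD,
# MOBIKE, reauth and ipsec-interfaces lines omitted; they do not affect matching).
VYOS_SITE_A = """
set vpn ipsec ike-group IKE-Default key-exchange 'ikev2'
set vpn ipsec ike-group IKE-Default lifetime '10800'
set vpn ipsec ike-group IKE-Default proposal 1 dh-group '14'
set vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes256gcm128'
set vpn ipsec ike-group IKE-Default proposal 1 hash 'sha256'
set vpn ipsec esp-group ESP-Default lifetime '3600'
set vpn ipsec esp-group ESP-Default pfs 'dh-group14'
set vpn ipsec esp-group ESP-Default proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP-Default proposal 1 hash 'sha256'
set vpn ipsec site-to-site peer 2.2.2.2 authentication id '1.1.1.1'
set vpn ipsec site-to-site peer 2.2.2.2 authentication remote-id '2.2.2.2'
set vpn ipsec site-to-site peer 2.2.2.2 ike-group 'IKE-Default'
set vpn ipsec site-to-site peer 2.2.2.2 local-address '1.1.1.1'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 esp-group 'ESP-Default'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 local prefix '192.168.1.0/24'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 remote prefix '192.168.2.0/24'
"""

# Constructed input: the pfSense GUI values from "Configure Site B", with "My IP
# address"/"Peer IP address" resolved to the WAN addresses in the prerequisites table.
PFSENSE_SITE_B = {
    "p1": {"key_exchange": "ikev2", "remote_gateway": "1.1.1.1", "my_id": "2.2.2.2",
           "peer_id": "1.1.1.1", "encryption": "AES256-GCM", "key_length": 128,
           "hash": "sha256", "dh_group": 14, "lifetime": 28800},
    "p2": {"local_network": "192.168.2.0/24", "remote_network": "192.168.1.0/24",
           "encryption": "AES256-GCM", "key_length": 128, "hash": "sha256",
           "pfs_group": 14, "lifetime": 3600},
}

def parse_vyos(text):
    """'set a b c value' lines -> nested dict {a: {b: {c: value}}}."""
    tree = {}
    for line in text.splitlines():
        tokens = shlex.split(line)           # honours the single quotes around values
        if len(tokens) < 3 or tokens[0] != "set":
            continue
        node = tree
        for key in tokens[1:-2]:
            node = node.setdefault(key, {})
        node[tokens[-2]] = tokens[-1]
    return tree

def vyos_cipher(name):
    """'aes256gcm128' -> ('aes', 256, 'gcm', 128); 'aes256' -> ('aes', 256, 'cbc', None)."""
    alg, key, mode, icv = re.fullmatch(r"(aes)(\d+)(gcm)?(\d+)?", name).groups()
    return (alg, int(key), mode or "cbc", int(icv) if icv else None)

def pfsense_cipher(algorithm, key_length):
    """pfSense (algorithm, 'key length') -> the same tuple as vyos_cipher()."""
    key, mode = re.fullmatch(r"AES(\d+)?(?:-(GCM))?", algorithm).groups()
    if mode:   # AES256-GCM + "128 bits": 256-bit key from the name, 128-bit ICV from the field
        return ("aes", int(key), "gcm", int(key_length))
    return ("aes", int(key_length), "cbc", None)   # plain "AES": the field is the key size

def vyos_view(tree, peer):
    """What VyOS will offer to one site-to-site peer, in PFSENSE_SITE_B's shape."""
    ipsec = tree["vpn"]["ipsec"]
    p = ipsec["site-to-site"]["peer"][peer]
    ikeg = ipsec["ike-group"][p["ike-group"]]
    tun = p["tunnel"]["0"]
    espg = ipsec["esp-group"][tun["esp-group"]]
    ike, esp = ikeg["proposal"]["1"], espg["proposal"]["1"]
    p1 = {"key_exchange": ikeg["key-exchange"], "local_address": p["local-address"],
          "my_id": p["authentication"]["id"], "peer_id": p["authentication"]["remote-id"],
          "cipher": vyos_cipher(ike["encryption"]), "hash": ike["hash"],
          "dh_group": int(ike["dh-group"]), "lifetime": int(ikeg["lifetime"])}
    pfs = espg.get("pfs", "enable")          # VyOS default 'enable' reuses the IKE DH group
    pfs_group = p1["dh_group"] if pfs == "enable" else None if pfs == "disable" else int(pfs[8:])
    p2 = {"local_network": tun["local"]["prefix"], "remote_network": tun["remote"]["prefix"],
          "cipher": vyos_cipher(esp["encryption"]), "hash": esp["hash"],
          "pfs_group": pfs_group, "lifetime": int(espg["lifetime"])}
    return {"p1": p1, "p2": p2}

def check(vyos, pf):
    """[(severity, message)]: 'error' = negotiation fails, 'warning' = differs but tolerated."""
    v1, f1, v2, f2 = vyos["p1"], pf["p1"], vyos["p2"], pf["p2"]
    rules = [
        (v1["key_exchange"] == f1["key_exchange"], "IKE version differs"),
        (v1["cipher"] == pfsense_cipher(f1["encryption"], f1["key_length"]), "IKE cipher differs"),
        (v1["hash"] == f1["hash"], "IKE hash (PRF) differs"),
        (v1["dh_group"] == f1["dh_group"], "IKE DH group differs"),
        (v1["local_address"] == f1["remote_gateway"], "pfSense remote gateway is not the VyOS local-address"),
        (v1["my_id"] == f1["peer_id"] and v1["peer_id"] == f1["my_id"], "IKE identities are not mirrored"),
        (v2["cipher"] == pfsense_cipher(f2["encryption"], f2["key_length"]), "ESP cipher differs"),
        (v2["pfs_group"] == f2["pfs_group"], "ESP PFS group differs"),
        (v2["local_network"] == f2["remote_network"] and v2["remote_network"] == f2["local_network"],
         "traffic selectors are not mirrored"),
        # GCM is an AEAD cipher: ESP negotiates no separate integrity algorithm, so the
        # Phase 2 hash only has to agree for CBC ciphers.
        (v2["cipher"][2] == "gcm" or v2["hash"] == f2["hash"], "ESP integrity algorithm differs"),
    ]
    findings = [("error", msg) for ok, msg in rules if not ok]
    # IKEv2 lifetimes are per side: a mismatch only means the shorter side rekeys first.
    for phase, a, b in (("IKE", v1, f1), ("ESP", v2, f2)):
        if a["lifetime"] != b["lifetime"]:
            findings.append(("warning", f"{phase} lifetime {a['lifetime']}s vs {b['lifetime']}s"))
    return findings

if __name__ == "__main__":
    for severity, message in check(vyos_view(parse_vyos(VYOS_SITE_A), "2.2.2.2"), PFSENSE_SITE_B):
        print(f"{severity.upper():8}{message}")
```

Run it before `commit` on VyOS: with the values from this article it reports only the IKE lifetime warning (10800 s against 28800 s), which IKEv2 tolerates. Change a cipher, group, identity or prefix on one side and the same check turns into an error, which is cheaper than reading the corresponding notify out of the IKE log after the fact.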
—The End—