pfSense Split Tunnel IPsec VPN - blake-anderson/SEC-440 GitHub Wiki
---pfSense Split-Tunnel IPsec VPN setup and configuration---
This wiki page goes over the steps of creating a site-to-site IPsec VPN between two pfSense boxes on separate networks. The purpose of this solution is to encrypt traffic between the two LANs while it crosses the WAN, so hosts on either side can reach the other network without any VPN client software. It fits cases such as a branch office (or a remote employee with their own pfSense box) to a main office, or office to office.
There are two major benefits of this solution -
The first is that users on the LAN do not need to do ANY configuration besides being on the network behind the pfSense machine. Tunneling and routing are handled by the pfSense box.
The second major benefit is split tunneling. Split tunneling means traffic is routed by destination: packets for the remote network go through the VPN, and anything else leaves through the normal WAN connection. This keeps general internet traffic off the tunnel and off the far end's link, which reduces load and helps overall speed. The flip side is that only destinations covered by a Phase 2 entry are encrypted; anything not listed there crosses the WAN in the clear, so the remote network definition has to be complete.
Below is a diagram that highlights the architecture that this build is using-
---Setting Up pfSense---
On initial startup, you may be asked to assign the LAN and WAN interfaces. This is usually done automatically, but assign each properly if required. VLANs do not need to be touched for the sake of this lab.
To set the IPs of the WAN/LAN interfaces, log in to the console using the default credentials admin:pfsense. Enter option 2, "Set interface(s) IP address". Go through the prompts you are given until the console prints the web address for the LAN interface (it will be https://LAN.GW.ADDRESS).
On a GUI machine, go to that address in a web browser. Log in using the same admin:pfsense credentials and run through the setup wizard. The wizard asks for a new admin password; set one there, since the default is public knowledge.
Make sure everything looks good, then test networking on the LAN to be sure. Diagnostics --> Ping and Diagnostics --> Traceroute are helpful for troubleshooting.
---Some Initial Setup Tips for pfSense---
DNS Issues with Two pfSense Routers on the same WAN network
Restrict the DNS forwarder to the LAN interface or turn it off. If two pfSense machines are running at the same time on the same WAN network with forwarding enabled on All interfaces, they can end up forwarding queries to each other in a never-ending DNS loop. To prevent this, make sure the DNS forwarder listens only on LAN, not on All interfaces. (Newer pfSense versions use the DNS Resolver by default; the equivalent setting is Network Interfaces under Services --> DNS Resolver.)
In the pfSense web interface-
Navigate to- Services --> DNS Forwarder
Scroll down and change Interfaces from All to LAN
Scroll down a bit more and make sure to click Save. Then click apply at the top of the page when the prompt appears.
This should stop the never ending loop of DNS requests getting passed from pfSense to pfSense. Resolutions should now work as expected.
Extreme ICMP Spam from pfSense WAN to Gateway
If you do any packet inspection on the traffic between the two pfSense routers, there is a good chance you will see almost nothing but ICMP. This is due to the gateway monitoring pfSense performs: dpinger pings the gateway's monitor IP at a short interval (500 ms by default).
To get this to stop, do the following in the pfSense web interface-
Navigate to-
System → Routing → Gateways
Click the little pencil next to your active gateway
Check "Disable Gateway Monitoring" to stop the pings altogether, or only "Disable Gateway Monitoring Action" to keep monitoring but stop pfSense from acting on it (the first alone is enough for a quiet capture). Note that with monitoring disabled pfSense can no longer notice the gateway going down, so on a box that relies on gateway failover leave it on and raise the Probe Interval under the Advanced section instead.
Make sure to click Save at the bottom, then Apply Changes!
---Creating the IPsec Phase 1 Instances---
In the web interface, navigate to VPN --> IPsec
In the Tunnels pane, click the green "+ Add P1" button
This will bring up the phase 1 configuration for the IPsec tunnel. For this architecture, the following settings worked well-
**General Information
Key Exchange version- IKEv2 (IKEv2 has a simpler and more robust negotiation than IKEv1 and is the better choice; IKEv1 will work too, but both peers must use the same version)
Internet Protocol- IPv4
Interface- WAN
Remote Gateway- Public IP address of the other node (if the other pfSense sits behind a NAT device, this is the NAT device's public address, not the pfSense WAN address!)
**Phase 1 Proposal (Authentication)
Authentication Method- Mutual PSK (I used a PSK, alternately a cert can be used in place of this if you like)
Negotiation mode- Main. This option only appears for IKEv1 (IKEv2 has no Main/Aggressive distinction). Do not use Aggressive mode with a PSK: it sends the identity hash unencrypted, which lets anyone who captures the exchange brute-force the PSK offline.
My identifier- My IP address (if this pfSense is behind a NAT device, the peer sees the NAT device's public address, so use an identifier type both sides can agree on, such as the public IP or a distinguished name!)
Peer identifier- Peer IP address (same caveat if the peer is behind a NAT device!)
Pre-Shared Key- Enter the PSK if you used one. Make it long and random (the Generate new Pre-Shared Key button next to the field does this) and enter exactly the same value on both peers.
**Phase 1 Proposal
The defaults here (AES or AES-GCM, SHA256 and DH group 14, depending on the pfSense version) are fine. AES 256 costs very little on hardware with AES-NI, so pick it if you want; what matters more is not to select 3DES, MD5, SHA1 or DH groups 1, 2 and 5, and to offer the same proposal on both peers.
Everything else in the advanced options will be fine for a standard setup. Change as needed.
---Creating the IPsec Phase 2 Instances---
Return to the IPsec --> Tunnels page and click the green "+ Add P2" button.
**General Information
Mode- Tunnel IPv4
Local Network- LAN Subnet
NAT/BINAT translation- leave at None unless the two LANs use overlapping address space (this translates the local subnet; a pfSense that is itself behind a NAT device is handled by the Phase 1 identifiers and NAT-T, not here)
Remote Network- Network; enter the IP address block of the remote LAN here. This must mirror the other box (its Local Network is your Remote Network and vice versa), otherwise Phase 2 will not match. Add one Phase 2 entry per remote subnet that should be reachable.
**Phase 2 Proposal (SA/Key Exchange)
Protocol- ESP (Use ESP for full packet encryption!)
Encryption Algorithms- Check AES (128 bits) and AES128-GCM (128 bits); both sides must have at least one proposal in common.
Hash Algorithms- SHA256 (this applies to the AES-CBC proposal; AES-GCM authenticates the packet itself and does not use a separate hash)
PFS key group- 14 (2048-bit MODP; both sides must use the same group, or both must have PFS off)
Lifetime- 3600 (seconds)
If you want to troubleshoot or generally ensure the tunnel is up, you can set the Automatically ping host to ping the other pfSense box. I left this off, however.
---Starting the Tunnel---
To establish the tunnel, navigate to Status --> IPsec.
Simply click the green Connect button to bring the tunnel up.
If the connection is successful, the status will indicate "ESTABLISHED" along with how long the tunnel has been up. If it stays in CONNECTING, look at Status --> System Logs --> IPsec; the strongSwan log there shows which step of the negotiation failed (a PSK or identifier mismatch is the usual cause).
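As an added check (example script written for this page, not code from the original wiki or from pfSense), the POSIX shell functions below parse the output of `swanctl --list-sas`, the strongSwan status command on pfSense 2.5 and later (on 2.4.x the equivalent is `ipsec statusall`, whose layout differs), and verify the things that most often go wrong in this setup: the IKE SA is ESTABLISHED, a CHILD SA is INSTALLED, the installed selectors are exactly the Local/Remote Network pair entered in Phase 2, no weak algorithm was negotiated, and packets are actually arriving through the tunnel. The embedded SAMPLE is constructed to mimic that command's layout; the connection name con1, the addresses, SPIs, counters and subnets are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original wiki: sanity checks over the output of
# `swanctl --list-sas`, the strongSwan status command available from the pfSense
# shell (SSH, or Diagnostics -> Command Prompt). Connection name, addresses,
# SPIs, counters and subnets in SAMPLE are CONSTRUCTED assumptions that mimic
# the command's layout; they are not values from the wiki.
SAMPLE=$(cat <<'EOF'
con1: #1, ESTABLISHED, IKEv2, 1a2b3c4d5e6f7081_i* 0918f7e6d5c4b3a2_r
  local  '203.0.113.10' @ 203.0.113.10[4500]
  remote '198.51.100.20' @ 198.51.100.20[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 95s ago, rekeying in 26412s
  con1: #2, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128/MODP_2048
    installed 95s ago, rekeying in 2730s, expires in 3505s
    in  c2f4a1e9,   1320 bytes,    14 packets
    out c9e1a4f2,   1180 bytes,    13 packets
    local  10.10.0.0/24
    remote 10.20.0.0/24
EOF
)

# IKE SA (Phase 1) state: second comma-separated field of the unindented "#N," line.
ike_state() {
    s=$(printf '%s\n' "$1" | awk -F', ' '/^[^ ].*#[0-9]+,/ { print $2; exit }')
    printf '%s\n' "${s:-NONE}"
}

# CHILD SA (Phase 2) state: third field of the indented "reqid N," line.
child_state() {
    s=$(printf '%s\n' "$1" | awk -F', ' '/^ +[^ ].*reqid [0-9]+,/ { print $3; exit }')
    printf '%s\n' "${s:-NONE}"
}

# Traffic selectors actually installed, printed as "LOCAL REMOTE". The IKE-level
# local/remote lines carry a quoted identity, so only lines whose value starts
# with a digit (the Phase 2 subnets) are taken.
child_selectors() {
    printf '%s\n' "$1" | awk '
        /^ +local +[0-9]/  { l = $2 }
        /^ +remote +[0-9]/ { r = $2 }
        END { print l, r }'
}

# Inbound packet count on the CHILD SA. A tunnel that is INSTALLED but never
# counts inbound packets usually means the far side's traffic is being dropped,
# most often by the (empty by default) Firewall -> Rules -> IPsec tab.
child_in_packets() {
    printf '%s\n' "$1" | awk '/^ +in +[0-9a-f]+,/ { print $5; exit }'
}

# Algorithms that should not show up in a negotiated proposal, one per line.
weak_algos() {
    printf '%s\n' "$1" | grep -oE '3DES|DES_CBC|MD5|HMAC_SHA1|MODP_768|MODP_1024|MODP_1536' | sort -u
}

# Verdict: prints OK, or FAIL with the first problem found. Arguments: status
# text, expected local network, expected remote network (as typed in Phase 2).
check_tunnel() {
    out=$1; want="$2 $3"
    [ "$(ike_state "$out")" = ESTABLISHED ] || { echo "FAIL: IKE SA not ESTABLISHED (check Phase 1, PSK, identifiers)"; return 1; }
    [ "$(child_state "$out")" = INSTALLED ] || { echo "FAIL: no INSTALLED CHILD SA (check Phase 2 networks/proposals)"; return 1; }
    sel=$(child_selectors "$out")
    [ "$sel" = "$want" ] || { echo "FAIL: installed selectors '$sel' do not match expected '$want'"; return 1; }
    weak=$(weak_algos "$out")
    [ -z "$weak" ] || { echo "FAIL: weak algorithms negotiated: $(printf '%s' "$weak" | tr '\n' ' ')"; return 1; }
    echo OK
}

# Stand-alone run: uses SAMPLE unless SAS_FILE names a file holding real output
# (on the firewall: swanctl --list-sas > /tmp/sas.txt; SAS_FILE=/tmp/sas.txt sh check_ipsec.sh).
input=$SAMPLE
if [ -n "${SAS_FILE:-}" ]; then input=$(cat "$SAS_FILE"); fi
check_tunnel "$input" 10.10.0.0/24 10.20.0.0/24
if [ "$(child_in_packets "$input")" = 0 ]; then
    echo "WARN: no inbound ESP packets yet; if traffic is expected, check Firewall -> Rules -> IPsec"
fi
```

The selector comparison is the part worth keeping around: a tunnel that shows ESTABLISHED on the Status page can still carry the wrong subnets if one side's Remote Network was mistyped, and that traffic then leaves the WAN in the clear rather than failing loudly. The expected networks are passed in as arguments so the same script can be run on either box with the two values swapped.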
Once this is done, the VPN routes all traffic for the remote network through the tunnel. Two firewall points to check: when the tunnel is enabled pfSense automatically adds WAN rules allowing IKE (UDP 500), NAT-T (UDP 4500) and ESP from the peer (unless auto-added VPN rules are disabled under System --> Advanced --> Firewall & NAT), and traffic arriving through the tunnel is filtered by the Firewall --> Rules --> IPsec tab, which is empty by default, so add rules there to let the remote LAN in.
Any traffic that is not destined for the remote network is sent out of pfSense normally, unencrypted.
If you need manual outbound NAT rules (for example to NAT a particular flow into the tunnel, or to exclude one), set Firewall --> NAT --> Outbound to Hybrid. This keeps the automatic rules and allows adding your own rules to create the proper traffic flows.