Difference between revisions of "User:Mauirixxx/pfSense IPSec VPN"
From FreeNAS using Active Directory Wiki
m (→Requirements: updated AES-NI) |
m (→Configuration: saving current progress) |
||
| Line 14: | Line 14: | ||
Both locations must NOT have the same internal LAN address - meaning both can't be running 192.168.1.x addresses, one can run 192.168.1.x while the other can run 192.168.2.x. | Both locations must NOT have the same internal LAN address - meaning both can't be running 192.168.1.x addresses, one can run 192.168.1.x while the other can run 192.168.2.x. | ||
| + | |||
| + | Final note - the VPN configuration on both firewalls will be exactly the same, save for parts that require IP addresses or hostnames. | ||
| + | |||
| + | Let's get started: | ||
| + | * Click on VPN -> IPsec, and on the bottom right, click on +Add P1 | ||
| + | === Phase 1 === | ||
| + | ==== General Info ==== | ||
| + | * Key exchange version: IKEv2 | ||
| + | * Internet Protocol: IPv4 (IPv6/Dual stack will work if you're running IPv6 at both sites) | ||
| + | * Interface: WAN (or whatever you named the interface with the public IP address) | ||
| + | * Remote Gateway: this is where you need either your own domain, or a free Dynaimc DNS provider - or manually entering the IP addresses works, users with dynamic IP addresses the "work" location will have to update your IP address manually every time it changes. | ||
| + | ** Remote Gateway (home): work.piracyforjesus.xyz | ||
| + | ** Remote Gateway (work): home.piracyforjesus.xyz | ||
| + | * Description: put whatever you like or leave blank | ||
| + | ==== Phase 1 Proposal (Authentication) ==== | ||
| + | * Authentication Method: Mutual PSK | ||
| + | * My Identifier: Distinguished name: | ||
| + | ** Home: home.piracyforjesus.xyz | ||
| + | ** Work: work.piracyforjesus.xyz | ||
| + | * Peer identifier: Peer IP address | ||
| + | * Pre-Shared Key: On one firewall, click generate key, then copy & paste that key to the other firewall | ||
| + | ==== Phase 1 Proposal (Encryption Algorithm) ==== | ||
| + | * Encryption Algorithm: | ||
| + | ** Algorithm: AES128-GCM | ||
| + | ** Key Length: 128 bits | ||
| + | ** Hash: SHA256 | ||
| + | ** DH Group: 14 (2048) | ||
| + | * Lifetime (Seconds): 28800 | ||
Revision as of 01:28, 20 July 2019
Contents
About
How to setup an ipsec vpn between 2 instances of pfsense using both a static (work) and dynamic ip address (home office). However, a static IP is NOT a requirement.
Software used
- pfSense: https://www.pfsense.org
Requirements
- Dynamic OR static IP address
- A domain name or a free dynamic DNS provider.
- CPU with AES-NI (if your uplink is 20Mbps or faster)
Configuration
I'm going to assume that if you're at this point, you already have a working pfSense configuration at both locations.
Both locations must NOT have the same internal LAN address - meaning both can't be running 192.168.1.x addresses, one can run 192.168.1.x while the other can run 192.168.2.x.
Final note - the VPN configuration on both firewalls will be exactly the same, save for parts that require IP addresses or hostnames.
Let's get started:
- Click on VPN -> IPsec, and on the bottom right, click on +Add P1
Phase 1
General Info
- Key exchange version: IKEv2
- Internet Protocol: IPv4 (IPv6/Dual stack will work if you're running IPv6 at both sites)
- Interface: WAN (or whatever you named the interface with the public IP address)
- Remote Gateway: this is where you need either your own domain, or a free Dynaimc DNS provider - or manually entering the IP addresses works, users with dynamic IP addresses the "work" location will have to update your IP address manually every time it changes.
- Remote Gateway (home): work.piracyforjesus.xyz
- Remote Gateway (work): home.piracyforjesus.xyz
- Description: put whatever you like or leave blank
Phase 1 Proposal (Authentication)
- Authentication Method: Mutual PSK
- My Identifier: Distinguished name:
- Home: home.piracyforjesus.xyz
- Work: work.piracyforjesus.xyz
- Peer identifier: Peer IP address
- Pre-Shared Key: On one firewall, click generate key, then copy & paste that key to the other firewall
Phase 1 Proposal (Encryption Algorithm)
- Encryption Algorithm:
- Algorithm: AES128-GCM
- Key Length: 128 bits
- Hash: SHA256
- DH Group: 14 (2048)
- Lifetime (Seconds): 28800
