How to build ipse site-to-site VPN with vyos and pfsense
Vyos VS pfsense
For build all kinds of network functions like nat,firewall, site-to-site vpn , dial in vpn with pfsense.It works well. But it has some Crons:
- Hard to upgrade version, it manybe crashed
- Didn’t support API.
- Heavy loading and low performance.
After try to replace pfsense to build all functions with vyos. It has a lot of pros:
- Easy upgrade and rollback
- Support http and python api
- Support ansible deploy
- Command line operation,just like juniper and cisco.
Today I will show you how to build ipsec site-to-site vpn with vyos and pfsense
Prerequest
|
SITE A |
SITE B |
| WAN ADDRESS |
1.1.1.1 |
2.2.2.2 |
| WAN Interface |
eth0 |
eth0 |
| LAN ADDRESS |
192.168.1.1/24 |
192.168.2.1/24 |
| LAN NETWORK |
192.168.1.0/24 |
192.168.2.0/24 |
| LAN Interface |
eth1 |
eth1 |
| OS |
Vyos |
pfsense |
| Pre-Shared Key |
*#JCenaoewaoi0298J299*8&^(%9))_&& |
*#JCenaoewaoi0298J299*8&^(%9))_&& |
Configure Site A
configure
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group IKE-Default dead-peer-detection action 'hold'
set vpn ipsec ike-group IKE-Default dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-Default dead-peer-detection timeout '120'
set vpn ipsec ike-group IKE-Default ikev2-reauth 'no'
set vpn ipsec ike-group IKE-Default key-exchange 'ikev2'
set vpn ipsec ike-group IKE-Default lifetime '10800'
set vpn ipsec ike-group IKE-Default mobike 'disable'
set vpn ipsec ike-group IKE-Default proposal 1 dh-group '14'
set vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes256gcm128'
set vpn ipsec ike-group IKE-Default proposal 1 hash 'sha256'
set vpn ipsec esp-group ESP-Default compression 'disable'
set vpn ipsec esp-group ESP-Default lifetime '3600'
set vpn ipsec esp-group ESP-Default mode 'tunnel'
set vpn ipsec esp-group ESP-Default pfs 'dh-group14'
set vpn ipsec esp-group ESP-Default proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP-Default proposal 1 hash 'sha256'
set vpn ipsec site-to-site peer 2.2.2.2 authentication id '1.1.1.1'
set vpn ipsec site-to-site peer 2.2.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret '*#JCenaoewaoi0298J299*8&^(%9))_&&'
set vpn ipsec site-to-site peer 2.2.2.2 authentication remote-id '2.2.2.2'
set vpn ipsec site-to-site peer 2.2.2.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 2.2.2.2 ike-group 'IKE-Default'
set vpn ipsec site-to-site peer 2.2.2.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 2.2.2.2 local-address '1.1.1.1'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 esp-group 'ESP-Default'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 local prefix '192.168.1.0/24'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 remote prefix '192.168.2.0/24'
Configure Site B
- After login pfsense click
VPN | IPsec;
- Then click ‘Add P1` button.
- configuraton as show below
Add P1
| Key |
Value |
Disabled |
uncheck |
Key Exchange version |
IKEv2 |
| Internet Protocol |
IPv4 |
| Interfae |
WAN |
| Remote Gateway |
1.1.1.1 |
| Description |
SITE-A-VPN |
Phase 1 Proposal (Authentication)
| Key |
Value |
| Authentication Method |
Mutual PSK |
| My identifier |
My IP address |
| Peer identifier |
Peer IP address |
| Pre-Shared Key |
*#JCenaoewaoi0298J299*8&^(%9))_&& |
Phase 1 Proposal(Encryption Algorithm)
| Key |
Algorithm |
Key length |
Hash |
DH Group |
| Encryption Algorithm |
AES256-GCM |
128 bits |
SHA256 |
14(2048bit) |
| Key |
Value |
| Lifetime(Seconds) |
28800 |
Advanced Options
| KEY |
VALUE |
| Disable rekey |
uncheck |
| Margintime(Seconds |
black |
| Disable Reauth |
uncheck |
| Responder Only |
Uncheck |
| MOBIKE |
Disable |
| Split connections |
uncheck |
| Dead Peer Dection |
‘Check on’ Enable DPD |
| Delay |
120 |
| Max failures |
30 |
Add P2
| Key |
Value |
| Disable |
unchecked |
| Mode |
Tunnel IPv4 |
| Local network |
Network 192.168.2.0/24 |
| NAT/BINAT translation |
None |
| Remote Network |
Network 192.168.1.0/24 |
| Description |
Site A |
Phase 2 Proposal(SA/Key Exchange)
| Key |
Value |
| Protocol |
ESP |
| Encryption Algorithms |
AES256-GCM 128 bit |
| Hash Algorithms |
SHA256 |
| PFS key group |
14(2048 bit) |
| Lifttime |
3600 |
Advanced Configuration
| Key |
Value |
| Automatically ping host |
192.168.1.1 |
Change firewall to allow ipsec vpn connection
| Protocol |
Source |
Port |
Destination |
Port |
| Ipv4 UDP |
1.1.1.1 |
* |
WAN address |
500(ISAKMP) |
| IPv4 UDP |
1.1.1.1 |
* |
WAN address |
4500(IPsec NAT-T) |
| Ipv4 ESP |
1.1.1.1 |
* |
WAN address |
* |
—The End—