Connecting pfSense via Route-Based Static VPN


This article describes how to connect pfSense to a Pureport Site VPN Connection using a route-based VPN with static routes.


Note: Pureport recommends using Route-Based VPN with BGP for site VPN configurations, since Pureport manages the BGP peering for you. This makes future network growth and changes much easier. See "Connecting pfSense via Route-Based VPN with BGP" for details.


Prerequisites:

Before connecting to pfSense, you must have a Pureport Policy-Based VPN Connection. See "Connecting to a Site VPN - Policy-Based" for details.

Note: pfSense supports a maximum Encryption Key length of 256 bits. Ensure that your Pureport VPN Site Connection uses AES-CBC with a 128, 192 or 256 bit key.


You must also gather the following information: 

  • IKE Version
  • Primary Pureport Gateway IP
  • Secondary Pureport Gateway IP
  • Primary Pre-shared Key
  • Secondary Pre-shared Key
  • The Local Network in CIDR format (the Customer VTI IP, shown in CIDR format in the Pureport Console)
  • The Remote Network (the Customer VTI IP address shown in the Pureport Console)
  • The Encryption, Integrity, and DH Group mechanisms from the Pureport Console.
    Note: Due to pfSense limits, the Encryption Algorithm and Key Length must be AES-CBC with a 128, 192 or 256 bit key.


Connecting to pfSense

Use the information from the VPN Site Connection you created in the Pureport Console.


Adding pfSense IPSec Phase1

  1. From the navbar, select VPN > IPSec.

  2. Click the Add P1 button.



  3. Enter the following information in each field on the page:

    General Information

    • Key Exchange version: choose the IKE version you used to create your Pureport Site Connection. In this case it would be IKEv2. 
    • Interface: WAN
    • Remote Gateway: Copy the Pureport Gateway IP from the Primary Gateway in the Pureport Console

    Authentication
    • Pre-Shared Key: Copy the Pre-shared Key from the Pureport Primary Gateway in the Pureport Console.
      Click the Show link to display the key; click the Copy icon to copy the key to your clipboard.

    Encryption Algorithm:
    • Algorithm / Key Length: Choose the Encryption Algorithm used in the Pureport Console
    • Key Length: This also comes from the Encryption method you chose in the Pureport Console. pfSense supports a maximum AES Key Length of 256 bits.
    • Hash: Select the Integrity value you selected for your Site VPN Connection.
    • DH Group: Select the same value you used for your Site VPN Connection.


  4. Select Save at the bottom of the page, then click Apply Changes at the top of the pfSense VPN Console. 


Adding pfSense IPSec Phase2

  1. Select the Show Phase 2 Entries button under the IPsec Tunnel you just created, then select Add P2.

  2. Refer back to the Primary Gateway for the Site VPN Connection in the Pureport Console; you will use those fields when creating the Phase 2 tunnel.

  3. Enter the following information in each field on the page:

    General Information
    • Mode: Routed (VTI)
    • Local Network: The Customer VTI IP.
    • Remote Network: The Pureport VTI IP.

    SA/Key Exchange
    • Encryption / Hash Algorithm: Use the same Encryption and Integrity (Hash) values you used in Phase 1.

  4. Select Save at the bottom of the page, then click Apply Changes at the top of the pfSense VPN Console.
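Before clicking Save it is easy to mistype a key length or leave Phase 2 with different crypto than Phase 1, which produces a tunnel that never establishes. The following added example (not part of this article, and not pfSense or Pureport tooling) checks a Phase 1 and Phase 2 settings dictionary against the constraints this guide states: AES-CBC with a 128, 192 or 256 bit key, Routed (VTI) mode, Phase 2 crypto equal to Phase 1, and valid VTI addresses. The dictionary key names and the sample values are assumptions chosen for illustration; the real values come from the Pureport Console.

```python
"""Sanity-check pfSense Phase 1 / Phase 2 settings against this guide's constraints.

Added example; field names (ike_version, encryption, key_length, ...) are
assumed for illustration and do not correspond to pfSense's internal config.
"""
import ipaddress

# Constraints stated in the guide.
ALLOWED_ENCRYPTION = "AES-CBC"
ALLOWED_KEY_LENGTHS = {128, 192, 256}
ALLOWED_IKE_VERSIONS = {"IKEv1", "IKEv2"}
PHASE2_MODE = "Routed (VTI)"


def check_phase1(p1):
    """Return a list of problems in the Phase 1 settings (empty list means OK)."""
    problems = []
    if p1.get("ike_version") not in ALLOWED_IKE_VERSIONS:
        problems.append(f"unknown IKE version {p1.get('ike_version')!r}")
    if p1.get("encryption") != ALLOWED_ENCRYPTION:
        problems.append(f"encryption must be {ALLOWED_ENCRYPTION}, got {p1.get('encryption')!r}")
    if p1.get("key_length") not in ALLOWED_KEY_LENGTHS:
        problems.append(f"key length must be one of {sorted(ALLOWED_KEY_LENGTHS)}, got {p1.get('key_length')!r}")
    try:
        ipaddress.ip_address(p1["remote_gateway"])
    except (KeyError, ValueError):
        problems.append("remote_gateway is not a valid IP address")
    if not p1.get("psk"):
        problems.append("pre-shared key is empty")
    for field in ("hash", "dh_group"):
        if not p1.get(field):
            problems.append(f"{field} is missing")
    return problems


def check_phase2(p1, p2):
    """Phase 2 must be Routed (VTI), reuse the Phase 1 crypto and carry VTI addresses."""
    problems = []
    if p2.get("mode") != PHASE2_MODE:
        problems.append(f"mode must be {PHASE2_MODE!r}, got {p2.get('mode')!r}")
    for field in ("encryption", "key_length", "hash"):
        if p2.get(field) != p1.get(field):
            problems.append(f"{field} differs from Phase 1 ({p2.get(field)!r} vs {p1.get(field)!r})")
    addrs = {}
    for field in ("local_network", "remote_network"):
        try:
            addrs[field] = ipaddress.ip_interface(p2[field])
        except (KeyError, ValueError):
            problems.append(f"{field} is not a valid VTI address")
    # Point-to-point VTI addressing: both ends normally sit in the same small subnet.
    if len(addrs) == 2 and addrs["remote_network"].ip not in addrs["local_network"].network:
        problems.append("remote VTI address is outside the local VTI subnet")
    return problems


def check_config(p1, p2):
    """Combine both checks; an empty list means the settings are consistent."""
    return check_phase1(p1) + check_phase2(p1, p2)


# Constructed sample values (documentation addresses, placeholder key).
GOOD_P1 = {"ike_version": "IKEv2", "remote_gateway": "198.51.100.20",
           "psk": "PLACEHOLDER-PSK", "encryption": "AES-CBC", "key_length": 256,
           "hash": "SHA256", "dh_group": "14"}
GOOD_P2 = {"mode": "Routed (VTI)", "local_network": "169.254.100.1/30",
           "remote_network": "169.254.100.2", "encryption": "AES-CBC",
           "key_length": 256, "hash": "SHA256"}

if __name__ == "__main__":
    for problem in check_config(GOOD_P1, GOOD_P2) or ["settings look consistent"]:
        print(problem)
```

Run it with your own values substituted into the two dictionaries; any line it prints is a field to correct in the pfSense form before applying changes.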


Initiate IPSec Connection


Navigate to Status > IPSec, then click Connect next to the connection.


The status should be ESTABLISHED. If not, review the logs (Status > System Logs > IPSec) to troubleshoot the connection.
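The IPsec log is strongSwan (charon) output, and a handful of recurring messages map directly onto the settings in the steps above. This added example (not part of the article or of pfSense) classifies log lines by those messages and states which pfSense field to re-check; the sample lines are constructed in strongSwan's format with documentation addresses, and the mapping from message to remedy is an assumption based on common strongSwan behaviour, not an exhaustive list.

```python
"""Triage pfSense IPsec (strongSwan charon) log lines for common tunnel failures.

Added example; the SYMPTOMS table is an assumed mapping from well-known
strongSwan notify messages to the pfSense setting usually responsible.
"""
import re

SYMPTOMS = [
    (re.compile(r"established between"), "OK",
     "IKE_SA established; Status > IPSec should show ESTABLISHED"),
    (re.compile(r"NO_PROPOSAL_CHOSEN"), "PROPOSAL_MISMATCH",
     "Phase 1/2 Encryption, Key Length, Hash or DH Group differs from the Pureport "
     "Site Connection (pfSense: AES-CBC 128/192/256 only)"),
    (re.compile(r"AUTHENTICATION_FAILED"), "AUTH_FAILED",
     "Pre-shared key or peer identity mismatch; re-copy the key from the Pureport gateway"),
    (re.compile(r"no (?:IKE config|matching peer config) found"), "PEER_MISMATCH",
     "Remote Gateway IP or IKE version matches no pfSense Phase 1 entry"),
    (re.compile(r"giving up after \d+ retransmits"), "NO_RESPONSE",
     "Peer not answering; check WAN reachability and that UDP 500/4500 is not filtered"),
]


def triage(lines):
    """Return (code, advice) for every recognised line, in log order."""
    findings = []
    for line in lines:
        for pattern, code, advice in SYMPTOMS:
            if pattern.search(line):
                findings.append((code, advice))
                break  # first matching symptom wins for this line
    return findings


def tunnel_state(lines):
    """State implied by the most recent recognised event, or UNKNOWN."""
    findings = triage(lines)
    if not findings:
        return "UNKNOWN"
    code = findings[-1][0]
    return "ESTABLISHED" if code == "OK" else code


# Constructed sample logs (strongSwan style, documentation addresses).
FAILING_LOG = """\
Nov 12 10:00:01 charon[41322]: 08[IKE] <con1000|1> initiating IKE_SA con1000[1] to 198.51.100.20
Nov 12 10:00:01 charon[41322]: 08[ENC] <con1000|1> generating IKE_SA_INIT request 0
Nov 12 10:00:01 charon[41322]: 08[IKE] <con1000|1> received NO_PROPOSAL_CHOSEN notify error
""".splitlines()

WORKING_LOG = """\
Nov 12 10:05:01 charon[41322]: 09[IKE] <con1000|2> initiating IKE_SA con1000[2] to 198.51.100.20
Nov 12 10:05:01 charon[41322]: 09[IKE] <con1000|2> IKE_SA con1000[2] established between 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
""".splitlines()

if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        print(f"{name}: {tunnel_state(log)}")
        for code, advice in triage(log):
            print(f"  [{code}] {advice}")
```

Paste the lines from Status > System Logs > IPSec into FAILING_LOG (or feed them from a file) and read the advice for the last event; a PROPOSAL_MISMATCH after a Phase 2 change usually means the Phase 2 Encryption / Hash no longer equals Phase 1.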

 



Add/Enable VTI Interface

After configuring IPSec Phase2 to use VTI, you must add and enable the VTI interface. 


  1. Select Interfaces > Assignments from the top navbar, then click Add next to the VTI IPSec network port. This adds an interface called OPT1.

  2. Click Save.

  3. Select the new interface and mark it Enabled. Leave all other settings at their defaults, then select Save.
  4. Select Apply Changes.


Add pfSense Static Route

  1. From the pfSense navbar, select System > Routing > Static Routes.

  2. Click Add to add a static route to each of your remote networks via the VTI interface.

  3. Enter the following information in each field on the page:
    • Destination Network: The remote network you wish to route to.
    • Gateway: Select the interface you created earlier.

  4. Click Save.

Repeat for each destination network.


After adding all routes, click Apply Changes.