Connecting pfSense via Route-Based VPN with BGP

This article describes how to connect pfSense to Pureport over a route-based (VTI) IPsec VPN and exchange routes with it over BGP using the OpenBGPD package.


Prerequisites

Before connecting to pfSense, you must have a Pureport Site VPN Connection. Because this article uses a VTI interface and BGP, that connection must be route-based; the VTI addresses and BGP parameters used below come from it. See "Connecting to a Site VPN" for details.

Note: pfSense supports a maximum encryption key length of 256 bits. Ensure that your Pureport VPN Site Connection uses AES-CBC with a 128-, 192-, or 256-bit key.


You must also gather the following information:

  • IKE Version
  • Primary Pureport Gateway IP
  • Secondary Pureport Gateway IP
  • Primary Pre-shared Key
  • Secondary Pre-shared Key
  • The Local Network in CIDR (the Customer VTI IP in CIDR format in the Pureport Console)
  • The Remote Network (the Pureport VTI IP address in the Pureport Console)
  • The Encryption, Integrity, and DH Group mechanisms from the Pureport Console.
    Note: Due to pfSense limits, the Encryption Algorithm and Key Length must be AES-CBC 128, 192, or 256 bits.



Connecting to pfSense

Use the values from the Primary Gateway of the VPN Site Connection you created in the Pureport Console. The Secondary Gateway has its own IP and pre-shared key; to get a redundant second tunnel, repeat the Phase 1, Phase 2, VTI interface, and BGP neighbor steps below with the Secondary Gateway values.


Adding pfSense IPSec Phase 1

  1. From the navbar, select VPN > IPSec.

  2. Click the Add P1 button.



  3. Enter the following information in each field on the page:

    General Information

    • Key Exchange version: Choose the IKE version you used to create your Pureport Site Connection. In this case it is IKEv2.
    • Interface: WAN
    • Remote Gateway: Copy the Pureport Gateway IP from the Primary Gateway in the Pureport Console.

    Authentication
    • Pre-Shared Key: Copy the Pre-shared Key from the Pureport Primary Gateway in the Pureport Console.
      Click the Show link to display the key; click the Copy icon to copy the key to your clipboard.

    Encryption Algorithm
    • Algorithm: Choose the Encryption Algorithm used in the Pureport Console (AES-CBC).
    • Key Length: The key length you chose for the Encryption method in the Pureport Console. pfSense supports a maximum AES key length of 256 bits.
    • Hash: Select the Integrity value you selected for your Site VPN Connection.
    • DH Group: Select the same value you used for your Site VPN Connection.


  4. Select Save at the bottom of the page, then click Apply Changes at the top of the pfSense VPN Console.


Adding pfSense IPSec Phase2

  1. Select the Show Phase 2 Entries button under the IPsec tunnel you just created, then select Add P2.

  2. Refer to the Primary Gateway settings for the Site VPN Connection in the Pureport Console. You will need the two VTI addresses and the Phase 1 encryption settings to create the Phase 2 tunnel.


  3. Enter the following information in each field on the page:

    General Information
    • Mode: Routed (VTI)
    • Local Network: The Customer VTI IP.
    • Remote Network: The Pureport VTI IP.

    SA/Key Exchange
    • Encryption / Hash Algorithm: Use the same Encryption and Integrity (Hash) values you used in Phase 1.

  4. Select Save at the bottom of the page, then click Apply Changes at the top of the pfSense VPN Console.
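The values entered in Phase 1 and Phase 2 above are copied by hand from the Pureport Console, and a mistyped VTI address or an encryption choice outside the pfSense limit only shows up later as a tunnel that never reaches ESTABLISHED. The following Python check is an added example, not part of this article or of pfSense; it validates a set of console values before you start clicking through the GUI. The field names, the 203.0.113.x gateway addresses, and the placeholder pre-shared keys are constructed for the example.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constraint stated in the article: pfSense accepts AES-CBC with a 128/192/256-bit key.
PFSENSE_AES_CBC_KEY_BITS = {128, 192, 256}
SUPPORTED_IKE_VERSIONS = {"IKEv1", "IKEv2"}


@dataclass
class SiteVpnValues:
    """Values copied from the Pureport Console for one Site VPN Connection.

    The field names are this example's own (they follow the Prerequisites
    checklist); they are not a Pureport API.
    """
    ike_version: str
    primary_gateway_ip: str
    secondary_gateway_ip: str
    primary_psk: str
    secondary_psk: str
    customer_vti_cidr: str   # Customer VTI IP in CIDR form, e.g. "169.254.1.1/30"
    pureport_vti_ip: str     # Pureport VTI IP, e.g. "169.254.1.2"
    encryption: str          # e.g. "AES-CBC-256"
    integrity: str           # e.g. "SHA256"
    dh_group: int


def parse_encryption(spec: str) -> tuple[str, int]:
    """Split an '<ALGO>-<MODE>-<bits>' spec such as 'AES-CBC-256' into ('AES-CBC', 256)."""
    m = re.fullmatch(r"([A-Za-z0-9]+-[A-Za-z]+)-(\d+)", spec.strip())
    if not m:
        raise ValueError(f"unrecognised encryption spec: {spec!r}")
    return m.group(1).upper(), int(m.group(2))


def validate(v: SiteVpnValues) -> list[str]:
    """Return the problems found; an empty list means the values can be entered as-is."""
    problems: list[str] = []

    if v.ike_version not in SUPPORTED_IKE_VERSIONS:
        problems.append(f"unknown IKE version {v.ike_version!r}")

    # Phase 1 / Phase 2 encryption must fit the pfSense limit before you start clicking.
    try:
        algo, bits = parse_encryption(v.encryption)
        if algo != "AES-CBC" or bits not in PFSENSE_AES_CBC_KEY_BITS:
            problems.append(
                f"encryption {v.encryption!r} is not AES-CBC 128/192/256; "
                "change the Pureport Site Connection before continuing"
            )
    except ValueError as exc:
        problems.append(str(exc))

    # Both gateways must be valid, distinct addresses (each one gets its own Phase 1).
    gateways = {}
    for name, ip in (("primary", v.primary_gateway_ip), ("secondary", v.secondary_gateway_ip)):
        try:
            gateways[name] = ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"{name} gateway IP {ip!r} is not a valid address")
    if len(gateways) == 2 and gateways["primary"] == gateways["secondary"]:
        problems.append("primary and secondary gateway IPs are identical")

    if not v.primary_psk or not v.secondary_psk:
        problems.append("a pre-shared key is empty; copy it from the gateway's Show link")

    # The two VTI addresses must sit in the same transit subnet and differ from each other.
    try:
        customer = ipaddress.ip_interface(v.customer_vti_cidr)
        pureport = ipaddress.ip_address(v.pureport_vti_ip)
        if pureport not in customer.network:
            problems.append(f"Pureport VTI IP {pureport} is not inside {customer.network}")
        elif pureport == customer.ip:
            problems.append("customer and Pureport VTI IPs are the same address")
    except ValueError as exc:
        problems.append(f"bad VTI address: {exc}")

    if v.dh_group < 1:
        problems.append("DH group must be a positive group number")
    return problems


def phase2_networks(v: SiteVpnValues) -> tuple[str, str]:
    """(Local Network, Remote Network) for Phase 2 in Routed (VTI) mode: the two VTI host addresses."""
    return (str(ipaddress.ip_interface(v.customer_vti_cidr).ip),
            str(ipaddress.ip_address(v.pureport_vti_ip)))


# Constructed sample: 203.0.113.0/24 is documentation address space, the PSKs are placeholders.
SAMPLE = SiteVpnValues(
    ike_version="IKEv2",
    primary_gateway_ip="203.0.113.10",
    secondary_gateway_ip="203.0.113.11",
    primary_psk="constructed-primary-psk",
    secondary_psk="constructed-secondary-psk",
    customer_vti_cidr="169.254.1.1/30",
    pureport_vti_ip="169.254.1.2",
    encryption="AES-CBC-256",
    integrity="SHA256",
    dh_group=14,
)

if __name__ == "__main__":
    for line in validate(SAMPLE) or ["values are consistent with the pfSense limits"]:
        print(line)
    print("Phase 2 Local/Remote:", phase2_networks(SAMPLE))
```

Run it with your own console values substituted into SAMPLE; anything it prints other than the "consistent" line is something to fix in the Pureport Console or in your notes before creating Phase 1.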



Initiate IPSec Connection

Navigate to Status > IPSec, then click Connect next to the connection. 


The status should be ESTABLISHED. If not, review the logs (Status > System Logs > IPSec) to troubleshoot the connection.



Add/Enable VTI Interface

After configuring IPSec Phase2 to use VTI, you must add and enable the VTI interface.

  1. Select Interfaces > Assignments from the top navbar, then click Add next to the VTI IPsec network port. This adds an interface called OPT1 (or the next free OPTn name if OPT1 is already in use).

  2. Click Save.

  3. Select the new interface, check Enable, leave all other settings at their defaults, and select Save.

  4. Select Apply Changes.


Install the OpenBGPD package in pfSense

Go to System > Package Manager > Available Packages and install the OpenBGPD package.

Note: recent pfSense releases no longer ship the OpenBGPD package; FRR is the supported BGP package there. The ASN, router ID, network, group, and neighbor values used below carry over to its BGP configuration.


pfSense will download and install the OpenBGPD package and notify you when complete.



Configure OpenBGPD

Use the information from the Site VPN Connection you created in the Pureport Console.

  1. From the pfSense navbar, select Services > OpenBGPD.

  2. Enter the following information in each field on the page:
    • Autonomous Systems (AS) Number: The Customer ASN from the Primary Gateway in the Pureport Console (default is 390351).
    • Listen on IP: The Customer IP from the Primary Gateway in the Pureport Console (for example: 169.254.1.1).
    • Router IP: The Customer IP from the Primary Gateway in the Pureport Console (for example: 169.254.1.1).
    • Networks: The networks you wish to advertise via BGP. Use the Add button to enter multiple networks.
      You can enter the Customer Site network here (for example 10.0.1.0/24), or enter inet connected or inet6 connected to announce the directly attached IPv4 or IPv6 networks. Entering inet static or inet6 static announces all IPv4 or IPv6 static routes. Refer to the bgpd.conf(5) documentation for the other forms this field accepts.

  3. Click Save when done.


Configure OpenBGPD Groups

  1. From the pfSense navbar, select Services > OpenBGPD > Groups  then click Add.


  2. Enter the following information in each field on the page:
    • Name: Pureport
    • Remote AS: The Pureport ASN from the Primary Gateway in the Pureport Console (for example: 394351)

  3. Click Save.


Configure OpenBGPD Neighbors

  1. From the pfSense navbar, select Services > OpenBGPD > Neighbors, then click Add.

  2. Enter the following information in each field on the page:
    • Description: Pureport
    • Neighbor: The Pureport IP from the BGP Config in the Pureport Console (for example: 169.254.1.2).
    • Group: Choose the Pureport group you created in "Configure OpenBGPD Groups."



Verify OpenBGPD Routing


From the pfSense navbar, select Services > OpenBGPD > Status.


In the OpenBGP Routing section, your destination networks and their corresponding ASNs are listed.

In the example, network 10.100.0.0/16 is shown with an ASN of 12076. This is another Pureport connection that exists on this network.
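As an added example (not part of this article, and not code from the pfSense OpenBGPD package), the following Python does two things that map onto the "Configure OpenBGPD" sections and onto this verification step: it renders the bgpd.conf that corresponds to the GUI fields (AS, Listen on IP, Router IP, Networks, Group, Neighbor), and it parses the table that OpenBGPD's bgpctl show rib prints so you can confirm from a shell which prefixes were learned from the Pureport neighbor and which AS originated them. The customer ASN 65010, the advertised prefix, and the sample RIB text are constructed; the bgpd.conf layout follows bgpd.conf(5), not what the package itself writes.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class BgpSettings:
    """The fields filled in under Services > OpenBGPD, Groups and Neighbors (values constructed)."""
    local_as: int
    listen_ip: str
    router_id: str
    networks: list[str]     # prefixes, or "inet connected" / "inet static" style keywords
    group_name: str
    remote_as: int
    neighbor_ip: str
    neighbor_descr: str


NETWORK_KEYWORD = re.compile(r"^inet6? (connected|static)$")


def render_bgpd_conf(s: BgpSettings) -> str:
    """Render a bgpd.conf equivalent to the GUI fields (layout per bgpd.conf(5))."""
    if s.local_as == s.remote_as:
        raise ValueError("local and remote AS are equal; the Pureport peering is eBGP")
    for ip in (s.listen_ip, s.router_id, s.neighbor_ip):
        ipaddress.ip_address(ip)                      # fail early on a mistyped address
    for n in s.networks:
        if not NETWORK_KEYWORD.match(n):
            ipaddress.ip_network(n, strict=True)      # reject a prefix with host bits set
    lines = [f"AS {s.local_as}", "fib-update yes",
             f"listen on {s.listen_ip}", f"router-id {s.router_id}"]
    lines += [f"network {n}" for n in s.networks]
    lines += ["", f'group "{s.group_name}" {{', f"    remote-as {s.remote_as}",
              f"    neighbor {s.neighbor_ip} {{", f'        descr "{s.neighbor_descr}"',
              "    }", "}"]
    return "\n".join(lines) + "\n"


@dataclass
class RibEntry:
    prefix: str
    gateway: str
    aspath: tuple[int, ...]
    origin: str
    selected: bool


def _is_prefix(token: str) -> bool:
    try:
        ipaddress.ip_network(token, strict=False)
        return "/" in token
    except ValueError:
        return False


def parse_show_rib(text: str) -> list[RibEntry]:
    """Parse the table printed by 'bgpctl show rib'; legend and header lines are skipped.

    Columns: flags [ovs] destination gateway lpref med aspath origin. The prefix column
    is located by content, so the optional 'ovs' column of newer OpenBGPD is tolerated.
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if _is_prefix(t)), None)
        if idx is None or len(tokens) < idx + 5 or tokens[-1] not in ("i", "e", "?"):
            continue
        if not (tokens[idx + 2].isdigit() and tokens[idx + 3].isdigit()):   # lpref, med
            continue
        flags = "".join(tokens[:idx])
        aspath = tuple(int(a) for a in tokens[idx + 4:-1] if a.isdigit())
        entries.append(RibEntry(tokens[idx], tokens[idx + 1], aspath, tokens[-1], ">" in flags))
    return entries


def origin_as(entry: RibEntry) -> Optional[int]:
    """The AS that originated the prefix: the last AS in the path (None for locally announced routes)."""
    return entry.aspath[-1] if entry.aspath else None


def routes_from_neighbor(entries: list[RibEntry], neighbor_ip: str) -> list[RibEntry]:
    return [e for e in entries if e.gateway == neighbor_ip]


SAMPLE_SETTINGS = BgpSettings(
    local_as=65010, listen_ip="169.254.1.1", router_id="169.254.1.1",
    networks=["10.0.1.0/24"], group_name="Pureport", remote_as=394351,
    neighbor_ip="169.254.1.2", neighbor_descr="Pureport",
)

# Constructed sample in the 'bgpctl show rib' layout: the local 10.0.1.0/24 announcement
# and a prefix learned from Pureport whose path ends in AS 12076, as in the article.
SAMPLE_SHOW_RIB = """\
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
origin: i = IGP, e = EGP, ? = Incomplete

flags destination          gateway          lpref   med aspath origin
AI*>  10.0.1.0/24          0.0.0.0            100     0 i
*>    10.100.0.0/16        169.254.1.2        100     0 394351 12076 i
"""

if __name__ == "__main__":
    print(render_bgpd_conf(SAMPLE_SETTINGS))
    for e in routes_from_neighbor(parse_show_rib(SAMPLE_SHOW_RIB), SAMPLE_SETTINGS.neighbor_ip):
        print(f"{e.prefix} via {e.gateway}, origin AS {origin_as(e)}, selected={e.selected}")
```

On the firewall itself the same check is `bgpctl show rib` piped into this parser; a learned prefix that is present but not marked selected (no `>` flag) means OpenBGPD has it but is not installing it, which is worth checking before blaming the tunnel.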