Setup a routed IPSec Tunnel

Most Site-to-Site VPNs are policy-based, which means you define a local and a remote network (or group of networks). Only traffic matching the defined policy is pushed into the VPN tunnel. As the demand for more complex and fault-tolerant VPN scenarios grew over the years, most major router vendors implemented another kind of VPN: route-based IPsec.

The difference is that the local and remote networks are simply 0.0.0.0/0, so any traffic can travel through the tunnel; it just needs a route. A Virtual Tunnel Interface (VTI) is used for this.

There are two benefits for this kind of VPN:

First, you can set up two tunnels to the same gateway and failover when one line goes down. Second, you can run dynamic routing protocols over the tunnel to create more redundant, or software-defined networks.

Before you start

Before starting with the configuration of an IPsec tunnel you need to have a working OPNsense installation with a unique LAN IP subnet for each side of your connection (your local network needs a different one than the remote network).

Sample Setup

For the sample configuration we use two OPNsense boxes to simulate a site to site tunnel, with the following configuration:

Site A

Hostname        fw1
WAN IP          1.2.3.4/24
LAN IP          192.168.1.1/24
LAN DHCP Range  192.168.1.100-192.168.1.200

Site B

Hostname        fw2
WAN IP          4.3.2.1/24
LAN Net         192.168.2.0/24
LAN DHCP Range  192.168.2.100-192.168.2.200

Full Network Diagram Including IPsec Tunnel

IPsec Site-to-Site tunnel network

Firewall Rules Site A & Site B (part 1)

To allow IPsec tunnel connections, the following should be allowed on WAN on both sites (under Firewall ‣ Rules ‣ WAN):

  • Protocol ESP
  • UDP Traffic on port 500 (ISAKMP)
  • UDP Traffic on port 4500 (NAT-T)
../../_images/ipsec_wan_rules.png

Note

You can further limit the traffic by the source IP of the remote host.

Step 1 - Phase 1 Site A

(Under VPN ‣ IPsec ‣ Tunnel Settings, press +.) We will use the following settings:

General information

Connection method       default                 Default is “Start on traffic”
Key Exchange version    V2
Internet Protocol       IPv4
Interface               WAN                     Choose the interface connected to the internet
Remote gateway          4.3.2.1                 The public IP address of your remote OPNsense
Description             Site B                  Freely chosen description

Phase 1 proposal (Authentication)

Authentication method   Mutual PSK              Using a Pre-shared Key
My identifier           My IP address           Simple identification for a fixed IP
Peer identifier         Peer IP address         Simple identification for a fixed IP
Pre-Shared Key          At4aDMOAOub2NwT6gMHA    Random key. CREATE YOUR OWN!

Phase 1 proposal (Algorithms)

Encryption algorithm    AES                     For our sample we will use AES/256 bits
Hash algorithm          SHA512                  Use a strong hash like SHA512
DH key group            14 (2048 bit)           2048 bit should be sufficient
Lifetime                28800 sec               Lifetime before renegotiation

Advanced Options

Install Policy          Unchecked               Has to be unchecked since we want plain routing
Disable Rekey           Unchecked               Renegotiate when the connection is about to expire
Disable Reauth          Unchecked               IKEv2 only: re-authenticate the peer on rekeying
NAT Traversal           Disabled                For IKEv2, NAT traversal is always enabled
Dead Peer Detection     Unchecked

Save your setting by pressing:

../../_images/btn_save.png

Step 2 - Phase 2 Site A

Press the button that says ‘+ Show 0 Phase-2 entries’

../../_images/ipsec_s2s_vpn_p1a_show_p2.png

You will see an empty list:

../../_images/ipsec_s2s_vpn_p1a_p2_empty.png

Now press the + at the right of this list to add a Phase 2 entry. As we do not define a local and remote network, we just use tunnel addresses, as you may already know them from OpenVPN. In this example we use 10.111.1.1 and 10.111.1.2. These will be the gateway addresses used for routing.

General information

Mode                    Route-based             Select Route-based
Description             Local LAN Site B        Freely chosen description

Tunnel Network

Local Address           Local Tunnel IP         Set IP 10.111.1.1
Remote Address          Remote Tunnel IP        Set IP 10.111.1.2

Phase 2 proposal (SA/Key Exchange)

Protocol                ESP                     Choose ESP for encryption
Encryption algorithms   AES / 256               For the sample we use AES 256
Hash algorithms         SHA512                  Choose a strong hash like SHA512
PFS Key group           14 (2048 bit)           Not required, but enhances security
Lifetime                3600 sec

Save your settings by pressing:

../../_images/btn_save.png

Enable IPsec for Site A, select:

../../_images/ipsec_s2s_vpn_p1a_enable.png

Save:

../../_images/btn_save.png

And apply changes:

../../_images/ipsec_s2s_vpn_p1a_apply.png
../../_images/ipsec_s2s_vpn_p1a_success.png

You are almost done configuring Site A (only some firewall settings remain, which will be addressed later). We will now proceed setting up Site B.


Step 3 - Phase 1 Site B

(Under VPN ‣ IPsec ‣ Tunnel Settings, press +.) We will use the following settings:

General information

Connection method       Default                 Default is ‘Start on traffic’
Key Exchange version    V2
Internet Protocol       IPv4
Interface               WAN                     Choose the interface connected to the internet
Remote gateway          1.2.3.4                 The public IP address of your remote OPNsense
Description             Site A                  Freely chosen description

Phase 1 proposal (Authentication)

Authentication method   Mutual PSK              Using a Pre-shared Key
My identifier           My IP address           Simple identification for a fixed IP
Peer identifier         Peer IP address         Simple identification for a fixed IP
Pre-Shared Key          At4aDMOAOub2NwT6gMHA    Random key. CREATE YOUR OWN!

Phase 1 proposal (Algorithms)

Encryption algorithm    AES                     For our sample we will use AES/256 bits
Hash algorithm          SHA512                  Use a strong hash like SHA512
DH key group            14 (2048 bit)           2048 bit should be sufficient
Lifetime                28800 sec               Lifetime before renegotiation

Advanced Options

Install Policy          Unchecked               Has to be unchecked since we want plain routing
Disable Rekey           Unchecked               Renegotiate when the connection is about to expire
Disable Reauth          Unchecked               IKEv2 only: re-authenticate the peer on rekeying
NAT Traversal           Disabled                For IKEv2, NAT traversal is always enabled
Dead Peer Detection     Unchecked

Save your setting by pressing:

../../_images/btn_save.png

Step 4 - Phase 2 Site B

Press the button that says ‘+ Show 0 Phase-2 entries’

../../_images/ipsec_s2s_vpn_p1a_show_p2.png

You will see an empty list:

../../_images/ipsec_s2s_vpn_p1a_p2_empty.png

Now press the + at the right of this list to add a Phase 2 entry.

General information

Mode                    Route-based             Select Route-based
Description             Local LAN Site A        Freely chosen description

Tunnel Network

Local Address           Local Tunnel IP         Set IP 10.111.1.2
Remote Address          Remote Tunnel IP        Set IP 10.111.1.1

Phase 2 proposal (SA/Key Exchange)

Protocol                ESP                     Choose ESP for encryption
Encryption algorithms   AES / 256               For the sample we use AES 256
Hash algorithms         SHA512                  Choose a strong hash like SHA512
PFS Key group           14 (2048 bit)           Not required, but enhances security
Lifetime                3600 sec

Save your setting by pressing:

../../_images/btn_save.png

Enable IPsec for Site B, select:

../../_images/ipsec_s2s_vpn_p1a_enable.png

Save:

../../_images/btn_save.png

And apply changes:

../../_images/ipsec_s2s_vpn_p1a_apply.png
../../_images/ipsec_s2s_vpn_p1a_success.png

Firewall Rules Site A & Site B (part 2)

To allow traffic passing to your LAN subnet you need to add a rule to the IPsec interface (under Firewall ‣ Rules ‣ IPsec).

../../_images/ipsec_ipsec_lan_rule.png

IPsec Tunnel Ready

The tunnel should now be up and routing between both networks. Go to VPN ‣ IPsec ‣ Status Overview to see the current status.

Step 5 - Define Gateways

Now that you have the VPN up and running you have to set up a gateway. Go to System ‣ Gateways ‣ Single and add a new gateway.

Gateway Site-A

Name          VPNGW        Set a name for your gateway
Interface     IPSEC1000    Choose the IPsec interface
IP Address    10.111.1.2   Set the peer IP address
Far Gateway   Checked      Has to be checked as it is a point-to-point connection

Gateway Site-B

Name          VPNGW        Set a name for your gateway
Interface     IPSEC1000    Choose the IPsec interface
IP Address    10.111.1.1   Set the peer IP address
Far Gateway   Checked      Has to be checked as it is a point-to-point connection

Step 6 - Add Static Routes

When the gateways are set up you can add a route for the remote network pointing to the new gateway. On Site-A add a route to Site-B and vice versa. Go to System ‣ Routes ‣ Configuration.

Route Site-A

Network Address   192.168.2.0/24   Set the network of Site-B
Gateway           VPNGW            Select the VPN gateway

Route Site-B

Network Address   192.168.1.0/24   Set the network of Site-A
Gateway           VPNGW            Select the VPN gateway
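Most tunnel failures in this setup come from the two sides not mirroring each other (wrong remote gateway, differing PSK or proposals, swapped tunnel IPs, Install Policy left on). The following consistency check is an added example, not OPNsense's own code; the dicts restate the Site A and Site B values from the tables above using the script's own field names, which are not OPNsense configuration keys.

```python
"""Cross-check both sites of this guide before bringing the tunnel up. Added
example, not OPNsense's own code: the dicts restate the Phase 1/2, gateway and
route values from the tables above with this script's own field names."""
import ipaddress

SITE_A = {
    "wan": "1.2.3.4", "lan": "192.168.1.0/24", "remote_gateway": "4.3.2.1",
    "psk": "At4aDMOAOub2NwT6gMHA", "ike_version": 2, "install_policy": False,
    "p1": ("aes256", "sha512", 14), "p2": ("aes256", "sha512", 14),
    "tunnel_local": "10.111.1.1", "tunnel_remote": "10.111.1.2",
    "gateway_ip": "10.111.1.2", "route": "192.168.2.0/24",
}
SITE_B = {
    "wan": "4.3.2.1", "lan": "192.168.2.0/24", "remote_gateway": "1.2.3.4",
    "psk": "At4aDMOAOub2NwT6gMHA", "ike_version": 2, "install_policy": False,
    "p1": ("aes256", "sha512", 14), "p2": ("aes256", "sha512", 14),
    "tunnel_local": "10.111.1.2", "tunnel_remote": "10.111.1.1",
    "gateway_ip": "10.111.1.1", "route": "192.168.1.0/24",
}

def check_side(local, peer):
    """Mismatches seen from `local`; an empty list means it agrees with `peer`."""
    issues = []
    if local["remote_gateway"] != peer["wan"]:
        issues.append("remote gateway is not the peer's WAN address")
    if local["psk"] != peer["psk"]:
        issues.append("pre-shared key differs between the sites")
    if local["ike_version"] != peer["ike_version"]:
        issues.append("key exchange version differs between the sites")
    if local["install_policy"]:  # route-based: no kernel policy, routing via the VTI instead
        issues.append("Install Policy must be unchecked for a route-based tunnel")
    for phase in ("p1", "p2"):
        if local[phase] != peer[phase]:
            issues.append(f"{phase} proposal differs between the sites")
    if local["tunnel_remote"] != peer["tunnel_local"]:
        issues.append("remote tunnel IP is not the peer's local tunnel IP")
    if local["gateway_ip"] != peer["tunnel_local"]:  # VPNGW must point at the far tunnel end
        issues.append("gateway IP must be the peer's tunnel IP")
    if local["route"] != peer["lan"]:
        issues.append("static route does not match the peer LAN")
    if ipaddress.ip_network(local["lan"]).overlaps(ipaddress.ip_network(peer["lan"])):
        issues.append("LAN subnets overlap; each side needs a unique LAN")
    return issues

def check_pair(a, b):
    """Issues in both directions, prefixed with the site that reports them."""
    return [f"fw1: {i}" for i in check_side(a, b)] + [f"fw2: {i}" for i in check_side(b, a)]

if __name__ == "__main__":
    print("\n".join(check_pair(SITE_A, SITE_B)) or "fw1 and fw2 agree")
```

Edit one side's dict to what you actually entered in the GUI and every reported line points at the table where the two sites disagree.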

Now you are all set!