Justinaquino: Imported from Netgate pfSense training PDF via bot

2026-04-23T07:07:12Z

Imported from Netgate pfSense training PDF via bot

New page

__NOTOC__

<div style="background-color: #fff3cd; border-left: 6px solid #ffc107; padding: 10px; margin-bottom: 15px;">
<strong>Netgate pfSense Plus Fundamentals — Lab 5: IPsec VPN</strong><br/>
Hands-on lab covering site-to-site IPsec with pre-shared key and mobile IPsec remote access configuration.
</div>

= Lab 5: IPsec =

In this lab, we connect the '''HQ''' and '''branch''' networks with a site-to-site IPsec VPN, then configure mobile IPsec to offer a remote access option for mobile clients.

'''Lab topology references:'''
* HQ WAN IP: '''192.0.2.2'''
* Branch WAN IP: '''203.0.113.10'''
* HQ network: 172.17.0.0/16
* Branch network: 172.18.0.0/16

= Part 1: IPsec Pre-Shared Key Site-to-Site VPN =

== Enable fw1-HQ IPsec ==

On '''fw1-HQ''', browse to '''VPN > IPsec'''. Click '''+Add P1''' to add a new Phase 1 configuration.

=== HQ Phase 1 Configuration ===

At the resulting Edit Phase 1 screen:
* '''Remote Gateway:''' Branch WAN IP (203.0.113.10)
* '''Interface:''' WAN
* '''Description:''' (your choice)

=== Phase 1 Proposal Configuration ===

Scroll down to the Phase 1 proposal configuration.

'''Generating Pre-Shared Key:'''
* Click the yellow button to generate your pre-shared key automatically
* Make note of it — it will be needed to configure the other end of the VPN

'''Advanced Options:'''
* Leave '''NAT Traversal''' to '''Auto'''
* The underlying strongSwan service will determine if NAT-T is required and automatically enable it if so

Leave the other settings at their defaults, then click '''Save'''.

== Adding HQ Phase 2 ==

Back at the IPsec Tunnels tab, click the '''+''' under the newly-created Phase 1 to expose the Phase 2 configuration, then click '''+Add P2'''.

=== Configuring HQ Phase 2 ===

For local and remote networks, use the /16 network summarizing all available IP subnets for each location:
* '''Local Network:''' Type: Network, '''172.17.0.0/16'''
* '''Remote Network:''' Type: Network, '''172.18.0.0/16'''

=== Phase 2 Proposal Configuration ===

Choose specific parameters for each area rather than having multiple options enabled. This is always best for site-to-site VPNs.

{| class="wikitable"
! Setting !! Recommendation
|-
| Encryption || AES-256 (single option)
|-
| Hash || SHA256 (single option)
|-
| PFS || On (match group)
|}

Having multiple options enabled could lead to a less secure, slower algorithm like 3DES being chosen over a faster, more secure option like AES-256.

=== Automatically Ping Host ===

Enter an IP address within the remote subnet to keep the VPN alive:
* Use '''fw1-branch LAN IP''' (e.g., 172.18.1.1)
* IPsec is "dial-on-demand" — it doesn't try to connect unless traffic is trying to traverse the VPN
* The IP doesn't have to reply; it's the initiation of the request that triggers the VPN to come up

Then click '''Save''', and at the main IPsec Tunnels screen click '''Apply Changes'''.

== Configure HQ IPsec Firewall Rules ==

Traffic coming in via IPsec is filtered by the firewall rules on the '''IPsec tab'''. By default, this contains no rules, so all VPN traffic will be blocked.

Browse to '''Firewall > Rules''', IPsec tab. Click '''Add''' and configure:

{| class="wikitable"
! Field !! Value
|-
| Action || Pass
|-
| Interface || IPsec
|-
| Protocol || any
|-
| Source || 172.18.0.0/16
|-
| Destination || any
|-
| Description || allow branch network in via IPsec
|}

Click '''Save''', and '''Apply Changes'''.

'''Notes:'''
* The outer portion of the VPN requires UDP port 500 and ESP protocol on WAN — these rules are handled automatically
* Traffic is allowed out from HQ to branch by the default LAN rule
* The HQ DMZ subnet will not be able to initiate connections to the remote branch network because of the DMZ rule rejecting private network destinations

== Configure fw1-branch IPsec ==

Browse to '''https://172.18.1.1''' to reach fw1-branch.

=== Add Phase 1 Entry ===

Add a new Phase 1 entry for the HQ VPN:
* '''Remote Gateway:''' fw1-HQ's WAN IP — '''192.0.2.2'''
* Match all other parameters exactly with fw1-HQ

=== Phase 1 Proposal and Advanced ===

All Phase 1 proposal settings must match exactly to fw1-HQ. After matching up everything, click '''Save'''.

=== Branch Phase 2 Configuration ===

Add a new Phase 2 entry under the Phase 1 just added. Everything is identical to HQ's Phase 2, except flip local and remote networks:
* '''Local Network:''' 172.18.0.0/16
* '''Remote Network:''' 172.17.0.0/16

Leave '''Automatically ping host''' blank on this side (the other end will keep the tunnel active).

Then click '''Save''', and '''Apply Changes'''.

=== Add IPsec Firewall Rule ===

Browse to '''Firewall > Rules''', IPsec tab, and add an allow-all rule:

{| class="wikitable"
! Field !! Value
|-
| Action || Pass
|-
| Interface || IPsec
|-
| Protocol || any
|-
| Source || Network, 172.17.0.0/16
|-
| Destination || any
|-
| Description || allow HQ in via VPN
|}

Save and Apply Changes.

== Testing the VPN ==

Browse to '''Status > IPsec''' on the branch firewall. If the status shows "Disconnected", click the '''Connect VPN''' button.

Once something attempts to bring up the VPN, it should change status to '''ESTABLISHED'''.

=== Troubleshooting ===

If the VPN does not come up:
* Closely review all settings in Phase 1 and Phase 2 on both sides
* Check for typos in IP addresses
* Verify the pre-shared key was pasted correctly
* Ensure no inadvertently mismatched settings

=== Passing Traffic Across VPN ===

On '''HQ-client''', test connectivity:
<pre>
training@hq-client:~$ ping -c 3 172.18.1.1
training@hq-client:~$ ping -c 3 172.18.1.100
</pre>

On '''branch-client''', ping back:
<pre>
training@branch-client:~$ ping -c 3 172.17.1.1
training@branch-client:~$ ping -c 3 172.17.1.100
training@branch-client:~$ ping -c 3 172.17.2.10
</pre>

You should also be able to browse to web servers in the HQ DMZ network from branch-client.

= Part 2: IPsec Remote Access VPN =

Next, configure IPsec for mobile clients. This works with any standard IPsec clients, specifically focused towards the Cisco IPsec clients built into Mac OS X and Apple iOS. The Shrew Soft client is used in this lab.

== User and Group Setup ==

IPsec remote-access users require the '''"IPsec xauth Dialin"''' privilege.

=== Add IPsec Mobile Group ===

On '''fw1-HQ''', browse to '''System > User Manager''', Groups tab. Click '''+Add''':
* Give the group a name (e.g., "Mobile_IPsec") and description
* Save
* Edit the group and under '''Assigned Privileges''', click '''Add'''
* Choose only the '''"VPN - IPsec xauth Dialin"''' privilege
* Save again

=== Creating User for VPN ===

Go to the Users tab, click '''+Add''':
* '''Username:''' vpntest
* '''Password:''' password
* '''Group:''' Mobile_IPsec
* Save

== Server Configuration ==

On '''fw1-HQ''', browse to '''VPN > IPsec''', click the '''Mobile clients''' tab:

{| class="wikitable"
! Setting !! Value
|-
| Enable IPsec Mobile Client Support || Checked
|-
| User Authentication || Local Database
|-
| Group Authentication || Checked
|-
| Authentication Groups || Rights for Mobile IPsec (Mobile_IPsec)
|-
| Virtual Address Pool || 172.17.5.0/24
|-
| Network List || Checked — "Provide a list of accessible networks to clients"
|-
| DNS Default Domain || example.com
|-
| DNS Servers || 172.17.1.1
|}

Leave all other fields at defaults and click '''Save'''.

== Phase 1 Creation ==

After saving, you will see a prompt to create a Phase 1 definition for mobile clients. Click '''Create Phase 1'''.

{| class="wikitable"
! Parameter !! Value
|-
| Key Exchange Version || IKEv1
|-
| Description || Mobile clients
|-
| Authentication Method || Mutual PSK + Xauth
|-
| My Identifier || My IP address
|-
| Peer Identifier || User distinguished name, vpn@example.com
|-
| Pre-Shared Key || Generate new (make note)
|-
| Encryption Algorithm || AES 128 bit
|-
| Hash Algorithm || SHA1
|-
| DH Group || 2
|-
| Lifetime || 86400
|-
| NAT Traversal || Force
|}

Leave all else at defaults, and click '''Save'''.

== Configure Phase 2 ==

Back at the IPsec Tunnels screen, expand the mobile Phase 1 and click '''+Add P2''':

{| class="wikitable"
! Parameter !! Value
|-
| Mode || Tunnel IPv4
|-
| Local Network || Type: Network, 0.0.0.0/0
|-
| Encryption || AES 128
|-
| Hash || SHA1
|-
| PFS || off
|-
| Lifetime || 28800
|}

'''Note:''' The Phase 2 "Local Network" determines what networks are sent to the client. '''0.0.0.0/0''' sends all traffic across the VPN. To send only internal traffic, use '''172.17.0.0/16''' or '''172.16.0.0/12'''.

Then click '''Save''', and '''Apply Changes'''. The server-side IPsec configuration is now complete.

== Firewall Rule Configuration ==

Browse to '''Firewall > Rules''', IPsec tab. Add a new rule:

{| class="wikitable"
! Field !! Value
|-
| Action || Pass
|-
| Interface || IPsec
|-
| Protocol || Any
|-
| Source || Network 172.17.5.0/24
|-
| Destination || any
|-
| Description || allow in mobile client IPsec
|}

Then Save and Apply Changes.

== Client Configuration ==

On '''remote-host''', launch '''Shrew Soft VPN Access Manager'''. Click '''Add''' to create a new configuration.

=== General Tab ===
* Fill in the WAN IP of fw1-HQ: '''192.0.2.2'''
* Leave all else at defaults

=== Authentication Tab ===
* '''Authentication Method:''' Mutual PSK + XAuth
* '''Local Identity:''' User Fully Qualified Domain Name — '''vpn@example.com'''

=== Remote Identity Tab ===
* Choose '''Identification type:''' IP address

=== Credentials Tab ===
* Enter or paste the PSK generated during Phase 1 creation

=== Phase 1 Tab ===
* Change '''DH Exchange''' to '''group 2'''
* Leave all else at defaults

=== Phase 2 Tab ===
* Set '''Lifetime''' to '''28800''' seconds
* Leave everything else at defaults

Then click '''Save'''. You can rename the connection (e.g., "HQ VPN").

== Testing ==

Select the connection and click '''Connect'''. Fill in:
* '''Username:''' vpntest
* '''Password:''' password

Then click '''Connect'''. If you see "tunnel enabled" as the last line in the status, it's connected successfully.

Try to ping across to HQ-client (172.17.1.100) and server1 (172.17.2.10).

This concludes the IPsec lab.

= Next Module =

* [[Training:_IPsec_VPN|Section 5: IPsec VPN Concepts]] (review)

= Source Attribution =

* '''Document:''' FUND001-LIVE-Lab5-IPsec.pdf
* '''Course:''' pfSense Plus Fundamentals and Practical Application
* '''Copyright:''' © 2021 Rubicon Communications, LLC (Netgate)
* '''Extracted:''' 2026-04-23 via pdftotext

Training Lab 5: IPsec VPN - Revision history

Justinaquino: Imported from Netgate pfSense training PDF via bot