Como Configurar o Túnel VPN IPSec Site-to-Site PFSense para Acesso Remoto - TI. DESCOMPLICADO PDF

3/6/2018 Como configurar o Túnel VPN IPSec Site-to-Site PFSense para acesso remoto | TI.
DESCOMPLICADO
Como configurar o Túnel VPN

31st May 2017
IPSec Site-to-Site PFSense para
acesso remoto
[https://2.bp.blogspot.com/-0_P2Vn_XbdQ/VsNZZAxC77I/AAAAAAAABSs/gTsmD9fkSvA
WNrn3U3aZDnoHo4m2f6QWQCPcB/s1600/721px-Pfs-logo-vector.svg.png]
I work from a small office/home

office and I need to set up an
IPSec site-to-site VPN between a
Cisco/OpeNBSD IPSec-enabled [https://www.cyberciti.biz/faq/category/freebsd/]
gateway and firewall running PFSense. How do I configure the VPN tunnel so
that I can access remote subnet and servers behiend a Cisco firewall/router
securely? How do I setup a tunnel mode configuration which will provide you
with an encrypted site-to-site network, allowing networks at multiple remote
locations to be able to securely communicate using my PFSense located in my
SOHO?
Internet Protocol security (IPsec) uses cryptographic security mechanism to

protect communications over Internet Protocol (IP) networks. IPSec protocol
allows you to authenticate and encrypt all IP traffic between your local
office/datacenter/SOHO and remote location. You can pass all traffic over the
Internet or through networks which would otherwise be considered insecure.
In this faq, you will set up the VPN using PFSense in tunnel mode (network-to-
network VPNs) and use the ESP protocol in order to encrypt the VPN traffic as it
traverses the Internet.
Our sample setup
https://tisemestresse.blogspot.com/2017/05/como-configurar-o-tunel-vpn-ipsec-site.html 1/13
3/6/2018 Como configurar o Túnel VPN IPSec Site-to-Site PFSense para acesso remoto | TI. DESCOMPLICADO
Fig.01: A simple site-to-site VPN setup
Above is a very simple site-to-site VPN, with a security gateway (SOHO and
Remote IDC) linking two remote private networks 192.168.1.0/24 and
10.10.29.64/26. Remote IDC VPN is powered by either a Cisco/OpenBSD
based system and local SOHO vpn (PFSense) gateways are already
configured. From the above, you can see the IPSec config on is as follows:
VPN config provided by a CISCO/OpenBSD

gateway located in remote IDC
Phase 1:
Phase 1 config Savings
Your peer IPv4 address 122.16.7.42
Cisco/OpenBSD gateway IPv4 address 173.191.1.42
Preshared Key YOUR-super-secret-password-key
Encryption 3DES
Authentication MD5
Phase 1 config Savings
Diffie-Hellman Group 2
Keylife 14400
Phase 2:
Phase 2 config Values
Encryption 3DES
Authentication MD5
Perfect Forward Secrecy (PFS) Yes
Diffie-Hellman Group 2
Keylife 3600
SOHO Subnets 192.168.1.0/24
Remote Subnets 10.10.29.64/26 and 10.12.249.192/26
PFSense appliance VPN IPSec configuration
pfSense must be setup and working properly for the existing local network
environment. Both locations must be using non-overlapping LAN IP subnets.
For demo purpose my PFSense appliance located at https://192.168.1.254/.
Step #1: Login to admin webui
Fire a browser and type the following url:
https://192.168.1.254/
Sample outputs:
[https://www.cyberciti.biz/faq/howto-site-to-site-ipsec-vpn-between-cisco-
openbsd-router-pfsense/pfsense-login-1/]
Fig.02: PFSense admin Login Username and Password
Step #2: Setup the VPN Tunnel
Click on VPN > IPSec:
Fig.03: PFSense configure

the vpn
You will see screen as follows. Make sure you check Enable IPsec and click
Save to enable IPsec:
Fig.04: Enable PFSense
Step #3: Configure a new tunnel
Click on + button (see fig.04) to add a new IPsec tunnel Phase 1 configuration.
Make sure Interface set to “WAN”, Remote Gateway to “173.191.1.42”,
Authentication Method to Pre-Shared key to “YOUR-super-secret-password-
key”, Encryption to “3DES”, Authentication to “MD5”, Diffie-Hellman Group to
“2”, Keylife to “14400”, and finally press the Save button.
[https://www.cyberciti.biz/faq/howto-site-to-site-ipsec-vpn-between-cisco-openbsd-router-
pfsense/add-phase-1-config-4/]
Fig.05: PFSense New IPsec VPN Tunnel Phase 1 Configuration
You will see the message as follows on screen:
The IPsec tunnel configuration has been changed. You must apply
the changes in order for them to take effect.
Click on the Apply changes button:
Fig.06: Saving Phase 1 Config
Step #4: Create a new Phase 2 config
To create a new Phase 2, click the large + inside the Phase 1 entry in the list, on
the left-hand side. This expands the list to display all Phase 2 entries for this
Phase 1. Click the + button on the right to add a new entry:
Gif 01: Create a new Phase 2 to build the VPN
The Phase 2 information must be set as described in Phase 2 config table (see
above):
pfsense/phase-2-vpn-7/]
Fig. 07: PFSense IPSec VPN Phase 2 Configuration
You must set remote network as “10.10.29.64/26”, Protcol to “ESP”, Encrption

algorithmes to “3DES”, Hash algothrithms to “MD5”, PFS key group to “2”,
lifetime to “3600” and finally click on the Save button and Apply
changes button to activate the tunnel.
Step #5: Add IPSec firewall rules
By default firewall rules are automatically added to the WAN to allow the tunnel
to connect, but if the option to disable automatic VPN rules is checked, then
manual rules may be required. The following rules added by the firewall (you
can see them by typing the pfctl -sr | grep -i ipsec command at
PFSense console)
anchor "ipsec/*" all

pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
pass out route-to (rl0 192.168.0.1) inet proto udp from any to 173.191.1.42 p
pass in on rl0 reply-to (rl0 192.168.0.1) inet proto udp from 173.191.1.42 to
pass out route-to (rl0 192.168.0.1) inet proto udp from any to 173.191.1.42 p
pass in on rl0 reply-to (rl0 192.168.0.1) inet proto udp from 173.191.1.42 to
pass out route-to (rl0 192.168.0.1) inet proto esp from any to 173.191.1.42 k
pass in on rl0 reply-to (rl0 192.168.0.1) inet proto esp from 173.191.1.42 to
To setup IPSec firewall rules as per your needs, click on

the Firewall > Rules and IPsec tab. Setup rules as per your needs.
How do I see the current status of the IPSec vpn?
Click on the Status > IPSec:
pfsense/vpn-status-8/]
Fig.08: PFSense IPSec Status: Connect or Disconnect VPN Tunnel
You will see the screen as follows:
Fig 09: Current IPSec Status
Give it a few seconds to connect to the remote side. Once connected you will
see the status as follows:
[https://www.cyberciti.biz/faq/howto-site-to-
site-ipsec-vpn-between-cisco-openbsd-
router-pfsense/status-overview-1/]
System logs: IPsec VPN
router-pfsense/status-sad-2/]
IPsec: SAD
router-pfsense/status-spd-3/]
IPsec: SPD
router-pfsense/status-log-4/]
System logs: IPsec VPN
How do I test my vpn setup?
Try to ping or ssh into one of the remote server:
$ ping -c2 10.10.29.68

PING 10.10.29.68 (10.10.29.68): 56 data bytes
64 bytes from 10.10.29.68: icmp_seq=0 ttl=60
time=267.420 ms
64 bytes from 10.10.29.68: icmp_seq=1 ttl=60
time=271.900 ms
--- 10.10.29.68 ping statistics ---

2 packets transmitted, 2 packets received, 0.0%
packet loss
round-trip min/avg/max/stddev =
267.420/269.660/271.900/2.240 ms
$ ssh root@10.10.29.68
And, there you have it, VPN up and running from your SOHO.
fonte: https://www.cyberciti.biz
Postado há 31st May 2017 por CARVALHO LOP

Como Configurar o Túnel VPN IPSec Site-to-Site PFSense para Acesso Remoto - TI. DESCOMPLICADO PDF

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Como Configurar o Túnel VPN IPSec Site-to-Site PFSense para Acesso Remoto - TI. DESCOMPLICADO PDF

Încărcat de

Drepturi de autor:

Formate disponibile

3/6/2018 Como configurar o Túnel VPN IPSec Site-to-Site PFSense para acesso remoto | TI.

Como configurar o Túnel VPN

I work from a small office/home

Internet Protocol security (IPsec) uses cryptographic security mechanism to

Our sample setup

Fig.01: A simple site-to-site VPN setup

VPN config provided by a CISCO/OpenBSD

Phase 1 config Savings

Your peer IPv4 address 122.16.7.42

Cisco/OpenBSD gateway IPv4 address 173.191.1.42

Preshared Key YOUR-super-secret-password-key

Phase 1 config Savings

Phase 2 config Values

Perfect Forward Secrecy (PFS) Yes

SOHO Subnets 192.168.1.0/24

Remote Subnets 10.10.29.64/26 and 10.12.249.192/26

PFSense appliance VPN IPSec configuration

Step #1: Login to admin webui

Fire a browser and type the following url:

Fig.02: PFSense admin Login Username and Password

Step #2: Setup the VPN Tunnel

Click on VPN > IPSec:

Fig.03: PFSense configure

Fig.04: Enable PFSense

Step #3: Configure a new tunnel

Fig.05: PFSense New IPsec VPN Tunnel Phase 1 Configuration

You will see the message as follows on screen:

Click on the Apply changes button:

Fig.06: Saving Phase 1 Config

Step #4: Create a new Phase 2 config

Gif 01: Create a new Phase 2 to build the VPN

Fig. 07: PFSense IPSec VPN Phase 2 Configuration

You must set remote network as “10.10.29.64/26”, Protcol to “ESP”, Encrption

Step #5: Add IPSec firewall rules

anchor "ipsec/*" all

To setup IPSec firewall rules as per your needs, click on

How do I see the current status of the IPSec vpn?

Click on the Status > IPSec:

Fig.08: PFSense IPSec Status: Connect or Disconnect VPN Tunnel

You will see the screen as follows:

Fig 09: Current IPSec Status

System logs: IPsec VPN

System logs: IPsec VPN

How do I test my vpn setup?

Try to ping or ssh into one of the remote server:

$ ping -c2 10.10.29.68

--- 10.10.29.68 ping statistics ---

Postado há 31st May 2017 por CARVALHO LOP

S-ar putea să vă placă și