This article is in draft/beta; if you have any questions, please email us at help@firewalla.com
This is a brief introduction to a Site-to-Site IPsec VPN connection between a Firewalla Gold box and pfSense using Firewalla MSP.
To follow this guide, ensure that you have:
- pfSense with an IPsec VPN tunnel created
- Firewalla MSP version 2.8.0 or later
- Firewalla Gold series box on your Firewalla MSP instance
In this guide, we use Firewalla Gold and pfSense as the 2 sites of the IPsec VPN connection. We use a Firewalla Gold as the client, and a pfSense as the server. Both sites have public (WAN) IP addresses. Subnets on both sites can access each other, and devices on the Firewalla Gold can access the internet via the server site.
The following settings are assumed by this example:
| Firewalla Gold | pfSense
---|---|---
WAN IP | 203.0.113.15 | 192.0.2.19
LAN Subnet | 192.168.213.0/24 | 192.168.80.0/24
STEP 1: pfSense Server Configuration
If you need help setting up VPN connections on pfSense, please consult their guide: https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-s2s-psk.html
In this guide, we assume you already have an existing pfSense IPsec VPN tunnel created using Pre-Shared Keys, with the corresponding Firewall and NAT rules created.
To help follow this guide, note that we modified the following pfSense VPN configuration:
Phase 1 (P1):
- Remote Gateway: Firewalla Gold’s WAN IP (203.0.113.15)
- Encryption Algorithm: AES, 128 bits, hash SHA1, and DH group 14
Phase 2 (P2):
- Local Network: 0.0.0.0/0 (to access internet on all devices under VPN)
- Remote Network: Firewalla Gold’s LAN subnet (192.168.213.0/24)
- Key Exchange: AES, 128 bits, hash SHA1, and PFS group 14
Firewall Rules (IPsec):
- Action: Pass
- Source Network: Firewalla Gold’s LAN subnet (192.168.213.0/24)
- Destination: Any
Firewall Outbound NAT (Hybrid mode) Mappings:
- Source: Network or Alias, Firewalla Gold’s LAN subnet (192.168.213.0/24)
- Destination: Any
- Translation Address: WAN address
The rest of the configurations unmentioned are left as the default values.
STEP 2: MSP VPN Client Configuration
In Firewalla MSP, go to your Firewalla Gold’s box view, then create a new VPN Client.
Go to VPN Client (left navigation panel) > Create VPN Connection > select IPsec > Next. The MSP UI will look like this:
Enter a name for the VPN Connection. For the Configuration file, follow the template below. The placeholder values in angle brackets (highlighted in red in the MSP UI) should be modified for your VPN setup.
conn tunnTemplate
    keyexchange=ikev2
    auto=start
    type=tunnel
    leftid=<WAN IP of Firewalla>
    leftsubnet=<LAN Subnet CIDR of Firewalla> (separate multiple subnets with commas)
    right=<WAN IP of pfSense Server>
    rightsubnet=<LAN Subnet CIDR of pfSense> (separate multiple subnets with commas)
    authby=psk
    ike=aes128-sha1-modp2048
    esp=aes128-sha1-modp2048
    ikelifetime=28800s
    lifetime=3600s
Use 0.0.0.0/0 for rightsubnet so that devices on the VPN connection reach the Internet through the pfSense site. In this example, we change the following lines to:
leftid=203.0.113.15
leftsubnet=192.168.213.0/24
right=192.0.2.19
rightsubnet=0.0.0.0/0
Note that the Configuration file must use the same encryption methods as the pfSense IPsec VPN (P1 settings map to the ike= line, P2 settings to the esp= line). If you used different encryption methods, use this reference to find the correct keywords.
For Secrets, follow the template below. Copy and paste the Pre-Shared Key from the pfSense IPsec VPN configuration for P1.
: PSK "<Pre-Shared Key value>"
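As an added example (not part of Firewalla's article, nor code from Firewalla or pfSense), the following Python renders the Configuration and Secrets files above from the example's values and checks that the ike= and esp= lines agree with the pfSense P1 and P2 settings, which is the mismatch the note about encryption methods warns about. The PSK value, the Tunnel/Phase names and the DH-group and hash tables are assumptions made for this example; the IP addresses, subnets and proposals are the ones used in this guide.

```python
"""Render and sanity-check the IPsec configuration used in this guide."""
import re
from dataclasses import dataclass

# pfSense "DH group" / "PFS group" numbers -> strongSwan proposal keywords.
DH_GROUPS = {2: "modp1024", 5: "modp1536", 14: "modp2048", 15: "modp3072",
             16: "modp4096", 19: "ecp256", 20: "ecp384", 21: "ecp521"}
# pfSense hash names -> strongSwan keywords.
HASHES = {"SHA1": "sha1", "SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512"}


@dataclass(frozen=True)
class Phase:
    """One pfSense phase: encryption algorithm, key length, hash, DH/PFS group."""
    enc: str
    bits: int
    hash_alg: str
    dh_group: int

    def proposal(self) -> str:
        """strongSwan proposal string, e.g. aes128-sha1-modp2048."""
        if self.enc.upper() != "AES" or self.bits not in (128, 192, 256):
            raise ValueError(f"unsupported cipher {self.enc}-{self.bits}")
        return f"aes{self.bits}-{HASHES[self.hash_alg.upper()]}-{DH_GROUPS[self.dh_group]}"


@dataclass
class Tunnel:
    """Inputs for the conn block (hypothetical container type for this example)."""
    name: str
    firewalla_wan: str
    firewalla_lans: list
    pfsense_wan: str
    pfsense_lans: list
    p1: Phase
    p2: Phase
    psk: str
    ikelifetime: str = "28800s"
    lifetime: str = "3600s"


def render_conf(t: Tunnel) -> str:
    """Render the conn block in the layout the guide's template uses."""
    params = [
        ("keyexchange", "ikev2"),
        ("auto", "start"),
        ("type", "tunnel"),
        ("leftid", t.firewalla_wan),
        ("leftsubnet", ",".join(t.firewalla_lans)),   # several subnets: comma-separated
        ("right", t.pfsense_wan),
        ("rightsubnet", ",".join(t.pfsense_lans)),
        ("authby", "psk"),
        ("ike", t.p1.proposal()),    # must match pfSense Phase 1
        ("esp", t.p2.proposal()),    # must match pfSense Phase 2
        ("ikelifetime", t.ikelifetime),
        ("lifetime", t.lifetime),
    ]
    return "\n".join([f"conn {t.name}"] + [f"    {k}={v}" for k, v in params]) + "\n"


def render_secrets(t: Tunnel) -> str:
    """Secrets entry in the guide's form: one PSK with no peer selectors."""
    if '"' in t.psk:
        raise ValueError("PSK must not contain double quotes")
    return f': PSK "{t.psk}"\n'


def check_against_pfsense(conf: str, p1: Phase, p2: Phase) -> list:
    """Compare the ike=/esp= lines of a rendered config with the pfSense P1/P2.

    Returns a list of mismatch descriptions; an empty list means they agree.
    """
    found = dict(re.findall(r"^\s*(ike|esp)=(\S+)", conf, flags=re.M))
    expected = {"ike": p1.proposal(), "esp": p2.proposal()}
    return [f"{k}: config has {found.get(k)!r}, pfSense expects {v!r}"
            for k, v in expected.items() if found.get(k) != v]


# Values from this guide's worked example; the PSK is a constructed placeholder.
EXAMPLE = Tunnel(
    name="tunnTemplate",
    firewalla_wan="203.0.113.15",
    firewalla_lans=["192.168.213.0/24"],
    pfsense_wan="192.0.2.19",
    pfsense_lans=["0.0.0.0/0"],
    p1=Phase("AES", 128, "SHA1", 14),
    p2=Phase("AES", 128, "SHA1", 14),
    psk="EXAMPLE-PSK-REPLACE-ME",
)

if __name__ == "__main__":
    conf = render_conf(EXAMPLE)
    print(conf)
    print(render_secrets(EXAMPLE))
    # Matching settings produce no findings ...
    print(check_against_pfsense(conf, EXAMPLE.p1, EXAMPLE.p2))
    # ... while a pfSense P2 changed to SHA256 is flagged before the tunnel fails to negotiate.
    print(check_against_pfsense(conf, EXAMPLE.p1, Phase("AES", 128, "SHA256", 14)))
```

Run it once with your own values substituted into EXAMPLE and paste the printed conn block and secrets line into the MSP fields; rerun check_against_pfsense whenever the pfSense P1 or P2 proposals change, since a silent mismatch there is the usual reason a tunnel never reaches the Established state.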
After entering your Configuration and Secrets files (no Additional files needed), click Save in the top right corner to finish creating your 3rd-party VPN Connection.
On your new VPN connection, click Apply To to select the devices you'd like to apply the VPN to, then toggle on the VPN switch to establish the new connection. Once established, devices under your Firewalla Gold box can access devices behind the pfSense and reach the Internet through it.
STEP 3: Verify Connection
After establishing the connection, verify the connection status on Firewalla MSP.
On pfSense GUI, you can also see the “Established” status if you navigate to Status > IPsec.
When it is successfully connected and applied to a specific device, test whether that device can reach hosts on the pfSense LAN subnet (192.168.80.0/24 in this example).
Additionally, try accessing the Internet from the VPN-connected devices. Then, in Firewalla MSP, go to Flows and locate the flows generated. The flows should go through the VPN, and the outbound interface should be your pfSense IPsec VPN connection.