pfSense installation in Skytap
Install pfSense from .iso image
- Upload the ISO of the current pfSense release to Skytap assets
- Insert the ISO into a running Empty Linux VM
- A VM configured with 2 GB RAM, 2 CPUs and a 20 GB disk should be sufficient
- Follow default install prompts/process
Configure pfSense WAN and LAN NIC(s) via the pfSense console
- Add a public IP to the NIC that will be the WAN NIC
- In the Skytap UI, note the MAC address of the public and private NICs
- In the pfSense console, set the IP and subnet of each NIC (leave the other NIC settings at their defaults)
- Reboot
Check pfSense NICs
From the pfSense console, test if the following IPs can be pinged:
- WAN subnet gateway
- LAN subnet gateway
- 8.8.8.8 (public internet)
Adding a VM to the Skytap environment for pfSense web UI access
It is possible to configure pfSense from the command line, but it is highly recommended to access the pfSense web UI with a browser. By default, the web UI can only be accessed via the pfSense inside/LAN NIC.
- Add a VM with a browser to the LAN subnet in Skytap
- Run the VM, open the browser and navigate to the pfSense LAN IP (default credentials: admin / pfsense)
- The default user/pass should immediately be changed to something more secure
Example pfSense policy-based VPN configuration
Phase 1
pfSense UI Location: VPN / IPsec / Tunnels / Edit Phase 1
Phase 1: General Information
Key Exchange version: IKEv2
Internet Protocol: IPv4
Interface: WAN
Remote Gateway: {PUBLIC IP OF THE OTHER VPN DEVICE}
UDP Port: {LEAVE BLANK}
Remote NAT-T Port: {LEAVE BLANK}
Description: Skytap to Customer
Phase 1: Phase 1 Proposal (Authentication)
Authentication Method: Mutual PSK
My Identifier, IP Address: {SKYTAP PUBLIC IP}
Peer identifier: {PUBLIC IP OF THE OTHER VPN DEVICE}
Pre-shared Key: {LONG SECURE PASSWORD FOR BOTH SIDES}
Phase 1: Proposal (Encryption Algorithms)
Algorithm: AES
Key length: 256 bits
Hash: SHA256
DH Group: 14(2048)
Phase 1: Expiration and Replacement
Life Time: 28800
Rekey Time: {default/25920}
Reauth Time: {default/0}
Rand Time: {default/2880}
Phase 1: Advanced Options
Responder Only: No
SA Close Action: Default
NAT Traversal: Auto
MOBIKE: Disable
Gateway duplicates: No
Split connections: Yes (Enable this to split connection entries with multiple phase 2 configurations. Required for remote endpoints that support only a single traffic selector per child SA.)
PRF Selection: No
Dead Peer Detection: Enable
Delay: 10
Max failures: 5
Phase 2
pfSense UI Location: VPN / IPsec / Tunnels / Edit Phase 2
Phase 2: General Information
Mode: Tunnel IPv4
Local Network
Type: Network
Address: {Subnet of LAN behind the pfSense}
NAT/BINAT translation: None
Remote Network
Type: Network
Address: {Non-pfSense side subnet}
Phase 2: Proposal (SA/Key Exchange)
Protocol: ESP
Encryption Algorithms: AES 256 bits
Hash Algorithms: SHA256
PFS key group: off
Phase 2: Expiration and Replacement
Lifetime: 3600
Rekey Time: {default/3240}
Rand Time: {default/360}
Phase 2: Advanced Configuration
Automatically ping host: {blank}
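Both ends of a policy-based tunnel have to carry mirror-image settings: the same Phase 1 and Phase 2 proposals, identifiers that cross-match (my identifier here is the peer identifier there) and local/remote networks swapped. The script below is an added example, not pfSense's own code or configuration. It models the Phase 1 and Phase 2 values above as dictionaries, derives what the other VPN device must be configured with, and lists the differences that would stop the tunnel from negotiating; the public IPs (RFC 5737 documentation addresses) and subnets are constructed placeholders, and the PSK rule is this example's own.

```python
"""Cross-check a pfSense IPsec tunnel definition against the peer's.

Added example, not pfSense code. Both ends of a policy-based tunnel must
offer matching Phase 1 (IKE) and Phase 2 (ESP) proposals, their identifiers
must cross-match, and the traffic selectors must mirror each other; a
mismatch usually surfaces as NO_PROPOSAL_CHOSEN or AUTHENTICATION_FAILED in
the IPsec log. The dictionaries are constructed from the article's values,
with RFC 5737 documentation addresses standing in for the real public IPs
and subnets chosen for illustration.
"""
import ipaddress

# pfSense side, as configured in the article (constructed values for the placeholders)
PFSENSE_P1 = {
    "ike_version": "IKEv2", "auth": "Mutual PSK",
    "encryption": "AES", "key_length": 256, "hash": "SHA256", "dh_group": 14,
    "my_id": "203.0.113.10",     # {SKYTAP PUBLIC IP}
    "peer_id": "198.51.100.20",  # {PUBLIC IP OF THE OTHER VPN DEVICE}
    "lifetime": 28800,
}
PFSENSE_P2 = {
    "protocol": "ESP", "encryption": "AES", "key_length": 256, "hash": "SHA256",
    "pfs_group": None,             # PFS key group: off
    "local_net": "172.16.0.0/24",  # {Subnet of LAN behind the pfSense}
    "remote_net": "10.0.0.0/28",   # {Non-pfSense side subnet}
    "lifetime": 3600,
}

P1_MUST_MATCH = ("ike_version", "auth", "encryption", "key_length", "hash", "dh_group")
P2_MUST_MATCH = ("protocol", "encryption", "key_length", "hash", "pfs_group")


def mirror(p1, p2):
    """Derive what the other VPN device must be configured with: the same
    proposals, identifiers swapped, and local/remote networks swapped."""
    peer_p1 = dict(p1, my_id=p1["peer_id"], peer_id=p1["my_id"])
    peer_p2 = dict(p2, local_net=p2["remote_net"], remote_net=p2["local_net"])
    return peer_p1, peer_p2


def compare_phase1(local, peer):
    """Return the Phase 1 differences that would make IKE negotiation fail."""
    issues = [f"phase 1 {k} mismatch: local={local[k]} peer={peer[k]}"
              for k in P1_MUST_MATCH if local[k] != peer[k]]
    # My identifier on one side must equal the peer identifier on the other
    if local["my_id"] != peer["peer_id"] or local["peer_id"] != peer["my_id"]:
        issues.append("phase 1 identifiers do not cross-match")
    return issues


def compare_phase2(local, peer):
    """Return the Phase 2 differences that would make the child SA fail."""
    issues = [f"phase 2 {k} mismatch: local={local[k]} peer={peer[k]}"
              for k in P2_MUST_MATCH if local[k] != peer[k]]
    # Local network here must be the remote network there, and vice versa
    l_local, l_remote = (ipaddress.ip_network(local[k]) for k in ("local_net", "remote_net"))
    p_local, p_remote = (ipaddress.ip_network(peer[k]) for k in ("local_net", "remote_net"))
    if l_local != p_remote or l_remote != p_local:
        issues.append("phase 2 traffic selectors do not mirror each other")
    return issues


def check_psk(psk, min_length=20):
    """Minimum-quality test for the shared secret (this example's own rule):
    long enough, and not a placeholder or a default left in place."""
    problems = []
    if len(psk) < min_length:
        problems.append(f"PSK shorter than {min_length} characters")
    if psk.startswith("{") or psk.lower() in {"pfsense", "password", "changeme"}:
        problems.append("PSK is a placeholder or well-known default")
    return problems


if __name__ == "__main__":
    peer_p1, peer_p2 = mirror(PFSENSE_P1, PFSENSE_P2)
    peer_p1["dh_group"] = 2  # simulate a peer still set to DH group 2
    for issue in compare_phase1(PFSENSE_P1, peer_p1) + compare_phase2(PFSENSE_P2, peer_p2):
        print("MISMATCH:", issue)
    for problem in check_psk("{LONG SECURE PASSWORD FOR BOTH SIDES}"):
        print("PSK:", problem)
```

Fill PFSENSE_P1 and PFSENSE_P2 with the values entered in the pfSense UI and the peer dictionaries with what the other device's administrator reports; the mismatch list is the first thing to compare when Phase 1 or Phase 2 refuses to come up.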
Example pfSense VPN firewall configuration
Add new IPsec rule
pfSense UI Location: Firewall / Rules / IPsec
Action: Pass
Interface: IPsec
Address Family: IPv4
Protocol: Any
Source: any
Destination: any
Add new LAN rule
pfSense UI Location: Firewall / Rules / LAN
Action: Pass
Interface: LAN
Address Family: IPv4
Protocol: Any
Source: LAN net
Destination: any
(repeat this for each additional LAN subnet, e.g. Firewall / Rules / LAN2)
Routing within VMs behind the pfSense
For VMs behind the pfSense to reach the subnets on the WAN side of the pfSense, they will need either a static route or the default gateway pointed to the inside/LAN NIC of the pfSense.
Linux VMs:
For most Linux distributions, a static route can be added with the ip command using the following syntax (the route is lost on reboot unless it is also persisted in the distribution's network configuration):
ip route add {target subnet} via {pfSense inside IP} dev {guest OS NIC name}
Example: ip route add 192.168.0.0/24 via 172.16.0.1 dev ens160
Windows VMs:
- In the Windows Network Control Panel, for the NICs:
  - Set the NIC on the pfSense network with a manual metric lower than any other NIC (e.g. 10)
  - If there are other NICs, set them with a manual metric higher than the pfSense network NIC (e.g. 20 or more)
- In a CMD prompt, get the interface number (IF) of the NIC on the pfSense network:
  - route print | more
- In a CMD prompt, add a persistent DEFAULT route pointing to the pfSense with a metric of 1:
  - route -p add 0.0.0.0 MASK 0.0.0.0 {pfSense inside NIC IP} METRIC 1 IF {interface number from route print}
  - Example: route -p add 0.0.0.0 MASK 0.0.0.0 192.168.1.3 METRIC 1 IF 6
- In a CMD prompt, add a persistent route pointing to the non-Skytap side network with a metric of 2:
  - route -p add {customer subnet} MASK {subnet mask} {pfSense inside NIC IP} METRIC 2 IF {interface number from route print}
  - Example: route -p add 10.0.0.0 MASK 255.255.255.240 192.168.120.3 METRIC 2 IF 6
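The Linux and Windows procedures above differ in one detail that is easy to get wrong by hand: Linux takes the target as CIDR, while the Windows route command wants a dotted netmask. The script below is an added example, not pfSense, Skytap or Microsoft code. It turns the {target subnet} / {pfSense inside IP} / {interface} placeholders into the exact commands for both platforms and checks the inputs first, rejecting a target with host bits set and a gateway that is not on the VM's own subnet (a route via an off-link gateway is never used). The addresses are the article's own example values plus a constructed VM subnet.

```python
"""Build and sanity-check the static routes a VM behind pfSense needs.

Added example, not pfSense or Skytap code. Produces the Linux `ip route add`
and Windows `route -p add` commands from the article's placeholders and
validates the inputs before they are applied. Addresses are the article's
example values; the VM subnet 192.168.120.0/24 is constructed.
"""
import ipaddress


def _network(cidr):
    # strict=True rejects a target with host bits set, e.g. "10.0.0.5/28"
    return ipaddress.ip_network(cidr, strict=True)


def validate_route(target_cidr, gateway_ip, local_cidr):
    """Return a list of problems; an empty list means the route is sane.
    local_cidr is the subnet of the VM's NIC on the pfSense LAN."""
    problems = []
    try:
        target = _network(target_cidr)
    except ValueError as exc:
        return [f"target {target_cidr!r} is not a valid network: {exc}"]
    gateway = ipaddress.ip_address(gateway_ip)
    local = _network(local_cidr)
    if gateway not in local:
        problems.append(f"gateway {gateway} is not on the VM subnet {local}; the route cannot be used")
    # A default route (/0) overlaps everything, so only flag specific targets
    if target.prefixlen > 0 and target.overlaps(local):
        problems.append(f"target {target} overlaps the VM subnet {local}; the on-link route already covers it")
    return problems


def linux_route_cmd(target_cidr, gateway_ip, dev):
    """`ip route add` as used on most Linux distributions (not persistent across reboots)."""
    return f"ip route add {_network(target_cidr)} via {gateway_ip} dev {dev}"


def windows_route_cmd(target_cidr, gateway_ip, if_index, metric):
    """Persistent Windows route; the CIDR prefix becomes the dotted MASK CMD expects."""
    target = _network(target_cidr)
    return (f"route -p add {target.network_address} MASK {target.netmask} "
            f"{gateway_ip} METRIC {metric} IF {if_index}")


def windows_route_plan(customer_cidr, pfsense_inside_ip, if_index):
    """The two commands the article's Windows procedure adds: the default
    route with metric 1, then the customer subnet with metric 2."""
    return [
        windows_route_cmd("0.0.0.0/0", pfsense_inside_ip, if_index, 1),
        windows_route_cmd(customer_cidr, pfsense_inside_ip, if_index, 2),
    ]


if __name__ == "__main__":
    vm_subnet = "192.168.120.0/24"  # constructed: the VM's NIC on the pfSense LAN
    for target in ("10.0.0.0/28", "10.0.0.5/28", "0.0.0.0/0"):
        print(target, "->", validate_route(target, "192.168.120.3", vm_subnet) or "ok")
    print(linux_route_cmd("192.168.0.0/24", "172.16.0.1", "ens160"))
    for cmd in windows_route_plan("10.0.0.0/28", "192.168.120.3", 6):
        print(cmd)
```

Run validate_route before pasting either command into the VM; the Windows IF value still has to come from route print on that VM, and the Linux command still needs to be persisted by the distribution's own mechanism.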
Checking pfSense VPN Status
VPN Status
pfSense UI Location: Status / IPsec / Overview
From this page:
- The IPsec status can be seen
- Phase 1 or phase 2 can be disconnected/connected
VPN Log
pfSense UI Location: Status / System Logs / IPsec
From this page:
- View the detailed IPsec logs
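The detailed log is where a tunnel that refuses to come up explains itself. pfSense's IPsec daemon is strongSwan, so the lines come from its charon process and carry a <connection|ike-sa-id> tag. The script below is an added example, not pfSense or strongSwan code: it classifies such lines, replays them to give each connection a last-known state, and attaches the setting to check for each failure. The sample log lines are constructed in charon's style for a tunnel named con1 with RFC 5737 documentation addresses, and the category names and hints are this example's own.

```python
"""Triage pfSense IPsec log lines from Status / System Logs / IPsec.

Added example, not pfSense or strongSwan code. pfSense's IPsec daemon is
strongSwan, so the messages come from its charon process; the sample lines
below are constructed in that style for a tunnel named con1, using RFC 5737
documentation addresses. The categories and hints are this example's own
troubleshooting map, not anything pfSense emits.
"""
import re
from collections import Counter

# (pattern, category, what to check) in priority order
PATTERNS = [
    (re.compile(r"initiating IKE_SA"), "ike_initiating", "Phase 1 negotiation started"),
    (re.compile(r"IKE_SA \S+ established between"), "ike_established", "Phase 1 is up"),
    (re.compile(r"CHILD_SA \S+ established with SPIs"), "child_established",
     "Phase 2 is up; traffic matching the listed selectors (TS) should flow"),
    (re.compile(r"NO_PROPOSAL_CHOSEN"), "proposal_mismatch",
     "Proposal mismatch: compare encryption, hash, DH group and PFS on both ends"),
    (re.compile(r"AUTHENTICATION_FAILED"), "auth_failed",
     "Pre-shared key or identifiers differ between the two ends"),
    (re.compile(r"giving up after \d+ retransmits"), "peer_unreachable",
     "No answer from the peer: check WAN reachability, UDP 500/4500 and the remote firewall"),
    (re.compile(r"received DELETE for IKE_SA"), "peer_deleted", "Peer tore the IKE SA down"),
    (re.compile(r"sending DPD request"), "dpd", "Dead peer detection probe sent"),
]
DOWN = {"proposal_mismatch", "auth_failed", "peer_unreachable", "peer_deleted"}
CONN_RE = re.compile(r"<(?P<conn>[^|>]+)\|\d+>")  # charon tags lines with <conn|ike-sa-id>

# Constructed sample of what the pfSense IPsec log may look like
SAMPLE_LOG = [
    "Jan 10 12:00:01 pfSense charon[1234]: 05[IKE] <con1|1> initiating IKE_SA con1[1] to 198.51.100.20",
    "Jan 10 12:00:02 pfSense charon[1234]: 05[IKE] <con1|1> IKE_SA con1[1] established between 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]",
    "Jan 10 12:00:02 pfSense charon[1234]: 05[IKE] <con1|1> CHILD_SA con1{1} established with SPIs c1d2e3f4_i a1b2c3d4_o and TS 172.16.0.0/24 === 10.0.0.0/28",
    "Jan 10 12:10:00 pfSense charon[1234]: 06[IKE] <con1|1> sending DPD request",
    "Jan 10 12:15:00 pfSense charon[1234]: 07[IKE] <con1|1> received DELETE for IKE_SA con1[1]",
    "Jan 10 12:16:00 pfSense charon[1234]: 08[IKE] <con1|2> initiating IKE_SA con1[2] to 198.51.100.20",
    "Jan 10 12:16:01 pfSense charon[1234]: 08[IKE] <con1|2> received NO_PROPOSAL_CHOSEN notify error",
    "Jan 10 12:20:00 pfSense charon[1234]: 09[CFG] rereading secrets",
]


def classify(line):
    """Return (connection, category, hint) for a recognised line, else None."""
    match = CONN_RE.search(line)
    conn = match.group("conn") if match else "?"
    for pattern, category, hint in PATTERNS:
        if pattern.search(line):
            return conn, category, hint
    return None


def summarize(lines):
    """Per-connection event counts plus the hint for each problem seen."""
    counts, hints = {}, {}
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        conn, category, hint = hit
        counts.setdefault(conn, Counter())[category] += 1
        if category in DOWN:
            hints[(conn, category)] = hint
    return counts, hints


def tunnel_state(lines):
    """Last-known state per connection, replaying the log in order:
    'up' once a CHILD_SA is established, 'down' after a failure or delete,
    'negotiating' while Phase 1 is being set up."""
    state = {}
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        conn, category, _ = hit
        if category == "child_established":
            state[conn] = "up"
        elif category in DOWN:
            state[conn] = "down"
        elif category == "ike_initiating":
            state[conn] = "negotiating"
        else:
            state.setdefault(conn, "negotiating")
    return state


if __name__ == "__main__":
    counts, hints = summarize(SAMPLE_LOG)
    for conn, state in tunnel_state(SAMPLE_LOG).items():
        print(f"{conn}: {state}  events={dict(counts[conn])}")
    for (conn, category), hint in hints.items():
        print(f"{conn}/{category}: {hint}")
```

Feed it the lines copied from the log page (or a syslog export) in place of SAMPLE_LOG; the replay order matters, since a connection that was up and then saw a DELETE or a failed re-negotiation is reported as down.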