Setting up a Site-to-Site VPN tunnel on a pfSense Netgear router. For this setup I used two pfSense routers and configured an IPsec VPN tunnel between their two WAN links.
SITE-LINK 2
Navigate to the hari-wan01.hariduse.net router and log in with the administrator account. Open VPN > IPsec. Click "Add P1".
Key Exchange Version: "IKEv2"
Internet Protocol: "IPv4"
Interface: "WAN"
Remote Gateway: "hari-wan01.hariduse.net (IP address)"
For Phase 1 authentication we use Mutual PSK; certificate authentication, which is the recommended option, can be added later.
Authentication Method: "Mutual PSK"
Pre-Shared Key: "Generate new pre-shared key".
Encryption Algorithm: "AES 256 bits 2048"
Navigate to Phase 2 Entries and create a new P2 endpoint.
Networks:
Local Network: "LAN subnet"
NAT: None
Remote Network: "10.70.30.0/24" (enter the remote LAN IP address)
Protocol: ESP
Encryption Algorithms: "AES", and additionally AES256-GCM with 128 bits.
SITE-LINK A
Remote gateway: the WAN IP according to the router's settings
The protocols and encryption algorithms must be the same as on Site-LINK B.
Endpoint 2 (P2) is configured with the Site-Link B LAN IP address.
Navigate to Firewall > Rules > IPsec > New Rule
Action: Pass
Address Family: IPv4
Protocol: Any
Source: LAN subnet
Destination: Network > 10.77.2.0/24
Description: IPsec Firewall Rule to Branche1
Navigate to Firewall > Rules > IPsec > New Rule
Action: Pass
Address Family: IPv4
Protocol: Any
Source: Network > 10.77.2.0/24
Destination: LAN Subnet
Description: IPsec Firewall Rule from Branche1
Navigate to Firewall > Rules > IPsec > New Rule
Action: Pass
Address Family: IPv4
Protocol: Any
Source: Network > LAN Subnet
Destination: 10.7.30.0/24
Description: IPsec Firewall Rule to Branche2
Navigate to Firewall > Rules > IPsec > New Rule
Action: Pass
Address Family: IPv4
Protocol: Any
Source: Network > 10.7.30.0/24
Destination: LAN Subnet
Description: IPsec Firewall Rule from Branche2
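The rules above only carry traffic if their networks line up with the Phase 2 traffic selectors, and a one-digit typo in a subnet silently breaks the tunnel. The following script is an added example (not part of this guide and not pfSense code) that cross-checks a list of Phase 2 remote networks against the pass rules on the IPsec interface, reporting directions with no matching rule and rules whose far-side network falls outside every Phase 2 entry. The LAN subnet 10.77.1.0/24 and the Phase 2 entries are constructed assumptions; the rules are the four from this section.

```python
# Added example: audit pfSense IPsec-interface pass rules against Phase 2 selectors.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str          # "LAN subnet" or a CIDR, as shown in the pfSense rule
    dst: str
    description: str


def _net(value, lan):
    """Resolve the pfSense alias 'LAN subnet' to the LAN CIDR; parse anything else."""
    if value.strip().lower() in ("lan subnet", "lan"):
        return ipaddress.ip_network(lan)
    return ipaddress.ip_network(value, strict=False)


def audit_ipsec_rules(lan, phase2_remotes, rules):
    """Return (missing, orphaned).

    missing:  (src, dst) pairs with no covering pass rule; one pair per direction
              for every Phase 2 remote network.
    orphaned: descriptions of pass rules whose non-LAN side is not inside any
              Phase 2 remote network, so the tunnel will never carry that traffic.
    """
    lan_net = ipaddress.ip_network(lan)
    remotes = [ipaddress.ip_network(r) for r in phase2_remotes]
    passes = [r for r in rules if r.action.lower() == "pass"]
    missing = []
    for remote in remotes:
        for src, dst in ((lan_net, remote), (remote, lan_net)):
            if not any(src.subnet_of(_net(r.src, lan)) and dst.subnet_of(_net(r.dst, lan))
                       for r in passes):
                missing.append((str(src), str(dst)))
    orphaned = []
    for r in passes:
        far = _net(r.dst, lan) if _net(r.src, lan) == lan_net else _net(r.src, lan)
        if not any(far.subnet_of(remote) for remote in remotes):
            orphaned.append(r.description)
    return missing, orphaned


# Constructed sample: LAN subnet and Phase 2 remotes are assumed, rules follow the guide.
LAN = "10.77.1.0/24"
PHASE2_REMOTES = ["10.77.2.0/24", "10.70.30.0/24"]
RULES = [
    Rule("Pass", "any", "LAN subnet", "10.77.2.0/24", "IPsec Firewall Rule to Branche1"),
    Rule("Pass", "any", "10.77.2.0/24", "LAN subnet", "IPsec Firewall Rule from Branche1"),
    Rule("Pass", "any", "LAN subnet", "10.7.30.0/24", "IPsec Firewall Rule to Branche2"),
    Rule("Pass", "any", "10.7.30.0/24", "LAN subnet", "IPsec Firewall Rule from Branche2"),
]

if __name__ == "__main__":
    print(audit_ipsec_rules(LAN, PHASE2_REMOTES, RULES))
```

With the sample data the Branche2 rules are reported as orphaned and both directions for 10.70.30.0/24 as missing, which is exactly the mismatch a mistyped subnet produces; the protocol field is deliberately not checked.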
Certificate-based Site-to-Site VPN tunnel
hari-wan01.hariduse.net router
The pre-shared key is configured. Now we set up certificate authentication.
To do this, navigate to System > Certificates > Authorities > + Add
Add the hari-wan01.hariduse.net certificate
hari-wan02.hariduse.net router
Create a new CA certificate and name it: "hari-wan02.hariduse.net"
Navigate back to hari-wan01.hariduse.net, add a new CA and import the certificate. Enter the certificate data, which can be found on the hari-wan02.hariduse router. Name the certificate: "hari-wan02.hariduse.net"
hari-wan02.hariduse.net certificates
hari-wan01.hariduse.net router
Navigate back to the IPsec configuration and change "Mutual PSK" > "Mutual Certificate".
My Certificate: "hari-wan01.hariduse.net"
Peer Certificate: "hari-wan02.hariduse.net"
hari-wan02.hariduse.net router
My Certificate: "hari-wan02.hariduse.net"
Peer Certificate: "hari-wan01.hariduse.net"
Final results:
Endpoint 1 and endpoint 2 can ping each other
The web management interfaces of router 1 and router 2 are reachable.