
EdgeRouter - Site-to-Site IPsec VPN to pfSense

Overview

Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN between an EdgeRouter and a pfSense router.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information.
Devices used in this article:

Table of Contents

  1. Frequently Asked Questions (FAQ)
  2. Setting up a Policy-Based VPN
  3. Related Articles

Frequently Asked Questions (FAQ)

1. What site-to-site IPsec VPN types can be configured on EdgeOS?

The following IPsec VPN types can be configured on EdgeOS:

  • Policy-Based
  • Route-Based (VTI)
  • GRE over IPsec

2. What are the available encryption and hashing options (Security Associations / SAs) for Phase 1 (IKE) and Phase 2 (ESP)?

Encryption

  • AES128
  • AES256
  • AES128GCM128
  • AES256GCM128
  • 3DES

Hashing

  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512

Setting up a Policy-Based VPN

[Figure: topology.png]

The 192.168.1.0/24 and 172.16.1.0/24 networks will be allowed to communicate with each other over the VPN.

GUI: Access the EdgeRouter Web UI.

1. Define the IPsec peer and hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Check: Automatically open firewall and exclude from NAT

Peer: 192.0.2.1
Description: ipsec
Local IP: 203.0.113.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 192.168.1.0/24
Remote subnet: 172.16.1.0/24

2. Apply the changes.

GUI: Access the pfSense Router Web UI.

1. Add the firewall rules for IPsec.

Firewall > Rules > WAN > Add

Action: Pass
Interface: WAN
Address Family: IPv4
Protocol: UDP
Source: any
Destination: any
Destination Port Range: From ISAKMP (500) to ISAKMP (500)
Description: ike

Action: Pass
Interface: WAN
Address Family: IPv4
Protocol: ESP
Source: any
Destination: any
Description: esp

Action: Pass
Interface: WAN
Address Family: IPv4
Protocol: UDP
Source: any
Destination: any
Destination Port Range: From IPsec NAT-T (4500) to IPsec NAT-T (4500)
Description: nat-t

Firewall > Rules > IPsec > Add

Action: Pass
Interface: IPsec
Address Family: IPv4
Protocol: Any
Source: Network 192.168.1.0/24
Destination: Network 172.16.1.0/24

2. Define and save the IKE settings.

VPN > IPsec > Tunnels > + Add P1

Key Exchange Version: IKEv1
Internet Protocol: IPv4
Interface: WAN
Remote Gateway: 203.0.113.1
Description: ipsec

Authentication Method: Mutual PSK
Negotiation Mode: Main
My Identifier: My IP address
Peer Identifier: Peer IP address
Pre-Shared Key: <secret>

Encryption Algorithm: AES 128 bits
Hash Algorithm: SHA1
DH Group: 14 (2048 bit)
Lifetime (Seconds): 28800

Dead Peer Detection: Uncheck / disabled
NAT Traversal: Auto

3. Define and save the ESP settings.

VPN > IPsec > Tunnels > Show Phase 2 Entries > +Add P2

Mode: Tunnel IPv4
Local Network: Network 172.16.1.0/24
NAT/BINAT Translation: None
Remote Network: Network 192.168.1.0/24

Protocol: ESP
Encryption Algorithms: AES 128 bits
Hash Algorithms: SHA1
PFS Key Group: 14
Lifetime (Seconds): 3600
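As an added check that is not part of this article or of either vendor's software: a small script that transcribes the settings above for both routers, normalizes the vendors' differing GUI labels (EdgeOS "AES-128" versus pfSense "AES 128 bits", "14" versus "14 (2048 bit)"), and reports any Phase 1 / Phase 2 parameter or subnet pair that does not mirror between the two sides. It also lists proposal algorithms that EdgeOS still offers (see the FAQ) but that are no longer recommended. The pfSense WAN address 192.0.2.1 is assumed from the EdgeRouter's Peer field.

```python
import re
from dataclasses import dataclass


def normalize(label: str) -> str:
    """Map vendor GUI labels to one token: 'AES-128' and 'AES 128 bits' -> 'aes128',
    '14 (2048 bit)' -> '14', 'SHA2-256' -> 'sha256'."""
    token = label.strip().lower()
    token = re.sub(r"\(.*?\)", "", token)          # drop '(2048 bit)'-style annotations
    token = token.replace("bits", "").replace("sha2-", "sha")
    return re.sub(r"[\s\-]", "", token)


@dataclass(frozen=True)
class IpsecSide:
    name: str
    local_ip: str
    peer_ip: str
    local_subnet: str
    remote_subnet: str
    ike: tuple   # (encryption, hash, DH group)  -> Phase 1
    esp: tuple   # (encryption, hash, PFS group) -> Phase 2


# Values transcribed from the article (constructed objects, not device exports).
# pfSense's WAN address is assumed to be the EdgeRouter's "Peer" value, 192.0.2.1.
EDGEROUTER = IpsecSide("EdgeRouter", "203.0.113.1", "192.0.2.1", "192.168.1.0/24", "172.16.1.0/24",
                       ("AES-128", "SHA1", "14"), ("AES-128", "SHA1", "14"))
PFSENSE = IpsecSide("pfSense", "192.0.2.1", "203.0.113.1", "172.16.1.0/24", "192.168.1.0/24",
                    ("AES 128 bits", "SHA1", "14 (2048 bit)"), ("AES 128 bits", "SHA1", "14"))

DEPRECATED = {"3des", "md5", "sha1"}   # offered by EdgeOS, but no longer recommended


def check_peering(a: IpsecSide, b: IpsecSide) -> list:
    """Return human-readable mismatches; an empty list means the two sides mirror each other."""
    problems = []
    if (a.local_ip, a.peer_ip) != (b.peer_ip, b.local_ip):
        problems.append("peer addresses do not mirror")
    if (a.local_subnet, a.remote_subnet) != (b.remote_subnet, b.local_subnet):
        problems.append("traffic selectors (local/remote subnet) do not mirror")
    for phase, pa, pb in (("IKE", a.ike, b.ike), ("ESP", a.esp, b.esp)):
        for field, x, y in zip(("encryption", "hash", "dh/pfs group"), pa, pb):
            if normalize(x) != normalize(y):
                problems.append(f"{phase} {field}: {a.name}={x!r} vs {b.name}={y!r}")
    return problems


def deprecated_algorithms(side: IpsecSide) -> list:
    """Proposal algorithms on this side that fall in the DEPRECATED set."""
    used = side.ike[:2] + side.esp[:2]
    return sorted({normalize(alg) for alg in used if normalize(alg) in DEPRECATED})


if __name__ == "__main__":
    for line in check_peering(EDGEROUTER, PFSENSE) or ["OK: both sides mirror each other"]:
        print(line)
    print("deprecated on EdgeRouter side:", deprecated_algorithms(EDGEROUTER))
```

A typo such as "SHA128" on one side shows up as an IKE hash mismatch, which is exactly the kind of disagreement that makes Phase 1 fail silently.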

Related Articles

EdgeRouter - Policy-Based Site-to-Site IPsec VPN

Intro to Networking - How to Establish a Connection Using SSH