{"id":12298,"date":"2022-04-20T23:20:47","date_gmt":"2022-04-20T20:20:47","guid":{"rendered":"https:\/\/kifarunix.com\/?p=12298"},"modified":"2024-03-09T11:47:37","modified_gmt":"2024-03-09T08:47:37","slug":"configure-site-to-site-ipsec-vpn-on-pfsense-and-libreswan","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/configure-site-to-site-ipsec-vpn-on-pfsense-and-libreswan\/","title":{"rendered":"Configure Site-to-Site IPSec VPN on pfSense and Libreswan"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to configure Site-to-Site IPSec VPN on pfSense and Libreswan. <a href=\"https:\/\/www.cloudflare.com\/learning\/network-layer\/what-is-ipsec\/\" target=\"_blank\" rel=\"noreferrer noopener\">IPSec<\/a> (Internet Protocol Security) is a network security protocol suite commonly used by VPNs to create an authenticated and encrypted communication tunnel between the communicating endpoints, by authenticating and encrypting each data packet.<\/p>\n\n\n\n<p>Both pfSense and Libreswan can be configured to establish a site-to-site IPSec VPN tunnel that enables remote systems to communicate securely. They can also be integrated with commercial products such as Cisco ASA or Fortinet devices to set up secured IPSec VPN tunnels between communicating sites.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Configure Site-to-Site IPSec VPN on pfSense and Libreswan<\/h2>\n\n\n\n<p>In order to demonstrate how to set up a Site-to-Site IPSec VPN between pfSense and Libreswan, here is our deployment architecture.<\/p>\n\n\n\n<p><strong>NOTE that the IP addresses 11.22.33.44 and 55.66.77.88<\/strong> used in this guide are <strong>BOGUS<\/strong> and are used for demonstration purposes only. 
Replace them accordingly!<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1320\" height=\"621\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-ipsec-libreswan-sample-architecture.png\" alt=\"Configure Site-to-Site IPSec VPN on pfSense and Libreswan\" class=\"wp-image-12299\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-ipsec-libreswan-sample-architecture.png?v=1650048986 1320w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-ipsec-libreswan-sample-architecture-768x361.png?v=1650048986 768w\" sizes=\"(max-width: 1320px) 100vw, 1320px\" \/><\/figure>\n\n\n\n<p>IPSec VPN configurations must match on both peers in order for the tunnel to be established successfully. Below are the configuration settings we are using in this particular setup;<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>VPN device host information<\/strong><\/td><td><strong>Side A<\/strong><\/td><td><strong>Side B<\/strong><\/td><\/tr><tr><td>VPN device version<\/td><td>pfSense 2.5.0<\/td><td>Libreswan<\/td><\/tr><tr><td>IP address<\/td><td>11.22.33.44 (<strong>bogus IP address<\/strong>)<\/td><td>55.66.77.88 (<strong>bogus IP address<\/strong>)<\/td><\/tr><tr><td><\/td><td><\/td><td><\/td><\/tr><tr><td><strong>IKE &#8211; Phase 1 properties<\/strong><\/td><td><strong>Side A<\/strong><\/td><td><strong>Side B<\/strong><\/td><\/tr><tr><td>Authentication method<\/td><td>PSK (ChangeME)<\/td><td>PSK (ChangeME)<\/td><\/tr><tr><td>Encryption scheme<\/td><td>IKEv2<\/td><td>IKEv2<\/td><\/tr><tr><td>Perfect Forward Secrecy &#8211; IKE<\/td><td>DH Group 20<\/td><td>DH Group 20<\/td><\/tr><tr><td>Encryption algorithm &#8211; IKE<\/td><td>AES256<\/td><td>AES256<\/td><\/tr><tr><td>Hashing algorithm &#8211; IKE<\/td><td>SHA256<\/td><td>SHA256<\/td><\/tr><tr><td>IKE SA lifetime<\/td><td>86400 sec<\/td><td>86400 
sec<\/td><\/tr><tr><td><\/td><td><\/td><td>&nbsp;<\/td><\/tr><tr><td><strong>IPSec &#8211; Phase 2 properties<\/strong><\/td><td><strong>Side A<\/strong><\/td><td><strong>Side B<\/strong><\/td><\/tr><tr><td>Transform (IPSec protocol)<\/td><td>ESP<\/td><td>ESP<\/td><\/tr><tr><td>Perfect Forward Secrecy &#8211; IPSec<\/td><td>DH Group 20<\/td><td>DH Group 20<\/td><\/tr><tr><td>Encryption algorithm &#8211; IPSec<\/td><td>AES256<\/td><td>AES256<\/td><\/tr><tr><td>Hashing algorithm &#8211; IPSec<\/td><td>SHA256<\/td><td>SHA256<\/td><\/tr><tr><td>IPSec SA lifetime<\/td><td>3600 sec<\/td><td>3600 sec<\/td><\/tr><tr><td><\/td><td><\/td><td><\/td><\/tr><tr><td><strong>Encryption hosts<\/strong><\/td><td><strong>Side A<\/strong><\/td><td><strong>Side B<\/strong><\/td><\/tr><tr><td>Remote Networks<\/td><td>&nbsp;172.16.0.0\/24<\/td><td>192.168.0.0\/24<\/td><\/tr><tr><td>Hosts<\/td><td>172.16.0.20<\/td><td>192.168.0.200<\/td><\/tr><\/tbody><\/table><figcaption class=\"wp-element-caption\">IPSec VPN Tunnel between pfSense and Libreswan configurations<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Configure IPSec VPN on pfSense on Side A<\/h3>\n\n\n\n<p>You can start by configuring the IPSec VPN settings on pfSense on side A.<\/p>\n\n\n\n<p>We extensively explained how to configure IPSec VPN on pfSense in our previous guide. 
You can check the link below on how to go about this configuration;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/setup-ipsec-site-to-site-vpn-tunnel-on-pfsense\/#pfsense-ipsec-side-a\" target=\"_blank\" rel=\"noreferrer noopener\">Configuring IPSec on pfSense on Side A<\/a><\/p>\n\n\n\n<p>This is how our configurations look;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-ipsec-vpn-configuration.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1399\" height=\"656\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-ipsec-vpn-configuration.png\" alt=\"Configure Site-to-Site IPSec VPN on pfSense and Libreswan\" class=\"wp-image-12331\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-ipsec-vpn-configuration.png?v=1650485062 1399w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-ipsec-vpn-configuration-768x360.png?v=1650485062 768w\" sizes=\"(max-width: 1399px) 100vw, 1399px\" \/><\/figure><\/a><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Configure Libreswan IPSec VPN<\/h3>\n\n\n\n<p>On the remote end, we are using a Rocky Linux server which acts as a Linux router for the Side B LAN.<\/p>\n\n\n\n<p>Thus, to set up Libreswan for IPSec VPN on Rocky Linux;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Run a system update;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>dnf update<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Install Libreswan on Rocky Linux;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>dnf install libreswan<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Initialize the IPSec NSS database;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ipsec initnss<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start and enable the IPSec service;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl enable --now ipsec<\/code><\/pre>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Open the Libreswan IPSec service ports on the firewall. In this setup, firewalld is disabled in favour of the classic iptables service;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl disable --now firewalld<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dnf install iptables-services<\/code><\/pre>\n\n\n\n<p>For ISAKMP\/IKE on UDP 500 (negotiation of the security associations);<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables -A INPUT -p udp --dport 500 -j ACCEPT<\/code><\/pre>\n\n\n\n<p>For NAT-T on UDP 4500 (IPsec NAT traversal, used when a peer sits behind NAT);<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables -A INPUT -p udp --dport 4500 -j ACCEPT<\/code><\/pre>\n\n\n\n<p>For the ESP payload (the encrypted data packets);<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables -A INPUT -p esp -j ACCEPT<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable IP masquerading with iptables for traffic leaving Side B, excluding traffic destined for the two VPN subnets so that it is not NATed before it enters the tunnel.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ipset create ipsecvpn hash:net\nipset add ipsecvpn 192.168.0.0\/24\nipset add ipsecvpn 172.16.0.0\/24<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables -t nat -A POSTROUTING -j MASQUERADE -m set ! 
--match-set ipsecvpn dst<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables-save &gt; \/etc\/sysconfig\/iptables<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart iptables<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Disable redirects for XFRM\/IPsec;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>cp \/etc\/sysctl.d\/50-libreswan.conf{,.old}<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > \/etc\/sysctl.d\/50-libreswan.conf << 'EOL'\nnet.ipv6.conf.default.accept_redirects = 0\nnet.ipv6.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.all.rp_filter = 0\nEOL\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>sysctl --system<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create the Libreswan IPSec VPN configuration. <strong>The settings here must exactly match what is configured on the remote peer!<\/strong><\/li>\n<\/ul>\n\n\n\n<p>Create a backup of the default IPSec configuration file;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mv \/etc\/ipsec.conf{,.old}<\/code><\/pre>\n\n\n\n<p>Run the command below to write our sample configuration into the <strong><code>\/etc\/ipsec.conf<\/code><\/strong> file;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > \/etc\/ipsec.conf << 'EOL'\nconfig setup\n        logfile=\/var\/log\/pluto.log\n\nconn libreswan-pfsense\n        type=tunnel\n        authby=secret\n        left=55.66.77.88\n        leftid=55.66.77.88\n        leftsubnet=192.168.0.0\/24\n        right=11.22.33.44\n        rightid=11.22.33.44\n        rightsubnet=172.16.0.0\/24\n        ike=aes256-sha256-ecp384\n        esp=aes256-sha256-ecp384\n        pfs=yes\n        keyingtries=5\n        ikev2=insist\n        ikelifetime=24h\n        salifetime=1h\n        dpddelay=30\n        dpdtimeout=120\n        
dpdaction=restart\n        auto=start\ninclude \/etc\/crypto-policies\/back-ends\/libreswan.config\nEOL\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Install the pfSense-Libreswan IPSec secrets. This is the Pre-Shared Key (PSK), and it must match the PSK configured on pfSense;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>echo '55.66.77.88 : PSK \"ChangeME\"\n11.22.33.44 : PSK \"ChangeME\"' &gt; \/etc\/ipsec.secrets<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Next, verify the Libreswan IPSec configuration syntax;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ipsec verify<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Verifying installed system and configuration files\n\nVersion check and ipsec on-path                   \t[OK]\nLibreswan 4.4 (netkey) on 4.18.0-348.20.1.el8_5.x86_64\nChecking for IPsec support in kernel              \t[OK]\n NETKEY: Testing XFRM related proc values\n         ICMP default\/send_redirects              \t[OK]\n         ICMP default\/accept_redirects            \t[OK]\n         XFRM larval drop                         \t[OK]\nPluto ipsec.conf syntax                           \t[OK]\nChecking rp_filter                                \t[OK]\nChecking that pluto is running                    \t[OK]\n Pluto listening for IKE on udp 500               \t[OK]\n Pluto listening for IKE\/NAT-T on udp 4500        \t[OK]\n Pluto ipsec.secret syntax                        \t[OK]\nChecking 'ip' command                             \t[OK]\nChecking 'iptables' command                       \t[OK]\nChecking 'prelink' command does not interfere with FIPS\t[OK]\nChecking for obsolete ipsec.conf options          \t[OK]\n<\/code><\/pre>\n\n\n\n<p>Restart the IPSec service;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart ipsec<\/code><\/pre>\n\n\n\n<p>Check the status;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status ipsec<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\u25cf ipsec.service - Internet 
Key Exchange (IKE) Protocol Daemon for IPsec\n   Loaded: loaded (\/usr\/lib\/systemd\/system\/ipsec.service; enabled; vendor preset: disabled)\n   Active: active (running) since Sat 2022-04-16 00:45:15 EAT; 3min 3s ago\n     Docs: man:ipsec(8)\n           man:pluto(8)\n           man:ipsec.conf(5)\n  Process: 6181 ExecStopPost=\/usr\/sbin\/ipsec --stopnflog (code=exited, status=0\/SUCCESS)\n  Process: 6177 ExecStopPost=\/bin\/bash -c if test \"$EXIT_STATUS\" != \"12\"; then \/sbin\/ip xfrm policy flush; \/sbin\/ip xfrm state flush; fi (code=exited, status=0\/SUCCESS)\n  Process: 6174 ExecStop=\/usr\/libexec\/ipsec\/whack --shutdown (code=exited, status=0\/SUCCESS)\n  Process: 6435 ExecStartPre=\/usr\/sbin\/ipsec --checknflog (code=exited, status=0\/SUCCESS)\n  Process: 6433 ExecStartPre=\/usr\/sbin\/ipsec --checknss (code=exited, status=0\/SUCCESS)\n  Process: 6190 ExecStartPre=\/usr\/libexec\/ipsec\/_stackmanager start (code=exited, status=0\/SUCCESS)\n  Process: 6188 ExecStartPre=\/usr\/libexec\/ipsec\/addconn --config \/etc\/ipsec.conf --checkconfig (code=exited, status=0\/SUCCESS)\n Main PID: 6447 (pluto)\n   Status: \"Startup completed.\"\n    Tasks: 4 (limit: 17837)\n   Memory: 3.8M\n   CGroup: \/system.slice\/ipsec.service\n           \u2514\u25006447 \/usr\/libexec\/ipsec\/pluto --leak-detective --config \/etc\/ipsec.conf --nofork\n\nApr 16 00:45:15 vpn.kifarunix-demo.com systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...\nApr 16 00:45:15 vpn.kifarunix-demo.com ipsec[6435]: nflog ipsec capture disabled\nApr 16 00:45:15 vpn.kifarunix-demo.com systemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.\n<\/code><\/pre>\n\n\n\n<p>Or use the command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ipsec status<\/code><\/pre>\n\n\n\n<p>Sample output (pay attention to the line <strong>Total IPsec connections:<\/strong>);<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>000 using kernel interface: xfrm\n000  \n000 interface lo 
UDP [::1]:500\n000 interface lo UDP 127.0.0.1:4500\n000 interface lo UDP 127.0.0.1:500\n000 interface enp0s3 UDP 55.66.77.88:4500\n000 interface enp0s3 UDP 55.66.77.88:500\n000 interface enp0s8 UDP 192.168.0.1:4500\n000 interface enp0s8 UDP 192.168.0.1:500\n000  \n000 fips mode=disabled;\n000 SElinux=enabled\n000 seccomp=disabled\n000  \n000 config setup options:\n000  \n000 configdir=\/etc, configfile=\/etc\/ipsec.conf, secrets=\/etc\/ipsec.secrets, ipsecdir=\/etc\/ipsec.d\n000 nssdir=\/etc\/ipsec.d, dumpdir=\/run\/pluto, statsbin=unset\n000 dnssec-rootkey-file=\/var\/lib\/unbound\/root.key, dnssec-trusted=&lt;unset&gt;\n000 sbindir=\/usr\/sbin, libexecdir=\/usr\/libexec\/ipsec\n000 pluto_version=4.4, pluto_vendorid=OE-Libreswan-4.4, audit-log=yes\n000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=30s\n000 ddos-cookies-threshold=25000, ddos-max-halfopen=50000, ddos-mode=auto, ikev1-policy=accept\n000 ikebuf=0, msg_errqueue=yes, crl-strict=no, crlcheckinterval=0, listen=&lt;any&gt;, nflog-all=0\n000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=&lt;unset&gt;\n000 ocsp-trust-name=&lt;unset&gt;\n000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get\n000 global-redirect=no, global-redirect-to=&lt;unset&gt;\n000 secctx-attr-type=32001\n000 debug:\n000  \n000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500\n000 virtual-private (%priv):\n000  \n000 Kernel algorithms supported:\n000  \n000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192\n000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: 
name=AES_GCM_12, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256\n000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256\n000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0\n000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256\n000 algorithm AH\/ESP auth: name=AES_CMAC_96, key-length=128\n000 algorithm AH\/ESP auth: name=AES_XCBC_96, key-length=128\n000 algorithm AH\/ESP auth: name=HMAC_MD5_96, key-length=128\n000 algorithm AH\/ESP auth: name=HMAC_SHA1_96, key-length=160\n000 algorithm AH\/ESP auth: name=HMAC_SHA2_256_128, key-length=256\n000 algorithm AH\/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256\n000 algorithm AH\/ESP auth: name=HMAC_SHA2_384_192, key-length=384\n000 algorithm AH\/ESP auth: name=HMAC_SHA2_512_256, key-length=512\n000 algorithm AH\/ESP auth: name=NONE, key-length=0\n000  \n000 IKE algorithms supported:\n000  \n000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192\n000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128\n000 algorithm IKE encrypt: v1id=-1, v1name=n\/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128\n000 algorithm IKE encrypt: v1id=-1, v1name=n\/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128\n000 algorithm IKE encrypt: v1id=-1, v1name=n\/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128\n000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128\n000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128\n000 algorithm IKE encrypt: v1id=-1, v1name=n\/a, v2id=28, v2name=CHACHA20_POLY1305, 
blocksize=16, keydeflen=256\n000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16\n000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20\n000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32\n000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48\n000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64\n000 algorithm IKE PRF: name=AES_XCBC, hashlen=16\n000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024\n000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536\n000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048\n000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072\n000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096\n000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144\n000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192\n000 algorithm IKE DH Key Exchange: name=DH19, bits=512\n000 algorithm IKE DH Key Exchange: name=DH20, bits=768\n000 algorithm IKE DH Key Exchange: name=DH21, bits=1056\n000 algorithm IKE DH Key Exchange: name=DH31, bits=256\n000  \n000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} \n000  \n000 Connection list:\n000  \n000 \"libreswan-pfsense\": 192.168.0.0\/24===55.66.77.88&lt;55.66.77.88&gt;...11.22.33.44&lt;11.22.33.44&gt;===172.16.0.0\/24; erouted; eroute owner: #2\n000 \"libreswan-pfsense\":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;\n000 \"libreswan-pfsense\":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]\n000 \"libreswan-pfsense\":   our auth:secret, their auth:secret\n000 \"libreswan-pfsense\":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;\n000 \"libreswan-pfsense\":   sec_label:unset;\n000 \"libreswan-pfsense\":   ike_life: 86400s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5;\n000 \"libreswan-pfsense\":   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;\n000 \"libreswan-pfsense\": 
  initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;\n000 \"libreswan-pfsense\":   policy: IKEv2+PSK+ENCRYPT+TUNNEL+PFS+UP+IKE_FRAG_ALLOW+ESN_NO;\n000 \"libreswan-pfsense\":   v2-auth-hash-policy: none;\n000 \"libreswan-pfsense\":   conn_prio: 24,24; interface: enp0s3; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;\n000 \"libreswan-pfsense\":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;\n000 \"libreswan-pfsense\":   our idtype: ID_IPV4_ADDR; our id=55.66.77.88; their idtype: ID_IPV4_ADDR; their id=11.22.33.44\n000 \"libreswan-pfsense\":   dpd: action:restart; delay:30; timeout:120; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both\n000 \"libreswan-pfsense\":   newest ISAKMP SA: #1; newest IPsec SA: #2; conn serial: $1;\n000 \"libreswan-pfsense\":   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-DH20\n000 \"libreswan-pfsense\":   IKEv2 algorithm newest: AES_CBC_256-HMAC_SHA2_256-DH20\n000 \"libreswan-pfsense\":   ESP algorithms: AES_CBC_256-HMAC_SHA2_256_128-DH20\n000 \"libreswan-pfsense\":   ESP algorithm newest: AES_CBC_256-HMAC_SHA2_256_128; pfsgroup=&lt;Phase1&gt;\n000  \n<strong>000 Total IPsec connections: loaded 1, active 1<\/strong>\n000  \n000 State Information: DDoS cookies not required, Accepting new IKE connections\n000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)\n000 IPsec SAs: total(1), authenticated(1), anonymous(0)\n000  \n000 #1: \"libreswan-pfsense\":500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EVENT_SA_REKEY in 85347s; newest ISAKMP; idle;\n000 #2: \"libreswan-pfsense\":500 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); EVENT_SA_REKEY in 2788s; newest IPSEC; eroute owner; isakmp#1; idle;\n000 #2: \"libreswan-pfsense\" esp.c134ccd6@11.22.33.44 esp.456895d1@55.66.77.88 tun.0@11.22.33.44 tun.0@55.66.77.88 Traffic: ESPin=0B ESPout=0B! 
ESPmax=0B \n000  \n000 Bare Shunt list:\n000\n<\/code><\/pre>\n\n\n\n<p>Check the status on pfSense as well;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-libreswan-connection-status.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1451\" height=\"690\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-libreswan-connection-status.png\" alt=\"Configure Site-to-Site IPSec VPN on pfSense and Libreswan\" class=\"wp-image-12332\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-libreswan-connection-status.png?v=1650485103 1451w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/pfsense-libreswan-connection-status-768x365.png?v=1650485103 768w\" sizes=\"(max-width: 1451px) 100vw, 1451px\" \/><\/figure><\/a><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Test the connection between Local LANs<\/h2>\n\n\n\n<p>The tunnel is now established; next, verify that the two remote LANs can actually communicate through it.<\/p>\n\n\n\n<p>Provided that you have the correct firewall rules in place, everything should work just fine now.<\/p>\n\n\n\n<p>On Side A, let's check connectivity from the system <strong>172.16.0.20<\/strong> to the Side B local system, <strong>192.168.0.200<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ip a<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000\n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\/8 scope host lo\n       valid_lft forever preferred_lft forever\n    inet6 ::1\/128 scope host \n       valid_lft forever preferred_lft forever\n2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000\n    link\/ether 08:00:27:80:75:65 brd ff:ff:ff:ff:ff:ff\n    inet 172.16.0.20\/24 brd 172.16.0.255 scope global 
enp0s3\n       valid_lft forever preferred_lft forever\n    inet6 fe80::a00:27ff:fe80:7565\/64 scope link \n       valid_lft forever preferred_lft forever\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>ip r<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>default via 172.16.0.1 dev enp0s3 onlink \n172.16.0.0\/24 dev enp0s3 proto kernel scope link src 172.16.0.20<\/code><\/pre>\n\n\n\n<p>Check connectivity to the remote system;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ping -c 4 192.168.0.200<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>PING 192.16.0.200 (192.16.0.200) 56(84) bytes of data.\n64 bytes from 192.16.0.200: icmp_seq=1 ttl=48 time=251 ms\n64 bytes from 192.16.0.200: icmp_seq=2 ttl=48 time=274 ms\n64 bytes from 192.16.0.200: icmp_seq=3 ttl=48 time=296 ms\n64 bytes from 192.16.0.200: icmp_seq=4 ttl=48 time=196 ms\n\n--- 192.16.0.200 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3006ms\nrtt min\/avg\/max\/mdev = 195.909\/254.192\/296.481\/37.353 ms\n<\/code><\/pre>\n\n\n\n<p>Check the connection to the remote SSH port;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>telnet 192.168.0.200 22<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>Trying 192.168.0.200...\nConnected to 192.168.0.200.\nEscape character is '^]'.\nSSH-2.0-OpenSSH_8.4p1 Debian-5\n^]\n\ntelnet&gt; quit\nConnection closed.\n<\/code><\/pre>\n\n\n\n<p>On Side B, let's check connectivity from the system <strong>192.168.0.200<\/strong> to the Side A local system, <strong>172.16.0.20<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ip a<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000\n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\/8 scope host lo\n       valid_lft forever preferred_lft forever\n    inet6 ::1\/128 scope host \n       valid_lft forever preferred_lft forever\n2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> 
mtu 1500 qdisc pfifo_fast state UP group default qlen 1000\n    link\/ether 08:00:27:88:1b:ae brd ff:ff:ff:ff:ff:ff\n    inet 192.168.0.200\/24 brd 192.168.0.255 scope global enp0s3\n       valid_lft forever preferred_lft forever\n    inet6 fe80::a00:27ff:fe88:1bae\/64 scope link \n       valid_lft forever preferred_lft forever\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>ip r<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>default via 192.168.0.1 dev enp0s3 onlink \n192.168.0.0\/24 dev enp0s3 proto kernel scope link src 192.168.0.200<\/code><\/pre>\n\n\n\n<p>Check connectivity to the remote system;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ping -c 4 172.16.0.20<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>PING 172.16.0.20 (172.16.0.20) 56(84) bytes of data.\n64 bytes from 172.16.0.20: icmp_seq=1 ttl=62 time=0.685 ms\n64 bytes from 172.16.0.20: icmp_seq=2 ttl=62 time=1.12 ms\n64 bytes from 172.16.0.20: icmp_seq=3 ttl=62 time=1.12 ms\n64 bytes from 172.16.0.20: icmp_seq=4 ttl=62 time=1.31 ms\n\n--- 172.16.0.20 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3015ms\nrtt min\/avg\/max\/mdev = 0.685\/1.058\/1.314\/0.230 ms\n<\/code><\/pre>\n\n\n\n<p>Check the connection to the remote SSH port;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>telnet 172.16.0.20 22<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>Trying 172.16.0.20...\nConnected to 172.16.0.20.\nEscape character is '^]'.\nSSH-2.0-OpenSSH_8.4p1 Debian-5\n^]\n\ntelnet&gt; quit\nConnection closed.\n<\/code><\/pre>\n\n\n\n<p>So what firewall rules do we have in place?<\/p>\n\n\n\n<p>On Side A, the pfSense firewall rules;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/ipsec-firewall-rules-side-a-LAN.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/ipsec-firewall-rules-side-a-LAN.png\" alt=\"Configure 
Site-to-Site IPSec VPN on pfSense and Libreswan\" class=\"wp-image-12328\" width=\"1068\" height=\"462\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/ipsec-firewall-rules-side-a-LAN.png?v=1650484662 1468w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/ipsec-firewall-rules-side-a-LAN-768x333.png?v=1650484662 768w\" sizes=\"(max-width: 1068px) 100vw, 1068px\" \/><figcaption>LAN Rules<\/figcaption><\/figure><\/a><\/div>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/ipsec-firewall-rules-side-a-IPSec.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/ipsec-firewall-rules-side-a-IPSec.png\" alt=\"Configure Site-to-Site IPSec VPN on pfSense and Libreswan\" class=\"wp-image-12329\" width=\"1068\" height=\"311\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/ipsec-firewall-rules-side-a-IPSec.png?v=1650484696 1462w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/ipsec-firewall-rules-side-a-IPSec-768x224.png?v=1650484696 768w\" sizes=\"(max-width: 1068px) 100vw, 1068px\" \/><figcaption>IPSec Rules<\/figcaption><\/figure><\/a><\/div>\n\n\n\n<p>On the Libreswan CentOS Linux router, the firewall rules;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables -L -nv<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>Chain INPUT (policy DROP 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination         \n  273 39388 ACCEPT     esp  --  *      *       0.0.0.0\/0            0.0.0.0\/0           \n    0     0 ACCEPT     udp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            udp dpt:4500\n  101 10908 ACCEPT     udp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            udp dpt:500\n    1    84 ACCEPT     icmp --  *      *       0.0.0.0\/0            0.0.0.0\/0           \n    0    
 0 ACCEPT     all  --  lo     *       0.0.0.0\/0            0.0.0.0\/0           \n  246 16940 ACCEPT     tcp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            tcp dpt:22\n  119 18126 REJECT     all  --  *      *       0.0.0.0\/0            0.0.0.0\/0            reject-with icmp-host-prohibited\n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination         \n  280 20726 ACCEPT     all  --  enp0s3 enp0s8  0.0.0.0\/0            0.0.0.0\/0           \n  211 23856 ACCEPT     all  --  enp0s8 enp0s3  0.0.0.0\/0            0.0.0.0\/0           \n    0     0 REJECT     all  --  *      *       0.0.0.0\/0            0.0.0.0\/0            reject-with icmp-host-prohibited\n\nChain OUTPUT (policy ACCEPT 746 packets, 101K bytes)\n pkts bytes target     prot opt in     out     source               destination\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables -t nat -L -nv<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>Chain PREROUTING (policy ACCEPT 18 packets, 1319 bytes)\n pkts bytes target     prot opt in     out     source               destination         \n\nChain INPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination         \n\nChain POSTROUTING (policy ACCEPT 10 packets, 672 bytes)\n pkts bytes target     prot opt in     out     source               destination         \n   31  2265 MASQUERADE  all  --  *      *       0.0.0.0\/0            0.0.0.0\/0            ! 
match-set ipsecvpn dst\n\nChain OUTPUT (policy ACCEPT 30 packets, 2172 bytes)\n pkts bytes target     prot opt in     out     source               destination\n<\/code><\/pre>\n\n\n\n<p>And that is it on how to set up a Site-to-Site IPSec VPN between pfSense and Libreswan.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Other Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/setup-ipsec-vpn-server-with-libreswan-on-rocky-linux\/\" target=\"_blank\" rel=\"noreferrer noopener\">Setup IPSec VPN server with Libreswan on Rocky Linux<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/setup-ipsec-site-to-site-vpn-tunnel-on-pfsense\/\" target=\"_blank\" rel=\"noreferrer noopener\">Setup IPSec Site-to-Site VPN Tunnel on pfSense<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to configure Site-to-Site IPSec VPN on pfSense and Libreswan. IPSec (Internet Protocol Security) is a secured network protocol<\/p>\n","protected":false},"author":3,"featured_media":12476,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,44,1454,34,321],"tags":[4930,1716,4929,4927,4928,323],"class_list":["post-12298","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-firewall","category-pfsense","category-security","category-vpn","tag-ipsec-vpn-tunnel","tag-libreswan","tag-libreswan-site-to-site-ipsec-vpn","tag-pfsense-and-libreswan-ipsec-vpn","tag-site-to-site-ipsec-vpn-pfsense","tag-vpn","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12298"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifa
runix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=12298"}],"version-history":[{"count":13,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12298\/revisions"}],"predecessor-version":[{"id":20462,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12298\/revisions\/20462"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/12476"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=12298"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=12298"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=12298"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}