PfSense IPsec Site-to-Site VPN With FortiGate: A Comprehensive Guide

by Jhon Lennon 69 views
Iklan Headers

Setting up a secure connection between two networks is crucial for many businesses, and a site-to-site VPN is a reliable way to achieve this. In this guide, we'll walk you through configuring an IPsec site-to-site VPN between a pfSense firewall and a FortiGate firewall. This setup allows secure communication between networks located at different physical locations, ensuring data confidentiality and integrity.

Prerequisites

Before we dive into the configuration, let's make sure you have everything you need:

  • Two networks, each with its own internet connection.
  • A pfSense firewall installed and configured on one network.
  • A FortiGate firewall installed and configured on the other network.
  • Static public IP addresses for both firewalls (or dynamic DNS configured).
  • Basic understanding of networking concepts, including IP addressing, subnetting, and routing.

Step-by-Step Configuration

1. pfSense Configuration

First, we'll configure the IPsec settings on the pfSense firewall.

  • Navigate to VPN > IPsec > Tunnels in the pfSense web interface.
  • Click Add P1 to create a new Phase 1 entry.
  • General Information:
    • Key exchange version: IKEv2
    • Internet Protocol: IPv4
    • Interface: WAN (or the interface connected to the internet)
    • Remote Gateway: The public IP address of the FortiGate firewall.
    • Description: A descriptive name for the tunnel (e.g., FortiGate-VPN).
  • Phase 1 Proposal (Authentication):
    • Authentication method: Mutual PSK
    • Pre-Shared Key: A strong, randomly generated key. Make sure to use the same key on both pfSense and FortiGate.
    • My identifier: My IP address
    • Peer identifier: Peer IP address
  • Phase 1 Proposal (Encryption):
    • Encryption Algorithm: AES256
    • Hash Algorithm: SHA256
    • DH Key Group: 14 (2048 bit)
  • Click Save to save the Phase 1 configuration.

Next, we'll configure Phase 2.

  • Click Add P2 to create a new Phase 2 entry.
  • General Information:
    • Mode: Tunnel IPv4
    • Description: A descriptive name for Phase 2 (e.g., FortiGate-Phase2).
    • Protocol: ESP
  • Phase 2 Proposal (SA/Key Exchange):
    • Encryption Algorithms: AES256GCM16
    • Hash Algorithms: NULL
    • PFS Key Group: 14 (2048 bit)
  • Source:
    • Type: LAN Subnet (or the subnet you want to route through the VPN)
    • Address: The LAN subnet of the pfSense network (e.g., 192.168.1.0/24).
  • Destination:
    • Type: Network
    • Address: The LAN subnet of the FortiGate network (e.g., 192.168.2.0/24).
  • Click Save to save the Phase 2 configuration.
  • Apply the changes.

2. FortiGate Configuration

Now, let's configure the IPsec settings on the FortiGate firewall.

  • Navigate to VPN > IPsec Wizard in the FortiGate web interface.
  • Template type: Custom
  • VPN Creation Wizard:
    • Name: A descriptive name for the VPN (e.g., pfSense-VPN).
    • Remote Gateway:
      • IP Address: The public IP address of the pfSense firewall.
      • Interface: The WAN interface of the FortiGate.
    • Authentication:
      • Method: Pre-shared Key
      • Pre-shared Key: The same pre-shared key you configured on pfSense.
    • Phase 1 Proposal:
      • Encryption: AES256
      • Authentication: SHA256
      • DH Group: 14
    • Phase 2 Proposal:
      • Protocol: ESP
      • Encryption: AES256GCM16
      • Authentication: NULL
      • PFS: Enable, DH Group 14
    • Local Network: The LAN subnet of the FortiGate network (e.g., 192.168.2.0/24).
    • Remote Network: The LAN subnet of the pfSense network (e.g., 192.168.1.0/24).
  • Click Create to finish the wizard.

3. Firewall Rules and Routing

Firewall rules and routing are crucial for allowing traffic to pass through the VPN tunnel. Let's configure these on both pfSense and FortiGate.

pfSense Firewall Rules:

  • Navigate to Firewall > Rules > IPsec.
  • Create a new rule:
    • Action: Pass
    • Interface: IPsec
    • Protocol: Any
    • Source: LAN Subnet (or the subnet you want to route through the VPN)
    • Destination: Network, The LAN subnet of the FortiGate network (e.g., 192.168.2.0/24).
  • Click Save and Apply Changes.
  • Create another rule in Firewall > Rules > LAN to allow traffic from your LAN network to the Fortigate network.

pfSense Outbound NAT:

  • Navigate to Firewall > NAT > Outbound.
  • Mode: Manual Outbound NAT rule generation.
  • Add a new rule:
    • Interface: WAN
    • Source: LAN Subnet (e.g., 192.168.1.0/24)
    • Destination: Network, The LAN subnet of the FortiGate network (e.g., 192.168.2.0/24).
    • NAT Address: None.
  • Click Save and Apply Changes.

FortiGate Firewall Policies:

  • Navigate to Policy & Objects > Firewall Policy.
  • Create a new policy:
    • Name: A descriptive name for the policy (e.g., pfSense-to-FortiGate).
    • Incoming Interface: The IPsec tunnel interface you created.
    • Outgoing Interface: The LAN interface of the FortiGate.
    • Source: The LAN subnet of the pfSense network (e.g., 192.168.1.0/24).
    • Destination: The LAN subnet of the FortiGate network (e.g., 192.168.2.0/24).
    • Schedule: Always
    • Service: ALL
    • Action: ACCEPT
  • Click OK to save the policy.
  • Create another policy for traffic originating from the FortiGate network going to the pfSense network, reversing the source and destination.

FortiGate Static Routes:

  • Navigate to Network > Static Routes.
  • Create a new static route:
    • Destination: The LAN subnet of the pfSense network (e.g., 192.168.1.0/24).
    • Gateway: The IP address of the pfSense firewall's LAN interface (or the next hop IP address).
    • Interface: The IPsec tunnel interface.
  • Click OK to save the route.

4. Verification and Troubleshooting

After completing the configuration, it's essential to verify that the VPN tunnel is working correctly. Here's how you can do it:

  • Check IPsec Status:
    • pfSense: Navigate to Status > IPsec. You should see the tunnel established.
    • FortiGate: Navigate to Monitor > IPsec Monitor. You should see the tunnel up.
  • Ping Test:
    • From a host on the pfSense network, ping a host on the FortiGate network.
    • From a host on the FortiGate network, ping a host on the pfSense network.
  • Troubleshooting:
    • If the tunnel isn't establishing, check the logs on both firewalls for errors.
    • Double-check the pre-shared key and IP addresses.
    • Ensure that the firewall rules and static routes are configured correctly.

Additional Considerations

  • Dynamic DNS: If you don't have static IP addresses, use Dynamic DNS (DDNS) and configure the firewalls to use the DDNS hostnames.
  • Security: Regularly review and update your firewall rules and IPsec settings to maintain a strong security posture.
  • Monitoring: Implement monitoring tools to track the VPN tunnel's performance and uptime.

pfSense Configuration Deep Dive

To ensure a robust and reliable pfSense IPsec site-to-site VPN connection with your FortiGate, let's delve deeper into some crucial configuration aspects. We'll cover advanced settings, optimization tips, and common pitfalls to avoid. Remember, a well-configured VPN not only provides secure connectivity but also maintains optimal network performance.

Phase 1 Configuration: Beyond the Basics

While the basic Phase 1 setup involves selecting encryption and hash algorithms, there's more to it. Understanding the nuances can significantly improve your VPN's security and stability.

  • Key Exchange Version (IKEv2): Sticking with IKEv2 is generally recommended due to its enhanced security features and better handling of NAT traversal compared to IKEv1. IKEv2 offers improved efficiency and reliability.
  • My Identifier and Peer Identifier: Using IP addresses as identifiers is straightforward but can be problematic with dynamic IP addresses. Consider using Fully Qualified Domain Names (FQDN) if you have dynamic DNS set up. Ensure that the My Identifier on pfSense matches the Peer Identifier on FortiGate, and vice versa.
  • Advanced Options: Explore the advanced options like fragmentation and NAT traversal. Enabling NAT-T (NAT Traversal) is essential if either firewall is behind a NAT device. Adjust fragmentation settings if you encounter issues with large packet sizes.

Phase 2 Configuration: Fine-Tuning for Performance

Phase 2 determines how data is encrypted and transmitted through the tunnel. Choosing the right settings here can impact performance.

  • Encryption Algorithms: AES256GCM16 is a strong and efficient choice, providing excellent security with good performance. However, consider the CPU capabilities of your firewalls. Older hardware might benefit from using AES128 for slightly better performance.
  • PFS (Perfect Forward Secrecy): Enabling PFS is highly recommended. It ensures that even if the pre-shared key is compromised, past sessions remain secure. Using DH Group 14 (2048-bit) offers a good balance between security and performance. If your hardware supports it, consider using a higher DH group for enhanced security.
  • Traffic Selectors: Double-check your source and destination networks. Incorrectly configured traffic selectors are a common cause of VPN connectivity issues. Ensure that the subnets you specify accurately reflect the networks you want to connect.

Firewall Rules: Allowing the Right Traffic

Firewall rules are the gatekeepers of your network. Incorrect rules can block legitimate traffic and compromise the functionality of your VPN.

  • IPsec Interface Rules: The rules on the IPsec interface must allow traffic from the remote network to reach your local network. Be specific with your source and destination addresses to minimize the attack surface.
  • LAN Interface Rules: Don't forget to create rules on your LAN interface to allow traffic originating from your local network to reach the remote network via the VPN tunnel. Without these rules, devices on your LAN won't be able to communicate with devices on the other side of the VPN.
  • Outbound NAT: Configure outbound NAT rules to prevent traffic from being NATted when it's destined for the remote network. This ensures that the remote network sees the actual IP addresses of devices on your local network.

Routing: Guiding Traffic Through the Tunnel

Proper routing is essential for directing traffic through the VPN tunnel. Without the correct routes, traffic won't know where to go.

  • Static Routes: Ensure that you have static routes configured on both firewalls, pointing to the remote network via the IPsec tunnel interface. These routes tell the firewalls how to reach the remote network.
  • Gateway Monitoring: Consider enabling gateway monitoring for your static routes. This allows the firewall to automatically detect if the VPN tunnel is down and disable the route, preventing traffic from being routed incorrectly.

Common Pitfalls and Troubleshooting Tips

Even with careful configuration, issues can arise. Here are some common pitfalls and troubleshooting tips to help you resolve them.

  • Pre-Shared Key Mismatch: This is a classic mistake. Double-check that the pre-shared key is identical on both firewalls. Even a single character difference can prevent the tunnel from establishing.
  • Incorrect IP Addresses: Verify that you've entered the correct public IP addresses for both firewalls. A typo can lead to connectivity issues.
  • MTU Issues: Maximum Transmission Unit (MTU) problems can cause fragmentation and slow performance. Try reducing the MTU size on both firewalls to see if it resolves the issue.
  • Firewall Log Analysis: When troubleshooting, the firewall logs are your best friend. Examine the logs on both firewalls to identify any errors or warnings that might indicate the cause of the problem.

By understanding these advanced configuration aspects and avoiding common pitfalls, you can create a pfSense IPsec site-to-site VPN with FortiGate that is both secure and performant. Regularly review your configuration and monitor your VPN's performance to ensure it continues to meet your needs.

FortiGate Configuration Deep Dive

Let's take a closer look at the FortiGate configuration involved in establishing a robust and reliable IPsec site-to-site VPN with a pfSense firewall. Properly configuring your FortiGate is just as crucial as setting up your pfSense, and understanding the intricacies of the FortiGate settings can significantly improve your VPN's performance, security, and stability. We'll explore advanced settings, best practices, and troubleshooting techniques to help you optimize your FortiGate configuration.

IPsec VPN Configuration on FortiGate

VPN Creation Wizard vs. Manual Configuration:

While the IPsec VPN Wizard provides a convenient way to set up a basic VPN, understanding the manual configuration options gives you greater control and flexibility.

  • VPN Creation Wizard: This is a good starting point for simple setups, but it may not expose all the advanced options you need for more complex scenarios.
  • Manual Configuration: Allows you to fine-tune every aspect of the VPN, including advanced encryption settings, traffic selectors, and security policies. To access manual configuration, go to VPN > IPsec Tunnels and create a Custom Tunnel.

Phase 1 Settings:

Phase 1 establishes the initial secure connection between the two firewalls.

  • Key Exchange Version: As with pfSense, using IKEv2 is highly recommended for improved security and NAT traversal capabilities.
  • Authentication Method: Pre-shared Key is the simplest method, but for enhanced security, consider using Digital Certificates. If you opt for pre-shared keys, ensure you use a strong, randomly generated key and keep it secret.
  • Encryption and Authentication Algorithms: Choose strong encryption algorithms like AES256 and authentication algorithms like SHA256. Ensure the algorithms match on both the FortiGate and pfSense firewalls.
  • DH Group: Select a Diffie-Hellman (DH) group that provides a good balance between security and performance. DH Group 14 (2048-bit) is a common choice, but if your hardware supports it, consider using a higher DH group for enhanced security.

Phase 2 Settings:

Phase 2 defines the security parameters for the actual data transmission through the VPN tunnel.

  • Protocol: ESP (Encapsulating Security Payload) is the most common protocol for IPsec VPNs, providing encryption and authentication for data packets.
  • Encryption and Authentication Algorithms: As with Phase 1, choose strong encryption and authentication algorithms. AES256GCM16 is a good choice for modern hardware, providing both encryption and authentication in a single algorithm. If you choose a separate authentication algorithm, SHA256 is a good option.
  • PFS (Perfect Forward Secrecy): Enabling PFS is crucial for ensuring that past sessions remain secure even if the pre-shared key is compromised. Use a strong DH group for PFS, such as DH Group 14 or higher.
  • Traffic Selectors: These define the source and destination networks that are allowed to pass through the VPN tunnel. Ensure that the traffic selectors accurately reflect the networks you want to connect. Mismatched traffic selectors are a common cause of VPN connectivity issues.

Firewall Policies and Routing on FortiGate

Firewall Policies:

Firewall policies control the traffic that is allowed to pass through the VPN tunnel.

  • Create Separate Policies for Each Direction: It's best practice to create separate firewall policies for traffic originating from the pfSense network and traffic originating from the FortiGate network. This allows you to have more granular control over the traffic flow.
  • Use Specific Source and Destination Addresses: Avoid using all as the source or destination address in your firewall policies. Instead, specify the exact subnets that you want to allow through the VPN tunnel. This improves security by limiting the attack surface.
  • Enable Logging: Enable logging on your firewall policies to track the traffic that is passing through the VPN tunnel. This can be helpful for troubleshooting and security analysis.

Static Routes:

Static routes tell the FortiGate how to reach the remote network via the VPN tunnel.

  • Create a Static Route for the Remote Network: You need to create a static route that points to the pfSense network via the IPsec tunnel interface. This tells the FortiGate that traffic destined for the pfSense network should be sent through the VPN tunnel.
  • Set the Distance and Priority: The distance and priority settings determine which route is preferred if there are multiple routes to the same destination. Make sure the static route for the VPN tunnel has a lower distance (higher priority) than any other routes to the same network.
  • Monitor the Route: Use the execute ping command to verify that the FortiGate can reach the pfSense network via the VPN tunnel. If the ping fails, check your static route configuration and ensure that the VPN tunnel is up.

Advanced FortiGate Configuration Tips

NAT Traversal (NAT-T):

If either the FortiGate or the pfSense firewall is behind a NAT device, you need to enable NAT traversal (NAT-T) to allow the VPN tunnel to establish successfully. NAT-T encapsulates the IPsec traffic in UDP packets, which can pass through NAT devices more easily.

  • Enable NAT-T on Both Firewalls: Ensure that NAT-T is enabled on both the FortiGate and the pfSense firewall.
  • Check for NAT Overload: If you are using NAT, ensure that you are not overloading the NAT device with too many connections. This can cause performance issues and prevent the VPN tunnel from establishing.

Dead Peer Detection (DPD):

Dead Peer Detection (DPD) allows the FortiGate to detect when the pfSense firewall is no longer reachable. This can be helpful for automatically re-establishing the VPN tunnel if the pfSense firewall goes down.

  • Enable DPD on Both Firewalls: Ensure that DPD is enabled on both the FortiGate and the pfSense firewall.
  • Configure DPD Intervals: Adjust the DPD intervals to suit your network conditions. Shorter intervals will detect failures more quickly but may also generate more traffic.

Policy-Based vs. Route-Based VPNs:

FortiGate supports both policy-based and route-based VPNs.

  • Policy-Based VPNs: These are simpler to configure but less flexible. Traffic is matched to a firewall policy, and if the policy specifies an IPsec tunnel as the outgoing interface, the traffic is sent through the tunnel.
  • Route-Based VPNs: These are more complex to configure but offer greater flexibility. A virtual tunnel interface (VTI) is created, and traffic is routed through the VTI based on static routes.

By mastering these advanced FortiGate configuration techniques, you can build a highly secure, reliable, and performant IPsec site-to-site VPN with your pfSense firewall. Regularly review your configuration, monitor your VPN's performance, and stay up-to-date with the latest security best practices to ensure your VPN remains a valuable asset to your network.