Site-to-site IPSec VPN between VPNaaS (SIM-Cloud) and OPNsense router (remote office)
Description
Initial conditions
- Both nodes between which the VPN tunnel is to be built have real IP addresses.
- Site A is the cloud-based VPNaaS provided by SIM-Cloud
- Site B is the client’s infrastructure, based on OPNsense.
- Each site has its own private subnetwork:
- Site “A” - 10.5.4.0/24
- Site “B” - 192.168.255.0/24
- VPNaaS version: 12.0.5
- OPNsense version: 19.7-amd64
Warning
The steps below may differ depending on the version of the router OS or software.
Note
To set up the VPN connection, the following conditions must be met:
Network availability between the routers:
- Protocol: UDP, port 500 (IKE, for negotiating and managing encryption keys).
- Protocol: UDP, port 4500 (IPsec NAT-Traversal mode).
- Protocol: ESP, IP protocol number 50 (IPsec).
- Protocol: AH, IP protocol number 51 (IPsec).
The firewall rules must not block network traffic between the routers and the private subnetworks.
The private subnetworks to be connected over IPsec must be distinct and must not overlap or include each other.
VPN Router | VPN Peer IP | Private Network | Private Network GW IP | Private Network Host IP |
---|---|---|---|---|
Site “A” (VPNaaS) | 156.67.54.218 | 10.5.4.0/24 | 10.5.4.1/32 | 10.5.4.7 |
Site “B” (OPNsense) | 156.67.53.137 | 192.168.255.0/24 | 192.168.255.21/32 | 192.168.255.29 |
This example walks through the initial configuration of a secure IPsec site-to-site VPN connection that links the private networks 10.5.4.0/24 and 192.168.255.0/24 located behind the two routers.
Site A configuration (VPNaaS)
The VPNaaS is configured in accordance with the instructions given in the documentation:
A1. Configure IKE Policy. For this step the following parameters are used:
Parameter | Value |
---|---|
Name | ikepolicy |
Authorization algorithm | sha1 |
Encryption algorithm | 3des |
IKE version | v2 |
Lifetime value for IKE keys | 86400 |
Perfect Forward Secrecy | group5 |
IKE Phase1 negotiation mode | main |
A2. Configure IPSec Policy. For this step the following parameters are used:
Parameter | Value |
---|---|
Name | ipsecpolicy |
Authorization algorithm | sha1 |
Encapsulation mode | tunnel |
Encryption algorithm | 3des |
Lifetime value for IKE keys | 3600 |
Perfect Forward Secrecy | group5 |
Transform Protocol | esp |
A3. Configure VPN service. For this step the following parameters are used:
Parameter | Value |
---|---|
Name | VPNservice |
Router | Select from the list of cloud project routers |
A4. Configure Endpoint Groups. For this step the following parameters are used:
Endpoint group name | Type | Value |
---|---|---|
local_epg | SUBNET | 10.5.4.0/24 |
remote_epg | CIDR | 192.168.255.0/24 |
A5. Configure IPsec site connection. For this step the following parameters are used:
Parameter | Value |
---|---|
Name | ipsecsiteconn |
VPN service associated with this connection | VPNservice |
Endpoint group for local subnet(s) | local_epg |
IKE policy associated with this connection | ikepolicy |
IPsec policy associated with this connection | ipsecpolicy |
Peer gateway public IPv4/IPv6 Address or FQDN | 156.67.53.137 |
Peer router identity for authentication (Peer ID) | 156.67.53.137 |
Endpoint group for remote peer CIDR(s) | remote_epg |
Pre-Shared Key (PSK) string | Baejii9ahwoo |
MTU | 1500 |
A6. Once all these changes have been made, the IPsec site connection appears as successfully created with the status ‘Down’. When the tunnel has been configured at the other end and successfully established, this status changes to ‘Active’.
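Steps A1 to A5 can also be scripted. The following Python wrapper is an added example, not part of this page and not SIM-Cloud tooling: it expresses the same five steps as calls to the `openstack vpn ...` commands provided by the python-neutronclient VPNaaS plugin, in dependency order, and prints them by default (dry run) so they can be reviewed before execution. `LOCAL_SUBNET_ID` and `ROUTER_ID` are placeholders for the cloud project's own IDs, and the flag names should be confirmed with `openstack vpn ike policy create --help` on the target cloud, since plugin versions differ.

```python
"""Site A (VPNaaS) steps A1-A5 as `openstack` CLI invocations.

Added example, not part of the original page. LOCAL_SUBNET_ID and ROUTER_ID
are placeholders for the project's own IDs (see `openstack subnet list` and
`openstack router list`); all other values come from the page's tables.
"""
import shlex
import subprocess

LOCAL_SUBNET_ID = "<subnet-id-of-10.5.4.0/24>"   # placeholder
ROUTER_ID = "<project-router-id>"               # placeholder
PEER_ADDRESS = "156.67.53.137"                  # OPNsense public IP (site B)
PSK = "Baejii9ahwoo"                            # pre-shared key from the page


def site_a_commands(subnet_id=LOCAL_SUBNET_ID, router=ROUTER_ID,
                    peer=PEER_ADDRESS, psk=PSK):
    """Return the A1..A5 commands, in dependency order, as argv lists."""
    return [
        # A1: IKE policy (phase 1 parameters)
        ["openstack", "vpn", "ike", "policy", "create",
         "--auth-algorithm", "sha1", "--encryption-algorithm", "3des",
         "--ike-version", "v2", "--lifetime", "units=seconds,value=86400",
         "--pfs", "group5", "--phase1-negotiation-mode", "main", "ikepolicy"],
        # A2: IPsec policy (phase 2 parameters)
        ["openstack", "vpn", "ipsec", "policy", "create",
         "--auth-algorithm", "sha1", "--encapsulation-mode", "tunnel",
         "--encryption-algorithm", "3des", "--lifetime", "units=seconds,value=3600",
         "--pfs", "group5", "--transform-protocol", "esp", "ipsecpolicy"],
        # A3: VPN service bound to the project router
        ["openstack", "vpn", "service", "create", "--router", router, "VPNservice"],
        # A4: endpoint groups (local side = subnet ID, remote side = CIDR)
        ["openstack", "vpn", "endpoint", "group", "create",
         "--type", "subnet", "--value", subnet_id, "local_epg"],
        ["openstack", "vpn", "endpoint", "group", "create",
         "--type", "cidr", "--value", "192.168.255.0/24", "remote_epg"],
        # A5: site connection tying everything together
        ["openstack", "vpn", "ipsec", "site", "connection", "create",
         "--vpnservice", "VPNservice", "--ikepolicy", "ikepolicy",
         "--ipsecpolicy", "ipsecpolicy", "--peer-address", peer, "--peer-id", peer,
         "--psk", psk, "--local-endpoint-group", "local_epg",
         "--peer-endpoint-group", "remote_epg", "--mtu", "1500", "ipsecsiteconn"],
    ]


def apply(commands, dry_run=True):
    """Print each command (dry run) or execute it; stop at the first failure.

    Returns the shell-quoted command lines so callers can log or review them.
    """
    rendered = []
    for argv in commands:
        line = shlex.join(argv)
        rendered.append(line)
        if dry_run:
            print(line)
        else:
            subprocess.run(argv, check=True)
    return rendered


if __name__ == "__main__":
    apply(site_a_commands())   # review first; run with dry_run=False to create the objects
```

Run it once as is to review the command lines, then call `apply(site_a_commands(...), dry_run=False)` in an environment where the OpenStack credentials (`OS_*` variables) are sourced. Immediately after the last command the site connection shows the status ‘Down’, as described in A6, until site B is configured.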
Site B configuration (OPNsense)
The OPNsense configuration follows the chapter “Setup IPsec site to site tunnel” of the software vendor's own manual.
B0-1. Before configuring the VPN tunnel itself, make sure that routing of traffic from the private networks (defined in RFC1918) via the WAN interface is permitted.
To do this, go to the ‘Interfaces ‣ [WAN]’ menu and untick the ‘Block private networks’ checkbox. Save your changes by clicking ‘Save’ and apply them by clicking ‘Apply changes’.
B0-2. To permit IPsec tunnel connections, configure protocol rules for the firewall:
- Protocol ESP
- UDP Traffic on Port 500 (ISAKMP)
- UDP Traffic on Port 4500 (NAT-T)
To do this, go to the ‘Firewall ‣ Rules ‣ WAN’ menu and create the rules according to the table:
Action | Interface | TCP/IP Version | Protocol | Destination | Destination port range | Description |
---|---|---|---|---|---|---|
Pass | WAN | IPv4 | ESP | WAN address | Any | IPsec ESP |
Pass | WAN | IPv4 | TCP/UDP | WAN address | ISAKMP | IPsec ISAKMP |
Pass | WAN | IPv4 | TCP/UDP | WAN address | IPsec NAT-T | IPsec NAT-T |
Note
For extra security, restrict the ‘Source’ field of these rules to the IP address of the VPNaaS router (156.67.54.218 in this example).
After creating the rules, press the ‘Apply changes’ button.
B1. Configuring the VPN IPsec tunnel: Phase 1
Setting | Value | Comment |
---|---|---|
Connection method | default | |
Key Exchange version | V2 | Must match the version specified in the VPNaaS |
Internet Protocol | IPv4 | |
Interface | WAN | An interface facing the Internet must be selected |
Remote gateway | 156.67.54.218 | In this case the public IP address of the VPNaaS |
Description | VPNaaS | Description |
Authentication method | Mutual PSK | Use a pre-shared key |
My identifier | My IP address | Simple identification if using a fixed IP |
Peer identifier | Peer IP address | Simple identification if using a fixed IP |
Pre-Shared Key | Baejii9ahwoo | Random characters; must be the same string as entered at the other end |
Encryption algorithm | 3DES | Must match the value specified in the VPNaaS |
Hash algorithm | SHA1 | Must match the value specified in the VPNaaS |
DH key group | 5 | Must match the value specified in the VPNaaS |
Lifetime | 86400 | Must match the value specified in the VPNaaS |
Disable Rekey | Unchecked | Re-request the key when it times out |
Disable Reauth | Unchecked | For IKEv2 only: re-authenticate the peer on rekeying |
NAT Traversal | Disabled | Always enabled for IKEv2 NAT traversal |
Dead Peer Detection | Unchecked | |
Save changes by clicking the ‘Save’ button.
B2. Configuring the VPN IPsec tunnel: Phase 2
Setting | Value | Comment |
---|---|---|
Mode | Tunnel IPv4 | Select Tunnel mode |
Description | Local network on VPNaaS | Description |
Local Network: Type | LAN subnet | Route the local LAN subnet |
Remote Network: Type | Network | Route a remote network |
Remote Network: Address | 10.5.4.0/24 | The remote LAN subnet |
Protocol | ESP | Select ESP for encryption |
Encryption algorithms | 3DES | Must match the value specified in the VPNaaS |
Hash algorithms | SHA1 | Must match the value specified in the VPNaaS |
PFS Key group | 5 (1536 bits) | Must match the value specified in the VPNaaS |
Lifetime | 3600 | Must match the value specified in the VPNaaS |
Save your changes by clicking ‘Save’ and apply them by clicking ‘Apply changes’.
B3. Enabling the VPN IPsec tunnel.
B4. Add rules to the firewall to allow traffic to pass through the IPsec tunnel to the local network.
To do this, go to the ‘Firewall ‣ Rules ‣ IPsec’ menu and add the rule according to the table:
Action | Interface | TCP/IP Version | Protocol | Destination | Destination port range | Description |
---|---|---|---|---|---|---|
Pass | IPsec | IPv4 | any | LAN net | any | Allow IPsec traffic to LAN net |
After creating the rule, press the ‘Apply changes’ button.
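Most tunnel failures come from the two ends disagreeing on one of the fields marked “Must match” in B1 and B2, on the pre-shared key, or on the subnets. The following Python script is an added example, not part of this page or of either product: it encodes the values from the site A and site B tables in two dictionaries (the key names are the script's own) and checks the initial conditions (public peer addresses, distinct non-overlapping RFC1918 subnets), the cross-referenced peer addresses and networks, the PSK, the IKE version, and every Phase 1 and Phase 2 parameter, treating the differently-cased algorithm names of the two GUIs as equal.

```python
"""Pre-flight consistency check for the VPNaaS (site A) / OPNsense (site B) tunnel.

Added example, not part of the original page or of either product. The values
below are taken from the page's tables; the dictionary key names are this
script's own.
"""
import copy
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SITE_A = {  # VPNaaS, steps A1-A5
    "public_ip": "156.67.54.218",
    "private_net": "10.5.4.0/24",        # local_epg
    "peer_ip": "156.67.53.137",          # Peer gateway address and Peer ID
    "peer_net": "192.168.255.0/24",      # remote_epg
    "psk": "Baejii9ahwoo",
    "ike_version": "v2",
    "phase1": {"encryption": "3des", "hash": "sha1", "dh_group": 5, "lifetime": 86400},
    "phase2": {"encryption": "3des", "hash": "sha1", "pfs_group": 5, "lifetime": 3600,
               "protocol": "esp", "mode": "tunnel"},
}
SITE_B = {  # OPNsense, steps B1-B2 (its GUI shows algorithm names in upper case)
    "public_ip": "156.67.53.137",
    "private_net": "192.168.255.0/24",   # Phase 2 local network: LAN subnet
    "peer_ip": "156.67.54.218",          # Phase 1 remote gateway
    "peer_net": "10.5.4.0/24",           # Phase 2 remote network
    "psk": "Baejii9ahwoo",
    "ike_version": "V2",
    "phase1": {"encryption": "3DES", "hash": "SHA1", "dh_group": 5, "lifetime": 86400},
    "phase2": {"encryption": "3DES", "hash": "SHA1", "pfs_group": 5, "lifetime": 3600,
               "protocol": "ESP", "mode": "tunnel"},
}


def _norm(value):
    """Algorithm names differ only in case between the two GUIs; compare case-insensitively."""
    return value.lower() if isinstance(value, str) else value


def check_site(name, site):
    """Conditions each side must meet on its own (see 'Initial conditions')."""
    problems = []
    if not ipaddress.ip_address(site["public_ip"]).is_global:
        problems.append(f"{name}: {site['public_ip']} is not a public (real) IP address")
    net = ipaddress.ip_network(site["private_net"])
    if not any(net.subnet_of(block) for block in RFC1918):
        problems.append(f"{name}: {net} is not an RFC1918 private network")
    return problems


def check_pair(a, b):
    """Return a list of mismatches between the two configurations (empty = consistent)."""
    problems = check_site("A", a) + check_site("B", b)
    # Each side must name the other's public address as its peer / remote gateway.
    if a["peer_ip"] != b["public_ip"]:
        problems.append(f"A peer address {a['peer_ip']} != B public IP {b['public_ip']}")
    if b["peer_ip"] != a["public_ip"]:
        problems.append(f"B remote gateway {b['peer_ip']} != A public IP {a['public_ip']}")
    # The private subnets must be distinct and must not include each other.
    net_a, net_b = ipaddress.ip_network(a["private_net"]), ipaddress.ip_network(b["private_net"])
    if net_a.overlaps(net_b):
        problems.append(f"private networks {net_a} and {net_b} overlap")
    # The remote network each side routes must be exactly the other side's private subnet.
    if a["peer_net"] != b["private_net"]:
        problems.append(f"A remote endpoint group {a['peer_net']} != B private net {b['private_net']}")
    if b["peer_net"] != a["private_net"]:
        problems.append(f"B remote network {b['peer_net']} != A private net {a['private_net']}")
    # The pre-shared key must be identical on both ends.
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    if _norm(a["ike_version"]) != _norm(b["ike_version"]):
        problems.append(f"IKE version: A={a['ike_version']} B={b['ike_version']}")
    # Every Phase 1 / Phase 2 parameter marked 'must match' on the page.
    for phase in ("phase1", "phase2"):
        for key, val in a[phase].items():
            other = b[phase].get(key)
            if _norm(val) != _norm(other):
                problems.append(f"{phase} {key}: A={val!r} B={other!r}")
    return problems


def with_change(site, phase, key, value):
    """Deep-copy `site` and alter one parameter (phase=None edits a top-level field)."""
    changed = copy.deepcopy(site)
    (changed[phase] if phase else changed)[key] = value
    return changed


if __name__ == "__main__":
    for line in check_pair(SITE_A, SITE_B) or ["configuration consistent"]:
        print(line)
    # Show what a typical slip looks like: Phase 2 lifetime left at another value on site B.
    for line in check_pair(SITE_A, with_change(SITE_B, "phase2", "lifetime", 28800)):
        print("example mismatch:", line)
```

Fill in the two dictionaries from your own GUIs before enabling the tunnel in B3; an empty result from `check_pair` means every field the page requires to match actually does, and each reported line names the side and field to correct.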
Tunnel function check
Note
If the tunnel is not established, restart the VPN service on both sides.
- To check the tunnel status in OPNsense, go to the ‘VPN ‣ IPsec ‣ Status Overview’ menu. There you can also click the ‘(i)’ pictogram to see the Phase 2 details.
- In VPNaaS, the “IPsec site connection” status should now have changed to “Active”.