IPsec Site-to-Site VPN Setup (pfSense)

This guide explains how to configure an IPsec site-to-site VPN that connects a remote site to the OpenStack environment. Make sure you have followed the Prepare VPN-appliance guide before proceeding, since this guide assumes the pfSense appliance is already running and reachable.


Remote site

We start by deciding which encryption settings to use. In this example the remote site is a pre-configured Vyatta-based (VyOS) firewall in Stockholm that we want to connect to the network in MyELITS.
Here are the relevant settings on that VyOS router:

  • External:
  • Internal:
  • Subnet:
IKE Group (phase 1)
  • Lifetime: 28800
  • Encryption: AES256
  • Hash: SHA1
  • DH group: 2
ESP Group (phase 2)
  • Lifetime: 3600
  • PFS: disabled
  • Encryption: AES256
  • Hash: SHA1
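As an added example that is not part of the original guide, here are the settings above expressed as VyOS configuration commands (VyOS 1.2/1.3 syntax; VyOS 1.4 differs slightly). The addresses, group names, interface name and pre-shared secret are assumptions for illustration only: 203.0.113.10 stands for the VyOS router's external address, 192.0.2.0/24 for the subnet behind it, 198.51.100.20 for the public address at which the pfSense side is reached, and 10.0.0.0/24 for the OpenStack network behind pfSense.

```vyos
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec ike-group IKE-MYELITS key-exchange 'ikev1'
set vpn ipsec ike-group IKE-MYELITS lifetime '28800'
set vpn ipsec ike-group IKE-MYELITS proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-MYELITS proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-MYELITS proposal 1 dh-group '2'
set vpn ipsec esp-group ESP-MYELITS lifetime '3600'
set vpn ipsec esp-group ESP-MYELITS pfs 'disable'
set vpn ipsec esp-group ESP-MYELITS mode 'tunnel'
set vpn ipsec esp-group ESP-MYELITS proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-MYELITS proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 198.51.100.20 local-address '203.0.113.10'
set vpn ipsec site-to-site peer 198.51.100.20 ike-group 'IKE-MYELITS'
set vpn ipsec site-to-site peer 198.51.100.20 default-esp-group 'ESP-MYELITS'
set vpn ipsec site-to-site peer 198.51.100.20 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 198.51.100.20 authentication pre-shared-secret 'replace-with-a-long-random-secret'
set vpn ipsec site-to-site peer 198.51.100.20 authentication id '203.0.113.10'
set vpn ipsec site-to-site peer 198.51.100.20 authentication remote-id '198.51.100.20'
set vpn ipsec site-to-site peer 198.51.100.20 tunnel 0 local prefix '192.0.2.0/24'
set vpn ipsec site-to-site peer 198.51.100.20 tunnel 0 remote prefix '10.0.0.0/24'
commit
save
```

The `authentication id` on the VyOS side is what pfSense must be given as "Peer Identifier", and the `remote-id` is what pfSense must send as "My Identifier"; because pfSense sits behind NAT its default identifier would be its private interface address, which is why both identifiers are set explicitly on both ends. After `commit`, `show vpn ipsec sa` on VyOS shows whether the security associations came up.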

A note on these values: DH group 2 (1024-bit MODP) and SHA1 are legacy choices, kept here only because the remote side already runs them. For a new tunnel prefer DH group 14 or higher and SHA256 on both ends, and enable PFS in Phase 2 if both ends support it. Whatever you choose, every Phase 1 and Phase 2 value must be identical on both ends, otherwise the negotiation fails. Now that we know the settings we want to use, we can move on to pfSense and add our IPsec configuration.


IPsec Phase 1

We need to start with enabling IPsec and defining a Phase 1 config for the VPN tunnel.
Go to VPN - IPsec. Click on the green Add P1 button to add a new Phase 1.
In this guide we assume an IKEv1 tunnel, because that is what the remote side above is configured for. Choose IKEv2 only if you have configured the remote end for it as well and know what the differences mean for the settings below.

Below is an example configuration based on the "Remote site" settings. The values on the pfSense end must be the same as those listed for the remote site (IKEv1, AES256, SHA1, DH group 2, lifetime 28800). Because the pfSense instance is behind NAT, the address on its interface is not the address the peer sees, so set "My Identifier" and "Peer Identifier" manually (for example to the public address of each end) to make sure the identifiers do not mismatch.

The attached picture shows an example Phase 1 configuration. Do not copy it to the letter; use the values from your own remote site.



IPsec Phase 2

In the pfSense web UI, go to VPN - IPsec.
You should see the Phase 1 we created in the last step. Expand its "Phase 2" entries and click the green "Add P2" button. For "Local Network" enter the subnet behind pfSense, for "Remote Network" enter the remote site's subnet, and fill in the Phase 2 values from the remote site (AES256, SHA1, lifetime 3600, PFS off).

The attached picture shows an example Phase 2 configuration. Do not copy it to the letter; use the values from your own remote site.


Press Save and then Apply Changes. That completes the IPsec setup; next we add the necessary firewall rules.

Firewall configuration

Go to Firewall - Rules - IPsec and add a new rule. Traffic that arrives through the tunnel is filtered on the IPsec interface, so without a rule here nothing from the remote site gets through. Allow traffic from the remote site's subnet to your local subnet, and limit it to the protocols and ports you actually need rather than allowing any-to-any.


Hit Save and then Apply Changes. One firewall remains to be configured: the OpenStack security group in front of the VPN server.
In the MyELITS portal, go to Infrastructure - Servers - Access & Security - Create Security Group. Name the security group ipsec and give it a good description. (If an ipsec group already exists, verify that it contains all the rules listed below and then attach that group to the VPN server.)

Click on Add Rule and add the rules one by one according to the table below. Protocols 50 and 51 are ESP and AH, the IPsec payload protocols; UDP 500 is IKE and UDP 4500 is IKE and ESP encapsulated for NAT traversal. For "Remote" choose CIDR and enter the public address of the remote IPsec gateway as a /32; a site-to-site peer has a fixed address, so there is no reason to open these ports to 0.0.0.0/0.

Rule            Direction  Open Port  Value  Remote
Other protocol  Ingress    -          50     CIDR
Other protocol  Ingress    -          51     CIDR
UDP             Ingress    Port       500    CIDR
UDP             Ingress    Port       4500   CIDR

Once you have added the rules, go back to Infrastructure - Servers - List Servers.
Click the arrow to the right of your VPN server and select Edit Security Groups.
Add the new security group to your server and hit Save.


Right now the other servers in your project have no route to the remote site's subnet, so their replies to traffic that arrives through the tunnel would go to the project's default gateway instead of back to the VPN server. We solve that by adding a static route in the MyELITS portal.

Go to Infrastructure - Network - Routers.
Click on default-router and then Static Routes.

Add a new static route: enter the remote site's subnet as "Destination CIDR" and the VPN server's local (tenant-network) IP as "Next Hop".
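As an added example that is not part of the original guide, the same three portal steps (security group, attaching it to the VPN server, static route) as OpenStack CLI calls in a POSIX shell script. All names and addresses are assumptions: 203.0.113.10 is the remote gateway's public address, 192.0.2.0/24 the subnet behind it, vpn-server the pfSense instance, 10.0.0.5 its tenant-network address and default-router the project router. It also assumes the Prepare VPN-appliance guide has already prepared the instance itself (IP forwarding and whatever port-security settings the instance needs to forward packets from the remote subnet). The script only prints the commands unless APPLY=1 is set, and it refuses a wide-open remote CIDR, since a site-to-site peer has a fixed address.

```shell
#!/bin/sh
# Added example: OpenStack CLI equivalent of the portal steps. Dry run by
# default (prints the commands); set APPLY=1 to execute them.
# All values below are placeholders, not from the original guide.
PEER_IP="${PEER_IP:-203.0.113.10}"             # public IP of the remote IPsec gateway
REMOTE_SUBNET="${REMOTE_SUBNET:-192.0.2.0/24}" # LAN behind the remote gateway
VPN_SERVER="${VPN_SERVER:-vpn-server}"         # pfSense instance in OpenStack
VPN_LOCAL_IP="${VPN_LOCAL_IP:-10.0.0.5}"       # its tenant-network address
ROUTER="${ROUTER:-default-router}"             # project router
SG="${SG:-ipsec}"                              # security group name

# Print the command in dry-run mode, execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Normalise the peer to a CIDR: a bare address becomes a /32.
peer_cidr() {
    case "$1" in
        */*) printf '%s\n' "$1" ;;
        *)   printf '%s/32\n' "$1" ;;
    esac
}

# Refuse an empty or wide-open CIDR: IKE and ESP should only be reachable
# from the peer's fixed address.
check_peer_cidr() {
    case "$1" in
        ""|0.0.0.0/0|::/0|*/0) return 1 ;;
        *) return 0 ;;
    esac
}

# Security group with the four ingress rules from the table: ESP (IP
# protocol 50), AH (IP protocol 51), IKE (UDP 500) and NAT-T (UDP 4500),
# all restricted to the remote gateway.
create_ipsec_sg() {
    peer=$1; group=$2
    remote=$(peer_cidr "$peer")
    check_peer_cidr "$remote" || { echo "refusing remote CIDR '$remote'" >&2; return 1; }
    run openstack security group create --description IPsec-site-to-site "$group"
    run openstack security group rule create --ingress --protocol esp --remote-ip "$remote" "$group"
    run openstack security group rule create --ingress --protocol ah --remote-ip "$remote" "$group"
    run openstack security group rule create --ingress --protocol udp --dst-port 500:500 --remote-ip "$remote" "$group"
    run openstack security group rule create --ingress --protocol udp --dst-port 4500:4500 --remote-ip "$remote" "$group"
}

# Attach the group to the VPN instance (Edit Security Groups in the portal).
attach_sg() {
    run openstack server add security group "$1" "$2"
}

# Static route on the project router: remote subnet via the VPN instance.
add_return_route() {
    subnet=$1; nexthop=$2; router=$3
    check_peer_cidr "$subnet" || { echo "refusing route for '$subnet'" >&2; return 1; }
    run openstack router set --route "destination=$subnet,gateway=$nexthop" "$router"
}

main() {
    create_ipsec_sg "$PEER_IP" "$SG" &&
    attach_sg "$VPN_SERVER" "$SG" &&
    add_return_route "$REMOTE_SUBNET" "$VPN_LOCAL_IP" "$ROUTER"
}

main
```

Run it once without APPLY to review the generated commands, then with `APPLY=1` and the usual `OS_*` environment variables set to apply them. If the remote gateway's public address ever changes, only the four rule lines need updating, which is easier to audit than editing the rules in the portal.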





Now we can test the tunnel from pfSense. Go to Diagnostics - Ping, enter the internal IP of the remote gateway, and under "Source Address" select the LAN interface so that the ping is sourced from the local subnet covered by Phase 2 (a ping sourced from the WAN address does not match the Phase 2 networks and will not enter the tunnel). Click Ping. You can also confirm under Status - IPsec that the tunnel shows as established.


