
Author Topic: Configure pfSense as a VPN Concentrator?  (Read 409 times)


giovantus
Configure pfSense as a VPN Concentrator?
« on: January 16, 2018, 08:20:15 am »
Dear All,

I am new to the pfSense world and I was checking, since I need, among the other needs involving the potential use of this solution,
to set up a VPN concentrator.
I did not find any specific thread on this topic (pfSense as a VPN concentrator), apart from something about connecting pfSense to
already existing, commercial VPN concentrators.

Probably I was just unable to find the right thread, I apologise if this is the case.

Anyway: is it possible to configure pfSense as a VPN concentrator for creating VPN tunnels through different sites and connect them?
Could you please forward me to the right thread / discussion on this matter, if it exists?

Thank you very much.

Giovanni


NogBadTheBad
Re: Configure pfSense as a VPN Concentrator?
« Reply #1 on: January 16, 2018, 11:51:11 am »
Are you talking about customers connecting to your equipment via a VPN client to access resources on your network, like a Cisco 3000?

Something like this is your best bet IMO, combined with FreeRadius, then firewall rules based on IP addresses handed out via FreeRadius:

https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

https://forum.pfsense.org/index.php?topic=130715.0

https://forum.pfsense.org/index.php?topic=141928.msg774115#msg774115

https://forum.pfsense.org/index.php?topic=129443.0

giovantus
Re: Configure pfSense as a VPN Concentrator?
« Reply #2 on: January 16, 2018, 02:14:58 pm »
> Are you talking about customers connecting to your equipment via a VPN client to access resources on your network, like a Cisco 3000?
>
> Something like this is your best bet IMO, combined with FreeRadius, then firewall rules based on IP addresses handed out via FreeRadius:
>
> https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
>
> https://forum.pfsense.org/index.php?topic=130715.0
>
> https://forum.pfsense.org/index.php?topic=141928.msg774115#msg774115
>
> https://forum.pfsense.org/index.php?topic=129443.0

Hi,
first of all, many thanks for the answer.
What I am actually looking at is the possibility to configure the pfSense server itself as the VPN concentrator, rather than using an external one.
Like e.g. in a typical Hub & Spoke scenario, see for example this configuration: https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=015538&lang=EN
So the pfSense server would be the Hub, and different clients from different sites, say A and B, can connect to the Hub (pfSense) or with each other through the central Hub,
always using VPN tunnels.
Is it possible to realise such a configuration in pfSense?

Actually this is something like what you suggested here: https://forum.pfsense.org/index.php?topic=141928.msg774115#msg774115, but in addition to the possibility to connect to my equipment or to the Internet through my VPN, I also want to allow a client on site A to communicate with a client on site B, passing through my pfSense concentrator.

Thank you!

NogBadTheBad
Re: Configure pfSense as a VPN Concentrator?
« Reply #3 on: January 17, 2018, 04:35:43 am »
Might be best to set up a few hosts using VMWare and have a play.

As well as my previous suggestions you can create IPsec tunnels between various devices and route traffic across those tunnels in a hub & spoke style.

johnpoz
Re: Configure pfSense as a VPN Concentrator?
« Reply #4 on: January 17, 2018, 05:25:47 am »
Yes, pfSense can be a VPN server for road warriors, or a client to different VPN services. Or sure, you can set up site-to-site VPN services between your locations.

Normally you would not set up a hub and spoke sort of setup for multiple sites but a full mesh... With all sites having VPN connections to each other.. It's rather pointless for traffic to, say, flow through HQ just to go to branch B from A... Why would the traffic not just flow directly from branch A to B via the VPN between them?

But sure, if you really want, you can have the traffic flow through HQ to get to B from A, etc.

You can have your road warrior connect into any of the sites and be able to get to any of the other sites, etc.. Any of that can be done - you just need to configure it.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.3-RELEASE (work)
1x SG-3100 2.4.3-RELEASE (work)
1x SG-4860 2.4.3-RELEASE-p1 (home)

giovantus
Re: Configure pfSense as a VPN Concentrator?
« Reply #5 on: January 17, 2018, 07:41:39 am »
Thank you all. These answers clarify many things.
I wanted to be sure but in principle, as far as I can understand, they confirm I can configure pfSense in whatever VPN topology I want.

I'll start studying and configuring.

Giovanni
 

NogBadTheBad
Re: Configure pfSense as a VPN Concentrator?
« Reply #6 on: January 17, 2018, 09:15:20 am »
> Thank you all. These answers clarify many things.
> I wanted to be sure but in principle, as far as I can understand, they confirm I can configure pfSense in whatever VPN topology I want.
>
> I'll start studying and configuring.
>
> Giovanni

Enjoy :D

giovantus
Re: Configure pfSense for VPN - configuration behind a router and NAT
« Reply #7 on: January 20, 2018, 01:20:42 pm »
Hi All,

Now I was able to configure a VPN IPsec tunnel between local and remote sites with pfSense.
From the VPN point of view everything seems to be fine, since I managed to get the "connected" status of the configured VPN.
But I have a couple of questions to get the actual site-to-site communication working (I still have some trouble).

In the attached picture is my network setup: Local LAN -> pfSense -> Zywall Router -> Remote Site

Remote VPN clients LAN: 172.16.16.0/24.
Local VPN clients LAN: 10.0.0.0/24.
IP of the pfSense LAN interface: 10.0.0.1 (default GW of the local LAN)
IP of the pfSense WAN interface: 192.168.0.51

Local and remote subnets described above are properly configured in the IKE Phase 2 settings.
The remote LAN is served by a remote endpoint with public IP e.g. 80.80.80.80, configured as the Remote Gateway in the IKE Phase 1 settings.

The pfSense WAN interface with IP 192.168.0.51 is connected to a Zywall USG50 router (IP 192.168.0.254), configured as the WAN gateway of the pfSense.
The WAN IP of the pfSense is NATed to a public IP e.g. 220.220.220.220 by the Zywall.

Despite the fact that the VPN IPsec seems to be configured properly, as I said, I think there are still some bits missing from the networking point of view
to be able to ping the remote clients.

Thank you in advance, any help will be highly appreciated.
« Last Edit: January 21, 2018, 04:30:26 am by giovantus »

giovantus
Re: Configure pfSense as a VPN Concentrator?
« Reply #8 on: January 21, 2018, 09:08:38 am »
Just to provide some more detailed information.

After the VPN is connected as described, both from the pfSense server console and from any client in the LAN 10.0.0.0/24 I can access the Internet, being able to ping both the Zywall interface to which the pfSense WAN belongs (192.168.0.254) and any other site, such as google.it.

But when I try to ping one IP of the remote VPN side (172.16.16.122 for example), this does not work.

I managed to get this ping to the remote VPN client working only from within the pfSense console, after changing the "Local Network" setting in the IKE Phase 2 configuration from "Local subnet" to "Network" with address "0.0.0.0/0".

It looks like there are still some kind of firewall issues preventing an IP in the subnet 10.0.0.0/24 from properly communicating through the VPN.
I already have firewall rules completely open for WAN, LAN and IPsec. I've also noticed that there is an Automatic Outbound NAT rule generated, from the LAN subnet to the WAN IP of the pfSense (192.168.0.51).

What am I missing to have client-to-client VPN communication in place? Maybe some kind of port forwarding from the WAN to the LAN, for the IPsec ports?
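The following is an added example (not from the thread or from the pfSense project) that models how the IKE Phase 2 "Local Network" / "Remote Network" selectors decide which packets are carried inside the tunnel, using the addresses given in Reply #7 and #8. It assumes that a ping issued from the pfSense console towards a WAN-routed destination is sourced from the WAN address 192.168.0.51; under that assumption it shows why the console ping only worked once the local selector was widened to 0.0.0.0/0, while a LAN host already matched the narrower "Local subnet" entry.

```python
"""Model of IPsec Phase 2 traffic-selector matching (added example, not pfSense code)."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# One Phase 2 entry: (Local Network, Remote Network) as entered in VPN > IPsec.
Phase2 = Tuple[str, str]


def matches_phase2(p2_entries: List[Phase2], src: str, dst: str) -> bool:
    """True if a packet src -> dst is selected for the tunnel by any Phase 2 entry."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(local) and d in ip_network(remote)
               for local, remote in p2_entries)


def path_for(p2_entries: List[Phase2], src: str, dst: str) -> str:
    """Traffic that matches no selector follows the ordinary routing table,
    i.e. leaves via the WAN default gateway (the Zywall) unencrypted."""
    return "ipsec" if matches_phase2(p2_entries, src, dst) else "wan-default-gw"


# Addresses from the thread.
LAN_SUBNET = "10.0.0.0/24"
REMOTE_SUBNET = "172.16.16.0/24"
PFSENSE_WAN_IP = "192.168.0.51"      # private WAN address, NATed by the Zywall
REMOTE_HOST = "172.16.16.122"        # the remote client being pinged

P2_LOCAL_SUBNET = [(LAN_SUBNET, REMOTE_SUBNET)]   # "Local subnet" setting
P2_ANY_LOCAL = [("0.0.0.0/0", REMOTE_SUBNET)]      # "Network 0.0.0.0/0" setting


def compare_settings(src: str, dst: str) -> Dict[str, str]:
    """Path taken under each of the two Phase 2 settings discussed in Reply #8."""
    return {"local_subnet": path_for(P2_LOCAL_SUBNET, src, dst),
            "any_local": path_for(P2_ANY_LOCAL, src, dst)}


if __name__ == "__main__":
    # Assumption: the console ping is sourced from the WAN address, which lies
    # outside 10.0.0.0/24 and so only matches the 0.0.0.0/0 selector.
    for src in (PFSENSE_WAN_IP, "10.0.0.10"):
        print(f"{src} -> {REMOTE_HOST}: {compare_settings(src, REMOTE_HOST)}")
    # Internet-bound traffic never matches the remote selector under either setting.
    print(f"10.0.0.10 -> 8.8.8.8: {compare_settings('10.0.0.10', '8.8.8.8')}")
```

Widening the local selector to 0.0.0.0/0 makes the firewall's own traffic match, but it does not by itself explain why LAN hosts cannot reach the remote side, so the model is only a way to reason about which flows the tunnel should be picking up.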