Setting up a secure VPN tunnel between a Mikrotik router and a pfSense firewall using IPsec can seem daunting, but it's totally achievable! This guide will walk you through the process, ensuring your network communication between these two devices is encrypted and secure. We'll break down each step, from configuring the IPsec policies and proposals to setting up the necessary firewall rules. Let's dive in and get this tunnel up and running!

    Understanding IPsec

    Before we jump into the configuration, let's quickly cover what IPsec is all about. IPsec (Internet Protocol Security) is a suite of protocols used to establish secure, authenticated, and encrypted connections over an IP network. It operates at the network layer, providing security for all traffic above it. This means that once IPsec is set up, all your data transmitted between the Mikrotik and pfSense devices will be protected.

    There are two main protocols within IPsec:

    • Authentication Header (AH): Provides data authentication and integrity but does not encrypt the data.
    • Encapsulating Security Payload (ESP): Provides data authentication, integrity, and encryption.

    In most modern IPsec setups, ESP is preferred because it also encrypts the data. Two further pieces are involved in bringing up an IPsec connection:

    • IKE (Internet Key Exchange): Used to establish a secure channel and negotiate security associations (SAs).
    • SAs (Security Associations): Agreements between the two devices about the cryptographic algorithms and keys to use.

    When configuring IPsec, you'll need to define these parameters carefully to ensure compatibility between the Mikrotik and pfSense devices.

    Step 1: Mikrotik Configuration

    First, let's configure the Mikrotik router. Log into your Mikrotik device using Winbox or the command-line interface. We'll start by setting up the IPsec proposal, which defines the encryption and authentication algorithms.

    Create an IPsec Proposal

    An IPsec proposal dictates how the data will be encrypted and authenticated during the IPsec session. It's crucial that both the Mikrotik and pfSense have compatible proposals. Here’s how to create one on your Mikrotik:

    1. Go to IP > IPsec > Proposals.
    2. Click the + button to add a new proposal.
    3. Give it a name, like pfsense-proposal.
    4. Set the following parameters:
      • Auth. Algorithms: sha256
      • Encr. Algorithms: aes-256-cbc
      • Lifetime: 1h (or adjust as needed)
    5. Click Apply and OK.

    These settings specify that we'll use the SHA256 algorithm for authentication and AES-256-CBC for encryption. The lifetime parameter determines how long the security association will remain active before requiring a re-key. Feel free to adjust the lifetime based on your security policies.

    Create an IPsec Peer

    Next, we'll create an IPsec peer, which defines the remote endpoint (your pfSense firewall) and the authentication method.

    1. Go to IP > IPsec > Peers.
    2. Click the + button to add a new peer.
    3. Configure the following settings:
      • Address: The public IP address of your pfSense firewall.
      • Profile: default (or create a custom profile if needed).
      • Exchange Mode: ike2
      • Send Initial Contact: yes
      • NAT Traversal: yes
      • Secret: A pre-shared key (PSK) that you'll also configure on the pfSense side. Make it strong and complex!
      • Proposal Check: obey
      • Hash Algorithm: sha256
      • Encryption Algorithm: aes-256
      • DH Group: modp2048
    4. Click Apply and OK.

    Important Considerations:

    • The Address field should contain the public IP of your pfSense firewall. If your pfSense is behind NAT, make sure this is the public IP.
    • The Secret is your pre-shared key. Keep it safe and consistent on both devices.
    • Exchange Mode set to ike2 utilizes the more modern and secure IKEv2 protocol.
    • DH Group (Diffie-Hellman group) determines the strength of the key exchange; modp2048 offers good security.

    Create an IPsec Policy

    Now, we'll define the IPsec policy that dictates which traffic should be encrypted using the tunnel. This policy specifies the source and destination networks that will be secured by the IPsec tunnel.

    1. Go to IP > IPsec > Policies.
    2. Click the + button to add a new policy.
    3. Configure the following settings:
      • Src. Address: The local network behind your Mikrotik (e.g., 192.168.1.0/24).
      • Dst. Address: The remote network behind your pfSense (e.g., 192.168.2.0/24).
      • Action: encrypt
      • IPsec Protocols: esp
      • Tunnel: yes
      • Sa Src. Address: An unused IP address on the Mikrotik (e.g., 10.10.10.1).
      • Sa Dst. Address: An unused IP address on the pfSense (e.g., 10.10.10.2).
      • Peer: Select the peer you created earlier.
      • Proposal: Select the proposal you created earlier.
    4. Click Apply and OK.

    Understanding the Policy Settings:

    • Src. Address and Dst. Address define which traffic will be encrypted. Make sure these are the correct internal networks.
    • Action set to encrypt means the traffic matching this policy will be encrypted.
    • Tunnel set to yes creates a tunnel mode IPsec connection.
    • Sa Src. Address and Sa Dst. Address are tunnel endpoints. These should be unique IP addresses not used elsewhere in your network. These IPs are only used for the tunnel itself and do not route other traffic.

    Step 2: pfSense Configuration

    Now, let's configure the pfSense firewall to match the Mikrotik settings. Log into your pfSense web interface and navigate to the IPsec settings.

    Configure IPsec Phase 1

    Phase 1 handles the initial negotiation and authentication of the IPsec connection. It establishes a secure channel for Phase 2 negotiations.

    1. Go to VPN > IPsec > Tunnels.
    2. Click Add P1 to add a new Phase 1 configuration.
    3. Configure the following settings:
      • Key Exchange version: IKEv2
      • Internet Protocol: IPv4
      • Interface: WAN (or the interface connected to the internet)
      • Remote Gateway: The public IP address of your Mikrotik router.
      • Authentication Method: Pre-shared Key
      • Pre-Shared Key: The same PSK you configured on the Mikrotik.
      • My identifier: My IP Address
      • Peer identifier: Peer IP Address
      • Encryption Algorithm:
        • Algorithm: AES256-GCM
        • Hash Algorithm: SHA256
        • DH Group: 20 (or 14 if 20 is not available)
      • Lifetime: 28800 seconds (8 hours)
    4. Click Save.

    Key Points for Phase 1:

    • Remote Gateway is the public IP of the Mikrotik.
    • Pre-Shared Key must match the Mikrotik's secret.
    • The Encryption and Hash Algorithms should match the Mikrotik's proposal.
    • DH Group 20 is generally recommended for better security. If your hardware does not support this, Group 14 is a viable alternative.

    Configure IPsec Phase 2

    Phase 2 handles the negotiation of the security associations for the actual data transfer. This is where you define the traffic that will be encrypted and the encryption methods.

    1. In the same VPN > IPsec > Tunnels section, click Add P2 next to the Phase 1 entry you just created.
    2. Configure the following settings:
      • Mode: Tunnel IPv4
      • Local Network: The network behind your pfSense firewall (e.g., 192.168.2.0/24).
      • NAT/BINAT translation: None
      • Remote Network: The network behind your Mikrotik (e.g., 192.168.1.0/24).
      • Protocol: ESP
      • Encryption Algorithms:
        • Algorithm: AES256-GCM
        • Hash Algorithm: SHA256
        • PFS Key Group: 20 (or 14 if 20 is not available)
      • Lifetime: 3600 seconds (1 hour)
    3. Click Save.

    Understanding Phase 2 Settings:

    • Local Network and Remote Network define the networks that will be encrypted by the tunnel.
    • Protocol should be set to ESP for encryption and authentication.
    • Encryption and PFS Key Group settings should match the capabilities of both devices and align with modern security standards.
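Before clicking through both GUIs it is worth checking the two parameter sets against each other on paper. The script below is an added example, not part of this guide or of either vendor's tooling: it types in the Mikrotik values from Step 1 and the pfSense values from Step 2 exactly as listed above, translates the pfSense spellings into RouterOS spellings, and reports every parameter the two sides would fail to agree on (the Mikrotik proposal's PFS group is not set in Step 1, so the RouterOS default of modp1024 is assumed). Run as written it reports the AES-GCM versus AES-CBC and the DH/PFS group 20 versus modp2048 differences, so adjust one side and re-run until it prints nothing.

```python
"""Cross-check the IKE (Phase 1) and IPsec (Phase 2) parameters of a Mikrotik
RouterOS peer/proposal against a pfSense P1/P2. Added example for this guide;
the dictionaries below hold the values listed in Steps 1 and 2, typed in by
hand, not anything read from a device."""

# pfSense UI spellings -> RouterOS spellings for the values this page uses.
PFSENSE_TO_ROS = {
    "AES256-GCM": "aes-256-gcm", "AES256-CBC": "aes-256-cbc", "AES256": "aes-256-cbc",
    "SHA256": "sha256", "SHA1": "sha1",
    "14": "modp2048", "19": "ecp256", "20": "ecp384",
}
# A RouterOS peer/profile 'aes-256' is AES-256 in CBC mode; spell it out so the
# two sides compare on the same names.
ROS_ALIASES = {"aes-256": "aes-256-cbc", "aes-128": "aes-128-cbc"}


def normalise(value, side):
    """Map a setting from either side onto the RouterOS-style name."""
    if side == "pfsense":
        return PFSENSE_TO_ROS.get(str(value).upper(), str(value).lower())
    return ROS_ALIASES.get(str(value).lower(), str(value).lower())


def compare(phase, mikrotik, pfsense):
    """One message per parameter the two sides would fail to agree on."""
    problems = []
    for key in sorted(mikrotik):
        ros = normalise(mikrotik[key], "mikrotik")
        pf = normalise(pfsense[key], "pfsense")
        if ros != pf:
            problems.append(f"{phase} {key}: Mikrotik={ros} pfSense={pf}")
    return problems


# Values as written in this guide. The Mikrotik proposal in Step 1 sets no PFS
# group; 'modp1024' is RouterOS's default for a new proposal (assumption).
MIKROTIK_P1 = {"encryption": "aes-256", "hash": "sha256", "dh": "modp2048"}
MIKROTIK_P2 = {"encryption": "aes-256-cbc", "hash": "sha256", "pfs": "modp1024"}
PFSENSE_P1 = {"encryption": "AES256-GCM", "hash": "SHA256", "dh": "20"}
PFSENSE_P2 = {"encryption": "AES256-GCM", "hash": "SHA256", "pfs": "20"}


def check(m1=MIKROTIK_P1, p1=PFSENSE_P1, m2=MIKROTIK_P2, p2=PFSENSE_P2):
    """Return all Phase 1 and Phase 2 mismatches; an empty list means the sides agree."""
    return compare("Phase 1", m1, p1) + compare("Phase 2", m2, p2)


if __name__ == "__main__":
    for line in check() or ["no mismatches found"]:
        print(line)
```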

    Step 3: Firewall Rules

    With the IPsec tunnel configured, you need to create firewall rules to allow traffic to pass through the tunnel. Without these rules, the traffic will be blocked.

    Mikrotik Firewall Rules

    1. Go to Firewall > Filter Rules.
    2. Add a new rule to allow traffic from your local network to the remote network through the IPsec tunnel:
      • Chain: forward
      • Src. Address: Your local network (e.g., 192.168.1.0/24).
      • Dst. Address: The remote network (e.g., 192.168.2.0/24).
      • Action: accept
      • IPsec Policy: require
      • Protocol: all
    3. Add another rule to allow traffic from the remote network to your local network:
      • Chain: forward
      • Src. Address: The remote network (e.g., 192.168.2.0/24).
      • Dst. Address: Your local network (e.g., 192.168.1.0/24).
      • Action: accept
      • IPsec Policy: require
      • Protocol: all

    pfSense Firewall Rules

    1. Go to Firewall > Rules > IPsec.
    2. Add a new rule to allow traffic from your local network to the remote network:
      • Action: Pass
      • Interface: IPsec
      • Address Family: IPv4
      • Protocol: Any
      • Source: Your local network (e.g., 192.168.2.0/24).
      • Destination: The remote network (e.g., 192.168.1.0/24).
    3. Click Save.

    Step 4: Testing the Connection

    After configuring both devices and setting up the firewall rules, it's time to test the connection. The easiest way to do this is to ping a device on the remote network from a device on your local network.

    1. From a computer on the Mikrotik's network (e.g., 192.168.1.0/24), ping a device on the pfSense's network (e.g., 192.168.2.0/24).
    2. If the ping is successful, the IPsec tunnel is working correctly.

    If the ping fails, double-check your configurations and firewall rules. Look at the IPsec logs on both devices for any error messages.

    Troubleshooting Tips

    • Check IPsec Logs: Both Mikrotik and pfSense have detailed IPsec logs that can help you identify issues. On Mikrotik, you can view logs using the command-line interface. On pfSense, you can view logs in the web interface under Status > System Logs > IPsec.
    • Verify Pre-Shared Keys: Ensure that the pre-shared keys match exactly on both devices. Even a small typo can prevent the tunnel from establishing.
    • Firewall Rules: Make sure your firewall rules are correctly configured to allow traffic to pass through the IPsec tunnel.
    • NAT Issues: If either device is behind NAT, ensure that NAT traversal is enabled and correctly configured.
    • Phase 1 and Phase 2 Settings: Double-check that the encryption algorithms, hash algorithms, and DH groups match on both devices.
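The pfSense IPsec log is written by strongSwan's charon daemon, and a handful of its messages map directly onto the tips above. The script below is an added example, not from this guide or from either project: it classifies charon lines into the failure class they indicate (proposal mismatch, pre-shared key mismatch, traffic-selector mismatch, or an established SA) so you can see which phase to re-check. The sample log is constructed to resemble charon output, with documentation addresses, and is not captured from a real system.

```python
"""Triage pfSense IPsec (strongSwan 'charon') log lines into the failure
classes this guide's troubleshooting list describes. Added example; the log
lines below are constructed to look like charon output, not captured from a
real system."""
import re

# (regex, phase, what to re-check). Order matters: the first match wins.
SIGNATURES = [
    (r"no matching proposal found|NO_PROPOSAL_CHOSEN", "Phase 1/2",
     "encryption, hash or DH/PFS group differ between the two sides"),
    (r"TS_UNACCEPTABLE|no matching CHILD_SA config found", "Phase 2",
     "Local/Remote Network on pfSense do not mirror Src/Dst Address on the Mikrotik policy"),
    (r"MAC mismatched|AUTHENTICATION_FAILED", "Phase 1",
     "pre-shared key differs (including a typo or trailing space)"),
    (r"CHILD_SA .* established", "Phase 2",
     "tunnel is up; if traffic still fails, check firewall rules and NAT"),
    (r"IKE_SA .* established", "Phase 1",
     "authentication succeeded, waiting for Phase 2"),
]

# Constructed sample, not a real capture; 198.51.100.1 is pfSense, 203.0.113.1 the Mikrotik.
SAMPLE_LOG = """\
Jan 01 12:00:01 charon 09[IKE] <con1000|3> initiating IKE_SA con1000[3] to 203.0.113.1
Jan 01 12:00:01 charon 09[CFG] <con1000|3> no matching proposal found, sending NO_PROPOSAL_CHOSEN
Jan 01 12:05:10 charon 11[IKE] <con1000|4> tried 1 shared key for 198.51.100.1 - 203.0.113.1, but MAC mismatched
Jan 01 12:10:22 charon 07[IKE] <con1000|5> IKE_SA con1000[5] established between 198.51.100.1[198.51.100.1]...203.0.113.1[203.0.113.1]
Jan 01 12:10:22 charon 07[IKE] <con1000|5> received TS_UNACCEPTABLE notify, no CHILD_SA built
Jan 01 12:15:30 charon 12[IKE] <con1000|6> CHILD_SA con1000{1} established with SPIs c1a2b3c4_i d5e6f7a8_o and TS 192.168.2.0/24 === 192.168.1.0/24
"""


def classify(line):
    """Return (phase, hint) for a recognised message, or None for noise lines."""
    for pattern, phase, hint in SIGNATURES:
        if re.search(pattern, line):
            return phase, hint
    return None


def triage(lines):
    """Return (phase, hint) for every recognised line, in log order."""
    return [hit for hit in (classify(line) for line in lines) if hit]


if __name__ == "__main__":
    for phase, hint in triage(SAMPLE_LOG.splitlines()):
        print(f"{phase}: {hint}")
```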

    Conclusion

    Setting up an IPsec VPN tunnel between a Mikrotik router and a pfSense firewall can be a bit tricky, but with careful configuration and attention to detail, you can create a secure and reliable connection between your networks. By following this guide, you should now have a fully functional IPsec tunnel, ensuring secure communication between your Mikrotik and pfSense devices. Remember to always monitor your logs and keep your configurations updated for optimal security. Good luck, and happy networking!