VPN configuration example: pfSense

This page provides more detailed information for configuring a VPN in Skytap for use with a pfSense endpoint on an external network. It contains the VPN configuration parameters to enter on the Skytap VPN page, as well as the sample configuration values to enter in the web interface of your pfSense device.

For general information, see Creating a VPN connection to your Skytap account.

Skytap VPN configuration

Parameters to enter on your Skytap VPN page:

| Parameter Name | Value to enter |
|---|---|
| Name | Name for your Skytap VPN. Example: CorporateVPN |
| Remote Peer IP | The public IP address of the pfSense server. This must match the value in the My identifier field of the pfSense web interface. |
| Region | N/A. This is automatically populated when you select a public IP address for the Skytap peer IP field (see below). Example: US-West |
| Skytap peer IP | An available public IP address in your Skytap account. Select a public IP address in the same region as the VMs you want to connect to. Example: 76.32.14.101. This value is entered in the Remote Gateway field of the pfSense web interface. |
| Skytap subnet | The range of VM IP addresses in Skytap that send and receive traffic through this VPN. This range cannot overlap with the included remote subnet(s) defined below. It must match the value in the Remote Network field of the pfSense web interface. |
| Apply NAT for Connected Networks | YES |
| Topology | Policy-based |
| Phase 1 Encryption Algorithm | aes 256 |
| Phase 1 Hash Algorithm | sha1 |
| Phase 1 pre-shared Key | [SHARED SECRET KEY]. This must match the value in the Pre-Shared Key field of the pfSense web interface. |
| Phase 1 SA lifetime | 28800 |
| Phase 1 DH group | modp1536 (5) |
| Phase 2 encryption algorithm | 3des |
| Phase 2 authentication algorithm | hmac_sha1 |
| Phase 2 perfect forward secrecy (PFS) | On |
| Phase 2 PFS group | modp1536 (5) |
| Phase 2 SA lifetime | 3600 |
| SA policy level | require |
| Specify maximum segment size | No |
| Maximum segment size | N/A |
| Dead peer detection | Off |
| Included remote subnets | Enter the IP addresses and subnets on your external network that send and receive traffic through this VPN. Example: 10.1.15.0/24. The subnet(s) should be based on the traffic allowed in the Local Network field of the pfSense web interface. |
| Excluded remote subnets | Subset of IP addresses and subnets on the external network that should be excluded from using the VPN tunnel. This is used only to define exclusions for VPN traffic from larger included remote subnets (defined above). Example: 10.1.15.17/32 |

Sample pfSense device configuration

These are the parameters to enter in the VPN IPsec tunnel section of the web interface of your pfSense device. These values were tested on v2.3.5 and v2.4.2.

Replace [VARIABLES] with specific values from Skytap or your corporate policy.

For best results when using a pfSense Firewall/VPN/Router from the AWS marketplace as a remote endpoint to a Skytap Cloud VPN:

  • Use the pfSense guest operating system to reset the device to factory defaults.
  • Delete the default VPN IPsec Tunnel configuration included with the device, and create a new VPN IPsec Tunnel configuration using the settings below.

Phase 1

General Information

| Parameter Name | Value to enter |
|---|---|
| Key Exchange version | IKEv1 |
| Internet Protocol | IPv4 |
| Interface | WAN |
| Remote Gateway | The [SKYTAP PEER IP] value from the Skytap VPN configuration settings above. |

Phase 1 proposal (Authentication)

| Parameter Name | Value to enter |
|---|---|
| Authentication Method | Mutual PSK |
| Negotiation mode | Main |
| My identifier | [PUBLIC IP ADDRESS OF PFSENSE SERVER]. This is entered in the Remote Peer IP field of the Skytap VPN configuration settings above. |
| Peer identifier | Peer IP address |
| Pre-Shared Key | [SHARED SECRET KEY]. This must match the value of the Phase 1 pre-shared Key field in the Skytap VPN configuration settings above. |

Phase 1 Proposal (Algorithms)

| Parameter Name | Value to enter |
|---|---|
| Encryption Algorithm | AES |
| Hash Algorithm | SHA1 |
| DH group | 5 (1536 bit) |
| Lifetime (seconds) | 28800 |

Advanced Options

| Parameter Name | Value to enter |
|---|---|
| Disable rekey | Select this option |
| Responder Only | Do not select this option |
| NAT Traversal | Auto |
| Dead Peer Detection | Do not select this option |

Phase 2

General Information

| Parameter Name | Value to enter |
|---|---|
| Mode | Tunnel IPv4 |
| Local Network | Type: LAN subnet. Optionally, select the range of IP addresses on the local network that can send and receive traffic from Skytap VMs. |
| NAT/BINAT translation | None |
| Remote Network | Type: Network. This must match the [SKYTAP VM IP RANGE] defined in the [SKYTAP subnet] field from the Skytap VPN configuration settings above. |

Phase 2 Proposal (SA/Key Exchange)

| Parameter Name | Value to enter |
|---|---|
| Protocol | ESP |
| Encryption Algorithm | 3DES |
| Hash Algorithm | SHA1 |
| PFS key group | 5 (1536 bit) |
| Lifetime | 3600 |
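Most IPsec tunnels that fail to come up between Skytap and pfSense do so because one of the "must match" values above differs between the two web interfaces, or because the Skytap subnet overlaps an included remote subnet. The following script is an added example, not Skytap or pfSense code: it encodes the cross-reference rules from both tables (Remote Peer IP to My identifier, Skytap peer IP to Remote Gateway, Skytap subnet to Remote Network, the pre-shared key, and the Phase 1/Phase 2 algorithms, groups and lifetimes) plus the subnet rules (no overlap between the Skytap subnet and included remote subnets; each excluded remote subnet must lie inside an included one; included subnets should fall within the pfSense Local Network). The dictionary keys and all sample values are constructed for illustration; the public IPs use documentation ranges and the PSK is a placeholder.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: values as entered on the Skytap VPN page (keys are this example's own).
SKYTAP = {
    "remote_peer_ip": "203.0.113.10",      # placeholder public IP of the pfSense WAN
    "skytap_peer_ip": "76.32.14.101",
    "skytap_subnet": "10.0.0.0/24",
    "p1_encryption": "aes256", "p1_hash": "sha1",
    "p1_psk": "example-psk-REPLACE-ME",    # placeholder shared secret
    "p1_lifetime": 28800, "p1_dh_group": 5,
    "p2_encryption": "3des", "p2_auth": "sha1",
    "p2_pfs_group": 5, "p2_lifetime": 3600,
    "included_remote_subnets": ["10.1.15.0/24"],
    "excluded_remote_subnets": ["10.1.15.17/32"],
}

# Constructed sample: the corresponding pfSense Phase 1 / Phase 2 entries.
PFSENSE = {
    "my_identifier": "203.0.113.10",
    "remote_gateway": "76.32.14.101",
    "remote_network": "10.0.0.0/24",
    "local_network": "10.1.15.0/24",       # the LAN subnet behind pfSense
    "p1_encryption": "aes256", "p1_hash": "sha1",
    "pre_shared_key": "example-psk-REPLACE-ME",
    "p1_lifetime": 28800, "p1_dh_group": 5,
    "p2_encryption": "3des", "p2_hash": "sha1",
    "pfs_key_group": 5, "p2_lifetime": 3600,
}

# (Skytap key, pfSense key) pairs that the configuration tables say must be identical.
MUST_MATCH = [
    ("remote_peer_ip", "my_identifier"), ("skytap_peer_ip", "remote_gateway"),
    ("skytap_subnet", "remote_network"), ("p1_psk", "pre_shared_key"),
    ("p1_encryption", "p1_encryption"), ("p1_hash", "p1_hash"),
    ("p1_lifetime", "p1_lifetime"), ("p1_dh_group", "p1_dh_group"),
    ("p2_encryption", "p2_encryption"), ("p2_auth", "p2_hash"),
    ("p2_pfs_group", "pfs_key_group"), ("p2_lifetime", "p2_lifetime"),
]

# Algorithms the tables document that are legacy by current standards: reported as warnings only.
LEGACY_ALGORITHMS = {"3des", "des", "sha1", "md5"}


def check_vpn(skytap: Dict, pfsense: Dict) -> Dict[str, List[str]]:
    """Return {'errors': [...], 'warnings': [...]} for a Skytap/pfSense pair."""
    errors: List[str] = []
    warnings: List[str] = []

    # 1. Every cross-referenced field must be identical on both sides.
    for s_key, p_key in MUST_MATCH:
        if skytap[s_key] != pfsense[p_key]:
            errors.append(f"{s_key}={skytap[s_key]!r} does not match pfSense {p_key}={pfsense[p_key]!r}")

    skytap_net = ipaddress.ip_network(skytap["skytap_subnet"], strict=True)
    included = [ipaddress.ip_network(n, strict=True) for n in skytap["included_remote_subnets"]]
    excluded = [ipaddress.ip_network(n, strict=True) for n in skytap["excluded_remote_subnets"]]
    local = ipaddress.ip_network(pfsense["local_network"], strict=True)

    # 2. The Skytap subnet may not overlap any included remote subnet, and the
    #    included subnets should be within what the pfSense Local Network allows.
    for net in included:
        if skytap_net.overlaps(net):
            errors.append(f"Skytap subnet {skytap_net} overlaps included remote subnet {net}")
        if not net.subnet_of(local):
            warnings.append(f"included remote subnet {net} is outside pfSense Local Network {local}")

    # 3. Exclusions are carve-outs, so each must sit inside some included subnet.
    for net in excluded:
        if not any(net.subnet_of(inc) for inc in included):
            errors.append(f"excluded remote subnet {net} is not inside any included remote subnet")

    # 4. Flag the legacy algorithms so the operator sees them before deployment.
    for key in ("p1_encryption", "p1_hash", "p2_encryption", "p2_auth"):
        if skytap[key] in LEGACY_ALGORITHMS:
            warnings.append(f"{key}={skytap[key]} is a legacy algorithm")

    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for level, items in check_vpn(SKYTAP, PFSENSE).items():
        for item in items:
            print(f"[{level.upper()[:-1]}] {item}")
```

Run it against your own two sets of values before submitting the tunnel on either side; a non-empty `errors` list names the field to fix, while `warnings` only report the legacy 3DES/SHA1 choices these tables document and the Local Network check, which is advisory because the page leaves that field optional.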