pfSense: VPN configuration example

This page provides more detailed information for configuring a VPN in Skytap for use with a pfSense endpoint on an external network. It contains the VPN configuration parameters to enter on the Skytap VPN page, as well as the sample configuration values to enter in the web interface of your pfSense device.

For general information, see Creating a VPN connection to your Skytap account.

Skytap VPN configuration

Parameters to enter on your Skytap VPN page:

Parameter Name

Value to enter

Name

Name for your Skytap VPN

Example: CorporateVPN

Remote Peer IP

The public IP address of the pfSense server.

This must match the value in the My identifier field of the pfSense web interface.

Region

N/A. This is automatically populated when you select a public IP address for the Skytap peer IP field (see below).

Example: US-West

Skytap peer IP

An available public IP address in your Skytap account. Select a public IP address in the same region as the VMs you want to connect to.

Example: 76.32.14.101

This value is entered in the Remote Gateway field of the pfSense web interface.

Skytap subnet

This is the range of VM IP addresses in Skytap that send and receive traffic through this VPN. It can’t overlap with the included remote subnets defined below.

This must match the value in the Remote Network field of the pfSense web interface.

You can specify the default route (0.0.0.0/0) for either the remote subnet or the local subnet. You can’t use 0.0.0.0/0 for both local and remote subnets.

Apply NAT for Connected Networks

NO

Topology

Route-based

Internet key exchange

IKEv2

Phase 1 Encryption Algorithm

aes 256

Phase 1 Hash Algorithm

sha256

Phase 1 pre-shared Key

[SHARED SECRET KEY]

Use a long, randomly generated value. This must match the value in the Pre-Shared Key field of the pfSense web interface.

Phase 1 SA lifetime

28800

Phase 1 DH group

modp2048 (14)

Phase 2 encryption algorithm

aes 256

Phase 2 authentication algorithm

hmac_sha256

Phase 2 perfect forward secrecy (PFS)

NO

Phase 2 PFS group

N/A

Phase 2 SA lifetime

3600

SA policy level

unique

Specify maximum segment size

NO

Maximum segment size

N/A

Dead peer detection

ON

Included remote subnets

Enter the IP addresses and subnets on your external network that send and receive traffic through this VPN.

Example: 10.1.15.0/24

These subnets must be covered by the Local Network field of the pfSense web interface.

You can specify the default route (0.0.0.0/0) for either the remote subnet or the local subnet. You can’t use 0.0.0.0/0 for both local and remote subnets.

Excluded remote subnets

Subset of IP addresses and subnets on the external network that should be excluded from using the VPN tunnel. This is used only to define exclusions for VPN traffic from larger included remote subnets (defined above).

Example: 10.1.15.17/32

Sample pfSense device configuration

These are the parameters to enter in the VPN IPsec tunnel section of the web interface of your pfSense device. These values were tested on pfSense v2.3.5 and v2.4.2.

Replace [VARIABLES] with specific values from Skytap or your corporate policy.

For best results when using a pfSense Firewall/VPN/Router from the AWS marketplace as a remote endpoint to a Skytap VPN:

  • Use the pfSense guest operating system to reset the device to factory defaults.
  • Delete the default VPN IPsec Tunnel configuration included with the device, and create a new VPN IPsec Tunnel configuration using the settings below.

Phase 1

General Information

Parameter Name

Value to enter

Key Exchange version

IKEv2

Internet Protocol

IPv4

Interface

WAN

Remote Gateway

The [SKYTAP PEER IP] value from the Skytap VPN configuration settings above.

Phase 1 proposal (Authentication)

Parameter Name

Value to enter

Authentication Method

Mutual PSK

Negotiation mode

Main (pfSense shows this field only when Key Exchange version is IKEv1; with IKEv2 selected it is hidden and does not apply)

My identifier

Type: IP address

Value: [PUBLIC IP ADDRESS OF PFSENSE SERVER]

This is entered in the Remote Peer IP field of the Skytap VPN configuration settings above. Don’t use the My IP address type when pfSense sits behind NAT (for example on an AWS instance, where the WAN interface carries a private address): the identifier it would send then wouldn’t match the Remote Peer IP configured in Skytap.

Peer identifier

Peer IP address

Pre-Shared Key

[SHARED SECRET KEY]

This must match the value of the Phase 1 pre-shared Key field in the Skytap VPN configuration settings above.

Phase 1 Proposal (Algorithms)

Parameter Name

Value to enter

Encryption Algorithm

AES

Key length

256 bits

Hash Algorithm

SHA256

DH group

14 (2048 bits)

Lifetime (seconds)

28800

Advanced Options

Parameter Name

Value to enter

Disable rekey

Don’t select this option

Responder Only

Don’t select this option

NAT Traversal

Auto

Dead Peer Detection

Select this option

Phase 2

General Information

Parameter Name

Value to enter

Mode

Tunnel IPv4

Local Network

Type: LAN subnet

Optionally, choose Type: Network and enter a narrower range of IP addresses on the local network that can send and receive traffic with Skytap VMs.

NAT/BINAT translation

None

Remote Network

Type: Network

This must match the Skytap subnet value ([SKYTAP VM IP RANGE]) from the Skytap VPN configuration settings above.

Phase 2 Proposal (SA/Key Exchange)

Parameter Name

Value to enter

Protocol

ESP

Encryption Algorithm

AES: 256 bits

Hash Algorithm

SHA256

PFS key group

Off (matches Phase 2 perfect forward secrecy = NO on the Skytap side; if you later enable PFS, enable it with the same DH group on both ends, otherwise Phase 2 won’t negotiate)

Lifetime

3600
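Most failed tunnels between the two tables above come from a single value that differs between the Skytap VPN page and the pfSense form, or from a subnet that breaks one of the rules stated in the Skytap table (overlap, 0.0.0.0/0 on both ends, an exclusion that isn’t inside an included subnet). The script below is an added example, not Skytap or pfSense code: it encodes the "must match" relationships and the subnet rules from this page and reports every inconsistency before you save either side. The dictionary keys are this script’s own labels for the page’s parameters, not API names of either product; the sample values are constructed from the examples on this page, with 203.0.113.10 standing in for the pfSense public IP and 10.0.0.0/24 for the Skytap VM range (both assumptions).

```python
"""Cross-check Skytap VPN page values against pfSense IPsec tunnel values.

Added example, not Skytap or pfSense code. Field names are this script's own
labels for the page's parameters; the sample values are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: the Skytap VPN page side (PSK is a placeholder string).
SKYTAP = {
    "remote_peer_ip": "203.0.113.10",        # assumption: pfSense public IP
    "skytap_peer_ip": "76.32.14.101",
    "skytap_subnet": "10.0.0.0/24",          # assumption: Skytap VM range
    "included_remote_subnets": ["10.1.15.0/24"],
    "excluded_remote_subnets": ["10.1.15.17/32"],
    "ike": "IKEv2",
    "p1_encryption": "aes256", "p1_hash": "sha256", "p1_dh": 14, "p1_lifetime": 28800,
    "p2_encryption": "aes256", "p2_auth": "sha256", "p2_pfs": None, "p2_lifetime": 3600,
    "psk": "c0nstructed-placeholder-psk-for-the-example",
}

# Constructed sample: the pfSense Phase 1 / Phase 2 side.
PFSENSE = {
    "my_identifier": "203.0.113.10",
    "remote_gateway": "76.32.14.101",
    "remote_network": "10.0.0.0/24",
    "local_network": "10.1.15.0/24",         # assumption: the LAN subnet
    "key_exchange": "IKEv2",
    "p1_encryption": "aes256", "p1_hash": "sha256", "p1_dh": 14, "p1_lifetime": 28800,
    "p2_encryption": "aes256", "p2_hash": "sha256", "p2_pfs": None, "p2_lifetime": 3600,
    "psk": "c0nstructed-placeholder-psk-for-the-example",
}

# (Skytap field, pfSense field) pairs that the page says must agree.
MUST_MATCH: List[Tuple[str, str]] = [
    ("remote_peer_ip", "my_identifier"),
    ("skytap_peer_ip", "remote_gateway"),
    ("skytap_subnet", "remote_network"),
    ("ike", "key_exchange"),
    ("p1_encryption", "p1_encryption"), ("p1_hash", "p1_hash"),
    ("p1_dh", "p1_dh"), ("p1_lifetime", "p1_lifetime"),
    ("p2_encryption", "p2_encryption"), ("p2_auth", "p2_hash"),
    ("p2_pfs", "p2_pfs"), ("p2_lifetime", "p2_lifetime"),
    ("psk", "psk"),
]

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def _net(value: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(value, strict=False)


def check_matching_fields(skytap: Dict, pfsense: Dict) -> List[str]:
    """One problem per pair whose values differ (e.g. PFS enabled on one side only)."""
    return [
        f"Skytap {s}={skytap.get(s)!r} differs from pfSense {p}={pfsense.get(p)!r}"
        for s, p in MUST_MATCH
        if skytap.get(s) != pfsense.get(p)
    ]


def check_subnets(skytap: Dict, pfsense: Dict) -> List[str]:
    """Subnet rules from the page: no overlap, 0.0.0.0/0 on at most one side,
    exclusions inside an included subnet, included subnets inside Local Network."""
    problems: List[str] = []
    local = _net(skytap["skytap_subnet"])
    remotes = [_net(r) for r in skytap["included_remote_subnets"]]
    lan = _net(pfsense["local_network"])
    if local == DEFAULT_ROUTE and DEFAULT_ROUTE in remotes:
        problems.append("0.0.0.0/0 is used for both the Skytap subnet and a remote subnet")
    for r in remotes:
        # A default route on one side is permitted and would trivially overlap everything.
        if DEFAULT_ROUTE not in (local, r) and local.overlaps(r):
            problems.append(f"Skytap subnet {local} overlaps included remote subnet {r}")
        if not r.subnet_of(lan):
            problems.append(f"included remote subnet {r} is not within pfSense Local Network {lan}")
    for e in skytap["excluded_remote_subnets"]:
        if not any(_net(e).subnet_of(r) for r in remotes):
            problems.append(f"excluded remote subnet {e} is not inside any included remote subnet")
    return problems


def check_psk(skytap: Dict) -> List[str]:
    """Reject an unfilled [PLACEHOLDER] or a short key (the 20-char floor is this script's policy)."""
    psk = skytap["psk"]
    if "[" in psk or len(psk) < 20:
        return ["pre-shared key is a placeholder or shorter than 20 characters"]
    return []


def validate(skytap: Dict, pfsense: Dict) -> List[str]:
    """Return every inconsistency found; an empty list means the two sides agree."""
    return check_matching_fields(skytap, pfsense) + check_subnets(skytap, pfsense) + check_psk(skytap)


if __name__ == "__main__":
    print("page example:", validate(SKYTAP, PFSENSE) or "consistent")
    # Constructed mistake: PFS enabled on pfSense only and Remote Network widened to /16.
    broken = dict(PFSENSE, p2_pfs=14, remote_network="10.0.0.0/16")
    for problem in validate(SKYTAP, broken):
        print("problem:", problem)
```

Run it once with your real values substituted for the constructed ones; the page example passes, and the deliberately broken pfSense copy reports both the PFS mismatch and the widened Remote Network. Keep the real pre-shared key out of a committed file.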