Hey everyone! Today, we're diving into the nitty-gritty of setting up an OPNsense IPsec site-to-site VPN. This is super useful, especially if you're running multiple networks and need them to securely communicate with each other. Think of it like building a super-secure tunnel between your offices or home and office, allowing them to share data seamlessly. Don't worry, even if you're new to this, I'll walk you through everything step by step. We'll cover all the important parts, from the basics to the more technical aspects, so you can get your VPN up and running smoothly. So, let's get started and make sure your networks can securely connect and share resources.

Why Choose IPsec for Site-to-Site VPN?

So, why specifically IPsec for your site-to-site VPN? Well, IPsec offers some serious advantages. First off, it's known for its strong security. IPsec encrypts all the data that goes through the VPN tunnel, which means your communications are protected from eavesdropping and other nasty stuff. Secondly, IPsec is pretty versatile. It works with a variety of different network setups. Thirdly, IPsec is widely supported, meaning you can find it on almost any firewall or router that is worth its salt. This makes it easy to set up a site-to-site VPN, even if you have different types of devices at each end of the tunnel.

Prerequisites for OPNsense IPsec Configuration

Before you get started with the configuration, there are a few things you will need in place. First of all, you'll need two OPNsense firewalls (or one OPNsense and another device that supports IPsec). Each firewall must have a public IP address. This is the address that the firewalls will use to communicate with each other over the internet. You'll also need to have access to the web interfaces of both firewalls. Make sure you can log in to both firewalls using a web browser. Next, you need to know the local networks that you want to connect. For each site, you'll need the network address and subnet mask. You will also want to plan for your IPsec configuration. This includes things like the pre-shared key, the encryption algorithms, and the Diffie-Hellman groups you'll use. Make sure that you have a plan for how you are going to configure your VPN, and be sure to write everything down, so you can reproduce it on the other side. Finally, you will need to ensure that the firewall rules on both sides are properly configured to allow the IPsec traffic. Typically, this means allowing UDP traffic on port 500 (for IKE) and possibly ESP (protocol 50) and NAT-T on UDP 4500 if you're behind a NAT device.

Step-by-Step OPNsense IPsec Site-to-Site VPN Configuration

Let's get down to the nitty-gritty and configure the OPNsense IPsec site-to-site VPN. This will be a detailed guide, so follow along closely. We'll split this into different sections for ease of understanding, so stick with it! This configuration involves setting up both sides of the VPN tunnel.

Phase 1 Configuration (IKE)

Alright, first things first, let's configure Phase 1 or the IKE (Internet Key Exchange) part of the IPsec setup. Think of Phase 1 as the handshake where the two firewalls agree on how they're going to secure their communication. This involves setting up security associations. On your primary OPNsense firewall, navigate to VPN > IPsec > Tunnels. Then, click the 'Add' button to create a new tunnel. In the 'General Information' section:

• Disabled: Make sure this is unchecked. We want this to be active.
• Interface: Choose the WAN interface. This is how the VPN will connect to the internet.
• Address Family: Typically 'IPv4'.

Now, move on to the Phase 1 configuration:

• Key Exchange Method: Choose 'IKEv2'.
• My identifier: Select 'My IP address'.
• Peer identifier: Select 'Peer IP address'.
• Remote gateway: Enter the public IP address of the other firewall. This is super important.
• Authentication method: Select 'Pre-Shared Key'. This is where you will add your pre-shared key, also known as the PSK, and it is the shared secret. Enter the same pre-shared key on both firewalls.
• Encryption algorithm: Choose a strong encryption algorithm like 'AES'. Also select a strong hashing algorithm like 'SHA256'.
• DH Group: Select a strong Diffie-Hellman group like '14 (2048 bit)'.
• Lifetime: Set a reasonable lifetime (e.g., 28800 seconds - which is 8 hours). This is how long the security association will last before it is re-keyed.

Once that's done, click 'Save'. You've now configured Phase 1 on your first firewall. Now, duplicate this configuration on the other OPNsense firewall, making sure the remote and local IP addresses are switched.

Phase 2 Configuration (IPsec)

Now it's time for Phase 2, where we set up the actual IPsec tunnel that will carry your data. In the same OPNsense firewall interface, go to VPN > IPsec > Tunnels and find the tunnel you just created. Click on the 'Edit' button. Scroll down to the Phase 2 configuration section and click the 'Add Phase 2' button.

• Mode: Select 'Tunnel'.
• Local Network: Choose 'Network' and enter the local network details of your primary site (the network address and subnet mask). This is the network that the firewall protects.
• Remote Network: Choose 'Network' and enter the local network details of your remote site (the network address and subnet mask). This is the network that the firewall will connect to.
• Protocol: Select 'ESP'.
• Encryption algorithms: Choose the same encryption algorithm you used in Phase 1 (e.g., 'AES').
• Hash algorithms: Choose the same hash algorithm you used in Phase 1 (e.g., 'SHA256').
• DH Group: Select the same Diffie-Hellman group you used in Phase 1 (e.g., '14 (2048 bit)').
• Lifetime: Set a reasonable lifetime (e.g., 3600 seconds - which is one hour). Shorter lifetimes can improve security.

Click 'Save'. Repeat this process on the other OPNsense firewall. Make sure the Local Network and Remote Network are swapped to match the other site's configuration. Now, click 'Apply Changes' on both firewalls. This applies your configuration.

Firewall Rules Configuration

Next up, you have to configure the firewall rules to allow the traffic through the VPN. This is crucial; otherwise, your VPN won't work! On both firewalls, you'll need to create firewall rules that permit traffic between the local and remote networks. Go to Firewall > Rules > IPsec. Click 'Add' to create a new rule.

• Action: 'Pass'.
• Interface: The VPN tunnel interface (the one you've just configured). It will often be something like IPsec. You should see the IPsec interface listed.
• Direction: 'In'.
• Protocol: 'Any'. Although you could specify protocols if you wish, 'Any' is generally fine for starters.
• Source: 'Network' and enter the local network of the other site. For instance, if you're on site A and you want to allow traffic from site B, enter site B's network here.
• Destination: 'Network' and enter the local network of the current firewall's site. For instance, if you're on site A, enter site A's network here.

Click 'Save' and 'Apply Changes'. Repeat this process on the other firewall, but remember to reverse the source and destination networks to match that firewall's configuration. In short, on each firewall, you're allowing traffic from the other site's network to the local network.

Testing the OPNsense IPsec VPN Connection

Alright, you've configured everything. It's time to check if everything works as expected. The first thing you can do is to check the IPsec status. Go to VPN > IPsec > Status and check the status of your tunnels. They should ideally show as 'ESTABLISHED'. If it shows an error, check the logs for clues. You can also troubleshoot your VPN using the OPNsense's built-in tools. Go to Diagnostics > Ping and try pinging a device on the remote network from a device on the local network. If you can't ping, double-check your firewall rules and make sure they're allowing the traffic. You can also use the Diagnostics > Packet Capture tool to capture traffic on the VPN interface to see if packets are being transmitted and received.

Common Issues and Troubleshooting Tips

Sometimes, things don't go according to plan, and that is fine! Here are a few common issues and tips to troubleshoot your IPsec site-to-site VPN:

• Connectivity Issues: If you can't ping devices across the VPN, the firewall rules are often the culprit. Double-check your rules, making sure they allow traffic on the correct interfaces and between the correct networks. Also, ensure your local network settings on your devices are correct, and they know to route traffic to the OPNsense firewall.
• Pre-Shared Key Mismatch: Make sure the pre-shared key is identical on both firewalls. A mismatch is a very common cause of failures. The IPsec tunnel won't establish if the keys don't match.
• NAT Traversal: If your firewalls are behind NAT devices, you need to enable NAT Traversal (NAT-T) in the Phase 1 settings. This allows IPsec traffic to traverse NAT devices. If this is not enabled, the IPsec tunnel will likely fail to establish.
• Incorrect Subnets: Verify that your local and remote network settings are correct. An incorrect subnet mask can prevent traffic from routing properly. Make sure the local and remote networks are correct.
• Firewall Blocking: Make sure your firewall isn't blocking IPsec traffic. Specifically, ensure that UDP port 500 (IKE) and UDP port 4500 (NAT-T) are allowed. Also check for protocol 50 (ESP).
• Logs: Check the OPNsense logs (System > Logs > IPsec) for error messages. The logs can give you valuable hints about what's going wrong. They will show you details about why the tunnel is failing.
• Phase 1 and Phase 2 Mismatches: Ensure that Phase 1 and Phase 2 settings match on both firewalls. This includes the encryption algorithms, hash algorithms, and DH groups. If these do not match, the tunnel will not establish.

Advanced OPNsense IPsec Configuration

For those of you who are looking to take your configuration to the next level, here are a few advanced configuration options:

• Dynamic DNS: If your public IP addresses are dynamic, consider using Dynamic DNS (DDNS). This allows the firewalls to automatically update their IP addresses. Configure this in Services > Dynamic DNS. This is helpful when your ISP assigns you a dynamic IP address.
• Multiple Subnets: If you need to connect multiple subnets at each site, configure multiple Phase 2 entries, one for each subnet. Be sure to use different local and remote networks. This allows for routing between multiple networks at each site.
• Monitoring: Use the built-in monitoring tools to monitor the VPN's health. You can set up alerts to notify you if the VPN goes down. This lets you know right away if something happens.
• High Availability: For critical environments, consider implementing high availability. This can be achieved using a second OPNsense firewall. Configure it as a backup in case the primary firewall fails. If the primary firewall goes down, the backup will take over automatically.
• Certificate Authentication: Instead of using a pre-shared key, you can use certificate-based authentication. This provides enhanced security but requires a Public Key Infrastructure (PKI) to manage certificates.

Conclusion

And there you have it! You've successfully configured an OPNsense IPsec site-to-site VPN. This can seem a little complicated, but with these steps, you should have no issues. This setup offers a secure and reliable way to connect your networks. Remember to regularly review your configuration and security settings to ensure your VPN remains secure. Always make sure to test your configuration to ensure that the setup will work as expected. And if you face any issues, don't hesitate to refer to the troubleshooting tips provided. Feel free to ask any questions if you run into any trouble, and happy networking, guys! Keep your networks secure, and enjoy the benefits of having a VPN! The information provided in this guide is for informational purposes only. It is recommended to have a good understanding of networking concepts and security before implementing a VPN. Always follow the best practices and security guidelines.