IPsec VPN Configuration in pfSense: Part One


Phase 1 IPsec configuration in pfSense 2.2.4.

In the previous article, we covered how to set up a PPTP VPN connection in pfSense, and how to connect to it in Mint Linux. Since PPTP relies on MS-CHAPv2, which has been compromised, we probably want to use another method if security is paramount. In this article, we will cover setting up an IPsec tunnel with pfSense and connecting to it with Mint Linux.

IPsec VPN Configuration: Phase 1

First we need to set up the IPsec tunnel in pfSense. Navigate to VPN -> IPsec and click on the plus button on the lower right to add a new tunnel. Under General information, there is an entry for Interface, where we select the interface for the local endpoint of the tunnel. Since our end user will be connecting remotely, the local endpoint should be WAN. The next entry is Remote Gateway, where we enter the IP address or host name of the remote gateway. Enter a brief description and scroll down to the Phase 1 proposal (Authentication) section. At Pre-Shared Key, you need to enter a key (PSK), which will essentially be the tunnel’s password. Whether you alter the Phase 1 proposal (Algorithms) settings or not, take note of the settings, as we will need them for future reference. Press the Save button at the bottom to save the Phase 1 configuration. On the next page, press the Apply changes button to commit changes.


Phase 2 IPsec configuration.

IPsec VPN Configuration: Phase 2

Now there should be a new entry in the IPsec table for the new Phase 1 configuration. Click on the big plus button underneath the entry you just created to initiate Phase 2 configuration. This section should expand, revealing an empty table for Phase 2 settings. Click on the (smaller) plus button to the right of the table to bring up the Phase 2 settings page. For Mode, you can select whichever method you prefer, but note that whoever connects will have to use the same method. For Local Network, enter the network or address to which you want to give the VPN user access (probably LAN net). For Remote Network, enter the address of the remote end of the VPN tunnel. Enter a brief description. In the Phase 2 proposal section (SA/Key Exchange), set the protocol and encryption options, again taking note of them for future reference (AES-256 is the commonly used standard). When you are done, press the Save button at the bottom of the page. Press the Apply changes button on the next page to commit changes. Finally, check the Enable IPsec check box on the main IPsec page and press the Save button.


Now that Phase 1 and Phase 2 configuration are complete, all that remains is to create a firewall rule for IPsec traffic. Navigate to Firewall -> Rules. There should be a new tab for IPsec; click on it. There may already be a rule there allowing traffic to pass to whatever network or address you specified in the Phase 2 configuration. If not, then create one now by pressing one of the plus buttons on this page. Most of the default settings can be kept, but set Destination to the network or address specified in Local Network in the Phase 2 configuration. For Destination port range, specify any. Add a brief description, and press the Save button. On the next page, press the Apply changes button to commit these changes.

In part two of this article, we will cover connecting to the VPN tunnel from the remote node.

External Links:

IPsec on Wikipedia

pfSense IPsec configuration information from the official pfSense site

webConfigurator Options in pfSense

Today, I thought it might be interesting to look at some of the advanced pfSense settings. I will start this series by looking at the webConfigurator settings, which you can find by navigating to System -> Advanced, and clicking on the “Admin Access” tab.

webConfigurator Options


webConfigurator settings in pfSense 2.0

The first setting is “Protocol”. The default is HTTP, but you can choose HTTP Secure, which runs HTTP on top of the SSL/TLS protocol, enabling secure communications. Next is “TCP port”; here you can enter a custom port number for the web interface (the defaults are 80 for HTTP and 443 for HTTPS). This provides an extra layer of security, as you can use “security through obscurity” to hide the pfSense webConfigurator from others (this is especially valuable if, for whatever reason, you have to be able to access the webConfigurator from the WAN interface).


The next setting is “Max Processes”, in which you can alter the number of webConfigurator processes that are allowed to run simultaneously. Increasing the number of instances allows more users/browsers to access the GUI concurrently. Next is the “Disable webConfigurator redirect rule”. When this check box is unchecked, access to the pfSense web interface is always permitted from the WAN, even on port 80, regardless of which listening port is configured. Checking this box disables this access. If it is checked, access to the webConfigurator can be allowed, but only via an explicit rule and via NAT port forwarding.

The next setting is “Disable web configurator login autocomplete”. When this is unchecked (the default), login credentials for the webConfigurator may be saved by the browser. Checking this check box disables autocomplete on the login form so that browsers will not prompt to save credentials, but not all browsers respect this option.

Next is “Disable logging of webConfigurator successful logins”; when this is checked, successful logins to the webConfigurator will not be logged. When unchecked, “Disable webConfigurator anti-lockout rule” will allow access to the pfSense web interface regardless of what firewall rules are set. If this box is checked, then access from the LAN will still be possible if the web interface is set to port 80 and the default “Anti-Lockout Rule” is still in place (or if a rule is created to allow traffic on whatever port you choose). Make sure such a rule is in place before you check this box, or you could lock yourself out.


“Disable DNS Rebinding Checks”, when unchecked, blocks private IP responses from your configured DNS servers. Sometimes, however, it may interfere with webConfigurator access or name resolution; if so, you can check this box so that such private IP responses will not be blocked. Below this, at “Alternate Hostnames for DNS Rebinding and HTTP_REFERER Checks”, you can specify alternate hostnames by which the router may be queried to bypass the DNS rebinding attack checks (hostnames should be separated by spaces). Finally, when unchecked, “Disable HTTP_REFERER enforcement check” will disable access to the webConfigurator from scripts that try to redirect traffic based on the HTTP_REFERER field. Checking this box disables this protection, which may help if you use external scripts to interact with the system.
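
The sketch below is an added illustration, not pfSense's own code, of the kind of Host-header and Referer comparison that the DNS rebinding and HTTP_REFERER checks described above rely on, and of why a public name has to be listed under the alternate hostnames. The function names, the hostname pfsense.localdomain, the alternate hostnames and the sample requests are constructed for the example, and accepting an IP-literal Host is an assumption.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

def allowed_names(hostname, domain, alternate_hostnames=""):
    """Names the GUI answers to; alternates are space-separated, as in the setting."""
    names = {hostname, f"{hostname}.{domain}", "localhost", *alternate_hostnames.split()}
    return {n.lower() for n in names}

def host_of(value):
    """Host part of a Host header ('host[:port]') or of a full URL; '' if unparsable."""
    try:
        return (urlsplit(value if "//" in value else "//" + value).hostname or "").lower()
    except ValueError:
        return ""

def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def check_request(host_header, referer, names):
    """Return (allowed, reason) for one request to the management GUI."""
    host = host_of(host_header)
    # Rebinding check: the browser puts the name it resolved into the Host header,
    # so a foreign name that merely resolves to the firewall's address is visible here.
    # Assumption: an IP literal is accepted, since rebinding needs a DNS name.
    if not (is_ip_literal(host) or host in names):
        return False, "host-not-recognised"
    # Referer check: a request that was launched from a page on another site
    # carries that site's URL in the Referer header.
    if referer:
        ref_host = host_of(referer)
        if ref_host != host and ref_host not in names:
            return False, "referer-mismatch"
    return True, "ok"

if __name__ == "__main__":
    names = allowed_names("pfsense", "localdomain")  # constructed hostname and domain
    # Constructed sample requests: (Host header, Referer header)
    for host, ref in [("pfsense.localdomain", "https://pfsense.localdomain/index.php"),
                      ("rebind.attacker.example", ""),
                      ("192.168.1.1", "http://other-site.example/page.html"),
                      ("fw.example.com:8443", None)]:
        print(host, ref, check_request(host, ref, names))
```

The last sample request is rejected until fw.example.com is passed in as an alternate hostname, which is the situation the “Alternate Hostnames” field exists for.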

External Links:

HTTP_referer at Wikipedia

SNMP Server Configuration in pfSense


SNMP server configuration in pfSense 2.0.

This article will (a) briefly describe the Simple Network Management Protocol, and (b) explain how to enable the SNMP server in pfSense.

Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks. It is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention, and the protocol is supported by such devices as switches, servers, workstations, printers, modem racks, and more. SNMP is a component of the Internet Protocol Suite and consists of a set of standards for network management. It operates in the Application Layer of the Internet Protocol Suite (Layer 7 of the OSI model).

Typical SNMP use entails the following: administrative computers (called managers) have the task of monitoring or managing a group of hosts or devices on a network. Each managed system executes at all times a software component called an agent which reports information via SNMP to the manager. SNMP agents expose management data on the managed systems as variables. The protocol also permits active management tasks, such as modifying and applying a new configuration through remote modification of these variables. The variables accessible via SNMP are organized in hierarchies. An SNMP managed network consists of the following components: [1] managed devices; [2] an agent (software which runs on the managed devices); and [3] a network management system (NMS) – software which runs on the manager.

SNMP version 1 (SNMPv1) is the initial implementation of the SNMP protocol. It has been criticized for its poor security, as authentication of clients is performed only by a “community string”, in effect a type of password, which is transmitted in cleartext. The first RFCs for SNMP appeared in 1988 (1065-1067). These were obsoleted by RFCs 1155-1157, which in turn were replaced by RFC 1213. SNMPv2 (RFCs 1441-1452) revises version 1 and includes improvements in the areas of performance, security, confidentiality, and manager-to-manager communications. It introduced GetBulkRequest, an alternative to iterative GetNextRequests for retrieving management data. Like version 1, however, SNMPv2 lacks encrypted connections.


pfSense SNMP Server Configuration

To enable the SNMP server, first navigate to Services -> SNMP. At “SNMP Daemon”, click on the “Enable” check box (at the right). At “Polling Port”, you can probably leave this port set to the default of 161. At “System Location”, specify a location, and below that, specify a “System Contact” if desired. At “Read Community String”, specify an alphanumeric string. This is roughly equivalent to a password and changing its value will ensure only authorized SNMP clients will be able to query the SNMP information from this machine.
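
The cleartext community string described above can be seen by decoding the first two fields of an SNMP message, which is also how a monitoring sensor can flag default strings on its own network. This is an added example, not code from the original article or from pfSense; the function names and the sample datagram are constructed, and the names in DEFAULT_COMMUNITIES are the widely used defaults rather than values from this page.

```python
VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}
DEFAULT_COMMUNITIES = {"public", "private"}  # assumption: common vendor defaults

def tlv(tag, value):
    """Encode one BER TLV (short-form length, enough for the sample below)."""
    if len(value) > 127:
        raise ValueError("sample encoder only handles short-form lengths")
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos):
    """Decode the BER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def inspect_snmp(datagram):
    """Return version, community (None for SNMPv3) and findings for one datagram."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, raw_version, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(raw_version, "big")
    result = {"version": VERSIONS.get(version, "unknown"), "community": None, "findings": []}
    if version in (0, 1):                  # v1/v2c: OCTET STRING community follows
        tag, community, _ = read_tlv(msg, pos)
        if tag != 0x04:
            raise ValueError("community OCTET STRING missing")
        result["community"] = community.decode("latin-1")
        result["findings"].append("community string readable on the wire")
        if result["community"] in DEFAULT_COMMUNITIES:
            result["findings"].append("default community string in use")
    return result

# Constructed sample: SNMPv2c GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0).
VARBINDS = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2b06010201010100")) + tlv(0x05, b"")))
PDU = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + VARBINDS)

def sample_datagram(community):
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, community.encode()) + PDU)

if __name__ == "__main__":
    print(inspect_snmp(sample_datagram("public")))
```

A long random community string removes the second finding but not the first: any SNMPv1 or SNMPv2c string is readable by whoever can observe the traffic.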

The second section on the page is labeled “SNMP Traps”. These traps are sent by SNMP-enabled devices to specified servers when a significant event occurs. SNMP trap servers then decide how to process and handle the event, such as e-mailing a network administrator. SNMP traps thus enable network administrators to react quickly to potential issues. To enable pfSense SNMP traps, check the “Enable” check box to the right. At “Trap Server Name”, specify the name (or IP address) of the trap server. At “Trap Server Port”, specify the port. At “Specify Trap String”, specify a string.


The third section on the page is labeled “Modules”. At “SNMP Modules”, select the modules to be queried. The fourth section, “Interface Binding”, allows you to select which interfaces the SNMP server binds to. This is useful, for example, if you are accessing your pfSense box via a VPN tunnel, and you otherwise would not be able to query the SNMP server because your IP address is that of the LAN IP address. Binding the SNMP server to LAN, which then would cause it to only listen on the LAN IP address, would solve this problem. Otherwise, you can probably leave this set to “All”. Once you are done configuring settings, press the “Save” button to save the changes. Now that the SNMP server has been enabled, administrators will be able to query vital system information from an SNMP client.

External Links:

Simple Network Management Protocol at Wikipedia

SNMP Server Daemon at doc.pfsense.org

Command line examples for monitoring a pfSense router with SNMP

© 2013 David Zientara. All rights reserved.