By Edward, Published January 14 2024, Updated March 1 2024
Overview
While setting up IPSec through OPNSense is well-documented, I wanted to add in my own guide into how I have it set up. I also took into consideration National Institute of Standards and Technology (NIST) standards. The setup is fairly simple, between two networks sharing a local subnet on both ends.
The layout assumes a setup of two routers, with each having two subnets and two hosts connected. The WAN IP of Host 1 is 10.1.1.1 with a subnet of 255.255.255.0, and a gateway of 10.1.1.254. The WAN IP of Host 2 is 10.2.2.1 with a subnet of 255.255.255.0, and a gateway of 10.2.2.254.
With the configuration of IPSec, we will be using 10.1.1.1 and 10.2.2.1 as the external IP address to connect to. In a real-world scenario, this will likely be a static public IP or a Fully Qualified Domain Name (FQDN). In a situation where one or more hosts has a dynamic IP, dynamic DNS setup should be optimally set up on the router.
Finally, IPSec will route 192.168.1.1 to 192.168.3.1. 192.168.2.1 and 192.168.4.1 should not be able to communicate across IPSec.
We will use the Connections interface to set up the connection.
IPSec Key Pair Setup
Host 1 Setup
- Go to VPN > IPSec > Key Pairs
- Click the Add button towards the right of the menu
- Enter a key pair name
- We will use host1-host2
- Select a key type
- For RSA, use 4096 bit or higher.
- For ECDSA select NIST P-384 or higher
- Click the gear Icon to generate key pair
- Save the key pair
- Go to VPN > IPSec > Key Pairs
- Click the Add button towards the right of the menu
- Enter a key pair name
- We will use host2-host1
- Select the appropriate key type
- Enter ONLY the public key from Host 2
- Save the key pair
Host 2 Setup
- Go to VPN > IPSec > Key Pairs
- Click the Add button towards the right of the menu
- Enter a key pair name
- We will use host2-host1
- Select a key type
- For RSA, use 4096 bit or higher.
- For ECDSA select NIST P-384 or higher
- Click the gear Icon to generate key pair
- Save the key pair
- Go to VPN > IPSec > Key Pairs
- Click the Add button towards the right of the menu
- Enter a key pair name
- We will use host1-host2
- Select the appropriate key type
- Enter ONLY the public key from Host 1
- Save the key pair
Note
You can additionally generate more key pairs and/or pre-shared keys for additional security and to attempt to protect against post-quantum computing. The overall effectiveness of this strategy has yet to be determined.
IPSec Connections Setup
Host 1 General Settings
| Key | Value |
|---|---|
| Enabled | Checked |
| Proposals | aes256gcm16-sha512-ecp256 (DH19, NIST EC) |
| Version | IKEv2 |
| MOBIKE | Unchecked |
| Local Addressess | Blank, or 10.1.1.1 |
| Remote addresses | 10.2.2.1 or FQDN |
| DPD Delay | Empty, unless desired |
| Pools | Empty |
| Description | IPSec to Host 2 |
Host 1 Local Authentication
| Key | Value |
|---|---|
| Enabled | Checked |
| Connection | IPSec to Host 2 |
| Authentication | Public Key |
| id | host1 |
| Certificates | Blank |
| Public Keys | host1-host2 |
| Description | Initial Host 1 Auth |
Host 1 Remote Authentication
| Key | Value |
|---|---|
| Enabled | Checked |
| Connection | IPSec to Host 2 |
| Authentication | Public Key |
| id | host2 |
| Certificates | Blank |
| Public Keys | host2-host1 |
| Description | Initial Host 2 Auth |
Host 2 Setup
| Key | Value |
|---|---|
| Enabled | Checked |
| Proposals | aes256gcm16-sha512-ecp256 (DH19, NIST EC) |
| Version | IKEv2 |
| MOBIKE | Unchecked |
| Local Addressess | Blank, or 10.2.2.1 |
| Remote addresses | 10.1.1.1 or FQDN |
| DPD Delay | Empty, unless desired |
| Pools | Empty |
| Description | IPSec to Host 1 |
Host 1 Local Authentication
| Key | Value |
|---|---|
| Enabled | Checked |
| Connection | IPSec to Host 1 |
| Authentication | Public Key |
| id | host2 |
| Certificates | Blank |
| Public Keys | host2-host1 |
| Description | Initial Host 2 Auth |
Host 1 Remote Authentication
| Key | Value |
|---|---|
| Enabled | Checked |
| Connection | IPSec to Host 1 |
| Authentication | Public Key |
| id | host1 |
| Certificates | Blank |
| Public Keys | host1-host2 |
| Description | Initial Host 1 Auth |
IPSec Children Setup
Note
The Children setup can be set up per-network share or as a trunk share. However, for security purposes, a per-network share is preferred to avoid any undesired communication between networks.
If you set a Reqid, make sure to set it the same across both hosts.
Host 1 General Settings
| Key | Value |
|---|---|
| Enabled | Checked |
| Connection | IPSec to host 2 |
| Mode | Tunnel |
| Policies | Checked |
| Start Action | Start |
| DPD Action | Clear |
| Reqid | Blank, or number |
| ESP Proposals | aes256gcm16-sha512-ecp521 (DH21, NIST EC) |
| Local | 192.168.1.0/24 |
| Remote | 192.168.3.0/24 |
| Description | LAN 1 to LAN3 |
Host 2 Setup
| Key | Value |
|---|---|
| Enabled | Checked |
| Connection | IPSec to host 1 |
| Mode | Tunnel |
| Policies | Checked |
| Start Action | Start |
| DPD Action | Clear |
| Reqid | Blank, or number |
| ESP Proposals | aes256gcm16-sha512-ecp521 (DH21, NIST EC) |
| Local | 192.168.3.0/24 |
| Remote | 192.168.1.0/24 |
| Description | LAN 3 to LAN1 |
Firewall Setup
Both Host WAN Rules
IPSec NAT-T
| Key | Value |
|---|---|
| Protocol | TCP/UDP |
| Source | any |
| Destination | WAN Address |
| Destination Port | IPSec NAT-T |
| Log | Optional, checked |
| Description | IPSec NAT-T |
IPSec ISAKMP
| Key | Value |
|---|---|
| Protocol | TCP/UDP |
| Source | any |
| Destination | WAN Address |
| Destination Port | ISAKMP |
| Log | Optional, checked |
| Description | IPSec ISAKMP |
IPSec ESP
| Key | Value |
|---|---|
| Protocol | ESP |
| Source | any |
| Destination | WAN Address |
| Log | Optional, checked |
| Description | IPSec ESP |
IPSec Rules
Host 1
| Key | Value |
|---|---|
| Source | 192.168.3.1/24 |
| Destination | 192.168.1.1/24 |
| Log | Optional, checked |
| Description | IPSec LAN 3 to LAN 1 |
Host 2 Setup
| Key | Value |
|---|---|
| Source | 192.168.1.1/24 |
| Destination | 192.168.3.1/24 |
| Log | Optional, checked |
| Description | IPSec LAN 1 to LAN 3 |
Conclusion
IPSec is fully set up at this point and allows communication between two networks. Testing the configuration from 192.168.1.2 should allow communication to 192.168.3.2, but not 192.168.4.2. 192.168.2.2 should not be able to communicate to 192.168.3.2 or 192.168.4.2. The true is reversed from the other end as well.
Sources
Virtual Private Networking. (n.d.). Retrieved from https://docs.opnsense.org/manual/vpnet.html#firewall-rules
IPsec – Policy based public key setup. (n.d.). Retrieved from https://docs.opnsense.org/manual/how-tos/ipsec-s2s-conn.html
Guide to IPSec VPNs. (N.d.). Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-77r1.pdf