Setting up an IPsec VPN between a MikroTik router and a pfSense firewall can seem daunting, but it's totally achievable with the right guidance. IPsec, or Internet Protocol Security, creates a secure, encrypted tunnel for your data to travel between networks, ensuring confidentiality and integrity. In this article, we'll walk you through the steps to establish a robust and reliable VPN connection between your MikroTik and pfSense devices.
Understanding the Basics of IPsec
Before diving into the configuration, let's cover some IPsec fundamentals. IPsec operates in two primary modes: transport mode and tunnel mode. In transport mode, only the payload of the IP packet is encrypted, while in tunnel mode, the entire IP packet is encrypted and encapsulated within a new IP packet. For VPNs, tunnel mode is generally preferred as it provides a higher level of security. Key components of IPsec include:
- Internet Key Exchange (IKE): IKE is the protocol used to establish a secure channel between the two devices for negotiating IPsec security associations (SAs). It handles authentication and key exchange.
- Authentication Header (AH): AH provides data integrity and authentication but does not offer encryption.
- Encapsulating Security Payload (ESP): ESP provides both encryption and authentication, ensuring data confidentiality and integrity. It's the more commonly used protocol.
- Security Association (SA): An SA is a set of security parameters that define how the IPsec connection will be secured. It includes encryption algorithms, authentication methods, and key lifetimes.
Understanding these concepts will make the configuration process much smoother. Remember, the goal is to create a secure tunnel that allows traffic to flow seamlessly between your networks.
Step-by-Step Configuration on pfSense
First, let's configure the pfSense side of the IPsec tunnel. These steps will guide you through creating the necessary Phase 1 and Phase 2 settings to establish a connection with your MikroTik router. So, fire up your pfSense web interface and let's get started!
Phase 1 Configuration (IKE)
Phase 1 is all about setting up the initial secure channel for negotiating the IPsec connection. This involves defining the encryption and authentication methods. To configure Phase 1 on pfSense:
- Navigate to VPN > IPsec and click Add P1 to create a new Phase 1 entry.
- Set the following parameters:
  - Key Exchange version: Choose IKEv2. It's more modern and offers better security features.
  - Internet Protocol: Select the appropriate IP version, typically IPv4.
  - Interface: Choose the WAN interface through which the VPN connection will be established.
  - Remote Gateway: Enter the public IP address of your MikroTik router.
  - Description: Add a descriptive name for the Phase 1 configuration (e.g., "MikroTik-VPN-Phase1").
  - Authentication Method: Select Mutual PSK. This is the simplest method for authentication using a pre-shared key.
  - Pre-Shared Key: Enter a strong, randomly generated pre-shared key. Make sure to use the same key on both the pfSense and MikroTik devices.
  - My identifier: Set to My IP address.
  - Peer identifier: Set to Peer IP address.
  - Encryption Algorithm: Choose an encryption algorithm such as AES256.
  - Hash Algorithm: Select a hash algorithm such as SHA256.
  - DH Group: Choose a Diffie-Hellman group such as 14 (2048 bit MODP Group).
  - Lifetime: Set the lifetime for the Phase 1 tunnel (e.g., 28800 seconds).
- Save the Phase 1 configuration. With Phase 1 configured, you've laid the groundwork for a secure connection. Double-check all the settings to ensure they match the MikroTik configuration you'll set up next.
Phase 2 Configuration (ESP)
Phase 2 defines the security parameters for the actual data transfer. This includes specifying the encryption algorithms and the networks that will be allowed to communicate through the VPN tunnel. Here's how to configure Phase 2 on pfSense:
- In the IPsec configuration page, click Add P2 to create a new Phase 2 entry.
- Set the following parameters:
  - Mode: Select Tunnel IPv4.
  - Local Network: Specify the local network behind the pfSense firewall that will be accessible through the VPN (e.g., 192.168.1.0/24).
  - Remote Network: Specify the remote network behind the MikroTik router that will be accessible through the VPN (e.g., 192.168.2.0/24).
  - Protocol: Select ESP.
  - Encryption Algorithms: Choose an encryption algorithm such as AES256GCM.
  - Hash Algorithms: Select SHA256.
  - PFS Key Group: Choose a Perfect Forward Secrecy (PFS) group such as 14 (2048 bit MODP Group).
  - Lifetime: Set the lifetime for the Phase 2 tunnel (e.g., 3600 seconds).
- Save the Phase 2 configuration. Now, with both Phase 1 and Phase 2 configured on the pfSense side, it's time to move on to the MikroTik configuration. Ensure that the network settings are correct so that traffic can be properly routed through the VPN.
Step-by-Step Configuration on MikroTik
Now, let's switch gears and configure the MikroTik router to establish the IPsec VPN connection. These steps will guide you through setting up the necessary IPsec policies and peers to connect to your pfSense firewall.
Creating an IPsec Peer
The IPsec peer configuration defines the remote endpoint (pfSense firewall) and the authentication details. To create an IPsec peer on MikroTik:
- Open WinBox or use the WebFig interface to access your MikroTik router.
- Go to IP > IPsec > Peers and click the + button to add a new peer.
- Set the following parameters:
  - Address: Enter the public IP address of your pfSense firewall.
  - Secret: Enter the same pre-shared key you used in the pfSense Phase 1 configuration.
  - Exchange Mode: Choose ike2.
  - Send Initial Contact: Check this option to initiate the connection from the MikroTik side.
  - NAT Traversal: Select yes to enable NAT traversal.
  - Proposal Check: Select Obtain Lifetimes. This is crucial to let the tunnel adjust lifetimes based on the negotiation.
  - Hash Algorithm: Select sha256.
  - Encryption Algorithm: Select aes-256-cbc.
  - DH Group: Select modp2048.
- Apply and save the peer configuration. With the IPsec peer configured, you're one step closer to establishing the VPN tunnel. Make sure the address and secret key match the pfSense configuration.
Creating an IPsec Proposal
The IPsec proposal defines the encryption and authentication algorithms that will be used for the data transfer. To create an IPsec proposal on MikroTik:
- Go to IP > IPsec > Proposals and click the + button to add a new proposal.
- Set the following parameters:
  - Name: Give the proposal a descriptive name (e.g., "pfSense-Proposal").
  - Auth Algorithms: Select sha256.
  - Enc Algorithms: Select aes-256-gcm.
  - Lifetime Seconds: Set the lifetime for the Phase 2 tunnel (e.g., 3600).
  - PFS Group: Select modp2048.
- Apply and save the proposal configuration. This ensures that the encryption and authentication methods align with those configured on the pfSense firewall.
Creating an IPsec Policy
The IPsec policy defines which traffic will be secured by the VPN tunnel. To create an IPsec policy on MikroTik:
- Go to IP > IPsec > Policies and click the + button to add a new policy.
- Set the following parameters:
  - Src Address: Specify the local network behind the MikroTik router that will be accessible through the VPN (e.g., 192.168.2.0/24).
  - Dst Address: Specify the remote network behind the pfSense firewall that will be accessible through the VPN (e.g., 192.168.1.0/24).
  - Tunnel: Select Yes.
  - Peer: Choose the IPsec peer you created earlier.
  - Proposal: Choose the IPsec proposal you created earlier.
- Apply and save the policy configuration. With the IPsec policy in place, the MikroTik router knows which traffic to send through the VPN tunnel.
Troubleshooting and Verification
Once you've configured both the pfSense and MikroTik devices, it's time to verify that the IPsec VPN tunnel is working correctly. Here are some troubleshooting steps to help you identify and resolve any issues.
Checking IPsec Status
- pfSense: Navigate to Status > IPsec in the pfSense web interface. This page displays the status of the IPsec tunnels. Look for an active connection with green checkmarks.
- MikroTik: In WinBox or WebFig, go to IP > IPsec > Active Peers and IP > IPsec > Installed SAs. Check if the tunnel is established and if there are active security associations.
Common Issues and Solutions
- Phase 1 or Phase 2 Failures: These are often caused by mismatched pre-shared keys, encryption algorithms, or hash algorithms. Double-check all the settings on both devices.
- Firewall Rules: Ensure that firewall rules on both pfSense and MikroTik allow IPsec traffic (ESP protocol, UDP ports 500 and 4500). Remember to check both the WAN and LAN interfaces.
- NAT Issues: If you are behind NAT, ensure that NAT traversal is enabled on both devices.
- Routing Problems: Verify that the routing tables on both devices include routes for the remote network via the IPsec tunnel. You may need to add static routes to ensure traffic is properly directed.
Testing Connectivity
To test connectivity, try pinging devices on the remote network from devices on the local network. For example, ping a device on the 192.168.1.0/24 network from a device on the 192.168.2.0/24 network. If the pings are successful, the VPN tunnel is working correctly.
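Most Phase 1 and Phase 2 failures come down to the two GUIs spelling the same setting differently, so a quick way to work through the "Common Issues" checklist is to write both sides down and compare them mechanically. The script below is an added example (not code from this article, pfSense or MikroTik): it models the fields the article tells you to set on each side, translates pfSense's labels into MikroTik's (AES256 to aes-256-cbc, group 14 to modp2048, and so on; that mapping is my assumption, as is treating pfSense's Phase 1 AES256 as AES-CBC), and reports every mismatch, including Phase 2 selectors that are not mirrored between Local/Remote on pfSense and Dst/Src on MikroTik. It goes slightly beyond the article by also flagging overlapping networks. The addresses and the pre-shared key are constructed sample values.

```python
"""Cross-check a pfSense IPsec configuration against its MikroTik peer.

Added example for this article, not pfSense's or MikroTik's own tooling.
The name tables below are assumptions about how each GUI labels the same
algorithm; the sample values at the bottom are constructed for the demo
(203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
"""
import ipaddress

# pfSense label -> MikroTik value. Assumption: pfSense "AES256" in Phase 1 is
# AES-CBC with a 256-bit key, which MikroTik calls aes-256-cbc.
P1_ENC = {"AES256": "aes-256-cbc", "AES128": "aes-128-cbc"}
P2_ENC = {"AES256GCM": "aes-256-gcm", "AES128GCM": "aes-128-gcm",
          "AES256": "aes-256-cbc", "AES128": "aes-128-cbc"}
HASH = {"SHA256": "sha256", "SHA512": "sha512", "SHA1": "sha1"}
DH = {"14 (2048 bit MODP Group)": "modp2048",
      "15 (3072 bit MODP Group)": "modp3072",
      "16 (4096 bit MODP Group)": "modp4096"}
KEX = {"IKEv2": "ike2"}


def _compare(label, pf_value, table, mt_value):
    """Translate the pfSense value and compare it with the MikroTik one."""
    expected = table.get(pf_value)
    if expected is None:
        return f"{label}: no MikroTik equivalent known for pfSense {pf_value!r}"
    if expected != mt_value:
        return f"{label}: pfSense {pf_value!r} requires MikroTik {expected!r}, found {mt_value!r}"
    return None


def check_phase1(pf_p1, mt_peer):
    """Return mismatches between a pfSense Phase 1 entry and a MikroTik peer."""
    problems = []
    # Compare the secret without ever putting its value in the report.
    if pf_p1["pre_shared_key"] != mt_peer["secret"]:
        problems.append("pre-shared key: the two sides do not match")
    for label, pf_key, table, mt_key in (
        ("key exchange", "key_exchange", KEX, "exchange_mode"),
        ("encryption", "encryption", P1_ENC, "enc_algorithm"),
        ("hash", "hash", HASH, "hash_algorithm"),
        ("DH group", "dh_group", DH, "dh_group"),
    ):
        msg = _compare(label, pf_p1[pf_key], table, mt_peer[mt_key])
        if msg:
            problems.append(msg)
    # Identifiers are the peers' IP addresses, so each side must point at the
    # other's WAN address exactly.
    if pf_p1["remote_gateway"] != mt_peer["wan_ip"]:
        problems.append("remote gateway: pfSense does not point at the MikroTik WAN address")
    if mt_peer["address"] != pf_p1["wan_ip"]:
        problems.append("peer address: MikroTik does not point at the pfSense WAN address")
    return problems


def check_phase2(pf_p2, mt_proposal, mt_policy):
    """Return mismatches between pfSense Phase 2 and the MikroTik proposal/policy."""
    problems = []
    for label, pf_key, table, mt_key in (
        ("ESP encryption", "encryption", P2_ENC, "enc_algorithms"),
        ("ESP hash", "hash", HASH, "auth_algorithms"),
        ("PFS group", "pfs_group", DH, "pfs_group"),
    ):
        msg = _compare(label, pf_p2[pf_key], table, mt_proposal[mt_key])
        if msg:
            problems.append(msg)
    if pf_p2["lifetime"] != mt_proposal["lifetime_seconds"]:
        problems.append(f"lifetime: pfSense {pf_p2['lifetime']}s vs MikroTik "
                        f"{mt_proposal['lifetime_seconds']}s (only tolerated when the "
                        "peer obtains lifetimes from the negotiation)")
    # Selectors must mirror each other: pfSense Local == MikroTik Dst and
    # pfSense Remote == MikroTik Src. Parsing with ip_network also catches a
    # host address typed where a prefix was expected.
    pf_local = ipaddress.ip_network(pf_p2["local_network"], strict=False)
    pf_remote = ipaddress.ip_network(pf_p2["remote_network"], strict=False)
    mt_src = ipaddress.ip_network(mt_policy["src_address"], strict=False)
    mt_dst = ipaddress.ip_network(mt_policy["dst_address"], strict=False)
    if pf_local != mt_dst or pf_remote != mt_src:
        problems.append(f"selectors: pfSense {pf_local}->{pf_remote} is not mirrored "
                        f"by MikroTik {mt_src}->{mt_dst}")
    if pf_local.overlaps(pf_remote):
        problems.append(f"selectors: {pf_local} and {pf_remote} overlap, traffic cannot be routed cleanly")
    if not mt_policy["tunnel"]:
        problems.append("policy: tunnel=no on MikroTik, but pfSense uses Tunnel IPv4 mode")
    return problems


def audit(pf_p1, pf_p2, mt_peer, mt_proposal, mt_policy):
    """Run both checks and return the combined list of findings."""
    return check_phase1(pf_p1, mt_peer) + check_phase2(pf_p2, mt_proposal, mt_policy)


# Constructed sample values that follow the article's settings.
PF_P1 = {"wan_ip": "203.0.113.10", "remote_gateway": "198.51.100.20",
         "key_exchange": "IKEv2", "pre_shared_key": "example-psk-replace-me",
         "encryption": "AES256", "hash": "SHA256",
         "dh_group": "14 (2048 bit MODP Group)", "lifetime": 28800}
PF_P2 = {"local_network": "192.168.1.0/24", "remote_network": "192.168.2.0/24",
         "encryption": "AES256GCM", "hash": "SHA256",
         "pfs_group": "14 (2048 bit MODP Group)", "lifetime": 3600}
MT_PEER = {"wan_ip": "198.51.100.20", "address": "203.0.113.10",
           "exchange_mode": "ike2", "secret": "example-psk-replace-me",
           "enc_algorithm": "aes-256-cbc", "hash_algorithm": "sha256",
           "dh_group": "modp2048"}
MT_PROPOSAL = {"auth_algorithms": "sha256", "enc_algorithms": "aes-256-gcm",
               "lifetime_seconds": 3600, "pfs_group": "modp2048"}
MT_POLICY = {"src_address": "192.168.2.0/24", "dst_address": "192.168.1.0/24",
             "tunnel": True}

if __name__ == "__main__":
    for line in audit(PF_P1, PF_P2, MT_PEER, MT_PROPOSAL, MT_POLICY) or ["no mismatches found"]:
        print(line)
```

Fill the five dictionaries in from both GUIs before you start clicking through the status pages; with the values as shipped the script reports no mismatches, and a single wrong entry (aes-256-cbc in the proposal where pfSense has AES256GCM, or Src and Dst swapped in the policy) is named directly instead of showing up only as a silent Phase 2 failure.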
Conclusion
Configuring an IPsec VPN between a MikroTik router and a pfSense firewall provides a secure and reliable way to connect networks. By following these steps, you can establish a robust VPN tunnel that protects your data and ensures seamless communication between your networks. Remember to double-check all settings and troubleshoot any issues using the methods described above. With a little patience and attention to detail, you'll have a fully functional IPsec VPN up and running in no time!