Setting up a secure site-to-site VPN using OPNsense can seem daunting, but with this comprehensive guide, you'll be able to connect two networks securely. This article will walk you through the entire process, ensuring you understand each step and can troubleshoot common issues. Whether you're a seasoned network administrator or a tech enthusiast, this guide provides clear, actionable instructions for establishing a robust and reliable VPN connection. Let's dive in!

Understanding IPSec VPNs

Before we get into the specifics of OPNsense, let's clarify what an IPSec VPN is and why it's important. IPSec (Internet Protocol Security) is a suite of protocols that provides secure communication over IP networks. It ensures confidentiality, integrity, and authentication, making it a popular choice for creating secure tunnels between networks. A site-to-site VPN connects two or more networks, allowing resources to be shared securely as if they were on the same local network. This is especially useful for businesses with multiple locations or for securely connecting to a network in a different geographical area.

The key benefits of using an IPSec VPN include:

• Security: IPSec provides strong encryption and authentication, protecting your data from eavesdropping and tampering.
• Flexibility: It can be configured to work with various network setups and is compatible with many devices and operating systems.
• Cost-Effectiveness: By using the internet as the transport medium, it eliminates the need for expensive dedicated lines.
• Scalability: It can easily scale to accommodate growing network needs.

Understanding these benefits will help you appreciate the importance of setting up your OPNsense IPSec VPN correctly. Now that we have a foundational understanding of IPSec VPNs, let's proceed with configuring OPNsense.

Prerequisites

Before we begin configuring the OPNsense IPSec site-to-site VPN, let’s ensure we have everything prepared. Here’s a checklist to guide you through the necessary prerequisites:

1. Two OPNsense Firewalls: You’ll need two separate OPNsense installations, one for each site you want to connect. Ensure that each firewall is properly installed and configured with basic network settings.
2. Static Public IP Addresses: Each OPNsense firewall should have a static public IP address. This is crucial for establishing a stable and reliable VPN connection. If you don’t have static IPs, consider using Dynamic DNS (DDNS) services, but keep in mind that this may introduce some instability.
3. Network Subnets: Determine the IP subnets for each network you’ll be connecting. Make sure these subnets do not overlap; otherwise, you’ll encounter routing issues. For example, Site A could use 192.168.1.0/24, and Site B could use 192.168.2.0/24.
4. Firewall Rules: Ensure that your firewalls allow IPSec traffic. This typically involves allowing UDP ports 500 (ISAKMP) and 4500 (NAT-T), as well as allowing ESP (Encapsulating Security Payload) protocol.
5. OPNsense Version: It’s recommended to use the latest stable version of OPNsense to take advantage of the latest features and security updates. Update your OPNsense installations before proceeding.
6. Administrative Access: You’ll need administrative access to both OPNsense firewalls to configure the IPSec settings.
7. Time Synchronization: Ensure that both OPNsense firewalls have accurate time synchronization, preferably using NTP (Network Time Protocol). Time discrepancies can cause issues with the VPN connection.

Having these prerequisites in place will streamline the configuration process and minimize potential issues. Once you’ve confirmed that everything is ready, you can move on to the next step: configuring the IPSec settings on both OPNsense firewalls.

Configuring OPNsense IPSec: Phase 1

Phase 1 of the IPSec configuration involves setting up the initial secure channel for communication between the two OPNsense firewalls. This phase establishes the foundation for the VPN tunnel by negotiating security parameters and authenticating the peers. Here’s how to configure Phase 1 on both OPNsense firewalls:

1. Access the OPNsense Web Interface: Log in to the web interface of your first OPNsense firewall (e.g., Site A).
2. Navigate to VPN > IPSec > Tunnel Settings: Go to the IPSec configuration section in the OPNsense web interface.
3. Add a New Tunnel: Click on the “Add” button to create a new IPSec tunnel.
4. General Settings:
   • Disable this tunnel: Unchecked (to enable the tunnel).
   • Key exchange version: Select “IKEv2”.
   • Internet Protocol: Choose “IPv4”.
   • Interface: Select the WAN interface (the interface with the public IP address).
   • Local address: Select the WAN interface’s IP address.
   • Remote gateway: Enter the public IP address of the other OPNsense firewall (e.g., Site B).
5. Phase 1 Proposal (Authentication):
   • Authentication method: Choose “Mutual PSK”.
   • Pre-shared key: Enter a strong, randomly generated pre-shared key. Make sure to use the same key on both OPNsense firewalls. This is crucial for authentication.
   • Encryption algorithm: Select “AES256” (or another strong encryption algorithm).
   • Hash algorithm: Select “SHA256” (or another strong hash algorithm).
   • DH key group: Choose “14 (2048 bit)”.
   • Lifetime: Set to “28800” seconds (8 hours).
6. Advanced Settings:
   • Leave the advanced settings at their default values unless you have specific requirements.
7. Save the Configuration: Click “Save” to save the Phase 1 settings.
8. Repeat on the Other Firewall: Repeat the same steps on the second OPNsense firewall (e.g., Site B), but with the local and remote IP addresses reversed. Ensure that the pre-shared key is identical on both firewalls.

Configuring Phase 1 correctly is essential for establishing a secure and stable VPN connection. Double-check all the settings, especially the pre-shared key and IP addresses, to avoid common configuration errors. Once Phase 1 is configured on both firewalls, you can proceed to configure Phase 2.

Configuring OPNsense IPSec: Phase 2

After successfully configuring Phase 1, Phase 2 defines the specific security parameters for the data that will be transmitted through the VPN tunnel. This phase ensures that the data is encrypted and protected as it travels between the two networks. Here’s how to configure Phase 2 on both OPNsense firewalls:

1. Access the OPNsense Web Interface: Log in to the web interface of your first OPNsense firewall (e.g., Site A).
2. Navigate to VPN > IPSec > Tunnel Settings: Go to the IPSec configuration section and find the tunnel you created in Phase 1.
3. Edit the Tunnel: Click on the “Edit” button to modify the tunnel settings.
4. Phase 2 Proposal (SA/Key Exchange):
   • PFS key group: Choose “14 (2048 bit)” (or match the DH key group from Phase 1).
   • Encryption algorithms: Select “AES256GCM16” (or another strong encryption algorithm; ensure it matches on both sides).
   • Hash algorithms: Select “none” when using AES-GCM.
   • Lifetime: Set to “3600” seconds (1 hour).
5. Advanced Settings:
   • Automatically ping host: You can enter an IP address on the remote network to ping periodically to keep the tunnel alive. For example, 192.168.2.1.
6. Save the Phase 2 Settings: Click “Save” to save the Phase 2 settings.
7. IPSec Mobile Client Settings:
   • Scroll down to IPSec Mobile Client Settings.
   • Under Source, add your local network, for example 192.168.1.0/24.
   • Under Destination, add your remote network, for example 192.168.2.0/24.
8. Repeat on the Other Firewall: Repeat the same steps on the second OPNsense firewall (e.g., Site B), ensuring that the local and remote network settings are reversed to match its network configuration.

Configuring Phase 2 correctly is vital for ensuring that data transmitted through the VPN tunnel is securely encrypted and protected. Ensure that the encryption algorithms and PFS key group match on both sides to avoid connectivity issues. After configuring Phase 2, you’ll need to adjust the firewall rules to allow traffic to pass through the VPN tunnel.

Firewall Rules Configuration

To allow traffic to pass through the IPSec VPN tunnel, you need to configure firewall rules on both OPNsense firewalls. These rules will permit traffic between the local and remote networks. Here’s how to configure the necessary firewall rules:

1. Access the OPNsense Web Interface: Log in to the web interface of your first OPNsense firewall (e.g., Site A).
2. Navigate to Firewall > Rules > IPSec: Go to the firewall rules section and select the “IPSec” tab. This is where you’ll create rules specifically for IPSec traffic.
3. Add a New Rule: Click on the “Add” button to create a new firewall rule.
4. Configure the Rule:
   • Action: Set to “Pass” to allow the traffic.
   • Interface: Select “IPSec” as the interface.
   • Address Family: Choose “IPv4”.
   • Protocol: Set to “Any” to allow all protocols (or specify specific protocols if needed).
   • Source: Select “Network” and enter the local network subnet (e.g., 192.168.1.0/24).
   • Destination: Select “Network” and enter the remote network subnet (e.g., 192.168.2.0/24).
   • Description: Add a description for the rule, such as “Allow traffic from Site A to Site B”.
5. Save the Rule: Click “Save” to save the firewall rule.
6. Apply Changes: Click “Apply Changes” to activate the new firewall rule.
7. Repeat on the Other Firewall: Repeat the same steps on the second OPNsense firewall (e.g., Site B), ensuring that the source and destination networks are reversed to match its network configuration. The source network should be the local network of Site B (e.g., 192.168.2.0/24), and the destination network should be the remote network of Site A (e.g., 192.168.1.0/24).

By configuring these firewall rules, you ensure that traffic can flow freely between the two networks connected by the IPSec VPN tunnel. Without these rules, traffic will be blocked, and the VPN connection will not be functional. Double-check the source and destination networks to avoid common configuration errors. After configuring the firewall rules, you can proceed to test the VPN connection.

Testing the VPN Connection

After configuring both Phase 1 and Phase 2, and setting up the necessary firewall rules, it’s time to test the VPN connection to ensure everything is working as expected. Here’s a step-by-step guide to testing the VPN connection between your two OPNsense firewalls:

1. Check IPSec Status:
   • Go to VPN > IPSec > Overview in both OPNsense web interfaces.
   • Verify that the IPSec tunnel is active and connected. Look for a green checkmark or a status indicating that the tunnel is established.
   • If the tunnel is not active, check the logs for any error messages that might indicate a configuration issue.
2. Ping Test:
   • From a device on the local network of one OPNsense firewall (e.g., Site A), ping a device on the local network of the other OPNsense firewall (e.g., Site B). For example, if a device at Site B has the IP address 192.168.2.10, ping that address from a device at Site A with the IP address 192.168.1.10.
   • If the ping is successful, it indicates that traffic is flowing through the VPN tunnel.
   • If the ping fails, double-check the firewall rules, routing settings, and IPSec configuration on both OPNsense firewalls.
3. Traceroute Test:
   • Use traceroute to verify the path that traffic is taking between the two networks. This can help identify any routing issues or bottlenecks.
   • From a device on one network, run traceroute to a device on the other network and ensure that the traffic is going through the IPSec tunnel.
4. File Sharing Test:
   • If you intend to share files between the two networks, test file sharing to ensure that it’s working correctly. Try accessing a shared folder or file on the remote network.
   • If file sharing is not working, check the firewall rules and file sharing settings on both networks.
5. Application Testing:
   • Test any applications that you plan to use over the VPN connection to ensure that they are functioning correctly. This could include testing email, VoIP, or other network-based applications.
   • If applications are not working, check the firewall rules and application-specific settings on both networks.

By performing these tests, you can verify that the IPSec VPN connection is working correctly and that traffic is flowing securely between the two networks. If you encounter any issues, refer to the troubleshooting section for guidance.

Troubleshooting Common Issues

Even with careful configuration, you might encounter issues when setting up an OPNsense IPSec site-to-site VPN. Here are some common problems and their solutions:

1. Tunnel Not Establishing:
   • Problem: The IPSec tunnel fails to establish, and you see errors in the logs.
   • Solution:
     • Verify Pre-Shared Keys: Ensure that the pre-shared keys are identical on both OPNsense firewalls. Even a small typo can prevent the tunnel from establishing.
     • Check IP Addresses: Double-check the local and remote IP addresses on both firewalls. Make sure they are correct and that there are no typos.
     • Firewall Rules: Ensure that the necessary firewall rules are in place to allow IPSec traffic (UDP ports 500 and 4500, and ESP protocol).
     • IKE Phase 1 Settings: Verify that the Phase 1 settings (encryption algorithm, hash algorithm, DH key group) match on both firewalls.
2. Traffic Not Passing Through the Tunnel:
   • Problem: The IPSec tunnel is established, but traffic is not passing through it.
   • Solution:
     • Firewall Rules: Ensure that the firewall rules are configured correctly to allow traffic between the local and remote networks. Check the source and destination networks in the rules.
     • IKE Phase 2 Settings: Verify that the Phase 2 settings (encryption algorithms, PFS key group) match on both firewalls.
     • Routing: Check the routing tables on both OPNsense firewalls to ensure that traffic is being routed correctly through the IPSec tunnel.
3. Intermittent Connectivity:
   • Problem: The VPN connection drops intermittently.
   • Solution:
     • Lifetime Settings: Adjust the lifetime settings in Phase 1 and Phase 2. Shorter lifetimes can cause more frequent key exchanges, which can lead to connectivity issues.
     • NAT-T: Ensure that NAT-T (NAT Traversal) is enabled if one or both firewalls are behind a NAT device.
     • DPD (Dead Peer Detection): Enable DPD to detect and re-establish the tunnel if the connection drops.
4. MTU Issues:
   • Problem: Large packets are being fragmented, causing performance issues.
   • Solution:
     • Adjust MTU: Reduce the MTU (Maximum Transmission Unit) on the OPNsense firewalls to account for the overhead of the IPSec encryption. A common value is 1400 bytes.
5. Log Analysis:
   • Problem: Unable to diagnose the issue.
   • Solution:
     • Check Logs: Examine the OPNsense logs for any error messages or clues about the cause of the problem. The logs can provide valuable information about what is going wrong and how to fix it.

By systematically troubleshooting these common issues, you can identify and resolve problems with your OPNsense IPSec site-to-site VPN. Always double-check your configuration settings and consult the OPNsense documentation or community forums for additional help.

Conclusion

Setting up an OPNsense IPSec site-to-site VPN provides a secure and reliable way to connect two or more networks. By following this comprehensive guide, you can configure your OPNsense firewalls to establish a robust VPN connection. Remember to pay close attention to the prerequisites, Phase 1 and Phase 2 settings, and firewall rules to ensure everything is configured correctly. Testing the VPN connection and troubleshooting common issues will help you maintain a stable and secure network environment.

With a properly configured IPSec VPN, you can securely share resources, access remote networks, and protect your data from unauthorized access. Whether you're a small business or a large enterprise, OPNsense offers a flexible and cost-effective solution for your VPN needs. So go ahead, implement these steps, and enjoy the benefits of a secure and connected network! You got this!