IPSec Site-To-Site Setup

By Edward, Published January 14 2024, Updated March 1 2024

Overview

While setting up IPSec through OPNSense is well documented, I wanted to add my own guide to how I have it set up, taking National Institute of Standards and Technology (NIST) recommendations into consideration. The setup is fairly simple: two sites, each of which exposes one local subnet to the other.

The layout assumes two routers, each with two subnets and two connected hosts. The WAN IP of Host 1 is 10.1.1.1 with a subnet mask of 255.255.255.0 and a gateway of 10.1.1.254. The WAN IP of Host 2 is 10.2.2.1 with a subnet mask of 255.255.255.0 and a gateway of 10.2.2.254.

For the IPSec configuration, we will use 10.1.1.1 and 10.2.2.1 as the external IP addresses to connect to. In a real-world scenario, these will likely be static public IPs or Fully Qualified Domain Names (FQDNs). Where one or more hosts has a dynamic IP, dynamic DNS should ideally be set up on the router.

Finally, IPSec will carry traffic between the 192.168.1.1 and 192.168.3.1 networks. The 192.168.2.1 and 192.168.4.1 networks should not be able to communicate across IPSec.

We will use the Connections interface to set up the connection.

Network Layout

IPSec Key Pair Setup

Host 1 Setup

  1. Go to VPN > IPSec > Key Pairs
  2. Click the Add button towards the right of the menu
  3. Enter a key pair name
    • We will use host1-host2
  4. Select a key type
    • For RSA, use 4096 bit or higher.
    • For ECDSA, select NIST P-384 or higher.
  5. Click the gear icon to generate the key pair
  6. Save the key pair

Then add the public key received from Host 2:

  1. Go to VPN > IPSec > Key Pairs
  2. Click the Add button towards the right of the menu
  3. Enter a key pair name
    • We will use host2-host1
  4. Select the appropriate key type
  5. Enter ONLY the public key from Host 2
  6. Save the key pair

Host 2 Setup

  1. Go to VPN > IPSec > Key Pairs
  2. Click the Add button towards the right of the menu
  3. Enter a key pair name
    • We will use host2-host1
  4. Select a key type
    • For RSA, use 4096 bit or higher.
    • For ECDSA, select NIST P-384 or higher.
  5. Click the gear icon to generate the key pair
  6. Save the key pair

Then add the public key received from Host 1:

  1. Go to VPN > IPSec > Key Pairs
  2. Click the Add button towards the right of the menu
  3. Enter a key pair name
    • We will use host1-host2
  4. Select the appropriate key type
  5. Enter ONLY the public key from Host 1
  6. Save the key pair

Note

You can additionally generate more key pairs and/or pre-shared keys for added security and as an attempt to hedge against future quantum computers. The overall effectiveness of this strategy has yet to be determined.


IPSec Connections Setup

Host 1 General Settings

Key                 Value
Enabled             Checked
Proposals           aes256gcm16-sha512-ecp256 (DH19, NIST EC)
Version             IKEv2
MOBIKE              Unchecked
Local Addresses     Blank, or 10.1.1.1
Remote Addresses    10.2.2.1 or FQDN
DPD Delay           Empty, unless desired
Pools               Empty
Description         IPSec to Host 2

Host 1 Local Authentication

Key                 Value
Enabled             Checked
Connection          IPSec to Host 2
Authentication      Public Key
id                  host1
Certificates        Blank
Public Keys         host1-host2
Description         Initial Host 1 Auth

Host 1 Remote Authentication

Key                 Value
Enabled             Checked
Connection          IPSec to Host 2
Authentication      Public Key
id                  host2
Certificates        Blank
Public Keys         host2-host1
Description         Initial Host 2 Auth

Host 2 General Settings

Key                 Value
Enabled             Checked
Proposals           aes256gcm16-sha512-ecp256 (DH19, NIST EC)
Version             IKEv2
MOBIKE              Unchecked
Local Addresses     Blank, or 10.2.2.1
Remote Addresses    10.1.1.1 or FQDN
DPD Delay           Empty, unless desired
Pools               Empty
Description         IPSec to Host 1

Host 2 Local Authentication

Key                 Value
Enabled             Checked
Connection          IPSec to Host 1
Authentication      Public Key
id                  host2
Certificates        Blank
Public Keys         host2-host1
Description         Initial Host 2 Auth

Host 2 Remote Authentication

Key                 Value
Enabled             Checked
Connection          IPSec to Host 1
Authentication      Public Key
id                  host1
Certificates        Blank
Public Keys         host1-host2
Description         Initial Host 1 Auth

IPSec Children Setup

Note

The Children can be set up per network share or as a single trunk share. For security purposes, a per-network share is preferred, since it avoids any undesired communication between networks that were not meant to be connected.

If you set a Reqid, make sure to set it the same across both hosts.

Host 1 General Settings

Key                 Value
Enabled             Checked
Connection          IPSec to Host 2
Mode                Tunnel
Policies            Checked
Start Action        Start
DPD Action          Clear
Reqid               Blank, or number
ESP Proposals       aes256gcm16-sha512-ecp521 (DH21, NIST EC)
Local               192.168.1.0/24
Remote              192.168.3.0/24
Description         LAN 1 to LAN 3

Host 2 General Settings

Key                 Value
Enabled             Checked
Connection          IPSec to Host 1
Mode                Tunnel
Policies            Checked
Start Action        Start
DPD Action          Clear
Reqid               Blank, or number
ESP Proposals       aes256gcm16-sha512-ecp521 (DH21, NIST EC)
Local               192.168.3.0/24
Remote              192.168.1.0/24
Description         LAN 3 to LAN 1

Firewall Setup

Both Host WAN Rules

IPSec NAT-T

Key                 Value
Protocol            TCP/UDP
Source              any
Destination         WAN Address
Destination Port    IPSec NAT-T
Log                 Optional, checked
Description         IPSec NAT-T

IPSec ISAKMP

Key                 Value
Protocol            TCP/UDP
Source              any
Destination         WAN Address
Destination Port    ISAKMP
Log                 Optional, checked
Description         IPSec ISAKMP

IPSec ESP

Key                 Value
Protocol            ESP
Source              any
Destination         WAN Address
Log                 Optional, checked
Description         IPSec ESP

IPSec Rules

Host 1

Key                 Value
Source              192.168.3.1/24
Destination         192.168.1.1/24
Log                 Optional, checked
Description         IPSec LAN 3 to LAN 1

Host 2

Key                 Value
Source              192.168.1.1/24
Destination         192.168.3.1/24
Log                 Optional, checked
Description         IPSec LAN 1 to LAN 3

Conclusion

IPSec is fully set up at this point and allows communication between the two networks. When testing the configuration, 192.168.1.2 should be able to reach 192.168.3.2 but not 192.168.4.2, and 192.168.2.2 should not be able to reach 192.168.3.2 or 192.168.4.2. The same holds in reverse from the other end.
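Whether a given LAN host can reach a host on the far side depends on two layers configured above: the Children traffic selectors (which decide what the tunnel carries, on both ends) and the rules on each host's IPsec interface (which decide what is accepted after decryption). The script below is an added example written for this guide, not part of the guide or of OPNsense; it encodes the Children and IPSec Rules tables and derives the expected reachability matrix for the test hosts named in the conclusion. The mapping of LANs to hosts is constructed from the layout description, and the example normalizes rule entries written as 192.168.3.1/24 to their network address, which is this example's choice rather than a statement about how OPNsense stores them.

```python
"""Expected reachability through the tunnel, as an added example.

Not part of the original guide. It models the two layers the guide configures
for LAN traffic: the Phase 2 (child) traffic selectors, which decide what is
carried through the tunnel, and each host's rules on the IPsec interface,
which decide what is accepted after decryption. Addresses are the guide's;
the LAN-to-host mapping is constructed from its layout description.
"""
import ipaddress


def net(cidr):
    """Parse a CIDR; entries like 192.168.3.1/24 normalize to 192.168.3.0/24."""
    return ipaddress.ip_network(cidr, strict=False)


# Child (Phase 2) policies per host as (local, remote), from the Children tables.
CHILDREN = {
    "host1": [(net("192.168.1.0/24"), net("192.168.3.0/24"))],
    "host2": [(net("192.168.3.0/24"), net("192.168.1.0/24"))],
}
# Pass rules on each host's IPsec interface as (source, destination).
IPSEC_RULES = {
    "host1": [(net("192.168.3.1/24"), net("192.168.1.1/24"))],
    "host2": [(net("192.168.1.1/24"), net("192.168.3.1/24"))],
}
# Which LANs sit behind which host (constructed from the layout description).
LAN_OF = {
    net("192.168.1.0/24"): "host1", net("192.168.2.0/24"): "host1",
    net("192.168.3.0/24"): "host2", net("192.168.4.0/24"): "host2",
}


def host_for(ip):
    """Return the host whose LAN contains ip."""
    for lan, host in LAN_OF.items():
        if ip in lan:
            return host
    raise ValueError(f"{ip} is not on any LAN in the layout")


def reachable(src, dst):
    """True if a packet src -> dst is carried by the tunnel and accepted at the far end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    sender, receiver = host_for(src), host_for(dst)
    if sender == receiver:
        return False  # same site: local traffic never enters the tunnel
    # 1. The sender needs a child policy whose selectors cover this pair.
    if not any(src in loc and dst in rem for loc, rem in CHILDREN[sender]):
        return False
    # 2. The receiver needs the mirror policy, or the child SA is not negotiated.
    if not any(dst in loc and src in rem for loc, rem in CHILDREN[receiver]):
        return False
    # 3. The receiver's IPsec-interface rule must pass the decrypted packet.
    return any(src in s and dst in d for s, d in IPSEC_RULES[receiver])


def reachability_matrix(hosts):
    """Map each ordered (src, dst) pair of distinct hosts to its expected result."""
    return {(s, d): reachable(s, d) for s in hosts for d in hosts if s != d}


if __name__ == "__main__":
    test_hosts = ["192.168.1.2", "192.168.2.2", "192.168.3.2", "192.168.4.2"]
    for (s, d), ok in sorted(reachability_matrix(test_hosts).items()):
        print(f"{s} -> {d}: {'allowed' if ok else 'blocked'}")
```

Only the 192.168.1.2 and 192.168.3.2 pair comes out allowed in both directions; every pair involving 192.168.2.x or 192.168.4.x is blocked because no child policy selects it, which is the behaviour the per-network Children setup is meant to guarantee. Adding a second child policy (and matching IPsec rule) for another pair of LANs is the only way to extend the matrix.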


Sources

Virtual Private Networking. (n.d.). Retrieved from https://docs.opnsense.org/manual/vpnet.html#firewall-rules

IPsec – Policy based public key setup. (n.d.). Retrieved from https://docs.opnsense.org/manual/how-tos/ipsec-s2s-conn.html

Guide to IPSec VPNs. (n.d.). Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-77r1.pdf