1 - Notes
- Use at most 8 characters in the Pre-Shared Key
- Add the firewall rules on the IPsec interface of pfSense and under SYSTEM ACCESS on the Endian
2 - Mapping of the settings
pfSense

| Section | Setting | Value |
|---|---|---|
| Phase 1 - General Information | Key Exchange version | IKEv1 |
| | Internet Protocol | IPv4 |
| | Interface | WAN |
| | Remote Gateway | 192.168.1.20 |
| | Description | VPN-PFSENSE-ENDIA |
| Phase 1 Proposal (Authentication) | Authentication Method | Mutual PSK |
| | Negotiation mode | Main |
| | My identifier | My IP address |
| | Peer identifier | Peer IP address |
| | Pre-Shared Key | SENHA88 |
| Phase 1 Proposal (Algorithms) | Encryption Algorithm | 3DES |
| | Hash Algorithm | MD5 |
| | DH Group | 5 (1536 bit) |
| | Lifetime (Seconds) | 28800 |
| Advanced Options | NAT Traversal | Auto |
| | Dead Peer Detection | Enabled |
| | Delay | 10 |
| | Max failures | 5 |
| Phase 2 - General Information | Mode | Tunnel IPv4 |
| | Local Network | LAN subnet |
| | NAT/BINAT translation | None |
| | Remote Network | 192.168.40.0/24 |
| | Description | Endian |
| Phase 2 Proposal (SA/Key Exchange) | Protocol | ESP |
| | Encryption Algorithms | 3DES |
| | Hash Algorithms | MD5 |
| | PFS key group | 5 (1536 bit) |
| | Lifetime (Seconds) | 3600 |

Endian Firewall

| Section | Setting | Value |
|---|---|---|
| IPsec settings (Dead Peer Detection) | Ping delay (in seconds) | 30 |
| | Timeout interval (in seconds) - IKEv1 only | 120 |
| Connections | Name * | VPNPFSENSE |
| | Connection type | Host-to-net |
| Authentication | Authentication type | Password (PSK) |
| | Use a pre-shared key | SENHA88 |
| | Interface | Uplink main |
| | Local subnets (only IKEv2 supports multiple subnets) * | 192.168.40.0/24 |
| | Remote host/IP | 192.168.1.3 |
| | Dead peer detection action | Restart |
| Advanced (Internet Key Exchange protocol configuration) | IKE encryption | 3DES |
| | IKE integrity | MD5 |
| | IKE group type | DH group (1536 bit) |
| | IKE lifetime (hours) | 1 |
| | IKE version | IKEv1 |
| Encapsulating security payload configuration | ESP encryption | 3DES |
| | ESP integrity | MD5 |
| | ESP group type | DH group (1536 bit) |
| | ESP lifetime (hours) | 8 |
| | Mode config (IKEv1 only) | Pull |
| | Enabled | Enabled |
3 - pfSense configuration
4 - Endian Firewall configuration
5 - .CONF
Endian
root@efw-ae787e6bd4:/etc/ipsec # cat ipsec.conf
config setup
    cachecrls=yes
    uniqueids=yes
    charondebug=""

conn %default
    keyingtries=%forever
    dpddelay=30s
    dpdtimeout=120s

conn VPNPFSENSE
    dpdaction=restart
    left=192.168.1.20
    leftnexthop=192.168.1.1
    leftsubnet=192.168.40.0/24
    right=192.168.1.3
    rightsubnet=0.0.0.0/0
    rightsourceip=
    leftauth=psk
    rightauth=psk
    leftid=192.168.1.20
    rightid=192.168.1.3
    ikelifetime=1h
    keylife=8h
    ike=3des-md5-modp1536
    esp=3des-md5-modp1536
    auto=add
    keyexchange=ikev1

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore
pfSense
[2.4.2-RELEASE][root@pfSense-proxy-vbox.localdomain]/etc: cat /var/etc/ipsec/ipsec.conf
# This file is automatically generated. Do not edit
config setup
    uniqueids = yes

conn bypasslan
    leftsubnet = 192.168.30.0/24
    rightsubnet = 192.168.30.0/24
    authby = never
    type = passthrough
    auto = route

conn con1000
    fragmentation = yes
    keyexchange = ikev1
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = route
    left = 192.168.1.3
    right = 192.168.1.20
    leftid = 192.168.1.3
    ikelifetime = 28800s
    lifetime = 3600s
    ike = 3des-md5-modp1536!
    esp = 3des-md5-modp1536!
    leftauth = psk
    rightauth = psk
    rightid = 192.168.1.20
    aggressive = no
    rightsubnet = 192.168.40.0/24
    leftsubnet = 192.168.30.0/24
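As an added check (example code written for this page, not taken from pfSense or Endian), the script below parses the two conn blocks above and lists every parameter on which the peers disagree, mirroring left/right between the two sides and converting lifetimes to seconds so that "1h" and "3600s" compare equal. The embedded strings are trimmed copies of the two dumps; only the keys that matter for the comparison are kept.

```python
import re
ENDIAN_CONF = """conn VPNPFSENSE
right=192.168.1.3
leftsubnet=192.168.40.0/24
rightsubnet=0.0.0.0/0
ikelifetime=1h
keylife=8h
ike=3des-md5-modp1536
keyexchange=ikev1
"""  # constructed sample: the relevant lines of the Endian conn block shown above
PFSENSE_CONF = """conn con1000
keyexchange = ikev1
left = 192.168.1.3
ikelifetime = 28800s
lifetime = 3600s
ike = 3des-md5-modp1536!
rightsubnet = 192.168.40.0/24
leftsubnet = 192.168.30.0/24
"""  # constructed sample: the relevant lines of the pfSense con1000 block shown above
UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# One side's left* is the other side's right*; every other key must match verbatim.
MIRROR = {"left": "right", "right": "left", "leftsubnet": "rightsubnet", "rightsubnet": "leftsubnet"}

def parse_conn(text, name):
    """Return the key/value pairs of one 'conn <name>' block (strongSwan ipsec.conf syntax)."""
    params, inside = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("conn "):
            inside = line.split()[1] == name
        elif inside and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            key = "lifetime" if key == "keylife" else key  # keylife is the legacy alias
            params[key] = val.rstrip("!")                  # '!' only marks a strict proposal
    return params

def normalise(key, val):
    """Express lifetimes in seconds so that '1h' and '3600s' compare equal."""
    if val and key in ("ikelifetime", "lifetime"):
        num, unit = re.fullmatch(r"(\d+)([smhd]?)", val).groups()
        return int(num) * UNIT[unit or "s"]
    return val

def mismatches(local, peer):
    """Return (local_key, local_val, peer_key, peer_val) for each parameter the peers disagree on."""
    out = []
    for key, val in local.items():
        peer_key = MIRROR.get(key, key)
        if normalise(key, val) != normalise(key, peer.get(peer_key, "")):
            out.append((key, val, peer_key, peer.get(peer_key)))
    return out
```

Run against the two dumps it reports the IKE and ESP lifetimes (28800s/3600s on pfSense against 1h/8h on Endian) and the pfSense leftsubnet against Endian's rightsubnet of 0.0.0.0/0, which is what an operator should reconcile before relying on rekeying behaviour.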