Setting up an IPsec VPN between a Mikrotik router and a pfSense firewall can seem daunting, but with a step-by-step approach, you can create a secure tunnel between your networks. This guide provides a detailed walkthrough to help you configure IPsec between these two popular devices. Let's dive in!

    Understanding IPsec and VPNs

    Before we get started, let's clarify what IPsec and VPNs are and why they are essential for secure communication. IPsec (Internet Protocol Security) is a suite of protocols that provides secure communication over IP networks. It ensures confidentiality, integrity, and authentication of data transmitted between two points. A VPN (Virtual Private Network) uses IPsec (or other protocols) to create a secure, encrypted tunnel over a public network like the internet, allowing you to extend your private network securely.

    Why Use IPsec VPN?

    Using an IPsec VPN offers several benefits:

    • Security: Encrypts and integrity-protects the traffic selected by the tunnel's policy as it crosses the internet, protecting it from eavesdropping and tampering.
    • Remote Access: Allows users to securely access network resources from anywhere.
    • Site-to-Site Connectivity: Connects multiple networks securely, as if they were on the same physical network.
    • Cost-Effective: Reduces the need for expensive dedicated leased lines.

    Prerequisites

    Before starting the configuration, make sure you have the following:

    • Two Networks: Each network should have its own internet connection.
    • Mikrotik Router: Running RouterOS.
    • pfSense Firewall: Installed and configured.
    • Static Public IP Addresses: Or a dynamic DNS service for both networks.
    • Network Addressing: Plan your network subnets to avoid overlapping IP address ranges.

    Step-by-Step Configuration

    Step 1: Mikrotik Configuration

    First, let's configure the Mikrotik router. Log in to your Mikrotik router using Winbox or the web interface.

    1.1: Create an IPsec Proposal

    An IPsec proposal defines the Phase 2 (ESP) algorithms: how the tunnelled packets themselves are encrypted and authenticated. It is the counterpart of the pfSense Phase 2 settings, not of Phase 1. Navigate to IP > IPsec > Proposals and click the + button to add a new proposal.

    • Name: Give it a descriptive name (e.g., "pfSense-Proposal").
    • Auth. Algorithms: sha256 (sha512 also works; avoid md5 and sha1).
    • Encryption Algorithms: aes-256-cbc. AES-256-GCM is faster on hardware that accelerates it, but it is an AEAD cipher that carries its own integrity protection, so if you choose it you must choose the matching GCM option in pfSense Phase 2 as well; a CBC cipher plus SHA256 is the easier pairing to match.
    • PFS Group: modp2048. This must equal the PFS key group chosen in pfSense Phase 2 (group 14). The RouterOS default is modp1024, which will not match.
    • Lifetime: 1h. This is how long each Phase 2 SA (the ESP keys) is used before rekeying; pfSense expresses the same value as 3600 seconds.

    Apply the settings and move on.

    1.2: Create an IPsec Profile, Peer and Identity

    The peer defines the remote endpoint (pfSense) with which the Mikrotik will establish the VPN connection. Since RouterOS 6.45 (and in RouterOS 7) the old single Peer dialog is split into three objects: a Profile (Phase 1 algorithms, lifetime and DPD), a Peer (the remote address and exchange mode) and an Identity (how the peer authenticates). Older RouterOS versions show all of these fields in one Peer dialog; the values are the same.

    Go to IP > IPsec > Profiles and click the + button:

    • Name: e.g., "pfSense-Profile".
    • Hash Algorithm: sha256. This is the Phase 1 (IKE) integrity/PRF algorithm and must match the pfSense Phase 1 hash, not the proposal from step 1.1.
    • Encryption Algorithm: aes-256. The profile offers only block ciphers in CBC mode (no GCM), so pfSense Phase 1 must use plain AES256 too.
    • DH Group: modp2048. This must equal the pfSense Phase 1 DH group (14).
    • Proposal Check: obey (the default). "Obtain If Necessary" is not a RouterOS option; the choices are claim, exact, obey and strict.
    • Lifetime: 1d. This is the Phase 1 (IKE SA) lifetime; pfSense expresses it as 86400 seconds.
    • DPD Interval: 30s. Dead Peer Detection probes an idle peer so a dropped tunnel is torn down and re-established instead of silently black-holing traffic.
    • DPD Maximum Failures: 5. The number of unanswered probes before the peer is considered dead.

    Go to IP > IPsec > Peers and click the + button:

    • Name: e.g., "pfSense".
    • Address: The public IP address of the pfSense firewall.
    • Profile: The profile you just created.
    • Exchange Mode: ike2. This must match the pfSense Key Exchange version (IKEv2); main is IKEv1 main mode and will not negotiate with an IKEv2 peer.

    Go to IP > IPsec > Identities and click the + button:

    • Peer: The peer you just created.
    • Auth. Method: pre shared key.
    • Secret: A strong, randomly generated pre-shared key (at least 32 characters). It must match the one configured on the pfSense firewall; treat it like a password and do not reuse it for other tunnels.
    • Generate Policy: no. The policy is created by hand in the next step; port override is meant for road-warrior setups where the remote networks are not known in advance.

    1.3: Create an IPsec Policy

    The IPsec policy defines the traffic that will be encrypted and sent through the VPN tunnel; it is the counterpart of pfSense Phase 2. Navigate to IP > IPsec > Policies and click the + button.

    General tab:
    • Peer: Select the peer you created in the previous step.
    • Tunnel: Check the box (tunnel mode, not transport mode).
    • Src. Address: The local network behind the Mikrotik router (e.g., 192.168.1.0/24).
    • Dst. Address: The remote network behind the pfSense firewall (e.g., 192.168.2.0/24).
    • Protocol: all.

    Action tab:
    • Action: encrypt.
    • Level: require.
    • IPsec Protocols: esp.
    • Proposal: Choose the proposal you created in step 1.1.

    Apply the settings. The Mikrotik side now has its IPsec objects; it still needs firewall and NAT rules, which are covered together with the pfSense rules in step 2.3.
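    The same MikroTik configuration as steps 1.1 to 1.3, plus the firewall and NAT rules it needs, in RouterOS CLI form. This is an added example, not configuration from the original page; it targets RouterOS 7 (also valid on 6.45 and later) and the addresses, object names and pre-shared key are placeholders constructed for the example.

```routeros
# Added example: MikroTik side of the tunnel as RouterOS 7 CLI. Not from the original page.
# Constructed addressing:
#   MikroTik WAN 203.0.113.10, LAN 192.168.1.0/24
#   pfSense  WAN 198.51.100.20, LAN 192.168.2.0/24
# The PSK is a placeholder; generate your own (32+ random characters).

# Phase 1 (IKE SA). Must equal pfSense Phase 1: AES256 / SHA256 / DH group 14 / 86400 s.
/ip ipsec profile
add name=pfSense-Profile enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 lifetime=1d proposal-check=obey nat-traversal=yes \
    dpd-interval=30s dpd-maximum-failures=5

# Phase 2 (ESP SA). Must equal pfSense Phase 2: AES256 / SHA256 / PFS group 14 / 3600 s.
/ip ipsec proposal
add name=pfSense-Proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048 lifetime=1h

# Remote endpoint, negotiated with IKEv2 (pfSense "Key Exchange version: IKEv2").
/ip ipsec peer
add name=pfSense address=198.51.100.20 exchange-mode=ike2 profile=pfSense-Profile

# Authentication: mutual PSK. generate-policy=no because the policy below is static.
/ip ipsec identity
add peer=pfSense auth-method=pre-shared-key secret="CHANGE-ME-to-a-long-random-psk" \
    generate-policy=no

# Selector: LAN-to-LAN traffic is encrypted with the proposal above, tunnel mode, ESP only.
/ip ipsec policy
add peer=pfSense tunnel=yes src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    protocol=all action=encrypt level=require ipsec-protocols=esp \
    proposal=pfSense-Proposal

# Let IKE (UDP 500), NAT-T (UDP 4500) and ESP from pfSense reach the router itself.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=198.51.100.20 \
    comment="IKE/NAT-T from pfSense"
add chain=input action=accept protocol=ipsec-esp src-address=198.51.100.20 \
    comment="ESP from pfSense"
# Decrypted traffic from the pfSense LAN. ipsec-policy=in,ipsec makes the rule match only
# packets that really came out of the tunnel, not plaintext with a spoofed source.
add chain=forward action=accept src-address=192.168.2.0/24 dst-address=192.168.1.0/24 \
    ipsec-policy=in,ipsec comment="decrypted traffic from pfSense LAN"
add chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    ipsec-policy=out,ipsec comment="traffic about to enter the tunnel"

# Exempt tunnel traffic from masquerade. RouterOS applies srcnat before it matches IPsec
# policies, so without this rule LAN packets are NATed to the WAN address and never match.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    comment="no NAT for IPsec traffic to pfSense LAN"
```

    New rules are appended to the end of their chain, so after pasting this, move the three filter rules above any drop rule in their chains and the srcnat rule above the masquerade rule (drag them in Winbox, or `/ip firewall nat move [find comment="no NAT for IPsec traffic to pfSense LAN"] destination=0`). If the router sits behind another NAT device, keep nat-traversal=yes and forward UDP 500 and 4500 to it.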

    Step 2: pfSense Configuration

    Now, let's configure the pfSense firewall. Log in to your pfSense web interface.

    2.1: Configure IPsec Phase 1

    Phase 1 settings handle the initial key exchange and authentication and correspond to the Mikrotik profile, peer and identity. Navigate to VPN > IPsec and click the + Add P1 button.

    • Key Exchange version: IKEv2 (matches Exchange Mode ike2 on the Mikrotik).
    • Internet Protocol: IPv4.
    • Interface: WAN.
    • Remote Gateway: The public IP address of the Mikrotik router.
    • Authentication Method: Mutual PSK.
    • My identifier / Peer identifier: Leave at My IP address / Peer IP address. IKEv2 verifies identities, and the Mikrotik defaults to its own address as well.
    • Pre-Shared Key: The same pre-shared key you configured in the Mikrotik identity.
    • Encryption Algorithm: AES, 256 bits, with Hash SHA256 and DH Group 14 (2048 bit). All three must equal the Mikrotik profile (aes-256, sha256, modp2048). Do not pick AES-GCM here: the Mikrotik profile has no GCM option for Phase 1, so the negotiation would fail.
    • Lifetime: 86400 seconds (the Mikrotik profile's 1d).
    • Dead Peer Detection: Enable, with a delay of 30 seconds and 5 retries, mirroring the Mikrotik DPD settings.

    Save the settings.

    2.2: Configure IPsec Phase 2

    Phase 2 settings define the specific traffic that will be encrypted and correspond to the Mikrotik policy and proposal. Click the + Add P2 button in the IPsec tunnel you just created.

    • Mode: Tunnel IPv4.
    • Local Network: LAN subnet, or the network behind the pfSense firewall (e.g., 192.168.2.0/24).
    • NAT/BINAT translation: None.
    • Remote Network: The network behind the Mikrotik router (e.g., 192.168.1.0/24).
    • Protocol: ESP.
    • Encryption Algorithms: AES, 256 bits (the Mikrotik proposal's aes-256-cbc). Untick everything else so that only one combination is offered and mismatches show up immediately.
    • Hash Algorithms: SHA256 (the Mikrotik proposal's auth algorithm).
    • PFS Key Group: 14 (2048 bit). This must equal the Mikrotik proposal's PFS Group (modp2048).
    • Lifetime: 3600 seconds (the Mikrotik proposal's 1h).

    Save the settings.

    2.3: Configure Firewall Rules

    Two kinds of rules are needed on each side: rules that let the IPsec protocols themselves reach the device (IKE on UDP 500, NAT-T on UDP 4500 and ESP), and rules that allow the decrypted traffic between the two LANs.

    On pfSense the first kind is added automatically for the remote gateway of every configured tunnel, unless "Disable Auto-added VPN rules" is set under System > Advanced > Firewall & NAT. For the decrypted traffic, go to Firewall > Rules and open the IPsec tab, which filters traffic as it arrives out of the tunnel:

    • Action: Pass.
    • Interface: IPsec.
    • Protocol: Any (narrow this down to the ports you actually need once the tunnel works).
    • Source: The remote network behind the Mikrotik (e.g., 192.168.1.0/24). Traffic on the IPsec tab is seen as it leaves the tunnel, so its source is the remote side.
    • Destination: Your local network (e.g., 192.168.2.0/24 or LAN net).

    On the Mikrotik, add the equivalent rules under IP > Firewall:

    • Filter Rules, chain input: accept protocol udp with dst. port 500,4500, and protocol ipsec-esp, both from the pfSense public IP. Place these above any drop rule in the input chain.
    • Filter Rules, chain forward: accept traffic from 192.168.2.0/24 to 192.168.1.0/24 (and the reverse) above any drop rule. The IPsec Policy matcher (in, ipsec) restricts the rule to packets that genuinely came out of the tunnel.
    • NAT, chain srcnat: add an accept rule for src. address 192.168.1.0/24 and dst. address 192.168.2.0/24 and move it above the masquerade rule. This is the most common cause of a tunnel that shows as established but carries no traffic: RouterOS applies source NAT before it matches IPsec policies, so masqueraded packets never match the policy and are sent out of the WAN as ordinary NATed traffic.

    Step 3: Verification

    After completing the configuration, it's essential to verify that the IPsec tunnel is working correctly.

    3.1: Check IPsec Status

    • Mikrotik: Go to IP > IPsec > Active Peers; the pfSense peer should show the state established. Then check IP > IPsec > Installed SAs, where one ESP SA per direction should be listed, and IP > IPsec > Policies, where the policy's PH2 State should read established.
    • pfSense: Go to Status > IPsec. The Phase 1 entry should be ESTABLISHED and, after clicking Show child SA entries, the Phase 2 entry INSTALLED with the two networks listed.

    3.2: Test Connectivity

    Ping a device on the remote network from a device on the local network. For example, ping a device on the 192.168.1.0/24 network from a device on the 192.168.2.0/24 network. If the ping is successful, the IPsec tunnel is working correctly. Two caveats: pinging from a router itself only works if you source the ping from its LAN address (otherwise the packet comes from the WAN address and does not match the policy), and a host firewall (Windows, for instance) may drop ICMP from a foreign subnet even though the tunnel is fine, so test against a host you know answers pings.

    Troubleshooting Tips

    If you encounter issues, here are some troubleshooting tips:

    • Check Logs: On pfSense, Status > System Logs > IPsec shows the negotiation; on the Mikrotik, add a logging rule for the ipsec topic under System > Logging and read the result in Log. A "no proposal chosen" message means the algorithm sets do not overlap; an authentication failure usually means the pre-shared key or the identifiers differ.
    • Firewall Rules: Ensure that UDP 500/4500 and ESP reach both devices and that the decrypted LAN-to-LAN traffic is allowed. On the Mikrotik, also confirm that the srcnat accept rule sits above masquerade.
    • Phase 1 and Phase 2 Settings: Double-check that encryption, hash, DH/PFS group and lifetimes match on both devices, and that both sides use IKEv2.
    • Pre-Shared Key: Verify that the pre-shared key is identical on both devices, with no trailing whitespace.
    • MTU Issues: If pings work but large transfers (file copies, HTTPS pages) stall, ESP overhead is pushing full-size packets over the path MTU. Policy-based IPsec on the Mikrotik has no tunnel interface whose MTU you can lower, so clamp the TCP MSS instead: a mangle rule with action change-mss on SYN packets matching IPsec Policy out, ipsec, and on pfSense the "Enable Maximum MSS" option under System > Advanced > Firewall & NAT (VPN Packet Processing).
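    The checks from steps 3.1 and 3.2 and the troubleshooting tips above as RouterOS CLI commands, added here as an example and not taken from the original page. The peer name, addresses and the MSS value are assumptions that follow the constructed example (peer "pfSense", router LAN address 192.168.1.1, remote LAN 192.168.2.0/24).

```routeros
# Added example: verification and troubleshooting from the RouterOS CLI. Not from the
# original page. Names/addresses follow the constructed example: peer "pfSense",
# local LAN 192.168.1.0/24 (router at 192.168.1.1), remote LAN 192.168.2.0/24.

# Phase 1: the pfSense peer should be listed with state=established.
/ip ipsec active-peers print

# Phase 2: expect two ESP SAs (one per direction). Their SPIs must match what
# pfSense shows under Status > IPsec.
/ip ipsec installed-sa print

# The policy should show ph2-state=established; "no-phase2" means Phase 2 never matched.
/ip ipsec policy print detail

# Counters prove that packets are really being encrypted and decrypted.
/ip ipsec statistics print

# Ping through the tunnel from the router itself. The source must be the LAN address,
# otherwise the packet leaves from the WAN address and does not match the policy.
/ping 192.168.2.1 src-address=192.168.1.1 count=4

# Log IPsec negotiation to memory while debugging (remove the rule afterwards; it is
# verbose). Look for "no proposal chosen" (algorithm mismatch) or an authentication
# failure (PSK or identifier mismatch).
/system logging add topics=ipsec,!packet action=memory comment="ipsec debug"
/log print where topics~"ipsec"
/system logging remove [find comment="ipsec debug"]

# MTU/MSS: pings work but large transfers stall. Clamp the TCP MSS on SYN packets that
# are about to enter the tunnel. 1360 is an assumed value that leaves room for ESP
# overhead on a 1500-byte WAN; lower it behind PPPoE or other encapsulation.
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn ipsec-policy=out,ipsec \
    tcp-mss=1361-65535 action=change-mss new-mss=1360 passthrough=yes \
    comment="MSS clamp for IPsec to pfSense"
```

    The mangle rule only clamps traffic entering the tunnel from the Mikrotik side; enable the matching MSS clamp on pfSense for the other direction. On pfSense 2.5 and later, the equivalent of the first two print commands is `swanctl --list-sas` under Diagnostics > Command Prompt.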

    Advanced Configurations

    For more advanced setups, you might consider:

    • Dynamic DNS: If you don't have static IP addresses, use dynamic DNS so the remote gateway stays resolvable; the side whose address changes should be the one that initiates the tunnel.
    • Multiple Subnets: Add one policy per subnet pair on the Mikrotik and one Phase 2 per pair on pfSense, or summarize the subnets into a single larger prefix on both sides so one policy covers them all.
    • Traffic Shaping: Implement traffic shaping to prioritize certain types of traffic over the VPN tunnel; on the Mikrotik, mark the packets before they are encrypted, since after ESP encapsulation the ports are no longer visible.

    Conclusion

    Setting up an IPsec VPN between a Mikrotik router and a pfSense firewall provides a secure and reliable way to connect networks. By following this step-by-step guide, you can establish a secure tunnel, ensuring your data is protected. Remember to double-check your configurations and use the troubleshooting tips if you encounter any issues. Good luck, and enjoy your secure network connection!

    Keywords: IPsec, Mikrotik, pfSense, VPN, secure connection, tunnel, firewall, configuration, network security