Hello guys! I have watched lots of videos by Tom and have decided to at least attempt to set up a pfSense box to talk to a strongSwan setup on Ubuntu.
I currently have things set up for testing, Ubuntu 20.04 under vmware on a PC at Pub IP A, and pfsense (will be my main router, just want to play with some things in VM land) on my homelab under ESXi at Pub IP B. Both are currently behind Google Wifi, and the Ubuntu server eventually will be baremetal (old machine I have) but will remain behind Google Wifi so it will be NATed.
Setting up IPsec on pfSense seems incredibly simple; I am just not 100% certain how to go about setting up the config on the Ubuntu strongSwan side of things. Being behind a G-Wifi, I will need to port forward 4500 and 500? I believe I will need to use these settings for the left side of the Ubuntu config:
    left=[LOCAL IP]       # Due to NAT, server does not have PUBLIC IP
    leftid=[PUBLIC IP]    # Requires PUBLIC IP of NAT router
But I am not sure how to go about routing traffic on the Ubuntu box side (do I need iptables rules? If so, what would they be?) or what leftsubnet= and leftsourceip= would be.
I found a CentOS example of the conf file that was set up to talk to pfSense, so theoretically this would work, minus the NAT issue, as this was a public-facing CentOS guide:
    config setup

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev2
        mobike=no

    conn net-net
        left=184.108.40.206
        leftsubnet=10.1.96.0/20
        leftid=220.127.116.11
        leftfirewall=no
        right=18.104.22.168
        # network prefix, not a host address (the guide had 192.168.1.1/24)
        rightsubnet=192.168.1.0/24
        rightid=22.214.171.124
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256!
        pfs=no
        auto=start
        lifetime=1h
I believe I would also need to figure out some firewall settings, as I would like to have SSH open for remote management (if I bork the tunnel), and since I will have to open the IPsec ports regardless, I definitely want a firewall running.
In summation, I believe I need help with:
Port forwarding, 4500 and 500? For both Ubuntu and ESXied pfSense (until it's my main router?)
How to route Ubuntu side traffic out through WAN (iptables or other)
Any help here would be appreciated.
Simple background - I would like to subnet some devices behind pfsense to route over the ipsec interface, nothing from the Ubuntu side will need to originate connections to the pfSense side; I only need to be able to get out to the internet (Ubuntu side) from devices sourced on the pfsense subnet.
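As an added example that is not part of the original post or of any pfSense or strongSwan documentation: a small POSIX shell script that renders the Ubuntu-side ipsec.conf and ipsec.secrets (legacy stroke format, as in the CentOS example above) together with the iptables rules that let the pfSense LAN reach the internet through the Ubuntu box. The interface name eth0, the addresses 192.168.86.20, 192.168.86.0/24, 10.50.0.0/24, 203.0.113.10 (standing in for Pub IP A) and 198.51.100.20 (Pub IP B) and the PSK are placeholders, not values from the post; replace them before using it.

```shell
#!/bin/sh
# Added example, not from the original post: render the strongSwan (legacy
# ipsec.conf/stroke format) config and the iptables rules for the Ubuntu side
# sitting behind a NAT router. With no arguments it only prints what would be
# installed; "--apply" as root writes the files and loads the rules.
# Every address and interface name below is a placeholder: change them.

WAN_IF="${WAN_IF:-eth0}"                          # NIC facing the Google Wifi router
LOCAL_IP="${LOCAL_IP:-192.168.86.20}"             # Ubuntu's private (NATed) address
MY_PUBLIC_IP="${MY_PUBLIC_IP:-203.0.113.10}"      # "Pub IP A"; router forwards UDP 500/4500 to LOCAL_IP
PEER_PUBLIC_IP="${PEER_PUBLIC_IP:-198.51.100.20}" # "Pub IP B", what pfSense appears as after its own NAT
PEER_LAN="${PEER_LAN:-10.50.0.0/24}"              # pfSense LAN that should reach the internet via here
ADMIN_NET="${ADMIN_NET:-192.168.86.0/24}"         # the only source allowed to SSH in
PSK="${PSK:-change-me}"                           # export PSK=...; never keep a real one in the script

render_ipsec_conf() {
    cat <<EOF
config setup

conn %default
    keyexchange=ikev2
    authby=secret
    # match pfSense defaults: P1 28800s, P2 3600s
    ikelifetime=8h
    lifetime=1h
    rekeymargin=3m
    keyingtries=%forever
    dpdaction=restart
    dpddelay=30s

conn pfsense
    # Behind NAT: bind to the private address but identify as the public one.
    # pfSense's "Peer identifier" must be this same value.
    left=${LOCAL_IP}
    leftid=${MY_PUBLIC_IP}
    # The far LAN reaches the whole internet through this host, so the local
    # traffic selector is 0.0.0.0/0 (pfSense P2 "Remote network" = 0.0.0.0/0).
    leftsubnet=0.0.0.0/0
    # No leftsourceip: that hands virtual IPs to roadwarriors, not site-to-site.
    # leftfirewall=no because the rules below replace the _updown script's.
    leftfirewall=no
    right=${PEER_PUBLIC_IP}
    rightid=${PEER_PUBLIC_IP}
    rightsubnet=${PEER_LAN}
    # pfSense P1: AES256 / SHA256 / DH 14; P2: AES256 / SHA256 / PFS 14
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    auto=start
EOF
}

render_ipsec_secrets() {
    # IKEv2 looks the PSK up by identity, so key it on the two IDs, not on NAT addresses.
    printf '%s %s : PSK "%s"\n' "$MY_PUBLIC_IP" "$PEER_PUBLIC_IP" "$PSK"
}

render_firewall_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# IKE and NAT-T only from the peer; ESP rides inside UDP 4500 once NAT is detected
iptables -A INPUT -i ${WAN_IF} -p udp -s ${PEER_PUBLIC_IP} --dport 500 -j ACCEPT
iptables -A INPUT -i ${WAN_IF} -p udp -s ${PEER_PUBLIC_IP} --dport 4500 -j ACCEPT
# Management: SSH from the admin network only; ping from the far LAN for tunnel checks
iptables -A INPUT -p tcp -s ${ADMIN_NET} --dport 22 -j ACCEPT
iptables -A INPUT -m policy --dir in --pol ipsec -s ${PEER_LAN} -p icmp -j ACCEPT
# Forward only what was decrypted out of the tunnel, and the replies back into it
iptables -A FORWARD -m policy --dir in --pol ipsec -s ${PEER_LAN} -o ${WAN_IF} -j ACCEPT
iptables -A FORWARD -i ${WAN_IF} -d ${PEER_LAN} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Order matters: exempt packets headed into the tunnel from NAT, then masquerade the rest
iptables -t nat -A POSTROUTING -o ${WAN_IF} -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s ${PEER_LAN} -o ${WAN_IF} -j MASQUERADE
EOF
}

apply() {
    [ "$PSK" != "change-me" ] || { echo "set PSK to a long random secret first" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "--apply must run as root" >&2; return 1; }
    umask 077                                  # ipsec.secrets must not be world-readable
    render_ipsec_conf > /etc/ipsec.conf
    render_ipsec_secrets > /etc/ipsec.secrets
    render_firewall_rules | sh -e
    ipsec restart
}

case "${1:-}" in
    --apply) apply ;;
    *) render_ipsec_conf; echo; render_firewall_rules ;;   # dry run; secrets are never printed
esac
```

On the pfSense side this pairs with a Phase 1 of IKEv2, mutual PSK, remote gateway Pub IP A, "My identifier" set to Pub IP B as an IP address (pfSense is NATed too, so its own interface address is private) and "Peer identifier" Pub IP A, and a Phase 2 with Local network = LAN, Remote network = 0.0.0.0/0, AES256/SHA256 and PFS group 14. Both Google Wifi units forward UDP 500 and 4500 to the respective VM; ESP is carried inside UDP 4500 once both ends detect the NAT, so no protocol-50 forward is needed. The SSH rule keeps management reachable from the admin network even when the tunnel is down, while the INPUT policy stays DROP for everything else.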