pfSense to Strongswan IPSec Questions

Hello guys! I have watched lots of videos by Tom and have decided to at least attempt to set up a pfsense box to talk to a strongswan setup on Ubuntu.

I currently have things set up for testing, Ubuntu 20.04 under vmware on a PC at Pub IP A, and pfsense (will be my main router, just want to play with some things in VM land) on my homelab under ESXi at Pub IP B. Both are currently behind Google Wifi, and the Ubuntu server eventually will be baremetal (old machine I have) but will remain behind Google Wifi so it will be NATed.

Setting up IPSec on pfsense seems incredibly simple, I am just not 100% certain how to go about setting up the config on the ubuntu strongswan side of things. Being behind a G-Wifi, I will need to port forward 4500 and 500? I will need to use these settings for left side of Ubuntu config I believe:

left=[LOCAL IP]             # Due to NAT Server does not have PUBLIC IP
leftid=[PUBLIC IP]          # Requires PUBLIC IP of NAT router

But I am not sure how to go about routing traffic on the ubuntu box side (do I need iptables rules? If so, what would they be?) or what leftsubnet= and leftsourceip= would be?

I found a CentOS example of the conf file that was a setup to pfSense so theoretically this would work, minus the NAT issue as this was a public facing CentOS guide:

config setup
 
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev2
        mobike=no
 
conn net-net
        left=148.27.56.195
        leftsubnet=10.1.96.0/20
        leftid=148.27.56.195
        leftfirewall=no
        right=23.183.125.249
        rightsubnet=192.168.1.1/24
        rightid=23.183.125.249
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256!
        pfs=no
        auto=start
        lifetime=1h

I believe I would also need to figure out some firewall settings as I would like to have SSH open for this for remote management (if I bork the tunnel) and since I will have to open ipsec ports regardless, I definitely want a firewall running.

In summation, I believe I need help with:
Port forwarding, 4500 and 500? For both Ubuntu and ESXied pfSense (until it's my main router?)
How to route Ubuntu side traffic out through WAN (iptables or other)
leftsubnet=
leftsourceip=
Firewall rules

Any help here would be appreciated.

Simple background - I would like to subnet some devices behind pfsense to route over the ipsec interface, nothing from the Ubuntu side will need to originate connections to the pfSense side; I only need to be able to get out to the internet (Ubuntu side) from devices sourced on the pfsense subnet.
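
For the routing and firewall questions in the post above, one possible rule set for the NATed Ubuntu side, as an added example that is not part of the original post. The interface name `ens33` and the pfSense-side subnet `10.10.50.0/24` are assumed placeholders, and the rules assume the tunnel's Ubuntu-side traffic selector covers 0.0.0.0/0 so that internet-bound traffic from the pfSense subnet enters the tunnel.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset for the NATed Ubuntu
# strongSwan host. Nothing is applied; review the output first.
# Assumed placeholders: WAN interface "ens33", pfSense-side subnet 10.10.50.0/24.
# Forwarding also needs: sysctl -w net.ipv4.ip_forward=1

ubuntu_ruleset() {
    wan_if=$1
    remote_net=$2
    # Refuse anything that is not a plain interface name / IPv4 CIDR, so a
    # typo cannot turn into a wider rule than intended.
    case "$wan_if" in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface: $wan_if" >&2; return 1 ;;
    esac
    printf '%s\n' "$remote_net" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' ||
        { echo "bad subnet: $remote_net" >&2; return 1; }

    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# Tunnel clients leave for the internet with this host's address.
-A POSTROUTING -s $remote_net -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH stays reachable even when the tunnel is down.
-A INPUT -p tcp --dport 22 -j ACCEPT
# IKE and NAT-T, the two UDP ports forwarded on the upstream router.
-A INPUT -i $wan_if -p udp -m multiport --dports 500,4500 -j ACCEPT
# Forward only packets that arrived decrypted through an IPsec policy.
-A FORWARD -s $remote_net -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the constructed placeholder values.
ubuntu_ruleset ens33 10.10.50.0/24
```

The output is in `iptables-restore` format and has to be loaded as root; the `-m policy` match on the FORWARD rule keeps cleartext packets that merely claim a source in the pfSense subnet from being forwarded.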